
How to create a VPN to a Sarian GPRS router


Article ID: KB9166 KB Last Updated: 11 Aug 2010Version: 3.0
Summary:
How to configure the NetScreen to accept incoming VPN requests from a remote Sarian ER4110 GPRS router
Symptoms:
Requirements:
• The Sarian is assigned a public (not a “natted”) IP address on its GPRS interface.
• The Sarian’s GPRS IP address can be dynamic or static. In this test it was dynamically assigned by the GSM/GPRS operator.
• IPSEC is to be used in “aggressive mode”.
 
If the Sarian’s GPRS IP address is “natted” it can still work, but the head-end device must support NAT traversal. The Sarian configuration detailed here will attempt to use NAT traversal automatically if required; however, the Juniper configuration would require updating to work with NAT traversal.
It is entirely possible to use another ER4000 or other Sarian product at the head end instead of the Juniper in this example. All Sarian IPSEC products fully support NAT traversal.
Solution:

NetScreen Configuration

The Juniper NetScreen-50 firewall used in this example is configured based on the “Route-Based Site-to-Site VPN, Dynamic Peer” example from the “NetScreen Concepts & Examples ScreenOS Reference Guide” (ScreenOS 5.2.0 P/N 093-1580-000 Rev. A). An AutoKey IKE VPN tunnel using a preshared key provides a secure connection between the NetScreen device and the remote Sarian router. The ISP serving the Sarian router assigns a dynamic address to that router via DHCP. Because only the NetScreen device has a fixed address for its Untrust zone, VPN traffic must originate from hosts on the Sarian side. After a tunnel has been established, traffic through the tunnel can originate from either end.
For the Phase 1 and 2 security levels, you specify one Phase 1 proposal (pre-g2-3des-sha) and a custom set of proposals for Phase 2 (see details below).
 
WebUI:
 
1. Interfaces
Network > Interfaces > Edit (for ethernet1 - Trust): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
 
Select the following, and then click OK:
Interface Mode: NAT
 
 
Network > Interfaces > Edit (for ethernet3 - Untrust): Enter the following, and then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address: 2.2.2.2/24 (static public IP address)
 
Network > Interfaces > New Tunnel IF: Enter the following, and then click OK:
Tunnel Interface Name: tunnel.1
Zone (VR): Untrust (trust-vr)
Unnumbered: (select)
Interface: ethernet3 (trust-vr)
 
 
2. Addresses
 
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Trust_LAN
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.0/24
Zone: Trust
 
 
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Sarian_Office
IP Address/Domain Name:
IP/Netmask: (select), 10.101.10.0/24
Zone: Untrust
 
 
3. VPN
 
VPNs > AutoKey Advanced > Gateway > New: Enter the following, and then click OK:
Gateway Name: to_Sarian
Security Level: Custom
Remote Gateway Type:
Dynamic IP Address: (select), Peer ID: sarian
 
 
Preshared Key
Preshared Key: <Specify.  Make sure it is the same as the Sarian>
LocalID: juniperfw
Outgoing Interface: ethernet3
 
 
> Advanced: Enter the following advanced settings
Security Level: Custom
Phase 1 Proposal (For Custom Security Level):
pre-g2-3des-sha
Mode (Initiator): Aggressive
Enable NAT-Traversal: (select)
Return
Ok
 
 
VPNs > AutoKey IKE > New: Enter the following, and then click OK:
VPN Name: corp_Sarian
Security Level: Compatible
Remote Gateway:
Predefined: (select), to_Sarian
 
> Advanced: Enter the following advanced settings
Predefined: Compatible
Bind to: Tunnel Interface: (select), tunnel.1
Proxy-ID: (select)
Local IP / Netmask: 10.1.1.0/24
Remote IP / Netmask: 10.101.10.0/24
Service: ANY
Return
Ok
 
 
 
4. Routes
 
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: (select), 2.2.2.250
 
 
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 10.101.10.0/24
Gateway: (select)
Interface: tunnel.1
Gateway IP Address: 0.0.0.0
 
 
5. Policies
 
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Trust_LAN
Destination Address:
Address Book Entry: (select), Sarian_Office
Service: Any
Action: Permit
Position at Top: (select)
 
 
 
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Sarian_Office
Destination Address:
Address Book Entry: (select), Trust_LAN
Service: Any
Action: Permit
Position at Top: (select)

 

 

Sarian Configuration

At the Sarian unit you have the option of configuring the IPSec parameters either via the web interface or by writing a new configuration file. For ease of demonstrating the commands used, we will look at the configuration file. Only the parts of the configuration file that specifically relate to the configuration of this example will be explained in detail. (The entire configuration file can be found at the end of this document.)
 
The Sarian’s Ethernet IP address:
 
eth 0 IPaddr "10.101.10.99"
eth 0 ethanon ON
 
The following entries are required mainly for the interface between the Sarian and its GPRS module:
 
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 3 asyport 2
lapb 3 mux_0710 ON
lapb 4 dtemode 0
lapb 4 dlc 1
lapb 4 asyport 2
lapb 4 virt_async "mux0"
lapb 4 mux_0710 ON
lapb 5 dtemode 0
lapb 5 dlc 2
lapb 5 asyport 2
lapb 5 virt_async "mux1"
lapb 5 mux_0710 ON
lapb 6 dtemode 0
lapb 6 dlc 3
lapb 6 asyport 2
lapb 6 virt_async "mux2"
lapb 6 mux_0710 ON
 
The default route to send packets to destinations not on a local interface is PPP 1. Interface PPP 1 is configured for GPRS and IPSEC.
 
def_route 0 ll_ent "PPP"
def_route 0 ll_add 1
 
The following Eroute settings mainly relate to IPSEC and phase 2.
The peer IP entry is the local name of the Juniper host.
 
eroute 0 peerip "juniperfw"
 
The peerid entry is the ID that the Juniper will send to the Sarian during the IKE negotiations (it must match the LocalID configured on the NetScreen gateway):
 
eroute 0 peerid "juniperfw"
 
The ourid entry is the ID that the Sarian will send to the Juniper during the IKE negotiations.
 
eroute 0 ourid "sarian"
 
The “idisfqdn ON” setting sends our ID as a fully qualified domain name to the Juniper.
eroute 0 idisfqdn ON
 
Packets will be directed through this tunnel if the source IP matches:
 
eroute 0 locip "10.101.10.0"
eroute 0 locmsk "255.255.255.0"
 
And the destination IP matches:
 
eroute 0 remip "10.1.1.0"
eroute 0 remmsk "255.255.255.0"
 
The IPSEC ESP authentication algorithm is SHA1:
 
eroute 0 ESPauth "SHA1"
 
The IPSEC encryption algorithm to use is 3DES
 
eroute 0 ESPenc "3DES"
 
The IPSEC duration should be set to a value less than that of the Juniper’s ipsec “seconds” setting.
 
eroute 0 ltime 2000
 
The Sarian is configured not to expire the IPSEC SA based upon volume of data:
eroute 0 lkbytes 0
 
The IKE authentication method to use is pre-shared key:
 
eroute 0 authmeth "PRESHARED"
 
If a packet matches this “eroute” and no SA exists then try to create one:
 
eroute 0 nosa "TRY"
 
Continually try to keep the tunnel (IPSEC session) up regardless of whether we have any data to route:
 
eroute 0 autosa ON
 
The following section configures the Sarian to use PPP 1 for the GPRS interface. The username and password fields may or may not be required by the SIM. The “ipsec” setting enables IPSEC for the GPRS interface.
 
ppp 1 r_chap OFF
ppp 1 IPaddr "0.0.0.0"
ppp 1 username "gprs"
ppp 1 epassword "Py9kSQ=="
ppp 1 phonenum "*98*1#"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 ipsec 2
ppp 1 ipanon ON
 
The following section contains some global IKE settings:
Lifetime of the IKE session (Should be less than the Juniper’s IKE lifetime):
 
ike 0 ltime 5000
 
Use 3DES settings for encryption and SHA1 for authentication (should be paired with Juniper IKE settings!)
 
ike 0 encalg "3DES"
ike 0 authalg "SHA1"
 
Use aggressive mode rather than main mode, and IKE MODP group 2 (paired to Juniper’s Diffie-Hellman exchange key length of 1024 bits):
 
ike 0 aggressive ON
ike 0 ikegroup 2
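As an added cross-check (example code written for this page, not from Juniper or Sarian), the script below parses the Sarian eroute/ike lines quoted above and compares them with the NetScreen gateway and AutoKey IKE values: the IDs must be swapped, the proxy-IDs mirrored, the Phase 1 algorithms must match pre-g2-3des-sha, and each Sarian lifetime must be shorter than the NetScreen one. The NetScreen lifetimes (28800 s Phase 1, 3600 s Phase 2) are assumed ScreenOS defaults for the predefined proposals, not values stated in this article.

```python
import ipaddress
# Constructed from the Sarian lines quoted in this article.
SARIAN_CONF = """\
eroute 0 peerid "juniperfw"
eroute 0 ourid "sarian"
eroute 0 locip "10.101.10.0"
eroute 0 locmsk "255.255.255.0"
eroute 0 remip "10.1.1.0"
eroute 0 remmsk "255.255.255.0"
eroute 0 ltime 2000
ike 0 ltime 5000
ike 0 encalg "3DES"
ike 0 authalg "SHA1"
ike 0 aggressive ON
ike 0 ikegroup 2
"""
# NetScreen values from the WebUI steps above; the lifetimes are assumed ScreenOS defaults.
NETSCREEN = {"local_id": "juniperfw", "peer_id": "sarian",
             "local_net": "10.1.1.0/24", "remote_net": "10.101.10.0/24",
             "p1": ("3DES", "SHA1", "2"), "p1_life": 28800, "p2_life": 3600}

def parse_sarian(text):
    """Map (entity, instance, parameter) -> value for lines like: eroute 0 peerid "x"."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            conf[tuple(parts[:3])] = parts[3].strip('"')
    return conf

def check_vpn(sarian_text, ns):
    """Return the mismatches that would stop this tunnel negotiating or make it flap."""
    s = parse_sarian(sarian_text)
    g = lambda entity, key: s.get((entity, "0", key))
    net = lambda ip, mask: ipaddress.ip_network(f"{ip}/{mask}")
    checks = [
        (g("eroute", "peerid") == ns["local_id"], "eroute peerid differs from NetScreen LocalID"),
        (g("eroute", "ourid") == ns["peer_id"], "eroute ourid differs from NetScreen Peer ID"),
        # Proxy-IDs must be mirrored: Sarian local = NetScreen remote and vice versa.
        (net(g("eroute", "locip"), g("eroute", "locmsk")) == ipaddress.ip_network(ns["remote_net"])
         and net(g("eroute", "remip"), g("eroute", "remmsk")) == ipaddress.ip_network(ns["local_net"]),
         "proxy-IDs are not mirrored between the peers"),
        ((g("ike", "encalg"), g("ike", "authalg"), g("ike", "ikegroup")) == ns["p1"],
         "IKE Phase 1 algorithms/group differ from pre-g2-3des-sha"),
        (g("ike", "aggressive") == "ON", "Sarian must use aggressive mode to match the gateway"),
        # Sarian lifetimes stay below the NetScreen ones so the Sarian rekeys first.
        (int(g("ike", "ltime")) < ns["p1_life"] and int(g("eroute", "ltime")) < ns["p2_life"],
         "a Sarian lifetime is not shorter than the matching NetScreen lifetime"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run check_vpn against a config.da0 exported from the Sarian before loading it; an empty list means the two sides agree on everything this script knows how to compare.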
 
GPRS Module configuration:
 
modemcc 0 asy_add "mux1"
modemcc 0 info_asy_add "mux2"
modemcc 0 init_str "+CGQREQ=1,0,0,0,0,0"
modemcc 0 init_str1 "+CGQMIN=1,0,0,0,0,0"
modemcc 0 apn "gprs.promonte.com"
modemcc 0 epin "aWYmCQ=="
modemcc 0 link_retries 10
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1,0,0,0,0,0"
modemcc 0 init_str1_2 "+CGQMIN=1,0,0,0,0,0"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
modemcc 1 link_retries 10
 
Analyser trace configuration:
 
ana 0 anon ON
ana 0 l1on ON
ana 0 ikeon ON
ana 0 lapdon 0
ana 0 asyon 1
ana 0 logsize 45
 
General Configuration:
 
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "ss.2000r"
cmd 0 asyled_mode 2
cmd 0 tremto 120
 
User table configuration:
The following entries are here to allow access to the Sarian’s management facilities:
 
user 0 name "Sarian"
user 0 epassword "HQ0iCxQc"
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
 
(The unencrypted version of this password is “password”)
 
The following entry is required to store the pre-shared key for the IKE negotiations. The pre-shared key to be used with the peer that identifies itself as Juniper.sarians.co.uk is test.
user 9 name "juniperfw"
user 9 epassword "LDplTg=="
 
NB the unencrypted version of "LDplTg==" is “test”.

 

Screen Shots

Screen shots of the web interface on the correctly configured Sarian follow (images not reproduced here): Default Route 0, PPP 1, IKE, EROUTE 0.

The full configuration file can be found below.


Sarian configuration file
 
The Sarian config file (config.da0) can be transferred to the Sarian using an FTP client. Only use this config.da0 file on an ER4110. Remember to log in with your username and password rather than “anonymous”, which is the default setting for Internet Explorer.
 
eth 0 IPaddr "10.101.10.99"
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 3 asyport 2
lapb 3 mux_0710 ON
lapb 4 dtemode 0
lapb 4 dlc 1
lapb 4 asyport 2
lapb 4 virt_async "mux0"
lapb 4 mux_0710 ON
lapb 5 dtemode 0
lapb 5 dlc 2
lapb 5 asyport 2
lapb 5 virt_async "mux1"
lapb 5 mux_0710 ON
lapb 6 dtemode 0
lapb 6 dlc 3
lapb 6 asyport 2
lapb 6 virt_async "mux2"
lapb 6 mux_0710 ON
x25sw 0 l2deactcc 9
gps 0 asy_add 1
mc45mon 0 asy_add "mux0"
mc45mon 0 mon_int 10
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
eroute 0 peerip "195.66.165.3"
eroute 0 peerid "juniperfw"
eroute 0 ourid "sarian"
eroute 0 idisfqdn ON
eroute 0 locip "10.101.10.0"
eroute 0 locmsk "255.255.255.0"
eroute 0 remip "10.1.1.0"
eroute 0 remmsk "255.255.255.0"
eroute 0 ESPauth "SHA1"
eroute 0 ESPenc "3DES"
eroute 0 authmeth "PRESHARED"
eroute 0 nosa "TRY"
eroute 0 autosa ON
dpd 0 okint 120
dpd 0 failint 5
dpd 0 inact 60
dpd 0 maxfail 3
dhcp 0 IPmin "10.101.10.1"
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "10.101.10.99"
dhcp 0 DNS "10.101.10.99"
dhcp 0 lease 60
ppp 0 timeout 300
ppp 1 r_chap OFF
ppp 1 IPaddr "0.0.0.0"
ppp 1 username "gprs"
ppp 1 epassword "Py9kSQ=="
ppp 1 phonenum "*98*1#"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 ipsec 2
ppp 1 ipanon ON
ppp 2 epassword "A==="
ppp 3 defpak 16
ppp 4 defpak 16
ike 0 encalg "3DES"
ike 0 authalg "SHA1"
ike 0 aggressive ON
ike 0 ikegroup 2
ike 1 encalg "3DES"
ike 1 authalg "SHA1"
ike 1 aggressive ON
ike 1 ikegroup 2
modemcc 0 asy_add "mux1"
modemcc 0 info_asy_add "mux2"
modemcc 0 init_str "+CGQREQ=1,0,0,0,0,0"
modemcc 0 init_str1 "+CGQMIN=1,0,0,0,0,0"
modemcc 0 apn "gprs.promonte.com"
modemcc 0 epin "aWYmCQ=="
modemcc 0 link_retries 10
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1,0,0,0,0,0"
modemcc 0 init_str1_2 "+CGQMIN=1,0,0,0,0,0"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
modemcc 1 link_retries 10
ana 0 anon ON
ana 0 l1on ON
ana 0 lapdon 0
ana 0 asyon 1
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "ss.2000r"
cmd 0 asyled_mode 2
cmd 0 tremto 120
cmd 1 gpson 1
cmd 3 cfilton 1
user 0 name "Sarian"
user 0 epassword "HQ0iCxQc"
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 access 0
user 6 access 0
user 7 access 0
user 8 access 0
user 9 name "juniperfw"
user 9 epassword "LDplTg=="
scep 0 app "pkiclient.exe"
 
The Sarian configuration above was tested on a Sarian ER4110 with version 4816 firmware:
 
ati5
Sarian Systems. Sarian ER4110 EDGE Router
Software Build 4816.  Dec 07 2005 12:08:36  YW
ARM Sarian Bios Ver 3.13 v21 200MHz B64-M64-F80-O100,0  