7 September

How To: Create Route based Dial Up VPN using same IKE ID (ScreenOS 6.0 and later), filed under Juniper NetScreen

How To: Create Multiple Dial Up Route based VPN (for bi-directional communication) using same IKE ID

Environment:

  • Shared IKE ID
  • Deploy large number of remote clients
  • Bi-Directional VPN set-up
  • Route-based VPN

Solution:

Example: Assume two users, Mike and Joe, are trying to access a server on the trusted side of the Juniper Firewall. The Administrator wants to deploy a single VPN Dial-up User configuration and have each user authenticated individually.

Note:  With the following configuration, the VPN connection must start from the Dial-up client.  

Setting                    NetScreen-Remote (client)                     NetScreen (firewall)
-------------------------  --------------------------------------------  --------------------
Shared IKE User            -                                             Remote_Sales
Shared IKE ID              sales@ns.com                                  sales@ns.com
User Group                 -                                             R_S
XAuth User 1 / Password    Joe / netscreen                               -
XAuth User 2 / Password    Mike / support                                -
Phase 1 Proposal           Preshared Secret; Extended Authentication;    pre-g2-3des-sha
                           Triple DES; SHA; Diffie-Hellman Group 2
Phase 2 Proposal           Triple DES; SHA-1                             nopfs-esp-3des-sha

 
The basic steps in deploying this configuration are as follows:

Note:  A route-based VPN is configured in this article, so that bi-directional communication can be obtained.  For a policy-based VPN, which is the typical Dial Up VPN configuration, refer to KB14883

Juniper Firewall Side:

  1. Define an IKE ID User (Without xauth authentication)
  2. Assign the IKE ID User from step 1 to a new Dial Up User Group
  3. Define separate XAuth Users (with no IKE ID configuration)
  4. Define IKE Phase 1 Gateway, and DO NOT SELECT "Use as Seed"
  5. Define IKE Phase 2 VPN as usual
  6. Define policy as usual

NetScreen-Remote VPN Client Side:

  1. Enter Remote Party Identity and Address, and Secure Gateway Tunnel as normal
  2. Under My Identity, select ID type email address, and enter the IKE ID defined in step 1 of the NetScreen Side procedure
  3. Click Pre-Shared Key, and enter the preshared key defined from step 4 on the NetScreen Side procedure
  4. Configure Phase 1 for Xauth and Phase 2 to match the configuration on the NetScreen side

WebUI Configuration of Firewall Side:

  1. Click Objects > Users > Local
    1. Click New
      1. Username: Remote_Sales
      2. Enable IKE User (Do not select XAuth User)
      3. Number of Multiple Logins with Same ID: 250 (choose whatever number of simultaneous users you want logging in under this IKE ID)
      4. Click Simple Identity
      5. IKE ID Type: AUTO
      6. IKE Identity: sales@ns.com (Note: IKE ID must be an e-mail address)
      7. Click OK
    2. Click New
      1. Username: Joe
      2. Click XAuth User (Do not select IKE User)
      3. User Password: netscreen
      4. Confirm Password: netscreen
      5. Click OK
    3. Click New
      1. Username: Mike
      2. Click XAuth User (Do not select IKE User)
      3. User Password: support
      4. Confirm Password: support
      5. Click OK
  2. Click Objects > Users > Local Groups
    1. Click New
      1. Group Name: R_S
      2. Under Available Members, select Remote_Sales, and click << directional button
      3. Click OK
  3. Click Objects > IP Pools (In case you want 254 users)
    1. Click New
      1. IP Pool Name: VPN Pool
      2. Start IP:10.1.1.1
      3. End IP :10.1.1.254
      4. Click OK
  4. Click Network >Interfaces >List
    1. Create a New Tunnel Interface(From Drop Down)
    2. Select the Zone: Untrust (trust-vr) (From Drop Down)
    3. Select the Unnumbered: Interface (Untrust Interface)
    4. Click OK
  5. Click VPNs > AutoKey Advanced > XAuth Settings
    1. Select the IP Pool, VPN Pool from the Drop Down
    2. If you want to add the DNS you can give the IP address here.
    3. Click On Apply
  6. Click VPNs > AutoKey Advanced > Gateway
    1. Click New
      1. Gateway Name: Sales
      2. Click Dialup User Group, and select R_S from the Group pulldown menu
      3. Click Advanced
      4. Preshared Key: sharedikeid (Do not enable "Use as Seed"; that parameter is used when configuring Group IKE ID with Global Pro/Express)
      5. Outgoing Interface: ethernet0/0 (Choose whatever interface is your outgoing interface to the Internet)
      6. Click Security Level: Select Custom, and select Phase 1 Proposal pre-g2-3des-sha
      7. Click Mode (Initiator): Aggressive
      8. Click Enable NAT-Traversal
      9. Click Return
      10. Click OK

    Note: If you do not have an Authentication Server configured for XAuth, refer to the Example: RADIUS Auth Server on p.33 of the ScreenOS Concepts & Examples Guide – Vol 9 – Authentication Servers.

  7. Click VPNs > AutoKey Advanced > Gateway > XAuth Settings (on the Sales gateway)
    1. Check XAuth Server
    2. Check on Use Default XAuth settings
    3. Click Apply
  8. Click VPNs > AutoKey IKE
    1. Click New
      1. VPN Name: Sales VPN
      2. Remote Gateway: Click Predefined, and select Sales from the pulldown menu
      3. Click Advanced
      4. Security Level: Select Custom, and select Phase 2 Proposal nopfs-esp-3des-sha
      5. Bind to tunnel interface (Tunnel.1)
      6. Select the Proxy ID
      7. Local IP :172.16.10.0/24
      8. Remote IP :255.255.255.255/32
      9. Click OK
  9. Click Policy > Policies
    1. Select From Untrust to Trust zone, and click New
      1. Source Address:Click New Address and Enter 10.1.1.0/24
      2. Destination Address: Click New Address, and enter 172.16.10.0/24
      3. Service: ANY
      4. Action: Permit
      5. Click OK
    2. Select From Trust to Untrust zone, and click New
      1. Source Address:Click New Address and Enter 172.16.10.0/24
      2. Destination Address: Click New Address, and enter 10.1.1.0/24
      3. Service: ANY
      4. Action: Permit
      5. Click OK
  10. Click Network >Routing >Destination
    1. Click New
    2. IPv4/Net mask or IPv6/Prefix Length : 10.1.1.0/24
    3. Check Gateway
    4. Select the Interface :Tunnel.1(New tunnel Interface Created)
    5. Click OK
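The same firewall-side configuration entered from the ScreenOS CLI, as an added example that is not part of the original KB article. It is reconstructed from the ScreenOS 6.x command set and uses the names from the page; the two address-book object names ("VPN Clients", "Server LAN") and the user-group ID are assumptions, and the DNS line is optional.

```screenos
## 1. Shared IKE ID user (no XAuth); 250 concurrent logins on the same ID
set user "Remote_Sales" ike-id u-fqdn "sales@ns.com" share-limit 250
set user "Remote_Sales" type ike
set user "Remote_Sales" "enable"

## 2. Dial-up user group that holds only the IKE ID user (group id 1 assumed free)
set user-group "R_S" id 1
set user-group "R_S" user "Remote_Sales"

## 3. Individual XAuth users (no IKE ID); these are what identify a person
set user "Joe" type xauth
set user "Joe" password "netscreen"
set user "Joe" "enable"
set user "Mike" type xauth
set user "Mike" password "support"
set user "Mike" "enable"

## 4. Address pool handed to clients by XAuth, and the default XAuth settings
set ippool "VPN Pool" 10.1.1.1 10.1.1.254
set xauth default ippool "VPN Pool"
## optional, if clients should receive a DNS server (address is a placeholder):
## set xauth default dns1 172.16.10.10

## 5. Tunnel interface in the Untrust zone, unnumbered on the Internet-facing interface
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.1" ip unnumbered interface ethernet0/0

## 6. Phase 1: dial-up gateway bound to the group, aggressive mode, preshared key,
##    NAT-Traversal on, XAuth using the default settings from step 4.
##    No "seed" keyword: the key is shared as-is, not used to derive per-user keys.
set ike gateway "Sales" dialup "R_S" aggressive outgoing-interface "ethernet0/0" preshare "sharedikeid" proposal "pre-g2-3des-sha"
set ike gateway "Sales" nat-traversal
set ike gateway "Sales" xauth

## 7. Phase 2: route-based VPN bound to tunnel.1 with the proxy ID from the page.
##    no-replay matches "Enable Replay Detection" being de-selected on the client.
set vpn "Sales VPN" gateway "Sales" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "Sales VPN" bind interface tunnel.1
set vpn "Sales VPN" proxy-id local-ip 172.16.10.0/24 remote-ip 255.255.255.255/32 "ANY"

## 8. Address objects and the two plain permit policies. No tunnel action is
##    needed in the policy: the route in step 9, not the policy, steers traffic into the VPN.
set address "Untrust" "VPN Clients" 10.1.1.0 255.255.255.0
set address "Trust" "Server LAN" 172.16.10.0 255.255.255.0
set policy from "Untrust" to "Trust" "VPN Clients" "Server LAN" "ANY" permit
set policy from "Trust" to "Untrust" "Server LAN" "VPN Clients" "ANY" permit

## 9. Static route: send the client pool into the tunnel interface
set route 10.1.1.0/24 interface tunnel.1

save
```

After entering it, compare `get config` with the WebUI result: the saved form adds uid/id numbers and shows the mode as Aggr, but the settings should otherwise be identical. `get ike cookie` and `get sa` then show which XAuth user holds each Phase 1 and Phase 2 SA, which is how a connection is traced back to a person even though every client uses the same IKE ID.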


NetScreen-Remote Side:

  1. Create New Policy by clicking the New Connection icon on upper left corner. Label this new connection Corporate.
  2. On Remote Party Identity and Addressing
    1. ID Type: IP Subnet
    2. Subnet: 172.16.10.0
    3. Netmask: 255.255.255.0
    4. Click Connect using Secure Gateway Tunnel
    5. ID Type: IP Address: 1.1.1.1 (Public IP address of the Firewall)
  3. Expand the connection Corporate
    1. Click Security Policy
      1. Select Phase 1 Negotiation Mode: Aggressive
      2. De-Select Enable Perfect Forward Secrecy (PFS)
      3. De-select "Enable Replay Detection"
    2. Click My Identity
      1. Select Certificate: None
      2. ID Type: Email address: sales@ns.com
      3. Click Pre-Shared Key
        1. Click Enter Key
        2. Enter the Pre-shared key sharedikeid
        3. Click OK
    3. Expand Security Policy
      1. Expand Authentication (Phase 1)
        1. Select Proposal 1
        2. Authentication Method: Pre-Shared Key;Extended Authentication
        3. Encryption Alg: Triple DES
        4. Hash Alg: SHA
        5. SA Life: Unspecified
        6. Key Group: Diffie-Hellman Group 2
      2. Expand Key Exchange (Phase 2)
        1. Select Proposal 1
        2. Encrypt Alg. Triple DES
        3. Hash Alg. SHA
        4. Encapsulation: Tunnel
  4. Click Save


How this works:


During Phase 1 negotiation the firewall first authenticates the VPN client by matching the IKE ID and preshared key sent by the client against those configured on the firewall. If they match, the firewall uses XAuth to authenticate the individual user: a login prompt is sent to the remote user between the Phase 1 and Phase 2 IKE negotiations. Only after the user logs on with the correct user name and password do Phase 2 negotiations begin.

Because every client presents the same IKE ID and the same preshared key, that first check only proves membership of the group; accountability, and the ability to revoke a single person, rest entirely on the XAuth step. Remove a user by deleting (or disabling) their XAuth account, and treat the shared preshared key as compromised if any client device is lost: in aggressive mode the IKE ID is sent in the clear and the preshared key can be attacked offline by anyone who captures the exchange, and rotating it means reconfiguring every client. The pre-g2-3des-sha and nopfs-esp-3des-sha proposals are the ones this article uses; where the client supports it, prefer AES, a larger Diffie-Hellman group and PFS.

Once the user is authenticated, the NetScreen-Remote client creates a virtual adapter on the client machine and assigns it an address from the IP pool, in this case VPN Pool. The client can then communicate with the trusted network, and can also receive an IP address and DNS server address from the Juniper firewall.


If you followed the steps above and now need help troubleshooting, refer to the VPN Configuration and Troubleshooting Guide.
