A route-based VPN is built between two Juniper firewalls:
Katowice – SSG140 ScreenOS 6.1.0r7.0
Warsaw – Netscreen 5GT – ScreenOS 5.4.0r10.0
REMOTE SITE (WARSAW) – firewall with a dynamic IP
- configure vpn zone
ns5gt-adsl-> set zone name VPN
a dedicated zone for the VPN keeps the configuration clean
- configure tunnel interface
ns5gt-adsl-> set interface tunnel.1 zone VPN
ns5gt-adsl-> set interface tunnel.1 ip unnumbered interface untrust
the tunnel interface is unnumbered because no NAT etc. is needed on it
tunnel.1 is placed in zone VPN and borrows the IP address of interface untrust
- configure IPSEC P1 proposal
ns5gt-adsl-> set ike p1-proposal Katowice-p1 preshare group2 esp aes256 sha-1
Phase 1 proposal – the default lifetime is 28800 seconds
- configure IPSEC P2 proposal
ns5gt-adsl-> set ike p2-proposal Katowice-p2 group2 esp aes256 sha-1
Phase 2 proposal – the default lifetime is 3600 seconds
- configure ike gateway
ns5gt-adsl-> set ike gateway "to_Katowice" address 1.1.1.1 aggressive local-id warsaw.corp.com outgoing-interface Untrust preshare secret proposal Katowice-p1
1.1.1.1 – external IP of the VPN terminator in Katowice
mode – aggressive! Warsaw has a dynamic IP, so it identifies itself by FQDN instead of by address, and with a preshared key that requires aggressive mode
local-id warsaw.corp.com – must be specified; this is the ID the Katowice side will expect
- configure vpn
ns5gt-adsl-> set vpn Katowice gateway to_Katowice proposal Katowice-p2
ns5gt-adsl-> set vpn Katowice proxy-id local-ip 10.20.16.0/21 remote-ip 10.0.0.0/8 any
proxy-id (encryption domain) – what traffic is allowed through the tunnel – must match on both ends (local and remote mirrored)
- assign vpn to interface tunnel.1
ns5gt-adsl-> set vpn Katowice bind interface tunnel.1
- configure routing
ns5gt-adsl-> set route 10.0.0.0/8 interface tunnel.1
all traffic destined for 10.0.0.0/8 will be pushed to the new tunnel interface (VPN)
- configure policy
ns5gt-adsl-> set address VPN 10.0.0.0/8 10.0.0.0/8 corporate_network
define the address object in zone VPN (the zone the policies below reference; the syntax is zone, name, address, comment)
ns5gt-adsl-> set policy from Trust to VPN 10.20.16.0/21 10.0.0.0/8 any permit log
policy allows traffic from Trust zone to VPN zone (from Warsaw network to corporate network)
ns5gt-adsl-> set policy from VPN to Trust 10.0.0.0/8 10.20.16.0/21 any permit log
policy allows traffic from VPN zone to Trust zone (from corporate network to Warsaw network)
CORPORATE HQ (KATOWICE) – fixed IP
- configure new zone (for the internal VPN)
-> set zone name VPN
- configure tunnel interface
-> set interface tunnel.3 zone VPN
-> set interface tunnel.3 ip unnumbered interface ethernet0/9
ethernet0/9 is connected to the Internet
- configure vpn
-> set ike p1-proposal Warsaw-p1 preshare group2 esp aes256 sha-1
the Phase 1 proposal needs the authentication method (preshare), the same as on the Warsaw side
-> set ike p2-proposal Warsaw-p2 group2 esp aes256 sha-1
-> set ike gateway to_Warsaw dynamic warsaw.corp.com aggressive outgoing-interface ethernet0/9 preshare secret proposal Warsaw-p1
ethernet0/9 is connected to the Internet
warsaw.corp.com – peer-id – must match the local-id on the Warsaw firewall
-> set vpn Warsaw gateway to_Warsaw proposal Warsaw-p2
-> set vpn Warsaw proxy-id local-ip 10.0.0.0/8 remote-ip 10.20.16.0/21 any
- bind vpn to interface "tunnel.3"
-> set vpn Warsaw bind interface tunnel.3
- configure routing
-> set route 10.20.16.0/21 interface tunnel.3
- enable VPN monitoring, optimized mode and rekey
-> set vpn "Warsaw" monitor source-interface ethernet0/9 optimized rekey
monitor probes the tunnel from ethernet0/9 and marks it down when the probes fail; optimized treats incoming tunnel traffic as proof that the peer is alive, so probes are only sent when the tunnel is idle; rekey re-establishes the SAs when monitoring detects a failure instead of waiting for new traffic
- configure policy
-> set address VPN 10.20.16.0/21 10.20.16.0/21 Warsaw
-> set policy from Trust to VPN 10.0.0.0/8 10.20.16.0/21 any permit log
-> set policy from VPN to Trust 10.20.16.0/21 10.0.0.0/8 any permit log
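Proposals, proxy-ids and IKE identities have to agree on both firewalls, and a mismatch is the usual reason a tunnel like this one never comes up. As an added example (not part of the original post), the Python below reads the relevant set lines from both sides, embedded as constructed samples copied from the commands above, and reports any value that does not mirror the peer; the parser only understands the keywords this post uses and assumes one VPN per side.

```python
# Constructed sample: the "set" lines that define the tunnel on each firewall in this post.
WARSAW = """\
set ike p1-proposal Katowice-p1 preshare group2 esp aes256 sha-1
set ike p2-proposal Katowice-p2 group2 esp aes256 sha-1
set ike gateway to_Katowice address 1.1.1.1 aggressive local-id warsaw.corp.com outgoing-interface Untrust preshare secret proposal Katowice-p1
set vpn Katowice gateway to_Katowice proposal Katowice-p2
set vpn Katowice proxy-id local-ip 10.20.16.0/21 remote-ip 10.0.0.0/8 any"""
KATOWICE = """\
set ike p1-proposal Warsaw-p1 preshare group2 esp aes256 sha-1
set ike p2-proposal Warsaw-p2 group2 esp aes256 sha-1
set ike gateway to_Warsaw dynamic warsaw.corp.com aggressive outgoing-interface ethernet0/9 preshare secret proposal Warsaw-p1
set vpn Warsaw gateway to_Warsaw proposal Warsaw-p2
set vpn Warsaw proxy-id local-ip 10.0.0.0/8 remote-ip 10.20.16.0/21 any"""

def after(tok, key):  # token following a keyword in a split ScreenOS line, or None
    return tok[tok.index(key) + 1] if key in tok else None

def summary(config):
    """Reduce one side's config to the values its peer must match (one VPN per side here)."""
    p1, p2, gw, vpn = {}, {}, {}, {}
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[1:3] == ["ike", "p1-proposal"]:
            p1[tok[3]] = tuple(tok[5:9])  # group, esp, cipher, hash; tok[4] is the auth method
        elif tok[1:3] == ["ike", "p2-proposal"]:
            p2[tok[3]] = tuple(tok[4:8])
        elif tok[1:3] == ["ike", "gateway"]:
            gw[tok[3]] = {"mode": "aggressive" if "aggressive" in tok else "main",
                          "p1": after(tok, "proposal"), "local_id": after(tok, "local-id"),
                          "peer_id": after(tok, "dynamic")}
        elif tok[1] == "vpn" and tok[3] == "gateway":
            vpn.update(gw=tok[4], p2=after(tok, "proposal"))
        elif tok[1] == "vpn" and tok[3] == "proxy-id":
            vpn.update(local=after(tok, "local-ip"), remote=after(tok, "remote-ip"), svc=tok[-1])
    g = gw[vpn["gw"]]
    return {"p1": p1[g["p1"]], "p2": p2[vpn["p2"]], "mode": g["mode"], "svc": vpn["svc"],
            "local": vpn["local"], "remote": vpn["remote"],
            "local_id": g["local_id"], "peer_id": g["peer_id"]}

def mismatches(cfg_a, cfg_b):
    """Cross-check both ends of one tunnel; an empty list means they agree."""
    a, b = summary(cfg_a), summary(cfg_b)
    out = [f"{k}: {a[k]} != {b[k]}" for k in ("p1", "p2", "mode", "svc") if a[k] != b[k]]
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("proxy-id: the two encryption domains are not mirror images")
    # the FQDN the fixed-IP end expects (peer-id) must equal the local-id the dynamic end sends
    sent, expected = a["local_id"] or b["local_id"], a["peer_id"] or b["peer_id"]
    if sent != expected:
        out.append(f"identity: local-id {sent} != peer-id {expected}")
    return out
```

mismatches(WARSAW, KATOWICE) returns an empty list for the two configs above; change any proposal value, proxy-id or FQDN in the samples to see the corresponding complaint.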
Check the VPN tunnel
-> get sa
00000080< 2.2.2.2 500 esp:a256/sha1 84f2deac 3498 unlim A/- -1 0
00000080> 2.2.2.2 500 esp:a256/sha1 f35016f9 3498 unlim A/- -1 0
both SAs (inbound and outbound) show status A (active) – the VPN is established
dzbanek 2013-01-22