Setup Juniper SSG or Netscreen to support IPsec VPN client connectivity with Shrew Soft VPN Client
Introduction
This guide provides information that can be used to configure a Juniper SSG or Netscreen device running firmware version 5.4+ to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been tested with Juniper products to ensure interoperability.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the push configuration method to acquire the following parameters automatically from the gateway.
- IP Address
- IP Netmask
- DNS Servers
- WINS Servers
Gateway Configuration
Create a Phase1 ID
Create a user that is used to define the phase1 id parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
- User Name = vpnclient_ph1id
- Status = Enabled
- IKE User = Checked
- Simple Identity = Selected
- IKE ID Type = AUTO
- IKE Identity = client.domain.com
Create a Local Key Group
Create a Local Group that can be assigned to an Auto Key Advanced Gateway. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the group name as vpnclient_group. Also add the vpnclient_ph1id user object as a group member.
Create an Auto Key Advanced Gateway
Create an auto key advanced gateway to configure the phase1 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
- Gateway Name = vpnclient_gateway
- Security Level = Custom
- Remote Gateway Type = Dialup User Group
- Group = vpnclient_group
- Preshared Key = mypresharedkey
- Local ID = vpngw.domain.com
Define Advanced Parameters
Click the Advanced button and define the following parameters.
- Security Level – Custom
- Phase 1 Proposal
- pre-g2-3des-sha
- pre-g2-3des-md5
- pre-g2-aes128-sha
- pre-g2-aes128-md5
- Phase 1 Proposal
- Mode = Aggressive
- Enable NAT-Traversal = Checked
- Keepalive Frequency = 20
- Peer Status Detection
- DPD = Selected
- Interval = 30
- Retry = 5
- DPD = Selected
When finished click Return.
Define Xauth Parameters
You will now see your auto key advanced gateway listed. Click non the Xauth button in the Configure column.
Define the following parameters.
- Xauth Server = Selected
- Allowed Authentication Type = Generic
- Local Authentication = Selected
- Allow Any = Selected
When finished click OK.
Create an Auto Key IKE Gateway
Create an auto key IKE gateway to configure the phase2 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Clicking the New button and define the following parameters.
- VPN Name = vpnclient_tunnel
- Security Level = Custom
- Remote Gateway Predefined = vpnclient_gateway
Define Advanced Parameters
Click the Advanced button and define the following parameters.
- Security Level = Custom
- nopfs-esp-3des-sha
- nopfs-esp-3des-md5
- nopfs-esp-aes128-sha
- nopfs-esp-aes128-md5
- Replay Protection = Checked
When finished click Return.
Create a Client Address Pool
Create a pool of addresses to be assigned to VPN clients. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Clicking the New button and define an IP Pool. For example, you could define a pool named vpnclient with a start IP address of 10.2.21.1 and and end address of 10.2.21.254.
Set Client Configuration Parameters
The client configuration parameters are stored in the global Auto Key Advanced XAuth parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Define the following parameters.
- Reserve Private IP for XAuth User – 480 minutes
- Default Authentication Server = Local
- Query Client Settings on Default Server – Unchecked
- CHAP – Unchecked
- IP Pool Name = vpnclient
- DNS Primary Server IP = [ private DNS server address ]
- DNS Secondary Server IP = [ private DNS secondary address ]
- WINS Primary Server IP = [ private WINS server address ]
- WINS Secondary Server IP = [ private WINS secondary address ]
Configure IPsec Policies
The last step for the tunnel configuration is to define policies that allow protected traffic to pass into your private network from the client. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
To create a new IPsec Policy, the from and to zones must be specified. An IPsec VPN Client policy is defined. Select the following zones and click the New button.
- From = Untrust
- To = Trust
Define the following parameters.
- Name = vpnclient_inbound
- Source Address
- Address Book Entry = Dial-UP VPN
- Destination Address
- New Address = 10.1.2.0/24
- Service = ANY
- Application = None ( means ANY )
- Action = Tunnel
- Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]
Create Local User Accounts
Create local user accounts that will be used during Xauth. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the new button and define the following parameters.
- User Name – joe ( the xauth user name )
- Status – Enable
- XAuth User – Checked
- User Password – **** ( the xauth user password )
- Confirm Password – **** ( the same user password )
When finished press OK.
Client Configuration
The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.
General Tab
The Remote Host section must be configured. This Host Name or IP Address is defined to match the Junipers public interface address. The Auto Configuration mode should be set to ike config push.
Phase 1 Tab
The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the Auto Key IKE Advanced definition.
Authentication Tab
The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.
Local Identity Tab
The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of “client.domain.com” to match the Phase1 User ID value.
Remote Identity Tab
The Remote Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of “vpngw.domain.com” to match the Auto Key Advanced Gateway ID value.
Credentials Tab
The Credentials Pre Shared Key is defined as “mypresharedkey” to match the Auto Key Advanced Gateway Preshared Key value.
Policy Tab
The IPsec Policy information must be manually configured when communicating with Juniper gateways. Create an include Topology entry for each IPsec Policy network created on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.
More Info
http://www.the-internet-guy.com/pdf/Juniper_firewall_setup_for_Shrewsoft_VPN_connectivity.pdf
http://www.the-internet-guy.com/pdf/Shrew_VPN_Client_Setup_for_Juniper_Connectivity.pdf
Categorised as: Juniper
Leave a Reply
You must be logged in to post a comment.