
Howto Juniper SSG - Shrew Soft Inc

Nov 08, 2015

    Howto Juniper SSG

    From Shrew Soft Inc

    Howto Juniper SSG - Shrew Soft Inc https://www.shrew.net/support/Howto_Juniper_SSG
    15/11/2013 11:00

    Contents

    1 Introduction
    2 Overview
    3 Gateway Configuration
      3.1 Create a Phase1 ID
      3.2 Create a Local Key Group
      3.3 Create an Auto Key Advanced Gateway
        3.3.1 Define Advanced Parameters
      3.4 Define Xauth Parameters
      3.5 Create an Auto Key IKE Gateway
        3.5.1 Define Advanced Parameters
      3.6 Create a Client Address Pool
      3.7 Set Client Configuration Parameters
      3.8 Configure IPsec Policies
      3.9 Create Local User Accounts
    4 Client Configuration
      4.1 General Tab
      4.2 Phase 1 Tab
      4.3 Authentication Tab
        4.3.1 Local Identity Tab
        4.3.2 Remote Identity Tab
        4.3.3 Credentials Tab
      4.4 Policy Tab
    5 Known Issues
    6 Resources

    Introduction

    This guide provides information that can be used to configure a Juniper SSG or Netscreen device running firmware version 5.4+ to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been tested with Juniper products to ensure interoperability.

    Overview

    The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the push configuration method to acquire the following parameters automatically from the gateway.

    IP Address
    IP Netmask
    DNS Servers
    WINS Servers

    Gateway Configuration

    This example assumes you have knowledge of the Juniper gateway Web configuration interface. For more information, please consult your Juniper product documentation.

    Create a Phase1 ID

    Create a user that is used to define the phase1 id parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the following parameters.

    User Name = vpnclient_ph1id
    Status = Enabled
    IKE User = Checked
      Simple Identity = Selected
      IKE ID Type = AUTO
      IKE Identity = client.domain.com

    Create a Local Key Group

    Create a Local Group that can be assigned to an Auto Key Advanced Gateway. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the group name as vpnclient_group. Also add the vpnclient_ph1id user object as a group member.

    Create an Auto Key Advanced Gateway

    Create an auto key advanced gateway to configure the phase1 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the following parameters.

    Gateway Name = vpnclient_gateway
    Security Level = Custom
    Remote Gateway Type = Dialup User Group
    Group = vpnclient_group
    Preshared Key = mypresharedkey
    Local ID = vpngw.domain.com

    Define Advanced Parameters

    Click the Advanced button and define the following parameters.

    Security Level - Custom
    Phase 1 Proposal
      pre-g2-3des-sha
      pre-g2-3des-md5
      pre-g2-aes128-sha
      pre-g2-aes128-md5
    Mode = Aggressive
    Enable NAT-Traversal = Checked
      Keepalive Frequency = 20
    Peer Status Detection
      DPD = Selected
      Interval = 30
      Retry = 5

    When finished click Return.

    Define Xauth Parameters

    You will now see your auto key advanced gateway listed. Click on the Xauth button in the Configure column.

    Define the following parameters.

    Xauth Server = Selected
    Allowed Authentication Type = Generic
    Local Authentication = Selected
    Allow Any = Selected

    When finished click OK.

    Create an Auto Key IKE Gateway

    Create an auto key IKE gateway to configure the phase2 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the following parameters.

    VPN Name = vpnclient_tunnel
    Security Level = Custom
    Remote Gateway Predefined = vpnclient_gateway

    Define Advanced Parameters

    Click the Advanced button and define the following parameters.

    Security Level = Custom
      nopfs-esp-3des-sha
      nopfs-esp-3des-md5
      nopfs-esp-aes128-sha
      nopfs-esp-aes128-md5

    Replay Protection = Checked

    When finished click Return.
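
    As an added example (not part of the original guide and not Shrew Soft or Juniper code), the following Python script splits the Phase 1 and Phase 2 proposal names listed in the two Define Advanced Parameters steps into their fields and reports which ones fall below a review baseline. The baseline values and the g<N> PFS prefix are assumptions, not taken from this page.

```python
import re

# Proposal names copied from the two "Define Advanced Parameters" lists on this page.
PHASE1 = ["pre-g2-3des-sha", "pre-g2-3des-md5", "pre-g2-aes128-sha", "pre-g2-aes128-md5"]
PHASE2 = ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
          "nopfs-esp-aes128-sha", "nopfs-esp-aes128-md5"]

# Name layouts inferred from the names above. The "g<N>" PFS prefix for
# phase 2 is an assumption; the page only lists "nopfs" names.
P1_RE = re.compile(r"^pre-g(\d+)-([a-z0-9]+)-([a-z0-9]+)$")
P2_RE = re.compile(r"^(nopfs|g\d+)-esp-([a-z0-9]+)-([a-z0-9]+)$")

# Assumed review baseline (not from the page); adjust to your own policy.
WEAK_CIPHERS, WEAK_HASHES, MIN_DH_GROUP = {"des", "3des"}, {"md5"}, 14

def parse_proposal(name):
    """Split a proposal name into fields; raise ValueError if it does not fit."""
    m = P1_RE.match(name)
    if m:
        return {"phase": 1, "dh": int(m[1]), "cipher": m[2], "hash": m[3]}
    m = P2_RE.match(name)
    if m:
        pfs = None if m[1] == "nopfs" else int(m[1][1:])
        return {"phase": 2, "pfs": pfs, "cipher": m[2], "hash": m[3]}
    raise ValueError(f"unrecognised proposal name: {name!r}")

def findings(name, aggressive=False):
    """Return the baseline deviations for one proposal, in a fixed order."""
    p = parse_proposal(name)
    out = []
    if p["cipher"] in WEAK_CIPHERS:
        out.append(f"cipher {p['cipher']}")
    if p["hash"] in WEAK_HASHES:
        out.append(f"hash {p['hash']}")
    if p["phase"] == 1:
        if p["dh"] < MIN_DH_GROUP:
            out.append(f"DH group {p['dh']}")
        if aggressive:  # pre-shared key negotiated in aggressive mode
            out.append("aggressive mode with PSK")
    elif p["pfs"] is None:
        out.append("no PFS")
    return out

def audit(phase1=PHASE1, phase2=PHASE2, aggressive=True):
    """Map every proposal to its findings; Mode = Aggressive as set on this page."""
    report = {n: findings(n, aggressive) for n in phase1}
    report.update({n: findings(n) for n in phase2})
    return report
```

    Calling audit() returns a dictionary keyed by proposal name, so the proposals with the fewest findings can be kept and the rest removed from the gateway lists.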

    Create a Client Address Pool

    Create a pool of addresses to be assigned to VPN clients. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define an IP Pool. For example, you could define a pool named vpnclient with a start IP address of 10.2.21.1 and an end address of 10.2.21.254.

    Set Client Configuration Parameters

    The client configuration parameters are stored in the global Auto Key Advanced XAuth parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Define the following parameters.

    Reserve Private IP for XAuth User - 480 minutes
    Default Authentication Server = Local
    Query Client Settings on Default Server - Unchecked
    CHAP - Unchecked
    IP Pool Name = vpnclient
    DNS Primary Server IP = [ private DNS server address ]
    DNS Secondary Server IP = [ private DNS secondary address ]
    WINS Primary Server IP = [ private WINS server address ]
    WINS Secondary Server IP = [ private WINS secondary address ]

    Configure IPsec Policies

    The last step for the tunnel configuration is to define policies that allow protected traffic to pass into your private network from the client. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    To create a new IPsec Policy, the from and to zones must be specified. An IPsec VPN Client policy is defined. Select the following zones and click the New button.

    From = Untrust
    To = Trust

    Define the following parameters.

    Name = vpnclient_inbound
    Source Address
      Address Book Entry = Dial-UP VPN
    Destination Address
      New Address = 10.1.2.0/24
    Service = ANY
    Application = None ( means ANY )
    Action = Tunnel
    Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]

    Create Local User Accounts

    Create local user accounts that will be used during Xauth. Navigate to the following screen using the tree pane on the left hand side of the browser interface.

    Click the New button and define the following parameters.

    User Name - joe ( the xauth user name )
    Status - Enable
    XAuth User - Checked
      User Password - **** ( the xauth user password )
      Confirm Password - **** ( the same user password )

    When finished press OK.

    Client Configuration

    The client configuration in this example is straightforward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.

    General Tab

    The Remote Host section must be configured. This Host Name or IP Address is defined to match the Juniper's public interface address. The Auto Configuration mode should be set to ike config push.

    Phase 1 Tab

    The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the Auto Key IKE Advanced definition.

    Authentication Tab

    The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.

    Local Identity Tab

    The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "client.domain.com" to match the Phase1 User ID value.

    Remote Identity Tab

    The Remote Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "vpngw.domain.com" to match the Auto Key Advanced Gateway ID value.

    Credentials Tab

    The Credentials Pre Shared Key is defined as "mypresharedkey" to match the Auto Key Advanced Gateway Preshared Key value.

    Policy Tab

    The IPsec Policy information must be manually configured when communicating with Juniper gateways. Create an include Topology entry for each IPsec Policy network created on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.

    Known Issues

    None reported.

    Resources

    Media:juniperssg.vpn.txt

    Retrieved from "https://www.shrew.net/support/index.php?title=Howto_Juniper_SSG&oldid=349"
