Howto Juniper SSG
From Shrew Soft Inc
Contents
1 Introduction
2 Overview
3 Gateway Configuration
3.1 Create a Phase1 ID
3.2 Create a Local Key Group
3.3 Create an Auto Key Advanced Gateway
3.3.1 Define Advanced Parameters
3.4 Define Xauth Parameters
3.5 Create an Auto Key IKE Gateway
3.5.1 Define Advanced Parameters
3.6 Create a Client Address Pool
3.7 Set Client Configuration Parameters
3.8 Configure IPsec Policies
3.9 Create Local User Accounts
4 Client Configuration
4.1 General Tab
4.2 Phase 1 Tab
4.3 Authentication Tab
4.3.1 Local Identity Tab
4.3.2 Remote Identity Tab
4.3.3 Credentials Tab
4.4 Policy Tab
5 Known Issues
6 Resources
Howto Juniper SSG - Shrew Soft Inc
https://www.shrew.net/support/Howto_Juniper_SSG
1 of 18 15/11/2013 11:00
Introduction
This guide provides information that can be used to configure a Juniper SSG or Netscreen device running firmware version 5.4+ to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been tested with Juniper products to ensure interoperability.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the push configuration method to acquire the following parameters automatically from the gateway.
IP Address
IP Netmask
DNS Servers
WINS Servers
Gateway Configuration
This example assumes you have knowledge of the Juniper gateway Web configuration interface. For more information, please consult your Juniper product documentation.
Create a Phase1 ID
Create a user that is used to define the phase1 ID parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
User Name = vpnclient_ph1id
Status = Enabled
IKE User = Checked
Simple Identity = Selected
IKE ID Type = AUTO
IKE Identity = client.domain.com
Create a Local Key Group
Create a Local Group that can be assigned to an Auto Key Advanced Gateway. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the group name as
vpnclient_group. Also add the vpnclient_ph1id user object as a
group member.
Create an Auto Key Advanced Gateway
Create an auto key advanced gateway to configure the phase1 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
Gateway Name = vpnclient_gateway
Security Level = Custom
Remote Gateway Type = Dialup User Group
Group = vpnclient_group
Preshared Key = mypresharedkey
Local ID = vpngw.domain.com
Define Advanced Parameters
Click the Advanced button and define the following parameters.
Security Level = Custom
Phase 1 Proposal =
pre-g2-3des-sha
pre-g2-3des-md5
pre-g2-aes128-sha
pre-g2-aes128-md5
Mode = Aggressive
Enable NAT-Traversal = Checked
Keepalive Frequency = 20
Peer Status Detection:
DPD = Selected
Interval = 30
Retry = 5
When finished click Return.
Define Xauth Parameters
You will now see your auto key advanced gateway listed. Click on the Xauth button in the Configure column.
Define the following parameters.
Xauth Server = Selected
Allowed Authentication Type = Generic
Local Authentication = Selected
Allow Any = Selected
When finished click OK.
Create an Auto Key IKE Gateway
Create an auto key IKE gateway to configure the phase2 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
VPN Name = vpnclient_tunnel
Security Level = Custom
Remote Gateway Predefined = vpnclient_gateway
Define Advanced Parameters
Click the Advanced button and define the following parameters.
Security Level = Custom
Phase 2 Proposal =
nopfs-esp-3des-sha
nopfs-esp-3des-md5
nopfs-esp-aes128-sha
nopfs-esp-aes128-md5
Replay Protection = Checked
When finished click Return.
Create a Client Address Pool
Create a pool of addresses to be assigned to VPN clients. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define an IP Pool. For example, you could define a pool named vpnclient with a start IP address of 10.2.21.1 and an end address of 10.2.21.254.
Set Client Configuration Parameters
The client configuration parameters are stored in the global Auto Key Advanced XAuth parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Define the following parameters.
Reserve Private IP for XAuth User = 480 minutes
Default Authentication Server = Local
Query Client Settings on Default Server = Unchecked
CHAP = Unchecked
IP Pool Name = vpnclient
DNS Primary Server IP = [ private DNS server address ]
DNS Secondary Server IP = [ private DNS secondary address ]
WINS Primary Server IP = [ private WINS server address ]
WINS Secondary Server IP = [ private WINS secondary address ]
Configure IPsec Policies
The last step for the tunnel configuration is to define policies that allow protected traffic to pass into your private network from the client. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
To create a new IPsec Policy, the from and to zones must be specified. Here an IPsec VPN Client policy is defined: select the following zones and click the New button.
From = Untrust
To = Trust
Define the following parameters.
Name = vpnclient_inbound
Source Address: Address Book Entry = Dial-Up VPN
Destination Address: New Address = 10.1.2.0/24
Service = ANY
Application = None ( means ANY )
Action = Tunnel
Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]
Create Local User Accounts
Create local user accounts that will be used during Xauth. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
User Name = joe ( the xauth user name )
Status = Enable
XAuth User = Checked
User Password = **** ( the xauth user password )
Confirm Password = **** ( the same user password )
When finished press OK.
Client Configuration
The client configuration in this example is straightforward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.
General Tab
The Remote Host section must be configured. The Host Name or IP Address is defined to match the Juniper's public interface address. The Auto Configuration mode should be set to ike config push.
Phase 1 Tab
The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the Auto Key IKE Advanced definition.
Authentication Tab
The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.
Local Identity Tab
The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "client.domain.com" to match the Phase1 User ID value.
Remote Identity Tab
The Remote Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "vpngw.domain.com" to match the Auto Key Advanced Gateway ID value.
Credentials Tab
The Credentials Pre Shared Key is defined as "mypresharedkey" to match the Auto Key Advanced Gateway Preshared Key value.
Policy Tab
The IPsec Policy information must be manually configured when communicating with Juniper gateways. Create an include Topology entry for each IPsec Policy network created on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.
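Every client value in these tabs has to agree with a gateway value set earlier in this guide, and a mismatch usually shows up only as a failed negotiation. The Python below is an added cross-check, my own code rather than Shrew Soft or Juniper code: it restates the guide's gateway and client values in two dicts (the key names are my own) and reports each mismatch, including an XAuth pool that overlaps a protected network.

```python
import ipaddress

# Gateway side: the ScreenOS Web UI values used in this guide (key names are mine).
GATEWAY = {
    "ph1_user_identity": "client.domain.com",  # IKE Identity of user vpnclient_ph1id
    "local_id": "vpngw.domain.com",            # Auto Key Advanced Gateway Local ID
    "preshared_key": "mypresharedkey",
    "mode": "aggressive",
    "phase1_proposals": ["pre-g2-3des-sha", "pre-g2-3des-md5",
                         "pre-g2-aes128-sha", "pre-g2-aes128-md5"],
    "pool": ("10.2.21.1", "10.2.21.254"),      # IP Pool named vpnclient
    "policy_networks": ["10.1.2.0/24"],        # destination of vpnclient_inbound
}

# Client side: the Shrew Soft Access Manager values used in this guide.
CLIENT = {
    "local_identity": "client.domain.com",     # Local Identity, FQDN
    "remote_identity": "vpngw.domain.com",     # Remote Identity, FQDN
    "preshared_key": "mypresharedkey",
    "exchange_type": "aggressive",
    "dh_group": 2,
    "topology_include": ["10.1.2.0/24"],
}

def check_site(gw, cl):
    """Return the list of gateway/client mismatches (empty when consistent)."""
    problems = []
    if cl["local_identity"] != gw["ph1_user_identity"]:
        problems.append("client Local Identity != gateway IKE Identity")
    if cl["remote_identity"] != gw["local_id"]:
        problems.append("client Remote Identity != gateway Local ID")
    if cl["preshared_key"] != gw["preshared_key"]:
        problems.append("pre-shared key mismatch")
    if cl["exchange_type"] != gw["mode"]:
        problems.append("exchange type != gateway IKE mode")
    # ScreenOS proposal names carry the DH group as the 'g<n>' token; the
    # client's single DH group must appear in at least one offered proposal.
    offered = {int(p.split("-")[1][1:]) for p in gw["phase1_proposals"]}
    if cl["dh_group"] not in offered:
        problems.append(f"client DH group {cl['dh_group']} not offered by gateway")
    # Each network protected by a gateway policy needs a client topology entry.
    want = {ipaddress.ip_network(n) for n in gw["policy_networks"]}
    have = {ipaddress.ip_network(n) for n in cl["topology_include"]}
    for net in sorted(want - have):
        problems.append(f"policy network {net} missing from client topology")
    # The XAuth address pool must not be carved out of a protected network.
    start, end = (ipaddress.ip_address(a) for a in gw["pool"])
    for net in sorted(want):
        if net[0] <= end and start <= net[-1]:
            problems.append(f"IP pool overlaps policy network {net}")
    return problems
```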
Known Issues
None reported.
Resources
Media:juniperssg.vpn.txt
Retrieved from "https://www.shrew.net/support/index.php?title=Howto_Juniper_SSG&oldid=349"