Title: How to Configure a VPN for Interface Failover
Document Number: VPN-4.0.0-DIAL-001
Version: 1.0
OS Ver: ScreenOS 4.0.0-DIAL, 4.0.0-DIAL2
HW Platform this paper applies to: NS5XT
Audience (Internal or External): External
Purpose: This paper walks through the basic procedure for configuring a route-based VPN for interface failover using ScreenOS 4.0.0-DIAL in Trust-Untrust Operational Mode, with the serial modem port as the backup interface.

Description: ScreenOS 4.0.0-DIAL provides physical link redundancy. If the untrust interface link goes down, a backup interface (either the serial modem or the untrust ethernet interface) can take over. Special configuration is required for VPN tunnels to remain up when the interface fails over to the backup and when it reverts back. Note that only route-based VPNs can be used with this physical link redundancy. The procedure is the same for ScreenOS 4.0.0-DIAL2.
Minimum Requirements: For the VPN to work with interface failover via the serial modem, the following minimum requirements must be met before continuing:
• Operational Mode: Trust-Untrust or Home-Work Zone
• Initial Configuration of the NetScreen-5XT as described in the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL or the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL2
Initial Configuration and Topology:
• Serial modem port is used as the failover interface
• Aggressive mode VPN from NetScreen-5XT to NetScreen-50

Configuring Using the WebUI:

Step 1 – Create tunnel.1 interface bound to the Primary Interface
• Go to Network > Interfaces, click New
8/11/2003 Page 1 of 14 TAR Netscreen Technologies, Inc.
• Click Unnumbered
• Select untrust (trust-vr)

Step 2 – Create tunnel.2 interface bound to the Backup Interface
• Go to Network > Interfaces, click New
• Click Unnumbered
• Select serial (trust-vr)
Step 3 – Create Phase 1 IKE for Primary Interface
• Click VPNs > AutoKey Advanced > Gateways
• Click New
• Configure Phase 1 to connect to the static Gateway
• Specify Local ID ns5xt.dial.com, to be used by the remote gateway and specified there as the peer ID
• Select Untrust as the outgoing interface
• Click Advanced
• Under Security Level, click User Defined Custom
• P1 Proposal: pre-g2-3des-sha
• Mode: Aggressive
• Click Return
• Click OK
Step 4 – Create Phase 1 IKE for Failover Interface
• Click VPNs > AutoKey Advanced > Gateways
• Click New
• Configure Phase 1 to connect to the static Gateway
• Specify Local ID ns5xt.dial.com, to be used by the remote gateway and specified there as the peer ID
• Select serial as the outgoing interface
• Click Advanced
• Under Security Level, click User Defined Custom
• P1 Proposal: pre-g2-3des-sha
• Mode: Aggressive
• Click Return
• Click OK
Step 5 – Create Phase 2 for Primary Interface
• Click VPNs > AutoKey
• Click New
• For Remote Gateway, choose Predefined and select NS50
• Click Advanced
• Click Custom
• Choose g2-esp-3des-sha
• Click Bind to Tunnel Interface
• Select tunnel.3
• Click Proxy-ID
• Local: 172.16.1.0/24
• Remote: 10.1.1.0/24
• Click Return
• Click OK

Step 6 – Create Phase 2 for Failover Interface
• Click VPNs > AutoKey
• Click New
• For Remote Gateway, choose Predefined and select NS50
• Click Advanced
• Click Custom
• Choose g2-esp-3des-sha
• Click Bind to Tunnel Interface
• Select tunnel.3
• Click Proxy-ID
• Local: 172.16.1.0/24
• Remote: 10.1.1.0/24
• Click Return
• Click OK
Step 7 – Add Route for Primary Route VPN
• Click Routing > Routing Table
• Click New
• Network Address/Netmask: 172.16.1.0 / 255.255.255.0
• Gateway: Interface tunnel.3
• Click OK

Step 8 – Add Route for Failover Route VPN
• Click Routing > Routing Table
• Click New
• Network Address/Netmask: 172.16.1.0 / 255.255.255.0
• Gateway: Interface tunnel.4
• Click OK
Step 9 – Create Policies for the VPN
• Click Policies
• Select from Trust to Untrust
• Src 10.1.1.0/24
• Dst 172.16.1.0/24
• Service Any
• Action Permit
• Select from Untrust to Trust
• Src 172.16.1.0/24
• Dst 10.1.1.0/24
• Service Any
• Action Permit
Configuring Using the CLI:

Step 1 – Create Tunnel Interfaces
• Create tunnel interfaces for the primary and the backup interface:
ns5xt-> set interface "tunnel.1" zone "untrust"
ns5xt-> set interface "tunnel.2" zone "untrust"
Step 2 – Create IKE Phase 1 for Primary and Backup Interfaces
• Create IKE gateways for both interfaces. All parameters are identical except the name of the gateway and the outgoing interface:
ns5xt-> set ike gateway "NS50" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "untrust" preshare "netscreen" proposal "pre-g2-3des-sha"
ns5xt-> set ike gateway "NS50-backup" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "serial" preshare "netscreen" proposal "pre-g2-3des-sha"
Step 3 – Create IPSec Phase 2 for Primary and Backup Interfaces
• Create an IPSec VPN for both interfaces. All parameters are identical except the gateway referenced and the tunnel interface the VPN is bound to (the VPN names "vpn-primary" and "vpn-backup" are illustrative; the Phase 2 proposal matches the WebUI steps above):
ns5xt-> set vpn "vpn-primary" gateway "NS50" proposal "g2-esp-3des-sha"
ns5xt-> set vpn "vpn-primary" bind interface tunnel.1
ns5xt-> set vpn "vpn-backup" gateway "NS50-backup" proposal "g2-esp-3des-sha"
ns5xt-> set vpn "vpn-backup" bind interface tunnel.2
Step 4 – Add Routes for the VPN Routes
• Add routes for the destination network going through the tunnel interfaces:
ns5xt-> set route 172.16.1.0/24 interface tunnel.1
ns5xt-> set route 172.16.1.0/24 interface tunnel.2

Step 5 – Add Policies
• Add policies for the VPN tunnel in both directions:
ns5xt-> set policy id 3 from "Trust" to "Untrust" "10.1.1.0/24" "172.16.1.0/24" "ANY" Permit log
ns5xt-> set policy id 2 from "Untrust" to "Trust" "172.16.1.0/24" "10.1.1.0/24" "ANY" Permit log
Common Errors
• Make sure the backup or failover Phase 2 definition refers to the appropriate gateway. Check that the failover Phase 2 does not refer to the primary Phase 1.
• Check the route table to ensure there is only one active route per network. An asterisk (*) indicates the active route.
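The two CLI-side mistakes called out above (a backup Phase 2 that references the primary Phase 1 gateway, and a destination that lacks a route over one of the two tunnels) can be caught before deployment by checking the `set` configuration. The following Python script is an added example, not part of this paper or of ScreenOS; it parses a constructed config excerpt built from the paper's commands, with assumed VPN names "vpn-primary" and "vpn-backup", and reports when the tunnels bound to a destination do not cover both the primary and the backup physical interface.

```python
import re
from collections import defaultdict
# Constructed ScreenOS config built from the paper's CLI commands. The VPN names
# "vpn-primary"/"vpn-backup" are assumed, and the backup VPN deliberately points
# at the primary gateway "NS50" to reproduce the common error described above.
CONFIG = """\
set ike gateway "NS50" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "untrust" preshare "netscreen" proposal "pre-g2-3des-sha"
set ike gateway "NS50-backup" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "serial" preshare "netscreen" proposal "pre-g2-3des-sha"
set vpn "vpn-primary" gateway "NS50" proposal "g2-esp-3des-sha"
set vpn "vpn-primary" bind interface tunnel.1
set vpn "vpn-backup" gateway "NS50" proposal "g2-esp-3des-sha"
set vpn "vpn-backup" bind interface tunnel.2
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.1.0/24 interface tunnel.2
"""

GW_RE = re.compile(r'^set ike gateway "([^"]+)" .*outgoing-interface "([^"]+)"')
VPN_GW_RE = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)"')
VPN_BIND_RE = re.compile(r'^set vpn "([^"]+)" bind interface (\S+)')
ROUTE_RE = re.compile(r'^set route (\S+) interface (\S+)')

def parse(config):
    """gateway -> outgoing interface, vpn -> gateway, vpn -> tunnel, network -> tunnels."""
    gw_iface, vpn_gw, vpn_tunnel, routes = {}, {}, {}, defaultdict(set)
    for line in config.splitlines():
        if m := GW_RE.match(line):
            gw_iface[m[1]] = m[2]
        elif m := VPN_GW_RE.match(line):
            vpn_gw[m[1]] = m[2]
        elif m := VPN_BIND_RE.match(line):
            vpn_tunnel[m[1]] = m[2]
        elif m := ROUTE_RE.match(line):
            routes[m[1]].add(m[2])
    return gw_iface, vpn_gw, vpn_tunnel, routes

def check_failover(config, primary="untrust", backup="serial"):
    """Return findings as strings; an empty list means the failover set-up is consistent."""
    gw_iface, vpn_gw, vpn_tunnel, routes = parse(config)
    findings = []
    for gw in sorted(set(gw_iface) - set(vpn_gw.values())):
        findings.append(f"gateway {gw} ({gw_iface[gw]}) is defined but no VPN refers to it")
    # Physical link each tunnel really leaves on = outgoing interface of its VPN's gateway.
    tunnel_phys = {vpn_tunnel[v]: gw_iface[g] for v, g in vpn_gw.items()
                   if v in vpn_tunnel and g in gw_iface}
    # Every destination needs one route over the primary link and one over the backup.
    for net, tunnels in routes.items():
        links = {tunnel_phys.get(t) for t in tunnels}
        for want in (primary, backup):
            if want not in links:
                findings.append(f"{net}: no route via a tunnel whose gateway uses {want}")
    return findings
```

Running `check_failover(CONFIG)` reports the unreferenced "NS50-backup" gateway and the missing serial-backed route for 172.16.1.0/24; pointing "vpn-backup" at "NS50-backup" clears both findings.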
Additional Information:
• For information on configuring route-based VPNs using the Dual Untrust Operational Mode, please see the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL or the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL2
• For information on creating VPNs, please see the NetScreen Concepts & Examples Vol. 4 Virtual Private Networks Guide for ScreenOS 4.0.0
Conclusion: Using an example and actual screenshots, we have shown how to successfully create a VPN with physical link redundancy. Your remote locations and users will now be able to connect via VPN to the local network, and vice versa, with minimal or no packet loss.
Referenced documents:
http://www.netscreen.com/services/support/product/downloads/screen_os/new_dial.pdf
http://www.netscreen.com/services/support/product/downloads/400_dial2_new.pdf
http://www.netscreen.com/services/support/product/downloads/screen_os/ce_v4.pdf