How do I create a Route Based LAN to LAN VPN by using preshared secrets (ScreenOS 6.0 and later)?
This article provides information on how to create a Route Based LAN to LAN VPN by using preshared secrets in ScreenOS 6.x.
Environment:
- Preshared secrets
- Route Based VPN
- Static IP Addresses on both gateways of VPN
- This example assumes that static IP addresses are assigned on both of the VPN devices of the VPN tunnel.
- The tunnel interfaces are created in the Untrust zone.
- The preshared secret used is netscreen.
- The following matrix displays the IP addresses and proposals that are used for this example:
Site A B Untrust IP of Firewall 1.1.1.1 (eth0/0) 2.2.2.1 (eth0/0) Trust Network 10.1.1.0/24 172.16.10.0/24 Phase 1 Proposal pre-g2-3des-sha pre-g2-3des-sha Phase 2 Proposal g2-esp-3des-sha g2-esp-3des-sha
WebUI
Site A:
- Create tunnel interface:
Click Network > Interfaces> List- In upper right corner, select pulldown 'Tunnel IF', and Click New
- Interface Name: tunnel.1
- Zone: Untrust (trust-vr)
- Click unnumbered
- Interface ethernet0/0 (trust-vr) (or whichever interface is in same zone (Untrust) that it can borrow an IP from)
- Click OK
- In upper right corner, select pulldown 'Tunnel IF', and Click New
- Click VPNs > AutoKey Advanced > Gateway
Click New- Gateway Name: Site B GW
- Remote Gateway: Click Static, and enter IP address 2.2.2.1
- Click Advanced
- Preshared Key: netscreen
- Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
- Security Level, User-Defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator):
- Click Return
- Click OK
- Click VPNs > Autokey IKE
Click New- VPN Name: Site B VPN
- Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
- Click Advanced
- Security Level, User Defined: Custom, and select Phase 2 Proposal: g2-esp-3des-sha
- Bind To: Tunnel Interface. Select tunnel.1
- Click Proxy ID
- Local IP/Netmask: 10.1.1.0 / 24
- Remote IP/Netmask: 172.16.10.0 /24
- Service: ANY
- Click VPN Monitor (recommended)
- Click Optimized (recommended)
- Click Rekey (recommended)
- Click Return
- Click OK (Important)
- Click Policy > Policies
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 10.1.1.0/24
- Destination Address: Click New Address, and enter 172.16.10.0/24
- Service: Any
- Action: Permit (Note: Do not select Tunnel or specify Tunnel VPN because this is a route-based VPN configuration)
- Position at Top: Enabled
- Click OK
- Select From Untrust to Trust Zone, and click New
- Source Address: Click New Address, and enter 172.16.10.0/24
- Destination Address: Click New Address, and enter 10.1.1.0/24
- Service: Any
- Action: Permit (Note: Do not select Tunnel or specify Tunnel VPN because this is a route-based VPN configuration)
- Position at Top: Enabled
- Click OK
- Select From Trust to Untrust Zone, and click New
- Create static route for destination network through VPN:
- Click Network > Routing > Destination
- Click New
- Network Address / Netmask: 172.16.10.0 / 255.255.255.0
- Click Gateway
- Interface: tunnel.1
- Click OK
Site B:
- Create tunnel interface:
Click Network > Interfaces> List- In upper right corner, select pulldown 'Tunnel IF', and Click New
- Interface Name: tunnel.1
- Zone: Untrust (trust-vr)
- Click unnumbered
- Interface ethernet0/0 (trust-vr) (or whichever interface is in same zone (Untrust) that it can borrow an IP from)
- Click OK
- In upper right corner, select pulldown 'Tunnel IF', and Click New
- Click VPNs > AutoKey Advanced > Gateway
Click New- Gateway Name: Site A GW
- Remote Gateway: Click Static, and enter IP address 1.1.1.1
- Click Advanced
- Preshared Key: netscreen
- Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
- Security Level, User-Defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator):
- Click Return
- Click OK
- Click VPNs > Autokey IKE
Click New- VPN Name: Site A VPN
- Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
- Click Advanced
- Security Level, User Defined: Custom, and select Phase 2 Proposal: g2-esp-3des-sha
- Bind To: Tunnel Interface. Select tunnel.1
- Click Proxy ID
- Local IP/Netmask: 172.16.10.0/24
- Remote IP/Netmask: 10.1.1.0/24
- Service: ANY
- Click VPN Monitor (recommended)
- Click Optimized (recommended)
- Click Rekey (recommended)
- Click Return
- Click OK (Important)
- Click Policy > Policies
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 172.16.10.0/24
- Destination Address: Click New Address, and enter 10.1.1.0/24
- Service: Any
- Action: Permit (Note: Do not select Tunnel or specify Tunnel VPN because this is a route-based VPN configuration)
- Position at Top: Enabled
- Click OK
- Select From Untrust to Trust Zone, and click New
- Source Address: Click New Address, and enter 10.1.1.0/24
- Destination Address: Click New Address, and enter 172.16.10.0/24
- Service: Any
- Action: Permit (Note: Do not select Tunnel or specify Tunnel VPN because this is a route-based VPN configuration)
- Position at Top: Enabled
- Click OK
- Select From Trust to Untrust Zone, and click New
- Create static route for destination network through VPN:
- Click Network > Routing > Destination
- Click New
- Network Address / Netmask: 10.1.1.0 / 255.255.255.0
- Click Gateway
- Interface: tunnel.1
- Click OK
NOTE:
If the tunnel interface is bound to the trust zone (i.e. you specified Zone Trust in step 1.1.2), then no policies are needed (i.e. step 4), since everything is routed. The VPN communication is effectively a trust to trust policy.
If the tunnel interface is bound to the trust zone (i.e. you specified Zone Trust in step 1.1.2), then no policies are needed (i.e. step 4), since everything is routed. The VPN communication is effectively a trust to trust policy.
CLI
Site A:
- Create tunnel interface
- set int tun.1 zone untrust
- set int tun.1 ip unnumbered interface e0/0
- Set Gateway
- set ike gateway "Site B GW" address 2.2.2.1 outgoing-interface e0/0 preshare netscreen proposal pre-g2-3des-sha
- Set Autokey Ike
- set vpn "Site B VPN" gateway "Site B GW" proposal g2-esp-3des-sha
- set vpn "Site B VPN" bind int tun.1
- set vpn "Site B VPN" proxy-id local-ip 10.1.1.10/24 remote-ip 172.16.10.0/24 any
- set vpn "Site B VPN" monitor optimized rekey
- Set Policies
- set address trust 10.1.1.0/24 10.1.1.0/24
- set address untrust 172.16.10.0/24 172.16.10.0/24
- set policy from trust to untrust 10.1.1.0/24 172.16.10.0/24 any permit
- set policy id xx move before (name of first policy) from trust to untrust
- set policy from untrust to trust 172.16.10.0/24 10.1.1.0/24 any permit
- set policy id xx move before (name of first policy) from untrust to trust
- Create static route
- set route 172.16.10.0/24 int tun.1
- Create tunnel interface
- set int tun.1 zone untrust
- set int tun.1 ip unnumbered interface e0/0
- Set Gateway
- set ike gateway "Site A GW" address 1.1.1.1 outgoing-interface e0/0 preshare netscreen proposal pre-g2-3des-sha
- Set Autokey Ike
- set vpn "Site A VPN" gateway "Site A GW" proposal g2-esp-3des-sha
- set vpn "Site A VPN" bind int tun.1
- set vpn "Site A VPN" proxy-id local-ip 172.16.10.0/24 remote-ip 10.1.1.10/24 any
- set vpn "Site A VPN" monitor optimized rekey
- Set Policies
- set address trust 172.16.10.0/24 172.16.10.0/24
- set address untrust 10.1.1.0/24 10.1.1.0/24
- set policy from trust to untrust 172.16.10.0/24 10.1.1.0/24 any permit
- set policy id xx move before (name of first policy) from trust to untrust
- set policy from untrust to trust 10.1.1.0/24 172.16.10.0/24 any permit
- set policy id xx move before (name of first policy) from untrust to trust
- Create static route
- set route 10.1.1.0/24 int tun.1
If you have performed the following procedure,and need help with troubleshooting, refer to the VPN Configuration & Troubleshooting Guide.
No comments:
Post a Comment