VPN Configuration Guide

Juniper Networks NetScreen / SSG / ISG Series

equinux AG and equinux USA, Inc.

Apple, the Apple logo, iBook, Mac, Mac OS, MacBook, PowerBook are trademarks of
Apple Computer, Inc., registered in the U.S. and other countries.

© 2009 equinux USA, Inc. All rights reserved.
Juniper Networks, NetScreen, and ScreenOS are registered trademarks of Juniper
Networks, Inc. in the U.S. and other countries.

Under the copyright laws, this manual may not be copied, in whole or in part, without
the written consent of equinux AG or equinux USA, Inc. Your rights to the software are
governed by the accompanying software license agreement.

equinux shall have absolutely no liability for any direct or indirect, special or
other consequential damages in connection with the use of the quick setup guide
or any change to the router generally, including without limitation, any lost
profits, business, or data, even if equinux has been advised of the possibility of
such damages.

The equinux logo is a trademark of equinux AG and equinux USA, Inc., registered in the
U.S. and other countries.
Every effort has been made to ensure that the information in this manual is accurate.
equinux is not responsible for printing or clerical errors.
www.equinux.com

Contents

Introduction ........................................................ 5
  Important Prerequisites ........................................... 6
  Scenario .......................................................... 7
  Terminology ....................................................... 8

My VPN Gateway Configuration ........................................ 9

Task 1 – Configure Your VPN Gateway ................................ 10
  Step 1 – Set up an IP address pool ............................... 10
  Step 2 – Create a Shared IKE User ................................ 12
  Step 3 – Create a Group for the Shared IKE User .................. 13
  Step 4 – Create Extended Authentication (XAUTH) Users ............ 14
  Step 5 – Configure the XAUTH Settings ............................ 15
  Step 6 – Configure the Phase 1 Settings (Gateway Settings) ....... 16
  Step 7 – Configure the Phase 2 Settings (VPN Settings) ........... 19
  Step 8 – Add a Policy ............................................ 21
  Step 9 – Find Your VPN Gateway’s Public IP Address ............... 22

Task 2 – Configure VPN Tracker ..................................... 23
  Step 1 – Create a New Connection ................................. 23
  Step 2 – Configure the VPN Connection ............................ 24

Task 3 – Test the VPN Connection ................................... 25
  It’s time to go out! ............................................. 25
  Start your connection ............................................ 25

Supporting Multiple Users .......................................... 28
  Adding Users on the VPN Gateway .................................. 28
  Deploying VPN Connections to Your Users .......................... 29

Troubleshooting .................................................... 30
  VPN Connection Fails to Establish ................................ 30
  No Access to the Remote Network .................................. 31

Appendix ........................................................... 33
  Predefined Security Levels ....................................... 33

Introduction

This document describes how VPN Tracker can be used to establish a connection between a Mac running Mac OS X and a Juniper Networks firewall/IPsec VPN device running the ScreenOS firmware.

Note
This documentation is only a supplement to, not a replacement for, the instructions included with your firewall/IPsec VPN device. Please be sure to read those instructions and understand them before starting.

VPN Gateway Configuration
The first part of this guide will show you how to configure a VPN tunnel on your Juniper Networks firewall/IPsec VPN device.

VPN Tracker Configuration
In the second part, this guide will show you how to configure VPN Tracker to easily connect to your newly created VPN tunnel.

Troubleshooting
Troubleshooting tips can be found in the last part of this guide. We have also included an appendix with additional useful information.

Tip
If you are setting up VPN on your device for the first time, we strongly recommend you start out with the tutorial-style setup in the first and second part of this document. Your device’s configuration has strong interdependencies between settings, so it is recommended to follow the order laid out in this guide when setting up the device.

Important Prerequisites

Your VPN Gateway
‣ This guide applies to the following Juniper Networks firewall/IPsec VPN devices running ScreenOS (see http://www.vpntracker.com/interop for details):
  • SSG series
  • ISG series
  • NetScreen series¹
‣ Make sure you have the newest ScreenOS version installed that is available for your device. This guide is based on ScreenOS 6.2. If you are using a different ScreenOS version, some settings may look different. Wherever we are aware of these differences, we have noted them in italics next to the affected setting.

Your Mac
‣ VPN Tracker runs on Mac OS X 10.4 or 10.5
‣ The configuration described in this guide requires at least VPN Tracker 6.2. Make sure you have all available updates installed. The latest VPN Tracker release can always be obtained from http://www.vpntracker.com

¹ The most recent ScreenOS version may not be available for your NetScreen device. In that case, you should be running the latest ScreenOS version available for your particular device.

Scenario

In our example, we need to connect an employee’s Mac to an office network. The following diagram illustrates this scenario:

[Diagram: Mac running VPN Tracker — VPN Connection — Juniper Networks VPN Gateway (vpn.example.com) — Office Network 192.168.13.0 / 255.255.255.0]

This guide assumes that the Mac running VPN Tracker already has internet connectivity. The office’s NetScreen (or SSG, or ISG) device (the “VPN gateway”) is also already connected to the Internet and can be accessed through a static IP address or DNS host name. In our example setup, we will be using a host name: vpn.example.com.

The VPN gateway has a second network interface which is connected to the internal office network (LAN). In our example, the office network has the IP range 192.168.13.0/24 (which is the same as 192.168.13.0/255.255.255.0). This is the network that will be accessed from the employee’s Mac through the VPN. It is called the “Remote Network” in VPN Tracker.

Terminology

A VPN connection is often called a “tunnel” (or “VPN tunnel”). Every VPN tunnel is established between two “endpoints” (or “peers”). In our example one endpoint is VPN Tracker and the other endpoint is the VPN gateway.

Please note that for each endpoint, the settings on the other endpoint are considered to be “remote”, while its own settings are considered to be “local”. That means a “local” setting from VPN Tracker’s perspective is a “remote” setting from the VPN gateway’s perspective, and vice versa.

The sample configuration described in this guide is called a “Host to Network” configuration: A single computer, called a “Host”, establishes a VPN tunnel to an entire “Network” behind the VPN gateway.

My VPN Gateway Configuration

Throughout this guide, there are certain pieces of information that are needed later on for configuring VPN Tracker. This information is marked with red numbers to make it easier to reference it later. You can print out this form to help keep track of the various settings of your Juniper Networks device.

➊ IKE Identity: ____________________
➋ XAUTH User Name: ____________________
➌ XAUTH Password: ____________________
➍ Pre-Shared Key: ____________________
➎ Remote Network: ___.___.___.___ / ___.___.___.___
➏ VPN Gateway’s Public (WAN) IP Address: ___.___.___.___ or hostname ____________________

Task 1 – Configure Your VPN Gateway

The ScreenOS configuration interface is quite complex and may be a bit daunting at first. If you are unfamiliar with the device’s configuration, try to keep to these configuration steps as closely as possible, and in the order outlined in this document. They will provide you with a VPN configuration that works well – for one user, or your entire company.

‣ If you have not already done so, log into your device’s web configuration interface now.

Note
At the time of writing, the ScreenOS web configuration interface did not work very well with the Safari web browser. Should you encounter any problems with the web configuration interface, you might want to try using a different web browser for this task.

Step 1 – Set up an IP address pool

The “virtual” IP addresses VPN clients use on the device’s LAN are distributed from the IP address pool that you will configure in this step.

‣ Go to the section “Objects > IP Pools”
‣ Click “New”
‣ IP Pool Name: Enter a name that will allow you to recognize this IP pool later
‣ Start IP: Enter the first IP address in the range of IP addresses the IP pool should contain. Refer to the guidelines below when selecting a range suitable for your particular scenario.
‣ End IP: Enter the last IP address in the range of IP addresses the IP pool should contain.
‣ Click “OK” to save your new IP address pool

Guidelines for selecting a suitable range of IP addresses:
‣ The range of IP addresses must come from one of the IP address ranges that are reserved for internal use (“private subnets”)
‣ The range of IP addresses may not overlap with any of the networks used on your VPN gateway device; in particular, it may not be part of the LAN. It should also not be used by any of the resources (servers etc.) that are being accessed through the VPN
‣ The address pool must contain enough IP addresses to supply an IP address to each possible user of the VPN connection. If multiple logins for the same user are to be permitted, additional IP addresses must be available. It is usually a good idea to choose the pool to be at least twice as large as the maximum number of expected users.

Private Subnets
‣ 10.0.0.0 – 10.255.255.255
‣ 172.16.0.0 – 172.31.255.255
‣ 192.168.0.0 – 192.168.255.255
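The three guidelines above can be checked mechanically before a pool is typed into the ScreenOS interface. The following Python script is an added example and not part of the equinux guide; it uses the 192.168.13.0/24 office network from the Scenario section, while the pool range (10.20.30.100–10.20.30.199), the resource address and the user count are constructed values for illustration.

```python
import ipaddress

# The three private ranges listed in the guide's "Private Subnets" box.
PRIVATE_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 - 192.168.255.255
]


def pool_addresses(start, end):
    """Expand a Start IP / End IP pair into the individual addresses it covers."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if last < first:
        raise ValueError("End IP must not precede Start IP")
    return [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]


def validate_pool(start, end, gateway_networks, resource_hosts,
                  expected_users, logins_per_user=1):
    """Apply the guide's three guidelines to a candidate pool.

    Returns a list of problems; an empty list means the pool is acceptable.
    gateway_networks: networks configured on the VPN gateway (LAN etc.), CIDR strings
    resource_hosts:   addresses of servers reached through the VPN
    expected_users:   maximum number of users; logins_per_user > 1 if the same
                      user may be logged in more than once at a time
    """
    problems = []
    addrs = pool_addresses(start, end)

    # Guideline 1: every address must lie in a private subnet.
    if not all(any(a in net for net in PRIVATE_SUBNETS) for a in addrs):
        problems.append("pool contains addresses outside the private subnets")

    # Guideline 2: no overlap with the gateway's networks or with accessed resources.
    nets = [ipaddress.ip_network(n) for n in gateway_networks]
    if any(a in net for a in addrs for net in nets):
        problems.append("pool overlaps a network used on the VPN gateway (e.g. the LAN)")
    clashes = {ipaddress.ip_address(h) for h in resource_hosts}.intersection(addrs)
    if clashes:
        problems.append("pool contains resource addresses: "
                        + ", ".join(str(c) for c in sorted(clashes)))

    # Guideline 3: at least twice the maximum number of simultaneous logins.
    recommended = 2 * expected_users * logins_per_user
    if len(addrs) < recommended:
        problems.append(f"pool holds {len(addrs)} addresses, fewer than the "
                        f"recommended {recommended} for {expected_users} users")
    return problems


if __name__ == "__main__":
    # Constructed sample: LAN 192.168.13.0/24 as in the guide's scenario,
    # a pool of 100 addresses for 40 users, one file server on the LAN.
    print(validate_pool("10.20.30.100", "10.20.30.199",
                        ["192.168.13.0/24"], ["192.168.13.10"], 40))   # []
    print(validate_pool("192.168.13.200", "192.168.13.250",
                        ["192.168.13.0/24"], [], 10))   # overlaps the LAN
```

The capacity check also covers the note in “Supporting Multiple Users”: pass the number of users you plan to create in Step 4, and raise `logins_per_user` if the same XAUTH user may connect from several Macs at once.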

Step 2 – Create a Shared IKE User

‣ Go to the section “Objects > Users > Local”
‣ Click “New”
‣ User Name: Enter a user name that you will be able to recognize later
‣ Check the box “IKE User” and select “Simple Identity”
‣ IKE Identity: Enter an identifier for the VPN connection. This identifier will be the “Local Identifier” in VPN Tracker ➊
  A good identifier is “vpntracker.local”. However, it is possible to use any host name or an email address. If you do choose to use an email address here, keep in mind that you will have to change the “Local Identifier” type in VPN Tracker to “Email (User FQDN)”.
‣ Leave the default values for all other settings.
‣ Click “OK” to save the new user

Note
The user object that is created in this step is shared by all users of the VPN connection. By separating this shared user object (“IKE user”) from the user objects that we will create later for each individual user (“XAUTH users”), we can prevent complex dependencies when modifying individual users in the future.

Step 3 – Create a Group for the Shared IKE User

‣ Go to the section “Objects > Users > Local Groups”
‣ Click “New”
‣ Group Name: Enter a group name that you will be able to recognize later
‣ In the “Available Members” list, select the shared IKE user created in Step 2.
‣ Click the “<<” button to move the shared IKE user to the list of group members
‣ Click “OK” to save the new group

Note
This group is only for the shared IKE user. Do not add any of the XAUTH users that you will create in the next step!

Step 4 – Create Extended Authentication (XAUTH) Users

‣ Go to the section “Objects > Users > Local”
‣ Click “New”
‣ User Name: Enter a user name ➋
‣ Check the box “XAUTH User”
‣ User Password: Enter a password for the user ➌
  Both the user name and the password are case-sensitive
‣ Confirm User Password: Repeat the password ➌
‣ Leave all other settings at their default values
‣ Click “OK” to add the new user

Note
To create additional users, repeat this step for each user.

Step 5 – Configure the XAUTH Settings

‣ Go to the section “VPNs > AutoKey Advanced > XAuth Settings”
‣ IP Pool Name: Select the IP address pool you created in Step 1
‣ DNS Primary Server IP (optional): If you operate a DNS server in your network, you can enter its IP address here to automatically transmit the DNS settings to your VPN clients.
‣ DNS Secondary Server IP (optional): If you operate a secondary (backup) DNS server in your network, you can enter its IP address here to automatically transmit the DNS settings to your VPN clients.
‣ Click “Apply”

Step 6 – Configure the Phase 1 Settings (Gateway Settings)

‣ Go to the section “VPNs > AutoKey Advanced > Gateway”
‣ Click “New”
‣ Gateway Name: Enter a gateway name that you will be able to recognize later
‣ Version: Make sure “IKEv1” is selected
‣ Remote Gateway Type: Set to “Dialup User Group”
‣ Group: Select the group you created earlier for the shared IKE user

‣ Click “Advanced” to edit additional settings
‣ Preshared Key: Enter a pre-shared key ➍
  The preshared key is a password that is shared among all users of the connection (individual user passwords are configured for each XAUTH user separately, see Step 4).
‣ Security Level: Make sure the Security Level is set to “Standard”.
  If you are running an earlier version of ScreenOS, you will find this and the following two settings among the main settings.
‣ Outgoing Interface: Select the network interface that your VPN connections arrive on. Usually, this will be the “untrust” (WAN) interface.
‣ Mode (Initiator): Set the mode to “Aggressive”
‣ Check the box “Enable NAT-Traversal”
‣ Click “Return” to leave the advanced settings
‣ Click “OK” to save the phase 1 settings

Advanced Users
“Standard” security level means that Diffie-Hellman Group 2 (1024 bit), 3DES or AES-128 encryption, and SHA-1 hashes will be used for phase 1. If you choose a different level, you must match these settings in VPN Tracker (Advanced > Phase 1).

Advanced Users
While Main Mode is considered to be more secure, its dependence on the peer’s IP address makes it unsuitable for use with VPN clients (as opposed to static VPN tunnels between two VPN gateways).

Enable Extended Authentication (XAUTH)

‣ Go to “VPNs > AutoKey Advanced > Gateway”
‣ Click “Xauth” in the “Configure” column
‣ Select “XAuth Server”
‣ Make sure “Use Default Xauth Settings” is selected to use the settings configured previously (see Step 5)
‣ Click “OK” to save your changes

Advanced Users
Using CHAP is more secure; however, not all VPN clients support it. If you are only using VPN Tracker as a client for your VPN connection, you can safely switch to the “CHAP only” authentication type.

Step 7 – Configure the Phase 2 Settings (VPN Settings)

‣ Go to the section “VPNs > AutoKey IKE”
‣ Click “New”
‣ VPN Name: Enter a VPN name that you will be able to recognize later
‣ Remote Gateway: Select “Predefined” and select the gateway you created in Step 6

‣ Click “Advanced” to edit additional settings
‣ Security Level: Make sure the security level is set to “Standard”.
  If you are running an earlier version of ScreenOS, you will find the “Security Level” in the main settings.
‣ Click “OK” to save the phase 2 settings

Advanced Users
“Standard” security level means that 3DES or AES-128 encryption, SHA-1 authentication and Perfect Forward Secrecy (PFS) with Diffie-Hellman Group 2 (1024 bit) will be used for phase 2. If you choose a different level, you must match these settings in VPN Tracker (Advanced > Phase 2).

Step 8 – Add a Policy

‣ Go to the section “Policies”
‣ From: Select “Untrust”
‣ To: Select “Trust”
‣ Click “New”
‣ Name: Enter a name for the new policy (optional, but recommended)
‣ Source Address: Select “Address Book Entry” and select “Dial-Up VPN” from the popup list
‣ Destination Address: Select “New Address” and enter the network you want to access through the VPN tunnel ➎
  Most likely this will be the LAN network of your VPN gateway
‣ Action: Select “Tunnel”
‣ Tunnel: Select the previously created VPN
‣ Check the box “Position at Top”
‣ Click “OK” to save the new policy

Note
If there is already an entry for the desired network in the device’s address book, please select that entry.

236. 22 .145.145.73/24 Advanced Users ‣ Write down the IP address of the public (WAN) interface as ➏ Don’t write down the part that comes after the slash (“/”). and almost always be assigned to the “Untrust” zone 194. it will be the “ethernet 0/0” interface. In our example. we would write down 194. In many cases.Step 9 – Find Your VPN Gateway’s Public IP Address ‣ Go to “Network > Interfaces > List” ‣ Find your public (WAN) interface in the list. Write down the IP address or host name as ➏ on your VPN gateway configuration checklist.73 ! If you know your VPN gateway’s public (WAN) IP address or host name. you can skip this step.236.

Task 2 – Configure VPN Tracker

This section describes how to configure VPN Tracker to connect to your Juniper Networks VPN gateway. You will need the configuration information you collected during Task 1. If you are missing any information, please refer back to “Task 1 – Configure Your VPN Gateway”.

Step 1 – Create a New Connection

‣ Start VPN Tracker
‣ Click the “+” button in the main window
  You will be asked to select a device profile for the new connection:
‣ Select “Juniper Networks” from the list
‣ Select your device from the list of Juniper Networks devices
‣ Connection Name: Choose a name for your connection (e.g. “Office”)
‣ Click “OK”

Step 2 – Configure the VPN Connection

‣ VPN Gateway: Enter your VPN gateway’s public IP address or its hostname, if available ➏
  In our example, the device is reachable using the hostname vpn.example.com, but we could also use the device’s public IP address (194.236.145.73) from Step 9.
‣ Remote Networks: Enter the network address of the network that is being accessed through the VPN tunnel ➎
  Separate the subnet mask with a forward slash (“/”)
‣ Local Identifier: Enter the IKE Identity from your Juniper Networks device (in this example, we configured the device’s IKE identity to be “vpntracker.local”) ➊
‣ DNS (optional): If you have configured a DNS server during Step 5, check “Use Remote DNS Server” and “Receive DNS Settings from VPN Gateway”

Task 3 – Test the VPN Connection

This section explains how to start and test your VPN connection.

It’s time to go out!
You will not be able to test and use your VPN connection from within the internal network that you want to connect to. In order to test your connection, you will need to connect from a different location. For example, if you are setting up a VPN connection to your office, test it from home. If you are setting up a VPN connection to your home network, test it from an Internet cafe, or go visit a friend.

Start your connection
‣ Connect to the Internet
‣ Make sure that your Internet connection is working – open your Internet browser and try to connect to http://www.equinux.com
‣ Start VPN Tracker if it’s not already running
‣ Slide the On/Off slider for the connection you have just configured to On

If you are prompted for your pre-shared key:
‣ Pre-shared key: Enter the pre-shared key that you configured on the VPN gateway ➍
‣ Optionally, check the box “Store in Keychain” to save the password in your keychain so you are not asked for it again when connecting the next time
‣ Click “OK”

If you are prompted for your Extended Authentication (XAUTH) credentials:
‣ User Name: Enter the name of the user configured on the VPN gateway ➋
‣ Password: Enter the password for this user ➌
‣ Optionally, check the box “Store in Keychain” to save the user name and password in your keychain so you are not asked for it again when connecting the next time
‣ Click “OK”

‣ If the slider goes back to Off after starting the connection, or after entering your pre-shared key or your XAUTH credentials, please read the Troubleshooting section of this document
‣ If the slider goes to On and turns green after a while, you have successfully established a connection

Congratulations!

Supporting Multiple Users

Adding multiple users to your VPN connection on a ScreenOS-based device is easy – simply add more Extended Authentication (XAUTH) users. There is no need to modify the actual connection settings. In addition to purely technical considerations, VPN Tracker makes it easy to distribute pre-configured connections to your users, and to prevent the modification of VPN connections and access to confidential data.

Adding Users on the VPN Gateway
To add more users on the VPN gateway, simply follow “Step 4 – Create Extended Authentication (XAUTH) Users” of “Task 1 – Configure Your VPN Gateway”. Choose a different user name and password for each user. All you’ll need to change in VPN Tracker is the XAUTH user name and password.

Note
Make sure the IP address pool created in “Step 1 – Set up an IP address pool” is large enough to support the maximum number of concurrent users you expect for the VPN.

Note
The total number of users and concurrent VPN connections on your VPN gateway may be limited by the hardware’s capabilities and firmware restrictions. Please refer to your device’s data sheet for specific information.

Deploying VPN Connections to Your Users

VPN Tracker Professional Edition offers a number of ways to easily distribute pre-configured connections to users. Simply click “Deploy…” to get started. It is even possible to create a custom VPN Tracker application that contains a pre-configured connection and a license voucher for your users. Further information on deploying connections to users is available in the VPN Tracker manual.

Tip
To deploy VPN Tracker to many users, you can create a custom VPN Tracker application with a pre-configured connection and a license voucher.

Troubleshooting

In most cases, your connection should work fine if you follow the instructions above. If you cannot connect, please read on.

VPN Connection Fails to Establish

On/Off Slider goes back to “Off” right away
If the slider goes back to “Off” right away, please make sure you have entered all the required information. VPN Tracker will highlight fields that are missing or contain obviously incorrect information.

On/Off Slider goes back to “Off” after a while
If the connection On/Off slider goes back to “Off” a while after attempting to start the connection, please go to the “Log” tab to get more information about the error (or click the warning triangle to be automatically taken to the “Log” tab). Depending on the actual problem, VPN Tracker will display detailed suggestions for a solution.

No Access to the Remote Network

If the connection slider goes to On and turns green, but you cannot access resources (servers, email, etc.) in the VPN, please check the following points.

Test VPN Availability again
In many networks your Mac will be behind a router that performs Network Address Translation (NAT). For a VPN connection to be established through such a router, VPN Tracker can use different methods, but not all of them may be supported by your local router or your VPN gateway. VPN Tracker automatically runs a test to detect the proper method for your particular Internet connection when you first connect using this Internet connection. However, test results could become outdated by changes to the local router, so it is a good idea to test again if there are problems.
‣ Select “Tools > Test VPN Availability” from the menu
‣ Click “Test Again” and wait until the test has completed
‣ Try connecting again

Check that the IP address you are connecting to is part of the VPN’s remote network
Check that the IP address you are connecting to is actually part of the remote network(s). Also double-check the network mask that you have configured for the remote network(s) in VPN Tracker.

Connect to an IP address (instead of a host name)
If you are not connecting to the resource by IP address (e.g. 192.168.1.42), but are using a host name (e.g. server.example.com), please make sure that your Mac’s DNS server or the “Remote DNS” server that you have configured in VPN Tracker is able to resolve this host name to an IP address. If the connection works when using the IP address, but not when using a host name, please try using the resource’s IP address instead.
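The “is the address part of the remote network, and is the mask right” check above can be done on the Mac before opening a support request. The Python below is an added example, not code from the equinux guide or from VPN Tracker: it accepts a “Remote Networks” entry in either of the two notations the Scenario section calls equivalent (192.168.13.0/24 or 192.168.13.0/255.255.255.0), reports an entry whose mask does not fit its address, and tells you whether a target address falls inside the configured network(s). The target addresses are constructed values.

```python
import ipaddress


def parse_remote_network(entry):
    """Parse one VPN Tracker "Remote Networks" entry.

    Returns (network, warning). The guide accepts the prefix form
    (192.168.13.0/24) and the dotted-mask form (192.168.13.0/255.255.255.0);
    ipaddress understands both. If host bits are set in the address part,
    the mask does not match the network that was meant, so the entry is
    parsed leniently and a warning is returned instead of silently rounding.
    """
    try:
        return ipaddress.ip_network(entry, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(entry, strict=False)
        return net, (f"{entry} has host bits set; with this mask the network "
                     f"would be {net.with_prefixlen}, double-check the mask")


def reachable_through_vpn(target, remote_entries):
    """True if the target address lies inside at least one remote network."""
    addr = ipaddress.ip_address(target)
    return any(addr in parse_remote_network(e)[0] for e in remote_entries)


def check_targets(targets, remote_entries):
    """Troubleshooting report: mask mistakes in the entries, then every
    target that is not covered by the remote network(s)."""
    messages = []
    for entry in remote_entries:
        _, warning = parse_remote_network(entry)
        if warning:
            messages.append(warning)
    for target in targets:
        if not reachable_through_vpn(target, remote_entries):
            messages.append(f"{target} is not part of the remote network(s) "
                            f"{', '.join(remote_entries)}")
    return messages


if __name__ == "__main__":
    # Constructed sample: the guide's office network and two target hosts,
    # one inside it and one on a different subnet.
    for line in check_targets(["192.168.13.42", "192.168.14.42"],
                              ["192.168.13.0/255.255.255.0"]):
        print(line)
```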

Make sure the VPN gateway is the default gateway in the remote network
If it is not, you will have to ensure that responses to all IP addresses in the address pool (see Step 1) are routed to the VPN gateway, either by adding a general route on the network’s default gateway, or by adding individual routes on each host that VPN clients need to communicate with.

Further Questions?
You can find the latest news and compatibility information on our support and FAQ website: http://www.equinux.com/support

If you need to contact equinux Technical Support
If you can’t resolve your issue with the information available on our website or in this guide and would like to contact Technical Support through our website, please be sure to include at least the following information:
‣ The manufacturer, model and firmware revision of the VPN gateway
‣ A Technical Support Report from VPN Tracker (Help > Generate Technical Support Report)
‣ Screenshots of what you have configured on your VPN gateway, in particular all VPN settings
‣ A detailed description of the problem and the troubleshooting steps you have taken

Appendix

Predefined Security Levels

Phase 1

Standard (recommended)
‣ 3DES or AES-128
‣ SHA-1
‣ Diffie-Hellman Group 2 (1024 bit)

Compatible
‣ 3DES or DES
‣ SHA1 or MD5
‣ Diffie-Hellman Group 2 (1024 bit)

Basic
‣ DES
‣ SHA1 or MD5
‣ Diffie-Hellman Group 1 (768 bit)

Phase 2

Standard (recommended)
‣ 3DES or AES-128
‣ HMAC SHA-1
‣ Perfect Forward Secrecy (PFS) with Diffie-Hellman Group 2 (1024 bit)

Compatible
‣ 3DES or DES
‣ HMAC SHA1 or HMAC MD5
‣ no Perfect Forward Secrecy (PFS)

Basic
‣ DES
‣ HMAC SHA1 or HMAC MD5
‣ no Perfect Forward Secrecy (PFS)
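Steps 6 and 7 say that a security level other than “Standard” must be matched in VPN Tracker under Advanced > Phase 1 / Phase 2; the table above is what has to be matched. The Python below is an added example, not part of the equinux guide: it transcribes the three levels, checks whether a client proposal is one the chosen level would accept (PFS must agree in phase 2, so a client with PFS switched off will not match “Standard”), lists the settings to mirror in the client, and flags which of the table’s algorithms (DES, MD5, 768-bit DH group 1) are the weak ones a non-Standard level lets in. The algorithm names used as dictionary keys are this example’s own labels, not ScreenOS or VPN Tracker identifiers.

```python
# Predefined ScreenOS security levels, transcribed from the appendix table.
# Each set lists the alternatives a level allows; "pfs_dh" is the DH group
# used for Perfect Forward Secrecy in phase 2, or None when the level has no PFS.
SECURITY_LEVELS = {
    "Standard": {
        "phase1": {"enc": {"3des", "aes128"}, "hash": {"sha1"}, "dh": {2}},
        "phase2": {"enc": {"3des", "aes128"}, "auth": {"hmac-sha1"}, "pfs_dh": 2},
    },
    "Compatible": {
        "phase1": {"enc": {"3des", "des"}, "hash": {"sha1", "md5"}, "dh": {2}},
        "phase2": {"enc": {"3des", "des"}, "auth": {"hmac-sha1", "hmac-md5"}, "pfs_dh": None},
    },
    "Basic": {
        "phase1": {"enc": {"des"}, "hash": {"sha1", "md5"}, "dh": {1}},
        "phase2": {"enc": {"des"}, "auth": {"hmac-sha1", "hmac-md5"}, "pfs_dh": None},
    },
}

# Table entries that are no longer adequate: 56-bit DES, MD5 and 768-bit DH group 1.
WEAK = {"des", "md5", "hmac-md5", "dh1"}


def phase1_matches(level, enc, hash_alg, dh_group):
    """True if a client's phase 1 proposal is accepted by the gateway's level."""
    p = SECURITY_LEVELS[level]["phase1"]
    return enc in p["enc"] and hash_alg in p["hash"] and dh_group in p["dh"]


def phase2_matches(level, enc, auth, pfs_dh_group=None):
    """True if a client's phase 2 proposal matches the level. pfs_dh_group is
    None when the client has PFS off; it must agree with the level's setting."""
    p = SECURITY_LEVELS[level]["phase2"]
    return enc in p["enc"] and auth in p["auth"] and pfs_dh_group == p["pfs_dh"]


def client_settings(level):
    """The settings to mirror in VPN Tracker (Advanced > Phase 1 / Phase 2)."""
    lv = SECURITY_LEVELS[level]
    return {
        "phase1": {"encryption": sorted(lv["phase1"]["enc"]),
                   "hash": sorted(lv["phase1"]["hash"]),
                   "dh_group": sorted(lv["phase1"]["dh"])},
        "phase2": {"encryption": sorted(lv["phase2"]["enc"]),
                   "authentication": sorted(lv["phase2"]["auth"]),
                   "pfs": lv["phase2"]["pfs_dh"] is not None,
                   "pfs_dh_group": lv["phase2"]["pfs_dh"]},
    }


def weak_choices(level):
    """Weak algorithms and groups the level permits; empty for Standard."""
    found = set()
    for phase in ("phase1", "phase2"):
        for key, vals in SECURITY_LEVELS[level][phase].items():
            if key == "dh":
                found |= {f"dh{g}" for g in vals if f"dh{g}" in WEAK}
            elif key in ("enc", "hash", "auth"):
                found |= vals & WEAK
    return found


if __name__ == "__main__":
    # VPN Tracker's defaults for this profile, as described in Steps 6 and 7.
    print(phase1_matches("Standard", "aes128", "sha1", 2))        # True
    print(phase2_matches("Standard", "3des", "hmac-sha1", 2))     # True
    print(phase2_matches("Standard", "3des", "hmac-sha1"))        # False: PFS off
    for level in SECURITY_LEVELS:
        print(level, sorted(weak_choices(level)))
```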
