VPN Configuration Guide

Juniper Networks NetScreen / SSG / ISG Series

equinux AG and equinux USA, Inc.

Apple, the Apple logo, iBook, Mac, Mac OS, MacBook, PowerBook are trademarks of
Apple Computer, Inc., registered in the U.S. and other countries.

© 2009 equinux USA, Inc. All rights reserved.
Juniper Networks, NetScreen, and ScreenOS are registered trademarks of Juniper
Networks, Inc. in the U.S. and other countries.

Under the copyright laws, this manual may not be copied, in whole or in part, without
the written consent of equinux AG or equinux USA, Inc. Your rights to the software are
governed by the accompanying software license agreement.

equinux shall have absolutely no liability for any direct or indirect, special or
other consequential damages in connection with the use of the quick setup guide
or any change to the router generally, including without limitation, any lost
profits, business, or data, even if equinux has been advised of the possibility of
such damages.

The equinux logo is a trademark of equinux AG and equinux USA, Inc., registered in the
U.S. and other countries.
Every effort has been made to ensure that the information in this manual is accurate.
equinux is not responsible for printing or clerical errors.
www.equinux.com


Introduction ............................................................... 5
Important Prerequisites .................................................... 6
Scenario ................................................................... 7
Terminology ................................................................ 8

My VPN Gateway Configuration ............................................... 9

Task 1 – Configure Your VPN Gateway ....................................... 10
Step 1 – Set up an IP address pool ........................................ 10
Step 2 – Create a Shared IKE User ......................................... 12
Step 3 – Create a Group for the Shared IKE User ........................... 13
Step 4 – Create Extended Authentication (XAUTH) Users ..................... 14
Step 5 – Configure the XAUTH Settings ..................................... 15
Step 6 – Configure the Phase 1 Settings (Gateway Settings) ................ 16
Step 7 – Configure the Phase 2 Settings (VPN Settings) .................... 19
Step 8 – Add a Policy ..................................................... 21
Step 9 – Find Your VPN Gateway’s Public IP Address ........................ 22

Task 2 – Configure VPN Tracker ............................................ 23
Step 1 – Create a New Connection .......................................... 23
Step 2 – Configure the VPN Connection ..................................... 24

Task 3 – Test the VPN Connection .......................................... 25
It’s time to go out! ...................................................... 25
Start your connection ..................................................... 25

Supporting Multiple Users ................................................. 28
Adding Users on the VPN Gateway ........................................... 28
Deploying VPN Connections to Your Users ................................... 29

Troubleshooting ........................................................... 30
VPN Connection Fails to Establish ......................................... 30
No Access to the Remote Network ........................................... 31

Appendix .................................................................. 33
Predefined Security Levels ................................................ 33


Introduction

This document describes how VPN Tracker can be used to establish a connection between a Mac running Mac OS X and a Juniper Networks firewall/IPsec VPN device running the ScreenOS firmware.

Note: This documentation is only a supplement to, not a replacement for, the instructions included with your firewall/IPsec VPN device. Please be sure to read those instructions and understand them before starting.

VPN Gateway Configuration

The first part of this guide will show you how to configure a VPN tunnel on your Juniper Networks firewall/IPsec VPN device.

VPN Tracker Configuration

In the second part, this guide will show you how to configure VPN Tracker to easily connect to your newly created VPN tunnel.

Troubleshooting

Troubleshooting tips can be found in the last part of this guide. We have also included an appendix with additional useful information.

Tip: If you are setting up VPN on your device for the first time, we strongly recommend you start out with the tutorial-style setup in the first and second part of this document. Your device’s configuration has strong interdependencies between settings, so it is recommended to follow the order laid out in this guide when setting up the device.

Important Prerequisites

Your VPN Gateway

‣ This guide applies to the following Juniper Networks firewall/IPsec VPN devices running ScreenOS (see http://www.vpntracker.com/interop for details):
  • SSG series
  • ISG series
  • NetScreen series¹
‣ Make sure you have the newest ScreenOS version installed that is available for your device. This guide is based on ScreenOS 6.2. If you are using a different ScreenOS version, some settings may look different. Wherever we are aware of these differences, we have noted them in italics next to the affected setting.

Your Mac

‣ VPN Tracker runs on Mac OS X 10.4 or 10.5. Make sure you have all available updates installed.
‣ The configuration described in this guide requires at least VPN Tracker 6.02. The latest VPN Tracker release can always be obtained from http://www.vpntracker.com

¹ The most recent ScreenOS version may not be available for your NetScreen device. In that case, you should be running the latest ScreenOS version available for your particular device.

Scenario

In our example, we need to connect an employee’s Mac to an office network. The following diagram illustrates this scenario:

[Diagram: VPN Connection between a Mac running VPN Tracker and the Juniper Networks VPN Gateway (vpn.example.com), which fronts the Office Network 192.168.13.0 / 255.255.255.0]

This guide assumes that the Mac running VPN Tracker already has internet connectivity. The office’s NetScreen (or SSG, or ISG) device (the “VPN gateway”) is also already connected to the Internet, and can be accessed through a static IP address or DNS host name. In our example setup, we will be using a host name: vpn.example.com.

The VPN gateway has a second network interface which is connected to the internal office network (LAN). In our example, the office network has the IP range 192.168.13.0/24 (which is the same as 192.168.13.0/255.255.255.0). This is the network that will be accessed from the employee’s Mac through the VPN. It is called the “Remote Network” in VPN Tracker.

Terminology

A VPN connection is often called a “tunnel” (or “VPN tunnel”). Every VPN tunnel is established between two “endpoints” (or “peers”). In our example one endpoint is VPN Tracker and the other endpoint is the VPN gateway. Please note that for each endpoint, the settings on the other endpoint are considered to be “remote”, while its own settings are considered to be “local”. That means a “local” setting from VPN Tracker’s perspective is a “remote” setting from the VPN gateway’s perspective, and vice versa.

The sample configuration described in this guide is called a “Host to Network” configuration: A single computer, called a “Host”, establishes a VPN tunnel to an entire “Network” behind the VPN gateway.

My VPN Gateway Configuration

Throughout this guide, there are certain pieces of information that are needed later on for configuring VPN Tracker. This information is marked with red numbers to make it easier to reference it later. You can print out this form to help keep track of the various settings of your Juniper Networks device.

➊ IKE Identity: ______________________
➋ XAUTH User Name: ______________________
➌ XAUTH Password: ______________________
➍ Pre-Shared Key: ______________________
➎ Remote Network: ___ . ___ . ___ . ___ / ___ . ___ . ___ . ___
➏ VPN Gateway’s Public (WAN) IP Address: ___ . ___ . ___ . ___ or hostname ______________________

Task 1 – Configure Your VPN Gateway

The ScreenOS configuration interface is quite complex and may be a bit daunting at first. If you are unfamiliar with the device’s configuration, try to keep to these configuration steps as closely as possible, and in the order outlined in this document. They will provide you with a VPN configuration that works well – for one user, or your entire company.

‣ If you have not already done so, log into your device’s web configuration interface now.

Note: At the time of writing, the ScreenOS web configuration interface did not work very well with the Safari web browser. Should you encounter any problems with the web configuration interface, you might want to try using a different web browser for this task.

Step 1 – Set up an IP address pool

The “virtual” IP addresses VPN clients use on the device’s LAN are distributed from the IP address pool that you will configure in this step.

‣ Go to the section “Objects > IP Pools”
‣ Click “New”

‣ IP Pool Name: Enter a name that will allow you to recognize this IP pool later
‣ Start IP: Enter the first IP address in the range of IP addresses the IP pool should contain. Refer to the guidelines below when selecting a range suitable for your particular scenario. In our example, we are using the IP address 10.13.98.100.
‣ End IP: Enter the last IP address in the range of IP addresses the IP pool should contain. In our example, we are using the IP address 10.13.98.199.
‣ Click “OK” to save your new IP address pool

Guidelines for selecting a suitable range of IP addresses:

‣ The range of IP addresses must come from one of the IP address ranges that are reserved for internal use (“private subnets”):
  Private Subnets
  ‣ 10.0.0.0 – 10.255.255.255
  ‣ 172.16.0.0 – 172.31.255.255
  ‣ 192.168.0.0 – 192.168.255.255
‣ The range of IP addresses may not overlap with any of the networks used on your VPN gateway device; in particular, it may not be part of the LAN. It should also not be used by any of the resources (servers etc.) that are being accessed through the VPN.
‣ The address pool must contain enough IP addresses to supply an IP address to each possible user of the VPN connection. If multiple logins for the same user are to be permitted, additional IP addresses must be available. It is usually a good idea to choose the pool to be at least twice as large as the maximum number of expected users.
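As an added example (not part of the original guide and not a ScreenOS or VPN Tracker function), the following Python check applies the three guidelines above to a proposed Start IP / End IP pair before it is entered on the device; the function name check_ip_pool and its parameters are assumptions of this example.

```python
"""Check a proposed ScreenOS IP pool against the three guidelines above.

Added example: check_ip_pool and its parameters are assumptions of this
example, not a ScreenOS or VPN Tracker API.
"""
import ipaddress

# The private subnets listed in the guidelines (RFC 1918).
PRIVATE_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _overlaps(start, end, network):
    """True if any address in start..end (inclusive) lies inside network."""
    return start <= network.broadcast_address and end >= network.network_address


def check_ip_pool(start_ip, end_ip, gateway_networks, expected_users,
                  logins_per_user=1):
    """Return a list of guideline violations; an empty list means the pool is OK.

    gateway_networks: every network the VPN gateway device uses (its LAN in
        particular) plus the subnets of resources accessed through the VPN,
        written as "a.b.c.d/prefix" or "a.b.c.d/mask".
    expected_users: maximum number of users of the VPN connection.
    logins_per_user: concurrent logins permitted per user (1 unless multiple
        logins for the same user are permitted on the gateway).
    """
    problems = []
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if end < start:
        return ["End IP is lower than Start IP"]

    # Guideline 1: the whole range must lie inside one private subnet.
    if not any(start in net and end in net for net in PRIVATE_SUBNETS):
        problems.append("range is not entirely within a private subnet")

    # Guideline 2: no overlap with the gateway's own networks or with the
    # networks of resources that are reached through the VPN.
    for text in gateway_networks:
        net = ipaddress.ip_network(text, strict=False)
        if _overlaps(start, end, net):
            problems.append(f"range overlaps network {net}")

    # Guideline 3: one address per possible login, and preferably at least
    # twice the maximum number of expected users.
    size = int(end) - int(start) + 1
    needed = expected_users * logins_per_user
    if size < needed:
        problems.append(f"only {size} addresses for {needed} possible logins")
    elif size < 2 * expected_users:
        problems.append(f"{size} addresses is less than twice the expected "
                        f"{expected_users} users")
    return problems


if __name__ == "__main__":
    # The guide's own example: pool 10.13.98.100-199, office LAN 192.168.13.0/24.
    print(check_ip_pool("10.13.98.100", "10.13.98.199",
                        ["192.168.13.0/255.255.255.0"], expected_users=50))
    # A pool carved out of the LAN itself violates guideline 2.
    print(check_ip_pool("192.168.13.100", "192.168.13.199",
                        ["192.168.13.0/255.255.255.0"], expected_users=50))
```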

Step 2 – Create a Shared IKE User

‣ Go to the section “Objects > Users > Local”
‣ Click “New”
‣ User Name: Enter a user name that you will be able to recognize later
‣ Check the box “IKE User” and select “Simple Identity”
‣ IKE Identity: Enter an identifier for the VPN connection. This identifier will be the “Local Identifier” in VPN Tracker ➊. A good identifier is “vpntracker.local”. However, it is possible to use any host name or an email address. If you do choose to use an email address here, keep in mind that you will have to change the “Local Identifier” type in VPN Tracker to “Email (User FQDN)”.
‣ Leave the default values for all other settings.
‣ Click “OK” to save the new user

Note: The user object that is created in this step is shared by all users of the VPN connection. By separating this shared user object (“IKE user”) from the user objects that we will create later for each individual user (“XAUTH users”), we can prevent complex dependencies when modifying individual users in the future.

Step 3 – Create a Group for the Shared IKE User

‣ Go to the section “Objects > Users > Local Groups”
‣ Click “New”
‣ Group Name: Enter a group name that you will be able to recognize later
‣ In the “Available Members” list, select the shared IKE user created in Step 2.
‣ Click the “<<” button to move the shared IKE user to the list of group members
‣ Click “OK” to save the new group

Note: This group is only for the shared IKE user. Do not add any of the XAUTH users that you will create in the next step!

Step 4 – Create Extended Authentication (XAUTH) Users

‣ Go to the section “Objects > Users > Local”
‣ Click “New”
‣ User Name: Enter a user name ➋
‣ Check the box “XAUTH User”
‣ User Password: Enter a password for the user ➌
‣ Confirm User Password: Repeat the password ➌
  Both the user name and the password are case-sensitive.
‣ Leave all other settings at their default values
‣ Click “OK” to add the new user

Note: To create additional users, repeat this step for each user.

Step 5 – Configure the XAUTH Settings

‣ Go to the section “VPNs > AutoKey Advanced > XAuth Settings”
‣ IP Pool Name: Select the IP address pool you created in Step 1
‣ DNS Primary Server IP (optional): If you operate a DNS server in your network, you can enter its IP address here to automatically transmit the DNS settings to your VPN clients.
‣ DNS Secondary Server IP (optional): If you operate a secondary (backup) DNS server in your network, you can enter its IP address here to automatically transmit the DNS settings to your VPN clients.
‣ Click “Apply”

Step 6 – Configure the Phase 1 Settings (Gateway Settings)

‣ Go to the section “VPNs > AutoKey Advanced > Gateway”
‣ Click “New”
‣ Gateway Name: Enter a gateway name that you will be able to recognize later
‣ Version: Make sure “IKEv1” is selected
‣ Remote Gateway Type: Set to “Dialup User Group”
‣ Group: Select the group you created earlier for the shared IKE user

‣ Click “Advanced” to edit additional settings
‣ Preshared Key: Enter a pre-shared key ➍
  The preshared key is a password that is shared among all users of the connection (individual user passwords are configured for each XAUTH user separately, see Step 4).
‣ Outgoing Interface: Select the network interface that your VPN connections arrive on. Usually, this will be the “untrust” (WAN) interface.
‣ Security Level: Make sure the Security Level is set to “Standard”.
  If you are running an earlier version of ScreenOS, you will find this and the following two settings among the main settings.
‣ Mode (Initiator): Set the mode to “Aggressive”
‣ Check the box “Enable NAT-Traversal”
‣ Click “Return” to leave the advanced settings
‣ Click “OK” to save the phase 1 settings

Advanced Users: “Standard” security level means that Diffie-Hellman Group 2 (1024 bit), 3DES or AES-128 encryption, and SHA-1 hashes will be used for phase 1. If you choose a different level, you must match these settings in VPN Tracker (Advanced > Phase 1).

Advanced Users: While Main Mode is considered to be more secure, its dependence on the peer’s IP address makes it unsuitable for use with VPN clients (as opposed to static VPN tunnels between two VPN gateways).

Enable Extended Authentication (XAUTH)

‣ Go to “VPNs > AutoKey Advanced > Gateway”
‣ Click “Xauth” in the “Configure” column
‣ Select “XAuth Server”
‣ Make sure “Use Default Xauth Settings” is selected to use the settings configured previously (see Step 5)
‣ Click “OK” to save your changes

Advanced Users: Using CHAP is more secure; however, not all VPN clients support it. If you are only using VPN Tracker as a client for your VPN connection, you can safely switch to the “CHAP only” authentication type.

Step 7 – Configure the Phase 2 Settings (VPN Settings)

‣ Go to the section “VPNs > AutoKey IKE”
‣ Click “New”
‣ VPN Name: Enter a VPN name that you will be able to recognize later
‣ Remote Gateway: Select “Predefined” and select the gateway you created in Step 6
‣ Click “OK” to save the phase 2 settings

‣ Click “Advanced” to edit additional settings
‣ Security Level: Make sure the security level is set to “Standard”.
  If you are running an earlier version of ScreenOS, you will find the “Security Level” in the main settings.

Advanced Users: “Standard” security level means that 3DES or AES-128 encryption, SHA-1 authentication and Perfect Forward Secrecy (PFS) with Diffie-Hellman Group 2 (1024 bit) will be used for phase 2. If you choose a different level, you must match these settings in VPN Tracker (Advanced > Phase 2).

Step 8 – Add a Policy

‣ Go to the section “Policies”
‣ From: Select “Untrust”
‣ To: Select “Trust”
‣ Click “New”
‣ Name: Enter a name for the new policy (optional, but recommended)
‣ Source Address: Select “Address Book Entry” and select “Dial-Up VPN” from the popup list
‣ Destination Address: Select “New Address” and enter the network you want to access through the VPN tunnel ➎
  Most likely this will be the LAN network of your VPN gateway.
  Note: If there is already an entry for the desired network in the device’s address book, please select that entry.
‣ Action: Select “Tunnel”
‣ Tunnel: Select the previously created VPN
‣ Check the box “Position at Top”
‣ Click “OK” to save the new policy

Step 9 – Find Your VPN Gateway’s Public IP Address

Advanced Users: If you know your VPN gateway’s public (WAN) IP address or host name, you can skip this step. Write down the IP address or host name as ➏ on your VPN gateway configuration checklist.

‣ Go to “Network > Interfaces > List”
‣ Find your public (WAN) interface in the list. In many cases, it will be the “ethernet 0/0” interface, and almost always be assigned to the “Untrust” zone
‣ Write down the IP address of the public (WAN) interface as ➏
  Don’t write down the part that comes after the slash (“/”). In our example, the interface list shows 194.145.236.73/24, so we would write down 194.145.236.73.

Task 2 – Configure VPN Tracker

This section describes how to configure VPN Tracker to connect to your Juniper Networks VPN gateway. You will need the configuration information you collected during Task 1. If you are missing any information, please refer back to “Task 1 – Configure Your VPN Gateway”.

Step 1 – Create a New Connection

‣ Start VPN Tracker
‣ Click the “+” button in the main window

You will be asked to select a device profile for the new connection:

‣ Select “Juniper Networks” from the list
‣ Select your device from the list of Juniper Networks devices
‣ Connection Name: Choose a name for your connection (e.g. “Office”)
‣ Click “OK”

Step 2 – Configure the VPN Connection

‣ VPN Gateway: Enter your VPN gateway’s public IP address or its hostname, if available ➏
  In our example, the device is reachable using the hostname vpn.example.com, but we could also use the device’s public IP address (194.145.236.73) from Step 9. ➏
‣ Remote Networks: Enter the network address of the network that is being accessed through the VPN tunnel ➎
  Separate the subnet mask with a forward slash (“/”) ➎
‣ Local Identifier: Enter the IKE Identity from your Juniper Networks device (in this example, we configured the device’s IKE identity to be “vpntracker.local”) ➊
‣ DNS (optional): If you have configured a DNS server during Step 5, check “Use Remote DNS Server” and “Receive DNS Settings from VPN Gateway”

Task 3 – Test the VPN Connection

This section explains how to start and test your VPN connection.

It’s time to go out!

You will not be able to test and use your VPN connection from within the internal network that you want to connect to. In order to test your connection, you will need to connect from a different location. For example, if you are setting up a VPN connection to your office, test it from home. If you are setting up a VPN connection to your home network, test it from an Internet cafe, or go visit a friend.

Start your connection

‣ Connect to the Internet
‣ Make sure that your Internet connection is working – open your Internet browser and try to connect to http://www.equinux.com
‣ Start VPN Tracker if it’s not already running
‣ Slide the On/Off slider for the connection you have just configured to On

If you are prompted for your pre-shared key:

‣ Pre-shared key: Enter the pre-shared key that you configured on the VPN gateway ➍
‣ Optionally, check the box “Store in Keychain” to save the password in your keychain so you are not asked for it again when connecting the next time
‣ Click “OK”

If you are prompted for your Extended Authentication (XAUTH) credentials:

‣ User Name: Enter the name of the user configured on the VPN gateway ➋
‣ Password: Enter the password for this user ➌
‣ Optionally, check the box “Store in Keychain” to save the user name and password in your keychain so you are not asked for it again when connecting the next time
‣ Click “OK”

‣ If the slider goes back to Off after starting the connection, or after entering your pre-shared key or your XAUTH credentials, please read the Troubleshooting section of this document
‣ If the slider goes to On and turns green after a while, you have successfully established a connection. Congratulations!

Supporting Multiple Users

Adding multiple users to your VPN connection on a ScreenOS-based device is easy – simply add more Extended Authentication (XAUTH) users. In addition to purely technical considerations, VPN Tracker makes it easy to distribute pre-configured connections to your users, and prevent the modification of VPN connections and access to confidential data.

Note: The total number of users and concurrent VPN connections on your VPN gateway may be limited by the hardware’s capabilities and firmware restrictions. Please refer to your device’s data sheet for specific information.

Adding Users on the VPN Gateway

To add more users on the VPN gateway, simply follow “Step 4 – Create Extended Authentication (XAUTH) Users” of “Task 1 – Configure Your VPN Gateway”. Choose a different user name and password for each user. There is no need to modify the actual connection settings; all you’ll need to change in VPN Tracker is the XAUTH user name and password.

Note: Make sure the IP address pool created in “Step 1 – Set up an IP address pool” is large enough to support the maximum number of concurrent users you expect for the VPN.

Deploying VPN Connections to Your Users

VPN Tracker Professional Edition offers a number of ways to easily distribute pre-configured connections to users. It is even possible to create a custom VPN Tracker application that contains a pre-configured connection and a license voucher for your users. Simply click “Deploy…” to get started. Further information on deploying connections to users is available in the VPN Tracker manual.

Tip: To deploy VPN Tracker to many users, you can create a custom VPN Tracker application with a pre-configured connection and a license voucher.

please read on. your connection should work fine if you follow the instructions above. please make sure you have entered all the required information. please go to the “Log” tab to get more information about the error (or click the warning triangle to be automatically taken to the “Log” tab). 30 .Troubleshooting In most cases. VPN Connection Fails to Establish On/Off Slider goes back to “Off” right away If the slider goes back to “Off” right away. Depending on the actual problem. If you cannot connect. VPN Tracker will display detailed suggestions for a solution. On/Off Slider goes back to “Off” after a while If the connection ON/OFF slider goes back to “OFF” a while after attempting to start the connection. VPN Tracker will highlight fields that are missing or obviously incorrect information.

No Access to the Remote Network

If the connection slider goes to ON and turns green, but you cannot access resources (servers, email, etc.) in the VPN, please check the following points.

Test VPN Availability again

In many networks your Mac will be behind a router that performs Network Address Translation (NAT). For a VPN connection to be established through such a router, VPN Tracker can use different methods, but not all of them may be supported by your local router or your VPN gateway. VPN Tracker automatically runs a test to detect the proper method for your particular Internet connection when you first connect using this Internet connection. However, test results could become outdated by changes to the local router, so it is a good idea to test again if there are problems.

‣ Select “Tools > Test VPN Availability” from the menu
‣ Click “Test Again” and wait until the test has completed
‣ Try connecting again

Check that the IP address you are connecting to is part of the VPN’s remote network

Check that the IP address you are connecting to is actually part of the remote network(s). Also double-check the network mask that you have configured for the remote network(s) in VPN Tracker.

Connect to an IP address (instead of a host name)

If you are not connecting to the resource by IP address (e.g. 192.168.1.42), but are using a host name (e.g. server.example.com), please try using the resource’s IP address instead. If the connection works when using the IP address, but not when using a host name, please make sure that your Mac’s DNS server or the “Remote DNS” server that you have configured in VPN Tracker is able to resolve this host name to an IP address.

Make sure the VPN gateway is the default gateway in the remote network

If it is not, you will have to ensure that responses to all IP addresses in the address pool (see Step 1) are routed to the VPN gateway, either by adding a general route on the network’s default gateway, or by adding individual routes on each host that VPN clients need to communicate with.

Further Questions?

You can find the latest news and compatibility information on our support and FAQ website: http://www.equinux.com/support

If you need to contact equinux Technical Support

If you can’t resolve your issue with the information available on our website or in this guide and would like to contact Technical Support through our website, please be sure to include at least the following information:

‣ The manufacturer, model and firmware revision of the VPN gateway
‣ A Technical Support Report from VPN Tracker (Help > Generate Technical Support Report)
‣ Screenshots of what you have configured on your VPN gateway, in particular all VPN settings
‣ A detailed description of the problem and the troubleshooting steps you have taken

Appendix

Predefined Security Levels

Phase 1

Standard (recommended):
‣ 3DES or AES-128
‣ SHA-1
‣ Diffie-Hellman Group 2 (1024 bit)

Compatible:
‣ 3DES or DES
‣ SHA1 or MD5
‣ Diffie-Hellman Group 2 (1024 bit)

Basic:
‣ DES
‣ SHA1 or MD5
‣ Diffie-Hellman Group 1 (768 bit)

Phase 2

Standard (recommended):
‣ 3DES or AES-128
‣ HMAC SHA-1
‣ Perfect Forward Secrecy (PFS) with Diffie-Hellman Group 2 (1024 bit)

Compatible:
‣ 3DES or DES
‣ HMAC SHA1 or HMAC MD5
‣ no Perfect Forward Secrecy (PFS)

Basic:
‣ DES
‣ HMAC SHA1 or HMAC MD5
‣ no Perfect Forward Secrecy (PFS)
