[ScreenOS] How do I create a Policy Based LAN to LAN VPN using Preshared Keys (ScreenOS 6.0 and later)
Policy-based VPN - Both Sides have Static IPs using Pre-shared Keys in ScreenOS 6.x
Environment:
- Preshared secrets
- Policy Based VPN
- Static IP Addresses on both gateways of VPN
This example assumes static IP addresses are assigned on both VPN devices in the VPN tunnel.
The preshared secret used is netscreen. It is shown only for illustration: on a production tunnel replace it with a long random secret, configured identically on both gateways.
The matrix below shows the proposals used for this example. The Phase 1 and Phase 2 proposals must be the same on both sides. The 3DES/SHA-1 proposals below are the ones from the original example; ScreenOS 6.x also ships predefined AES proposals (pre-g2-aes128-sha for Phase 1, g2-esp-aes128-sha for Phase 2), which should be preferred where the peer supports them.
                          Site A                 Site B
Untrust IP of Firewall    1.1.1.1 (eth0/0)       2.2.2.1 (eth0/0)
Trust Network             10.1.1.0/24            172.16.10.0/24
Phase 1 Proposal          pre-g2-3des-sha        pre-g2-3des-sha
Phase 2 Proposal          g2-esp-3des-sha        g2-esp-3des-sha
Instructions via the WebUI and CLI are provided below.
WebUI - Site A:
- Click VPNs > AutoKey Advanced > Gateway
- Click New
- Gateway Name: Site B GW
- Remote Gateway: Click Static, and enter IP address 2.2.2.1
- Click Advanced
- Preshared Key: netscreen
- Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
- Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator): Main
- Click Return
- Click OK
- Click VPNs > Autokey IKE
- Click New
- VPN Name: Site B VPN
- Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
- Click Advanced
- Security Level, User Defined: Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
- Click VPN Monitor (recommended)
- Click Optimized (recommended)
- Click Rekey (recommended)
- Click Return
- Click OK (Important)
- Click Policy > Policies
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 10.1.1.0/24
- Destination Address: Click New Address, and enter 172.16.10.0/24
- Service: Any
- Action: Tunnel
- Tunnel: Site B VPN
- Check Modify matching bidirectional VPN policy
- Position at Top: Enabled
- Click OK
WebUI - Site B:
- Click VPNs > AutoKey Advanced > Gateway
- Click New
- Gateway Name: Site A GW
- Remote Gateway: Click Static, and enter IP address 1.1.1.1
- Click Advanced
- Preshared Key: netscreen
- Outgoing Interface: ethernet0/0 (or whichever interface goes out to the Internet)
- Security Level, User-defined: Select Custom, and select Phase 1 Proposal: pre-g2-3des-sha
- Mode (Initiator): Main
- Click Return
- Click OK
- Click VPNs > Autokey IKE
- Click New
- VPN Name: Site A VPN
- Remote Gateway: Click Predefined, and select Site A GW from the pulldown menu
- Click Advanced
- Security Level, User Defined: Select Custom, and select Phase 2 Proposal: g2-esp-3des-sha
- Click VPN Monitor (recommended)
- Click Optimized (recommended)
- Click Rekey (recommended)
- Click Return
- Click OK (Important)
- Click Policy > Policies
- Select From Trust to Untrust Zone, and click New
- Source Address: Click New Address, and enter 172.16.10.0/24
- Destination Address: Click New Address, and enter 10.1.1.0/24
- Service: Any
- Action: Tunnel
- Tunnel: Site A VPN
- Check Modify matching bidirectional VPN policy
- Position at Top: Enabled
- Click OK
CLI - Site A:
(The CLI example uses ethernet1/1 as the Trust interface and ethernet1/2 as the Untrust interface; substitute the interface names on your platform, for example ethernet0/0 as used in the WebUI steps above. The address book entries, gateway address and policy addresses must mirror those on Site B.)
- Set interfaces:
set interface e1/1 zone trust
set interface e1/1 ip 10.1.1.1/24
set interface e1/1 nat
set interface e1/2 zone untrust
set interface e1/2 ip 1.1.1.1/24
- Create address book entries:
set address Trust "10.1.1.0/24" 10.1.1.0/24
set address Untrust "172.16.10.0/24" 172.16.10.0/24
- Create a preshared key VPN:
set ike gateway "site B GW" address 2.2.2.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site B VPN" gateway "site B GW" proposal "g2-esp-3des-sha"
set vpn "site B VPN" monitor optimized rekey
- Create policies:
set policy id 1 top from trust to untrust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site B VPN" pair-policy 2
set policy id 2 top from untrust to trust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site B VPN" pair-policy 1
save
CLI - Site B:
(Site B's Untrust address must be 2.2.2.1, the address Site A's gateway object points at.)
- Set interfaces:
set interface e1/1 zone trust
set interface e1/1 ip 172.16.10.1/24
set interface e1/1 nat
set interface e1/2 zone untrust
set interface e1/2 ip 2.2.2.1/24
- Create address book entries:
set address Trust "172.16.10.0/24" 172.16.10.0/24
set address Untrust "10.1.1.0/24" 10.1.1.0/24
- Create a preshared key VPN:
set ike gateway "site A GW" address 1.1.1.1 main outgoing-interface e1/2 preshare netscreen proposal pre-g2-3des-sha
set vpn "site A VPN" gateway "site A GW" proposal "g2-esp-3des-sha"
set vpn "site A VPN" monitor optimized rekey
- Create policies:
set policy id 1 top from trust to untrust "172.16.10.0/24" "10.1.1.0/24" any tunnel vpn "site A VPN" pair-policy 2
set policy id 2 top from untrust to trust "10.1.1.0/24" "172.16.10.0/24" any tunnel vpn "site A VPN" pair-policy 1
save
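Verification - Site A:
Once both gateways are configured, the following standard ScreenOS 6.x commands confirm that Phase 1 and Phase 2 completed and that traffic is hitting the tunnel policy. This is an added check, not part of the original article; the gateway and VPN names are those from the Site A CLI example above, and e1/2 is the Untrust interface assumed there.

```text
get ike gateway "site B GW"
get ike cookie
get sa
get vpn "site B VPN"
get policy id 1

clear dbuf
set ffilter src-ip 2.2.2.1
debug ike detail
undebug all
get dbuf stream
unset ffilter
```

Run the first five commands after generating traffic from a host on 10.1.1.0/24 to a host on 172.16.10.0/24 (the tunnel is brought up on demand). get ike cookie should list an entry for 2.2.2.1 (Phase 1 established); get sa should show the peer's SAs with status A (active) rather than I (inactive); get vpn shows whether VPN Monitor is on; get policy id 1 shows the tunnel policy and its hit count. If the tunnel does not come up, run clear dbuf, set ffilter and debug ike detail, generate traffic again, then undebug all and read get dbuf stream: the output shows whether Phase 1 failed at the proposal exchange (proposal names differ between the sides) or at authentication (preshared keys differ). If Phase 1 succeeds but get sa stays inactive, compare the Phase 2 proposal and the proxy IDs, which for a policy-based VPN are taken from the policy's source and destination addresses, so the address book entries on the two sides must be exact mirrors of each other.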
Note: Configuration examples in the technical documentation (ScreenOS Concepts & Examples Reference Guide, Volume 5: Virtual Private Networks, Chapter 4, Site-to-Site Virtual Private Networks):
- "Policy-Based Site-to-Site VPN, AutoKey IKE" Example
- "Policy-Based Site-to-Site VPN, Dynamic Peer" Example
- "Policy-Based Site-to-Site VPN, Manual Key" Example
- "Transparent Mode VPN" Example