Juniper Site-to-Site VPN  - dynamic IP - routed mode

 

 

(diagram: juniper-dynamicIP-1.png)

 

The VPN is built between two Juniper firewalls:

Katowice - SSG140, ScreenOS 6.1.0r7.0 (fixed public IP)

Warsaw - NetScreen 5GT, ScreenOS 5.4.0r10.0 (dynamic IP on ADSL)

 

 

REMOTE SITE(WARSAW) - firewall with dynamic IP

 

  • configure vpn zone

ns5gt-adsl-> set zone name VPN

A dedicated zone for the tunnel keeps the configuration readable: traffic entering or leaving the VPN gets its own explicit Trust<->VPN policies instead of being mixed into the Untrust rules.

 

  • configure tunnel interface

ns5gt-adsl-> set interface tunnel.1 zone VPN

ns5gt-adsl-> set interface tunnel.1 ip unnumbered interface untrust

The tunnel interface is unnumbered (it borrows the address of untrust) because nothing here needs an address of its own on the tunnel, such as NAT into the tunnel.

tunnel.1 is placed in zone VPN and takes its IP from interface untrust

 

  • configure IPSEC P1 proposal

ns5gt-adsl-> set ike p1-proposal Katowice-p1 preshare group2 esp aes256 sha-1

Phase 1 proposal: pre-shared key authentication, DH group2 (1024-bit), AES-256 and SHA-1. The default lifetime is 28800 seconds. Group2 is the smallest DH group worth using; both platforms also support group5 if you want a larger one.

  • configure IPSEC P2 proposal

ns5gt-adsl-> set ike p2-proposal Katowice-p2 group2 esp aes256 sha-1

Phase 2 proposal: ESP with AES-256 and SHA-1, with PFS because a DH group (group2) is given. The default lifetime is 3600 seconds. Since each end carries a single proposal, both proposals must be identical on the Katowice side.

  • configure ike gateway

ns5gt-adsl-> set ike gateway "to_Katowice" address 1.1.1.1 aggressive local-id warsaw.corp.com outgoing-interface untrust preshare secret proposal Katowice-p1

1.1.1.1 - external IP of the VPN terminator in Katowice

mode - aggressive! Main mode with pre-shared keys identifies the peer by its IP address, which a dynamic-IP peer does not have, so aggressive mode with an explicit ID is required. The price is that aggressive mode sends the identities in the clear and the PSK-derived hash in an unencrypted message, so anyone who captures the exchange can run an offline dictionary attack on the key. "secret" is only a placeholder here; use a long random pre-shared key.

local-id warsaw.corp.com - must be set, because this is how Katowice will recognize the peer. It is an FQDN-type identity, i.e. just a string; no DNS lookup is performed.

 

  • configure vpn

ns5gt-adsl-> set vpn Katowice gateway to_Katowice proposal Katowice-p2

ns5gt-adsl-> set vpn Katowice proxy-id local-ip 10.20.16.0/21 remote-ip 10.0.0.0/8 any

The proxy-ID is the encryption domain: the traffic the SA is allowed to carry. The other end must configure the exact mirror image (local and remote swapped, same masks, same protocol), otherwise Phase 2 fails with a proxy-ID mismatch.

  • assign vpn to interface tunnel.1

ns5gt-adsl-> set vpn Katowice bind interface tunnel.1

 

  • configure routing

ns5gt-adsl-> set route 10.0.0.0/8 interface tunnel.1

All traffic destined for 10.0.0.0/8 is sent to the new tunnel interface (the Warsaw LAN 10.20.16.0/21 is a more specific connected route, so it stays local). In a route-based VPN it is the route, not the proxy-ID, that decides which packets enter the tunnel.

 

  • configure policy

ns5gt-adsl-> set address VPN 10.0.0.0/8 10.0.0.0/8 corporate_network

Define the corporate network as an address object in the VPN zone (arguments: zone, name, address/mask, comment). The policies below give the addresses as IP/mask, which ScreenOS accepts in place of an address name and turns into address-book entries automatically.

ns5gt-adsl-> set policy from Trust to VPN 10.20.16.0/21 10.0.0.0/8 any permit log

Policy allowing traffic from the Trust zone to the VPN zone (from the Warsaw network to the corporate network). On a route-based VPN the zone policy, not the proxy-ID, is the real access control, so narrow "any" down to the services actually needed and keep logging on.

ns5gt-adsl-> set policy from VPN to Trust 10.0.0.0/8 10.20.16.0/21 any permit log

Policy allowing traffic from the VPN zone to the Trust zone (from the corporate network to the Warsaw network).

 

CORPORATE HQ (KATOWICE) - fixed IP

 

  • configure new zone (for the internal vpn)

-> set zone name VPN

  • configure tunnel interface

-> set interface tunnel.3 zone VPN

-> set interface tunnel.3 ip unnumbered interface ethernet0/9

ethernet0/9 is the interface connected to the Internet (fixed IP 1.1.1.1)

  • configure vpn

-> set ike p1-proposal Warsaw-p1 preshare group2 esp aes256 sha-1

-> set ike p2-proposal Warsaw-p2 group2 esp aes256 sha-1

Same algorithms as on the Warsaw side. The authentication method (preshare) is part of the Phase 1 proposal and has to be given here as well.

-> set ike gateway to_Warsaw dynamic warsaw.corp.com aggressive outgoing-interface ethernet0/9 preshare secret proposal Warsaw-p1

dynamic - the peer has no fixed address, so it is matched on its IKE identity instead of an IP

warsaw.corp.com - peer-id - must match the local-id on the Warsaw firewall exactly; the pre-shared key must also be the same on both ends

 

-> set vpn Warsaw gateway to_Warsaw proposal Warsaw-p2

-> set vpn Warsaw proxy-id local-ip 10.0.0.0/8 remote-ip 10.20.16.0/21 any

  • bind vpn to interface "tunnel.3"

-> set vpn Warsaw bind interface tunnel.3

  • configure routing

-> set route 10.20.16.0/21 interface tunnel.3

 

  • enable monitor, optimization and rekey

-> set vpn "Warsaw" monitor source-interface ethernet0/9 optimized rekey

VPN monitor sends ICMP probes through the tunnel so the SA state reflects whether the peer is really reachable; "optimized" treats incoming tunnel traffic as proof of life and only probes when the tunnel is idle; "rekey" makes the firewall re-establish the SA itself when monitoring declares it down instead of waiting for user traffic. Note that Katowice only learns Warsaw's address when Warsaw initiates, so the tunnel must always be brought up from the Warsaw side; enable monitor with rekey on the ns5gt as well, so the branch re-establishes the tunnel promptly after its ADSL address changes.

 

  • configure policy

-> set address VPN 10.20.16.0/21 10.20.16.0/21 Warsaw

-> set policy from Trust to VPN 10.0.0.0/8 10.20.16.0/21 any permit log

-> set policy from VPN to Trust 10.20.16.0/21 10.0.0.0/8 any permit log
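Because both ends are typed in by hand, the usual reason for an empty get sa is that one side does not mirror the other. The following is an added example, not part of the original page and not ScreenOS code: a Python script that models the two ends as configured above and checks what has to agree between them (proxy-IDs mirrored, Phase 1 and Phase 2 proposals equal, the end with a dynamic peer in aggressive mode, its peer-id equal to the remote local-id). The two dictionaries are transcribed from the commands on this page; their key names are the script's own.

```python
"""Mirror-check for the two ends of a ScreenOS route-based VPN.

Added example. The two dicts are transcribed from the Warsaw and Katowice
commands above; the keys are this script's own naming, not ScreenOS syntax.
"""
from ipaddress import ip_network

WARSAW = {
    "name": "Warsaw (ns5gt)",
    "mode": "aggressive",
    "local_id": "warsaw.corp.com",        # set ike gateway ... local-id
    "peer_id": None,                      # peer is identified by address 1.1.1.1
    "dynamic_peer": False,                # 'address 1.1.1.1', not 'dynamic'
    "p1": ("preshare", "group2", "aes256", "sha-1"),
    "p2": ("group2", "aes256", "sha-1"),
    "proxy_local": "10.20.16.0/21",
    "proxy_remote": "10.0.0.0/8",
    "proxy_proto": "any",
}

KATOWICE = {
    "name": "Katowice (SSG140)",
    "mode": "aggressive",
    "local_id": None,                     # identified by its fixed address
    "peer_id": "warsaw.corp.com",         # set ike gateway ... dynamic <id>
    "dynamic_peer": True,
    "p1": ("preshare", "group2", "aes256", "sha-1"),
    "p2": ("group2", "aes256", "sha-1"),
    "proxy_local": "10.0.0.0/8",
    "proxy_remote": "10.20.16.0/21",
    "proxy_proto": "any",
}


def check_pair(a, b):
    """Return the list of mismatches between ends a and b (empty = consistent)."""
    problems = []

    # Phase 2: the proxy-ID of one end must be the exact mirror of the other.
    for mine, theirs in (("proxy_local", "proxy_remote"), ("proxy_remote", "proxy_local")):
        if ip_network(a[mine], strict=False) != ip_network(b[theirs], strict=False):
            problems.append(f"proxy-id: {a['name']} {mine} {a[mine]} != "
                            f"{b['name']} {theirs} {b[theirs]}")
    if a["proxy_proto"] != b["proxy_proto"]:
        problems.append(f"proxy-id protocol differs: {a['proxy_proto']} vs {b['proxy_proto']}")

    # Proposals (auth method, DH group, cipher, hash) must intersect; with one
    # proposal per end that means they must be identical.
    for phase in ("p1", "p2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} proposal differs: {a[phase]} vs {b[phase]}")

    if a["mode"] != b["mode"]:
        problems.append(f"IKE mode differs: {a['mode']} vs {b['mode']}")

    # A gateway configured as 'dynamic' cannot use main mode with a PSK and must
    # recognise the peer by the ID the peer sends as its local-id.
    for static_end, dynamic_end in ((a, b), (b, a)):
        if not static_end["dynamic_peer"]:
            continue
        if static_end["mode"] != "aggressive":
            problems.append(f"{static_end['name']}: dynamic peer requires aggressive mode")
        if static_end["peer_id"] != dynamic_end["local_id"]:
            problems.append(f"{static_end['name']}: peer-id {static_end['peer_id']!r} != "
                            f"{dynamic_end['name']} local-id {dynamic_end['local_id']!r}")
    return problems


if __name__ == "__main__":
    for line in check_pair(WARSAW, KATOWICE) or ["both ends mirror each other"]:
        print(line)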

 

Check vpn tunnel

-> get sa

00000080<   2.2.2.2  500 esp:a256/sha1 84f2deac  3498 unlim A/-    -1 0

00000080>   2.2.2.2  500 esp:a256/sha1 f35016f9  3498 unlim A/-    -1 0

The VPN is established. This is the view from Katowice: 2.2.2.2 is the address Warsaw currently has; "<" and ">" are the inbound and outbound SAs of tunnel 00000080, each with its own SPI; the negotiated algorithm is AES-256/SHA-1 as configured; 3498 is the number of seconds left of the 3600-second Phase 2 lifetime (kilobyte lifetime unlimited); "A/-" means the SA is active with no VPN-monitor status, and once monitoring is enabled the second letter shows U (up) or D (down).
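Reading get sa by eye is fine for one tunnel; with several it is worth parsing the columns. The following is an added example, not code from the page or from Juniper: a Python parser for get sa lines in the format shown above that reports, per tunnel ID, whether an active inbound and outbound SA pair exists, flags DES/3DES/MD5 proposals and SAs close to expiry. The first two sample lines are the page's own output; the third is constructed to show a down tunnel with a weak proposal and is not captured from a device.

```python
"""Parse ScreenOS 'get sa' output and report tunnel health.

Added example. The first two sample lines are the output shown on this page;
the third is constructed (not captured from a device) to exercise the checks.
"""
import re

SAMPLE_GET_SA = """\
00000080<   2.2.2.2  500 esp:a256/sha1 84f2deac  3498 unlim A/-    -1 0
00000080>   2.2.2.2  500 esp:a256/sha1 f35016f9  3498 unlim A/-    -1 0
00000081<   3.3.3.3  500 esp:3des/md5  00000000     0 unlim I/I    -1 0
"""

# Columns: ID+direction, gateway, port, algorithm, SPI, life in seconds,
# life in kB, state/monitor, PID, vsys.  '<' is the inbound SA, '>' outbound.
SA_LINE = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+"
    r"(?P<gateway>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<proto>\w+):(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<life_sec>\S+)\s+(?P<life_kb>\S+)\s+"
    r"(?P<state>[AI])/(?P<monitor>[UDI-])\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)$"
)

WEAK_ALGOS = {"des", "3des", "md5", "null"}


def _lifetime(value):
    """'unlim' means no limit; anything else is an integer."""
    return None if value == "unlim" else int(value)


def parse_get_sa(text):
    """Return one dict per SA line; header and summary lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        sa = m.groupdict()
        sa["direction"] = "in" if sa.pop("dir") == "<" else "out"
        sa["life_sec"] = _lifetime(sa["life_sec"])
        sa["life_kb"] = _lifetime(sa["life_kb"])
        sas.append(sa)
    return sas


def tunnel_report(sas, min_life_sec=300):
    """Group SAs by tunnel ID and decide whether each tunnel is usable.

    A tunnel counts as up only when both an active ('A') inbound and an
    active outbound SA exist, which is what the page's output shows.
    """
    report = {}
    for sa in sas:
        t = report.setdefault(sa["id"], {"gateway": sa["gateway"], "in": None,
                                         "out": None, "issues": []})
        t[sa["direction"]] = sa
    for t in report.values():
        active = [d for d in ("in", "out") if t[d] and t[d]["state"] == "A"]
        t["up"] = active == ["in", "out"]
        if not t["up"]:
            t["issues"].append("no active inbound+outbound SA pair "
                               "(the dynamic-IP side has to initiate)")
        for d in ("in", "out"):
            sa = t[d]
            if sa is None:
                continue
            if sa["enc"] in WEAK_ALGOS or sa["auth"] in WEAK_ALGOS:
                t["issues"].append(f"{d}: weak proposal {sa['enc']}/{sa['auth']}")
            if sa["life_sec"] is not None and sa["life_sec"] < min_life_sec:
                t["issues"].append(f"{d}: only {sa['life_sec']}s of lifetime left")
    return report


if __name__ == "__main__":
    for tid, t in tunnel_report(parse_get_sa(SAMPLE_GET_SA)).items():
        print(tid, t["gateway"], "UP" if t["up"] else "DOWN", "; ".join(t["issues"]))
```

Feed it the pasted output of get sa from the Katowice side; a tunnel whose dynamic peer has not initiated shows up with only one SA or none, which is the "has to initiate" case described for the monitor settings above.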

 

 

 dzbanek 2013-01-22

 
