Create a VPN Connection with a Juniper Netscreen 5GT (Part 1)

I created this post because I really hate the Juniper site with their links to other documents instead of displaying the whole document all together.

To configure an L2TP over IPSec tunnel, perform the following steps:

1. Configure an L2TP over IPSec user on the Juniper Firewall (see Configuring an L2TP over IPSec User on the Juniper Firewall).
2. Configure an L2TP user group on the Juniper Firewall (see Configuring an L2TP User Group on the Juniper Firewall).
3. Configure an L2TP group gateway on the Juniper Firewall (see Configuring an L2TP Group Gateway and VPN on the Juniper Firewall).
4. Configure an L2TP IP pool on the Juniper Firewall (see Configuring an L2TP IP Pool on the Juniper Firewall).
5. Configure the L2TP VPN default settings on the Juniper Firewall (see Configuring the L2TP VPN Default Settings on the Juniper Firewall).
6. Configure an L2TP VPN tunnel on the Juniper Firewall (see Configuring the L2TP VPN Tunnel on the Juniper Firewall).
7. Configure an L2TP VPN policy on the Juniper Firewall (see Configuring an L2TP VPN Policy on the Juniper Firewall).
8. Configure an L2TP connection on the remote side (see Configuring an L2TP Connection on the Remote Side).
9. Make an L2TP connection from Windows 2000 (see Making an L2TP Connection from Windows 2000).


To make an L2TP connection using Windows 2000, perform the following steps:

1. From the Start menu, select Settings, select Network and Dial-up Connections, and then click Make New Connection.
2. From the Network Connection Wizard, click Next.
3. From Network Connection Type, click to select Connect to a private network through the Internet, and then click Next.
4. From Public Network, click to select the dial-up connection that connects you to your ISP. If your physical connection is an Ethernet connection, select Do not dial the initial connection. If the physical connection is through an ISP, select Automatically dial this initial connection. Click Next.
   Note: For this example, we used Do not dial the initial connection.
5. From Destination Address, in the Host name or IP address box, enter the IP address or hostname of your Juniper Firewall's Untrust interface, and then click Next.
   Note: For this example, we have used 1.1.1.1 as the Untrust IP address.
6. From Connection Availability, click to select For all users, and then click Next.
7. From the Completing the Network Connection Wizard screen, enter a connection name, and then click Finish.
8. Click Properties.
9. Click to select the Security tab, click to select Advanced (custom settings), and then click Settings.
10. From Advanced Security Settings, from the Data encryption drop-down menu, click to select Optional encryption (connect even if no encryption).
11. From Logon security, click to select Allow these protocols. Click to select only Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP). Click to clear any protocols that do not apply.
12. Click OK.
13. Click to select the Networking tab. From the Type of VPN server I am calling drop-down menu, click to select Layer-2 Tunneling Protocol (L2TP).
14. Click OK.
15. From Network and Dial-up Connections, double-click the Dial-up Connection.
16. Enter your User name and Password.
    Note: The User name and Password must match the username and password of the L2TP user configured on the Firewall.
17. Click Connect.


To configure an L2TP user group on the Juniper Firewall, perform the following steps:

1. Open the WebUI. For an example of how to access the WebUI, consult KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.
2. From the ScreenOS options menu, click Objects, select User Group, and then click Local.
3. Click New.
4. From the Edit screen, enter a Group Name.
   Note: For this example, we have entered usergroup1.
5. Click to select an Available Member, and then click the Add Group Members button.
   Note: For this example, we have selected John Doe.
   Note: For more information on configuring an L2TP user, go to Configuring an L2TP User on the Juniper Firewall.
6. Click OK.


To configure an L2TP group gateway and VPN on the Juniper Firewall, perform the following steps:

1. Open the WebUI. For an example of how to access the WebUI, consult KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.
2. From the ScreenOS options menu, click VPNs, select AutoKey Advanced, and then click Gateway.
3. Click New.
4. From the Edit screen, enter a Gateway Name. From Security Level, click Custom.
   Note: For this example, we entered JohnDoeGate.
5. From Remote Gateway Type, click to select Dialup User Group. From the Group drop-down menu, click to select your group.
   Note: For this example, we selected usergroup1.
6. From the Preshared Key text box, enter a Preshared Key.
   Note: For this example, we have entered Password9.
7. From Outgoing Interface, click to select untrust. Click Advanced.
8. From the Phase 1 Proposal drop-down menu, click to choose a proposal.
   Note: For this example, we chose pre-g2-des-sha. When choosing the Phase 1 Proposal, you must select a pre (pre-shared key) proposal.
9. From Mode (Initiator), click to select Aggressive.
10. Click Return.
11. Click OK.
12. From the ScreenOS options menu, click VPNs, and then select AutoKey IKE.
13. Click New.
14. From VPN Name, enter a VPN Name. Click to select Custom.
    Note: For this example, we entered JohnDoeIke.
15. From the Remote Gateway drop-down menu, click to select a Remote Gateway.
    Note: For this example, we chose JohnDoeGate.
16. Click Advanced.
17. From User Defined, click to select Custom. From the Phase 2 Proposal drop-down menus, click to choose the Phase 2 Proposal settings.
    Note: For this example, we chose nopfs-esp-des-md5, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-3des-sha.
18. From Transport Mode, click to select the check box (For L2TP-over-IPSec only). From Bind to, click None.
19. Click Return.
20. Click OK.


To configure an L2TP IP pool on the Juniper Firewall, perform the following steps:

1. Open the WebUI. For an example of how to access the WebUI, consult KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.
2. From the ScreenOS options menu, click Objects, and then click IP Pools.
3. Click New.
4. From the Edit screen, enter an IP Pool Name, a Start IP, and an End IP.
   Note: For this example, we have chosen an IP Pool Name of global, a Start IP of 10.10.2.100, and an End IP of 10.10.2.180.
   Caution: To avoid potential routing problems, make sure the IP Pool is on a different IP subnet than the Trust Zone.
5. Click OK.

To configure the L2TP VPN default settings on the Juniper Firewall, perform the following steps:

Note: If L2TP/Xauth Remote settings are not configured for a user, the L2TP VPN default settings are used. For more information on configuring an L2TP over IPSec user, go to Configuring an L2TP over IPSec User on the Juniper Firewall.

1. Open the WebUI. For an example of how to access the WebUI, consult KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.
2. From the ScreenOS options menu, click VPNs, select L2TP, and then click Default Settings.
3. From the Default Settings screen, from the IP Pool Name drop-down menu, click to select global, and then from the PPP Authentication drop-down menu, click to select CHAP.
   Note: For more information on configuring an L2TP IP pool, go to Configuring an L2TP IP Pool on the Juniper Firewall.
   Note: The DNS Primary Server IP and DNS Secondary Server IP values are optional and are not required for the L2TP tunnel to work. If DNS settings are set, they are pushed down to the L2TP PC client.
   Note: For this example, for the DNS Primary Server IP we have entered 210.11.40.3, and for the DNS Secondary Server IP we have entered 210.11.50.2.
4. Click Apply.
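The same firewall-side objects that the four WebUI procedures above create (user group, IKE gateway and VPN, IP pool, L2TP defaults), expressed as ScreenOS CLI commands so the whole configuration can be reviewed in one place. This is an added example, not from the original post or Juniper's KB; the command syntax is from memory of the ScreenOS CLI and should be checked against the CLI reference for your firmware, the username jdoe is an assumption (the WebUI steps only show the member as John Doe), and the L2TP tunnel and policy from the remaining steps of the outline are not covered here. Lines beginning with # are annotations, not commands.

```screenos
# L2TP user group containing the L2TP-over-IPSec user from the user-configuration step.
# jdoe is an assumed username; the post shows the member only as "John Doe".
set user-group usergroup1 user jdoe

# IKE Phase 1 gateway for the dial-up user group: aggressive mode, pre-shared key,
# untrust as the outgoing interface. The Phase 1 proposal must be a "pre" (pre-shared key) proposal.
# Password9 is the post's sample key; use a long random key in a real deployment.
set ike gateway JohnDoeGate dialup usergroup1 aggressive outgoing-interface untrust preshare Password9 proposal pre-g2-des-sha

# IKE Phase 2 VPN bound to that gateway, in transport mode (L2TP-over-IPSec only),
# with the four Phase 2 proposals chosen in the WebUI steps.
set vpn JohnDoeIke gateway JohnDoeGate transport-mode proposal nopfs-esp-des-md5 nopfs-esp-3des-md5 nopfs-esp-des-sha nopfs-esp-3des-sha

# Caveat: the DES and MD5 proposals in the post's example are weak by current standards.
# Where the client supports it, offer only the 3DES-SHA proposals, e.g. (replacing the two lines above):
#   set ike gateway JohnDoeGate dialup usergroup1 aggressive outgoing-interface untrust preshare Password9 proposal pre-g2-3des-sha
#   set vpn JohnDoeIke gateway JohnDoeGate transport-mode proposal nopfs-esp-3des-sha

# Address pool handed to L2TP clients; keep it on a subnet other than the Trust zone's.
set ippool global 10.10.2.100 10.10.2.180

# L2TP defaults, used when a user has no L2TP/Xauth remote settings of its own.
# The DNS entries are optional; when set they are pushed to the client.
set l2tp default ippool global
set l2tp default ppp-auth chap
set l2tp default dns1 210.11.40.3
set l2tp default dns2 210.11.50.2

save
```

After saving, get ike gateway, get vpn, get ippool and get l2tp default show the resulting objects and are the quickest way to confirm the CLI matches what the WebUI created.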

