ScreenOS Firewalls (NOT SRX)
New User
Banging
Posts: 2
Registered: 01-12-2009

Help with a VPN bypass scenario on SSG-140

Hi,

We use RSA SecurID with tokens to authenticate our users over our VPN tunnel. We need to give an outside vendor the ability to VPN in, but we do not want to give them a token; we would rather give them a username/password, what I would call a bypass. Any help would be greatly appreciated!

Thanks,

Josh

Trusted Expert
WL
Posts: 789
Registered: 07-26-2008

Re: Help with a VPN bypass scenario on SSG-140

Hi

I think you can set up a separate VPN for your vendor with a local username and password. You can then remove the local user on the FW when you are done:

(1) Set up the guest user

set user "Guest" uid 1
set user "Guest" ike-id u-fqdn "x@x.com" share-limit 1
set user "Guest" type auth ike xauth
set user "Guest" password <password>
set user "Guest" "enable"


(2) Set up the user group so you can add additional users if necessary

set user-group "VPN Group" id 1
set user-group "VPN Group" user "Guest"

(3) Set up the vpn

set ike gateway "VPN" dialup "VPN Group" Aggr outgoing-interface <interface> preshare <passwd> proposal <proposal>

Hope this helps

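A small audit helper for the configuration above, added here as an example; it is not part of the thread and not a ScreenOS tool. It parses the `set user`, `set user-group` and `set ike gateway` lines, then checks that every local user a dial-up gateway can reach has the xauth type (so the gateway actually challenges for the username/password), a password, an enabled account and a share-limit of 1, and it lists the local accounts to revisit and remove once the vendor is done. The interface name, pre-shared key and proposal name in the constructed samples are placeholders, not values from the thread.

```python
"""Audit helper for a ScreenOS dial-up VPN user setup (added example, not from the thread)."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the commands from the answer above with the <placeholders>
# filled in. Interface, pre-shared key and proposal name are assumptions.
CLEAN_CONFIG = """
set user "Guest" uid 1
set user "Guest" ike-id u-fqdn "x@x.com" share-limit 1
set user "Guest" type auth ike xauth
set user "Guest" password <password>
set user "Guest" "enable"
set user-group "VPN Group" id 1
set user-group "VPN Group" user "Guest"
set ike gateway "VPN" dialup "VPN Group" Aggr outgoing-interface ethernet0/0 preshare <passwd> proposal pre-g2-3des-sha
"""

# Constructed weak variant: no xauth type (no username/password challenge) and a
# share-limit that lets ten peers use the same IKE ID at once.
WEAK_CONFIG = """
set user "Vendor2" uid 2
set user "Vendor2" ike-id u-fqdn "v2@example.com" share-limit 10
set user "Vendor2" type auth ike
set user "Vendor2" password <password>
set user "Vendor2" "enable"
set user-group "VPN Group" id 1
set user-group "VPN Group" user "Vendor2"
set ike gateway "VPN" dialup "VPN Group" Aggr outgoing-interface ethernet0/0 preshare <passwd> proposal pre-g2-3des-sha
"""


@dataclass
class IkeUser:
    name: str
    ike_id: Optional[str] = None
    share_limit: Optional[int] = None
    types: Set[str] = field(default_factory=set)
    has_password: bool = False
    enabled: bool = False


def parse_screenos(text: str) -> Tuple[Dict[str, IkeUser], Dict[str, List[str]], Dict[str, dict]]:
    """Parse the subset of 'set user', 'set user-group' and 'set ike gateway' used here."""
    users: Dict[str, IkeUser] = {}
    groups: Dict[str, List[str]] = {}
    gateways: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # honours the "quoted names" ScreenOS prints
        if tok[:2] == ["set", "user"]:
            user = users.setdefault(tok[2], IkeUser(tok[2]))
            rest = tok[3:]
            if rest[:1] == ["ike-id"]:
                user.ike_id = f"{rest[1]}:{rest[2]}"
                if "share-limit" in rest:
                    user.share_limit = int(rest[rest.index("share-limit") + 1])
            elif rest[:1] == ["type"]:
                user.types.update(rest[1:])  # e.g. {"auth", "ike", "xauth"}
            elif rest[:1] == ["password"]:
                user.has_password = True
            elif rest[:1] == ["enable"]:
                user.enabled = True
        elif tok[:2] == ["set", "user-group"]:
            members = groups.setdefault(tok[2], [])
            if tok[3:4] == ["user"]:
                members.append(tok[4])
        elif tok[:3] == ["set", "ike", "gateway"]:
            gw = gateways.setdefault(tok[3], {})
            if tok[4:5] == ["dialup"]:
                gw["dialup_group"] = tok[5]
                gw["mode"] = tok[6] if len(tok) > 6 else None  # Aggr / Main
                if "proposal" in tok:
                    gw["proposal"] = tok[tok.index("proposal") + 1]
    return users, groups, gateways


def audit(text: str) -> List[str]:
    """Return findings for every local user reachable through a dial-up gateway."""
    users, groups, gateways = parse_screenos(text)
    findings: List[str] = []
    for gw_name, gw in gateways.items():
        group = gw.get("dialup_group")
        if group is None:
            continue  # site-to-site gateway, not in scope here
        members = groups.get(group, [])
        if not members:
            findings.append(f"gateway {gw_name}: dial-up group '{group}' is missing or empty")
            continue
        for name in members:
            user = users.get(name)
            if user is None:
                findings.append(f"group {group}: member '{name}' is not a defined user")
                continue
            if "xauth" not in user.types:
                findings.append(f"user {name}: no xauth type, so gateway {gw_name} never asks for a username/password")
            if not user.has_password:
                findings.append(f"user {name}: no local password configured")
            if user.share_limit is not None and user.share_limit > 1:
                findings.append(f"user {name}: share-limit {user.share_limit} lets several peers share one IKE ID")
            if not user.enabled:
                findings.append(f"user {name}: account is disabled")
    return findings


def local_vpn_accounts(text: str) -> List[Tuple[str, str]]:
    """(user, gateway) pairs for enabled local accounts bound to a dial-up gateway:
    the accounts to revisit and 'unset user' once the vendor engagement ends."""
    users, groups, gateways = parse_screenos(text)
    out: List[Tuple[str, str]] = []
    for gw_name, gw in gateways.items():
        for name in groups.get(gw.get("dialup_group"), []):
            user = users.get(name)
            if user is not None and user.enabled:
                out.append((name, gw_name))
    return out


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg) or "no findings")
    print("accounts to review:", local_vpn_accounts(CLEAN_CONFIG))
```

Running it reports no findings for the thread's snippet and two for the weak variant; the account list is the thing to check against the vendor's end date, since the answer's whole premise is that the local user is removed afterwards.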
New User
Banging
Posts: 2
Registered: 01-12-2009

Re: Help with a VPN bypass scenario on SSG-140

Thank you very much for the reply. I have a couple of quick questions inline.


(1) Set up the guest user

set user "Guest" uid 1  (What is the significance of naming the user "Guest" with uid 1?)
set user "Guest" ike-id u-fqdn "x@x.com" share-limit 1
set user "Guest" type auth ike xauth
set user "Guest" password <password>
set user "Guest" "enable"


(2) Set up the user group so you can add additional users if necessary

set user-group "VPN Group" id 1
set user-group "VPN Group" user "Guest"

(3) Set up the vpn

set ike gateway "VPN" dialup "VPN Group" Aggr outgoing-interface <interface> preshare <passwd> proposal <proposal> (Is it possible for this to conflict with the existing VPNs? I'm not familiar with the proposal piece of this command.)

Trusted Expert
WL
Posts: 789
Registered: 07-26-2008

Re: Help with a VPN bypass scenario on SSG-140

Hi

For your questions:

(1) uid 1 has no significance; it was just the first user. If you were to use the WebUI to create it, you would not even see the uid; it gets generated automatically.

(2) The proposal simply denotes the type of proposal you will be using for the VPN, meaning that you will need to configure the same on the VPN client (i.e. you need to set up the same proposals in the NetScreen-Remote client).

The dial-up vpn should be distinguished by the u-fqdn and the user group you are binding in and should not affect the other vpns you have.

Take a look at the following guide we have; it should have a more detailed explanation of what the configuration should look like:

http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf

Refer to Chapter 5, Dialup Virtual Private Networks -> Shared IKE ID -> p. 196, Fig. 50.

Hope this will match your requirements more accurately.

Thanks
