That with a combination of figuring out the NCP client worked! So I will post on here how I got it to work for other people to walk through. It's been a pain trying to figure this out and I appreciate your help!
I want to thank Shrew Soft Inc. for this information as it was EXTREMELY valuable in helping me get this to work!!
Configuring VPN on NetScreen 5GT
Introduction
This guide provides information that can be used to configure a Juniper SSG or Netscreen device running firmware version 5.4+ to support IPsec VPN client connectivity.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the push configuration method to acquire the following parameters automatically from the gateway.
- IP Address
- IP Netmask
- DNS Servers
- WINS Servers
Gateway Configuration
This example assumes you have knowledge of the Juniper gateway Web configuration interface. For more information, please consult your Juniper product documentation.
Create a Phase1 ID
Create a user that is used to define the phase1 id parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
- User Name = vpnclient_ph1id
- Status = Enabled
- IKE User = Checked
- Simple Identity = Selected
- IKE ID Type = AUTO
- IKE Identity = client.domain.com
Create a Local Key Group
Create a Local Group that can be assigned to an Auto Key Advanced Gateway. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the group name as vpnclient_group. Also add the vpnclient_ph1id user object as a group member.
Create an Auto Key Advanced Gateway
Create an auto key advanced gateway to configure the phase1 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
- Gateway Name = vpnclient_gateway
- Security Level = Custom
- Remote Gateway Type = Dialup User Group
- Group = vpnclient_group
- Preshared Key = mypresharedkey
- Local ID = vpngw.domain.com
- Outgoing interface MUST BE YOUR UNTRUST INTERFACE
Define Advanced Parameters
Click the Advanced button and define the following parameters.
- Security Level = Custom
- Phase 1 Proposal
  - pre-g2-3des-sha
  - pre-g2-3des-md5
  - pre-g2-aes128-sha
  - pre-g2-aes128-md5
- Mode = Aggressive
- Enable NAT-Traversal = Checked
- Peer Status Detection
When finished click Return.
Define Xauth Parameters
You will now see your auto key advanced gateway listed. Click on the Xauth button in the Configure column.
Define the following parameters.
- Xauth Server = Selected
- Allowed Authentication Type = Generic
- Local Authentication = Selected
When finished click OK.
Create an Auto Key IKE VPN
Create an auto key IKE VPN to configure the phase2 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
- VPN Name = vpnclient_tunnel
- Security Level = Custom
- Remote Gateway Predefined = vpnclient_gateway
Define Advanced Parameters
Click the Advanced button and define the following parameters.
- Security Level = Custom
- Phase 2 Proposal
  - nopfs-esp-3des-sha
  - nopfs-esp-3des-md5
  - nopfs-esp-aes128-sha
  - nopfs-esp-aes128-md5
- Replay Protection = Checked
When finished click Return.
Create a Client Address Pool
Create a pool of addresses to be assigned to VPN clients. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define an IP Pool. For example, you could define a pool named vpnclient with a start IP address of 10.2.21.1 and an end address of 10.2.21.254. I have found that you can NOT use your existing internal networks. So, for example, if you have a 10.0.1.1 network use a 192.168.x.x network here.
Set Client Configuration Parameters
The client configuration parameters are stored in the global Auto Key Advanced XAuth parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Define the following parameters.
- Reserve Private IP for XAuth User = 480 minutes
- Default Authentication Server = Local
- Query Client Settings on Default Server = Unchecked
- CHAP = Unchecked
- IP Pool Name = vpnclient
- DNS Primary Server IP = [ private DNS server address ]
- DNS Secondary Server IP = [ private DNS secondary address ]
- WINS Primary Server IP = [ private WINS server address ]
- WINS Secondary Server IP = [ private WINS secondary address ]
Configure IPsec Policies
The last step for the tunnel configuration is to define policies that allow protected traffic to pass into your private network from the client. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
To create a new IPsec policy, the from and to zones must be specified: the policy goes from the zone of the outgoing (Untrust) interface to the zone holding your private network. Select those zones and click the New button.
Define the following parameters.
- Name = vpnclient_inbound
- Source Address
  - Address Book Entry = Dial-Up VPN
- Destination Address
  - New Address = 10.1.2.0/24
  - I'm not sure how this works so I selected ANY. I'm sure with some work and a better understanding you can adjust this to only the resources you want your VPN clients going to.
- Service = ANY
- Application = None ( means ANY )
- Action = Tunnel
- Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]
Create Local User Accounts
Create local user accounts that will be used during Xauth. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
- User Name = joe ( the xauth user name )
- Status = Enabled
- XAuth User = Checked
- User Password = **** ( the xauth user password )
- Confirm Password = **** ( the same user password )
When finished press OK.
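As an added check on the finished configuration (this script is not part of the original post or of the Shrew Soft guide): the proposals above include 3DES and MD5, Phase 1 runs in aggressive mode with a pre-shared key (the peer identity and the authentication hash go over the wire unencrypted, so a captured exchange can be used to guess the PSK offline), and the Phase 2 proposals have no PFS. The script walks a constructed ScreenOS-style `set` excerpt that mirrors this guide and reports those settings, and it also checks that the XAuth IP pool does not overlap an internal network, which is the problem noted in the address-pool step. The config lines, the interface name, the internal ranges and all other names are assumptions for illustration; verify the `set` syntax against your own `get config` output before relying on the parser.

```python
"""Audit a ScreenOS-style dial-up IPsec VPN configuration excerpt.

Added example: flags weak Phase 1 / Phase 2 proposals, aggressive mode
with a pre-shared key, the absence of PFS, and an XAuth address pool that
overlaps an internal network.
"""
import ipaddress
import re

# Constructed ScreenOS-style 'set' lines mirroring the guide (assumption:
# not captured from a real device; the interface name ethernet3 is made up).
SAMPLE_CONFIG = """\
set ike gateway vpnclient_gateway dialup vpnclient_group aggressive local-id vpngw.domain.com outgoing-interface ethernet3 preshare mypresharedkey proposal pre-g2-3des-sha pre-g2-3des-md5 pre-g2-aes128-sha pre-g2-aes128-md5
set ike gateway vpnclient_gateway nat-traversal
set ike gateway vpnclient_gateway xauth server Local
set vpn vpnclient_tunnel gateway vpnclient_gateway replay proposal nopfs-esp-3des-sha nopfs-esp-3des-md5 nopfs-esp-aes128-sha nopfs-esp-aes128-md5
set ippool vpnclient 10.2.21.1 10.2.21.254
set xauth default ippool vpnclient
"""

# Assumed internal ranges behind the gateway; replace with your own.
INTERNAL_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24"]

# Name components of ScreenOS proposals that should not be used today.
WEAK_PARTS = {
    "des": "single DES",
    "3des": "3DES",
    "md5": "HMAC-MD5",
    "null": "NULL encryption",
    "g1": "DH group 1 (768-bit)",
}

GATEWAY_RE = re.compile(
    r"^set ike gateway (\S+) dialup (\S+)(?: (aggressive|main))?.* proposal (.+)$")
VPN_RE = re.compile(r"^set vpn (\S+) gateway (\S+) .*proposal (.+)$")
POOL_RE = re.compile(r"^set ippool (\S+) (\S+) (\S+)$")


def weak_parts(proposal):
    """Return the weak components of a proposal name such as
    'pre-g2-3des-md5' (split on '-' and matched against WEAK_PARTS)."""
    return [WEAK_PARTS[p] for p in proposal.split("-") if p in WEAK_PARTS]


def pool_overlaps(start, end, internal_networks):
    """Return the internal CIDRs that the address range start..end overlaps."""
    pool_nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return [cidr for cidr in internal_networks
            if any(p.overlaps(ipaddress.ip_network(cidr)) for p in pool_nets)]


def audit(config_text, internal_networks):
    """Walk the config lines and return a list of finding strings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GATEWAY_RE.match(line)
        if m:
            gw, _group, mode, proposals = m.groups()
            if mode == "aggressive":
                findings.append(
                    f"{gw}: aggressive mode with a pre-shared key sends the "
                    "identity and authentication hash unencrypted; the PSK "
                    "can be guessed offline from a capture")
            for prop in proposals.split():
                for weak in weak_parts(prop):
                    findings.append(f"{gw}: phase 1 proposal {prop} uses {weak}")
            continue
        m = VPN_RE.match(line)
        if m:
            vpn, _gw, proposals = m.groups()
            props = proposals.split()
            if all(p.startswith("nopfs") for p in props):
                findings.append(f"{vpn}: no phase 2 proposal offers PFS")
            for prop in props:
                for weak in weak_parts(prop):
                    findings.append(f"{vpn}: phase 2 proposal {prop} uses {weak}")
            continue
        m = POOL_RE.match(line)
        if m:
            name, start, end = m.groups()
            for cidr in pool_overlaps(start, end, internal_networks):
                findings.append(
                    f"ippool {name}: {start}-{end} overlaps internal network {cidr}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, INTERNAL_NETWORKS):
        print(finding)
```

Run it against the sample and it reports the aggressive-mode gateway, every proposal that carries 3DES or MD5, the missing PFS, and the 10.2.21.x pool colliding with 10.0.0.0/8; moving the pool to an unused 192.168.x.x range, as the address-pool step suggests, clears the last finding. Dropping the 3DES and MD5 proposals from both lists (keeping only the AES/SHA ones) and choosing a Phase 2 proposal with PFS clears the rest, leaving aggressive mode as the one item that the dial-up PSK design requires you to accept.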