Screen OS

I have a customer who has purchased some Netscreen-Remote licenses. We set it up using a simple IKE user id and am connected to the entire subnet.

My question is will it be possible to limit access based on users?

For example, I have IKE user: user.one with 10.0.0.0/8 in their subnet identification on the client and can connect and access anything.

If I have IKE user: user.two with the same settings, can I limit the access based on a policy without having to mess with the proxy-id settings.

Hi

If i got this correct, your dial-up VPN users get IPs from a pool 10.0.0.1-10.0.0.254 or something like this.

First, you should set your VPN up as route-based in case if you have policy-based.

And then you should be able to use WebAuth with policyes. When using WebAuth, the IP address of the user gets authenticated for a known period of time (by default 10 minutes) so that traffic can pass according to the policy.

Now, i'm not sure if you can do WebAuth with VPNs and tunnel interfaces, I have done it just for traffic from Trust to UnTrust so check and inform back if what i have described is not correct.

Yes. Thank you for the response.

There is two groups who have specific needs. I tried to set it up as a policy based on that sends all Dialup VPN users into the tunnel and XAuth to give them IPs but I can not create policies based on the IKE users.

IT Department Users

       - Full network access and IP's.

Clients

      - Only access to 3 IP addresses

I have setup a bunch of remote LAN to LAN sites using route based VPNs but never set one up with the netscreen-remote client. Any docs for that would be great.

In order to enforce policy based on a source user group for PSK+User authenticated netscreen remote clients with splt tunneling enabled, I've done the following (pulling this from memory while looking at a firewall GUI, so it may be off a bit):

- Create your IP pool for each group of users.  "Remote-VPN-IPPool-Admin"

- Create the user "username" as simple identity, IKE user with email address as the IKE Identity "username@comapny.com".  Should be XAuth User with a password defined.  The IP Pool should match the group this user is being placed in.  ""Remote-VPN-IPPool-Admin" 

-  Create the Local Groups, in this case "Remote-VPN-Users-Admin" for our Admin users.  Add the appropriate users to your groups.

- Create tunnel interface for your VPN Users.  In my case tunnel.10 is unnumbered on your external interface and terminated in the Untrust zone.

- Create a new zone called "VPN".

- Place the tunnel.10 interface into the VPN zone. default or fixed-IP 0.0.0.0/0 is fine. 

- Under VPN->AutoKey Advanced->Gateway, create your Phase 1 config for each group.  In this case, "Remote-VPN-Gateway-Admin".  Set the gateway to use the Dial-Up user group "Remote-VPN-IPPool-Admin".  Click the advanced button and set a PSK, your desired proposal, set mode agressive, and enabled NAT-T.

- Now click the XAuth configure link back at your list of gateways for each gateway and set Xauth server generic and ocal authentication of the appropriate user group,  "Remote-VPN-Users-Admin".

- Now setup Phase 2 for each group in Autokey IKE.  Mine is named "Remote-VPN-Admin".  Set the remote gateway to pre-defined "Remote-VPN-Gateway-Admin".  Click advanced and set your proposals, replay protection, bind to the tunnel interface you created above for this group, in my case tunnel.10, check proxy-id and specify the corporate network subnet.

- Now under VPN->AutoKey Advanced->XAuth settings, define global settings like DNS and WINS.  Do not specificy an IP Pool here.

- Finally, create policy to/from the VPN Zone using the IP addresses you defined in your IP Pool's above to identify source user groups.  Easy to use valid subnets for your IP pool ranges that way you dont have to define a bunch of /32 objects for your policy.

Hopefully that makes sense! 

That is exactly what I just drew on my board.

Make it route based so it has a tunnel interface in the untrust zone and then have two groups of users.

xAuth has two IP pools and then base permissions on the ips it hands out.

Thanks for the help

Excellent!

Someone responded super quick to my post with help so I figured I'd give a little back 🙂