In order to enforce policy based on a source user group for PSK+User authenticated NetScreen remote clients with split tunneling enabled, I've done the following (pulling this from memory while looking at a firewall GUI, so it may be off a bit):
- Create your IP pool for each group of users. "Remote-VPN-IPPool-Admin"
- Create the user "username" as a simple identity, IKE user with an email address as the IKE Identity, "username@company.com". It should be an XAuth User with a password defined. The IP Pool should match the group this user is being placed in: "Remote-VPN-IPPool-Admin".
- Create the Local Groups, in this case "Remote-VPN-Users-Admin" for our Admin users. Add the appropriate users to your groups.
- Create a tunnel interface for your VPN Users. In my case tunnel.10 is unnumbered on the external interface and terminated in the Untrust zone.
- Create a new zone called "VPN".
- Place the tunnel.10 interface into the VPN zone. default or fixed-IP 0.0.0.0/0 is fine.
- Under VPN->AutoKey Advanced->Gateway, create your Phase 1 config for each group. In this case, "Remote-VPN-Gateway-Admin". Set the gateway to use the Dial-Up user group "Remote-VPN-IPPool-Admin". Click the advanced button and set a PSK and your desired proposal, set mode to aggressive, and enable NAT-T.
- Now click the XAuth configure link back at your list of gateways for each gateway and set the XAuth server to generic and local authentication of the appropriate user group, "Remote-VPN-Users-Admin".
- Now set up Phase 2 for each group in AutoKey IKE. Mine is named "Remote-VPN-Admin". Set the remote gateway to the pre-defined "Remote-VPN-Gateway-Admin". Click advanced and set your proposals and replay protection, bind to the tunnel interface you created above for this group (in my case tunnel.10), check proxy-id and specify the corporate network subnet.
- Now under VPN->AutoKey Advanced->XAuth settings, define global settings like DNS and WINS. Do not specify an IP Pool here.
- Finally, create policy to/from the VPN Zone using the IP addresses you defined in your IP Pools above to identify source user groups. It's easy to use valid subnets for your IP pool ranges; that way you don't have to define a bunch of /32 objects for your policy.
Hopefully that makes sense!
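As an added example (not part of the original post), here is roughly the same procedure expressed as ScreenOS CLI commands instead of GUI clicks, using the object names from the post. The command syntax is reconstructed from memory of the ScreenOS CLI; the external interface name (ethernet3), the pool and corporate address ranges, the DNS/WINS addresses, the proposal names, the user password and the PSK are all placeholders, and the `#` lines are annotations rather than CLI input. Check each line against the CLI reference for your firmware before pasting it in.

```text
# 1. Per-group IP pool. A whole /24 so the policy can match one subnet object.
set ippool "Remote-VPN-IPPool-Admin" 10.200.10.1 10.200.10.254

# 2. IKE + XAuth user, identified by e-mail (u-fqdn), assigned the group's pool.
set user "username" ike-id u-fqdn "username@company.com" share-limit 1
set user "username" type ike xauth
set user "username" password "CHANGE-ME-USER-PASSWORD"
set user "username" remote-settings ip-pool "Remote-VPN-IPPool-Admin"
set user "username" enable

# 3. Local user group holding the Admin users.
set user-group "Remote-VPN-Users-Admin" location local
set user-group "Remote-VPN-Users-Admin" user "username"

# 4-6. VPN zone and an unnumbered tunnel interface borrowing the Untrust address.
set zone name "VPN"
set interface tunnel.10 zone "VPN"
set interface tunnel.10 ip unnumbered interface ethernet3

# 7. Phase 1: dial-up gateway for the group, aggressive mode, PSK, NAT-T.
set ike gateway "Remote-VPN-Gateway-Admin" dialup "Remote-VPN-Users-Admin" aggressive outgoing-interface ethernet3 preshare "CHANGE-ME-PSK" proposal "pre-g2-aes128-sha"
set ike gateway "Remote-VPN-Gateway-Admin" nat-traversal

# 8. XAuth against the local user group (this is where the pool gets handed out).
set ike gateway "Remote-VPN-Gateway-Admin" xauth server Local user-group "Remote-VPN-Users-Admin"

# 9. Phase 2: replay protection, bound to tunnel.10, proxy-id = corporate subnet.
set vpn "Remote-VPN-Admin" gateway "Remote-VPN-Gateway-Admin" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Remote-VPN-Admin" bind interface tunnel.10
set vpn "Remote-VPN-Admin" proxy-id local-ip 10.0.0.0/8 remote-ip 0.0.0.0/0 "ANY"

# 10. Global XAuth settings: DNS/WINS only, deliberately no default pool.
set xauth default dns1 10.0.0.53
set xauth default wins1 10.0.0.54

# 11. Policy keyed on the pool subnet, which is what identifies the group.
set address "VPN" "Remote-VPN-Admin-Net" 10.200.10.0 255.255.255.0
set address "Trust" "Corp-Net" 10.0.0.0 255.0.0.0
set policy from "VPN" to "Trust" "Remote-VPN-Admin-Net" "Corp-Net" "ANY" permit log
```

The thing to keep in mind with this design is that the policy never sees the user name: group membership is enforced only through the address the user is handed from the pool in step 2. A user attached to the wrong pool, or a second group whose pool overlaps this /24, silently inherits the Admin policy, so keep the pools disjoint and review the per-user pool assignment whenever someone is moved between groups.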