
Gateway 1 Configuration

1. IKE configuration on host-1 and host-2

set ike gateway gateway1 address 1.1.1.1 aggressive outgoing-interface loopback.1 preshare test1 sec-level standard

set ike gateway gateway2 address 1.1.1.10 aggressive outgoing-interface loopback.2 preshare test1 sec-level standard

2. VPN configuration on host-1 and host-2

set vpn v1 gateway gateway1 transport sec-level standard

set vpn v2 gateway gateway2 transport sec-level standard

3. Proxy configuration for v1 and v2

set vpn "v1" proxy-id local-ip 4.4.4.4/32 remote-ip 6.6.6.6/32 "ANY"

set vpn "v2" proxy-id local-ip 4.4.4.5/32 remote-ip 4.4.4.7/32 "ANY"

4. MIP configuration

set interface loopback.1 mip 3.3.3.3 host 6.6.6.6

set interface loopback.2 mip 3.3.3.4 host 6.6.6.7

5. IKE configuration for GW-2

set ike gateway s1 address 6.6.6.6 aggressive outgoing-interface loopback.3 preshare test1 sec-level standard

set ike gateway s2 address 6.6.6.7 aggressive outgoing-interface loopback.4 preshare test1 sec-level standard

6. VPN configuration for s1 and s2

set vpn v3 gateway s1 transport sec-level standard

set vpn v4 gateway s2 transport sec-level standard

7. DIP configuration

set interface eth2 ext ip 4.4.4.4 255.255.255.255 dip 10 4.4.4.4 4.4.4.4

set interface eth2 ext ip 4.4.4.5 255.255.255.255 dip 11 4.4.4.5 4.4.4.5

8. Policy setup

Outgoing policy

set policy id 3 from trust to untrust "1.1.1.1" "3.3.3.3" any nat src dip-id 10 tunnel vpn v3

set policy id 4 from trust to untrust "1.1.1.10" "3.3.3.4" any nat src dip-id 11 tunnel vpn v4

Incoming policy

set policy id 1 from trust to untrust "1.1.1.1" "(MIP)3.3.3.3" any tunnel vpn v1

set policy id 2 from trust to untrust "1.1.1.10" "(MIP)3.3.3.4" any tunnel vpn v2

NOTE: Configure the outgoing policy before configuring the incoming policy. The device performs the policy search twice: the first search checks the incoming packet against the policy that defines the VPN it arrived on, and the second search finds the other VPN (the outgoing VPN) through which the packet is sent. If the outgoing policy does not exist, the second search fails and the packet is dropped.

9. Flow check

set flow ply-chk-self-out-tunnel

GW-2 Configuration

8. IKE and VPN configuration to server-PC

set ike gateway gateway1 address 5.0.0.1 aggressive outgoing-interface lo.3 preshare test sec-level standard

set ike gateway gateway2 address 5.0.0.2 aggressive outgoing-interface lo.4 preshare test sec-level standard

9. VPN configuration on server-1 and server-2

set vpn v3 gateway gateway1 transport sec-level standard

set vpn v4 gateway gateway2 transport sec-level standard

10. Proxy configuration for v3 and v4

set vpn "v3" proxy-id local-ip 3.3.3.3/32 remote-ip 1.1.1.1/32 "ANY"

set vpn "v4" proxy-id local-ip 3.3.3.4/32 remote-ip 1.1.1.10/32 "ANY"

11. Reversed MIP (traffic is from untrust to trust)

set interface lo.3 mip 7.7.7.7 host 4.4.4.4

set interface lo.4 mip 7.7.7.8 host 4.4.4.5

12. IKE and VPN configuration to GW-1 (Client-PC)

set ike gateway h1 address 4.4.4.4 aggressive outgoing-interface lo.1 preshare test sec-level standard

set ike gateway h2 address 4.4.4.5 aggressive outgoing-interface lo.2 preshare test sec-level standard

13. VPN configuration on host-1 and host-2

set vpn v1 gateway h1 transport sec-level standard

set vpn v2 gateway h2 transport sec-level standard

14. MIP

set interface lo.1 mip 6.6.6.6 host 5.0.0.1

set interface lo.2 mip 6.6.6.7 host 5.0.0.2

15. Policy setup

Outgoing policy

set policy id 7 from untrust to trust "4.4.4.4" "6.6.6.6" any tunnel vpn v3

set policy id 8 from untrust to trust "4.4.4.5" "6.6.6.7" any tunnel vpn v4

Incoming policy

set policy id 5 from untrust to trust "4.4.4.4" "(MIP)6.6.6.6" any tunnel vpn v1

set policy id 6 from untrust to trust "4.4.4.5" "(MIP)6.6.6.7" any tunnel vpn v2

1. When a packet from h-1 arrives at GW-1, GW-1 decrypts the packet and finds the destination MIP for the packet.

2. GW-1 matches the packet against the policy (policy 1) that defines the host VPN. It then performs a second policy search and finds the policy (policy 3) that defines the server VPN and the source NAT.

3. GW-1 then applies the destination MIP, which changes the destination IP address from 3.3.3.3 to 6.6.6.6, and the source NAT, which changes the source IP address from 1.1.1.1 to 4.4.4.4.

4. GW-2 decrypts the packet and finds the destination MIP for the packet. It matches the decrypted packet against the policy (policy 5) that defines the host VPN. It then performs a second policy search and finds the policy (policy 7) that defines the server VPN.

5. Before sending the packet out, GW-2 finds the reversed MIP on lo.3 for the packet's source IP 4.4.4.4, so the source IP is changed from 4.4.4.4 to 7.7.7.7.

6. GW-2 forwards the packet to s-1 through interface 7.7.7.7

7. s-1 (5.0.0.1) processes the packet and sends its reply to 7.7.7.7, the reversed MIP on GW-2 (6.6.6.6).

8. GW-2 identifies the reversed MIP (7.7.7.7 -> 4.4.4.4) and sends the packet to GW-1 (4.4.4.4). From GW-1, the packet is sent to h-1.
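The eight steps above are easy to misread because the same addresses are translated on two devices and the tunnel names (v1, v3) mean different things on each one. The following Python model, added here as an illustration and not ScreenOS code, walks one packet from h-1 to s-1 and the reply back through the tables configured above. The `Gateway`, `Packet` and `Policy` classes and the lookup order (first the policy for the arrival tunnel, then a second search for the outgoing policy) are assumptions that mirror the narrative; the addresses, policy IDs, DIP IDs and tunnel names are taken from the configuration. It also shows what the NOTE warns about: with the outgoing policies removed, the second search fails and the packet is dropped.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tunnel: str  # VPN the packet arrived on (input) or leaves on (output); names are local to a device


@dataclass(frozen=True)
class Policy:
    pid: int
    src: str
    dst: str  # "(MIP)a.b.c.d" is the address-book entry of a MIP, as written on the page
    tunnel: str
    dip: Optional[int] = None  # "nat src dip-id N"

    def matches(self, pkt: Packet) -> bool:
        dst = self.dst[5:] if self.dst.startswith("(MIP)") else self.dst
        return self.src == pkt.src and dst == pkt.dst


class Gateway:
    """Assumed model of one device: MIP, reversed-MIP, DIP and policy tables plus a session list."""

    def __init__(self, name: str, mips: Dict[str, str], reversed_mips: Dict[str, str],
                 dips: Dict[int, str], policies: List[Policy]) -> None:
        self.name = name
        self.mips = mips                    # MIP address -> host (destination translation)
        self.reversed_mips = reversed_mips  # host -> MIP (source translation on the exit interface)
        self.dips = dips                    # dip-id -> translated source address
        self.policies = sorted(policies, key=lambda p: p.pid)
        self.sessions: List[Tuple[Packet, Packet]] = []

    def _search(self, pkt: Packet, ok: Callable[[Policy], bool]) -> Optional[Policy]:
        return next((p for p in self.policies if p.matches(pkt) and ok(p)), None)

    def forward(self, pkt: Packet) -> Packet:
        """Steps 1-3 (GW-1) and 4-5 (GW-2): two policy searches, then the translations."""
        incoming = self._search(pkt, lambda p: p.tunnel == pkt.tunnel)  # policy for the arrival VPN
        if incoming is None:
            raise PermissionError(f"{self.name}: no policy for traffic arriving on {pkt.tunnel}")
        outgoing = self._search(pkt, lambda p: p is not incoming)       # second search: outgoing VPN
        if outgoing is None:
            raise PermissionError(f"{self.name}: policy {incoming.pid} matched but no outgoing policy")
        dst = self.mips.get(pkt.dst, pkt.dst)                                 # destination MIP
        src = self.dips[outgoing.dip] if outgoing.dip is not None else pkt.src  # source NAT via DIP
        src = self.reversed_mips.get(src, src)                                # reversed MIP on exit
        out = Packet(src, dst, outgoing.tunnel)
        self.sessions.append((pkt, out))
        return out

    def reply(self, pkt: Packet) -> Packet:
        """Steps 7-8: a reply matching an existing session is un-translated and sent back."""
        for orig, out in self.sessions:
            if (pkt.src, pkt.dst, pkt.tunnel) == (out.dst, out.src, out.tunnel):
                return Packet(orig.dst, orig.src, orig.tunnel)
        raise PermissionError(f"{self.name}: no session for {pkt}")


def build_gw1() -> Gateway:  # tables from "Gateway 1 Configuration" above
    return Gateway("GW-1", mips={"3.3.3.3": "6.6.6.6", "3.3.3.4": "6.6.6.7"}, reversed_mips={},
                   dips={10: "4.4.4.4", 11: "4.4.4.5"},
                   policies=[Policy(1, "1.1.1.1", "(MIP)3.3.3.3", "v1"),
                             Policy(2, "1.1.1.10", "(MIP)3.3.3.4", "v2"),
                             Policy(3, "1.1.1.1", "3.3.3.3", "v3", dip=10),
                             Policy(4, "1.1.1.10", "3.3.3.4", "v4", dip=11)])


def build_gw2() -> Gateway:  # tables from "GW-2 Configuration" above
    return Gateway("GW-2", mips={"6.6.6.6": "5.0.0.1", "6.6.6.7": "5.0.0.2"},
                   reversed_mips={"4.4.4.4": "7.7.7.7", "4.4.4.5": "7.7.7.8"}, dips={},
                   policies=[Policy(5, "4.4.4.4", "(MIP)6.6.6.6", "v1"),
                             Policy(6, "4.4.4.5", "(MIP)6.6.6.7", "v2"),
                             Policy(7, "4.4.4.4", "6.6.6.6", "v3"),
                             Policy(8, "4.4.4.5", "6.6.6.7", "v4")])


def trace_h1_to_s1() -> List[Packet]:
    """One packet from h-1 to s-1 and the reply back; returns the packet as seen at each hop."""
    gw1, gw2 = build_gw1(), build_gw2()
    from_h1 = Packet("1.1.1.1", "3.3.3.3", "v1")             # h-1 addresses the MIP that stands for s-1
    to_gw2 = gw1.forward(from_h1)
    to_s1 = gw2.forward(replace(to_gw2, tunnel="v1"))         # GW-1's v3 is the same tunnel as GW-2's v1
    from_s1 = Packet(to_s1.dst, to_s1.src, "v3")              # s-1 replies to the reversed MIP 7.7.7.7
    back_to_gw1 = gw2.reply(from_s1)
    back_to_h1 = gw1.reply(replace(back_to_gw1, tunnel="v3"))  # GW-2's v1 arrives on GW-1's v3
    return [from_h1, to_gw2, to_s1, from_s1, back_to_gw1, back_to_h1]


def dropped_without_outgoing_policy() -> bool:
    """The NOTE above: with policies 3 and 4 absent the second search fails and GW-1 drops the packet."""
    gw1 = build_gw1()
    gw1.policies = [p for p in gw1.policies if p.dip is None]
    try:
        gw1.forward(Packet("1.1.1.1", "3.3.3.3", "v1"))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for hop in trace_h1_to_s1():
        print(f"{hop.src:>9} -> {hop.dst:<9} via {hop.tunnel}")
    print("dropped without outgoing policy:", dropped_without_outgoing_policy())
```

Running it prints the six hops: 1.1.1.1 -> 3.3.3.3 at h-1, 4.4.4.4 -> 6.6.6.6 leaving GW-1 (DIP 10 and MIP applied), 7.7.7.7 -> 5.0.0.1 leaving GW-2 (MIP and reversed MIP applied), and the mirror image on the way back, ending as 3.3.3.3 -> 1.1.1.1 at h-1. Replies are matched against the session created by the first packet rather than against the policies, which is why no separate "reverse" policies appear in the configuration.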

9. Flow check

Juniper Networks security devices can support dialup virtual private network (VPN) connections. You can configure a security device that has a static IP address to secure an IPsec tunnel with a NetScreen-Remote client or with another security device with a dynamic IP address.

This chapter contains the following sections:

• Dialup on page 169

• Group IKE ID on page 191

• Shared IKE ID on page 206

Dialup

You can configure tunnels for VPN dialup users individually, or you can form users into a VPN dialup group for which you need only configure one tunnel. You can also create a Group IKE ID user that allows you to define one user whose IKE ID is used as part of the IKE IDs of dialup IKE users. This approach is particularly timesaving when there are large groups of dialup users because you do not have to configure each IKE user individually.

NOTE: For more information about creating IKE user groups, see IKE User and User Groups. For more information about the Group IKE ID feature, see “Group IKE ID” on page 191.

If the dialup client can support a virtual internal IP address, which the NetScreen-Remote does, you can also create a dynamic peer dialup VPN, AutoKey IKE tunnel (with a preshared key or certificates). You can configure a Juniper Networks security gateway with a static IP address to secure an IPsec tunnel with a NetScreen-Remote client or with another security device with a dynamic IP address.

NOTE: For background information about the available VPN options, see “Internet Protocol Security” on page 3. For guidance when choosing among the various options, see “Virtual Private Network Guidelines” on page 61.

You can configure policy-based VPN tunnels for VPN dialup users. For a dialup dynamic peer client, you can configure either a policy-based or route-based VPN. Because a dialup dynamic peer client can support a virtual internal IP address, which the NetScreen-Remote does, you can configure a routing table entry to that virtual internal address through a designated tunnel interface. Doing so allows you to configure a route-based VPN tunnel between the security device and that peer.

NOTE: A dialup dynamic peer client is a dialup client that supports a virtual internal IP address.

The dialup dynamic peer is nearly identical to the Site-to-Site dynamic peer except that the internal IP address for the dialup client is a virtual address.