
Policy-Based Dialup VPN, AutoKey IKE

In this example, an AutoKey IKE tunnel using either a preshared key or a pair of certificates (one at each end of the tunnel) provides the secure communication channel between the IKE user Wendy and the UNIX server. The tunnel again uses ESP with 3DES encryption and SHA-1 authentication.

NOTE: The preshared key is h1p8A24nG5. It is assumed that both participants already have certificates. For more information about certificates, see “Certificates and CRLs” on page 39.

Setting up the AutoKey IKE tunnel with either a preshared key or certificates requires the following configuration at the corporate site:

1. Configure interfaces for the Trust and Untrust zones, both of which are in the trust-vr routing domain.

2. Enter the address of the UNIX server in the Trust zone address book.

3. Define Wendy as an IKE user.

4. Configure the remote gateway and AutoKey IKE VPN.

5. Set up a default route.

6. Create a policy from the Untrust zone to the Trust zone permitting access to the UNIX from the dialup user.

Figure 44: Policy-Based Dialup VPN, AutoKey IKE

The preshared key is h1p8A24nG5. This example assumes that both participants already have RSA certificates issued by Verisign and that the local certificate on the NetScreen-Remote contains the U-FQDN [email protected]. (For information about obtaining and loading certificates, see “Certificates and CRLs” on page 39.) For the Phase 1 and 2 security levels, you specify one Phase 1 proposal—either pre-g2-3des-sha for the preshared key method or rsa-g2-3des-sha for certificates—and select the predefined “Compatible” set of proposals for Phase 2.

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, then click Apply:

Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24

Select the following, then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK:

Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24

2. Address

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: UNIX
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.5/32
Zone: Trust

3. User

Objects > Users > Local > New: Enter the following, then click OK:

User Name: Wendy
Status: Enable (select)
IKE User: (select)

4. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:

Gateway Name: Wendy_NSR
Security Level: Custom
Remote Gateway Type:
Dialup User: (select), User: Wendy

Certificates

Outgoing Interface: ethernet3

> Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:

Security Level: Custom
Phase 1 Proposal (For Custom Security Level): rsa-g2-3des-sha
Mode (Initiator): Aggressive
Preferred Certificate (optional):
Peer CA: Verisign
Peer Type: X509-SIG

(or)

Preshared Key

CAUTION: Aggressive mode is insecure. Because of protocol limitations, main mode IKE in combination with preshared key (PSK) is not possible for dialup VPN users. In addition, it is never advisable to use aggressive mode because this mode has inherent security problems. Consequently, it is strongly advisable to configure dialup VPN users with PKI certificates and main mode.

Preshared Key: h1p8A24nG5
Outgoing Interface: ethernet3

> Advanced: Enter the following advanced settings, then click Return to return to the basic Gateway configuration page:

Security Level: Custom
Phase 1 Proposal (For Custom Security Level): pre-g2-3des-sha
Mode (Initiator): Aggressive

VPNs > AutoKey IKE > New: Enter the following, then click OK:

VPN Name: Wendy_UNIX
Security Level: Compatible
Remote Gateway:
Predefined: (select), Wendy_NSR

5. Route

Network > Routing > Routing Entries > trust-vr New: Enter the following, then click OK:

Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250

6. Policy

Policies > (From: Untrust, To: Trust) New: Enter the following, then click OK:

Source Address:
Address Book Entry: (select), Dial-Up VPN
Destination Address:
Address Book Entry: (select), UNIX
Service: ANY
Action: Tunnel
Tunnel VPN: Wendy_UNIX
Modify matching bidirectional VPN policy: (clear)
Position at Top: (select)

CLI

1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Address

set address trust unix 10.1.1.5/32

3. User

set user wendy ike-id u-fqdn [email protected]

4. VPN

Certificates

set ike gateway wendy_nsr dialup wendy aggressive outgoing-interface ethernet3 proposal rsa-g2-3des-sha
set ike gateway wendy_nsr cert peer-ca 1
set ike gateway wendy_nsr cert peer-cert-type x509-sig
set vpn wendy_unix gateway wendy_nsr sec-level compatible

NOTE: The number 1 is the CA ID number. To discover the CA’s ID number, use the following command: get pki x509 list ca-cert.

(or)

Preshared Key

CAUTION: Aggressive mode is insecure. Due to protocol limitations, main mode IKE in combination with preshared key (PSK) is not possible for dialup VPN users. In addition, it is never advisable to use aggressive mode because this mode has inherent security problems. Consequently, it is strongly advisable to configure dialup VPN users with PKI certificates and main mode.

set ike gateway wendy_nsr dialup wendy aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn wendy_unix gateway wendy_nsr sec-level compatible

5. Route

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

6. Policy

set policy top from untrust to trust "Dial-Up VPN" unix any tunnel vpn wendy_unix
save
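The CLI commands above are the whole corporate-side configuration, so a reviewer can check them for the weaknesses this example's CAUTION describes (aggressive mode with a preshared key, the legacy DES/3DES and MD5 algorithms in the Phase 1 proposal, and the "Compatible" Phase 2 set with PFS cleared that the NetScreen-Remote side mirrors) before the configuration goes live. The following Python script is an added example, not part of the manual and not ScreenOS code: it parses the page's own CLI lines (embedded below as a constructed sample) and reports those findings. The second, hardened sample is likewise constructed; it assumes that ScreenOS accepts main in place of aggressive on the dialup gateway and that the predefined names rsa-g2-aes128-sha and sec-level standard exist on the release in use.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the preshared-key variant of this example's CLI
# configuration, one command per line, exactly as the page gives it.
SAMPLE_PSK_CONFIG = """\
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set address trust unix 10.1.1.5/32
set user wendy ike-id u-fqdn [email protected]
set ike gateway wendy_nsr dialup wendy aggressive outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn wendy_unix gateway wendy_nsr sec-level compatible
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
set policy top from untrust to trust "Dial-Up VPN" unix any tunnel vpn wendy_unix
"""

# Constructed sample following the page's CAUTION (certificates, main mode).
# Assumed keywords: "main" in place of "aggressive", and the predefined names
# rsa-g2-aes128-sha and sec-level standard.
HARDENED_CONFIG = """\
set ike gateway wendy_nsr dialup wendy main outgoing-interface ethernet3 proposal rsa-g2-aes128-sha
set ike gateway wendy_nsr cert peer-ca 1
set ike gateway wendy_nsr cert peer-cert-type x509-sig
set vpn wendy_unix gateway wendy_nsr sec-level standard
"""

# Phase 2 proposals behind the predefined "Compatible" level; the NetScreen-Remote
# steps on this page mirror them (PFS cleared, 3DES/DES, SHA-1/MD5).
COMPATIBLE_P2 = "nopfs-esp-3des-sha nopfs-esp-3des-md5 nopfs-esp-des-sha nopfs-esp-des-md5"
# proposal-name token -> finding code (names look like pre-g2-3des-sha)
WEAK_TOKENS = {"des": "weak-cipher", "3des": "weak-cipher", "md5": "weak-hash", "g1": "weak-dh"}

GATEWAY_RE = re.compile(r"^set ike gateway (?P<name>\S+) (?P<rest>.*)$")
VPN_RE = re.compile(r"^set vpn (?P<name>\S+) gateway \S+(?: sec-level (?P<level>\S+))?")

Finding = Tuple[str, str, str]  # (object name, code, detail)


@dataclass
class Gateway:
    name: str
    aggressive: bool = False
    preshare: bool = False
    proposals: List[str] = field(default_factory=list)


def parse_config(text: str) -> Tuple[Dict[str, Gateway], Dict[str, Optional[str]]]:
    """Merge the several 'set ike gateway NAME ...' lines of each gateway and
    record each VPN's sec-level; every other command is ignored."""
    gateways: Dict[str, Gateway] = {}
    vpn_levels: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := GATEWAY_RE.match(line):
            gw = gateways.setdefault(m["name"], Gateway(m["name"]))
            tokens = m["rest"].split()
            gw.aggressive = gw.aggressive or "aggressive" in tokens
            gw.preshare = gw.preshare or "preshare" in tokens
            if "proposal" in tokens:  # proposal names run to the end of the line
                gw.proposals += tokens[tokens.index("proposal") + 1:]
        elif m := VPN_RE.match(line):
            vpn_levels[m["name"]] = m["level"]
    return gateways, vpn_levels


def audit(text: str) -> List[Finding]:
    """Flag the settings this page's CAUTION and proposal lists make weak."""
    gateways, vpn_levels = parse_config(text)
    findings: List[Finding] = []
    for gw in gateways.values():
        if gw.aggressive and gw.preshare:
            findings.append((gw.name, "aggressive-psk",
                             "identities and the PSK authentication hash are exchanged "
                             "before Phase 1 encryption starts; use certificates and main mode"))
        elif gw.aggressive:
            findings.append((gw.name, "aggressive", "prefer main mode"))
        for prop in gw.proposals:
            for token in prop.split("-"):
                if token in WEAK_TOKENS:
                    findings.append((gw.name, WEAK_TOKENS[token], f"{prop}: {token}"))
    for vpn, level in vpn_levels.items():
        if level == "compatible":
            findings.append((vpn, "compatible-p2",
                             f"Compatible = {COMPATIBLE_P2}: no PFS, DES and MD5 accepted"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page PSK config", SAMPLE_PSK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for target, code, detail in audit(cfg):
            print(f"  {target} [{code}] {detail}")
```

Run against the page's preshared-key configuration the script reports three findings on wendy_nsr and wendy_unix (aggressive mode with PSK, 3DES in the Phase 1 proposal, and the Compatible Phase 2 set); the hardened sample produces none. The parser merges the separate set ike gateway lines because ScreenOS spreads one gateway's settings across several commands, as the certificate variant above shows.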

NetScreen-Remote Security Policy Editor

1. Click Options > Secure > Specified Connections.

2. Click Add a new connection, and type UNIX next to the new connection icon that appears.

3. Configure the connection options:

Connection Security: Secure
Remote Party Identity and Addressing:
ID Type: IP Address, 10.1.1.5
Protocol: All
Connect using Secure Gateway Tunnel: (select)
ID Type: IP Address, 1.1.1.1

4. Click the PLUS symbol, located to the left of the UNIX icon, to expand the connection policy.

5. Click My Identity: Do either of the following:

Click Pre-shared Key > Enter Key: Type h1p8A24nG5, then click OK.
ID Type: (select E-mail Address), and [email protected].

(or)

Select a certificate from the Select Certificate drop-down list.
ID Type: (select E-mail Address)

NOTE: The email address from the certificate automatically appears in the identifier field.

6. Click the Security Policy icon, then select Aggressive Mode and clear Enable Perfect Forward Secrecy (PFS).

7. Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Authentication (Phase 1) and Key Exchange (Phase 2) to expand the policy further.

8. Click Authentication (Phase 1) > Proposal 1: Select the following authentication method and algorithms:

Authentication Method: Pre-Shared Key

(or)

Authentication Method: RSA Signatures

Encrypt Alg: Triple DES
Hash Alg: SHA-1
Key Group: Diffie-Hellman Group 2

9. Click Key Exchange (Phase 2) > Proposal 1: Select the following IPsec protocols:

Encapsulation Protocol (ESP): (select)
Encrypt Alg: Triple DES
Hash Alg: SHA-1
Encapsulation: Tunnel

10. Click Key Exchange (Phase 2) > Create New Proposal: Select the following IPsec protocols:

Encapsulation Protocol (ESP): (select)
Encrypt Alg: Triple DES
Hash Alg: MD5
Encapsulation: Tunnel

11. Click Key Exchange (Phase 2) > Create New Proposal: Select the following IPsec protocols:

Encapsulation Protocol (ESP): (select)
Encrypt Alg: DES
Hash Alg: SHA-1
Encapsulation: Tunnel

12. Click Key Exchange (Phase 2) > Create New Proposal: Select the following IPsec protocols:

Encapsulation Protocol (ESP): (select)
Encrypt Alg: DES
Hash Alg: MD5
Encapsulation: Tunnel

13. Click File > Save Changes.