
Trusted Expert

Posts: 416 Registered: 01-29-2008

Re: Dial-up VPN to SSG-20 (multiple zones)


04-10-2008 10:48 PM

ok. Lets try route based vpn:

On firewall:

Steps:

1) Create dialup vpn pool: policy elements-> objects-> users-> IP Pool-> Here define IP pool name and range of IP pool (say 30.30.30.1->30.30.30.10)
2) Create dialup vpn user: policy elements-> objects-> users-> local-> Here define user name, check IKE user and simple identity then give any email address (say test@test.com) in IKE identity field then check Xauth User and define password. Then IP pool->select ip pool u created in step 1.
3) Create tunnel interface: Network->interfaces->New->zone untrust (trust-vr)->Unnumbered interface eth0/0 (untrust interface)
4) Create vpn like previous with two changes:
   a) vpn->autokey ike->advance->proxy id local ip-> 0.0.0.0/0 and remote ip->255.255.255.255/32
   b) vpn->autokey ike->advance-> Bind to ->tunnel.1
5) Create Policies:
   a) Untrust to trust with source 30.30.30.0/24 (dialup vpn pool as created in step 1), destination 10....../23
   b) Untrust to vpn with source 30.30.30.0/24 (dialup vpn pool as created in step 1), destination 192.168.0.0/16
6) Routing: set vr trust-vr route 192.168.0.0/16 interface eth0/4 gateway 172......

On Remote device: Add reverse route for 30.30.30.0/24 next hop 172...

On Netscreen Remote: Create vpn with followings to be noted:

1) Remote party identity and addressing: 0.0.0.0/0
2) My identity-> Secure interface configuration->virtual adapter (select preferred)
3) Security policy-> Authentication (phase 1)->proposal 1->Authentication Method (select preshared key extended authentication)

If u feel any problem let me know and also the outcome of above. Kashif Rana 00971555962393

JNCIE-SP#1428,JNCIE-SEC#55,JNCIP(SP,ENT,SEC),JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP ----------------------------------------------------------------------------------------------------------------------------- ---------If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!
Message 15 of 33 (13,738 Views)

mkusan
Contributor

Posts: 20 Registered: 04-09-2008

Re: Dial-up VPN to SSG-20 (multiple zones)


04-11-2008 04:01 AM

Hi Kashif-rana, sorry for not replying sooner. I will try your instruction after working hours and inform you of the outcome.

Just to clarify a few things:

a.) with this setup can I have multiple users with same IKE id connecting at the same time?
b.) with xauth I can specify internal DNS server so I can use names instead of IPs, correct?
c.) I don't have to remove existing dial-up policy on the firewall, at least until this setup becomes functional?

Thanks
Message 16 of 33 (13,727 Views)

Kashif-rana
Trusted Expert

Posts: 416 Registered: 01-29-2008

Re: Dial-up VPN to SSG-20 (multiple zones)


04-11-2008 05:01 AM

hi,

a) yes u can do, right now test this scenario with just one user
b) yes
c) yes u don't have to remove ur existing dialup vpn policy
Message 17 of 33 (13,719 Views)

mkusan
Contributor

Posts: 20 Registered: 04-09-2008

Re: Dial-up VPN to SSG-20 (multiple zones)


04-11-2008 05:56 AM

Right now I have the following situation. I cannot connect and the error is "Rejected an IKE packet on ethernet0/0 from 77.237.97.229:500 to x.x.x.x:500 with cookies 1d8d7a9b1ef47be6 and 0000000000000000 because An initial Phase 1 packet arrived from an unrecognized peer gateway."

Regarding the new policies, should I use tunnel as action? Because if I choose tunnel the error is "peer dialup.gateway have vpn with tunnel interface binding, vpn invalid or not exists", so it is action permit now.
Message 18 of 33 (13,714 Views)

Kashif-rana
Trusted Expert

Posts: 416 Registered: 01-29-2008

Re: Dial-up VPN to SSG-20 (multiple zones)


04-11-2008 10:29 PM

hi, This particular error may have two reasons. Check two things:

a) In vpn->autokey advance->gateway->Edit->remote gateway type->Dialup user->user> u should select correct dialup vpn user as u created in step 2.
b) vpn->autokey advance->gateway->Edit->Advance check the outgoing interface should be untrust interface
c) vpn->autokey ike-> make sure u selected the correct gateway

The policies u created should have action permit with no tunnel selected. In the configuration I suggested u, sorry I forgot to mention two things. Please correct them. Following is the modified version of the configuration I suggested u.

On firewall:

Steps:

1) Create dialup vpn pool: policy elements-> objects-> users-> IP Pool-> Here define IP pool name and range of IP pool (say 30.30.30.1->30.30.30.10)
2) Create dialup vpn user: policy elements-> objects-> users-> local-> Here define user name, check IKE user and simple identity then give any email address (say test@test.com) in IKE identity field then check Xauth User and define password. Then IP pool->select ip pool u created in step 1.
3) Create tunnel interface: Network->interfaces->New->zone untrust (trust-vr)->Unnumbered interface eth0/0 (untrust interface)
4) Create vpn like previous with two changes:
   a) vpn->autokey ike->advance->proxy id local ip-> 0.0.0.0/0 and remote ip->255.255.255.255/32
   b) vpn->autokey ike->advance-> Bind to ->tunnel.1
5) vpn->autokey advance-> click Xauth->check xauth server then check generic, check local authentication and then check allow any
6) Create Policies:
   a) Untrust to trust with source 30.30.30.0/24 (dialup vpn pool as created in step 1), destination 10....../23
   b) Untrust to vpn with source 30.30.30.0/24 (dialup vpn pool as created in step 1), destination 192.168.0.0/16
7) Routing:
   set vr trust-vr route 192.168.0.0/16 interface eth0/4 gateway 172......
   set vr trust-vr route 30.30.30.0/24 interface tunnel.1 (without gateway)

On Remote device: Add reverse route for 30.30.30.0/24 next hop 172...

On Netscreen Remote: Create vpn with followings to be noted:

1) Remote party identity and addressing: 0.0.0.0/0
2) My identity-> Secure interface configuration->virtual adapter (select preferred)
3) Security policy-> Authentication (phase 1)->proposal 1->Authentication Method (select preshared key extended authentication)

If u feel any problem let me know and also the outcome of above.

Message 19 of 33 (13,657 Views)
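The GUI steps in Kashif-rana's first post and in the corrected version just above, written out as the equivalent ScreenOS CLI. This is an added example, not configuration from the thread or from Juniper: the object names in quotes ("dialup-pool", "dialup-user", "dialup-gw", "dialup-vpn", the address objects), the custom zone name "VPN", the predefined proposal names and `share-limit 1` are assumptions, and the command syntax itself is reconstructed from memory of ScreenOS 5.x/6.x `get config` output, so verify each line against the device's own CLI help. Tokens in angle brackets are placeholders for values the thread elides (the 10.x/23 LAN, the 172.x next hop, the pre-shared key, the user password); lines starting with `#` are annotations, not CLI input.

```screenos
# Step 1: IP pool handed to Xauth clients (30.30.30.1-30.30.30.10)
set ippool "dialup-pool" 30.30.30.1 30.30.30.10

# Step 2: local IKE user with a simple (e-mail) identity, Xauth enabled,
# a password and the pool assigned. share-limit 1 allows one concurrent
# session per IKE ID; raise it only if several clients must share this ID.
set user "dialup-user" ike-id u-fqdn "test@test.com" share-limit 1
set user "dialup-user" type ike xauth
set user "dialup-user" password "<USER_PASSWORD>"
set user "dialup-user" remote ippool "dialup-pool"
set user "dialup-user" "enable"

# Step 3: tunnel interface in the Untrust zone (trust-vr), unnumbered on the
# physical untrust interface
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Step 4 / check a) and b): dial-up gateway, aggressive mode, pre-shared key,
# outgoing interface = untrust interface, peer = the IKE user from step 2
set ike gateway "dialup-gw" dialup "dialup-user" Aggr outgoing-interface "ethernet0/0" preshare "<PRESHARED_KEY>" proposal "pre-g2-3des-sha"

# Step 5: Xauth server on this gateway, local authentication, allow any
# local Xauth user (syntax assumed; check "set ike gateway ... xauth ?")
set ike gateway "dialup-gw" xauth server Local any

# Step 4a/4b: Phase 2 VPN bound to tunnel.1 with the 0.0.0.0/0 local and
# 255.255.255.255/32 remote proxy ID
set vpn "dialup-vpn" gateway "dialup-gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "dialup-vpn" bind interface tunnel.1
set vpn "dialup-vpn" proxy-id local-ip 0.0.0.0/0 remote-ip 255.255.255.255/32 "ANY"

# Step 6: address objects and "permit" (not "tunnel") policies from the pool
set address "Untrust" "dialup-pool-net" 30.30.30.0 255.255.255.0
set address "Trust" "lan-net" <LAN_SUBNET_10> 255.255.254.0
set address "VPN" "remote-net" 192.168.0.0 255.255.0.0
set policy from "Untrust" to "Trust" "dialup-pool-net" "lan-net" "ANY" permit log
set policy from "Untrust" to "VPN" "dialup-pool-net" "remote-net" "ANY" permit log

# Step 7: routes. 192.168/16 via eth0/4 to the far device, and the pool
# itself via tunnel.1 with no gateway, which is what steers return traffic
# for dial-up clients into the route-based tunnel
set vrouter "trust-vr" route 192.168.0.0/16 interface ethernet0/4 gateway <NEXT_HOP_172>
set vrouter "trust-vr" route 30.30.30.0/24 interface tunnel.1
```

After entering it, `get config | include dialup` and `get route` show whether every object landed, and `get ike cookies` / the event log show the Phase 1 result when a client connects. The policies use `permit` rather than `tunnel` because the VPN is bound to tunnel.1; a policy-based `tunnel` action on a VPN with an interface binding produces the "vpn with tunnel interface binding, vpn invalid" error quoted earlier in the thread. The 3DES/SHA-1 proposal names reflect what shipped with ScreenOS in 2008; on current deployments the AES proposals are the appropriate choice.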

mkusan
Contributor

Posts: 20 Registered: 04-09-2008

Re: Dial-up VPN to SSG-20 (multiple zones)


04-12-2008 11:32 PM

Quote: "hi, This particular error may have two reasons. Check two things: a) In vpn->autokey advance->gateway->Edit->remote gateway type->Dialup user->user> u should select correct dialup vpn user as u created in step 2. b) vpn->autokey advance->gateway->Edit->Advance check the outgoing interface should be untrust interface c) vpn->autokey ike-> make sure u selected the correct gateway"

Re: I checked and double checked a), b) and c) to no avail. However if I create IKE user without xauth, with Netscreen remote virtual adapter back to disabled and Authentication Method just preshared key I can connect. So I believe my phase 1 and 2 are properly configured. Is there something else in Netscreen remote which needs to be configured for xauth?

Thanks in advance Marko
