Screen OS

  • 1.  Site <--> Site VPN + NS Remote Clients

    Posted 09-02-2008 19:57

    The situation :

    I have two sites (A and B) that I link using 2 SSG5s over a 1 Mb/s link.

    Both sites have different subnets

    I have a number of users that time to time are required to connect to the network via VPN.  I am not happy with our current solution and am looking to get the remote users to Connect using the NS remote client.

    The users will be running VoIP softclients, email, and require access to shared drives AT BOTH EXISTING SITES.

    All clients will connect to site A.

     

    I have read through the examples but I am really not sure where to start. From my way of thinking I need to have my remote clients in a third subnet configured in SSG5-A that can then be routed from site B to a tunnel interface; from there the SSG5 can sort out which client it goes to.

     

    Site B 10.0.1.X <---> Site A 10.0.0.X <-->VPN clients 10.0.2.X

     

    When someone is connected I want them to be for all intents and purposes on a different subnet on the company LAN.

     

    Site A has, among others, 3 Zones that I think will be needed: Internet, Trust and Link (contains the tunnel interface for reaching site B).

     

    Should I be creating another Zone, VPN clients, and sticking a tunnel interface in there? (I like being able to see everything.)

    Am I thinking straight? Can someone point me in the right direction?

     

    Thanks!



  • 2.  RE: Site <--> Site VPN + NS Remote Clients

    Posted 09-02-2008 20:13

    It also doesn't help that all the examples linked to in the NS remote documentation fail because of DNS problems.

     

    http://remote.support.netscreen.safeharbor.com/knowbase/root/public/ns10446.htm?

     

    Surely that's not just me?



  • 3.  RE: Site <--> Site VPN + NS Remote Clients

    Posted 09-02-2008 22:03

    Hi

     

    Can you summarize your requirements? As I understood it, remote users connect to site A via VPN and then through site A want to access site B?

     

     



  • 4.  RE: Site <--> Site VPN + NS Remote Clients

    Posted 09-02-2008 22:12

    Sorry, that's what I was trying to do in my first post. 🙂

     

    I want my remote users to connect to a static IP at Site A. Once connected they want to be as if they had plugged in at the office. That is, communicate with servers on both sites and make and receive internal VoIP calls using a soft client linked to our internal phone system.


    I only have 10 remote users.

     

    I will want the clients ping-able from the rest of the network. 

    Message Edited by Cowgoesmoo on 09-02-2008 10:14 PM


  • 5.  RE: Site <--> Site VPN + NS Remote Clients

    Posted 09-02-2008 22:31

    -Create site to site route based VPN between Site A and site B. Refer to http://kb.juniper.net/KB4178

    -Create Route based dialup VPN between remote users and site A. Refer to thread: http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=739&view=by_date_ascending&page=2 

     

    In case of any ambiguity you can ask here.

     

    Thanks 



  • 6.  RE: Site <--> Site VPN + NS Remote Clients

    Posted 09-02-2008 22:34

    Thanks! I have had the Site A <--> Site B working solidly for a while now.

    Will have a look at that article you posted and let you know how I go!



  • 7.  RE: Site <--> Site VPN + NS Remote Clients
    Best Answer

    Posted 12-11-2008 18:03

    After much messing around I have this working for me now. Here is a copy of my personal setup docs so that I can do it again next time I need to! I hope it helps!

    The setup allows users to connect to my Juniper at site one without certificates, with a unique username and password, while still requiring an admin (or someone who knows the admin passwords) to do the set up. My main concern going into this was that I didn't want people being able to set up a VPN connection from just any computer. Now if they don't know the admin password they can't!

    The only issue I am having ATM is not passing traffic when the VPN is established through a phone running Windows Mobile 6. I have yet to do some testing with the NAT traversal stuff.

     

    Setting up the Juniper to accept remote VPN connections

    STEP 1.

    Create an IP pool called VPN and allocate the IP addresses; set the DNS and WINS to the internal network servers.


    STEP 2.

    Create a user with the following settings under Objects -> Local Users.
    Name: VPN
    Status: enable
    Select IKE user -> simple identity
    Number of Multiple Logins with Same ID = 20
    IKE Identity = VPN@MYDOMAIN.com
    Set the PASSWORD for the VPN user. Remember it. It is important.
    Select XAuth user.
    Set the primary DNS and WINS server to the internal server.

     

    STEP 3.

    Create a local User Group called Remote Access
    Add the VPN user to the group.
     

    STEP 4.

    Create a VPN Gateway called Remote Access Gateway under VPNs -> AutoKey Advanced -> Gateway.
    Select the type as Dialup User Group and select the Remote Access user group.
    From memory nothing needs to be done in the advanced section except set the mode to aggressive.

     

    STEP 5.

    On the VPNs -> AutoKey Advanced tab select xauth beside the Remote Access Gateway.
    Select XAuth server
    Select Local Authentication
    Select Allow Any

     

    STEP 6.

    Create a VPN called Remote Access VPN under VPNs -> AutoKey IKE.
    Select the Gateway as predefined: Remote Access Gateway
    Select the Advanced button.
    Bind the VPN to the appropriate tunnel interface.
    Select proxy id.
    Set the local IP and subnet appropriately (this needs to include all the IP ranges that should be accessible by the client).
    The remote IP and subnet needs to be 255.255.255.255/32

    STEP 7 - Creating Users.

    Create a user with the following settings under Objects -> Local Users.
    Name: username
    Status: enable
    Set the PASSWORD for the VPN user.
    Select XAuth user.

     

    SETTING UP THE REMOTE SOFTWARE

     

    Most of it should be pretty self explanatory. My personal guide is all screen shots for this stage which I don't want to post here.

    Will just point out a few issues that I had.


    For my set up above, in the My Identity section I have none selected for the certificate. The preshared KEY is the password for the VPN@MYDOMAIN.com user that was added to the Remote Access group. If you don't tell anyone this password no one can set up a VPN connection without you configuring the software for them.

    Security Policy needs to be Aggressive Mode.

    Authentication -> proposal 1 needs to be set to pre-shared key; Extended authentication.

    This will force the user to enter their own personal username and password that you set up for them in Step 7 above. May be able to do it with RADIUS. Haven't tried yet. I am not too concerned; I only have a few users, and even if people get their username and password they also have to steal their computer because they don't know the admin password to set up the VPN!

    Hope that helps someone!


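Editor's note, added to this thread and not part of the poster's write-up: the GUI steps in post 7 map onto a handful of ScreenOS CLI statements, which are easier to review and to diff against a running box than screenshots. The fragment below is a reconstruction from ScreenOS 6.x CLI conventions, not a `get config` from the poster's SSG5, so check each statement against your own device's `get config` output and the ScreenOS CLI reference before pasting it. Everything not in the thread is an assumption: interface names (ethernet0/0 as the Untrust/outgoing interface, bgroup0 as the Trust interface, tunnel.2 as the dialup tunnel), the pool range 10.0.2.10 to 10.0.2.50, the DNS/WINS address 10.0.0.10, the proposal names, the zone name VPN, the sample user alice, and the placeholder secrets. Lines beginning with `#` are annotations for the reader, not CLI input. One caveat a practitioner would want here: IKE aggressive mode with a pre-shared key sends hashes derived from that key in the clear during phase 1, so anyone who can observe or solicit the exchange can attempt offline guessing against the group key; make it long and random rather than a memorable password, and rotate it if a laptop that holds it goes missing.

```text
# --- Step 1: address pool handed to XAuth clients (range and servers are assumed) ---
set ippool "VPN" 10.0.2.10 10.0.2.50
set xauth default ippool "VPN"
set xauth default dns1 10.0.0.10
set xauth default wins1 10.0.0.10

# --- Step 2: the single IKE identity every client presents in phase 1 ---
# share-limit is the CLI name for "Number of Multiple Logins with Same ID"
set user "VPN" ike-id u-fqdn "VPN@MYDOMAIN.com" share-limit 20
set user "VPN" type ike xauth
set user "VPN" enable

# --- Step 3: group the dialup gateway is bound to ---
set user-group "Remote Access" id 1
set user-group "Remote Access" user "VPN"

# --- Steps 4 and 5: aggressive-mode dialup gateway, XAuth against the local user DB ---
# <group-psk> is the value the NetScreen-Remote client enters as its pre-shared key
set ike gateway "Remote Access Gateway" dialup "Remote Access" Aggr outgoing-interface "ethernet0/0" preshare "<group-psk>" proposal "pre-g2-3des-sha"
set ike gateway "Remote Access Gateway" nat-traversal
set ike gateway "Remote Access Gateway" xauth server "Local"

# --- Step 6: route-based VPN bound to a tunnel interface in its own zone ---
# local proxy-id 10.0.0.0/23 covers both 10.0.0.x (site A) and 10.0.1.x (site B)
set zone name "VPN"
set interface tunnel.2 zone "VPN"
set interface tunnel.2 ip unnumbered interface bgroup0
set vpn "Remote Access VPN" gateway "Remote Access Gateway" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "Remote Access VPN" bind interface tunnel.2
set vpn "Remote Access VPN" proxy-id local-ip 10.0.0.0/23 remote-ip 255.255.255.255/32 "ANY"
set route 10.0.2.0/24 interface tunnel.2

# --- Step 7: one XAuth account per person (alice is a sample name) ---
set user "alice" type xauth
set user "alice" password "<alice-password>"
set user "alice" enable

# --- Policies: clients reach Trust (site A) and Link (site B); the LAN can reach them back ---
set address "VPN" "vpn-clients" 10.0.2.0 255.255.255.0
set policy from "VPN" to "Trust" "vpn-clients" "Any" "ANY" permit
set policy from "VPN" to "Link" "vpn-clients" "Any" "ANY" permit
set policy from "Trust" to "VPN" "Any" "vpn-clients" "ANY" permit
set policy from "Link" to "VPN" "Any" "vpn-clients" "ANY" permit
```

Two things the GUI walkthrough leaves implicit and the route-based design in the first post needs: site B's SSG5 must have a route for 10.0.2.0/24 pointing at its tunnel interface to site A, and the existing site-to-site VPN's proxy-ids and Link-zone policies must cover 10.0.2.0/24, otherwise site B will drop the client traffic even though site A forwards it. The reverse-direction policies are what make the clients "ping-able from the rest of the network" as post 4 asks; if that is not wanted, leave them out and the tunnel is effectively one-way.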

  • 8.  RE: Site <--> Site VPN + NS Remote Clients

    Posted 12-12-2008 03:12

     


    Cowgoesmoo wrote:

    It also doesn't help that all the examples linked to in the NS remote documentation fail because of DNS problems.

     

    http://remote.support.netscreen.safeharbor.com/knowbase/root/public/ns10446.htm?

     

    Surely that's not just me?


     

     Hmmm...I thought we killed all of those. If you search in the KB using the part in bold above, you'll find these in the new kb at http://kb.juniper.net. In this case it's http://kb.juniper.net/KB4386