NetScreen

This topic describes how to configure NetScreen to work in a VPN site-to-site solution with ISA Server.

NetScreen: Preshared Secret Configuration Overview

The following IPSec settings will be used in this section of this configuration document:

  • Phase I
    • Main mode
    • 3DES
    • SHA-1
    • MODP Group 2 (1024 bits) for DH
    • SA lifetime of 28,800 seconds
    • Preshared Secret
  • Phase II
    • 3DES
    • SHA-1
    • PFS & MODP Group 2 (1024 bits) for DH
    • SA lifetime of 3600 seconds
    • ESP tunnel mode

Preshared Secret Checklist

Use the following checklist for preshared secrets.

____ Install and configure the Sonicwall device

____ Determine remote gateway external IP address

____ Determine remote networks IP address and netmask protected by the remote gateway

____ Set preshared secret

____ Configure VPN peer

____ Configure IKE

____ Configure network definitions

____ Configure encryption policies

____ Test IPSec tunnel

For installation and configuration information and documentation, refer to the documents found on the NetScreen website (www.netscreen.com).

NetScreen Configuration Walk-through Procedure 1: Configuring the Preshared Secret Solution

This topic describes in detail the process to configure the NetScreen device to successfully establish a site-to-site IPSec tunnel with the ISA Server computer using the settings specified in NetScreen: Preshared Secret Configuration Overview. This section includes tips that can be used to improve the functionality of the IPSec tunnel, the performance of the device, or the security of the device.

Note

The step-by-step instructions in the following sections assume that you have a working knowledge of NetScreen, and only the parameters directly related to the scenarios are described in detail.
We recommend that you apply your changes after each step.

Configure the VPN Peer Gateway

Use the following steps to configure the VPN peer gateway.

  1. Browse to the Web-based NetScreen Administrator Tool and log on.
  2. From the left menu, expand VPNs, expand AutoKey Advanced, select Gateway, and then select New.
  3. In the Edit Gateway screen:
    • Enter ISAServer as the Gateway Name.
    • Enter 14.15.16.17 as the IP Address.
    • Enter Cool-Dude! as the Preshared Key.
    • Select Advanced.
  4. In the Advanced Edit Gateway screen:
    • Select Custom.
    • Select pre-g2-3des-sha as the Phase 1 Proposal from the drop-down list.

Configure IKE

Use the following steps to configure IKE.

  1. From the left menu, expand VPNs, select AutoKey IKE, and then select New.
  2. In the Edit AutoKey IKE screen:
    • Enter Site-to-Site as the Gateway Name.
    • Select Predefined for the Remote Gateway.
    • Select ISAServer as the Remote Gateway from the drop-down list.
    • Select Advanced.
  3. In the Advanced Edit AutoKey IKE screen:
    • Select Custom.
    • Select g2-esp-3des-sha as the Phase 2 Proposal from the drop-down list.

Configure Network Definitions

Use the following steps to configure network definitions.

  1. From the left menu, expand Objects, expand Addresses, and then select List.
  2. Select New.
  3. In the Addresses Configuration screen:
    • Enter Internal_AL as the Address Name.
    • Enter 10.5.6.0/24 as the IP/Netmask.
    • Select Untrust as the Zone from the drop-down list.
  4. In the Addresses Configuration screen:
    • Enter Internal_BL as the Address Name.
    • Enter 172.23.9.0/24 as the IP/Netmask.
    • Select Trust as the Zone from the drop-down list.
  5. In the Addresses Configuration screen:
    • Enter Internal_CL as the Address Name.
    • Enter 10.4.5.0/24 as the IP/Netmask.
    • Select Untrust as the Zone from the drop-down list.

Configure Encryption Policies

Use the following steps to configure encryption policies.

  1. From the left menu, select Policies.
  2. Select Untrust as From from the drop-down list.
  3. Select Trust as To from the drop-down list.
  4. Select New.
  5. In the Policies (From Untrust to Trust) screen:
    • Enter Site-to-Site-Policy_AL/BL as the Name (optional).
    • Select Internal_AL as the Source Address.
    • Select Internal_BL as the Destination Address.
    • Select Tunnel as the Action from the drop-down list.
    • Select Site-to-Site as the VPN Tunnel from the drop-down list.
    • Select Modify matching bidirectional VPN policy.
    • Select Position at Top.
  6. In the Policies (From Untrust to Trust) screen:
    • Enter Site-to-Site-Policy_CL/BL as the Name (optional).
    • Select Internal_CL as the Source Address.
    • Select Internal_BL as the Destination Address.
    • Select Tunnel as the Action from the drop-down list.
    • Select Site-to-Site as the VPN Tunnel from the drop-down list.
    • Select Modify matching bidirectional VPN policy.
    • Select Position at Top.
  7. After the third-party gateway peer has been configured, test the IPSec tunnel by sending ICMP traffic to the remote internal network through the tunnel using the ping utility.

NetScreen: Certificate Configuration Overview

This section outlines the IPSec settings and the specific settings required for this device to perform Certificate Authentication.

The following IPSec settings will be used in this section of this configuration document:

  • Phase I
    • Main mode
    • 3DES
    • SHA-1
    • MODP Group 2 (1024 bits) for DH
    • SA lifetime of 28,800 seconds
    • Certificate Authentication
  • Phase II
    • 3DES
    • SHA-1
    • PFS & MODP Group 2 (1024 bits) for DH
    • SA lifetime of 3600 seconds
    • ESP tunnel mode

Certificate Checklist

Use the following checklist for certificates.

____ Install and configure Cisco Concentrator 3005 VPN Concentrator

____ Determine remote gateway external IP address

____ Determine remote networks protected by the remote gateway

____ Determine certificate authority to use to create local certificate

____ Configure certificate

____ Configure VPN peer

____ Configure IKE

____ Configure network definitions

____ Configure encryption policies

____ Test IPSec tunnel

For installation and configuration information and documentation, refer to the documents found on the NetScreen website (www.netscreen.com).

NetScreen Configuration Walk-through Procedure 2: Configuring the Certificate Solution

This topic describes in detail the process to configure the NetScreen device to successfully establish a site-to-site IPSec tunnel with the ISA Server computer using the settings specified in NetScreen: Certificate Configuration Overview. This section includes tips that can be used to improve the functionality of the IPSec tunnel, the performance of the device, or the security of the device.

Note

The step-by-step instructions in the following sections assume that you have a working knowledge of NetScreen, and only the parameters directly related to the scenarios are described in detail.
We recommend that you apply your changes after each step.

Configure Certificates

Use the following steps to configure certificates.

  1. Copy the certification authority (CA) certificate and the certificate revocation list (CRL) from the Certificate Authority to the local machine.
  2. Browse to the Web-based NetScreen Administrator Tool and log on.
  3. From the left menu, expand the Objects menu and select Certificates.
  4. In the Certificate screen:
    • Select Cert as Load.
    • Enter the local path to the CA copied from the Certificate Authority.
    • Select Load.
  5. In the Certificate screen:
    • Select Cert as Load.
    • Enter the local path to the copied CRL from the Certificate Authority.
    • Select Load.
  6. In the Certificate screen, select New.
  7. In the Cert New Request screen:
    • Enter ns25 as the Name.
    • Enter TestLab as the Unit/Department.
    • Enter Fabrikam as the Organization.
    • Enter Timonium as the Country/Locality.
    • Enter md as the State.
    • Enter us as the Country.
    • Enter 22.23.24.2 as the IP Address.
    • Enter ns25. as the FQDN.
    • Select RSA as the Key Pair Information.
    • Select 1024 as the length of the new key pair from the drop-down list.
  8. In the Cert Request screen:
    • Select Write to file.
    • Save the Certificate Request to a file on the local computer.
    • Transfer the new Certificate Request to the Certificate Authority for enrollment and creation of the new certificate pair.
  9. In the Certificate screen:
    • Select Cert as Load.
    • Enter the local path to the newly created certificate pair copied from the Certificate Authority.
    • Select Load.

Configure the VPN Peer Gateway

Use the following steps to configure the VPN peer gateway.

  1. From the left menu, expand VPNs, expand AutoKey Advanced, select Gateway, and then select New.
  2. In the Edit Gateway screen:
    • Enter ISAServer as the Gateway Name.
    • Enter 14.15.16.17 as the IP Address.
    • Enter Cool-Dude! as the Preshared Key.
    • Select Advanced.
  3. In the Advanced Edit Gateway screen:
    • Select Custom as the User Defined Security Level.
    • Select rsa-g2-3des-sha as the Phase 1 Proposal from the drop-down list.
    • Select CN=ns25, CN=ns25, CN=rsa-key, CN= as the Local Cert from the drop-down list. (Optional)
    • Select CN=Testlab as the Peer CA from the drop-down list. (Optional)

Configure IKE

Use the following steps to configure IKE.

  1. From the left menu, expand VPNs, select AutoKey IKE, and then select New.
  2. In the Edit AutoKey IKE screen:
    • Enter Site-to-Site as the VPN Name.
    • Select Predefined for the Remote Gateway.
    • Select ISAServer as the Remote Gateway from the drop-down list.
    • Select Advanced.
  3. In the Advanced Edit AutoKey IKE screen:
    • Select Custom.
    • Select g2-esp-3des-sha as the Phase 2 Proposal from the drop-down list.

Configure Network Definitions

Use the following steps to configure network definitions.

  1. From the left menu, expand Objects, expand Addresses, select List, and then click New.
  2. In the Addresses Configuration screen:
    • Enter Internal_AL as the Address Name.
    • Enter 10.5.6.0/24 as the IP/Netmask.
    • Select Untrust as the Zone from the drop-down list.
  3. In the Addresses Configuration screen:
    • Enter Internal_BL as the Address Name.
    • Enter 172.23.9.0/24 as the IP/Netmask.
    • Select Trust as the Zone from the drop-down list.
  4. In the Addresses Configuration screen:
    • Enter Internal_CL as the Address Name.
    • Enter 10.4.5.0/24 as the IP/Netmask.
    • Select Untrust as the Zone from the drop-down list.

Configure Encryption Policies

Use the following steps to configure encryption policies.

  1. From the left menu, select Policies.
  2. Select Untrust as From from the drop-down list.
  3. Select Trust as To from the drop-down list.
  4. Select New.
  5. In the Policies (From Untrust to Trust) screen:
    • Enter Site-to-Site-Policy_AL/BL as the Name (Optional).
    • Select Internal_AL as the Source Address.
    • Select Internal_BL as the Destination Address.
    • Select Tunnel as the Action from the drop-down list.
    • Select Site-to-Site as the VPN Tunnel from the drop-down list.
    • Select Modify matching bidirectional VPN policy.
    • Select Position at Top.
  6. In the Policies (From Untrust to Trust) screen:
    • Enter Site-to-Site-Policy_CL/BL as the Name (Optional).
    • Select Internal_CL as the Source Address.
    • Select Internal_BL as the Destination Address.
    • Select Tunnel as the Action from the drop-down list.
    • Select Site-to-Site as the VPN Tunnel from the drop-down list.
    • Check Modify matching bidirectional VPN policy.
    • Check Position at Top.
  7. After the third-party gateway peer has been configured, test the IPSec tunnel by sending ICMP traffic to the remote internal network through the tunnel using the ping utility.

Troubleshooting the NetScreen Scenario

The following section contains troubleshooting tips. For additional troubleshooting information, refer to the NetScreen Knowledge Base articles on the NetScreen website (www.juniper.net/netscreen_com.html).

Configuration

Review the configuration for accuracy:

  • Local IP settings
  • Remote IP settings
  • IPSec Phase 1 settings
  • IPSec Phase 2 settings
  • Rule set
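A mismatched Phase 1 or Phase 2 proposal is the most common reason the review above fails, and on NetScreen the proposal name itself encodes most of the parameters (ScreenOS names predefined Phase 1 proposals as auth-DHgroup-cipher-hash and Phase 2 proposals as PFSgroup-protocol-cipher-hash). The following added example, which is not part of the original document or of the NetScreen product, decodes the proposal names used in this topic and reports any parameter that differs from the settings in the overview; SA lifetimes are not part of the proposal name and are assumed to be checked separately.

```python
"""Decode ScreenOS proposal names and compare them with the intended
IPSec settings (added example; not NetScreen code)."""

AUTH = {"pre": "preshared", "rsa": "rsa-signature", "dsa": "dsa-signature"}
HASH = {"sha": "sha1", "md5": "md5"}
CIPHERS = {"des", "3des", "aes128", "aes192", "aes256"}


def parse_phase1(name):
    """'pre-g2-3des-sha' -> auth=preshared, DH group 2, 3DES, SHA-1."""
    auth, group, cipher, hsh = name.lower().split("-")
    if auth not in AUTH or not group.startswith("g") \
            or cipher not in CIPHERS or hsh not in HASH:
        raise ValueError(f"unrecognised Phase 1 proposal: {name}")
    return {"auth": AUTH[auth], "dh_group": int(group[1:]),
            "cipher": cipher, "hash": HASH[hsh]}


def parse_phase2(name):
    """'g2-esp-3des-sha' -> PFS group 2, ESP, 3DES, SHA-1.
    Only ESP proposals are handled, as in this topic."""
    pfs, proto, cipher, hsh = name.lower().split("-")
    if proto != "esp" or cipher not in CIPHERS or hsh not in HASH:
        raise ValueError(f"unrecognised Phase 2 proposal: {name}")
    # 'nopfs' prefix means Perfect Forward Secrecy is disabled.
    group = None if pfs == "nopfs" else int(pfs[1:])
    return {"pfs_group": group, "protocol": proto,
            "cipher": cipher, "hash": HASH[hsh]}


# Settings taken from the Preshared Secret overview in this topic.
EXPECTED_PHASE1 = {"auth": "preshared", "dh_group": 2, "cipher": "3des", "hash": "sha1"}
EXPECTED_PHASE2 = {"pfs_group": 2, "protocol": "esp", "cipher": "3des", "hash": "sha1"}


def mismatches(actual, expected):
    """List every parameter whose configured value differs from the expected one."""
    return [f"{k}: got {actual.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if actual.get(k) != v]


def check_proposals(phase1_name, phase2_name,
                    phase1_expected=EXPECTED_PHASE1, phase2_expected=EXPECTED_PHASE2):
    """Return the list of mismatches; an empty list means both proposals match."""
    problems = mismatches(parse_phase1(phase1_name), phase1_expected)
    problems += mismatches(parse_phase2(phase2_name), phase2_expected)
    return problems


if __name__ == "__main__":
    print(check_proposals("pre-g2-3des-sha", "g2-esp-3des-sha"))      # []
    print(check_proposals("rsa-g2-3des-sha", "nopfs-esp-3des-sha"))   # two mismatches
```

For the certificate solution, pass a Phase 1 expectation with "auth": "rsa-signature" so that rsa-g2-3des-sha is accepted.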

Logs

Review the Log files for any errors:

  • The default NetScreen logs can be viewed through the NetScreen Administrator Tool by selecting Monitor from the left menu.
  • The default NetScreen logs can be sent to a log server using syslog.
  • IKE Debug can be used for error review. This feature can only be used from the command line through a serial or Telnet connection. After access is established, type the following commands:
    • clear dbuf. Clears the buffer of any log entries.
    • set console dbuf. Sends any debug logging to the buffer.
    • debug ike detail. Enables IKE debugging.
    • undebug all. Disables all debugging.
    • get dbuf stream. Displays any entries in the buffer on the terminal.