Thu, 31 Jan 2008 9:22 AM

Setting up a route based site-to-site vpn using aggressive mode

Michael Dale

The following how-to guide explains how to set up a route-based site-to-site VPN where one site sits behind a firewalled internet connection with a dynamic IP address.

So the background:
We have a client who currently uses a Next G wireless connection and requires a link back into head office.

The wireless connection is limited in the following ways:

  • No public IP address
  • No static IP address
  • No port forwarding capabilities

So the connection is locked down.

The client required a site-to-site VPN for their business to operate (the main application runs in head office).

So the following guide will show you how to set this up.

Network Details:
Head Office

  • Real internet connection with a static IP address
  • 192.168.0.x internal network

Remote Office

  • Internet connection without a public IP address or port forwards
  • 192.168.6.x internal network

Head Office Setup

  1. Create a new IKE user (Objects->Users->Local)
  2. Create a new Unnumbered Tunnel Interface mapped to the untrust zone (Network->Interfaces (List)) and connected to your untrust Interface
  3. Create a new "Dialup User" VPN Gateway (VPNs->AutoKey Advanced->Gateway),
    1. Dialup user being the one you created in step 1.
    2. Outgoing interface is your untrust port.
    3. Enter a preshared key.
    4. In the advanced settings:
      1. Mode (Initiator) Aggressive
      2. Enable NAT-Traversal
  4. Create a new AutoKey IKE (VPNs->AutoKey IKE).
    1. Security Level: Custom
    2. Remote gateway is the one you setup in step 3
    3. In the advanced settings
      1. Replay Protection
      2. Bind to the Tunnel Interface you created in step 2
      3. VPN Monitor
      4. Rekey
  5. Create Routes (Network->Routing->Routing Entries)
    1. Network (remote network): 192.168.6.0/255.255.255.0
    2. Gateway
    3. Interface: Tunnel Interface you created in step 2
  6. Create policies:
    1. From Trust to Untrust:
      1. Source: 192.168.0.0/24
      2. Destination: 192.168.6.0/24
    2. From Untrust to Trust:
      1. Source: 192.168.6.0/24
      2. Destination: 192.168.0.0/24

Remote Office Setup

  1. Create a new Unnumbered Tunnel Interface mapped to the untrust zone (Network->Interfaces (List)) and connected to your untrust Interface
  2. Create a new "Dialup User" VPN Gateway (VPNs->AutoKey Advanced->Gateway),
    1. Local ID being the IKE Identity you created in step 1 on the Head Office setup.
    2. Outgoing interface is your untrust port.
    3. Enter a preshared key (same as Head Office setup).
    4. In the advanced settings:
      1. Mode (Initiator) Aggressive
      2. Enable NAT-Traversal
  3. Create a new AutoKey IKE (VPNs->AutoKey IKE).
    1. Security Level: Custom
    2. Remote gateway is the one you setup in step 2
    3. In the advanced settings
      1. Replay Protection
      2. Bind to the Tunnel Interface you created in step 1
      3. VPN Monitor
      4. Rekey
  4. Create Routes (Network->Routing->Routing Entries)
    1. Network (remote network): 192.168.0.0/255.255.255.0
    2. Gateway
    3. Interface: Tunnel Interface you created in step 1
  5. Create policies:
    1. From Trust to Untrust:
      1. Source: 192.168.6.0/24
      2. Destination: 192.168.0.0/24
    2. From Untrust to Trust:
      1. Source: 192.168.0.0/24
      2. Destination: 192.168.6.0/24

So that should be all you need to do. The Remote Office will be the side that starts the VPN. Make sure the encryption settings are the same for each side.

The good thing about this setup is that you don't need to use a service like DynDNS so it should be a bit more reliable.

If I get a chance I'll try and add some screen shots.
