Michael Dale
So last night Bryn's sister's boyfriend (Josh) and I setup a VPN between our two houses. Josh is currently running Gentoo, while I'm using a Netscreen 5GT.
Background
My Place
- Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
- Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
- External Address of 59.167.253.89
Josh's Place
- Gentoo running Racoon (I think it was installed through the command emerge ipsec)
- Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
- Dynamic IP Address (we setup a dyndns address as the Netscreen supports pointing to a hostname)
So I'll go through the process of setting up the dial-up VPN first.
Dial-up VPN (Single PC at Josh's Place accessing my network)
Step 1)
The first step is to setup a dial-up vpn on the Netscreen. I've covered this process
here (only do
Setting up the Netscreen).
Step 2)
Install racoon on the linux/bsd box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).
Step 3)
Setup racoon.conf. Now for this process we used a combination of:
So our config looks like:
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}
remote 59.167.253.89 {
exchange_mode aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier fqdn "Test.User";
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo address 10.0.11.15/32 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
listen {
isakmp 10.0.11.15;
}
log debug2;
Things to note:
- remote 59.167.253.89 (The ip address of the external interface on my netscreen)
- exchange_mode aggressive (Remember we set the Netscreen Phase 1 to aggressive)
- my_identifier fqdn "Test.User" (The IKE Identity)
- lifetime time 28800 seconds (Phase 1 lifetime)
- encryption_algorithm des (Phase 1 DES encryption)
- hash_algorithm md5 (Phase 1 MD5)
- authentication_method pre_shared_key (We're using a preshared key)
- dh_group modp1024 (On the netscreen DH Group 2)
- sainfo address 10.0.11.15/32 any address 10.0.0.0/22 (From Josh's Internal Linux PC ip address to my network. Remember that the dial-up vpn is just for one pc on Josh's side)
- pfs_group modp1024 (Again DH Group 2)
- lifetime time 3600 seconds (Phase 2 lifetime)
- encryption_algorithm des (Phase 2 encryption)
- authentication_algorithm hmac_md5 (Phase 2 MD5)
Step 4)
Setup ipsec.conf
So our config looks like:
#!/usr/sbin/setkey -f
#nat_traversal=yes
flush;
spdflush;
#out
spdadd 10.0.11.15/32 10.0.0.0/22 any
-P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;
#in
spdadd 10.0.0.0/22 10.0.11.15/32 any
-P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
You'll just need to change the IP addresses to suit your setup.
Step 5)
Setup psk.txt.
So our config looks like:
59.167.253.89 our_preshared_key
So change the ip address to your netscreen external interface and change the preshared key to the one used when setting up the netscreen
Step 6)
Test. Use both ends to debug and test.