Michael Dale
This howto shows you how to create a site to site VPN with a Netscreen and Racoon. If you're interested in setting up a dial-up vpn, see
hereBackground
My Place
- Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
- Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
- External Address of 59.167.253.89
Josh's Place
- Gentoo running Racoon (I think it was installed through the command emerge ipsec)
- Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
- Dynamic IP Address (we setup a dyndns address as the Netscreen supports pointing to a hostname)
Site to Site VPN (Josh's network to my network)
Step 1)
Setup a dyndns address for the linux end (as this is using a dynamic ip address), use this address in the hostname option when setting up the netscreen (see next step).
Step 2)
The next step is to setup a site to site vpn on the Netscreen. I've covered this process
here (only do
Setting up the Netscreen, Note that example uses 10.0.4.0 as the remote network not 10.0.11.0).
Step 3)
Install racoon on the linux/bsd box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).
Step 4)
Setup racoon.conf. Now for this process we used a combination of:
So our config looks like:
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}
remote 59.167.253.89 {
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo address 10.0.11.0/24 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
#listen {
# isakmp 10.0.11.15;
#}
log debug2;
Things to note:
- remote 59.167.253.89 (The ip address of the external interface on my netscreen)
- exchange_mode main (Remember we set the Netscreen Phase 1 to main mode)
- my_identifier address; (The external IP address of the linux box is used as the identifier)
- lifetime time 28800 seconds (Phase 1 lifetime)
- encryption_algorithm des (Phase 1 DES encryption)
- hash_algorithm md5 (Phase 1 MD5)
- authentication_method pre_shared_key (We're using a preshared key)
- dh_group modp1024 (On the netscreen DH Group 2)
- sainfo address 10.0.11.0/24 any address 10.0.0.0/22 (From Josh's network to my network)
- pfs_group modp1024 (Again DH Group 2)
- lifetime time 3600 seconds (Phase 2 lifetime)
- encryption_algorithm des (Phase 2 encryption)
- authentication_algorithm hmac_md5 (Phase 2 MD5)
Step 5)
Setup ipsec.conf
So our config looks like:
flush;
spdflush;
spdadd 10.0.0.0/22 10.0.11.0/24 any -P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
spdadd 10.0.11.0/24 10.0.0.0/22 any -P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;
You'll just need to change the IP addresses to suit your setup.
Step 6)
Setup psk.txt.
So our config looks like:
59.167.253.89 our_preshared_key
So change the ip address to your netscreen external interface and change the preshared key to the one used when setting up the netscreen
Step 7)
Test. Use both ends to debug and test.