Fri, 01 Sep 2006 6:59 PM

Setting up a dial-up VPN to connect to a Netscreen

Michael Dale

I've been getting lots of hits to the post about a site-to-site VPN setup with a Netscreen. So I've decided to do one for a dial-up VPN user connecting to a Netscreen.

A dial-up user is anyone who needs access into the network and has a dynamic IP address. We don't wish to be able to access them (the dial-up user) from within the network. This is how we set up most connections at work. It allows people to access file shares and Outlook (without the need to set up RPC over HTTP).

Background


  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)

  • Netscreen Remote 8.7 (The Windows VPN client)

  • Local Network (the one the VPN users want to access) of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)

  • External Address of 59.167.253.89

Setting up the Netscreen

1) First we need to create a user. This can be found in Objects -> Users -> Local (Note: Follow the screen shot below; you don't need a password here, but you do need the IKE User info)

Adding user to the netscreen

So we have our user, Test.User

2) Create Phase 1 of the VPN tunnel. This can be found in VPNs -> AutoKey Advanced -> Gateway (Note: Security level is set to custom, password for VPN is entered here, Outgoing interface is your untrust interface).

Adding Phase 1 of VPN policy


3) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Mode is set to Aggressive)

Phase 1 VPN


Now click return and okay to save your settings.


4) Now we'll create the Phase 2 information. This can be found in VPNs -> AutoKey IKE (Note: Security level is set to custom, Remote Gateway is set to "Test.UserP1")

VPN Phase 2


5) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Replay Protection is on)

VPN Phase 2


Now click return and okay to save your settings.


6) Now we'll need to create a policy. This will go from untrust to trust. This can be found in Policies.

Netscreen Policies


Click New (Note: Source Address is Any-IPv4, or just Any if IPv6 is disabled; Destination Address is your local subnet; tunnel the connection through the VPN "Test.UserP2")

Netscreen Policy


Now the Netscreen has been setup.

Setting up Netscreen Remote

1) Open the policy editor in Netscreen Remote

Netscreen Remote 1


2) Create a new connection (Note: Type in the remote subnet details and set the secure gateway to your Netscreen's external address)

Netscreen Remote 2


3) Now we'll setup the login details (Note: The Certificate is None, The ID Type is Domain Name and the value is "Test.User")

Netscreen Remote 3


4) Now click Pre-Shared Key (Note: Type in the password you used when setting up the gateway in the Netscreen)

Netscreen Remote 4


5) Now we'll set the connection to aggressive (Note: Enable PFS, DH is Group 2 and Enable Replay Detection)

Netscreen Remote 5


6) Now we'll setup the Phase 1 details (Note: We're using DES and MD5 here. SA Life is 28800 seconds)

Netscreen Remote 6


7) Now we'll setup the Phase 2 details (Note: The SA Life here is 3600 Seconds)

Netscreen Remote 7


8) Save the settings and Test!


That should be all you need to do.

Notes


  • The VPN may not work behind some NAT routers. You can try turning on NAT-T within the Netscreen, although I find it doesn't normally work (newer versions such as 5.4 and 6.x seem to work just fine).

  • Make sure the details in the Netscreen and Netscreen Remote match (i.e. Phase 1 policies, etc.)

  • You can check the logs from both Netscreen and Netscreen Remote

  • You cannot connect to the VPN while within the local subnet

  • Netscreen Remote should be disabled when you're directly connected to the network

  • Only traffic for the subnet is passed over the VPN.
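As an added example (not from the original post), here is a small Python checker that encodes the settings the post configures on both ends and reports the mismatches the notes above warn about. The dictionaries, the client's current address and the function names are constructed for this example and are not ScreenOS syntax.

```python
"""Added example: compare a Netscreen Remote client's settings against the
Netscreen's dial-up VPN configuration from the post (constructed model)."""
import ipaddress

# Gateway side, with the values the post configures (constructed model).
NETSCREEN = {
    "ike_user": "Test.User",
    "phase1": {"mode": "aggressive", "enc": "des", "hash": "md5",
               "dh_group": 2, "lifetime_s": 28800},
    "phase2": {"enc": "des", "hash": "md5", "pfs_group": 2,
               "lifetime_s": 3600, "replay": True},
    "local_net": "10.0.0.0/22",
}

# Client side as the post sets it up; current_ip is a constructed example
# address so the "inside the local subnet" check can be exercised.
CLIENT_OK = {
    "ike_id": "Test.User", "remote_net": "10.0.0.0/22",
    "current_ip": "203.0.113.7",
    "phase1": dict(NETSCREEN["phase1"]), "phase2": dict(NETSCREEN["phase2"]),
}

WEAK = {"des", "md5"}  # accepted by ScreenOS 5.x, long deprecated today

def check_client(client, gateway=NETSCREEN):
    """Return the reasons the tunnel would fail (empty list if it matches)."""
    problems = []
    if client["ike_id"] != gateway["ike_user"]:
        problems.append("phase1: IKE ID must equal the local IKE user name")
    for phase in ("phase1", "phase2"):
        for key, want in gateway[phase].items():
            got = client[phase].get(key)
            if got != want:
                problems.append(f"{phase}: {key}={got!r}, gateway expects {want!r}")
    local = ipaddress.ip_network(gateway["local_net"])
    if not ipaddress.ip_network(client["remote_net"]).subnet_of(local):
        problems.append("policy: remote subnet lies outside the gateway's local network")
    if ipaddress.ip_address(client["current_ip"]) in local:
        problems.append("client is already inside the local subnet (disable Netscreen Remote)")
    return problems

def weak_algorithms(gateway=NETSCREEN):
    """List the deprecated primitives both ends are being told to agree on."""
    return sorted({v for p in ("phase1", "phase2")
                   for v in gateway[p].values() if isinstance(v, str) and v in WEAK})

if __name__ == "__main__":
    print(check_client(CLIENT_OK) or "client matches gateway")
    print("weak algorithms in use:", weak_algorithms())
```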


Fri, 23 Jun 2006 11:06 AM

Exams Over

Michael Dale

I finished my last exam yesterday morning. Awesome, five weeks off uni!


Uni

Thu, 22 Jun 2006 6:41 PM

Bluetrait 0.4.9

Michael Dale
Bluetrait 0.4.9 is now out. This version provides some bug fixes over BETA 1 (Think of it as BETA 1 Release 2).


The following have been fixed from BETA 1:
  • If upgrading from an old version, the version number in the database is not changed with the upgrade. An error message is triggered saying that the upgrade failed.

  • Upgrade will not detect version 0.4.7 as a valid upgrade path.

  • You are not able to log in if the site is installed at http://localhost/. You require a fully qualified domain name.



The full change log can be seen here.

Sun, 18 Jun 2006 9:01 AM

phpBB 3 BETA 1

Michael Dale

phpBB 3 BETA 1 has finally been released. I should try it out some time.


Sun, 11 Jun 2006 12:21 AM

Macbook running hot

Michael Dale
My MacBook has been running great. Although every now and then it seems to get pretty hot. I check Activity Monitor to find that both of the cores are running at about 50% load each. Yet no process seems to be taking up anywhere near that much (even combined). I've tracked it down to "Windows Sharing". For some reason, maybe Samba has gone crazy or something, but switching off Windows Sharing seems to bring it right back down to a normal temperature. Once you've turned off Windows Sharing you can turn it back on and have no issues. It mainly seems to happen after coming out of sleep. I'll have to try and track down the main reason for the problem. Some software bug somewhere (this is on 10.4.6). I didn't have this problem on my G4 iBook. Although this is really the only problem with my MacBook, and it is very minor.

Wed, 24 May 2006 3:56 PM

macBook

Michael Dale
Ordered Monday night, was delivered about 1pm today. Awesome! Cannot wait to get home! ;)

Sun, 21 May 2006 11:41 PM

Akismet

Michael Dale
I've just added support to my blog for Akismet through the use of this PHP class. I'm currently waiting on my API key before I enable it.

spam settings

Sun, 21 May 2006 9:20 PM

Spam

Michael Dale

Looks like some spam is finally getting past my spam filter. I'm going to look into adding support for this.


Wed, 17 May 2006 12:50 AM

trackback spam

Michael Dale

I've been getting my fair share of trackback spam in the last month or so. I've decided to disable trackbacks for the time being. Unfortunately I cannot use my spamblock code on them (which works great for normal comments).


Wed, 17 May 2006 12:46 AM

MacBook

Michael Dale
Well the MacBook is finally out. I'm contemplating getting one.

Also, I've noticed that my last post broke IE and really anyone running below 1600x1050. Sorry about that, go buy a bigger screen ;)

On another note, I got an email from one of my friends at usyd:


Sydney Uni is selling original iMacs for $50!!! I don't know if you have any use for super cheap old computers, but I thought I'd tell you anyway. The School of Languages is trying to get rid of them. Maybe for spare parts, extra storage space (although the one I saw I had a hard drive of a whopping 4 GB - not much storage space there!)???? Anyway, I thought you might like to know.


So if anyone wants cheap Macs... I think I've got enough. At last count we now have 6 Macs in the house :)