Racoon to Netscreen VPN (dialup)

Michael Dale

So last night Bryn's sister's boyfriend (Josh) and I setup a VPN between our two houses. Josh is currently running Gentoo, while I'm using a Netscreen 5GT.

Background

My Place

• Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
• Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
• External Address of 59.167.253.89

Josh's Place

• Gentoo running Racoon (I think it was installed through the command emerge ipsec)
• Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
• Dynamic IP Address (we setup a dyndns address as the Netscreen supports pointing to a hostname)

So I'll go through the process of setting up the dial-up VPN first.

Dial-up VPN (Single PC at Josh's Place accessing my network)

Step 1)

The first step is to setup a dial-up vpn on the Netscreen. I've covered this process here (only do Setting up the Netscreen).

Step 2)

Install racoon on the linux/bsd box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).

Step 3)

Setup racoon.conf. Now for this process we used a combination of:

• The details from this site: http://www.prolixium.com/netscreenlinux
• The config generated by IPSecuritas on my Mac

So our config looks like:


Things to note:

• remote 59.167.253.89 (The ip address of the external interface on my netscreen)
• exchange_mode aggressive (Remember we set the Netscreen Phase 1 to aggressive)
• my_identifier fqdn "Test.User" (The IKE Identity)
• lifetime time 28800 seconds (Phase 1 lifetime)
• encryption_algorithm des (Phase 1 DES encryption)
• hash_algorithm md5 (Phase 1 MD5)
• authentication_method pre_shared_key (We're using a preshared key)
• dh_group modp1024 (On the netscreen DH Group 2)
• sainfo address 10.0.11.15/32 any address 10.0.0.0/22 (From Josh's Internal Linux PC ip address to my network. Remember that the dial-up vpn is just for one pc on Josh's side)
• pfs_group modp1024 (Again DH Group 2)
• lifetime time 3600 seconds (Phase 2 lifetime)
• encryption_algorithm des (Phase 2 encryption)
• authentication_algorithm hmac_md5 (Phase 2 MD5)

Step 4)

Setup ipsec.conf

So our config looks like:


You'll just need to change the IP addresses to suit your setup.

Step 5)

Setup psk.txt.

So our config looks like:

So change the ip address to your netscreen external interface and change the preshared key to the one used when setting up the netscreen

Step 6)

Test. Use both ends to debug and test.

Setting up a dial-up VPN to connect to a Netscreen

Michael Dale

I've been getting lots of hits to the post about a site to site VPN setup with a netscreen. So I've decided to do one for a dial-up VPN user connecting to a netscreen.

A dial-up user is anyone who needs access into the network and has a dynamic ip address. We don't wish to be able to access them (the dial-up user) from within the network. This is how we setup most connections at work. This allows people to access file shares and outlook (without the need to setup RPC over HTTP).

Background

• Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
• Netscreen Remote 8.7 (The Windows VPN client)
• Local Network (the one in which the vpn users want to access) of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
• External Address of 59.167.253.89

Setting up the Netscreen

1) First we need to create a user. This can be found in Objects -> Users -> Local (Note: Follow the screen shot below, you don't need a password here, you do need the IKE User info though)



So we have our user, Test.User

2) Create Phase 1 of the VPN tunnel. This can be found in VPNs -> AutoKey Advanced -> Gateway (Note: Security level is set to custom, password for VPN is entered here, Outgoing interface is your untrust interface).



3) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Mode is set to Aggressive)



Now click return and okay to save your settings.

4) Now we'll create the Phase 2 information. This can be found in VPNs -> AutoKey IKE (Note: Security level is set to custom, Remote Gateway is set to "Test.UserP1")



5) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Replay Protection is on)



Now click return and okay to save your settings.

6) Now we'll need to create a policy. This will go from untrust to trust. This can be found in Policies.



Click new (Note: Source Address is Any-IPv4 or just Any if IPv6 is disabled, Destination Address is your local subnet, tunnel the connection though the VPN user "Test.UserP2")



Now the Netscreen has been setup.

Setting up Netscreen Remote

1) Open the policy editor in Netscreen Remote



2) Create a new connection (Note: Type in the remote subnet details and set the secure gateway to your netscreens external address)



3) Now we'll setup the login details (Note: The Certificate is None, The ID Type is Domain Name and the value is "Test.User")



4) Now click Pre-Shared Key (Note: Type in the password you used when setting up the connection in the netscreen)



5) Now we'll set the connection to aggressive (Note: Enable PFS, DH is Group 2 and Enable Replay Dection)



6) Now we'll setup the Phase 1 details (Note: We're using DES and MD5 here. SA Life is 28800 seconds)



7) Now we'll setup the Phase 2 details (Note: The SA Life here is 3600 Seconds)



8) Save the settings and Test!

That should be all you need to do.

Notes

• The VPN may not work behind some NAT routers. You can try turning on NAT-T within the netscreen, although I find it doesn't normally work (newer versions such as 5.4 and 6.x seem to work just fine).
• Make sure the details in the Netscreen and Netscreen Remote Match (i.e Phase 1 policies etc)
• You can check the logs from both Netscreen and Netscreen Remote
• You cannot connect to the VPN while within the local subnet
• Netscreen Remote should be disabled when you're directly connected to the network
• Only traffic for the subnet is passed over the VPN.

Site to Site VPN with Netscreen 5GT and Netgear DG834G

Michael Dale

I purchased my parents a new router/modem/wireless device the other day. It is a Netgear DG834G, great value for money.

Anyway the Netgear supports VPN termination, so I decided to setup a VPN between their house and mine. This allows me to run voip over the VPN without the need to worry about port forwarding (which is a real pain with SIP).

So the technical background:

My place:
1) Static IP address (59.167.253.89)
2) Juniper Netscreen 5GT running ScreenOS 5.3.0r2
3) 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
4) Router on address 10.0.0.254

Parents place:
1) Dynamic IP address
2) Netgear DG834G running firmware V3.01.25 (Has also been tested to work with a DG834 with firmware V2.10.22)
3) 10.0.4.0/24 (10.0.4.0 - 10.0.4.254)
4) Router on address 10.0.4.254

Now the netgear has some limitations with the VPN. The main issue is that it only supports "Main Mode" authentication. Main Mode is designed for site to site VPNs both with static IP addresses. My parents don't have a static IP address.

To get around this the netscreen allows you to point the remote end point (in this case the netgear) to a hostname. So for the netgear site you need to setup a dyndns.org account. For an example we will call this example.dyndns.org.

See below:


So lets setup the netscreen site first.

1) Setup IP Address Objects that point to each site. Under Objects > Addresses > List. In my case
10.0.0.0/22 TRUST (local)
10.0.4.0/25 UNTRUST (remote)




2) Now to setup the VPN Gateway on the netscreen. Under VPNs > AutoKey Advanced > Gateway.
Add a new connection like below:

Select your preshared key here too.

Now select Advanced (note you could use 3DES, but in this case I just use DES):



3) Now you need to setup Phase 2. Under VPNs > AutoKey IKE



Then select advanced:


4) Now we need to create a policy that allows traffic to flow in both directions. This is called a bidirectional VPN policy.

In Policies under Trust to Untrust create this policy.



5) Now time to setup the netgear. Create an auto VPN account



Note the preshared key must be the same for each device.



That should be all you need to do. You can monitor the connection on both sides through the log files. The netscreen outputs a more detailed log so it is best to read this.

If the connection doesn't work it is best to troubleshoot the VPN from a console connection to the netscreen.

To start the debugging process type:


To finish the debugging type: