Just a brief list of instructions I made some time ago which may be useful:

Set up a VPN with a NetScreen using a preshared key walkthrough (using the web interface) of a route-based VPN solution between two NetScreens:
Scenario:
Firewall A -> Internet -> Firewall B
1. Log into Firewall A through the web interface
2. Configure your tunnel interface
•   Click Network -> Interfaces
•   Make sure the dropdown in the top left says Tunnel IF, and click New
•   I put mine in the Untrust zone because I want all of my VPN traffic to run through my Untrust->Trust policy
•   Click unnumbered and select the Untrust interface
•   click OK
3. Configure your VPN Gateway
•   Click VPNs -> AutoKey Advanced -> Gateway
•   click New
•   Name the gateway "FirewallB-gw"
I always select the custom security level, you'll see why in a following step
•   Enter the public IP address of Firewall B
•   Carefully enter your preshared key
•   Select Untrust for your outgoing interface
•   Click Advanced
•   Select User defined (custom)
•   In the first dropdown select pre-g2-aes128-sha
•   Click Return at the bottom
•   Click OK at the bottom
4. Create the VPN
•   on the menu on the left select VPNs -> Autokey Advanced
•   click New
•   name it FirewallB-vpn
•   select Custom
•   leave predefined checked and select your FirewallB-GW in the dropdown
•   click Advanced
•   select Custom
•   In the first dropdown, select g2-esp-aes128-sha
•   Turn on replay protection
•   Bind to tunnel interface, and select your tunnel interface you created in step 2
•   Turn on VPN monitor (this will bring up the VPN right away and keep it up even when there's no traffic on it)
•   Click Return
•   Click OK
5. You need to add routes to the remote network. You can configure the tunnel interfaces to run OSPF, or you can add a static. I will tell you how to add a static.
•   On the menu click Network -> Routing -> Destination
•   Click new
•   Type in the network address behind Firewall B
•   Select Gateway
•   Select your tunnel interface in the dropdown
•   Click ok
6. Add your policy to allow access to/from the remote network. If you are not in NAT mode on your trust interface, make sure you check position at top when creating a Trust->Untrust rule, or it will NAT the traffic to your Untrust IP or DIP pool and then send it across the tunnel, which you probably don't want. Create an Untrust->Trust policy which allows access from the Network behind Firewall B to hosts or the network behind Firewall B. You probably want to allow Ping at a minimum.
7. Repeat steps 1-6 on Firewall B. Substituting Firewall A's data.
The VPN should pop up and everything should work. You can also use the little wizard. If one or both of your NetScreens is behind something that does NAT, you will also have to turn on NAT traversal on both ends.
If you don't want static routes and want to use OSPF instead, create an OSPF instance under the trust VR. Make sure you add the tunnel interfaces and your internal interfaces to it, and tell it to advertise your private networks. You will then have to go under each interface that you added, and turn on OSPF. On tunnel interfaces, you can enable demand circuit and add it to the area, apply the changes, and then Enable OSPF on it.

Regards

Garnet

EH-Net

Resources => Tutorials => Topic started by: GarnetNW on August 22, 2012, 09:57:59 AM