Juniper SSG5 設定 L2TP VPN
Configuring an L2TP over IPSec User on the Juniper Firewall
Open the WebUI. For an example of how to access the WebUI, consult:KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click Objects, select Users, and then click Local.
Click New.
From the Edit screen, enter a User Name.
For this example, we entered John Doe
.
Click to select Enable.
Click to select IKE User.
Click to choose Simple Identity or Use Distinguished Name For ID. From IKE Identity, enter an identity name.
For this example, we have selected Simple Identity. From IKE Identity, we have entered jdoe@netscreen.com.
Click to select L2TP User. Enter the User Password, and then Confirm Password
.
If you would like this user to use specific settings, from L2TP/XAuth Remote Settings, enter WINS, DNS, and select the IP Pool to bind to. Otherwise, use the default settings for L2TP.
Click OK.
(2)
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click Objects, select User Group, and then click Local.
Note that on some newer versions of ScreenOS, the menu options may be Objects > Users > Local Groups.
Click New.
From the Edits screen, enter a Group Name.
For this example, we have entered usergroup1
.
Click to select an Available Member, and then click the Add Group Members button.
For this example, we have selected John Doe.
For more information on configuring an L2TP user, go to Configuring an L2TP User on the Juniper Firewall.
Click OK.
(3)
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click VPNs, select AutoKey Advanced, and then click Gateway
.
Click New.
From the Edit screen, enter a Gateway Name. From Security Level, click Custom.
For this example, we entered JohnDoeGate
.
From Remote Gateway Type, click to select Dialup User Group. From the Group drop-down menu, click to select your group.
For this example, we selected usergroup1.
From the Preshared Key text box, enter a Preshared Key.
For this example, we have entered Password9.
From Outgoing Interface, click to select your external interface. Then click Advanced.
For this example, the public external interface is the untrust interface on a 5GT in trust-untrust mode.
From Phase 1 Proposal drop-down menu, click to choose a proposal.
For this example, we chose pre-g2-des-sha. When choosing the Phase 1 Proposal, you must select pre for the proposal.
From Mode (Initiator), click to select Aggressive.
Click Return.
Click OK
.
From the ScreenOS options menu, click VPNs, select AutoKey IKE.
Click New
.
From VPN Name, enter a VPN Name. Click to select Custom.
For this example, we entered JohnDoeIke.
From the Remote Gateway drop-down menu, click to select a Remote Gateway.
For this example, we chose JohnDoeGate.
Click Advanced
.
From User Defined, click to select Custom. From the Phase 2 Proposal drop-down menus, click to choose the Phase 2 Proposal settings.
For this example, we chose nopfs-esp-des-md5, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-3des-sha.
From Transport Mode, click (For L2TP-over-IPSec only). From Bind to, click None.
Click Return
.
Click OK.
(4)
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click Objects, and then click IP Pools.
Click New
.
From the Edit screen, enter an IP Pool Name, a Start IP, and an End IP.
For this example, we have chosen an IP Pool Name of global, a Start IP of 10.10.2.100, and an End IP of 10.10.2.180.
To avoid potential routing problems, make sure the IP Pool is on a different IP Subnet than the Trust Zone.
(5)
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click VPNs, select L2TP, and then click Default Settings.
From the Default Settings screen, from the IP Pool Name drop-down menu, click to select global, and then from the PPP Authentication drop-down menu, click to select CHAP.
For more information on configuring an L2TP IP pool, go to Configuring an L2TP IP Pool on the Juniper Firewall
.
DNS Primary Server IP, DNS Secondary Server IP and WINS server setting
values are optional, and are not required for the L2TP tunnel to work.
If DNS and/or WINS settings are set, they will be pushed down to the
L2TP PC client.
For this example, for the DNS Primary Server IP, we have entered 210.11.40.3, and for the DNS Secondary Server IP, we have entered 210.11.50.2.
Click Apply.
(6)
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click VPNs, select L2TP, and then click Tunnel
.
Click New.
From the Tunnel screen, enter a Name.
For this example, we entered sales_corp.
From the Authentication Server drop-down menu, select Local.
From the Outgoing Interface drop-down menu, select your external interface from which your L2TP client will be connecting.
For this example, we chose ethernet3. The Outgoing Interface could be either ethernet3 or untrust depending on your Firewall device model.
For Peer IP, enter 0.0.0.0.
Host Name and Secret are optional, and are used with a Radius server. Host Name is the name of the computer acting as the L2TP access concentrator (LAC). Secret is a secret shared between the LAC and the L2TP network server (LNS).
From Keep Alive, enter a value.
For this example, we have entered 60 (the
default). The Keep Alive value is the number of seconds of inactivity
before the Juniper Firewall device sends an L2TP hello signal to the
LAC.
Click OK.
(7)
Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
From the ScreenOS options menu, click Policies
.
From the Policies screen, in the From drop-down menu, select Untrust. From the To drop-down menu, click to select Trust.
Click New.
From the Policies screen, in Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Dial-Up VPN
.
From Destination Address, click to choose New Address or Address Book.
For this example, we have selected New Address, and have entered 192.168.1.50/24.
From the Service drop-down menu, click to select Any, and then from the Action drop-down menu, click to select Tunnel.
From the Tunnel VPN drop-down menu, click to select a VPN.
For this example, we have selected JohnDoeIKE
.
From the L2TP drop-down menu, click to select an L2TP tunnel.
For this example, we have used sales_corp as the tunnel name. For more information on configuring the L2TP VPN tunnel, go to Configuring the L2TP VPN Tunnel on the Juniper Firewall.
Click to select Position at Top.
Click OK.
(8)
From the Start menu, click Programs, click NetScreen-Remote, and then click to select Security Policy Editor.
With newer versions of NetScreen-Remote, the start menu may be Juniper Networks > NetScreen-Remote
.
From the Security Policy Editor, click the Add a new connection icon.
Enter a name for your new connection.
For this example, we used the default name New Connection.
From Remote Party Identity and Addressing, in the ID Type drop-down menu, click to select IP Address
.
Enter the Untrust Interface IP Address of the Juniper Firewall you are trying to reach.
For this example, we used 1.1.1.1 as the Untrust interface IP address.
From the Protocol drop-down menu, click to select UDP. From the Port drop-down menu, click to select L2TP.
Click the + to expand New Connection
.
Click My Identity, and then from the Select Certificate drop-down menu, click to select None.
Click Pre-Shared Key
.
Click Enter Key, and then enter the Pre-Shared Key.
The Pre-Shared Key will need to match the one configured on the Firewall device for this connection.
Click OK.
Click Security Policy, and then click to select Aggressive Mode.
Click My Identity
.
From the ID Type drop-down menu, click to select E-mail Address.
Enter the email address corresponding to the ID.
For this example, we have used jdoe@netscreen.com. This is the IKE user's simple identity and not their username. The E-mail Address can be a username or an actual email address. However, this needs to match the settings on the Juniper Firewall.
Click the + to expand Security Policy
.
Click the + to expand Authentication (Phase 1).
Click to select Proposal 1.
From the Encrypt Alg drop-down menu, click to select encryption type. From the Hash Alg drop-down menu, click to select authentication type.
For this example, we have used DES for Encrypt Alg and SHA-1 for Hash Alg
.
From the Key Group drop-down menu, click to select Diffie-Hellman Group 2.
Click the + to expand Key Exchange (Phase 2).
Click Proposal 1.
From the Encrypt Alg drop-down menu, click to select encryption type. From the Hash Alg drop-down menu, click to select authentication type.
(9)
From the Start menu, select Settings, select Network and Dial-up Connections, and then click Make New Connection.
For Windows XP, goto Control Panel and select Network Connections. Then click Create a new connection
.
From the Network Connection Wizard, click Next.
From Network Connection Type, click to select Connect to a private network through the Internet, and then click Next.
For Windows XP, choose Connect to the network at my workplace. Then select Virtual Private Network connection
.
You may see the Public Network
screen at this time. Click to select the dial-up connection that
connects you to your ISP. If your physical connection is an Ethernet
connection, select Do not dial initial connection. If the physical connection is through an ISP, select Automatically dial this initial connection. Click Next.
For Windows XP, you will be prompted first for a connection name first.
For this example, we used Do not dial the initial connection.
From Destination Address, in the Host name or IP address box, enter the IP address or hostname of your Juniper Firewall's Untrust interface, and then click Next.
For this example, we have used 1.1.1.1 as the Untrust IP address.
From Connection Availability, click to select For all users, and then click Next.
From the Completing the Network Connection Wizard, enter a connection name, and then click Finish.
For Windows XP, the connection name was entered before step 4.
Click Properties
.
Click to select the Security tab, click to select Advanced (custom settings), and then click Settings.
From Advanced Security Settings, from the Data encryption drop-down menu, click to select Optional encryption (connect even if no encryption)
.
From Logon security, click to select Allow these protocols. Click to select only Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP). Click to clear any protocols that do not apply.
Click OK.
Click to select the Networking tab. From the Type of VPN server I am calling drop-down menu, click to select Layer-2 Tunneling Protocol (L2TP).
For Windows XP, select L2TP IPSec VPN.
Click OK.
From Network and Dial-up Connections, double-click the Dial-up Connection.
Enter your User name and Password.
The User name and Password matches the username and password of the L2TP user configured on the Firewall.
Click Connect.
留言列表
網路相關技術 (3)
