![\"image\"](\"\/wp-content\/uploads\/2009\/01\/image6.png\" "\\"image\\"")
<\/a> <\/p>\nNetwork 192.168.10.0\/24 is located behind a multi-homed Windows 2008 Server (2 network interfaces, one with a private IP (192.168.10.254) and one with an internet public IP (I\u2019ll use 192.168.0.0\/24 as \u2018internet\u2019, so the \u2018public\u2019 IP of the Windows Server is 192.168.0.100. Of course, this is not really a public IP, and the Juniper\u2019s public IP will be in the same range, but it is not relevant to my explanation today. Just bear in mind that both the Juniper and the 2008 Server have a public IP. Traffic to the internet, initiated by these hosts, are not subject to address translation (no NAT). They are directly connected to the internet. If you feel not confident enough putting the Windows server directly to the internet, you can also put it in a DMZ. Just make sure it has a public IP which is routable, and no NAT is used.
Network 192.168.2.0\/24 is located behind a SSG5 Juniper firewall. Eth0\/1 is connected to the internet (192.168.0.30) and eth0\/2 is connected to the private network (192.168.2.0\/24).
The goal is to allow hosts 192.168.10.1 and 192.168.2.1 to talk to each other, using an IPSec tunnel between the Windows Server and the SSG firewall.<\/p>\n
The 2 zones on the screenOS are \u201cPublic\u201d (for the internet facing interface) and \u201cLan\u201d. If you are using Juniper equipment that does not support zones other than the default trust and untrust, feel free to replace \u201cPublic\u201d with \u201cuntrust\u201d and \u201cLan\u201d with \u201ctrust\u201d<\/p>\n
The Juniper firewall is a ssg5, running screenos 6.2 (but this may work with older versions as well)<\/p>\n
Shared configuration parameters :<\/h3>\n
Phase 1 : 3DES \u2013 SHA1, DH Group2. PSK : DNCSQLsdjqkl390DNJldapfSDx <\/p>\n We\u2019ll use a route based VPN for this purpose, so we need to create a tunnel interface. We\u2019ll use an ip unnumbered tunnel interface for this. The tunnel interface will be placed in the Public zone.<\/p>\n Next, we need to create a Phase1 definition. We\u2019ll use the GUI for this :<\/p>\n Go to \u201cVPNs\u201d, \u201cAutoKey Advanced\u201d, \u201cGateway\u201d and create a new gateway. Set a gateway name, fill out the public IP of the other side (192.168.0.100 in our case) and then click advanced<\/p>\n In the advanced screen, select the following options :<\/p>\n - fill out the Preshared Key, set the outgoing interface also to eth0\/1, and set the P1 proposal to pre-g2-3des-sha<\/p>\n - make sure the P1 Mode is set to Main<\/p>\n Click \u201cReturn\u201d and then \u201cOK\u201d to save the changes<\/p>\n In the menu on the left, go to \u201cVPNs\u201d, \u201cAutoKey IKE\u201d and create a new defintion. This is Phase2<\/p>\n Pick a name, select the predefined \u201cPhase1\u201d that we have created earlier and click \u201cAdvanced\u201d<\/p>\n Under advanced :<\/p>\n Set the Phase 2 proposal to nofps-esp-3des-sha, Bind the VPN to the tunnel interface, and set the proxy ID. The Local IP and netmask is the local network (192.168.2.0\/24), the Remote IP and netmask indicates the remote network (192.168.10.0\/24). Make sure the service is set to ANY. Click \u201creturn\u201d and then \u201cOK\u201d to save. <\/p>\n Now we can set up the routing and firewall policy<\/p>\n Add a route to the 192.168.10.0\/24 network and send it to the tunnel interface :<\/p>\n Add the necessary policies so all traffic between the two networks is allowed :<\/p>\n <\/p>\n First of all, make sure the Windows 2008 Server is configured as a router. (you can configure this via \u201cRouting & Remote Access\u201d \u2013 which can be installed as part of the \u201cNetwork Policy and Access Services\u201d server role) Otherwise, the hosts behind the server would not be able to route traffic via the server, thru the tunnel, to the hosts behind the remote endpoint of the tunnel.<\/p>\n Next, create the VPN definition :<\/p>\n Open the firewall settings on the Windows 2008 Server<\/p>\n (Server Manager \u2013 Windows Firewall properties)<\/p>\n Go to the \u201cIPSec Settings\u201d tabsheet and click Customize<\/p>\n Under \u201cKey Exchange (main mode)\u201d, choose Advanced and click the Customize button<\/p>\n Set 3DES-SHA as first Security Method in the list<\/p>\n Verify that the Key Exchange method is set to Diffie-Hellman Group 2 (which should be the case by default)<\/p>\n Verify that the key lifetime is set to 480 minutes (which is 28800 seconds, the default setting on Juniper)<\/p>\n Click \u201cOK\u201d to save<\/p>\n Under \u201cData Protection (Quick Mode)\u201d (= Phase 2), choose \u201cadvanced\u201d and click \u201ccustomize\u201d<\/p>\n Look at the right hand list (Data integrity and encryption) and make sure ESP \u2013 SHA1 \u2013 3DES is set to the first one in the list. Verify that the Key Lifetime is set to 60 minutes ( = 3600 seconds, default setting on Juniper)<\/p>\n As you can see, the Key Lifetime setting in Windows Server indicates both a time (60 minutes) and Kbytes (100000). In Juniper, the default is 3600 seconds, 0 bytes. In other words, if you really want it to match (which is a requirement), you\u2019ll have to create your own P2 proposal on Juniper so the settings match :<\/p>\n Click \u201cnew\u201d to create a new proposal<\/p>\n Click OK to save<\/p>\n Now edit the AutoKey Ike definition (Phase 2) on Juniper and select this newly created proposal (under \u201cAdvanced\u201d)<\/p>\n Click \u201cReturn\u201d and \u201cOK\u201d to save <\/p>\n<\/blockquote>\n Let\u2019s continue with the Windows 2008 Server Setup<\/p>\n Enable \u201cRequire encryption for all connection security rules that use these settings\u201d<\/p>\n (otherwise, you will see stuff like this in a \u201cdebug ike detail\u201d : )<\/p>\n Click \u201cOK\u201d to save<\/p>\n These are the new default settings for IPSec rules.<\/p>\n In order to encrypt traffic and set up the tunnel, we need to set up a Connection Security Rule.<\/p>\n Click \u201cNew Rule\u201d<\/p>\n Choose \u201ctunnel connection\u201d<\/p>\n Fill out the tunnel parameters :<\/p>\n Computers in Endpoint 1 = the local subnet behind the Windows Server<\/p>\n The local tunnel computer = the public IP of the Windows Server<\/p>\n The remote tunnel computer = the public IP of the Juniper<\/p>\n Computers in Endpoint 2 : the remote subnet behind the Juniper firewall<\/p>\n Set the Preshared Key<\/p>\n \u201cWhen does this rule apply\u201d : leave all options checked (unless you know what you are doing)<\/p>\n Pick a name for the rule and click Finish<\/p>\n <\/p>\n Add a route so traffic is sent to the internet. (the default gateway probably points to the internet, so it may not be required to add a route). In my testlab, I have set a static route pointing directly to the Juniper router, but in real life, you\u2019ll probably want to point the route to your local ISP router.<\/p>\n In my testlab, I had to reboot my Windows 2008 Server before everything started working correctly, but it might not be necessary to do this<\/p>\n From the client behind the Windows Server, which has its default gateway set to 192.168.10.254, try to ping the client behind the Juniper firewall, which has its default gateway set to 192.168.2.8 :<\/p>\n From the client behind the Juniper, ping the host behind the Windows Server :<\/p>\n <\/p>\n After the first packets were sent from the host behind the WIndows 2008 Server to the host behind the Juniper, you should see Phase 1 and Phase 2 (active sa) come up on the Juniper firewall :<\/p>\n Phase 1<\/u><\/p>\n Phase 2<\/u><\/p>\n On the Windows Server, you should see the corresponding Phases :<\/p>\n Phase 1 (Main Mode)<\/p>\n Phase 2 (Quick Mode)<\/p>\n Juniper screenos logs :<\/p>\n
Phase 2 : ESP - 3DES \u2013 SHA1. We won\u2019t use PFS to start with. (In fact, this option is not available in the Windows 2008 GUI. You can use PFS\u2026 Just scroll down to the bottom of this post in order to figure out how you can do this)
If you\u2019re not sure what these Phases or parameters mean, check out this post<\/a> and this discussion<\/a> on juniperforum.com (In case you are wondering : my nickname on juniperforum.com is c0d3r)<\/p>\nScreenOS configuration :<\/h3>\n
set int tunnel.1 zone Public\nset int tunnel.1 ip unnumbered interface eth0\/1\n\nget int tun.1\nInterface tunnel.1:\n description tunnel.1\n number 20, if_info 1768, if_index 1, mode route\n link down\n vsys Root, zone Public, vr trust-vr\n admin mtu 1500, operating mtu 1500, default mtu 1500\n *ip 0.0.0.0\/0 unnumbered, source interface ethernet0\/1\n *manage ip 0.0.0.0\n pmtu-v4 disabled\n ping disabled, telnet disabled, SSH disabled, SNMP disabled\n web disabled, ident-reset disabled, SSL disabled\n\n OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled\n PIM: not configured IGMP not configured\n MLD not configured\n NHRP disabled\n bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]\n configured ingress mbw 0kbps, current bw 0kbps\n total allocated gbw 0kbps<\/pre>\n<\/div>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\nset route 192.168.10.0\/24 int tunnel.1<\/pre>\n<\/div>\n
set address LAN LocalNetwork 192.168.2.0\/24 \nset address Public RemoteNetwork 192.168.10.0\/24\nset policy from LAN to Public LocalNetwork RemoteNetwork any permit\nset policy from Public to LAN RemoteNetwork LocalNetwork any permit\nsave<\/pre>\n<\/div>\n
Configure Windows 2008 Server<\/h3>\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n\n
<\/a> <\/p>\n<\/a> <\/p>\n<\/a><\/p>\n<\/a> <\/p>\n\n
## 2009-01-11 01:30:09 : IKE<192.168.0.100> proto(3)<ESP>, esp(11)<ESP_NULL>, auth(2)<SHA>, encap(1)<TUNNEL>, group(0)\n<\/font><\/strong>## 2009-01-11 01:30:09 : IKE<192.168.0.100> expect [0]:\n## 2009-01-11 01:30:09 : IKE<192.168.0.100> atts<00000003 00000000 00000003 00000002 00000001 00000002>\n<\/font>## 2009-01-11 01:30:09 : IKE<192.168.0.100> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(2)\n<\/font><\/strong>## 2009-01-11 01:30:09 : IKE<0.0.0.0 > Check P2 Proposal\n## 2009-01-11 01:30:09 : IKE<192.168.0.100> SA life type = seconds\n## 2009-01-11 01:30:09 : IKE<0.0.0.0 > SA life duration (TLV) = 0x 00 00 0e 10 \n## 2009-01-11 01:30:09 : IKE<192.168.0.100> SA life type = kilobytes\n## 2009-01-11 01:30:09 : IKE<0.0.0.0 > SA life duration (TLV) = 0x 00 01 86 a0 \n## 2009-01-11 01:30:09 : IKE<0.0.0.0 > encap mode from peer = 1.\n## 2009-01-11 01:30:09 : IKE<0.0.0.0 > encap mode after converting it to private<\/span> value = 1.\n## 2009-01-11 01:30:09 : IKE<192.168.0.100> Phase 2 received:\n## 2009-01-11 01:30:09 : IKE<192.168.0.100> atts<00000002 00000003 00000000 00000002 00000001 00000000>\n<\/font>## 2009-01-11 01:30:09 : IKE<192.168.0.100> proto(2)<AH>, ah(3)<AH_SHA>, auth(2)<SHA>, encap(1)<TUNNEL>, group(0)\n<\/font><\/strong>## 2009-01-11 01:30:09 : IKE<192.168.0.100> expect [0]:\n## 2009-01-11 01:30:09 : IKE<192.168.0.100> atts<00000003 00000000 00000003 00000002 00000001 00000002>\n<\/font>## 2009-01-11 01:30:09 : IKE<192.168.0.100> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(2)<SHA>, encap(1)<TUNNEL>, group(2)\n<\/font><\/strong>## 2009-01-11 01:30:09 : IKE<0.0.0.0 > Check P2 Proposal\n## 2009-01-11 01:30:09 : IKE<192.168.0.100> SA life type = seconds<\/font><\/pre>\n<\/p><\/div>\n<\/blockquote>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n<\/a><\/p>\n<\/a> <\/p>\n<\/a> <\/p>\nget ike cookies \n\nIKEv1 SA -- Active: 1, Dead: 0, Total 1\n\n1102f\/0003, 192.168.0.30:500-><\/span>192.168.0.100:500, PRESHR\/grp2\/3DES\/SHA, xchg(2) (IKE_to_Windows2008\/grp-1\/usr-1)\nresent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28531 cert-expire 0\ninitiator, err cnt 0, send dir 0, cond 0x0\nnat-traversal map not available\nike heartbeat : disabled\nike heartbeat last rcv time: 0\nike heartbeat last snd time: 0\nXAUTH status: 0\nDPD seq local 0, peer 0\n\n\nIKEv2 SA -- Active: 0, Dead: 0, Total 0<\/pre>\n<\/p><\/div>\n<\/div>\nget sa active\nTotal active sa: 1\ntotal configured sa: 1\nHEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys\n00000001<<\/span> 192.168.0.100 500 esp:3des\/sha1 37703021 3218 unlim A\/- -1 0\n00000001><\/span> 192.168.0.100 500 esp:3des\/sha1 68b2fde4 3218 unlim A\/- -1 0<\/pre>\n<\/p><\/div>\n<\/div>\n<\/p>\n<\/a> <\/p>\n<\/a> <\/p>\n