Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

This example explains how to configure a simple pre-shared-key based IPSec tunnel between the NetScreen Remote Client and an RN300 VPN gateway. A laptop running the NetScreen Remote client software can be used from home or on the road to connect to the branch office RN300 VPN gateway. The secure tunnel is established between the laptop and the central/branch office over the Internet or any other public network, using IPSec.

Required
1. The RN300 VPN Gateway device should be running RanchOS-3.0.9 or above.
2. Ensure the VPN feature is enabled on the RN300 device. This can be verified from the System Configuration > Image Configuration > Version Info screen. VPN Basic or VPN Advanced must be listed in the Features Enabled column.
3. Install and configure the RN300 device at the branch office. Create two zones (Internet and Local). Connect the Internet zone (10.1.2.0 subnet) to the public router and the Local zone (10.1.9.0 subnet) to your protected network. Configure the required firewall security policies for systems on the LAN to access Internet services such as HTTP, HTTPS, DNS, FTP etc.
4. Install the NetScreen Remote client software on the home laptop. A laptop running Windows 2000 Professional with NetScreen Remote Client, Security Policy Editor 10.5.1 (Build 8), is used in this example. Ensure that you have Internet connectivity and can reach the public interface (10.1.2.2) of the branch office RN300. Ensure connectivity between the Site A and Site B RN300 devices.
5. Admin privileges on both the RN300 and the laptop.

Network Diagram
Background
IPSec is a set of open standard protocols to support secure exchange of data packets at the IP layer. It provides data confidentiality, data integrity and data origin authentication between IPSec peers. There are two Internet Key Exchange (IKE) phases.

Step by Step configuration on branch office RN300
Briefly:
a) Configure the VPN Global configuration. My IKE ID is defined to self-identify the RN unit, e.g. IP Address 10.1.2.2 for Site A (VPN > Global Config).
b) Define the Phase 2 profile (VPN > Tunnel Setup > Phase 2 Proposals).
c) Define the Remote to Local Profile (VPN > Tunnel Setup > Tunnel Config).
d) Create the Tunnel and Phase 1 (VPN > Tunnel Setup > Tunnel Config).
e) Define Local to Remote Policies and associate them with Phase 2 proposals (VPN > Tunnel Setup > Tunnel Config).
f) Edit each Local to Remote Policy and define traffic rules for traffic originating from local subnets (from behind Site A) to remote subnets (to behind Site B) (VPN > Tunnel Setup > Tunnel Config).
g) Define traffic rules for traffic originating from remote subnets (from behind Site B) to local subnets (to behind Site A) (Firewall Configuration > Firewall Rules > Security Profiles).

1. Login to the web GUI.
2. Go to the VPN > Global Config menu.
3. Under the Negotiation tab, select IP Address as ID Type and enter 10.1.2.2. Select Allow NAT Traversal.
4. Go to the VPN > Tunnel Set Up > Tunnel Config menu.
5. Click on Remote To Local Profile to create a policy profile for traffic flowing from the remote laptop to the branch office local site. This profile contains all firewall rules for hosts from the laptop (Remote) that can access branch office (Local) resources. Enter the following details and click on Add Profile:
   Profile Name: NSRemote-to-Local
   Description: NSRemote-to-Local
   Click on Done to close this window.
6. Select the following options in the following menu and click Save Configuration:
   Tunnel Name: NSRemote-to-RN300
   Tunnel Description: NSRemote-to-RN300
   Tunnel Type: Remote Access
   Remote End Point: 10.1.2.42
   User Profile Id: NSRemote-to-Local
   IKE Configuration (Phase 1)
   IKE ID Type: FQDN
   Peer IKE ID: laptop.rn300.com
   Authentication Method: Shared Key
   Shared Key: secretpassword
   Verify Shared Key: secretpassword
   Encryption: 3DES
   Hash Algorithm: MD5
   Mode: Auto
   Life time: 86400 sec
   Continue Phase 1 & 2: Uncheck
   NAT Traversal: Check
   Compute UDP Checksum: Uncheck
   Keep Alive interval: 10 secs
7. Now we need to define policies for traffic originating from the laptop (remote site) and coming to the branch office RN300 (local site). Go to the Firewall Configuration > Security Profiles menu.
   Browse for the NSRemote-to-RN300 profile that was created in the tunnel configuration.
   By default, all traffic from the remote site to the local site through the tunnel is blocked. Click on the Add/Modify button to create firewall rules.
   This example allows FTP (Rule Number 50) and ICMP (Rule Number 51). Once all parameters are configured, click on Add Rule.
   Field                    Rule 50         Rule 51
   Rule Number              50              51
   Source Zone Name         Any             Any
   Destination Zone Name    Any             Any
   Source IP/NetMask        Any             Any
   Source Port              Any             Any
   Destination IP/NetMask   10.1.9.0/24     10.1.9.0/24
   Destination Port List    21              Any
   IP Protocol              TCP             ICMP
   Action To Take           Accept          Accept
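As an added illustration (not part of this document and not the RN300's own code), the following Python models the ordered, default-deny evaluation that the NSRemote-to-RN300 profile applies to remote-to-local traffic, using rules 50 and 51 above, and shows how a further service (SSH, as Connection Verification later suggests) is allowed by appending a rule. The dictionary field names and the "drop" default are assumptions, not RN300 terminology.

```python
import ipaddress

# Constructed rule table mirroring rules 50 and 51 of the NSRemote-to-RN300
# profile. Field names are assumed; "Any" is modelled as None.
RULES = [
    {"number": 50, "proto": "tcp", "dst": "10.1.9.0/24", "dports": {21}, "action": "accept"},   # FTP control channel
    {"number": 51, "proto": "icmp", "dst": "10.1.9.0/24", "dports": None, "action": "accept"},  # ping
]


def evaluate(rules, proto, dst_ip, dst_port=None):
    """Return (rule_number, action) of the lowest-numbered matching rule.

    The remote-to-local profile blocks everything not explicitly allowed, so a
    flow matching no rule is dropped (assumed default action name: "drop").
    """
    dst = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule["proto"] != proto:
            continue
        if dst not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["dports"] is not None and dst_port not in rule["dports"]:
            continue
        return rule["number"], rule["action"]
    return None, "drop"


def allow_service(rules, number, proto, port, dst="10.1.9.0/24"):
    """Return a new rule list with one extra accept rule for a single service."""
    if any(r["number"] == number for r in rules):
        raise ValueError(f"rule number {number} already in use")
    return rules + [{"number": number, "proto": proto, "dst": dst,
                     "dports": {port}, "action": "accept"}]


if __name__ == "__main__":
    for flow in [("tcp", "10.1.9.2", 21), ("icmp", "10.1.9.2", None),
                 ("tcp", "10.1.9.2", 22), ("tcp", "10.1.8.2", 21)]:
        print(flow, evaluate(RULES, *flow))
    # SSH is dropped until a rule for it is added to the profile
    print(("tcp", "10.1.9.2", 22), evaluate(allow_service(RULES, 52, "tcp", 22), "tcp", "10.1.9.2", 22))
```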
Step by Step configuration on Laptop (NetScreen Remote Client)
Briefly:
a) Configure the VPN Global configuration. My IKE ID is defined to self-identify the RN unit, e.g. IP Address 10.1.2.27 for Site B (VPN > Global Config).
b) Define the Phase 2 profile (VPN > Tunnel Setup > Phase 2 Proposals).
c) Define the Remote to Local Profile (VPN > Tunnel Setup > Tunnel Config).
d) Create the Tunnel and Phase 1 (VPN > Tunnel Setup > Tunnel Config).
e) Define Local to Remote Policies and associate them with Phase 2 proposals (VPN > Tunnel Setup > Tunnel Config).
f) Edit each Local to Remote Policy and define traffic rules for traffic originating from local subnets (from behind Site B) to remote subnets (to behind Site A) (VPN > Tunnel Setup > Tunnel Config).
g) Define traffic rules for traffic originating from remote subnets (from behind Site A) to local subnets (to behind Site B) (Firewall Configuration > Firewall Rules > Security Profiles).

1. Install the NetScreen Remote client software (Security Policy Editor 10.5.1 - Build 8) on the laptop.
2. Create a New Connection with the following parameters:
   Connection Security: Secure
   Remote Party Identity and Addressing
   ID Type: IP Address Range
   From: 10.1.9.0
   To: 10.1.9.255
   Protocol: All
   Connect using Secure Gateway Tunnel: Check
   ID Type: IP Address
   IP Address: 10.1.2.2
3. Go to the My Identity menu.
   Select Certificate: None
   ID Type: Domain Name
   Domain Name: Laptop.rn300.com
4. Click on the Pre-Shared Key button, enter secretpassword and click OK.
5. Go to Security Policy, select Aggressive Mode and check Enable Replay Protection.
6. Go to Authentication (Phase 1) and create Proposal 1:
   Authentication Method: Pre-Shared Key
   Encryption Alg: Triple DES
   Hash Alg: MD5
   SA Life: 1200 Seconds
   Key Group: Diffie-Hellman Group 2
7. Go to the Key Exchange (Phase 2) menu and create Proposal 1:
   SA Life: 1200 Seconds
   Compression: None
   Encapsulation Protocol (ESP): Check
   Encrypt Alg: Triple DES
   Hash Alg: MD5
   Encapsulation: Tunnel
Connection Verification
1. The tunnel can be established by initiating traffic from the laptop towards the RN300's branch office local net. For example, initiate PING traffic from the laptop to 10.1.9.2.
2. FTP data transfer will also work, as this service is allowed in the NSRemote-to-RN300 profile. If you require other services such as telnet, ssh or http etc, you need to define and allow them in the NSRemote-to-RN300 profile.
3. Ensure that the traffic is secure and encrypted by capturing data packets between the laptop and the RN300. We can do this by placing a hub in between and capturing the data packets on an Ethereal host, as shown below.
The packet capture is shown below. Note that traffic from the laptop (10.1.2.42) to any other host (10.1.2.107) is clear text, whereas traffic to the branch office network (host 10.1.9.2) is encapsulated and encrypted in IP ESP packets.
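The capture check in step 3 can be automated. The following Python is an added example (not from this document or the RN300 product): it parses raw IPv4 headers, labels each packet as ESP, IKE or cleartext, and flags any packet whose outer destination is the protected 10.1.9.0/24 subnet, since tunnelled traffic should only ever show the gateway 10.1.2.2 as its destination on the public side. The sample packets are constructed here, not taken from the Ethereal trace; in practice the bytes would come from a capture file.

```python
import ipaddress
import struct

PROTECTED_NET = ipaddress.ip_network("10.1.9.0/24")  # branch office Local zone
IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ESP = 1, 17, 50
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T, the only cleartext expected towards the gateway


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (no options, header checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def classify(pkt):
    """Return (src, dst, label) for one raw IPv4 packet; label is 'esp', 'ike' or 'cleartext'."""
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]  # IHL gives the header length in 32-bit words
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    if proto == IPPROTO_ESP:
        label = "esp"
    elif proto == IPPROTO_UDP and len(body) >= 4 and struct.unpack("!HH", body[:4])[1] in IKE_PORTS:
        label = "ike"
    else:
        label = "cleartext"
    return src, dst, label


def find_leaks(packets):
    """Report cleartext packets addressed directly to the protected subnet. Tunnelled
    traffic carries the gateway (10.1.2.2) as its outer destination, so a packet whose
    outer destination is in 10.1.9.0/24 on the public side has bypassed the tunnel."""
    leaks = []
    for pkt in packets:
        src, dst, label = classify(pkt)
        if dst in PROTECTED_NET and label == "cleartext":
            leaks.append(f"{src}->{dst} proto {pkt[9]}")
    return leaks


# Constructed sample capture (not the document's Ethereal trace): the laptop
# (10.1.2.42) pings 10.1.2.107 in the clear, negotiates IKE with and sends ESP to
# the gateway 10.1.2.2, and, as a deliberate failure case, pings 10.1.9.2 untunnelled.
SAMPLE_CAPTURE = [
    build_ipv4("10.1.2.42", "10.1.2.107", IPPROTO_ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1])),
    build_ipv4("10.1.2.42", "10.1.2.2", IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    build_ipv4("10.1.2.42", "10.1.2.2", IPPROTO_ESP, b"\x00\x00\x12\x34\x00\x00\x00\x01"),
    build_ipv4("10.1.2.42", "10.1.9.2", IPPROTO_ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 2])),
]
```

An empty result from find_leaks over a real capture is what a correctly working tunnel should produce; the fourth constructed packet exists only to show what a leak report looks like.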