Login »

Bluetrait

«Previous Page Next Page» Home | Contact | Projects | Photos | Admin
Search Posts

Categories

Bluetrait
    Coding
        WordPress
            Plugins
        PHP
        Bluetrait (Program)
    Geek
        Cisco
        IBM N2200 8363
        PCs
        Spam
        IPv6
        Apple
        NetScreen
        Internet
    General
        Uni

Popular posts

Click here if you are looking for Bluetrait, the weblog software.


Login

Username:

Password:

Racoon to Netscreen VPN (site to site)

Posted by Michael Dale on Wed, 27 Sep 2006 7:07 PM

This howto shows you how to create a site to site VPN with a Netscreen and Racoon. If you're interested in setting up a dial-up vpn, see here

Background

My Place

  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89

Josh's Place

  • Gentoo running Racoon (I think it was installed through the command emerge ipsec)
  • Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
  • Dynamic IP Address (we setup a dyndns address as the Netscreen supports pointing to a hostname)

Site to Site VPN (Josh's network to my network)

Step 1)

Setup a dyndns address for the linux end (as this is using a dynamic ip address), use this address in the hostname option when setting up the netscreen (see next step).

Step 2)

The next step is to setup a site to site vpn on the Netscreen. I've covered this process here (only do Setting up the Netscreen, Note that example uses 10.0.4.0 as the remote network not 10.0.11.0).

Step 3)

Install racoon on the linux/bsd box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).

Step 4)

Setup racoon.conf. Now for this process we used a combination of:

So our config looks like:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}

remote 59.167.253.89 {
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo address 10.0.11.0/24 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

#listen {
# isakmp 10.0.11.15;
#}

log debug2;

Things to note:

  • remote 59.167.253.89 (The ip address of the external interface on my netscreen)
  • exchange_mode main (Remember we set the Netscreen Phase 1 to main mode)
  • my_identifier address; (The external IP address of the linux box is used as the identifier)
  • lifetime time 28800 seconds (Phase 1 lifetime)
  • encryption_algorithm des (Phase 1 DES encryption)
  • hash_algorithm md5 (Phase 1 MD5)
  • authentication_method pre_shared_key (We're using a preshared key)
  • dh_group modp1024 (On the netscreen DH Group 2)
  • sainfo address 10.0.11.0/24 any address 10.0.0.0/22 (From Josh's network to my network)
  • pfs_group modp1024 (Again DH Group 2)
  • lifetime time 3600 seconds (Phase 2 lifetime)
  • encryption_algorithm des (Phase 2 encryption)
  • authentication_algorithm hmac_md5 (Phase 2 MD5)

Step 5)

Setup ipsec.conf

So our config looks like:

flush;
spdflush;
spdadd 10.0.0.0/22 10.0.11.0/24 any -P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
spdadd 10.0.11.0/24 10.0.0.0/22 any -P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;

You'll just need to change the IP addresses to suit your setup.

Step 6)

Setup psk.txt.

So our config looks like:

59.167.253.89 our_preshared_key

So change the ip address to your netscreen external interface and change the preshared key to the one used when setting up the netscreen

Step 7)

Test. Use both ends to debug and test.


Permalink

NetScreen

Comments?
Click for comments help.

HTML allowed: <a href="" title="" rel=""></a> <b></b> <blockquote cite=""></blockquote> <em></em> <i></i> <strike></strike> <strong></strong> <li></li> <ol></ol> <ul></ul>
ie: <b>bold</b>

Your comment may need to be reviewed before it is published.

Message

Name

Email (not shown)

WWW (optional)

Allow contact form email

Remember details

0.0755 Seconds Powered by Bluetrait 2.13 MB 9 Queries