Netscreen Remote Dial-Up VPN with AD Radius Authentication and route based VPN / tunnel interface

The following procedure explains how to set up a Juniper ScreenOS based firewall to accept Netscreen Remote Client VPN connections and authenticate users using Active Directory (Radius via Windows 2003 IAS or Windows 2008 NPS).

We'll assume that all traffic from the client to the 192.68.0.0/16 networks needs to pass via the client VPN tunnel. Clients will use dynamic IP addresses (either public or behind a NAT router that is capable of handling IPSec passthrough).

The VPN connection must use the following encryption and hashing parameters and PSK:
- Phase 1 : aes-128, sha-1, DH Group2, PSK : This1sNot4GoodPSK3y
- Phase 2 : aes-128, sha-1, replay protection, PFS with DH Group2

Network layout:
[network layout diagram]

The Juniper firewall has 3 zones:
1. Public (eth2, connected to the internet, static public IP),
2. LAN (eth1, connected to the LAN) and
3. A separate zone called VPNBuffer, not attached to any interface.
   - This is just an empty zone, a placeholder, so we can create proper policies (instead of defining policies from Public to LAN, we will be able to use policies from VPNBuffer to LAN, thus separating the internet-to-LAN traffic policies from the VPN-to-LAN policies. It just looks better…)
   - All interfaces are in route mode.

In the LAN network, there is a Domain Controller at 192.168.0.6, which will be configured as the IAS (Radius) server. (The IAS does not need to be a DC; a domain member will do.)

This is what needs to be done:
- Juniper : Configure an auth server (Radius)
- Windows : Set up Radius
  - IAS on Windows 2003 or
  - NPS on Windows 2008
- Juniper : Define IP Pool / Subnet
- Juniper : Create tunnel interface
- Juniper : Set up routing
- Juniper : Define IKE user/group and External Group for XAuth (Radius)
- Juniper : Set XAuth defaults
- Juniper : Configure Phase 1
- Juniper : Configure Phase 2
- Juniper : Configure policies
- Client : Configure Netscreen Remote
- Client : Connect.
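As an added illustration (not part of the original procedure), the ScreenOS CLI statements below show how the design decisions described above translate into configuration: the empty VPNBuffer zone, route mode on the LAN interface, a Radius auth server pointing at the Domain Controller, and Phase 1 / Phase 2 proposals matching the stated parameters. The object names ("VPNBuffer" aside), the interface-to-zone mapping and the Radius shared secret are assumptions; the real procedure's own steps may name things differently.

```text
# Placeholder zone with no interface; used only as a policy source (assumed name from the text)
set zone name "VPNBuffer"

# LAN interface in route mode (zone name "LAN" assumed to match the text)
set interface ethernet1 zone "LAN"
set interface ethernet1 route

# Radius auth server backed by the Domain Controller / IAS at 192.168.0.6
# ("AD-Radius" and the secret are assumed placeholders; use the secret configured on IAS/NPS)
set auth-server "AD-Radius" id 1
set auth-server "AD-Radius" server-name "192.168.0.6"
set auth-server "AD-Radius" type radius
set auth-server "AD-Radius" radius secret "REPLACE_WITH_RADIUS_SECRET"
set auth-server "AD-Radius" account-type xauth

# Make this server the default for XAuth user authentication
set xauth default auth server "AD-Radius"

# Phase 1: pre-shared key, DH Group2, AES-128, SHA-1 (proposal name assumed)
set ike p1-proposal "p1-psk-g2-aes128-sha" preshare group2 esp aes128 sha-1

# Phase 2: PFS with DH Group2, AES-128, SHA-1 (proposal name assumed)
set ike p2-proposal "p2-g2-aes128-sha" group2 esp aes128 sha-1
```

The placeholder zone carries no traffic by itself; its value is that VPN-to-LAN permits can be reviewed and audited separately from Public-to-LAN permits instead of being mixed in one rule set.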