We’ll assume that all traffic from the client to the 192.68.0.0/16 networks needs to pass through the client VPN tunnel. Clients will use dynamic IP addresses (either public, or behind a NAT router that can handle IPsec passthrough).
The VPN connection must use the following encryption and hashing parameters and PSK:
* Phase 1 : aes-128, sha-1, DH Group2, PSK : This1sNot4GoodPSK3y
* Phase 2 : aes-128, sha-1, replay protection, PFS with DH Group2
Network Layout

The Juniper firewall has 3 zones:
1. Public (eth2, connected to the internet, static public IP),
2. LAN (eth1, connected to the LAN) and
3. A separate zone called VPNBuffer, not attached to any interface.
* This is just an empty zone, a placeholder, so we can create proper policies (instead of defining policies from Public to LAN, we will be able to use policies from VPNBuffer to LAN, thus separating the internet-to-lan traffic policies from the vpn-to-lan policies. It just looks better…)
* All interfaces are in route mode.
In the LAN network there is a Domain Controller at 192.168.0.6, which will be configured as the IAS (Radius) server. (The IAS server does not need to be a DC; a domain member will do.)
This is what needs to be done:
* Juniper : Configure an auth server (Radius)
* Windows : Set up Radius
  * IAS on Windows 2003, or
  * NPS on Windows 2008
* Juniper : Define IP Pool / Subnet
* Juniper : Create tunnel interface
* Juniper : Set up routing
* Juniper : Define IKE user/group and External Group for XAuth (Radius)
* Juniper : Set XAuth defaults
* Juniper : Configure Phase 1
* Juniper : Configure Phase 2
* Juniper : Configure policies
* Client : Configure Netscreen Remote
* Client : Connect.
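The Juniper-side steps above written out as ScreenOS CLI, as an added example rather than the article's own configuration. Object names (RADIUS-DC, VPN-POOL, dialup-ike, dialup-group, dialup-gw, dialup-vpn), the 10.10.10.0/24 client pool, the example.invalid IKE identity, the SA lifetimes and the RADIUS secret placeholder are assumptions; eth1/eth2 from the layout are written in ScreenOS form as ethernet1/ethernet2.

```text
# Added example (not the article's configuration). Assumed names/values are marked above.
# Juniper : auth server (Radius) -> the DC / IAS host at 192.168.0.6
set auth-server "RADIUS-DC" server-name "192.168.0.6"
set auth-server "RADIUS-DC" type radius
set auth-server "RADIUS-DC" radius secret "<RADIUS-SHARED-SECRET-PLACEHOLDER>"
# Juniper : IP pool handed out to XAuth clients (assumed range)
set ippool "VPN-POOL" 10.10.10.1 10.10.10.254
# Juniper : tunnel interface in the placeholder zone, unnumbered on the LAN interface
set zone name "VPNBuffer"
set interface "tunnel.1" zone "VPNBuffer"
set interface "tunnel.1" ip unnumbered interface "ethernet1"
# Juniper : routing - send the client pool into the tunnel
set route 10.10.10.0/24 interface "tunnel.1"
# Juniper : IKE user/group (one shared identity for all dialup clients) and XAuth defaults
set user "dialup-ike" ike-id u-fqdn "dialup@example.invalid" share-limit 50
set user "dialup-ike" type ike
set user-group "dialup-group" user "dialup-ike"
set xauth default auth server "RADIUS-DC"
set xauth default ippool "VPN-POOL"
# Juniper : Phase 1 - aes-128, sha-1, DH group2, PSK; aggressive mode because client IPs are dynamic
set ike p1-proposal "p1-aes128-sha-g2" preshare group2 esp aes128 sha-1 second 28800
set ike gateway "dialup-gw" dialup "dialup-group" Aggr outgoing-interface "ethernet2" preshare "This1sNot4GoodPSK3y" proposal "p1-aes128-sha-g2"
set ike gateway "dialup-gw" xauth server "RADIUS-DC" query-config
# Juniper : Phase 2 - aes-128, sha-1, PFS with DH group2, replay protection
set ike p2-proposal "p2-aes128-sha-g2" group2 esp aes128 sha-1 second 3600
set vpn "dialup-vpn" gateway "dialup-gw" replay tunnel idletime 0 proposal "p2-aes128-sha-g2"
set vpn "dialup-vpn" bind interface "tunnel.1"
# Juniper : policy from VPNBuffer to LAN only, so no Public-to-LAN rule is needed for VPN traffic
set address "VPNBuffer" "VPN-POOL-NET" 10.10.10.0/24
set policy from "VPNBuffer" to "LAN" "VPN-POOL-NET" "Any" "ANY" permit log
```

Lines beginning with # are annotations, not ScreenOS commands, so drop them before pasting. Because every client shares the group PSK in aggressive mode, the XAuth step against Radius is the only part that ties a session to an individual account, which is why the gateway must not be deployed without it.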
Written by Zifra Permana
Read more: http://www.articlesbase.com/internet-articles/netscreen-remote-dialup-vpn-with-ad-radius-authentication-and-route-based-vpn-tunnel-interface-892208.html