
Configuring the PC or Laptop

Before You Begin

Configure a firewall on the J-series router you are creating a tunnel to. See Configuring the Firewall on the Router.

You can use preshared-key authentication whether the NetScreen-Remote client has a fixed or a dynamically assigned IP address. Setting up a NetScreen-Remote client for a VPN tunnel with a preshared key takes three steps:

  1.  Creating a New Connection
  2.  Creating the Preshared Key
  3.  Defining the IPsec Protocols

Creating a New Connection

First initiate a new connection. Then name the connection, mark it as secure, and specify the identity and address of the other end of the eventual VPN tunnel.

Figure 137 shows the NetScreen-Remote client icon in the Windows taskbar.

Figure 137: NetScreen-Remote Client Icon

Image g030642.gif

Figure 138 shows the Security Policy Editor page.

Figure 138: Security Policy Editor

Image ns_policy_editor.gif


New Connection appears in the Network Security Policy list, as shown in Figure 139.

Figure 139: Configure Connection

Image new_connection.gif


Figure 140 shows the Configuring the New Connection page.

Figure 140: Configuring the New Connection

Image config_connect.gif


  1. Double-click the NetScreen-Remote icon in the Windows taskbar (Figure 137). The Security Policy Editor screen appears (Figure 138).
  2. Click the New Connection icon to create a new connection.
  3. Give the new connection a unique name—for example, VPN to HQ.
  4. In the Connection Security area (to the right of the Network Security Policy list), select Secure.
  5. In the Remote Party Identity and Addressing area, select an identifier for the other party from the ID Type list, and enter the required information.
  6. Choose either IP Address or IP Subnet. The other ID types do not work with a J-series router.
  7. Select the protocol you want to use for the Connection. The default is All.
  8. If you are using tunnel mode to connect to a J-series router running JUNOS software, select Connect using Secure Gateway Tunnel.

    The Secure Gateway Tunnel ID Type and IP Address fields are enabled.

  9. Select IP Address as an identifier for the other party from the ID Type list and enter the IP address. See Figure 140.

Creating the Preshared Key

After you have created a new connection called VPN to HQ, create the preshared key to be used in identifying the communicating parties during the Phase 1 negotiations.

Figure 141 shows the My Identity and Internet Interface page.

Figure 141: My Identity and Internet Interface

Image config_IKE_ID.gif


Figure 142 shows the Pre-Shared Key dialog box.

Figure 142: Pre-Shared Key Dialog Box

Image pre_shared_key.gif


  1. Double-click the VPN to HQ icon from the Security Policy list in the left panel.

    My Identity and Security Policy icons appear in the Network Security Policy list.

  2. Click My Identity. The My Identity and Internet Interface areas appear in the right panel (Figure 141).
  3. Select None from the Select Certificate drop-down list.
  4. From the ID Type drop-down list, select E-mail Address and type vpn@customer.com as the ID for the IKE user.
  5. Click Pre-Shared Key. The Pre-Shared Key dialog box appears (see Figure 142).
  6. Click Enter Key to enable the Pre-Shared Key field.
  7. Type a key with a length between 8 and 58 characters. The preshared key authenticates the two ends during Phase 1; it does not itself encrypt traffic, so what matters is that it is long and random rather than memorable. In aggressive mode (selected under Defining the IPsec Protocols) the Phase 1 hash is sent before encryption starts, so a short or dictionary-derived key can be recovered offline by anyone who captures the exchange. Use the same key on the router.
  8. Click OK to save the entry.
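The following script is an added example, not part of the NetScreen-Remote documentation; it shows why step 7 above matters once aggressive mode is chosen in Defining the IPsec Protocols. In IKEv1 aggressive mode with preshared keys, the responder's HASH_R (RFC 2409, section 5.4) is HMAC-SHA1 keyed with SKEYID = prf(preshared-key, Ni_b | Nr_b), and every other input to it is visible on the wire, so an observer can test candidate keys offline without ever talking to the router. The exchange values below are constructed stand-ins (not captured traffic), the word list is made up, and `generate_psk` is a helper written for this example that produces a random key within the 8 to 58 character limit the client imposes.

```python
"""Offline preshared-key guessing against an IKEv1 aggressive-mode exchange.

Added example for this page; not NetScreen-Remote or JUNOS code.  The
exchange below is constructed, not captured.  The prf is HMAC-SHA1 because
the page's Phase 1 proposal selects SHA-1.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict, Iterable, Optional

# Constructed stand-ins for the public values an observer sees in the two
# unencrypted aggressive-mode messages: DH public values, cookies, nonces,
# the initiator's SA payload body and the responder's ID payload body.
EXCHANGE: Dict[str, bytes] = {
    "g_xi": bytes.fromhex("11" * 128),
    "g_xr": bytes.fromhex("22" * 128),
    "cky_i": bytes.fromhex("0123456789abcdef"),
    "cky_r": bytes.fromhex("fedcba9876543210"),
    "ni": bytes.fromhex("aa" * 20),
    "nr": bytes.fromhex("bb" * 20),
    "sa_i": bytes.fromhex("0000000100000001" + "00000001"),
    "id_r": b"\x01\x00\x00\x00" + bytes([203, 0, 113, 1]),
}

# Made-up word list standing in for a real dictionary.
WORDLIST = ["password", "juniper1", "netscreen", "vpn2hq", "welcome1"]


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for preshared-key authentication: prf(psk, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk: bytes, ex: Dict[str, bytes]) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    key = skeyid(psk, ex["ni"], ex["nr"])
    msg = ex["g_xr"] + ex["g_xi"] + ex["cky_r"] + ex["cky_i"] + ex["sa_i"] + ex["id_r"]
    return hmac.new(key, msg, hashlib.sha1).digest()


def offline_guess(observed_hash_r: bytes, ex: Dict[str, bytes],
                  candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate key that reproduces the observed HASH_R.

    Nothing is sent to the router: every input except the key is public.
    """
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand.encode(), ex), observed_hash_r):
            return cand
    return None


def generate_psk(length: int = 32) -> str:
    """Random key from the OS CSPRNG, within the client's 8-58 character limit."""
    if not 8 <= length <= 58:
        raise ValueError("NetScreen-Remote accepts keys of 8 to 58 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo():
    """A dictionary key falls to the offline test; a random 32-char key does not."""
    weak = "netscreen"
    strong = generate_psk(32)
    weak_found = offline_guess(hash_r(weak.encode(), EXCHANGE), EXCHANGE, WORDLIST)
    strong_found = offline_guess(hash_r(strong.encode(), EXCHANGE), EXCHANGE, WORDLIST)
    return weak_found, strong_found


if __name__ == "__main__":
    found_weak, found_strong = demo()
    print("weak key recovered by offline guessing:", found_weak)
    print("random key recovered by offline guessing:", found_strong)
```

Main mode would encrypt the identity and hash payloads, but it cannot be used here because the router needs the e-mail ID to look up the key for a client whose address changes; the only defence left is a key that no dictionary contains.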

Defining the IPsec Protocols

When you select Security Policy, the Security Policy area appears on the right, and the Authentication (Phase 1) icon and Key Exchange (Phase 2) icon appear in the Network Security Policy list, as shown in Figure 143.

Figure 143: Security Policy

Image enable_sec_policy.gif


Figure 144 shows the Algorithms area.

Figure 144: Algorithms Area

Image proposal1.gif


Figure 145 shows the IPsec Protocols area.

Figure 145: IPsec Protocols Area

Image phase2.gif


To define the Internet Protocol Security (IPsec) protocols for securing the VPN tunnel:

  1. Double-click Security Policy in the Network Security Policy list.
  2. Select Aggressive Mode in the Security Policy area. Aggressive mode lets the router look up the preshared key by the client's e-mail ID rather than by its IP address, which is what allows a dynamically addressed client to connect. The trade-off is that the identities and the Phase 1 hash are exchanged before encryption starts, so the preshared key must be strong enough to resist offline guessing.
  3. Select Enable Perfect Forward Secrecy (PFS). With PFS, each Phase 2 key is derived from a fresh Diffie-Hellman exchange, so compromise of the Phase 1 keying material does not expose earlier or later Phase 2 keys.
  4. In the PFS Key Group drop-down list, select Diffie-Hellman Group 2.
  5. In the Security Policy List (left panel), select Authentication (Phase 1). Proposal 1 appears below the Authentication (Phase 1) icon.
  6. Select Proposal 1 to display the Authentication Method and Algorithms area, as shown in Figure 144.
  7. From the Authentication Method list, select Pre-Shared Key; Extended Authentication. This allows you to use XAuth.

    Note: XAuth must also be enabled on the J-series router running JUNOS software. XAuth allows password-prompt authentication in addition to a preshared key. If enabled, you are prompted for a password when initiating a VPN. See Configuring an Access Profile for XAuth and Configuring an IKE Gateway for more information on configuring XAuth.

  8. In the Authentication Method and Algorithms area, select AES-128 as the Encryption Algorithm and SHA-1 as the Hash Algorithm. See Table 89 for brief descriptions of these algorithms. The router's Phase 1 proposal must offer the same combination (AES-128, SHA-1, Diffie-Hellman Group 2) or the negotiation fails.
  9. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  10. In the left panel, double-click the Key Exchange (Phase 2) icon. Proposal 1 appears below the icon.
  11. Select Proposal 1 to display the IPsec Protocols area as shown in Figure 145.
  12. In the IPsec Protocols area, define the SA Life (the lifetime of the security association) in either seconds or bytes, or leave it as Unspecified.

    Note: Unspecified lifetimes (Phase 1 and Phase 2) cause the NetScreen-Remote client to accept the values proposed by the router.

  13. Select Encapsulation Protocol (ESP). ESP (Encapsulating Security Payload) provides encryption, origin authentication, and an integrity check for IP datagrams.
  14. Select AES-128 as the encryption algorithm, SHA-1 as the hash algorithm, and Tunnel as the encapsulation method.

    Note: If you select the Connect using Secure Gateway Tunnel check box when defining Remote Party Identity and Addressing, the encapsulation method must be Tunnel—no other option is available.

  15. Click Save in the toolbar, or choose Save Changes from the File menu.

    The configuration for the NetScreen-Remote end of an eventual VPN tunnel using a preshared key is complete.

    Table 89: Encryption and Hash Algorithms

    DES: Data Encryption Standard. A block cipher with a 56-bit key. A 56-bit key can be recovered by exhaustive search with modest hardware, so DES should be offered only where an older peer cannot negotiate anything else.

    Triple DES: DES applied three times (encrypt, decrypt, encrypt) with three independent keys, for a nominal key length of 168 bits. Because of meet-in-the-middle attacks its effective strength is about 112 bits, and it is slower than AES.

    AES protocols: Advanced Encryption Standard. AES-128, AES-192, and AES-256 are the same 128-bit block cipher with key lengths of 128, 192, and 256 bits. All three are considered secure; a longer key gives a larger security margin at slightly higher cost. The key length describes the cipher key, not the preshared key.

    MD5: Message Digest version 5. Produces a 128-bit digest from a message of arbitrary length. In IPsec the digest is used inside HMAC to authenticate each packet, like a fingerprint of the input. Practical collision attacks against MD5 exist, so prefer SHA-1 or stronger where the peer supports it.

    SHA-1: Secure Hash Algorithm 1. Produces a 160-bit digest from a message of arbitrary length. SHA-1 is generally regarded as stronger than MD5 because of its larger digest and better resistance to the known attacks, although collisions have since been demonstrated for SHA-1 as well. IPsec uses it only as HMAC-SHA1, where those attacks do not apply, but choose a SHA-2 algorithm if both ends offer one.
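The router side of this tunnel is described under Configuring an IKE Gateway and Configuring an Access Profile for XAuth. As an added illustration, not taken from those pages or from any shipped configuration, the fragment below shows how a J-series configuration in the JUNOS security hierarchy would mirror the client settings chosen above: aggressive mode, preshared key, AES-128 and SHA-1 with Diffie-Hellman Group 2 in Phase 1, XAuth, and ESP with AES-128, SHA-1, tunnel mode and PFS Group 2 in Phase 2. Every name (ike-prop-psk-aes128, ike-pol-remote, gw-remote-users, ipsec-prop-aes128, ipsec-pol-remote, vpn-to-hq, xauth-users, the user alice, the interface ge-0/0/0.0) and both secrets are placeholders, and the statement syntax is assumed from the security hierarchy rather than verified against a particular release; check it against the documentation for the JUNOS version you run.

```junos
## Added example, not from the Juniper documentation. Placeholder names and
## secrets throughout; verify statements against your JUNOS release.
security {
    ike {
        proposal ike-prop-psk-aes128 {
            ## Must match the client's Phase 1 proposal (steps 7 to 9).
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-pol-remote {
            mode aggressive;            ## matches step 2
            proposals ike-prop-psk-aes128;
            ## The same string typed into the client's Pre-Shared Key field.
            pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-KEY";
        }
        gateway gw-remote-users {
            ike-policy ike-pol-remote;
            ## Client identifies itself by e-mail address (My Identity, step 4).
            dynamic {
                user-at-hostname "vpn@customer.com";
            }
            external-interface ge-0/0/0.0;   ## placeholder interface
            xauth access-profile xauth-users; ## enables the XAuth password prompt
        }
    }
    ipsec {
        proposal ipsec-prop-aes128 {
            ## Must match the client's Phase 2 proposal (steps 13 and 14).
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-pol-remote {
            perfect-forward-secrecy {
                keys group2;             ## matches steps 3 and 4
            }
            proposals ipsec-prop-aes128;
        }
        vpn vpn-to-hq {
            ike {
                gateway gw-remote-users;
                ipsec-policy ipsec-pol-remote;
            }
        }
    }
}
access {
    profile xauth-users {
        client alice {                   ## placeholder XAuth user
            firewall-user {
                password "REPLACE-WITH-USER-PASSWORD";
            }
        }
    }
}
```

The client leaves the SA lifetimes Unspecified, so the lifetimes configured on the router are the ones that apply; the security policies that permit traffic through the tunnel are covered under Configuring the Firewall on the Router.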

