If you run into any problem, let me know, and also the outcome of the above. Kashif Rana 00971555962393
JNCIE-SP#1428,JNCIE-SEC#55,JNCIP(SP,ENT,SEC),JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP ----------------------------------------------------------------------------------------------------------------------------- ---------If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!
Message 15 of 33 (13,738 Views)
mkusan (Contributor)
Kashif-rana (Trusted Expert)
Hi,
a) Yes, you can. Right now, test this scenario with just one user.
b) Yes.
c) Yes, you don't have to remove your existing dial-up VPN policy.
Message 17 of 33 (13,719 Views)
mkusan (Contributor)
Kashif-rana (Trusted Expert)
a) In VPN -> AutoKey Advanced -> Gateway -> Edit -> Remote Gateway Type -> Dialup User -> User: you should select the correct dial-up VPN user as you created in step 2.
b) VPN -> AutoKey Advanced -> Gateway -> Edit -> Advanced: check that the outgoing interface is the untrust interface.
c) VPN -> AutoKey IKE: make sure you selected the correct gateway.
The policies you created should have action permit with no tunnel selected.
In the configuration I suggested to you, sorry, I forgot to mention two things. Please correct them. Following is the modified version of the configuration I suggested.

On firewall:
Steps:
1) Create dial-up VPN pool: Policy Elements -> Objects -> Users -> IP Pool. Here define the IP pool name and the IP range of the pool (say 30.30.30.1 -> 30.30.30.10).
2) Create dial-up VPN user: Policy Elements -> Objects -> Users -> Local. Here define the user name, check IKE User and Simple Identity, then give any email address (say test@test.com) in the IKE Identity field, then check XAuth User and define the password. Then IP Pool -> select the IP pool you created in step 1.
3) Create tunnel interface: Network -> Interfaces -> New -> zone untrust (trust-vr) -> Unnumbered interface eth0/0 (untrust interface).
4) Create VPN like previous with two changes:
   a) VPN -> AutoKey IKE -> Advanced -> Proxy ID: local IP -> 0.0.0.0/0 and remote IP -> 255.255.255.255/32
   b) VPN -> AutoKey IKE -> Advanced -> Bind to -> tunnel.1
5) VPN -> AutoKey Advanced -> click XAuth -> check XAuth Server, then check Generic, check Local Authentication and then check Allow Any.
6) Create policies:
   a) Untrust to Trust with source 30.30.30.0/24 (dial-up VPN pool as created in step 1), destination 10....../23
   b) Untrust to VPN with source 30.30.30.0/24 (dial-up VPN pool as created in step 1), destination 192.168.0.0/16
7) Routing:
   set vr trust-vr route 192.168.0.0/16 interface eth0/4 gateway 172......
   set vr trust-vr route 30.30.30.0/24 interface tunnel.1 (without gateway)
On remote device: add a reverse route for 30.30.30.0/24 with next hop 172...
On NetScreen-Remote: create the VPN with the following to be noted:
1) Remote Party Identity and Addressing: 0.0.0.0/0
2) My Identity -> Secure Interface Configuration -> Virtual Adapter (select Preferred)
3) Security Policy -> Authentication (Phase 1) -> Proposal 1 -> Authentication Method (select Pre-Shared Key, Extended Authentication)
If you run into any problem, let me know, and also the outcome of the above.
Message 19 of 33 (13,657 Views)
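The post above gives the dial-up XAuth VPN procedure in WebUI terms. Below is an added CLI reconstruction of the same steps for a ScreenOS firewall; it is not from the thread or from Juniper, and the object names in quotes, the pre-shared key, the XAuth password, the IKE/IPsec proposal names and the `VPN` zone are assumptions, while `<LAN-PREFIX>/23` and `<NEXT-HOP>` stand in for the values the thread elides. The command forms are the ones I know from ScreenOS 6.x; the `xauth server ... allow-any` line in particular should be verified against the CLI reference for the firmware in use. Lines beginning with `#` are annotations, not commands.

```screenos
# Added example: ScreenOS CLI equivalent of the WebUI steps in the post above.
# Placeholders: "dialup-pool", "dialup-user", "dialup-gw", "dialup-vpn",
# "dialup-net", "lan-net", "remote-net", <XAUTH-PASSWORD>, <PRE-SHARED-KEY>,
# <LAN-PREFIX> and <NEXT-HOP>. Proposal names are assumed predefined ones.

# Step 1: address pool handed out to XAuth clients (30.30.30.1 - 30.30.30.10)
set ippool "dialup-pool" 30.30.30.1 30.30.30.10

# Step 2: local user that is both an IKE user (simple e-mail identity) and an
# XAuth user, drawing its virtual address from the pool above
set user "dialup-user" ike-id u-fqdn "test@test.com" share-limit 1
set user "dialup-user" type ike xauth
set user "dialup-user" password "<XAUTH-PASSWORD>"
set user "dialup-user" remote ippool "dialup-pool"

# Step 3: tunnel interface in the Untrust zone, unnumbered on the untrust
# interface (ethernet0/0 here; the thread calls it eth0/0)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Steps 4b/5: dial-up gateway (aggressive mode, pre-shared key) that
# terminates XAuth locally and accepts any local user
set ike gateway "dialup-gw" dialup "dialup-user" Aggr outgoing-interface "ethernet0/0" preshare "<PRE-SHARED-KEY>" proposal "pre-g2-3des-sha"
set ike gateway "dialup-gw" xauth server Local allow-any

# Step 4: route-based AutoKey IKE VPN bound to tunnel.1 with the proxy IDs
# given in the thread
set vpn "dialup-vpn" gateway "dialup-gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "dialup-vpn" bind interface tunnel.1
set vpn "dialup-vpn" proxy-id local-ip 0.0.0.0/0 remote-ip 255.255.255.255/32 "ANY"

# Step 6: address objects and plain permit policies; no tunnel action, since
# the VPN is route-based and the tunnel.1 route does the steering
set address "Untrust" "dialup-net" 30.30.30.0 255.255.255.0
set address "Trust" "lan-net" <LAN-PREFIX> 255.255.254.0
set address "VPN" "remote-net" 192.168.0.0 255.255.0.0
set policy from "Untrust" to "Trust" "dialup-net" "lan-net" "ANY" permit
set policy from "Untrust" to "VPN" "dialup-net" "remote-net" "ANY" permit

# Step 7: routes in trust-vr; the pool route points at tunnel.1 with no
# gateway, so returning traffic for pool addresses enters the tunnel
set vrouter "trust-vr"
set route 192.168.0.0/16 interface ethernet0/4 gateway <NEXT-HOP>
set route 30.30.30.0/24 interface tunnel.1
exit
```

After a client connects, `get ippool`, `get user "dialup-user"`, `get sa` and `get route` show whether an address was assigned, whether the user record carries both the IKE and XAuth types, whether the Phase 2 SA is active and whether the pool route is actually via tunnel.1; those four commands cover the three checks (user, outgoing interface, gateway) that the post above asks the original poster to confirm. The 3DES/SHA-1 proposals are only assumed to match the era of the thread; a current deployment would choose AES and a stronger hash.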
mkusan (Contributor)