[pfSense] [pfSense Support] RE: IPSec VPN to Juniper Netscreen Appliance
StevenS at coc.ca
Thu Jan 5 15:07:02 EST 2012
> -----Original Message-----
> From: bwynkoop [mailto:bwynkoop at investoranalytics.com]
> Sent: Thursday, January 05, 2012 11:36 AM
> To: Steven Sherwood
> Cc: bwynkoop
> Subject: [pfSense Support] RE: IPSec VPN to Juniper Netscreen
> How in the world did you get the pfsense and Juniper talking to each
> other. I have tried a couple of times with no luck. At the moment I
> have 1 pfsense and 3 junipers I need it to talk to.
> My goal is to replace the junipers with pfsense, but I have to do them
> one at a time after I get the first one talking to the existing
> If you could send me some config file excerpts that would be great!
> Brett Wynkoop
> bwynkoop at investoranalytics.com
> Mobile: 917-642-6925
I've got a Netscreen NS50 talking to my pfSense boxes. Not sure if the config will be the same as our Netscreen is pretty old by current standards, but it works just fine with pfSense 1.x.x configurations, and continues to work well with 2.x.x also.
I use 3DES and MD5 for both P1 and P2, and have multiple P2s working with the same P1 under 2.0.1 without issue. (you need a separate P2 for each different subnet that you require)
As you probably are well aware, there are many ways to set up an IPSEC tunnel, so your setup may differ greatly, but this example works for me (substitute your encryption etc. to match your requirements):
On my Netscreen, the first step was to create a new remote Gateway object (under VPNs, AutoKey Advanced, Gateway). We use "Dynamic IP Address" for the Gateway Type (hence the need for Aggressive mode), with my peer ID matching what I've entered on the pfSense UDN (user at domain.ext). Also ensure your Preshared Key is the same here as in your pfSense P1 setup, and that you have selected the correct interface on your Juniper to associate with the VPN. Then under advanced, I defined the P1 proposal details. The P1 proposal is set to User Defined / Custom --> "pre-g2-3des-md5", with Mode (initiator) set to Aggressive, and NAT-Traversal checked. Everything else was/is at the default setting under P1.
Then create a new AutoKey IKE configuration (VPNs, AutoKey IKE), and select your predefined gateway (created above) as your Remote Gateway. Then under advanced, define your P2 details. The proposal is set to User Defined / Custom --> "nopfs-esp-3des-md5", with all other settings default.
Not to state the obvious, but you must ensure that what you select on your Netscreen/Juniper matches on your pfSense later.
Note - you must also define access policies on your Juniper to allow access through the firewall for these VPN tunnels to work. You should probably create new address book entries (Objects, Addresses, List) for your local and remote networks to keep things more straightforward. Also, please ensure that you have no overlapping subnets (i.e. your local and remote sides should be on different subnets). Then it is as easy as creating a policy with your Source address being the new remote address book entry, and your destination being the local subnet (or address book entry) you wish to access. You will need to open the required services (or just open it up entirely by selecting Service = Any), and make the Action = Tunnel, with the Tunnel VPN = your remote gateway object that you created above in step 1.
From my working pfSense config:
P1 (VPN, IPSec, Add Remote Gateway)
Interface = Your WAN interface
Remote Gateway = Remote IP/Hostname
Description = Your meaningful description
Authentication mode = Mutual PSK
Negotiation mode = aggressive
My Identifier = User distinguished name with your UDN in the form of user at domain.ext
Peer Identifier = Peer IP Address
Pre-Shared Key = <your secret>
Policy Generation = Default
Proposal Checking = Default
Encryption algorithm = 3DES
Hash algorithm = MD5
DH key group = 2
Lifetime = 28800 seconds
NAT traversal should be enabled
Dead Peer Detection = checked
10 seconds - Delay between requesting peer acknowledgement
5 retries - Number of consecutive failures allowed before disconnect
P2 (you may need more than one P2 if you require access to more than 1 subnet)
Mode = Tunnel
Local Network = LAN Subnet
Remote Network, Type = Network, Address = Remote Subnet (e.g. 192.168.50.0 / 24)
Description = your meaningful description
Protocol = ESP
Encryption algorithms = 3DES
Hash algorithms = MD5
PFS key group = Off
Lifetime = 3600 seconds
Automatically ping host = <blank> (optional)
You'll also need to assign the proper permit rules on the pfSense firewall (Firewall, Rules, IPSec) to allow traffic through on this side of the tunnel.
Hopefully some of this will help get you going - but then, I'm not sure that my older Netscreen's setup is still all that relevant to what Juniper does today.
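The post stresses twice that the Phase 1 and Phase 2 settings chosen on the Netscreen must match what is entered on pfSense, and that the local and remote subnets must not overlap. The following script is an added example (not part of the mailing-list post, and not pfSense or ScreenOS code): it takes a written-down summary of each side's P1/P2 settings, reports any field that differs, pairs up P2 entries by their mirrored networks, checks each P2 for overlapping subnets, and flags algorithms that are now considered legacy. The dictionaries and their key names are this script's own constructed representation, filled in with the values the post describes; they are not configuration-file identifiers of either product.

```python
"""Consistency checks for a pfSense <-> Netscreen IPsec tunnel (added example).

The two dicts below are a hand-written summary of each peer's settings,
constructed from the values described in the post. Key names are this
script's own; they are not pfSense or ScreenOS identifiers.
"""
import ipaddress

# Constructed sample: the Netscreen side. Its "local" network is the
# Netscreen's own LAN, which is the pfSense side's "remote".
NETSCREEN = {
    "p1": {"mode": "aggressive", "encryption": "3des", "hash": "md5",
           "dh_group": 2, "nat_traversal": True, "lifetime": 28800,
           "psk": "example-psk"},  # placeholder secret, constructed
    "p2": [{"protocol": "esp", "encryption": "3des", "hash": "md5",
            "pfs_group": None, "lifetime": 3600,
            "local": "192.168.50.0/24", "remote": "192.168.1.0/24"}],
}

# Constructed sample: the pfSense side, mirroring the Netscreen entry.
PFSENSE = {
    "p1": {"mode": "aggressive", "encryption": "3des", "hash": "md5",
           "dh_group": 2, "nat_traversal": True, "lifetime": 28800,
           "psk": "example-psk"},
    "p2": [{"protocol": "esp", "encryption": "3des", "hash": "md5",
            "pfs_group": None, "lifetime": 3600,
            "local": "192.168.1.0/24", "remote": "192.168.50.0/24"}],
}

# Still common on older appliances, but no longer recommended for new tunnels.
LEGACY_ALGOS = {"des", "3des", "md5", "sha1"}
P2_FIELDS = ("protocol", "encryption", "hash", "pfs_group", "lifetime")


def compare_phase1(a, b):
    """List every P1 field whose value differs between the two peers."""
    return [f"p1.{k}: {a.get(k)!r} != {b.get(k)!r}"
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


def find_mirror(entry, candidates):
    """Return the P2 entry on the other side whose networks mirror `entry`."""
    for c in candidates:
        if c["local"] == entry["remote"] and c["remote"] == entry["local"]:
            return c
    return None


def compare_phase2(a_entries, b_entries):
    """Pair mirrored P2 entries and compare their proposal fields."""
    findings = []
    for a in a_entries:
        b = find_mirror(a, b_entries)
        tag = f"p2 {a['local']}<->{a['remote']}"
        if b is None:
            findings.append(f"{tag}: no mirrored entry on the other side")
            continue
        findings.extend(f"{tag} {k}: {a[k]!r} != {b[k]!r}"
                        for k in P2_FIELDS if a[k] != b[k])
    # Entries that exist only on side B would otherwise go unnoticed.
    for b in b_entries:
        if find_mirror(b, a_entries) is None:
            findings.append(f"p2 {b['remote']}<->{b['local']}: only defined on one side")
    return findings


def overlapping_subnets(entries):
    """True if any P2 entry's local and remote networks overlap."""
    return any(ipaddress.ip_network(e["local"]).overlaps(ipaddress.ip_network(e["remote"]))
               for e in entries)


def legacy_algorithms(cfg):
    """Sorted list of legacy encryption/hash algorithms used in P1 or any P2."""
    found = set()
    for phase in [cfg["p1"], *cfg["p2"]]:
        found.update(phase[k] for k in ("encryption", "hash") if phase.get(k) in LEGACY_ALGOS)
    return sorted(found)


def run_checks(side_a, side_b):
    """Errors must be fixed for the tunnel to come up; warnings are advisory."""
    errors = compare_phase1(side_a["p1"], side_b["p1"])
    errors += compare_phase2(side_a["p2"], side_b["p2"])
    for name, cfg in (("side A", side_a), ("side B", side_b)):
        if overlapping_subnets(cfg["p2"]):
            errors.append(f"{name}: a P2 entry has overlapping local and remote subnets")
    legacy = sorted(set(legacy_algorithms(side_a)) | set(legacy_algorithms(side_b)))
    warnings = [f"legacy algorithm in use: {alg}" for alg in legacy]
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = run_checks(NETSCREEN, PFSENSE)
    for level in ("errors", "warnings"):
        for line in result[level]:
            print(f"[{level[:-1]}] {line}")
    print("peers agree" if not result["errors"] else "mismatch: tunnel will not negotiate")
```

Run it as-is and the two constructed sides agree, so only the advisory lines about 3DES and MD5 appear; change one field on either side (a different hash in P1, or a mistyped remote subnet) and the mismatch is reported by phase and field, which is quicker than reading both GUIs side by side while the IKE log only says the proposal was rejected.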