Create a VPN between an Allied Telesis and a NetScreen Router
Today’s network managers often need to incorporate other vendors’ equipment into their
networks, as companies change and grow. To support this challenge, Allied Telesis routers are
designed to inter-operate with a wide range of equipment.
This How To Note details one of the inter-operation solutions from Allied Telesis: creating
virtual private networks between Allied Telesis and NetScreen routers. It shows you how to
configure a VPN between a local Allied Telesis router and a remote NetScreen router, step-by-step. On the Allied Telesis router, it uses the Site-To-Site VPN wizard for the VPN
configuration.
The wizard runs on selected AR400 Allied Telesis routers from the router’s web-based GUI
(graphical user interface). It asks you to enter a few details and from those it configures the
following settings:
• encryption to protect traffic over the VPN
• ISAKMP with a preshared key to manage the VPN
• the firewall, to protect the LANs and to allow traffic to use the VPN
• Network Address Translation (NAT), so that you can access the Internet from the private
LAN through a single public IP address. This Internet access does not interfere with the
VPN solution.
You can use the command line to set up an equivalent configuration on AR700 and other
AR400 Series routers. See "The router commands" on page 28 for a complete list of the
commands the configuration uses.
C613-16099-00 REV D
www.alliedtelesis.com
What information will you find in this document?
This How To Note begins with the following information:
• "Related How To Notes" on page 2
• "Which products and software version does it apply to?" on page 2
Then it describes the configuration, in the following sections:
• "The network" on page 3
• "How to configure the Allied Telesis router" on page 4
• "How to configure the NetScreen router" on page 13
• "How to test the tunnel" on page 26
• "The router commands" on page 28
Related How To Notes
Allied Telesis offers How To Notes with a wide range of VPN solutions, from quick and
simple solutions for connecting home and remote offices, to advanced multi-feature setups.
Notes also describe how to create a VPN between an Allied Telesis router and equipment
from a number of other vendors.
For a complete list of VPN How To Notes, see the Overview of VPN Solutions in How To Notes
in the How To Library at www.alliedtelesis.com/resources/literature/howto.aspx.
Which products and software version does it apply to?
The VPN wizard is available on the following Allied Telesis routers, running Software Version
2.9.1 or later:
• AR415S
• AR440S, AR441S, AR442S
You can use the command line to set up an equivalent configuration on AR700 and other
AR400 Series routers. See "The router commands" on page 28 for a complete list of the
commands that the configuration uses.
We created this example with a NetScreen 25, running ScreenOS 4.0.3r4.0.
The screenshots in this Note are from an Internet Explorer 6.0 browser running on
Windows XP and Windows 2000.
Page 2 | AlliedWare™ OS How To Note: VPNs with NetScreen routers
The network
The following diagram shows the LANs and their interfaces and addresses.
  Allied Telesis router
    vlan1 (LAN): 192.168.1.1
      workstation: 192.168.1.100 by automatic address assignment
    eth0 (WAN): 100.100.100.1/30, Internet side of the link 100.100.100.2/30
  Internet, with the VPN tunnel running between the two routers
  NetScreen router
    ethernet 3 (WAN): 200.200.200.1/30, Internet side of the link 200.200.200.2/30
    ethernet 1 (LAN): 192.168.2.1
      workstation: 192.168.2.100 by automatic address assignment
How to configure the Allied Telesis router
Before you start
1. Access the router via its GUI.
2. Customise the router and set up vlan1 as the LAN interface. The site-to-site VPN wizard
always uses vlan1 as the local LAN for the VPN connection, so you must make sure an IP
interface is configured on vlan1 before running the wizard.
3. Create a security officer. If you use the Basic Setup wizard to customise the router, this
creates one security officer, with a username of “secoff”.
4. Set up the WAN interface appropriately for your connection type. This example shows
the steps for both a fixed IP address on the WAN interface (as in the figure above) and a
PPPoE interface with a dynamically-assigned address.
The router setup of steps 1-4 is described in How To Use the Allied Telesis GUI to Customise the
Router and Set Up An Internet Connection, which is available from www.alliedtelesis.com/
resources/literature/howto.aspx.
In this example, the Allied Telesis router has the following settings:

                                     Interface   Address          Mask
Allied Telesis router LAN            vlan1       192.168.1.1      255.255.255.0
Allied Telesis router WAN:
  if fixed IP address                eth0        100.100.100.1    255.255.255.252
  if dynamic IP address              ppp0        0.0.0.0          0.0.0.0
Remote site’s WAN settings                       200.200.200.1
Remote site’s LAN settings                       192.168.2.1      255.255.255.0
Create the VPN tunnel
1. Open the Configuration Wizards page
Log in as either the manager or the security officer. If you log in as the manager, the router
changes to secure mode when you finish the VPN wizard and at that stage prompts you to
log in again as the security officer.
The Site-To-Site VPN wizard is one of the options on the GUI’s Configuration Wizards page.
Make sure your browser’s pop-up blocker is disabled—the wizard needs to open pop-ups. If
you access the Internet through a proxy server, make sure your browser bypasses the proxy
for this address.
The GUI opens at this page the first time you configure your router. After initial configuration
it may open at the System Status page instead. If so, click on the Wizards button in the left-hand menu to open the Configuration Wizards page.
2. Start the Site-to-Site VPN wizard
Click on the Site-to-Site VPN button. The wizard starts by displaying a welcome message.
Click the Next button.
3. Name the VPN connection
Enter an appropriate VPN connection name.
Click the Next button. If you have multiple possible WAN interfaces configured on the router,
the wizard next lets you select the appropriate interface. In this example there is only one
WAN interface, so the wizard selects it automatically and moves directly to the remote site
settings.
4. Enter the remote site’s WAN IP address
Enter the public IP address of the other end of the tunnel. In this example, this is
200.200.200.1.
Note that you can use the Tab key to move between fields when entering the address, but
should not use the . key (the period).
Click the Next button.
5. Enter the remote site’s LAN IP address
Enter the NetScreen router’s LAN subnet address and mask. In this example, this is
192.168.2.0 and a mask of 255.255.255.0.
Click the Next button.
6. Enter the shared secret key
Enter the secret key, which is an alphanumeric string between 2 and 64 characters long. Both
routers must use the same secret key. On the NetScreen router, this is the Preshared Secret.
Click the Next button.
7. Check the settings
Check the summary. If necessary, use the wizard’s Back button to return and correct any
settings you want to change.
Once you are happy with the settings, click the Advanced Settings button to configure
additional settings that allow interoperation with the NetScreen router.
8. Configure additional settings
This step has two alternatives:
• if your WAN connection has a static IP address, you need to configure Perfect Forward
Secrecy. This is the first alternative
• if your WAN connection has a dynamic IP address, you need to use Aggressive Mode,
configure Perfect Forward Secrecy, and give the peer a local ID. This is the second
alternative, shown on the next page
Static address
If you have a static address, then in the middle of the Advanced Settings page, select the Use
Perfect Forward Secrecy checkbox and set the DH Group for PFS to Group 2.
Then click the OK button.
Dynamic address
If you have a dynamic address, then on the Advanced Settings page:
• at the top, select Aggressive Mode
• in the middle, select the Use Perfect Forward Secrecy checkbox and set the DH Group for
PFS to Group 2
• towards the bottom, enter a Local ID. This ID lets the NetScreen router validate the Allied
Telesis router. Therefore, it must match the Remote User ID value that you enter on the
NetScreen router
Then click the OK button.
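The addressing table under "In this example, the Allied Telesis router has the following settings" and the two Advanced Settings alternatives above both come down to a set of values that must agree at the two ends of the tunnel. The following Python script is an added example, not part of this How To Note and not Allied Telesis or NetScreen configuration syntax: it checks the values you intend to enter on each router against each other before the tunnel is brought up (preshared key, PFS DH group, IKE mode, each end's view of the other's WAN and LAN addresses, and, for a dynamic address, the Allied Telesis Local ID against the NetScreen Remote User ID). The dictionary keys are assumptions made for the illustration; the addresses are the constructed values from the diagram on page 3.

```python
import ipaddress
import re

# Added example: a pre-flight consistency check for the two VPN endpoints.
# It is not Allied Telesis or NetScreen configuration syntax; the dict keys are
# assumptions made for this illustration, and the addresses are the constructed
# values from the How To Note's diagram (100.100.100.0/30 and 200.200.200.0/30
# WAN links, 192.168.1.0/24 and 192.168.2.0/24 LANs).

ALLIED = {
    "name": "Allied Telesis router",
    "wan_address": "100.100.100.1",    # eth0 fixed address; None when ppp0 gets a dynamic address
    "lan": "192.168.1.1/24",           # vlan1
    "peer_wan": "200.200.200.1",       # wizard step 4: remote site's WAN IP address
    "peer_lan": "192.168.2.0/24",      # wizard step 5: remote site's LAN address and mask
    "preshared_key": "ExampleKey123",  # wizard step 6: 2 to 64 alphanumeric characters
    "aggressive_mode": False,          # Advanced Settings, needed only for a dynamic address
    "pfs_dh_group": 2,                 # Advanced Settings: DH Group for PFS
    "local_id": None,                  # Advanced Settings: Local ID (dynamic address only)
    "remote_id": None,                 # ID this end expects from a dynamic peer
}

NETSCREEN = {
    "name": "NetScreen router",
    "wan_address": "200.200.200.1",    # ethernet 3
    "lan": "192.168.2.1/24",           # ethernet 1
    "peer_wan": "100.100.100.1",
    "peer_lan": "192.168.1.0/24",
    "preshared_key": "ExampleKey123",  # NetScreen Preshared Secret
    "aggressive_mode": False,
    "pfs_dh_group": 2,
    "local_id": None,
    "remote_id": None,                 # NetScreen Remote User ID
}


def _net(cidr):
    # strict=False accepts an interface address such as 192.168.1.1/24
    return ipaddress.ip_network(cidr, strict=False)


def _check_view(side, other):
    """Problems in how one end (side) identifies and routes to the other end."""
    problems = []
    if other["wan_address"] is None:
        # The peer's address is dynamic, so Main Mode cannot identify it by
        # address: the Note requires Aggressive Mode plus a Local ID that this
        # end validates against its configured remote ID.
        if not other["aggressive_mode"]:
            problems.append(f"{other['name']} has a dynamic WAN address but is not using Aggressive Mode")
        if not other["local_id"]:
            problems.append(f"{other['name']} has a dynamic WAN address but no Local ID")
        elif side["remote_id"] != other["local_id"]:
            problems.append(f"{side['name']} remote ID does not match {other['name']} Local ID")
    elif side["peer_wan"] != other["wan_address"]:
        problems.append(f"{side['name']} peer WAN address {side['peer_wan']} is not "
                        f"{other['name']} WAN address {other['wan_address']}")
    if _net(side["peer_lan"]) != _net(other["lan"]):
        problems.append(f"{side['name']} remote LAN {side['peer_lan']} is not "
                        f"{other['name']} LAN {other['lan']}")
    return problems


def check_vpn_peers(a, b):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    problems = []
    if a["preshared_key"] != b["preshared_key"]:
        problems.append("preshared keys differ")
    for side in (a, b):
        if not re.fullmatch(r"[A-Za-z0-9]{2,64}", side["preshared_key"]):
            problems.append(f"{side['name']} preshared key is not 2 to 64 alphanumeric characters")
    if a["pfs_dh_group"] != b["pfs_dh_group"]:
        problems.append(f"PFS DH group differs ({a['pfs_dh_group']} vs {b['pfs_dh_group']})")
    if a["aggressive_mode"] != b["aggressive_mode"]:
        problems.append("one end uses Aggressive Mode and the other Main Mode")
    if _net(a["lan"]).overlaps(_net(b["lan"])):
        problems.append(f"LAN subnets {a['lan']} and {b['lan']} overlap; traffic cannot be routed across the tunnel")
    problems += _check_view(a, b)
    problems += _check_view(b, a)
    return problems


if __name__ == "__main__":
    for problem in check_vpn_peers(ALLIED, NETSCREEN) or ["no mismatches found"]:
        print(problem)
```

Run it as a script to print any mismatches, or import check_vpn_peers and pass it the two sets of values you plan to enter. An empty result means the two ends agree; a differing preshared key, PFS group or remote LAN subnet, or a missing Local ID on a dynamic-address peer, is the usual reason a tunnel fails to come up after the wizard completes.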
9. Check the settings again
Check the summary.
Static address
If you have a static address, the summary now includes the Perfect Forward Secrecy setting.
Dynamic address
If you have a dynamic address, the summary now includes Aggressive Mode, the Perfect
Forward Secrecy settings, and the Local ID.
If necessary, correct any settings you want to change. When all the settings are correct, click
the Apply button.
10. Finish the wizard
Security officer
If you are logged in as the security officer, the GUI displays a completion message. Click the
Finish button to finish the Wizard and save the VPN settings.