如何进行NETSCREEN VPN的配置
一、网络结构
假如有一远程客户端,安装了NETSCREEN-REMOTE软件,通过拨号连接到INTERNET。通过与NETSCREEN防火墙建立VPN连接,访问公司内部网络。网络拓扑图如下
假如有一远程客户端,安装了NETSCREEN-REMOTE软件,通过拨号连接到INTERNET。通过与NETSCREEN防火墙建立VPN连接,访问公司内部网络。网络拓扑图如下
二、NETSCREEN防火墙配置(WEBUI)
1、 创建一个拨号用户帐号
Click Objects > Users > Local
2、 Click New
1. Username: User1
2. Status: Enable
3. Click IKE User
4. Number of Multiple Logins: 1
5. Click Simple Identity
6. IKE Identity: user1@netscreen
7. Click OK
2、 Click New
1. Username: User1
2. Status: Enable
3. Click IKE User
4. Number of Multiple Logins: 1
5. Click Simple Identity
6. IKE Identity: user1@netscreen
7. Click OK
3、 创建拨号VPN组
Click Objects > User Groups > Local
4、 lick New
1. Group Name: User Group
将相应的用户添加到用户组当中
2. Click OK
Click Objects > User Groups > Local
4、 lick New
1. Group Name: User Group
将相应的用户添加到用户组当中
2. Click OK
5、 创建Phase 1 IKE Negotiation:
Click VPNs > AutoKey Advanced > Gateways
6、 Click New
1. Gateway Name: Dialup GW
2. Security Level: Click Custom
3. Click Dialup User Group
4. Group: Select User Group
5. Preshared Key: netscreen
6. Outgoing Interface: e3/1 (assuming interface e3/1 is bound to untrust zone)
7. Click Advanced
i. Phase 1 Proposal: pre-g2-3des-md5
ii. Mode (Initiator): Aggressive
iii. Click Return
8. Click OK
Click VPNs > AutoKey Advanced > Gateways
6、 Click New
1. Gateway Name: Dialup GW
2. Security Level: Click Custom
3. Click Dialup User Group
4. Group: Select User Group
5. Preshared Key: netscreen
6. Outgoing Interface: e3/1 (assuming interface e3/1 is bound to untrust zone)
7. Click Advanced
i. Phase 1 Proposal: pre-g2-3des-md5
ii. Mode (Initiator): Aggressive
iii. Click Return
8. Click OK
7、 建 Phase 2 IKE Negotiation:
Click VPNs > AutoKey IKE
8、 Click New
Click VPNs > AutoKey IKE
8、 Click New
1. VPN Name: Dialup VPN
2. Remote Gateway: Predefined
3. Select Dialup GW for the Predefined Remote Gateway
4. Click Advanced
i. Phase 2 Proposal: g2-esp-3des-md5
ii. Click Return
5. Click OK
2. Remote Gateway: Predefined
3. Select Dialup GW for the Predefined Remote Gateway
4. Click Advanced
i. Phase 2 Proposal: g2-esp-3des-md5
ii. Click Return
5. Click OK
9、 创建 Dial Up VPN Policy:
Click Policies
10、 Select From Untrust
11、 Select From Trust
12、 Click New
1. Source Address: Address Book: Select Dial-Up VPN
2. Destination Address: Click New Address: 172.16.10.0/24
3. Service: Any
Click Policies
10、 Select From Untrust
11、 Select From Trust
12、 Click New
1. Source Address: Address Book: Select Dial-Up VPN
2. Destination Address: Click New Address: 172.16.10.0/24
3. Service: Any
4. Action: Tunnel
5. Tunnel: Dialup VPN
6. Click Position at Top
7. Click OK
5. Tunnel: Dialup VPN
6. Click Position at Top
7. Click OK
三、配置客户端软件
1、 一个新的连接策略,命名为dial-up
1、 一个新的连接策略,命名为dial-up
2、添加远程子网和远程网关
ID Type: IP Subnet
Subnet: 172.16.10.0
Netmask: 255.255.255.0 negotiation auto
Click Connect using Secure Gateway Tunnel
ID Type: IP Address: 1.1.1.1
Subnet: 172.16.10.0
Netmask: 255.255.255.0 negotiation auto
Click Connect using Secure Gateway Tunnel
ID Type: IP Address: 1.1.1.1
3、编辑连接属性
1、Click Security Policy
1.Select Phase 1 Negotiation Mode: Aggressive
2.Select Enable Perfect Forward Secrecy (PFS)
3. PFS Key Group: Diffie-Hellman Group 2
4.De-select "Enable Replay Detection"
发表评论