
Title: How to Configure a VPN for Interface Failover
Document Number: VPN-4.0.0-DIAL-001
Version: 1.0
OS Ver: ScreenOS 4.0.0-DIAL, 4.0.0-DIAL2
HW Platform this paper applies to: NS5XT
Audience (Internal or External): External

Purpose

This paper goes through the basic procedure of configuring a route-based VPN for interface failover using ScreenOS 4.0.0-DIAL in Trust-Untrust Operational Mode, with the serial modem port as the backup interface.

Description:

ScreenOS 4.0.0-DIAL allows you to have physical link redundancy. If the untrust interface link goes down, a backup interface can take over (either the serial modem or the untrust ethernet interface). Special configuration is required in order for VPN tunnels to remain up when the interface fails over to the backup, and when it reverts back. Please note that only route-based VPNs can be implemented in order for the physical link redundancy to work. The procedures remain the same for ScreenOS 4.0.0-DIAL2.

Minimum Requirements:

For configuring the VPN to work with interface failover via the serial modem, the following minimum requirements must first be met before continuing:

• Operational Mode: Trust-Untrust or Home-Work Zone
• Initial Configuration of the NetScreen-5XT as described in the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL or the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL2

Initial Configuration and Topology:

• Serial modem port is used as the failover interface
• Aggressive mode VPN from NetScreen-5XT to NetScreen-50

Configuring Using the WebUI:

Step 1 – Create tunnel.1 interface bound to the Primary Interface

• Go to Network > Interfaces, click New

    8/11/2003 Page 1 of 14 TAR Netscreen Technologies, Inc.

http://www.netscreen.com/services/support/product/downloads/screen_os/new_dial.pdf
http://www.netscreen.com/services/support/product/downloads/400_dial2_new.pdf

• Click Unnumbered
• Select untrust (trust-vr)

Step 2 – Create tunnel.2 interface bound to the Backup Interface

• Go to Network > Interfaces, click New
• Click Unnumbered
• Select serial (trust-vr)


Step 3 – Create Phase 1 IKE for Primary Interface

• Click VPNs > Autokey Advanced > Gateways
• Click New
• Configure Phase 1 to connect to the static Gateway
• Specify Local ID ns5xt.dial.com to be used by the remote gateway, and specified there as the peer id
• Select Untrust as the outgoing interface
• Click Advanced


• Under Security Level, click User Defined Custom
• P1 Proposal: pre-g2-3des-sha
• Mode: Aggressive
• Click Return
• Click OK


Step 4 – Create Phase 1 IKE for Failover Interface

• Click VPNs > Autokey Advanced > Gateways
• Click New
• Configure Phase 1 to connect to the static Gateway
• Specify Local ID ns5xt.dial.com to be used by the remote gateway, and specified there as the peer id
• Select serial as the outgoing interface
• Click Advanced


• Under Security Level, click User Defined Custom
• P1 Proposal: pre-g2-3des-sha
• Mode: Aggressive
• Click Return
• Click OK


Step 5 – Create Phase 2 for Primary Interface

• Click VPNs > Autokey
• Click New
• For Remote Gateway, choose Predefined and choose NS50
• Click Advanced
• Click Custom


• Choose g2-esp-3des-sha
• Click Bind to Tunnel Interface
• Select tunnel.3
• Click Proxy-ID
• Local: 172.16.1.0/24
• Remote: 10.1.1.0/24
• Click Return
• Click OK

Step 6 – Create Phase 2 for Failover Interface

• Click VPNs > Autokey
• Click New
• For Remote Gateway, choose Predefined and choose NS50
• Click Advanced
• Click Custom


• Choose g2-esp-3des-sha
• Click Bind to Tunnel Interface
• Select tunnel.3
• Click Proxy-ID
• Local: 172.16.1.0/24
• Remote: 10.1.1.0/24
• Click Return
• Click OK


Step 7 – Add Route for Primary Route VPN

• Click Routing > Routing Table
• Click New
• Network Address/Netmask: 172.16.1.0 / 255.255.255.0
• Gateway: Interface tunnel.3
• Click OK

Step 8 – Add Route for Failover Route VPN

• Click Routing > Routing Table
• Click New
• Network Address/Netmask: 172.16.1.0 / 255.255.255.0
• Gateway: Interface tunnel.4
• Click OK


Step 9 – Create Policies for the VPN

• Click Policies
• Select from Trust to Untrust
• Src 10.1.1.0/24
• Dst 172.16.1.0/24
• Service Any
• Action Permit
• Select from Untrust to Trust
• Src 172.16.1.0/24
• Dst 10.1.1.0/24
• Service Any
• Action Permit


Configuring Using the CLI

Step 1 – Create Tunnel Interfaces

• Create tunnel interfaces for the primary and the backup interface

ns5xt-> set interface "tunnel.1" zone "untrust"
ns5xt-> set interface "tunnel.2" zone "untrust"

Step 2 – Create IKE Phase 1 for Primary and Backup Interfaces

• Create IKE gateways for both interfaces. All parameters are identical except the name of the gateway and the outgoing interface.

ns5xt-> set ike gateway "NS50" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "untrust" preshare "netscreen" proposal "pre-g2-3des-sha"
ns5xt-> set ike gateway "NS50-backup" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "serial" preshare "netscreen" proposal "pre-g2-3des-sha"

Step 3 – Create IPSec P2 for Primary and Backup Interfaces

• Create an IPSec VPN for both interfaces. All parameters are identical except the name of the gateway and the tunnel interface referenced by the VPN. (The command listing given for this step in the note repeats the Phase 1 gateway commands from Step 2; the Phase 2 commands themselves are not shown.)

ns5xt-> set ike gateway "NS50" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "untrust" preshare "netscreen" proposal "pre-g2-3des-sha"
ns5xt-> set ike gateway "NS50-backup" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "serial" preshare "netscreen" proposal "pre-g2-3des-sha"


Step 4 – Add Routes for the VPN

• Add routes for the destination network going through each tunnel interface

ns5xt-> set route 172.16.1.0/24 interface tunnel.1
ns5xt-> set route 172.16.1.0/24 interface tunnel.2

Step 5 – Add Policies

• Add policies for the VPN tunnel in both directions

ns5xt-> set policy id 3 from "Trust" to "Untrust" "10.1.1.0/24" "172.16.1.0/24" "ANY" Permit log
ns5xt-> set policy id 2 from "Untrust" to "Trust" "172.16.1.0/24" "10.1.1.0/24" "ANY" Permit log

    Common Errors

• Make sure the backup or failover Phase 2 definition refers to the appropriate gateway. Remember to check that the failover Phase 2 does not refer to the primary Phase 1.

• Check the route table to ensure there is only one active route per network. An asterisk (*) indicates the active route.
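As an added check that is not part of this tech note, the script below lints a constructed ScreenOS configuration excerpt and route-table excerpt for the two common errors just listed: a Phase 2 VPN bound to a tunnel on one physical interface while its Phase 1 gateway leaves via another, and a destination prefix that does not have exactly one active route. The `set vpn ... gateway`, `set vpn ... bind interface` and `set interface ... ip unnumbered interface` lines are assumed ScreenOS syntax (the note does not show the Phase 2 commands), and the `get route` column layout is approximated, so adjust the regular expressions to your firmware's actual output.

```python
import re
from collections import defaultdict
# Constructed ScreenOS config excerpt. The 'set vpn ... gateway', 'set vpn ... bind
# interface' and 'ip unnumbered interface' lines are assumed syntax, not from the note.
SAMPLE_CONFIG = """\
set interface tunnel.1 ip unnumbered interface untrust
set interface tunnel.2 ip unnumbered interface serial
set ike gateway "NS50" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "untrust" preshare "netscreen" proposal "pre-g2-3des-sha"
set ike gateway "NS50-backup" ip 2.2.2.10 Aggressive local-id "ns5xt.dial.com" outgoing-interface "serial" preshare "netscreen" proposal "pre-g2-3des-sha"
set vpn "NS50-vpn" gateway "NS50" proposal "g2-esp-3des-sha"
set vpn "NS50-vpn" bind interface tunnel.1
set vpn "NS50-vpn-backup" gateway "NS50" proposal "g2-esp-3des-sha"
set vpn "NS50-vpn-backup" bind interface tunnel.2
"""
# Constructed 'get route' excerpt (layout approximated); a leading '*' marks the active route.
SAMPLE_ROUTES = """\
*   2   172.16.1.0/24    tun.1   0.0.0.0   S   20   1
    3   172.16.1.0/24    tun.2   0.0.0.0   S   20   1
*   4   192.168.5.0/24   tun.1   0.0.0.0   S   20   1
*   5   192.168.5.0/24   tun.2   0.0.0.0   S   20   1
"""

def gateway_mismatches(config):
    """Common error 1: a VPN bound to a tunnel on one physical interface whose
    Phase 1 gateway leaves via another (e.g. the backup P2 pointing at the primary P1)."""
    tunnel_phys, gw_out, vpn_gw, vpn_tun = {}, {}, {}, {}
    for line in config.splitlines():
        if m := re.match(r'set interface (tunnel\.\d+) ip unnumbered interface (\S+)', line):
            tunnel_phys[m[1]] = m[2]          # tunnel.N -> physical interface it is unnumbered on
        elif m := re.match(r'set ike gateway "([^"]+)" .*outgoing-interface "([^"]+)"', line):
            gw_out[m[1]] = m[2]               # gateway name -> its outgoing interface
        elif m := re.match(r'set vpn "([^"]+)" gateway "([^"]+)"', line):
            vpn_gw[m[1]] = m[2]               # vpn name -> Phase 1 gateway it uses
        elif m := re.match(r'set vpn "([^"]+)" bind interface (tunnel\.\d+)', line):
            vpn_tun[m[1]] = m[2]              # vpn name -> tunnel interface it is bound to
    bad = []
    for vpn, tun in vpn_tun.items():
        gw = vpn_gw.get(vpn)
        if gw and tunnel_phys.get(tun) != gw_out.get(gw):
            bad.append((vpn, tun, tunnel_phys.get(tun), gw, gw_out.get(gw)))
    return bad

def routes_without_single_active(route_table):
    """Common error 2: prefixes that have zero or several active ('*') routes."""
    active = defaultdict(int)
    for line in route_table.splitlines():
        if m := re.match(r'(\*?)\s*\d+\s+(\S+/\d+)\s+\S+', line):
            active[m[2]] += 1 if m[1] else 0  # count only rows flagged with '*'
    return sorted(p for p, n in active.items() if n != 1)
```

Run both functions against `get config` and `get route` output captured from the firewall after failover and again after the primary link reverts; an empty result from each is what the Common Errors section asks you to verify.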

    Additional Information:

• For information on configuring route-based VPNs using the Dual Untrust Operational Mode, please see the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL or the NetScreen New Features Guide for ScreenOS 4.0.0-DIAL2.
• For information on creating VPNs, please see the NetScreen Concepts & Examples Vol. 4, Virtual Private Networks Guide for ScreenOS 4.0.0.

Conclusion

By use of an example and by showing actual screenshots, we have shown how to successfully create a VPN with physical link redundancy. Your remote locations and users will now be able to connect via VPN to the local network, and vice versa, with minimal or no packet loss.

http://www.netscreen.com/services/support/product/downloads/screen_os/new_dial.pdf
http://www.netscreen.com/services/support/product/downloads/400_dial2_new.pdf
http://www.netscreen.com/services/support/product/downloads/screen_os/ce_v4.pdf
