ISG 2000 User's Guide

IPSec VPN

This section presents a configuration for a route-based VPN tunnel between the ISG 2000 and a remote peer with a dynamically assigned IP address. The NetScreen device at the remote peer site is a NetScreen-5GT in Trust-Untrust mode. Because it receives its address dynamically through PPPoE or DHCP, the ISG 2000 cannot identify it by a fixed IP address; Phase 1 negotiations must therefore be in aggressive mode, and the peer is identified by its IKE ID instead. The tunnel configuration uses the following elements:
    Tunnel interface: tunnel.1 in Untrust zone
    Outgoing interface:
        ISG 2000: ethernet1/1
        NetScreen-5GT: Untrust
    Phase 1 exchange mode: Aggressive
    Phase 1 and Phase 2 proposal security levels: Compatible
    Proxy IDs: local 0.0.0.0/0; remote 0.0.0.0/0; service ANY
    Preshared key: Iwb715iSF
    IKE ID for remote peer: peer1@jnpr.net
    VPN tunnel: vpn1
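The following is an added example of how the elements listed above map onto ScreenOS CLI commands for both ends of the tunnel; it is not the configuration printed in the guide. The gateway name gw1, the address-book names lan_local and lan_remote, the unnumbered addressing of tunnel.1 (borrowing the outgoing interface's address), and the pair of permit policies are assumptions not stated on this page; the interface names, addresses, IKE ID, preshared key, security levels and proxy IDs are the guide's. Lines beginning with # are annotations for the reader, not CLI input, and have to be dropped before the commands are pasted into a device.

```screenos
# ---- ISG 2000 (static address 1.1.1.1/30 on ethernet1/1) ----
# tunnel.1 lives in the Untrust zone; unnumbered addressing is an assumption
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet1/1
# address-book entries for the two LANs (names assumed)
set address trust lan_local 10.1.1.0/24
set address untrust lan_remote 10.2.2.0/24
# Phase 1: the 5GT has no fixed address, so "dynamic" names it by IKE ID
# and the exchange runs in aggressive mode with the Compatible proposal set
set ike gateway gw1 dynamic peer1@jnpr.net aggressive outgoing-interface ethernet1/1 preshare Iwb715iSF sec-level compatible
# Phase 2: vpn1 bound to tunnel.1, proxy IDs 0.0.0.0/0 as listed above
set vpn vpn1 gateway gw1 sec-level compatible
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
# route-based VPN: the route, not the policy, steers traffic into the tunnel
set route 10.2.2.0/24 interface tunnel.1
# policies still decide what may cross (assumed: all traffic between the LANs)
set policy from trust to untrust lan_local lan_remote any permit
set policy from untrust to trust lan_remote lan_local any permit

# ---- NetScreen-5GT (Untrust address assigned by PPPoE or DHCP) ----
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface untrust
set address trust lan_local 10.2.2.0/24
set address untrust lan_remote 10.1.1.0/24
# the ISG 2000 has a fixed address; this side sends its IKE ID as local-id
set ike gateway gw1 address 1.1.1.1 aggressive local-id peer1@jnpr.net outgoing-interface untrust preshare Iwb715iSF sec-level compatible
set vpn vpn1 gateway gw1 sec-level compatible
set vpn vpn1 bind interface tunnel.1
set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set route 10.1.1.0/24 interface tunnel.1
set policy from trust to untrust lan_local lan_remote any permit
set policy from untrust to trust lan_remote lan_local any permit
```

Two points worth checking on a real deployment: the wide-open proxy IDs (0.0.0.0/0 on both sides) mean the Phase 2 SA itself does not restrict which subnets may use the tunnel, so the zone policies are the only enforcement point and should be narrowed to the traffic actually needed; and the preshared key Iwb715iSF is the guide's sample value, so each deployment needs its own key shared only between the two peers. After both sides are configured and traffic is sent toward the remote LAN, `get sa` on either device shows whether the Phase 2 SA for vpn1 came up.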
[Figure 10: IPSec VPN Tunnel. Local side, NetScreen-ISG 2000: Trust Zone interface ethernet2/1, 10.1.1.1/24 (network 10.1.1.0/24); Untrust Zone interface ethernet1/1, 1.1.1.1/30; tunnel interface tunnel.1. The tunnel, carried across the Internet, is labelled with Aggressive mode, security level Compatible for Phase 1 and Phase 2, preshared key Iwb715iSF, IKE ID for the NetScreen-5GT peer1@jnpr.net, and VPN tunnel vpn1.]

NOTE: NetScreen ScreenOS offers a rich variety of options for IPSec VPN tunnels. For information about the many available options, refer to the VPNs volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

The VPN tunnel configuration for the NetScreen devices at both ends is provided.
[Figure 10, remote side, NetScreen-5GT: Untrust interface with a dynamically assigned IP address; tunnel interface tunnel.1, unnumbered; Trust Zone interface 10.2.2.1/24 (network 10.2.2.0/24).]