![\"Diagram](\"http:\/\/www.linuxpoweruser.com\/wp-content\/uploads\/2010\/02\/VPN_Example.jpg\" "\\"VPN")
<\/a>First we will start with the Netscreen configuration, which is best performed from the netscreen command line.\u00a0 Keep in mind that this will work on several Netscreen models sold over the last few years.\u00a0 This includes the Netscreen 5XT, and 5GT.\u00a0 These units can be found on Ebay for less than $100, and are highly recommended for use as a home or small office firewall.<\/p>\nNote:\u00a0 It is best to have a static IP for the VPN gateway side of the connection.\u00a0 Dynamic will work, however it will become difficult to track the ip as the ISP reassigns addressing to the Juniper via DHCP or other means.\u00a0 Newer Juniper Netscreens can support dynamic dns registration with DDNS providers such as dyndns.org, which would make tracking the ip easier.<\/p>\n
So, lets get started.\u00a0 From an ssh or telnet session, login to your netscreen.\u00a0 The first thing we need to do is define VPN users and a group – here is an example of creating a user “rwalters”.\u00a0 This user id is used for IKE negotiation.<\/p>\n
Phase 1: (IKE gateway negotiation)<\/p>\n
User definition: Here we create a group called dialupusers: Next, we will define the Phase 2 tunnel.\u00a0 An example is below: The last piece of Netscreen configuration is the Firewall policy to allow the encrypted traffic to the internal network.\u00a0 This policy is actually used as part of phase 2 as well, since phase 2 requires the exchange and agreement on the ip addresses that will be allowed to traverse the tunnel (known as a policy based VPN in Juniper terminology).<\/p>\n In this example we will create an address object for the local LAN: Linux IPSEC has a few requirements.\u00a0 If using Ubuntu, all the kernel requirements are already fulfilled.\u00a0 If you’re using Gentoo or a custom kernel, make sure the following is set in your kernel config:<\/p>\n Under networking: Three files files need to be customized for Linux IPSEC VPNs to work with a Juniper Netscreen.\u00a0 The first file, ipsec-tools.conf, usually resides in \/etc, and the second, psk.txt in \/etc\/racoon. The third file, is racoon.conf, which is also in the \/etc\/racoon directory.<\/p>\n The ipsec-tools.conf file handled Phase 2 security association, and the racoon.conf\/psk.txt file provide IKE (Phase 1) and dynamic re-keying of encryption between two VPN endpoints.\u00a0 Here is an example of an ipsec-tools.conf file that would work for our sample VPN diagram and Juniper configuration above. The other two files \/etc\/racoon\/psk.txt, and \/etc\/racoon\/racoon.conf are relatively static. \u00a0 The first file, psk.txt, is essentially a list of IP addresses of remote VPN gateways and the pre-shared key to use for a password when doing IKE with that gateway.<\/p>\n The password in this file should match the password used in the netscreen Phase 1 IKE configuration shown above.\u00a0 Here is a sample of that file: Here is a sample racoon.conf: Note also the “aggressive mode” statement – this should match the Phase 1 definition on the Juniper as well.<\/p>\n So, after the files have been configured correctly, you need to start the VPN.\u00a0 The first step is to run the ipsec-tools.conf file, so it should be executable.\u00a0 The last step is to start racoon.\u00a0 Here are the example commands. So – what if it doesn’t work?\u00a0 Double check your configuration.\u00a0 Juniper ScreenOS event log (command: get event) is very helpful in determing what is happening.\u00a0 The linux \/var\/log\/daemon.log and \/var\/log\/messages will also be helpful.<\/p>\n Ok – so this seems like a lot of work, modifying files and starting services – I agree its not quite optimal, at least on the Linux side.\u00a0 So, I wrote a couple of scripts – one to determine your PC\/Laptop’s IP address, create the ipsec-tools.conf file, run it, and then run racoon.\u00a0 As a bonus, it also replaces your resolv.conf with another resolve.conf – in case there is a dns server for your remote network you would like to use to be able to resolve machine names on your protected LAN.\u00a0 The second script clears the ipsec-tools.conf policies, and stops racoon, and replaces the resolv.conf with the original one.<\/p>\n With the scripts below, starting a VPN to your office or home lan is as simple as connecting to the internet, and running a the script.\u00a0 Afterwards, the to undo the changes, you run another script.\u00a0 This way, there are only one time changes needed to \/etc\/racoon\/psk.txt and \/etc\/racoon\/racoon.conf<\/p>\n Here is the script for starting the vpn: And for stopping the VPN: While some purists may say, why not use linux for both ends of the tunnel. While this can be done, its hard to beat the price and usability of Juniper’s Netscreen line. It is an excellent firewall, and used units can be found on Ebay for less than $100 now – look for Netscreen 5GT or 5XT.<\/p>\n I have tried to cover some key concepts of IPSEC VPNs, but this is by no means a complete overview, but more of a implementation for a specific application. There are several IPSEC references available on the internet via this<\/a> Wikipedia article.<\/p>\n","protected":false},"excerpt":{"rendered":" Today, as promised I am going to show everyone how to set up a client IPSEC VPN to a Juniper Netscreen FW\/VPN appliance from a Linux machine.\u00a0 Juniper is a market leader in the Firewall and VPN space, and provides appliances from the Small office Home Office footprint all the way up to the largest […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[20,38,39,43,48,72],"_links":{"self":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/posts\/53"}],"collection":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53"}],"version-history":[{"count":0,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxpoweruser.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n
\nset user \"rwalters\" uid 1
\nset user \"rwalters\" ike-id u-fqdn \"rettw@rtwnetwork.com\" share-limit 1
\nset user \"rwalters\" type ike
\nset user \"rwalters\" \"enable\"
\n<\/code>
\nAfter creating a user, we should add that user to a group.\u00a0 While not required, if you want more than one client VPN to be active at one time, you should add your user to a group, as the group will be used in the IKE gateway definition, and any of the users in the group will be allowed to authenticate in Phase 1.<\/p>\n
\n
\nset user-group \"dialupusers\" id 1
\nset user-group \"dialupusers\" user \"rwalters\"
\n<\/code>
\nNext we will define the IKE Phase 1 gateway definition.\u00a0 In most cases, we use pre-shared key authentication, which is basically a password.\u00a0 Other forms of credentials can be used as well such as RADIUS or X-AUTH but those are beyond the scope of this tutorial.\u00a0 Here is an example of the ScreenOS command for IKE gateway definition:
\n
\nset ike gateway \"Publicdialupvpn\" dialup \"dialupusers\" Aggr outgoing-interface \"ethernet0\/0\" preshare \"<password>\" proposal \"pre-g2-3des-sha\"
\nset ike gateway \"Publicdialupvpn\" nat-traversal udp-checksum
\nset ike gateway \"Publicdialupvpn\" nat-traversal keepalive-frequency 5
\n<\/code>
\nThe first command creates an IKE gateway called “Publicdialupvpn” and associates the “dialupusers” group with it.\u00a0 It also defines the outgoing interface, ethernet0\/0 and the preshared key or password.\u00a0 You should use a complex password in place of the <password> shown in the command.\u00a0\u00a0\u00a0 The Aggr means aggressive mode, which is used when the IP address of one of the gateways is dynamic – this case the laptop will almost always have a dynamic IP address.\u00a0 The remaining commands set nat-traversal capabilities.\u00a0 Without NAT-T, Phase 2 will not come up if a NAT-Router or firewall is present in the middle of the network.\u00a0 The last piece is the encryption used for IKE traffic – in this case 3DES, with SHA-1 hashing algorithm.<\/p>\n
\n
\nset vpn \"Publicdialupvpn\" gateway \"Publicdialupvpn\" no-replay tunnel idletime 0 proposal \"g2-esp-3des-sha\"
\n<\/code>
\nThis command is pretty simple.\u00a0 It defines a VPN (or tunnel) called Publicdialupvpn, using the IKE gateway definition of the same name. It also turns on no-replay, which prevents replaying of traffic (a common method of hacking VPNs) and sets the transport to ESP, and encryption to 3DES, with SHA-1 hashing.<\/p>\n
\n
\nset address \"Trust\" \"Local LAN\" 192.168.0.0 255.255.255.0
\n<\/code>
\nThen we will create a policy to allow it to be tunnelled to from the outside.\u00a0 Note that Dial-Up VPN is a default address book entry that ships with ScreenOS.\u00a0 Note that you can limit the ports\/protocols allowed through the tunnel by changing the “ANY” to a specific service, such as http, for instance.
\n
\nset policy id 8 from \"Untrust\" to \"Trust\" \"Dial-Up VPN\" \"Local LAN\" \"ANY\" tunnel vpn \"Publicdialupvpn\" id 0x3 log
\nset policy id 8
\nset log session-init
\nexit
\n<\/code>
\nSo, that should take care of the Netscreen side of the equation.\u00a0 Next we will tackle the Linux side which is the fun part.\u00a0 The beauty of Linux IPSEC is that its one of those built in features that you would have to pay for if using one of those operating systems made in Redmond, WA.<\/p>\n
\n
\nCONFIG_INET_AH=m
\nCONFIG_INET_ESP=m
\nCONFIG_INET_IPCOMP=m
\nCONFIG_INET_XFRM_TUNNEL=m
\nCONFIG_INET_TUNNEL=m
\nCONFIG_INET_XFRM_MODE_TRANSPORT=m
\nCONFIG_INET_XFRM_MODE_TUNNEL=m
\nCONFIG_INET_XFRM_MODE_BEET=m
\n<\/code>
\nUnder Cypto\/Block:
\n
\nCONFIG_CRYPTO_MD5=y
\nCONFIG_CRYPTO_SHA1=m
\n<\/code>
\nUnder Crypto\/Ciphers:
\n
\nCONFIG_CRYPTO_AES=m
\nCONFIG_CRYPTO_AES_X86_64=m
\nCONFIG_CRYPTO_DES=m
\n<\/code>
\nLinux IPSEC is handed by the kernel in conjunction with two different packages:\u00a0 ipsec-tools, and racoon.\u00a0 Both of these must be installed and configured for our VPN to work properly.\u00a0 On Ubuntu you can install these with:
\n
\napt-get install ipsec-tools
\n<\/code>
\n
\napt-get install racoon
\n<\/code>
\nOn gentoo, just a simple:
\n
\nemerge ipsec-tools
\n<\/code>
\nShould install the necessary software.<\/p>\n
\n
\n#!\/usr\/sbin\/setkey -f
\n<\/code>
\n
\nflush;
\nspdflush;
\n<\/code>
\n
\n#outbound
\nspdadd 99.99.99.99 192.168.0.0\/24 any
\n-P out ipsec esp\/tunnel\/99.99.99.99-77.77.77.77\/require;
\n<\/code>
\n
\n#inbound
\nspdadd 192.168.0.0\/24 99.99.99.99 any
\n-P in ipsec esp\/tunnel\/77.77.77.77-99.99.99.99\/require;
\n<\/code>
\nThe information in this file is pretty straight forward.\u00a0 Essentially its a tunnelling policy.\u00a0 It basically states that all traffic to 192.168.0.0\/24, which is our remote LAN behind the Juniper from 99.99.99.99 (the Internet IP of our laptop) be tunnelled through the esp tunnel between 77.77.77.77 (the internet IP of our Juniper) and 99.99.99.99 (our laptop) and vice versa.\u00a0 Note that is file must be updated with the existing IP address on the laptop or remote PC every time a VPN is started. For instance if your laptop gets an ip address of 101.100.111.1 from the ISP your using to connect to the internet, all of the 99.99.99.99 ip addresses in the ipsec-tools.conf file will have to be changed to 101.100.111.1.<\/p>\n
\n
\n# IPv4\/v6 addresses
\n77.77.77.77\u00a0\u00a0\u00a0 <your pre-shared key password>
\n10.160.94.3\u00a0\u00a0 \u00a0mekmitasdigoat
\n172.16.1.133\u00a0\u00a0 \u00a00x12345678
\n194.100.55.1\u00a0\u00a0 \u00a0whatcertificatereally
\n3ffe:501:410:ffff:200:86ff:fe05:80fa\u00a0\u00a0 \u00a0mekmitasdigoat
\n3ffe:501:410:ffff:210:4bff:fea2:8baa\u00a0\u00a0 \u00a0mekmitasdigoat
\n# USER_FQDN
\nfoo@kame.net\u00a0\u00a0 \u00a0mekmitasdigoat
\n# FQDN
\nfoo.kame.net\u00a0\u00a0 \u00a0hoge
\n<\/code>
\nThe last file, racoon.conf controls Phase 1 IKE negotiation, Phase 2 VPN SA setup and VPN re-key.\u00a0 This file rarely changes for a particular vpn definition.<\/p>\n
\n
\npath pre_shared_key \"\/etc\/racoon\/psk.txt\";
\n<\/code>
\n
\n# Remote host
\nremote 77.77.77.77
\n{
\nexchange_mode aggressive;
\n<\/code>
\n
\n# Change this to your local ID
\nmy_identifier user_fqdn \"rettw@rtwnetwork.com\";
\nlifetime time 28800 sec;
\nproposal {
\nencryption_algorithm 3des;
\nhash_algorithm sha1;
\nauthentication_method pre_shared_key;
\ndh_group modp1024;
\n}
\n}
\n<\/code>
\n
\n# A sample sainfo section
\n# Create one for each subnet you want to access, etc.
\n#sainfo address 172.20.0.3 any address 192.168.0.0\/24 any
\nsainfo anonymous
\n{
\npfs_group modp1024;
\nlifetime time 3600 sec;
\nencryption_algorithm 3des;
\nauthentication_algorithm hmac_sha1;
\ncompression_algorithm deflate;
\n}
\n<\/code>
\nGenerally there are two sections to racoon.conf.\u00a0 The first section controls IKE parameters, and Phase 1 negotiations.\u00a0 The second section controls Phase 2 negotiations.\u00a0 There are a couple of things I would like to point out about.\u00a0 First, notice the local id or user fqdn.\u00a0 This should be the same as one of the users created on the Juniper side.\u00a0\u00a0 The second item is the lifetime and encryption types.\u00a0 The first lifetime value in the IKE\/Phase 1 section dictates the length of time the two gateways will trust each other without re-identification.\u00a0 The Phase 2 section has its own lifetime parameter as well.\u00a0 This controls the re-key time on the tunnel, in this case every 3600 seconds or one hour, the tunnel encryption keys will be renegotiated.<\/p>\n
\n
\n\/etc\/ipsec-tools.conf
\n<\/code>
\n
\n\/etc\/init.d\/racoon start
\n<\/code>
\nAfter the racoon daemon is started, try to ping something on the remote LAN – for example, 192.168.0.2.\u00a0 The ping will start the IPSEC negotiations.\u00a0 Watching your \/var\/log\/daemon.log or \/var\/log\/messages will show you what is happening.<\/p>\n
\n
\n#!\/usr\/bin\/python
\n<\/code>
\n
\n#script to find outgoing internet interface (by opening a socket to google.com)
\n#and build a vpn policy file for ... and turn up the VPN tunnel
\n<\/code>
\n
\nimport socket
\nimport os
\n<\/code>
\n
\ndef OutputSpace2file():
\nfilehandle.write ( ' ' )
\ns = socket.socket()
\n# Connect to google.com to find out going IP address
\ns.connect(('google.com',80))
\nipport = s.getsockname()
\nipaddr = ipport[0]
\ndestip = '77.77.77.77'
\ndestsubnet = '192.168.0.0\/24'
\nprint \"Setting VPN tunnel up from Source:\",ipaddr,\"To IP address:\",destip
\nprint \"For destination subnet\",destsubnet
\nprint \"Generating ipsec-tools.conf file in \/etc\"
\nfilehandle = open ('\/etc\/ipsec-tools.conf','w')
\nfilehandle.write ( '#!\/usr\/sbin\/setkey -fn' )
\nfilehandle.write ( 'n')
\nfilehandle.write ( 'flush;n' )
\nfilehandle.write ( 'spdflush;nn' )
\nfilehandle.write ( '#outboundn' )
\nfilehandle.write ( 'spdadd ' )
\nfilehandle.write ( ipaddr )
\nOutputSpace2file()
\nfilehandle.write ( destsubnet )
\nOutputSpace2file()
\nfilehandle.write ( 'anyn' )
\nfilehandle.write ( '\u00a0\u00a0\u00a0 -P out ipsec esp\/tunnel\/' )
\nfilehandle.write ( ipaddr )
\nfilehandle.write ( '-' )
\nfilehandle.write ( destip )
\nfilehandle.write ( '\/require;nn' )
\nfilehandle.write ( '#inboundn' )
\nfilehandle.write ( 'spdadd ' )
\nfilehandle.write ( destsubnet )
\nOutputSpace2file()
\nfilehandle.write ( ipaddr )
\nOutputSpace2file()
\nfilehandle.write ( 'anyn' )
\nfilehandle.write ( '\u00a0\u00a0\u00a0 -P in ipsec esp\/tunnel\/' )
\nfilehandle.write ( destip )
\nfilehandle.write ( '-' )
\nfilehandle.write ( ipaddr )
\nfilehandle.write ( '\/require;n' )
\nfilehandle.close()
\n# set permissions on new policy file
\nrc = os.system( 'chmod a+x \/etc\/ipsec-tools.conf' )
\n# Check return code for permissions command
\nif rc != 0:
\nprint \"Error Setting permissions!\"
\nos._exit(1)
\n# Continue by runninng ipsec-tools.conf script
\nprint \"Running ipsec-tools.conf script.\"
\nrc = os.system( '\/etc\/ipsec-tools.conf' )
\n# Check return code for command
\nif rc != 0:
\nprint \"Error running ipsec-tools.conf script!\"
\nos._exit(1)
\n# Continue by reloading racoon
\nprint \"Reloading racoon IKE server.\"
\nrc = os.system( '\/etc\/init.d\/racoon reload' )
\n# Check return code for command
\nif rc != 0:
\nprint \"Error running \/etc\/init.d\/racoon reload!\"
\nos._exit(1)
\n<\/code>
\n
\n# backup existing \/etc\/resolv.conf and build new one for remote lan
\n<\/code>
\n
\nprint \"Backing up \/etc\/resolv.conf and setting resolv.conf to rtwsecurenet.com DNS\"
\nrc = os.system( 'mv \/etc\/resolv.conf \/etc\/resolv.conf.bak' )
\nif rc != 0:
\nprint \"Error backing up \/etc\/resolv.conf\"
\nos._exit(1)
\nfilehandle = open ('\/etc\/resolv.conf','w')
\nfilehandle.write ( '# File created by LPU vpn-start.py scriptn' )
\nfilehandle.write ( 'search homelan.comn' )
\nfilehandle.write ( 'nameserver 192.168.0.17n' )
\nfilehandle.close()
\n<\/code><\/p>\n
\n
\n#!\/usr\/bin\/python
\n<\/code>
\n
\n#script to stop vpn started by vpn-start.py and restore resolv.conf
\n<\/code>
\n
\nimport socket
\nimport os
\n<\/code>
\n
\n# stop vpn by flushing ipsec policies
\nprint \"Flushing IPSEC policies\"
\nrc = os.system( '\/usr\/sbin\/setkey -FP' )
\n# Check return code for permissions command
\nif rc != 0:
\nprint \"Error flushing policies!\"
\nos._exit(1)
\n# Continue by runninng ipsec-tools.conf script
\nprint \"Restoring \/etc\/resolv.conf to previous state\"
\nrc = os.system( 'cp \/etc\/resolv.conf.bak \/etc\/resolv.conf' )
\n# Check return code for command
\nif rc != 0:
\nprint \"Error restoring \/etc\/resolv.conf - name resolution will not work properly!\"
\nos._exit(1)
\n# Continue by reloading racoon
\nprint \"Stopping racoon IKE server.\"
\nrc = os.system( '\/etc\/init.d\/racoon stop' )
\n# Check return code for command
\nif rc != 0:
\nprint \"Error running \/etc\/init.d\/racoon stop!\"
\nos._exit(1)
\n<\/code>
\nSo, there you have it.\u00a0 I use this type of vpn set up regularly to access my home network when on the road.\u00a0 So far, I haven’t found anything that keeps it from working, unless the hotel ISP network assigns my laptop a 192.168.0 IP.\u00a0 This of course would render the vpn useless, since you can’t tunnel from 192.168.0.0 to 192.168.0.0 as it will confuse the ip stack and routing processes.\u00a0 Feel free to use these scripts in your own environment.<\/p>\n