IPSec Security Association
IPSec Keying Mode: IKE with preshared secret is used.
Name: The name of the SA. This is an important field: you need to enter
it as the Local ID on the NetScreen device, and it must not contain any
blanks.
IPSec Gateway Address: use 0.0.0.0, since the NS5 will have a dynamic IP and it will initiate the session.
Security Policy
Phase 1 Policy
I used DH Group 2.
SA Life of 86400; this must match the Phase 1 proposal lifetime on the NS5.
3DES/SHA1
Phase 2 Policy
ESP 3DES HMAC SHA1
Shared Secret can be anything you like. I use the following command on my Unix box to generate a new shared secret.
% openssl rand -base64 16
Next you need to set up the network. This network needs to match the
LAN network on the remote NetScreen. In my case, the NS5 unit's LAN
address was in the 172.16.1.x range.
Next use the Advanced settings tab. I set mine as follows:
Save the configuration on the SonicWall, and now you can configure the NetScreen device.
First we will configure our Phase 1 and Phase 2 proposals.
Go to the Phase 1 proposal menu and create a new proposal called
sonicwall, using preshared secret, DH group 2, 3DES/SHA and setting
the SA life to 86400.
Similarly, create a sonicwall Phase 2 proposal. The SA lifetime must match what was used in the Phase 1 proposal.
Note that we do not use Perfect Forward Secrecy (PFS), just ESP with
3DES and SHA and an SA life of 86400. Now that we have our proposals
set, we can establish a gateway to the SonicWall.
On the VPN page, configure the SonicWall as a remote gateway. I gave
mine the name TestNet, the company that has the SonicWall. I chose
Static IP address since the SonicWall has a static IP. The Peer ID is
the SonicWall's unique identifier, found in the VPN menu on the SonicWall.
Make sure you choose Aggressive mode, since I was unable to get Main mode to work.
Enter the same preshared secret you entered on the SonicWall. Enter the
SA name you used on the SonicWall as the Local ID. This is not
optional: it must be present and match the name you used on the
SonicWall.
Hit OK and save the gateway.
Now we will configure the AutoKey IKE portion with the proper Phase 2 policy. Go to Auto IKE and configure a new entry.
Enter a name that you will use to refer to this tunnel in the Policy section of the NS5.
Configure this AutoKey IKE entry to use the gateway you just established.
Select the sonicwall Phase 2 policy previously defined.
You may enable the VPN monitor if you like. If you get a lot of
messages in the SonicWall log about illegal IPsec packets from your NS5,
you can disable it.
This concludes the configuration of the Gateway and AutoKey IKE entries. We
now need to add policies to the NS5 to use the new VPN.
Start by configuring the LAN address range on the NS5 as an address entry. Go to the Address menu on the NS5.
Create an entry called MyLAN that represents the local (LAN) address
space on the remote NS5. This is the address space the SonicWall will
know as remote.
Now create a policy for using the newly created tunnel.
Make sure when you create the policy you select "create matching
incoming policy" as well. Also make sure the policy comes before policy
0.
Start the VPN by issuing a ping from the remote NS5 to an address on
the SonicWall side. This will initiate the tunnel. You should see the
SonicWall log go through the Phase 1 and Phase 2 negotiations and
create the tunnel.
That's it.
Setting up a remote NS5 with a Dynamic IP to another NS5 with a Fixed IP.
The procedure for this is very similar on the remote side.
On the remote NS5
Create a new Gateway to the main NS5
Use the static IP address of the main NS5
Use aggressive mode (main mode won't work with shared keys)
Pick a P1 policy
Enter the shared secret.
Enter a LOCAL ID that matches the PEER ID on the main NS5.
Create an AutoKey IKE entry on the remote NS5
Specify the gateway created above.
Pick a P2 policy.
Create a new Policy for the incoming and outgoing traffic.
Add a policy from the local LAN (not address any!) to tunnel using the AutoKey IKE tunnel created above.
On the Main NS5
Modify the user that will be the remote end to have IKE privileges. The user should have the IKE type listed, and the identity/cypher
should be the name used as the PEER ID on the main NS5 and the LOCAL ID on the remote NS5 Gateway.
Create a Gateway on the Main NS5
Select Dynamic IP and set the PEER ID to be the IKE Identity for the remote user.
Use aggressive mode
Select the same P1 policy used on the remote NS5
Enter the preshared secret.
Create an AutoKey IKE entry on the main ns5
Use the gateway created above as the tunnel
Select the same P2 policy as used on the remote NS5
Add a Policy for incoming and outgoing traffic that uses the new AutoIKE tunnel created above.
Initiate a connection from the remote NS5; the tunnel should be created and traffic should flow in both directions.
Set the VPN Monitor on the remote end to ensure the tunnel stays up.
That's it.
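Both setups above (SonicWall to NS5, and NS5 to NS5) fail the same way: a setting that is right on one device but does not agree with the other (SA life, Local ID versus Peer ID, a blank in the SA name, PFS on one side only). The following Python script is an added example, not part of the original write-up and not SonicWall or NetScreen tooling; it generates a preshared secret the way "openssl rand -base64 16" does and checks two hand-entered endpoint descriptions against each other. The field names are this example's own labels for the GUI settings, and the IDs, addresses and networks are constructed placeholders.

```python
import base64
import copy
import secrets


def generate_psk(nbytes: int = 16) -> str:
    """Python equivalent of `openssl rand -base64 16`: nbytes of CSPRNG output,
    base64 encoded, for use as the IKE preshared secret on both ends."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def psk_bits(psk: str) -> int:
    """Strength of a base64 preshared secret in bits of random material."""
    return len(base64.b64decode(psk)) * 8


SHARED_SECRET = generate_psk()  # one value, entered identically on both devices

# Constructed sample settings (placeholders, not values from any real device).
# The keys are this example's own labels for the GUI fields in the write-up.
SONICWALL = {
    "name": "SonicWall (static IP, responder)",
    "peer_address": "0.0.0.0",          # NS5 has a dynamic IP, so any initiator address
    "local_id": "sonicwall-unique-id",  # the SonicWall's unique identifier (NS5 peer ID)
    "peer_id": "testnet-vpn",           # the SA name; the NS5 must send it as local ID
    "ike_mode": "aggressive",
    "p1": {"auth": "preshare", "dh_group": 2, "encr": "3des", "hash": "sha1", "life": 86400},
    "p2": {"proto": "esp", "encr": "3des", "hash": "sha1", "life": 86400, "pfs": False},
    "local_net": "10.0.0.0/24",
    "remote_net": "172.16.1.0/24",
    "psk": SHARED_SECRET,
}

NETSCREEN = {
    "name": "NS5 (dynamic IP, initiator)",
    "peer_address": "203.0.113.10",     # the SonicWall's static address (placeholder)
    "local_id": "testnet-vpn",
    "peer_id": "sonicwall-unique-id",
    "ike_mode": "aggressive",
    "p1": {"auth": "preshare", "dh_group": 2, "encr": "3des", "hash": "sha1", "life": 86400},
    "p2": {"proto": "esp", "encr": "3des", "hash": "sha1", "life": 86400, "pfs": False},
    "local_net": "172.16.1.0/24",
    "remote_net": "10.0.0.0/24",
    "psk": SHARED_SECRET,
}


def with_setting(cfg: dict, *path, value):
    """Return a deep copy of cfg with the nested setting at `path` replaced."""
    new = copy.deepcopy(cfg)
    node = new
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return new


def check_pair(a: dict, b: dict) -> list:
    """Compare the two ends and return one line per disagreement. An empty
    list means every setting the write-up says must agree does agree."""
    problems = []
    for end in (a, b):
        for field in ("local_id", "peer_id"):
            if any(ch.isspace() for ch in end[field]):
                problems.append(f"{end['name']}: {field} {end[field]!r} contains blanks")
        if end["p1"]["life"] != end["p2"]["life"]:
            problems.append(f"{end['name']}: phase 2 life {end['p2']['life']} "
                            f"differs from phase 1 life {end['p1']['life']}")
    # IDs must cross-match: what one side sends as local ID is the other's peer ID.
    for x, y in ((a, b), (b, a)):
        if x["local_id"] != y["peer_id"]:
            problems.append(f"{x['name']} local ID {x['local_id']!r} != "
                            f"{y['name']} peer ID {y['peer_id']!r}")
    # Every phase 1 and phase 2 parameter must be identical on both ends.
    for phase in ("p1", "p2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    if a["ike_mode"] != b["ike_mode"]:
        problems.append(f"IKE mode: {a['ike_mode']} vs {b['ike_mode']}")
    if a["psk"] != b["psk"]:
        problems.append("preshared secrets differ")
    # Each side's LAN must be the other side's remote network.
    if a["local_net"] != b["remote_net"] or b["local_net"] != a["remote_net"]:
        problems.append("LAN networks are not mirrored between the two ends")
    return problems


if __name__ == "__main__":
    print("matching pair:", check_pair(SONICWALL, NETSCREEN) or "OK")
    broken = with_setting(NETSCREEN, "p1", "life", value=28800)
    for line in check_pair(SONICWALL, broken):
        print("mismatch:", line)
```

Run it as-is to see a clean pair, then the two complaints produced by a Phase 1 lifetime that matches neither the peer nor the local Phase 2 proposal. The same check_pair call works for the NS5-to-NS5 case by describing the main NS5 as the responder with peer_address 0.0.0.0 and its IKE user's identity as the peer_id.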