Windows 2000 Pre-shared IKE Dialup VPN Setup Procedures

Purpose

The purpose of this paper is to explain how to set up Windows 2000 for a pre-shared key IKE VPN. This paper is written for a VPN setup assuming that you have a static IP address on both sides of the tunnel. You must create two tunnels on the Windows 2000 client (inbound and outbound).

Procedures - Windows 2000 Setup

1. Bring up the Control Panel.
2. Click on Admin Tools.
3. Click on Local Security Policy.
4. Click on IP Security Policies on Local Machine.
5. Go to Action.
6. Select Create IP Security Policy.
7. Click on Next.
8. Name the policy (for example w2k-ns100) and input a description.
9. Click on Next. Leave the Activate the default response rule option checked.
10. Click on Next.
11. Select the Use this string to protect the key exchange (pre-shared key) option.
12. Input the pre-shared key.
13. Click on Next. Leave the Edit properties option checked.
14. Click on Finish.
15. This will bring up the w2k-ns100 Policy Properties window.

For this window there are two tabs: General and Rules. The General tab represents the phase one policy; the Rules tab represents the phase two policy. For the General window, we suggest that you set up at least 4 proposals to match Netscreen's default proposals so that the Windows 2000 client can do an encrypted handshake with the Netscreen. These proposals are pre-g2-des-md5, pre-g2-des-sha, pre-g2-3des-md5, and pre-g2-3des-sha, where g2 represents Diffie-Hellman Group 2. Since w2k has pre-g2-3des-md5 and pre-g2-3des-sha by default, you need to add only at least 2 more proposals; see steps 19-26. Make sure you uncheck the dynamic IP filter.

16. Click on the General tab; leave the default policy change time of 180 minutes.
17. Click on the Advanced button. In this window leave Master Key Perfect Forward Secrecy off. The default rekey time for w2k is 480 minutes (8 hours); you can change this if you wish. The default phase 1 rekey time on NS devices is 28800 seconds (also 8 hours).
18. Click on the Methods button.
19. Click on the Add button.
20. Select MD5, DES, and Diffie-Hellman Group Medium (2).
21. Click OK.
22. Click on the Add button.
23. Select SHA1, DES, and Diffie-Hellman Group Medium (2).
24. Click OK.
25. Now in this Key Exchange Security Methods window, move the newly added proposals to the top. Together with the 4 default proposals, there should be a total of 6 proposals on the list.
26. Click OK.
27. Click OK.

Outgoing Rule

28. Click on the Rules tab, uncheck Use Add Wizard.
29. Click on the Add button. The New Rule Properties window pops up; there are 5 tabs in this window: IP Filter List, Filter Action, Authentication Method, Tunnel Setting, and Connection Type.
30. Click the Add button on the IP Filter List page. The IP Filter List window pops up.
31. Enter Outgoing as the name, and some description to help recall the name, then click on the Add button. The Filter Properties window pops up.
32. On the Addressing page, select My IP Address as the source address.
33. For the destination address, select A specific IP subnet. This will be the trust-side subnet of the NS device that w2k is to communicate with. See the following example:
    Source address: My IP Address
    Destination address: IP Address 10.10.10.0, Subnet Mask 255.255.255.0
34. Uncheck the Mirrored button.
35. Click on the Protocol page. Select the default Any or any desired protocol.
36. Click on the Description page. Since this is for the outgoing security policy, enter something that will describe that action to help you recall the policy.
37. Click on OK.
38. Click on Close to close the IP Filter List window.
39. Click on the Tunnel Setting page, select the tunnel endpoint, and input the untrust interface IP address of the Netscreen device.
40. Click on the Connection Type page, select All network connections.
41. Click on the Authentication Methods page, click the Add button. The New Authentication Method Properties window pops up.
42. Select the Use this string to protect the key exchange (preshared key) option, then enter the preshared key, click OK.
43. On the Authentication Methods page, highlight Kerberos, click Remove, make the Preshared Key the only item listed on the Authentication Method preference order, then click Close.
44. Click on the Filter Action page, uncheck Use Add Wizard, click on Add. The New Filter Action Properties window pops up; there are 2 tabs: Security Methods and General.
45. On the Security Methods page, select the Negotiate security option, leave the default Accept unsecured communication, but always respond using IPSec checked, click on Add. The New Security Method window pops up.
46. On the Security Method page, select Custom, click on Settings. The Custom Security Method Settings window pops up.
47. In this window you can select one of these 10 settings: ESP_3des/sha1, ESP_3des/md5, ESP_des/sha1, ESP_des/md5, ESP_3des/none, ESP_des/none, ESP_none/sha1, ESP_none/md5, AH_sha1, AH_md5; then enter the session key rekey time (or size). The w2k default rekey time is 3600 seconds, the same as the NS device's default phase 2 lifetime. Then click OK.
48. Click on OK again. This newly selected security method should appear on the Security Method preference order list. At this point you can also check (or uncheck) Session key Perfect Forward Secrecy, which together with the selected security method should match the NS device's phase 2 proposal.
49. Click on the General page, enter the name and description for this filter action, then click OK.
50. Now back on the Filter Action page, this newly added Filter Action should be on the list. Select it, then click on the Close button to close the Edit Rule Properties window.

Incoming Rule

51. Now back on the Rules page, you should see Outgoing on the IP Security Rules list. One more rule is needed on this list, which is Incoming. Click on the Add button. The New Rule Properties window pops up; there are 5 tabs in this window: IP Filter List, Filter Action, Authentication Method, Tunnel Setting, and Connection Type.
52. Click the Add button on the IP Filter List page. The IP Filter List window pops up.
53. Enter Incoming as the name, and some description to help recall the name, then click on the Add button. The Filter Properties window pops up.
54. For Incoming, change the IP Filter source address to the NS device's trust-side subnet and the destination address to My IP Address:
    Source address: IP Address 10.10.10.0, Subnet Mask 255.255.255.0
    Destination address: My IP Address
55. Uncheck the Mirrored button.
56. Click on the Protocol page. Select the default Any or any desired protocol.
57. Click on the Description page. Since this is for the incoming security policy, enter something that will describe that action to help you recall the policy.
58. Click on OK.
59. Click on Close to close the IP Filter List window.
60. Click on the Tunnel Setting page, select the tunnel endpoint, and input the IP address of the Windows 2000 PC (this is the machine you are on).
61. Click on the Connection Type page, select All network connections.
62. Click on the Authentication Methods page, click the Add button. The New Authentication Method Properties window pops up.
63. Select the Use this string to protect the key exchange (preshared key) option, then enter the preshared key, click OK (this password should be the same as in step 42).
64. On the Authentication Methods page, highlight Kerberos, click Remove, make the Preshared Key the only item listed on the Authentication Method preference order, then click Close.
65. Click on the Filter Action page, uncheck Use Add Wizard, click on Add. The New Filter Action Properties window pops up; there are 2 tabs: Security Methods and General.
66. On the Security Methods page, select the Negotiate security option, leave the default Accept unsecured communication, but always respond using IPSec checked, click on Add. The New Security Method window pops up.
67. On the Security Method page, select Custom, click on Settings. The Custom Security Method Settings window pops up.
68. In this window you can select one of these 10 settings: ESP_3des/sha1, ESP_3des/md5, ESP_des/sha1, ESP_des/md5, ESP_3des/none, ESP_des/none, ESP_none/sha1, ESP_none/md5, AH_sha1, AH_md5; then enter the session key rekey time (or size). The w2k default rekey time is 3600 seconds, the same as the NS device's default phase 2 lifetime. Then click OK.
69. Click on OK again. This newly selected security method should appear on the Security Method preference order list. At this point you can also check (or uncheck) Session key Perfect Forward Secrecy, which together with the selected security method should match the NS device's phase 2 proposal.
70. Click on the General page, enter the name and description for this filter action, then click OK.
71. Now back on the Filter Action page, this newly added Filter Action should be on the list. Select it, then click on the Close button to close the Edit Rule Properties window.
72. After you see both the Incoming and Outgoing IPSec rules on the list, check one of them, then click the Close button to close the w2k-ns100 Policy Properties window.
73. On the Local Security Settings window, right-click w2k-ns100 and choose Assign. This will activate the security policy that you have just created.

This completes the setup of the Win2k client.

Procedures - Netscreen Setup

1. Bring up the Netscreen in your desired web browser and log in to it.
2. Select the VPN tab under the Network group tab, select the Gateway tab, input a name and a pre-shared key (the same as the one entered in w2k), and select the phase 1 proposal that begins with the prefix pre. There are four choices with the pre prefix; one example is pre-g2-des-md5. Scroll down to the middle of the page and select Remote Gateway/Fixed IP Address, and input the IP address of the Win2k client in the IP address box. Click on main mode, click OK, and go on to the next step.
3. Select the AutoKey IKE tab, input the name for the tunnel, and select the remote Gateway tunnel name. Select the same phase 2 proposal as in w2k (Filter Action). Click OK, then go on to the next step.
4. Select the Address tab, select the Untrust tab, and input the IP address of the Win2k client. Example: 63.40.50.2 255.255.255.255. Click OK.
5. Select the Trust tab, and input the internal IP subnet and netmask. Example: 192.168.1.0 255.255.255.0. Click OK.
6. Select the Policy tab, select the Incoming tab, select the w2k's IP as the Source, select the trust subnet address as the Destination, select the desired Service, select Encrypt for Action, and select the tunnel that was created in the previous step. Click OK.

At this point you're done setting up the Netscreen. Make sure you select the trusted subnet address for the source of the Netscreen and not Inside Any.

Conclusion

Verify the connection by pinging the internal IP address of the Netscreen. If you get a response you have successfully set up the VPN IKE tunnel. If you do not get a response, please recheck all of your settings. You can also run some debugs on the Netscreen to see the error messages you are getting. These debugs are the following:

set console dbuf
debug ike detail
get dbuf stream
clear dbuf
debug flow basic
get dbuf stream

This information will help you determine if the Netscreen is decrypting and encrypting. If you are still having problems, contact Netscreen Technical Support.
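Most failed negotiations in this setup come from the two sides being entered inconsistently (a phase 1 proposal Windows never offers, a lifetime typed in minutes on one side and seconds on the other, a Mirrored box left checked, or the Incoming/Outgoing rules pointing the wrong way). The script below is an added example, not part of the original guide or any NetScreen or Microsoft tooling: the record types, the check function and the untrust address 203.0.113.1 are assumptions, while the proposal names, the trust subnet 10.10.10.0/24, the client address 63.40.50.2 and the default lifetimes are the guide's own values.

```python
from collections import namedtuple

# One Windows 2000 IP Security Rule; 'My IP Address' is written out as the client's own address.
W2kRule = namedtuple("W2kRule", "src dst tunnel_endpoint mirrored")
# key_exchange: (encryption, integrity, dh group) tuples as chosen in steps 20 and 23;
# phase1_minutes: General > Advanced rekey time; phase2_seconds: Custom Security Method rekey time.
Win2kPolicy = namedtuple("Win2kPolicy",
                         "client_ip key_exchange phase1_minutes phase2_seconds outgoing incoming")
# remote_gateway: the Remote Gateway/Fixed IP Address entry; lifetimes in seconds, as the NetScreen counts.
NetscreenVpn = namedtuple("NetscreenVpn",
                          "untrust_ip trust_subnet remote_gateway phase1_proposal phase1_seconds phase2_seconds")


def parse_ns_phase1(name):
    """NetScreen phase 1 names read '<auth>-g<dh>-<enc>-<hash>', e.g. pre-g2-des-md5."""
    auth, dh, enc, hsh = name.lower().split("-")
    if auth != "pre" or not dh.startswith("g"):
        raise ValueError("expected a pre-shared-key proposal such as pre-g2-des-md5")
    # NetScreen writes 'sha' where the Windows 2000 dialog says SHA1.
    return enc, ("sha1" if hsh == "sha" else hsh), int(dh[1:])


def check(w, ns):
    """Return the mismatches between the two sides; an empty list means they agree."""
    findings = []
    if parse_ns_phase1(ns.phase1_proposal) not in w.key_exchange:
        findings.append(f"no Windows key exchange method matches {ns.phase1_proposal}")
    if w.phase1_minutes * 60 != ns.phase1_seconds:   # Windows counts minutes, NetScreen seconds
        findings.append("phase 1 lifetimes differ")
    if w.phase2_seconds != ns.phase2_seconds:
        findings.append("phase 2 lifetimes differ")
    if ns.remote_gateway != w.client_ip:
        findings.append("NetScreen remote gateway is not the Windows client IP")
    o, i = w.outgoing, w.incoming
    if o.mirrored or i.mirrored:
        findings.append("Mirrored must be unchecked on both rules")
    if (o.src, o.dst, o.tunnel_endpoint) != (w.client_ip, ns.trust_subnet, ns.untrust_ip):
        findings.append("Outgoing rule must be client -> trust subnet with the untrust IP as endpoint")
    if (i.src, i.dst, i.tunnel_endpoint) != (ns.trust_subnet, w.client_ip, w.client_ip):
        findings.append("Incoming rule must be trust subnet -> client with the client IP as endpoint")
    return findings


def example():
    """Constructed sample using the guide's 10.10.10.0/24 trust subnet and 63.40.50.2 client."""
    client, untrust, trust = "63.40.50.2", "203.0.113.1", "10.10.10.0/24"   # untrust IP is made up
    w = Win2kPolicy(client, [("des", "md5", 2), ("3des", "sha1", 2)], 480, 3600,
                    W2kRule(client, trust, untrust, False),
                    W2kRule(trust, client, client, False))
    ns = NetscreenVpn(untrust, trust, client, "pre-g2-des-md5", 28800, 3600)
    return check(w, ns)
```

Run the check before reaching for debug ike detail: an empty list means the values transcribed from both dialogs agree, and each finding names the step to revisit.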