Windows 2000 Pre-shared IKE Dialup VPN Setup Procedures

Purpose

The purpose of this paper is to explain how to set up Windows 2000 for a pre-shared-key IKE VPN to a Netscreen device. The setup assumes that both ends of the tunnel have a static IP address: with a pre-shared key in main mode the Netscreen looks the key up by the peer's IP address before the peer's identity is known, so a dynamically assigned client address will not work with this procedure. You must create two rules on the Windows 2000 client, one outbound and one inbound, because Windows 2000 does not mirror tunnel-mode rules.

Procedures - Windows 2000 Setup

1. Bring up the Control Panel.
2. Click on Administrative Tools.
3. Click on Local Security Policy.
4. Click on IP Security Policies on Local Machine.
5. Go to the Action menu.
6. Select Create IP Security Policy.
7. Click on Next.
8. Name the policy (for example w2k-ns100) and input a description.
9. Click on Next. Leave Activate the default response rule checked.
10. Click on Next.
11. Select the Use this string to protect the key exchange (pre-shared key) option.
12. Input the pre-shared key.
13. Click on Next. Leave the Edit properties option checked.
14. Click on Finish.
15. This brings up the w2k-ns100 Policy Properties window.

This window has two tabs: General and Rules. The General tab holds the phase 1 (IKE key exchange) settings; the Rules tab holds the phase 2 (IPSec) settings. On the General tab we suggest that you configure at least four proposals to match the Netscreen's default pre-shared-key proposals, so that the Windows 2000 client can complete the phase 1 handshake whichever of them the Netscreen is set to. These proposals are pre-g2-des-md5, pre-g2-des-sha, pre-g2-3des-md5 and pre-g2-3des-sha, where g2 denotes Diffie-Hellman group 2 (shown as Medium (2) in Windows). Windows 2000 already has the equivalents of pre-g2-3des-md5 and pre-g2-3des-sha among its four default key exchange methods (its two default DES methods use Diffie-Hellman group 1, Low (1), and so match none of the pre-g2 proposals), so you only need to add the two DES / group 2 proposals; see steps 19-26. Note that DES and MD5 are weak by current standards: if the Netscreen side is yours to configure, prefer a 3DES/SHA1 proposal and leave the DES ones off. The wizard leaves the default response rule active; on the Rules tab, make sure the rule whose IP filter list is <Dynamic> is unchecked so that only the two tunnel rules built below are used.

16. Click on the General tab and leave the default policy change interval of 180 minutes.
17. Click on the Advanced button. In this window leave Master key Perfect Forward Secrecy off. The default phase 1 rekey time for Windows 2000 is 480 minutes (8 hours), which you can change if you wish; the default phase 1 lifetime on NS devices is 28800 seconds (also 8 hours), so the two already agree.
18. Click on the Methods button.
19. Click on the Add button.
20. Select MD5, DES and Diffie-Hellman Group Medium (2).
21. Click OK.
22. Click on the Add button.
23. Select SHA1, DES and Diffie-Hellman Group Medium (2).
24. Click OK.
25. In the Key Exchange Security Methods window, move the two newly added proposals to the top of the list. Together with the four default proposals there should now be six proposals on the list. The order is the preference Windows expresses when it initiates, and the Netscreen will select whichever listed proposal matches the one configured on its gateway; if the Netscreen is configured with a 3DES proposal, there is no need to put the DES entries above the 3DES ones.
26. Click OK.
27. Click OK.

Outgoing Rule

28. Click on the Rules tab and uncheck Use Add Wizard.
29. Click on the Add button. The New Rule Properties window pops up, with five tabs: IP Filter List, Filter Action, Authentication Methods, Tunnel Setting and Connection Type.
30. Click the Add button on the IP Filter List page. The IP Filter List window pops up.
31. Enter Outgoing as the name and a description to help you recall what it is for, then click on the Add button. The Filter Properties window pops up.
32. On the Addressing page, select My IP Address as the source address.
33. For the destination address, select A specific IP subnet. This is the trust-side subnet of the NS device that the Windows 2000 machine is to communicate with. For example:

    Source address:      My IP Address
    Destination address: IP Address 10.10.10.0, Subnet Mask 255.255.255.0

34. Uncheck the Mirrored box. A mirrored filter would also match the reverse direction, but a tunnel rule carries a single tunnel endpoint, so each direction needs its own rule; that is why an Incoming rule is built separately below.
35. Click on the Protocol page. Leave the default Any, or select the protocol you want to restrict the tunnel to.
36. Click on the Description page. Since this is the outgoing security policy, enter something that describes that action to help you recall the policy.
37. Click on OK.
38. Click on Close to close the IP Filter List window.
39. Click on the Tunnel Setting page, select The tunnel endpoint is specified by this IP address, and input the untrust interface IP address of the Netscreen device.
40. Click on the Connection Type page and select All network connections.
41. Click on the Authentication Methods page and click the Add button. The New Authentication Method Properties window pops up.
42. Select the Use this string to protect the key exchange (pre-shared key) option, enter the pre-shared key and click OK.
43. On the Authentication Methods page, highlight Kerberos and click Remove, so that Preshared Key is the only item in the authentication method preference order, then click Close. The Netscreen cannot authenticate with Kerberos, so it should not be offered.
44. Click on the Filter Action page, uncheck Use Add Wizard and click on Add. The New Filter Action Properties window pops up, with two tabs: Security Methods and General.
45. On the Security Methods page, select the Negotiate security option, leave the default Accept unsecured communication, but always respond using IPSec checked, and click on Add. The New Security Method window pops up. Note what that option does: it lets the first inbound packet from a peer arrive unprotected while Windows starts IKE with that peer. It is not the same as Allow unsecured communication with non-IPSec-aware computer, which falls back to cleartext when negotiation fails and must stay unchecked, otherwise traffic for the trust subnet can silently leave the machine unencrypted.
46. On the Security Method page, select Custom and click on Settings. The Custom Security Method Settings window pops up.
47. In this window you can select one of these ten settings: ESP_3des/sha1, ESP_3des/md5, ESP_des/sha1, ESP_des/md5, ESP_3des/none, ESP_des/none, ESP_none/sha1, ESP_none/md5, AH_sha1 and AH_md5. Then enter the session key rekey time (or size). The Windows 2000 default rekey time is 3600 seconds, the same as the NS device's default phase 2 lifetime. Click OK. Avoid the ESP_*/none settings in practice: ESP without an integrity algorithm leaves the traffic open to undetected modification, and the two AH settings give integrity only, with no confidentiality.
48. Click on OK again. The newly selected security method should appear on the Security Method preference order list. At this point you can also check (or uncheck) Session key Perfect Forward Secrecy; this setting together with the selected security method must match the NS device's phase 2 proposal (on a Netscreen, phase 2 proposals whose names begin with g2- use PFS with Diffie-Hellman group 2 and those beginning with nopfs- do not).
49. Click on the General page, enter a name and description for this filter action, then click OK.
50. Back on the Filter Action page, the newly added filter action should be on the list. Select it, then click on the Close button to close the rule properties window.
Incoming Rule

51. Back on the Rules page you should see Outgoing on the IP Security Rules list. One more rule is needed on this list, Incoming. Click on the Add button. The New Rule Properties window pops up, with the same five tabs: IP Filter List, Filter Action, Authentication Methods, Tunnel Setting and Connection Type.
52. Click the Add button on the IP Filter List page. The IP Filter List window pops up.
53. Enter Incoming as the name and a description to help you recall what it is for, then click on the Add button. The Filter Properties window pops up.
54. For Incoming, set the source address to the NS device's trust-side subnet and the destination address to My IP Address, i.e. the reverse of the Outgoing filter:

    Source address:      IP Address 10.10.10.0, Subnet Mask 255.255.255.0
    Destination address: My IP Address

55. Uncheck the Mirrored box.
56. Click on the Protocol page. Leave the default Any, or select the same protocol you chose for Outgoing.
57. Click on the Description page. Since this is the incoming security policy, enter something that describes that action to help you recall the policy.
58. Click on OK.
59. Click on Close to close the IP Filter List window.
60. Click on the Tunnel Setting page, select The tunnel endpoint is specified by this IP address, and input the IP address of the Windows 2000 PC (the machine you are on). The tunnel endpoint of each rule is the address at the receiving end of that rule's traffic: the Netscreen's untrust address for Outgoing, your own address for Incoming.
61. Click on the Connection Type page and select All network connections.
62. Click on the Authentication Methods page and click the Add button. The New Authentication Method Properties window pops up.
63. Select the Use this string to protect the key exchange (pre-shared key) option, enter the pre-shared key and click OK. This must be the same key as in step 42.
64. On the Authentication Methods page, highlight Kerberos and click Remove, so that Preshared Key is the only item in the authentication method preference order, then click Close.
65. Click on the Filter Action page, uncheck Use Add Wizard and click on Add. The New Filter Action Properties window pops up, with two tabs: Security Methods and General. (Filter actions are shared between rules, so you can instead select the filter action you created in step 49 and skip to step 71; the steps below build a second, identical one.)
66. On the Security Methods page, select the Negotiate security option, leave the default Accept unsecured communication, but always respond using IPSec checked (see the note in step 45), and click on Add. The New Security Method window pops up.
67. On the Security Method page, select Custom and click on Settings. The Custom Security Method Settings window pops up.
68. Select the same setting as in step 47 (one of ESP_3des/sha1, ESP_3des/md5, ESP_des/sha1, ESP_des/md5, ESP_3des/none, ESP_des/none, ESP_none/sha1, ESP_none/md5, AH_sha1, AH_md5) and the same session key rekey time (default 3600 seconds, matching the NS device's default phase 2 lifetime), then click OK.
69. Click on OK again. The newly selected security method should appear on the Security Method preference order list. Set Session key Perfect Forward Secrecy the same way as in step 48, so that the incoming and outgoing rules both match the NS device's phase 2 proposal.
70. Click on the General page, enter a name and description for this filter action, then click OK.
71. Back on the Filter Action page, the newly added filter action should be on the list. Select it, then click on the Close button to close the rule properties window.
72. When both Incoming and Outgoing appear on the IP Security Rules list, make sure the box next to each of them is checked (an unchecked rule is not active, and the tunnel needs both directions), then click the Close button to close the w2k-ns100 Policy Properties window.
73. In the Local Security Settings window, right-click w2k-ns100 and choose Assign. This activates the security policy you have just created; only one policy can be assigned on a machine at a time. This completes the setup of the Windows 2000 client.

Procedures - Netscreen Setup

1. Bring up the Netscreen WebUI in your browser and log in.
2. Select the VPN tab under the Network group tab, then select the Gateway tab. Input a name and the pre-shared key (the same one entered on the Windows 2000 side) and select the phase 1 proposal that begins with the prefix pre. There are four pre choices; pre-g2-des-md5 is used as the example here, and the Windows 2000 proposal list built in steps 19-25 matches any of the four.
Scroll down to the middle of the page, select Remote Gateway / Fixed IP Address and input the IP address of the Windows 2000 client in the IP address box. Select Main mode (main mode is what a pre-shared key with a fixed peer address calls for, and it also carries the peer identities encrypted), click OK and go on to the next step.
3. Select the AutoKey IKE tab, input a name for the tunnel and select the remote gateway name from step 2. Select the phase 2 proposal that matches the Filter Action settings on the Windows 2000 side (cipher, hash and Session key Perfect Forward Secrecy). Click OK and go on to the next step.
4. Select the Address tab, then the Untrust tab, and input the IP address of the Windows 2000 client as a host address, for example 63.40.50.2 255.255.255.255. Click OK.
5. Select the Trust tab and input the internal IP subnet and netmask, for example 192.168.1.0 255.255.255.0. Click OK. This must be the same subnet you entered in the Windows 2000 IP filters (the Windows example above used 10.10.10.0 255.255.255.0); if the two do not agree, phase 2 will fail or the traffic will not be selected into the tunnel.
6. Select the Policy tab, then the Incoming tab. Select the Windows 2000 client's address as the Source and the trust subnet address as the Destination, select the desired Service, select Encrypt for Action and select the tunnel created in the previous step. Click OK. Make sure the trust side of the policy uses the specific subnet address object you created in step 5, not Inside Any (it is the Destination of this incoming policy and the Source of the matching outgoing policy). You are now done setting up the Netscreen.

Conclusion:

Verify the connection by pinging the internal (trust) IP address of the Netscreen from the Windows 2000 client. The first ping or two may time out while IKE phase 1 and phase 2 complete. If you get a response, you have successfully set up the VPN IKE tunnel. If you do not get a response, recheck all of your settings: the pre-shared key, the peer IP addresses and tunnel endpoints, the phase 1 and phase 2 proposals, PFS and the trust subnet must all agree on both sides.

You can also run debugs on the Netscreen to see the error messages you are getting. From the CLI:

    set console dbuf
    debug ike detail
    get dbuf stream
    clear dbuf
    debug flow basic
    get dbuf stream

The first debug shows whether phase 1 and phase 2 negotiate; the second shows whether the Netscreen is encrypting and decrypting the traffic. Turn debugging off afterwards with undebug all, since it is costly on a busy device; get sa lists the negotiated security associations and is a cheaper check. If you are still having problems, contact Netscreen Technical Support.
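Nearly every failure in this procedure is a proposal mismatch: the phase 1 list built on the Windows General tab (steps 15-25) against the Netscreen gateway's pre-g2-... proposal (Netscreen step 2), or the Filter Action security method plus Session key PFS (steps 45-48) against the Netscreen phase 2 proposal (Netscreen step 3). The following Python model, added here as a worked example and not part of the original paper or of either product, encodes both sides' lists in each product's own naming and reports which proposal, if any, they would agree on, together with a warning for the weak choices. Everything not stated in the paper is an assumption, labelled as such in the code: Windows 2000's four default key exchange methods (two 3DES/group 2 and two DES/group 1), the Netscreen's predefined nopfs-/g2- phase 2 names, the use of group 2 for Windows session key PFS, and all function names (ns_phase1, w2k_phase1, ns_phase2, w2k_phase2, negotiate, weaknesses).

```python
"""Added example: model of the IKE proposal matching this setup depends on.
Not code from the paper, Windows or Netscreen; see the lead-in for assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Labels as they appear in the Windows 2000 IPSec dialogs.
W2K_INTEGRITY = {"MD5": "md5", "SHA1": "sha"}
W2K_CIPHER = {"DES": "des", "3DES": "3des"}
W2K_GROUP = {"Low (1)": 1, "Medium (2)": 2}


@dataclass(frozen=True)
class Phase1:
    cipher: str        # "des" or "3des"
    integrity: str     # "md5" or "sha"
    dh_group: int      # 1 or 2


@dataclass(frozen=True)
class Phase2:
    protocol: str             # "esp" or "ah"
    cipher: Optional[str]     # "des", "3des" or None (no encryption)
    integrity: Optional[str]  # "md5", "sha" or None (no integrity check)
    pfs_group: Optional[int]  # DH group when session key PFS is on, else None


def ns_phase1(name: str) -> Phase1:
    """Parse a Netscreen phase 1 name such as 'pre-g2-des-md5' (names from the paper)."""
    auth, group, cipher, integrity = name.split("-")
    if auth != "pre":
        raise ValueError(f"not a pre-shared-key proposal: {name}")
    return Phase1(cipher, integrity, int(group[1:]))


def w2k_phase1(cipher: str, integrity: str, group: str) -> Phase1:
    """Build a phase 1 entry from the choices in the Windows Key Exchange Security Method dialog."""
    return Phase1(W2K_CIPHER[cipher], W2K_INTEGRITY[integrity], W2K_GROUP[group])


def ns_phase2(name: str) -> Phase2:
    """Parse a Netscreen ESP phase 2 name such as 'g2-esp-3des-sha' or 'nopfs-esp-des-md5'.
    Assumption: these predefined names are not listed in the paper."""
    pfs, proto, cipher, integrity = name.split("-")
    return Phase2(proto, None if cipher == "null" else cipher, integrity,
                  None if pfs == "nopfs" else int(pfs[1:]))


def w2k_phase2(setting: str, pfs: bool) -> Phase2:
    """Parse a Windows custom security method such as 'ESP_3des/sha1' or 'AH_md5'.
    Assumption: Windows session key PFS is modelled as DH group 2."""
    proto, _, rest = setting.partition("_")
    pfs_group = 2 if pfs else None
    if proto == "AH":
        return Phase2("ah", None, rest.replace("sha1", "sha"), pfs_group)
    cipher, integrity = rest.split("/")
    return Phase2("esp", None if cipher == "none" else cipher,
                  None if integrity == "none" else integrity.replace("sha1", "sha"),
                  pfs_group)


def negotiate(initiator, responder):
    """Return the first initiator proposal the responder also accepts, or None.
    The initiator offers its whole list in order; the responder picks one it has."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def weaknesses(p) -> list:
    """Flag agreed parameters a security reviewer would object to today."""
    out = []
    if p.cipher == "des":
        out.append("DES (56-bit key) is brute-forceable")
    if p.integrity == "md5":
        out.append("MD5 is deprecated for IPSec integrity")
    if isinstance(p, Phase1) and p.dh_group == 1:
        out.append("DH group 1 (768-bit) is too small")
    if isinstance(p, Phase2) and p.protocol == "esp" and p.cipher is None:
        out.append("ESP with no cipher gives no confidentiality")
    if isinstance(p, Phase2) and p.integrity is None:
        out.append("ESP with no integrity check allows undetected tampering")
    return out


# Assumed Windows 2000 default key exchange list: two 3DES/group 2 and two
# DES/group 1 entries, which is why the paper says only two proposals need adding.
W2K_DEFAULT_P1 = [
    w2k_phase1("3DES", "SHA1", "Medium (2)"),
    w2k_phase1("3DES", "MD5", "Medium (2)"),
    w2k_phase1("DES", "SHA1", "Low (1)"),
    w2k_phase1("DES", "MD5", "Low (1)"),
]
# The list after steps 19-25: the two DES/group 2 entries added and moved to the top.
W2K_TUNED_P1 = [
    w2k_phase1("DES", "MD5", "Medium (2)"),
    w2k_phase1("DES", "SHA1", "Medium (2)"),
] + W2K_DEFAULT_P1

if __name__ == "__main__":
    gateway = [ns_phase1("pre-g2-des-md5")]        # the paper's Netscreen example
    print("defaults vs pre-g2-des-md5:", negotiate(W2K_DEFAULT_P1, gateway))
    chosen = negotiate(W2K_TUNED_P1, gateway)
    print("tuned    vs pre-g2-des-md5:", chosen, weaknesses(chosen))
    win_p2 = [w2k_phase2("ESP_3des/sha1", pfs=True)]
    print("PFS on vs nopfs-esp-3des-sha:", negotiate(win_p2, [ns_phase2("nopfs-esp-3des-sha")]))
    print("PFS on vs g2-esp-3des-sha   :", negotiate(win_p2, [ns_phase2("g2-esp-3des-sha")]))
```

Run as is, the first line shows why the untouched Windows defaults never agree with a pre-g2-des-md5 gateway (the only DES entries are group 1), the second shows the match after steps 19-25 along with the DES/MD5 warnings, and the last two show that Session key PFS checked on the Windows side pairs only with a g2- phase 2 proposal, not a nopfs- one. Edit the lists to mirror your own dialogs before concluding that a failed tunnel is a proposal problem.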