As Nick said, my team is happy to talk to you about setting up the firewall
and VPN, and Nicholas is the right person.

I'm not certain what version of ScreenOS you are running, but I picked 6.2
for my example.  Other versions will have different sections and page numbers.

If you look in the Concepts and Examples guide (CE) there is a section
on VPNs.  In 6.2 it is volume 5.  Within the VPN section you likely will
want to use the dialup VPN example for your installation.  Chapter 5 is
about Dialup VPNs, starting on page 173.

I hope this helps.

Joe

--
Joe Budzyn                               [log in to unmask]
301 Computer Center                      Ph: (517) 432-7448
Michigan State University
East Lansing, MI 48824

On Thu, Oct 15, 2009 at 09:24:26AM -0400, Kwiatkowski, Nicholas wrote:
> Stefan,
> 
> You may want to contact the ATS Network Security group for this.  They got this working for us in exactly the mode you are looking for.  Nicholas Oas is our contact and is pretty familiar with our setup.
> 
> What it boils down to is you have to set up a static user-id that allows authentication for phase-1 authentication with a PSK.  You would then need to set up Extended Authentication that you can tie to the Active Directory authentication.  Without turning on that Extended Authentication mode, you can only have one person connected at a time per account configuration.
> 
> We currently have about 150+ users configured in this mode, some of them use it 8 hours a day.  It works really well.
> 
> If you continue to use the NetScreen Remote software, you can actually bake all the settings into a configuration file, so all the user would have to do is double click the configuration file and everything is set up.  For Mac OS X, we've deployed VPN Tracker from Equinux which is a pretty nice program as well (but does cost money).
> 
> -Nick Kwiatkowski
>  MSU Telecom Systems
> 
> -----Original Message-----
> From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Stefan Ozminski
> Sent: Wednesday, October 14, 2009 7:58 PM
> To: [log in to unmask]
> Subject: [MSUNAG] Juniper SSG 140 configuration with LDAP authentication (Active Directory)
> 
> We have a Juniper Secure Services Gateway 140 (a firewall), which is a 
> model that does not support the web based authentication and vpn 
> connection used at vpn.msu.edu.  The software that Juniper offers is 
> Netscreen-Remote for the client (supported on Windows, and not the Mac).
> 
> Admittedly, the Juniper SSG 140 has good security protocols for the vpn, 
> and there are some nice pictures in the documentation.  But the 
> documentation is voluminous and the numerous restrictions for what 
> options can be combined are not documented well.  But the client 
> software is not well integrated with the secure gateway server.  The 
> options for the different phases of negotiating the encryption for the 
> vpn tunnel are in very different places, and the names are not the same 
> between the server interface and the client configuration interface.
> 
> I can create a single user vpn that supports L2TP with IPsec and a 
> dynamic address (i.e. DHCP) on the client.
> 
> I can create a multiple user vpn that only works with a fixed address on 
> the client.
> 
> If I try to mix the two, the SSG 140 won't let me get past the Phase 1 
> negotiations.  I looked through the documentation several times, and 
> searched the Juniper website, and the multiple user vpn with dynamic 
> address combination is not offered as an option.
> 
> Has anyone found a configuration that supports a dynamic address on the 
> client, a preshared key, a single IKE user account that permits multiple 
> logins, and extended authentication through LDAP to a Windows Active 
> Directory domain?
> 
> If you have done it with certificates, I would like to hear about that too.
> 
> If I get any responses, I can summarize to the list.
> 
> -Stefan
> 
> KBS Computer Services Helpdesk:
> [log in to unmask]
> 269-671-2100 (from campus 199-2100)
> 
> Stefan Ozminski
> Computer Services
> W.K. Kellogg Biological Station
> Michigan State University
> 3700 E. Gull Lake Dr.
> Hickory Corners, MI  49060
> Phone: 269-671-4427 (from campus 199-4427)
> [log in to unmask]
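The setup Nick describes (one static IKE identity with a pre-shared key for phase 1, XAuth against Active Directory over LDAP for per-user logins, and a share limit so the single IKE user can be used by many clients at once) sketched as ScreenOS CLI. This is an added illustration, not configuration from anyone on the thread; the server name, DN, interface, user and gateway names are assumed placeholders, the PSK must be replaced, and the exact keywords should be checked against the CE guide for the ScreenOS version actually running.

```text
# --- Authentication server: Active Directory reached over LDAP (assumed values) ---
set auth-server "AD-LDAP" server-name "dc1.example.edu"
set auth-server "AD-LDAP" type ldap
set auth-server "AD-LDAP" ldap cn "sAMAccountName"
set auth-server "AD-LDAP" ldap dn "ou=People,dc=example,dc=edu"
set auth-server "AD-LDAP" ldap port 389

# --- Phase-1 identity: one IKE user shared by all dial-up clients ---
# share-limit 1 (the default) is the "one person at a time" situation Nick
# describes; raising it lets many clients present the same IKE ID.
set user "vpn-dialup" type ike
set user "vpn-dialup" ike-id u-fqdn "vpn-dialup.example.edu" share-limit 200

# --- IKE gateway for dynamic-address clients: aggressive mode + PSK ---
set ike gateway "gw-dialup" dialup "vpn-dialup" aggressive outgoing-interface "ethernet0/0" preshare "REPLACE-WITH-REAL-PSK" proposal "pre-g2-aes128-sha"

# --- Extended Authentication: the per-user credential check goes to AD ---
set ike gateway "gw-dialup" xauth server "AD-LDAP"

# --- Phase-2 VPN bound to that gateway ---
set vpn "vpn-dialup" gateway "gw-dialup" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
```

The point for the defender is that the PSK only identifies the client software as belonging to the site; the individual user is authenticated (and logged) by the XAuth step against AD, so a leaked PSK alone does not grant a tunnel.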