App Note: Netscreen IPsec VPN

v1.0 (2007/04/20)

Introduction

This application note describes how to configure a Netscreen IPsec VPN to utilize OTP authentication. Readers are expected to already be familiar with IPsec VPN configuration in general on the Netscreen, and only OTP-specific information is presented. Readers are also expected to be familiar with TRI-D Systems' OTP software (otpd et al.) and configuration, and no information on that is presented, as there are no Netscreen-specific parameters to be configured.

In order to use OTP authentication with an IPsec VPN, a client that supports xauth authentication must be used. Most IPsec VPN clients support this. Because of the wide range of IPsec VPN clients, no configuration guidelines are given for them. However, configuring xauth on the client is a trivial task once the other VPN settings are set up.

Configuration

First, the Netscreen has to be configured to use RADIUS authentication. This example configures a RADIUS server named 'radius' at IP address '192.168.0.1' and a backup server at IP address '192.168.0.2', with the RADIUS secret 'secret':

netscreen-> set auth-server radius
netscreen-> set auth-server radius server-name 192.168.0.1
netscreen-> set auth-server radius backup1 192.168.0.2
netscreen-> set auth-server radius account-type xauth
netscreen-> set auth-server radius radius port 1812
netscreen-> set auth-server radius radius secret secret

Note that the primary and backup RADIUS servers must use the same secret. Also note that this is not a load-balanced configuration. The primary server (192.168.0.1 in this example) is always tried first, and the backup server is contacted only after the primary times out.

The default RADIUS timeout on the Netscreen is 3 seconds, with 3 retries. This is compatible with the default otpd timeout setting of 11700ms. The Netscreen RADIUS timeout and retry settings are simple to verify:

netscreen-> get auth-server radius
Id     :   1                 Auth Server   : radius
Type   : Radius              Server Name/IP: 192.168.0.1
Backup1: 192.168.0.2         Backup2       :
Idle Timeout:   10           Account Type  : xauth
Forced Timeout: 0 (Disabled)
Fail-over revert interval: Disabled
Radius shared secret: ...
Radius server port  : 1812
Radius retry timeout: 3 second(s), Number of retries: 3

If the timeout and retry settings are not as above, then otpd's timeout setting will need to be adjusted to match. Consult the otpd configuration file (/etc/otpd.conf by default) for detailed notes on the proper timeout setting.
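As an added example (not part of the app note or of TRI-D's software), the following Python check parses the `get auth-server radius` output shown above and compares the Netscreen's total RADIUS wait with otpd's timeout. It assumes the Netscreen makes one initial request plus the listed number of retries, each waiting the retry timeout, and that otpd's timeout must be shorter than that total so otpd always answers before the Netscreen gives up and fails over.

```python
import re

# Constructed copy of the `get auth-server radius` output from the app note,
# used here as sample input for the check.
SAMPLE_OUTPUT = """\
Id     :   1                 Auth Server   : radius
Type   : Radius              Server Name/IP: 192.168.0.1
Backup1: 192.168.0.2         Backup2       :
Idle Timeout:   10           Account Type  : xauth
Forced Timeout: 0 (Disabled)
Fail-over revert interval: Disabled
Radius shared secret: ...
Radius server port  : 1812
Radius retry timeout: 3 second(s), Number of retries: 3
"""

OTPD_DEFAULT_TIMEOUT_MS = 11700  # otpd default named in the app note


def parse_auth_server(output):
    """Extract the fields this check needs from `get auth-server radius`."""
    fields = {}
    m = re.search(r"Account Type\s*:\s*(\S+)", output)
    fields["account_type"] = m.group(1) if m else None
    m = re.search(r"Radius retry timeout:\s*(\d+) second\(s\),"
                  r" Number of retries:\s*(\d+)", output)
    if not m:
        raise ValueError("retry timeout line not found in output")
    fields["retry_timeout_s"] = int(m.group(1))
    fields["retries"] = int(m.group(2))
    return fields


def netscreen_wait_ms(fields):
    """Total time the Netscreen waits on the primary RADIUS server.
    Assumption: one initial request plus each retry, each lasting the
    retry timeout (3 s x 4 attempts = 12000 ms for the page's defaults)."""
    return fields["retry_timeout_s"] * 1000 * (1 + fields["retries"])


def check_compat(output, otpd_timeout_ms=OTPD_DEFAULT_TIMEOUT_MS):
    """Return a list of problems; an empty list means the settings agree."""
    fields = parse_auth_server(output)
    problems = []
    if fields["account_type"] != "xauth":
        problems.append("account-type is %r, xauth required" % fields["account_type"])
    total = netscreen_wait_ms(fields)
    if otpd_timeout_ms >= total:
        problems.append("otpd timeout %d ms is not shorter than the Netscreen's"
                        " %d ms total RADIUS wait" % (otpd_timeout_ms, total))
    return problems
```

Feed the script the live output of `get auth-server radius` instead of the constructed sample after changing either side's timeout.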

The RADIUS servers will, of course, have to be configured to add the Netscreen as a client.

After configuring the RADIUS server on the Netscreen, the IKE gateway must be configured to use xauth, authenticating against that RADIUS server. This example configures the gateway named 'dialup' to use xauth with the RADIUS server configured above:

netscreen-> set ike gateway dialup xauth server radius

Please contact support@tri-dsystems.com if you require further assistance.