{ Here's the config; ignore the IPv6 sections for now. }
# Tunnel interface for the dial-up VPN, bound to the physical "wan1" interface.
config system interface
edit "DYNAMIC"
set vdom "root"
set type tunnel
# snmp-index is normally assigned by the unit and carried along in backups; not something to hand-edit.
set snmp-index 8
set interface "wan1"
next
end
# DHCP server that hands addresses to dial-up IPsec clients (server-type ipsec) on the "DYNAMIC" tunnel interface.
config system dhcp server
edit 3
set domain "socpuppets.com"
set wins-server1 192.168.1.201
set wins-server2 192.168.1.202
# NOTE(review): no ip-range appears in this listing, and 10.11.1.1 is also the start-ip of the
# "DYNAMIC_range" address object below; confirm the pool handed to clients does not include the gateway.
set default-gateway 10.11.1.1
set netmask 255.255.255.0
set interface "DYNAMIC"
set timezone-option specify
set timezone 24
set server-type ipsec
set dns-server1 8.8.8.8
set dns-server2 8.8.4.4
# NOTE(review): 8.8.6.6 is not one of Google's published resolvers (8.8.8.8 / 8.8.4.4); looks like a typo - verify.
set dns-server3 8.8.6.6
next
end
# IPv6 DHCP server on the same tunnel interface (the post says to ignore IPv6 for now).
# 2001:db8::/32 is the RFC 3849 documentation prefix, so this subnet is a placeholder rather than routable space.
config system dhcp6 server
edit 1
set subnet 2001:db8:99:100::/64
set interface "DYNAMIC"
next
end
# Address object covering the client pool; used as srcaddr in the IPv4 policy (edit 2) below.
config firewall address
edit "DYNAMIC_range"
# uuid is generated by the unit when the object is created.
set uuid a7a40fbc-6381-51e8-4997-9d6734e501f7
set type iprange
set comment "VPN: DYNAMIC (Created by VPN wizard)"
# NOTE(review): the range starts at 10.11.1.1, which the DHCP server above advertises as default-gateway;
# confirm the overlap is intended.
set start-ip 10.11.1.1
set end-ip 10.11.1.100
next
end
# Address group of internal networks - presumably the split-tunnel destinations, going by the name.
# The member objects are defined elsewhere, and this group is not referenced by any policy or phase2 shown here.
config firewall addrgrp
edit "DYNAMIC_split"
set uuid a68a98d0-6381-51e8-ec77-cae52f49aee9
set member "NET_192_168_1" "NET_192_168_2"
set comment "VPN NETWORKS TO ALLOW"
next
end
# IKE phase 1 for dial-up (dynamic peer) clients terminating on "wan1".
config vpn ipsec phase1-interface
edit "DYNAMIC"
set type dynamic
set interface "wan1"
# NOTE(review): aggressive mode with a pre-shared key and peertype any accepts any peer identity and
# exchanges the identity/hash payloads before encryption is established; prefer main mode, or IKEv2
# with certificates, where the client supports it.
set mode aggressive
set peertype any
# NOTE(review): md5 and sha1 remain in the proposal list; keep only the sha256 proposal unless the NCP client needs the older ones.
set proposal aes128-sha1 aes128-md5 aes128-sha256
set localid "brooklyn.socpuppets.com"
set dpd on-idle
set comments "VPN: DYNAMIC (Created by VPN wizard)"
# NOTE(review): DH group 5 (1536-bit MODP) is below current recommendations; use group 14 or higher if the client supports it.
set dhgrp 5
set wizard-type dialup-cisco
# XAuth is on; the only user group allowed to authenticate is "Guest-group" - confirm that group is intended for VPN access.
set xauthtype auto
set authusrgrp "Guest-group"
set idle-timeout enable
# NOTE(review): the PSK appears in cleartext in this published listing; treat it as compromised and rotate it.
set psksecret d!onthackme12345!
# DPD: up to 10 retries, 120 seconds apart, before the peer is declared dead (roughly 20 minutes).
set dpd-retrycount 10
set dpd-retryinterval 120
next
end
# IKE phase 2 selectors bound to phase 1 "DYNAMIC": one IPv4 entry (no selectors set, so defaults apply) and one IPv6 entry.
config vpn ipsec phase2-interface
edit "DYNAMIC"
set phase1name "DYNAMIC"
# NOTE(review): md5 and sha1 integrity remain in the phase 2 proposal; keep aes256-sha256 unless the client needs the others.
set proposal aes256-sha256 aes256-md5 aes256-sha1
# NOTE(review): PFS is disabled, so phase 2 keys derive from the phase 1 secret; enable pfs if the client supports it.
set pfs disable
set keepalive enable
set comments "PHASE2-IPSEC-PROFILE"
next
# IPv6 selector: source is the "IPV6" address object, destination "all".
# keylifeseconds is set only on this entry; the IPv4 entry above keeps the default.
edit "DYNAMIC_ipv6"
set phase1name "DYNAMIC"
set proposal aes256-sha256 aes256-md5 aes256-sha1
set pfs disable
set keepalive enable
set src-addr-type name6
set dst-addr-type name6
set keylifeseconds 3600
set src-name6 "IPV6"
set dst-name6 "all"
next
end
# IPv4 policy: traffic arriving on the tunnel from the client pool may reach anything on "internal".
config firewall policy
edit 2
set name "DYNAMIC_remote"
set uuid a7e11da8-6381-51e8-0bad-bbae1f5ebd7c
set srcintf "DYNAMIC"
set dstintf "internal"
set srcaddr "DYNAMIC_range"
# NOTE(review): dstaddr "all" with service "ALL" gives VPN clients unrestricted access to the internal
# segment; the "DYNAMIC_split" group above could narrow dstaddr.
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set comments "ALLOW TRAFFIC TO INTERNAL NETWORK"
# NOTE(review): with nat enable, internal hosts presumably see the firewall's interface address rather
# than the client's, which hides the client in their logs. No logtraffic setting appears here - verify
# the default so VPN sessions are actually logged.
set nat enable
next
end
# IPv6 policy mirroring edit 2 above: no name or comments set, and again dstaddr "all" with service "ALL".
config firewall policy6
edit 1
set uuid caf67dac-6457-51e8-0ad7-1f663adda99a
set srcintf "DYNAMIC"
set dstintf "internal"
set srcaddr "IPV6"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
The NCP client running on this Mac OS X 10.10.5 machine is NCP client 3.0.0 build 38902.
Now, in my example the DHCP server is local, but we could have used a DHCP relay instead.
Once the client has passed phase 1/2, the firewall provides the DHCP-assigned address.
NSE (Network Security Expert) and Routing/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \