30 Dec 2008

Juniper: Create a policy based VPN tunnel between two sites for NetScreen devices

Juniper devices are my personal favorites. They are as robust and as complicated as Cisco's, but they sell for a fraction of what Cisco charges for comparable products. We currently use NetScreen and SA boxes exclusively to provide secure VPN connections between our 20+ offices across the US.

The NetScreen built-in help is comprehensive and easy to follow, but it is still a long read for a rookie who just needs a tunnel between two locations. I am going to cut the extra steps out and, assuming the device is already set up and has an Internet connection, jump straight to the quick and dirty tunnel setup.

Almost all NetScreen devices, even the oldest and cheapest models, are VPN capable. Most older models like the NS5 have one trust interface (the LAN side) and one untrust interface (the WAN side); from this point forward I will refer to the LAN and WAN sides as trust and untrust. Devices like the NS5GT have a built-in 4 port switch, so you can connect several computers directly to the trust ports. Those ports can also be split into other port modes: untrust/trust (the default), home/work (two home and two work ports to keep the two networks apart), dual untrust (redundant WAN), and combined (redundant untrust, two home and one work zones). We will be covering the default trust/untrust port mode. One tip if you decide to use home/work mode: once your tunnels are done you still have to create policies to allow access from home to work or the other way around, because zones never talk to each other without a policy.

This tutorial explains a quick and dirty setup to create a VPN tunnel between two NS5GT devices. If I don’t explain an option, it is not absolutely necessary for a VPN tunnel; leave it alone and experiment with it once you’ve learned how it’s done. The basics are the same and can be found in pretty much the same spot on different devices. Here are the given values (example addresses; substitute your own):

Site A:
WAN IP: 8.8.8.1/27
LAN IP: 10.10.0.0/22

Site B:
WAN IP: 8.8.9.1/26
LAN IP: 192.168.36.0/24

The steps are identical on both devices, except where you enter the WAN and LAN information, so you will follow the steps below on both. I am going to start with the device installed in Site A:

  1. Expand Policies – Policy Elements – Addresses and click on List.
  2. With the Untrust zone selected, click New.
  3. Give the entry a name and enter the LAN information for Site B (Site A, on the device installed in Site B) in the IP box: 192.168.36.0/24. If you don’t know what /24 means, simply enter the subnet mask in full (255.255.255.0). Leave the zone as Untrust and click OK.
  4. Back in the Addresses screen, select Trust from the pull down menu and hit New. Enter the LAN information for the site in which this device is installed (Site A here; Site B for the device installed in Site B), same procedure as step 3. You now have one address book entry per zone: the remote LAN in Untrust and the local LAN in Trust.
  5. Expand VPNs – AutoKey Advanced and click on Gateway.
  6. Click New.
  7. Give your gateway a name, such as “Site B”, and enter Site B’s WAN address (Site A’s, on the device installed in Site B): 8.8.9.1. This is the peer’s public IP, not a network, so no mask goes here. Leave everything else alone, then click Advanced.
  8. Enter a preshared key. This is the secret both devices use to authenticate each other in IKE Phase 1, and it must be identical on Site A and Site B. Treat it like a root password: use a long random string (20 characters or more), not a word or the site name. The key itself never crosses the wire, but a weak one can be recovered offline from a captured aggressive mode exchange, so leave the gateway in main mode (the default for a peer with a static IP) and pick a strong key.
  9. Select the local interface on which the tunnel will operate, which is your WAN (untrust) port. If you’re not sure which one that is, expand Network – Interfaces and click List; the interface holding your public IP is the one you need.
  10. The simplest tunnel is Predefined, Standard. In ScreenOS, Standard means the pre-g2 proposals with 3DES or AES-128 and SHA-1; Basic and Compatible also admit DES and MD5, so avoid them. If you need a specific algorithm set, select User Defined, Custom. Since this is a quick and dirty tutorial we use Predefined, and the level must match on both devices.
  11. Click Return to go back, then click OK.
  12. Under the same menu (VPNs) click on AutoKey IKE.
  13. Click New.
  14. Give your VPN a name, like “Site A to Site B”.
  15. In the Predefined Remote Gateway box select the gateway you created in step 7 (“Site B”).
  16. Leave everything else in that screen alone and click Advanced.
  17. If you want VPN monitoring, check VPN Monitor towards the bottom of the screen; the device then sends ICMP probes through the tunnel and reports its state under VPNs – Monitor Status. Hit Return and then OK.

At this point the tunnel is defined, but nothing will use it yet: in a policy based VPN, traffic only enters the tunnel when a policy with action Tunnel matches it. So to allow access from one site to the other we have to create that policy.

  1. Expand Policy and click on Policies.
  2. At the top, select Untrust for “From” and Trust for “To” from the pull down menus, then hit New.
  3. Give your policy a name (optional).
  4. In Source Address, select Site B from the pull down menu (Site A for the device installed in Site B).
  5. In Destination Address, select Site A (Site B for the device installed in Site B).
  6. In Action, select Tunnel.
  7. In Tunnel, select the VPN name you chose in step 14 above.
  8. If you want bi-directional access, check the box next to Modify matching bidirectional VPN; the device then creates the mirrored Trust to Untrust policy for you. Leave it unchecked for a one-way policy, but note the direction: as built here (From Untrust, source Site B) it lets Site B open sessions to Site A and not the other way around. Swap the zones and addresses if Site A should be the initiator. The firewall is stateful, so replies to an allowed session still flow back through the tunnel either way.
  9. If you want logging, check the appropriate box. Logging tunnel policies costs little and is the first thing you will want when the other side complains it cannot reach you.
  10. Click OK.

w00t… you’re done. Once you have completed the steps at both sites you should be able to ping Site B computers from Site A and vice versa. If you can’t, check three things before touching the config again: VPNs – Monitor Status (or “get ike cookies” and “get sa” from the CLI) should show Phase 1 and Phase 2 up; the address book entries, the preshared key and the Predefined level must be mirrored exactly on both boxes, since a mismatched subnet or mask shows up as a Phase 2 proxy ID failure; and the hosts themselves must answer ICMP, because a host firewall that drops echo requests looks exactly like a broken tunnel.
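The same configuration as the WebUI steps above, expressed as ScreenOS CLI for the Site A box. This is an added example written for this page, not configuration from the original post or from a real device: it is reconstructed from the standard ScreenOS set commands, the names SiteA-LAN, SiteB-LAN, SiteB-GW and SiteA-to-SiteB and the policy ids 10 and 11 are my choices, the interface name untrust is the NS-5GT default, and the lines beginning with # are annotations for the reader, not CLI input.

```text
# Site A (LAN 10.10.0.0/22, public 8.8.8.1). "untrust" is the NS-5GT WAN
# interface name; on an SSG use the ethernet port that holds the public IP.
set address trust "SiteA-LAN" 10.10.0.0 255.255.252.0
set address untrust "SiteB-LAN" 192.168.36.0 255.255.255.0

# Phase 1 gateway: static peer, main mode, predefined Standard proposals.
# Replace the preshare value with your own long random secret.
set ike gateway "SiteB-GW" address 8.8.9.1 main outgoing-interface untrust preshare "REPLACE-WITH-A-LONG-RANDOM-SECRET" sec-level standard

# Phase 2 VPN bound to that gateway, same predefined level, with VPN monitor.
set vpn "SiteA-to-SiteB" gateway "SiteB-GW" sec-level standard
set vpn "SiteA-to-SiteB" monitor

# Tunnel policies. pair-policy ties the two directions together, which is
# what the "Modify matching bidirectional VPN" checkbox does in the WebUI.
# Drop policy 11 (and the pair-policy keyword on 10) for a one-way policy
# that only lets Site B initiate.
set policy id 10 from untrust to trust "SiteB-LAN" "SiteA-LAN" any tunnel vpn "SiteA-to-SiteB" pair-policy 11
set policy id 11 from trust to untrust "SiteA-LAN" "SiteB-LAN" any tunnel vpn "SiteA-to-SiteB" pair-policy 10
save

# Site B is the mirror image: SiteB-LAN goes in trust, SiteA-LAN in untrust,
# the gateway address is 8.8.8.1, and the preshare and sec-level are the same.

# Checks once both sides are done and a ping has crossed the tunnel:
get ike cookies     # one Phase 1 SA for peer 8.8.9.1
get sa active       # a Phase 2 SA pair for the VPN, status A/-, counters increasing
get policy          # both tunnel policies present with action Tunnel
```

Paste the set lines one block at a time and run save before testing; if get sa shows the SA inactive (I/I) after a ping, the first things to compare are the preshare, the sec-level and the two subnet masks, because those are the values the WebUI hides behind Predefined and the address book.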

Juniper: Create a policy based VPN tunnel between two sites for NetScreen devices by Ali, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Terms and conditions beyond the scope of this license may be available at insanelabs.com.

Comments (61) Trackbacks (0)
  1. zyprexa
    11:43 PM on March 3rd, 2009

    Very interesting site. Thank you.

  2. pisto_21
    11:28 AM on March 25th, 2009

    How about a Juniper site-to-client VPN tutorial?

  3. Ali
    11:47 AM on March 25th, 2009

    Basically the same. You create a tunnel from subnet to subnet or if you have an SA box (Juniper Secure Access) you can run NetConnect. Works exactly like Cisco VPN Client.

  4. Ted
    1:04 AM on April 16th, 2009

    Ali,

    I already have an existing site2site VPN tunnel with one remote network 192.168.1.0.
    Now I need to add another remote network 10.10.10.0 behind the other VPN endpoint.
    I created a new network under address and added the 2 policies (trust to untrust, untrust to trust).
    However, I couldn’t ping any ip on the 10.10.10.0 network from behind my local VPN endpoint (192.168.9.0)
    I am wondering what I am missing.

  5. Ali
    2:03 AM on April 16th, 2009

    Hey Ted,

    In order to be able to access the 3rd network in policy based tunneling, you will have to create new tunnels to connect the new network to your existing ones. For instance, if you have sites A, B and C, a tunnel from A to B with bi-directional VPN policies allows those two sites to see each other. Now, if you want your site C to see A, you will need another tunnel with a bi-directional policy between them. If C also wants to see B, then another tunnel and set of policies is required. Basically you will need three tunnels and sets of policies to connect three networks. Note that you can have one way policies if you only want to allow one site to see the other, and not the other way around.

    There is another way of creating tunnels called Route Based. With route based tunnels you can create a hub and spoke or main and branch type network, where sites can communicate with each other through the hub or main nodes. I was thinking about adding that next week… so either try new tunnels or check back late next week.

    Ali

  6. Ted
    4:41 AM on April 16th, 2009

    I really appreciate your quick response.

    I think I didn’t explain configuration clearly.
    I already have a tunnel between office A and office B (remote office). Office A has private network 192.168.9.0 and Office B has private 192.168.1.0 . Up to this point, traffic between offices A & B is fine.

    Problem: Office B (the remote office) just added another private network 10.10.10.0 to its LAN. Its LAN now has 2 networks (192.168.1.0 and 10.10.10.0) Users (PCs) from this new network (10.10.10.0) need to be able access my office A network (192.168.9.0). Its traffic is to go out its office existing VPN gateway to my existing office A VPN gateway and reach my office private network.

    Can one tunnel handle 2 or multiple private networks behind the same remote VPN gateway? These are not different sites; just 2 sites, with site B having 2 networks on its LAN.
    I’m told everything was set up on that end. I think office B has a Cisco ASA

    Thanks again.
    Ted

  7. Ali
    2:20 PM on April 16th, 2009

    Got it… You will still need a trust relationship between the networks as your remote site does not know about the existence of the 2nd subnet, but you can use the existing tunnel between the sites. Did you use a tunnel to create a policy or only created a permit policy? Permit won’t work in policy based tunneling… it has to be a tunnel policy. Create an untrust network for 10.10.10.0 and then create a tunnel policy like this:

    [screenshot of the tunnel policy, not preserved]

    That should do it.

  8. Ted
    9:00 PM on April 16th, 2009

    Hello, Ali.

    Thank you so much for your help.
    It works now. The remote office B net admin disabled ICMP echo. That’s why I could not ping. But they never told me that. I asked them to test accessing my network from there. They never replied. It was an urgent request to establish the route. I spent my odd hours figuring out the configuration.

    I am in the process of selecting a pair of VPN/FW boxes (failover/hot standby capable). I am thinking about the ASA 5510. Is the ASA a router as well?
    Would you recommend Cisco or Juniper equipment?
    I don’t have a team of network engineers. Just me. I need stability, simplicity, lower expenses.
    Thanks again.
    Ted

  9. Ali
    9:12 PM on April 16th, 2009

    Well that explains it!

    I would rather work with Juniper than Cisco. We don’t use Cisco equipment in any of our 23 offices and our average uptime is around 280 days for each unit. They use JunOS on all their units, so if you learn one you can use all. Their command line interface is very user friendly and a lot easier than Cisco’s. Cisco has the broader market share, but that does not necessarily make it the best. If you are a CCNA or CCNP, then you might have some fun configuring Cisco routers… but what buys you one Cisco router will buy you two or more Juniper units. Their units and support contracts are cheaper than Cisco’s as well. You will pay on average 8% of a unit’s price to get three years of professional Juniper support, vs I don’t know how much for Cisco. Cisco is better for your resume, though… so you will trade your resume for simplicity, stability and lower expense. They can be a big pain to maintain too.

  10. Ted
    3:21 PM on April 17th, 2009

    Thank you for your advice (career wise, and everything).
    I want to be proficient in both Juniper and Cisco networking equipment. Maybe this is a chance for me to have 2 products in production. My company is getting a new colo site for hosting. I will use Cisco in the colo.

    What is the one Juniper box that you would recommend for a VPN/FW job? I have 3 NS 204 boxes.

    I am looking forward to your advanced VPN configuration articles.
    Thank you for sharing your knowledge with the world.

  11. Ali
    3:32 PM on April 17th, 2009

    They just announced NS-204’s end of life and are recommending SSG140 and above. If you don’t need more than 25 VPN tunnels and 40mbit WAN then I recommend SSG5, but if you have many users and 100mbit WAN bandwidth then you may want to look at SSG20 or 140. SSG20 has a built-in T1 modem as well.

  12. Ash
    3:49 AM on May 28th, 2009

    Hi, I have two SSG20s working perfectly as you described in your tutorial, but I am now trying to add a third SSG20 for a new office.

    So Site B and Site A work perfectly and flawlessly, but I am now trying to get Site C connected to Site A, and I have a problem. I have created new tunnels, separate from Site B, so I have 2 tunnels. The problem I have is that it connects, then the connection is lost. I keep getting this problem. All SSG20 units have the latest firmware also. I’m stumped as to where the problem is. Further, great and simple tutorial.

  13. Ali
    8:58 AM on May 28th, 2009

    So I assume that you were able to find and fix the problem, right?

  14. Derek Gentry
    3:37 PM on September 15th, 2009

    Hey Ali,

    I have two NetScreen 5GT routers that will not establish a VPN with each other. I ran thru the config last night and then wiped it and started over again today. I really need some help. Would you be willing to help me out?

    Derek

  15. Ali
    1:23 PM on September 24th, 2009

    Sorry for late approval. I’m currently on vacation and will be back Friday… try to help you out as much as I can.

  16. Murtuza
    12:31 PM on September 27th, 2009

    I have 3 sites and all the sites are interconnected with netscreen (Site-to-Site Connectivity).
    Site A: 10.83.1.0
    Site B: 10.83.2.0
    Site C: 10.83.3.0

    Now I have a VPN client connection to site A. What I want is, if I am connected to site A through a VPN client connection, I should be able to access all three sites, i.e. along with Site A I should be able to access sites B and C. I don’t understand: if I have a client VPN connection to site A, and site A is interconnected to sites B and C, why am I not able to access sites B and C with the client VPN connection? Any help would be appreciated. Thanks

  17. Ali
    9:02 AM on September 29th, 2009

    So… for clarification, you have tunnels from A to B, A to C, and B to C. Which site is inaccessible from which site? Do you have bi-directional policies between all these sites?

  18. Ali
    9:02 AM on September 29th, 2009

    Derek – did you figure this out?

  19. Chop
    11:55 PM on November 25th, 2009

    Hi Ali,
    Out of curiosity, we have an SSG20 device that we want to set up in a similar fashion, however the “branch office” has a non-Juniper device. I have tried setting up the VPN between the 2 locations with different hardware and am about to lodge a support call. Is this even possible with a non-Juniper device? FYI, it’s a Linksys router at the other end that supposedly supports this.

  20. Ali
    11:23 AM on November 28th, 2009

    I think it’s possible but I’ve never done it. I just googled “vpn tunned linksys and juniper” and a few results came up :)

  21. Rory
    10:23 AM on December 17th, 2009

    Ali,

    I’ve been reading this thread and it is helpful. What approach would you suggest to connect two offices with multiple networks at each office and limited services allowed.
    Site A: 10.10.5.0/24 Data, 10.10.6.0/24 Voice
    Site B: 10.11.5.0/24 Data, 10.11.6.0/24 Voice

    Allow ping, ssh, http between data networks
    Allow h.322 between voice networks

    When I add a bidirectional policy it does not allow me to select multiple services.

  22. Ali
    10:45 AM on December 17th, 2009

    If your subnets can see each other then nothing needs to be done. A tunnel to one should allow devices to see the other subnet. If subnets are isolated then you will have to use proper routing to make them visible to each other or connect them to your unused ports and create new tunnels.

  23. Rory
    9:20 AM on December 18th, 2009

    When I add a bidirectional policy it does not allow me to select multiple services.

    Do I need to create a bidirectional policy for each service I want to allow? Or should I be using two policies, one for each direction?

    I don’t want to allow all services.

  24. Ali
    10:34 AM on December 18th, 2009

    What you are trying to do goes against the idea of an IPSec tunnel. Tunnels are created to allow two trusted sites to communicate with no limit – if you just want to allow services create policies and allow services, like the good old fashion port forwarding or hosting a server behind a firewall.

  25. Mohamed Nabih
    11:58 PM on March 21st, 2010

    dear Ali
    good day
    I have a Juniper SSG20 and I want to publish a server from my internal LAN on the Internet so I can access it from anywhere by real IP… can you help me…
    The server local IP is 10.0.0.44 and I have a real IP…
    Thank you

  26. Ali
    11:40 AM on March 22nd, 2010

    I masked your public IP.

    I assume you are trying to access your admin console. You can configure it by going to Network, Interfaces, List, find your public port, click edit and select services you want to allow under Service Options (WebUI to be specific). Then go to Configuration, Admin, Management to configure security options.

  27. val
    5:33 AM on August 27th, 2010

    Hi,

    I would like to know if it is possible to set up a route based vpn and a policy based vpn with the same gateway on a juniper SSG5 ??

    Thank you

  28. Ali
    9:16 AM on August 30th, 2010

    Yes, it is possible.

  29. saboteaur
    11:53 AM on September 22nd, 2010

    excellent!

  30. ibrahim
    4:33 AM on October 20th, 2010

    thanks

    But I need to connect 2 branches, one of which has a Juniper and the other only a Cisco router, so will this solution work with it too?

  31. wedding party
    12:54 PM on February 6th, 2011

    I tried viewing your blog through my mobile but the site layout was messed up. Is your site not optimized for mobile or is my mobile the problem? I am using a Sony Ericsson Xperia.

  32. Ali
    10:16 AM on February 7th, 2011

    Seems fine on Droid, IPhone and BlackBerry.

  33. Vidya
    8:47 PM on February 21st, 2011

    Could you please share the cli version of the great information provided.
    Thanks in advance.

  34. Balaji
    2:38 AM on February 22nd, 2011

    Hi Ali,

    Need your help. below is the setup.

    Site A: two networks (Firewall knows the two networks – directly connected)
    Site B: Multiple networks (Firewall knows only one network, rest of the network is handled by local LAN L3 switch)

    If I create a policy based VPN between these two sites, will I be able to create multiple policies with the same tunnel? Is it achievable?

  35. Ali
    11:35 AM on February 22nd, 2011

    Yes. Assign a network to each trust port and then create the policy, but in tunnel drop down use the tunnel you have already created.

  36. Ali
    11:36 AM on February 22nd, 2011

    Unfortunately I don’t have a CLI script to post.

  37. min
    1:37 AM on March 2nd, 2011

    Hello Ali,
    Can you help with my netscreen25 issue. I want to set up a MIP, public IP (3.3.3.3/32)pointing to my private IP(172.x.x.x/32). I’m trying to create vpn tunnel to remote site with 2 public IPs (1.1.1.1/32, 1.1.1.2/32). The reason is we both have the same private IP sets (172.x.x.x) so we can’t use them as src and remote IPs.

    Can I do this with policy rules?

  38. Ali
    1:00 PM on March 2nd, 2011

    I don’t understand your question. MIP is used to map public IP’s to private and has nothing to do with the tunnels as far as I know. I am not exactly sure about the 2nd question, though. I don’t think you can create a tunnel between subnets with same IP, but I might be wrong.

  39. santosh
    1:44 AM on August 17th, 2011

    ali,
    Is there any simulator or web demo available for the Juniper SSG 140 firewall?
    I am a newbie regarding the SSG 140… want to learn for my next project.

  40. Ali
    9:36 AM on August 17th, 2011

    I am not sure…

  41. tbde
    12:23 AM on September 8th, 2011

    Hi Ali,

    I am a newbie to the Juniper world and my enquiry is similar to the one raised by Murtuza. Forgive me if I missed the answer. A site-to-site IPSEC VPN exists between LAN (router) A and LAN (router) B. Client VPNs terminate on router A but have no connection to LAN B. Appreciate your help.

  42. tbde
    3:39 AM on September 8th, 2011

    Just to add more flesh to my earlier post,
    The site-to-site VPN is route-based (configured on router A between the Internet interface in the untrust zone and the remote peer device); the dialup VPN is policy-based, and the remote clients have access to all resources on the LAN but, as indicated earlier, do not have access to resources on LAN B.

  43. Stena
    4:03 AM on October 20th, 2011

    Ali,

    I need your expert advice. I have to connect my office site with a service provider’s site over a site to site IPsec VPN tunnel. I’m using a Juniper SSG5. Now the service provider is not giving me access to their subnet but to specific host IPs within their network, e.g. 192.168.4, 192.168.1.9 and 192.168.1.11.

    So how do I configure these remote IP details in the AutoKey IKE screen of the Phase 2 proposal, because on that screen it allows you to enter only 1 remote IP/netmask?

  44. Ali
    9:33 AM on October 20th, 2011

    Creating a tunnel from a subnet to subnet doesn’t necessarily mean you will have access to every computer or service on the other side. In a policy based tunnel you will have to create a policy after a tunnel is created to allow access from one side to the other. Therefore, you can have the provider’s IT limit their policy to allow your subnet access to those IP’s only instead of creating a two way any-any policy. There might be other ways of doing that but this is what I would recommend.

    As far as multiple IP’s, you can either create three policies or add the IP’s in Policy Elements, then select Multiple when you are creating the policy.
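The two situations raised in this thread, a second subnet behind a peer you already have a tunnel to (Ted, comment 7, and the multiple-network question in comment 34) and access to a handful of specific hosts on the far side (this comment), in ScreenOS CLI on the Site A box from the tutorial. This is an added example, not configuration from the original author or from a real device: it continues the tutorial’s names (SiteA-LAN, the VPN SiteA-to-SiteB, the 10.10.10.0/24 subnet from Ted’s question and the two host IPs from Stena’s), while Provider-VPN, the host entry names, the group name and the policy ids are invented for illustration, and the lines beginning with # are annotations, not CLI input.

```text
# Second subnet behind the Site B peer: no new gateway or VPN, only a new
# address entry and a policy pair that names the existing VPN.
set address untrust "SiteB-LAN2" 10.10.10.0 255.255.255.0
set policy id 12 from untrust to trust "SiteB-LAN2" "SiteA-LAN" any tunnel vpn "SiteA-to-SiteB" pair-policy 13
set policy id 13 from trust to untrust "SiteA-LAN" "SiteB-LAN2" any tunnel vpn "SiteA-to-SiteB" pair-policy 12

# A few specific hosts on a provider's side: /32 entries in an address group
# (the "Multiple" option in the WebUI), and a single one-way policy so only
# the local LAN can initiate sessions. "Provider-VPN" is assumed to exist,
# created the same way as SiteA-to-SiteB with the provider's gateway.
set address untrust "Prov-Host-9" 192.168.1.9 255.255.255.255
set address untrust "Prov-Host-11" 192.168.1.11 255.255.255.255
set group address untrust "Provider-Hosts" add "Prov-Host-9"
set group address untrust "Provider-Hosts" add "Prov-Host-11"
set policy id 20 from trust to untrust "SiteA-LAN" "Provider-Hosts" any tunnel vpn "Provider-VPN"
save

# After a test connection, confirm a Phase 2 SA exists for each new selector
# and that the new policy's counters move:
get sa active
get policy id 12
```

Both cases only work if the far end carries the matching selector: the Site B device needs a tunnel policy for 10.10.10.0/24 as well (on a Cisco, an entry in the crypto ACL), and the provider’s peer has to accept your LAN as the remote selector for each host. A Phase 2 that worked before and fails right after you add the group usually means the proxy ID your box derives from the group is not what the peer expects; compare the IKE messages in get event with the peer’s and, if needed, fall back to one policy per host, the other option mentioned above.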

  45. Stena
    12:05 AM on October 21st, 2011

    Ali, perfect. Thanks.

  46. Kamron Batman
    1:53 AM on June 13th, 2012

    I set up a site-to-site VPN for a client with static IPs on both sides. The side with the juniper has 5 static IPs. For some reason I cannot access the webUI remotely from the main IP. I am also not sure how to set up any of the other IPs in the block for this. Help!

  47. Ali
    10:09 AM on June 13th, 2012

    You have to bind management console to a port or IP.

  48. Jerry
    8:29 AM on August 15th, 2012

    Hi Ali,
    Do you know how many site to site VPNs can be set up using a Juniper SSG5?

    We have 2 ADSL connections, and need both to be handled by the SSG5.

    One part of the network (LAN) will use one site-to-site VPN over one ADSL connection to connect to remote site A.
    The other part of the network (LAN) will use a site-to-site VPN over the other ADSL connection to connect to remote site B.

    Thanks, Jerry

  49. Ali
    3:48 PM on August 15th, 2012

    Hello… it depends on your licensing. I believe they come in increments of 5, so if you have one you can most definitely connect up to 5 sites out of the box.

  50. Vadella
    9:00 AM on September 13th, 2012

    Hello All,

    How can I set up a second VPN connection on an untrust zone which already has another VPN interface?
    Please show me if there is some manual on how to perform that task.

    Thanks in advance,

  51. Ali
    10:25 AM on September 13th, 2012

    Same exact way you set up the first tunnel. You can have several tunnels using one untrust port, as your licensing allows.

  52. Vadella
    9:55 AM on September 14th, 2012

    Hi Ali,

    Since I’m relatively new to all the VPN/Juniper stuff, I have the following question:
    When I set up the second tunnel, can I use the same untrust IP address (which I got from my ISP) that the first VPN is using for the second tunnel, or should I provide a different IP address?
    For example I have: 192.92.99.1 (UnTrust IP address).
    Should I define: 192.92.99.2?

    Thanks a lot for your first answer.

  53. Ali
    9:56 AM on September 14th, 2012

    Yes you can. Like I said, exact same procedure and you should be fine :)

  54. Vadella
    10:18 AM on September 14th, 2012

    Great!
    Thanks a lot for quick response.

  55. Jochen
    10:02 AM on January 3rd, 2013

    Hi Ali,
    at the moment we’re trying to migrate an NS 5GT+ to an SSG20. After editing the current config of the NS 5GT+ and importing it to the SSG20, all of the base setup is up and running perfectly, except the Lan-2-Lan VPN. After many attempts, we set up the VPN from scratch on the SSG20 according to the old configuration on the NS 5GT+, but it’s still not working. All IPs are the same. We configured the interfaces on the SSG20 in groups to get the NS 5GT+ base with UT+DMZ+DMZ+HOME+HOME.
    The thing is that there seems to be action on the tunnel and the remote gateway is pingable, but it gets stuck with a Phase 2 error.
    Do you have any hint for me here? It’s a route-based Lan-2-Lan VPN with static IPs and a shared key, and it’s still working on the NS 5GT+.
    Best regards,
    Jochen

  56. Jochen
    5:16 AM on January 8th, 2013

    Anybody here!!

  57. Ali
    12:12 PM on January 8th, 2013

    Yes!

  58. Ali
    12:14 PM on January 8th, 2013

    I thought I replied to your question.

    Quite honestly, it is not easy to troubleshoot without access. If everything is working except what you mentioned, I suggest that you rebuild the tunnel. It seems to be an incompatible encryption or a wrong IP.
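
    The two causes Ali names for a Phase 2 failure (incompatible encryption and a wrong IP) can be checked offline by comparing both sides' Phase 2 proposals and proxy-IDs before rebuilding the tunnel. The script below is an added example, not code from the original post or from Juniper; it parses constructed ScreenOS-style `set vpn` lines (the exact CLI syntax is an assumption) and reports why Phase 2 would not complete.

```python
import re
import shlex

# Syntax modelled on the ScreenOS CLI (assumption: exact forms may vary by release).
PROPOSAL_RE = re.compile(r'^set vpn "?([^"\s]+)"? gateway \S+ proposal (.+)$')
PROXY_RE = re.compile(r'^set vpn "?([^"\s]+)"? proxy-id local-ip (\S+) remote-ip (\S+) "?([^"\s]+)"?$')


def parse_phase2(config_text):
    """Collect each VPN's Phase 2 proposals and proxy-ID from ScreenOS-style 'set vpn' lines."""
    vpns = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROPOSAL_RE.match(line)
        if m:
            vpn = vpns.setdefault(m.group(1), {"proposals": set()})
            vpn["proposals"].update(shlex.split(m.group(2)))  # shlex strips the quotes
            continue
        m = PROXY_RE.match(line)
        if m:
            vpn = vpns.setdefault(m.group(1), {"proposals": set()})
            vpn["local"], vpn["remote"], vpn["service"] = m.group(2), m.group(3), m.group(4)
    return vpns


def phase2_mismatches(config_a, vpn_a, config_b, vpn_b):
    """Return the reasons Phase 2 would fail between vpn_a on side A and vpn_b on side B."""
    a = parse_phase2(config_a)[vpn_a]
    b = parse_phase2(config_b)[vpn_b]
    problems = []
    if not (a["proposals"] & b["proposals"]):  # no cipher/hash/PFS set in common
        problems.append("no common Phase 2 proposal: A offers %s, B offers %s"
                        % (sorted(a["proposals"]), sorted(b["proposals"])))
    # Proxy-IDs must mirror each other: A's local network is B's remote one, and vice versa.
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        problems.append("proxy-IDs do not mirror: A %s->%s, B %s->%s"
                        % (a.get("local"), a.get("remote"), b.get("local"), b.get("remote")))
    if a.get("service") != b.get("service"):
        problems.append("proxy-ID service differs: A %s, B %s" % (a.get("service"), b.get("service")))
    return problems


# Constructed sample configs: the networks mirror correctly, but the ciphers do not overlap.
SITE_A = '''
set vpn "to-siteB" gateway "gw-siteB" proposal "g2-esp-3des-sha"
set vpn "to-siteB" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.2.0/24 "ANY"
'''
SITE_B = '''
set vpn "to-siteA" gateway "gw-siteA" proposal "nopfs-esp-aes128-sha" "g2-esp-aes128-sha"
set vpn "to-siteA" proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.1.0/24 "ANY"
'''
```

    Running `phase2_mismatches(SITE_A, "to-siteB", SITE_B, "to-siteA")` on the samples reports only the proposal mismatch; once both sides list a common proposal the list comes back empty.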

  59. Jochen
    4:12 AM on January 9th, 2013

    Hi Ali,
    thanks for your response. Adapting the NS5GT+ port scheme UT, DMZ, DMZ, T, T to the SSG20 group layout, could you please give me a group/interface relation map for the SSG20 showing which group/interface the VPN has to be bound to?
    Best regards,
    Jochen

  60. Ali
    10:30 AM on January 9th, 2013

    There is no pre-set mapping except they are usually grouped. Go to Interfaces and you can unbind ports from a group, then use each accordingly.

  61. Sli
    4:24 PM on February 13th, 2013

    I have an SSG20. What kind of VPN should I set up to allow user access from anywhere and then log in to webmail? Is it possible to set up?
