Ali Aboosaidi Umm… Unorthodox?

Juniper: Create a policy based VPN tunnel between two sites for NetScreen devices

Juniper devices are my personal favorites. While they are as robust and complicated as Cisco they are being sold at a fraction of what Cisco sells their similar products. We are currently using Netscreen and SA boxes exclusively to provide secure VPN connection between our 20+ offices across the US.

While Netscreen built-in help is quite comprehensive and easy to follow, it does not eliminate the need for a rookie to quickly setup a tunnel between two locations. I am going to cut the extra steps out of these instructions, and assuming you already have it setup and have Internet connection I jump right to the quick and dirty tunnel setup.

Almost all Netscreen devices, even the oldest and cheapest models are VPN capable. Most older models like NS5 have one trust (WAN side) and one untrust (LAN side). From this point forward I will refer to LAN and WAN connection as trust and untrust. Devices like NS5GT have a 4 port router built-in through which you can directly connect multiple computers to trust ports. However, it is also possible to isolate those ports and set them as untrust/trust (default mode), home/work (two home and two work ports to separate work and home networks), dual untrust (redundant WAN), and combined (redundant untrust, two home and one work zones). We will be covering the default port mode which is trust/untrust port mode. I just give you a tip if you decide to setup a home/work zone: once you are done with your tunnels you will have to create policies to allow access from home to work or the other way around!

This tutorial explains a quick and dirty setup to create a VPN tunnel between two NS5GT devices. If I don’t explain an options it means it’s not absolutely necessary for a VPN tunnel, so leave it alone and play around with them once you’ve learned how it’s done. Basics are all the same and can be found in pretty much the same spot on different devices. Here are given values:

Site A:
WAN IP: 8.8.8.1/27
LAN IP: 10.10.0.0/22

Site B:
WAN IP: 8.8.9.1/26
LAN IP: 192.168.36.0/24

Steps are identical on both devices, except when you will have to enter WAN and LAN info. So basically you will have to follow the steps below on both devices. I am going to start with the device installed in Site A:

1. Expand Policies – Policy Elements – Addresses and click on List.
2. With Untrust zone selected, click New.
3. Give your site a name and Enter LAN information for Site B in IP box (Site A for device installed in Site B): 192.168.36.0/24. If you don’t know what /24 means simply enter your subnet mask in its entirety (255.255.255.0). Leave zone as Untrust and click OK.
4. Now in Addresses screen, select Trust from pull down menu and hit New. Then enter LAN info for the site in which your device is installed (Site A, Site B for device installed in Site B). Same procedure as step 3 above.
5. Expand VPNs – AutoKey Advanced and click on Gateway.
6. Click New.
7. Give your Gateway a name, enter Site B WAN address (Site A for device installed in Site B): 8.8.9.1/26. Leave everything else alone, then click Advanced.
8. Enter a preshared key. That’s basically a password to secure communications between the VPN devices. This password should be the same for both Sites A and B.
9. Select your local interface on which your VPN tunnel will operate, which is your WAN port. If you’re not sure which port is your WAN, expand Network – Interfaces and click List. Interface assigned to your public IP is the one you need.
10. The simplest tunnel will be Predefined, Standard. For more complicated algorithm you can select User Defined, Custom. Since it’s a quick and dirty tutorial we are going to use Predefined.
11. Click Return to go back, then click OK.
12. Under the same menu (VPNs) click on AutoKey IKE.
13. Click New.
14. Give your VPN a name, like “Site A to Site B”.
15. You should now see “Site B” in Predefined Remote Gateway box – select it.
16. Leave everything else in that screen alone and click Advanced.
17. If you want VPN monitoring check the box VPN Monitor towards the bottom of the screen. Hit return and then OK.

At this point our VPN tunnel is complete. However, to allow access from one site to the other, we will have to create a policy.

1. Expand Policy and click on Policies.
2. At top, for “From” field select Untrust and for “To” select Trust from the pull down menus, then hit New.
3. Give your policy a name (optional).
4. In Source Address, select Site B from pull down menu (Site A for device installed in Site B).
5. In Destination, select Site A (Site B for device installed in Site B).
6. In action, select Tunnel.
7. In Tunnel, select the VPN name you chose in step 14 above.
8. If you want to allow bi-directional access, check the box next to Modify matching bidirectional VPN. Leave that box unchecked if you’d like to have a one way policy to allow access from Site A to B, but not the other way around.
9. If you want to enable logging, check the appropriate box.
10. Click OK.

That’s it… you’re done. Once you complete the steps in both sites you should be able to ping Site B computers from Site A and vice versa!

Yes, I do love Juniper! If you have specific questions feel free to ask.

Related posts:

1. Backup Exec: Transfer scheduled jobs, database and settings to a new backup server