Juniper: Create a policy based VPN tunnel between two sites for NetScreen devices

Juniper devices are my personal favorites. While they are as robust and capable as Cisco's, they sell at a fraction of what Cisco charges for similar products. We currently use NetScreen and SA boxes exclusively to provide secure VPN connections between our 20+ offices across the US.

While the NetScreen built-in help is quite comprehensive and easy to follow, it still does not let a rookie set up a tunnel between two locations quickly. I am going to cut the extra steps out of these instructions and, assuming the device is already set up and has an Internet connection, jump right to the quick and dirty tunnel setup.

Almost all NetScreen devices, even the oldest and cheapest models, are VPN capable. Older models like the NS-5 have one trust port (LAN side) and one untrust port (WAN side). From this point forward I will refer to the LAN and WAN connections as trust and untrust. Devices like the NS-5GT have a built-in 4-port switch through which you can connect multiple computers directly to trust ports. It is also possible to re-assign those ports with a port mode: trust/untrust (the default), home/work (two home and two work ports to separate the home and work networks), dual untrust (redundant WAN), and combined (redundant untrust, two home and one work port). We will be covering the default trust/untrust port mode. One tip if you decide to use home/work mode: once your tunnels are done you will still have to create policies to allow access from home to work or the other way around, because zones do not pass traffic to each other without a policy!

This tutorial explains a quick and dirty setup to create a VPN tunnel between two NS-5GT devices. If I don't explain an option, it is not necessary for a VPN tunnel, so leave it alone and play around with it once you've learned how it's done. The basics are all the same and can be found in pretty much the same spot on different devices. Here are the values used (the WAN addresses are placeholders standing in for each site's real public IP):

Site A:
WAN IP: 8.8.8.1/27
LAN IP: 10.10.0.0/22

Site B:
WAN IP: 8.8.9.1/26
LAN IP: 192.168.36.0/24

The steps are identical on both devices, except for where you enter the WAN and LAN information, so you will have to follow the steps below on both. I am going to start with the device installed at Site A:

  1. Expand Policies – Policy Elements – Addresses and click on List.
  2. With Untrust zone selected, click New.
  3. Give the remote site a name and enter Site B's LAN in the IP box (Site A's LAN if you are on the device installed at Site B): 192.168.36.0/24. If you don't know what /24 means, simply enter the subnet mask in its entirety (255.255.255.0). Leave the zone as Untrust and click OK.
  4. Back in the Addresses screen, select Trust from the pull-down menu and hit New. Then enter the LAN of the site where this device is installed (Site A, or Site B for the device installed at Site B). Same procedure as step 3 above.
  5. Expand VPNs – AutoKey Advanced and click on Gateway.
  6. Click New.
  7. Give your gateway a name and enter Site B's public WAN address (Site A's for the device installed at Site B): 8.8.9.1. This is the peer's single host address, so the /26 mask is not entered here. Leave everything else alone, then click Advanced.
  8. Enter a preshared key. This is the password that authenticates the two VPN devices to each other, so make it long and random rather than a dictionary word. It must be identical at Site A and Site B.
  9. Select the local interface on which your VPN tunnel will operate, which is your WAN port. If you're not sure which port is your WAN, expand Network – Interfaces and click List. The interface assigned to your public IP is the one you need.
  10. The simplest choice is Predefined, Standard, which negotiates 3DES or AES-128 with SHA-1 and DH group 2. Avoid the Basic and Compatible sets, which still allow DES, MD5 and DH group 1; if you need specific algorithms use User Defined, Custom. Since it's a quick and dirty tutorial we are going to use Predefined Standard.
  11. Click Return to go back, then click OK.
  12. Under the same menu (VPNs) click on AutoKey IKE.
  13. Click New.
  14. Give your VPN a name, like “Site A to Site B”.
  15. You should now see the gateway you named in step 7 (for example “Site B”) in the Predefined Remote Gateway box – select it.
  16. Leave everything else in that screen alone and click Advanced.
  17. If you want VPN monitoring check the box VPN Monitor towards the bottom of the screen. Hit return and then OK.

At this point the VPN tunnel is configured, but nothing can use it yet: in a policy-based VPN, traffic only enters the tunnel (and IKE only negotiates) when a policy with action Tunnel matches it. To allow access from one site to the other, we have to create that policy.

  1. Expand Policies and click on Policies.
  2. At the top, select Untrust in the “From” field and Trust in the “To” field from the pull-down menus, then hit New.
  3. Give your policy a name (optional).
  4. In Source Address, select Site B from pull down menu (Site A for device installed in Site B).
  5. In Destination, select Site A (Site B for device installed in Site B).
  6. In Action, select Tunnel.
  7. In Tunnel, select the VPN you named in step 14 above.
  8. If you want bi-directional access, check the box next to Modify matching bidirectional VPN policy; that creates the matching Trust-to-Untrust policy for you. Leave it unchecked for a one-way policy: with the source and destination chosen above, that allows Site B hosts to reach Site A but not the other way around.
  9. If you want to enable logging, check the appropriate box.
  10. Click OK.

w00t… you're done. Once you complete the steps at both sites you should be able to ping Site B computers from Site A and vice versa (assuming nothing on either LAN blocks ICMP).
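For readers who prefer the CLI, here is the equivalent ScreenOS configuration for the Site A device, with the Site B mirror after it. This is an added example keyed to the steps above, not configuration from the original post. The object names (SiteB-LAN, SiteA-LAN, SiteB-GW, SiteA-to-SiteB) and the policy IDs are my own choices; the interface name untrust is the NS-5GT's WAN interface in trust/untrust port mode, so on an SSG you would substitute the ethernetX/Y interface that carries your public IP. Generate the preshared key on a workstation (for example `openssl rand -base64 32`) and paste the same string on both devices.

```screenos
## ---- Site A (NS-5GT, trust/untrust port mode) ----
## Address book entries (steps 3 and 4). 10.10.0.0/22 is mask 255.255.252.0.
set address "Untrust" "SiteB-LAN" 192.168.36.0 255.255.255.0
set address "Trust"   "SiteA-LAN" 10.10.0.0 255.255.252.0

## Phase 1 gateway (steps 5-11): peer public IP, Main mode (both sides have static
## IPs), outgoing interface = WAN port, preshared key, Predefined Standard proposals.
## REPLACE-WITH-LONG-RANDOM-KEY is a placeholder, not a real key.
set ike gateway "SiteB-GW" address 8.8.9.1 Main outgoing-interface "untrust" preshare "REPLACE-WITH-LONG-RANDOM-KEY" sec-level standard

## Phase 2 VPN (steps 12-17), with VPN monitor as in step 17.
set vpn "SiteA-to-SiteB" gateway "SiteB-GW" sec-level standard
set vpn "SiteA-to-SiteB" monitor

## Tunnel policies (policy steps 1-10). Policy 10 is the Untrust->Trust policy the
## GUI creates; policy 11 is what "Modify matching bidirectional VPN policy" adds,
## and pair-policy links the two. Use "permit" here and the tunnel will never come up.
set policy id 10 from "Untrust" to "Trust" "SiteB-LAN" "SiteA-LAN" "ANY" tunnel vpn "SiteA-to-SiteB" log
set policy id 11 from "Trust" to "Untrust" "SiteA-LAN" "SiteB-LAN" "ANY" tunnel vpn "SiteA-to-SiteB" pair-policy 10 log
save

## ---- Site B (same steps, addresses and names swapped) ----
set address "Untrust" "SiteA-LAN" 10.10.0.0 255.255.252.0
set address "Trust"   "SiteB-LAN" 192.168.36.0 255.255.255.0
set ike gateway "SiteA-GW" address 8.8.8.1 Main outgoing-interface "untrust" preshare "REPLACE-WITH-LONG-RANDOM-KEY" sec-level standard
set vpn "SiteB-to-SiteA" gateway "SiteA-GW" sec-level standard
set vpn "SiteB-to-SiteA" monitor
set policy id 10 from "Untrust" to "Trust" "SiteA-LAN" "SiteB-LAN" "ANY" tunnel vpn "SiteB-to-SiteA" log
set policy id 11 from "Trust" to "Untrust" "SiteB-LAN" "SiteA-LAN" "ANY" tunnel vpn "SiteB-to-SiteA" pair-policy 10 log
save

## ---- Checking it (run on either side after sending traffic across) ----
get ike cookies        # Phase 1 SA with the peer should be listed
get sa active          # Phase 2 SAs for the VPN, status A/- once up
get policy             # both tunnel policies present, in the expected order
```

The two policies must reference exactly the address objects you created, and the source/destination pair must be mirrored at the other site; a mismatch between the two sides' subnets (the Phase 2 proxy IDs) is the usual cause of a tunnel that negotiates Phase 1 and then fails.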

CC0 1.0
To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.

61 thoughts on “Juniper: Create a policy based VPN tunnel between two sites for NetScreen devices”

    • Ali says:

      Basically the same. You create a tunnel from subnet to subnet or if you have an SA box (Juniper Secure Access) you can run NetConnect. Works exactly like Cisco VPN Client.

  1. Ted says:

    Ali,

    I already have an existing site2site VPN tunnel with one remote network 192.168.1.0.
    Now I need to add another remote network 10.10.10.0 behind the other VPN endpoint.
    I created a new network under address and added the 2 policies (trust to untrust, untrust to trust).
    However, I couldn’t ping any ip on the 10.10.10.0 network from behind my local VPN endpoint (192.168.9.0)
    I am wondering what i am missing.

    • Hey Ted,

      In order to be able to access the 3rd network in policy based tunneling, you will have to create new tunnels to connect the new network to your existing one. For instance, if you have sites A, B and C, a tunnel from A to B with bi-directional VPN policies allows those two sites to see each other. Now, if you want your site C to see A, you will need another tunnel with a bi-directional policy between them. If C also wants to see B, then another tunnel and set of policies is required. Basically you will need three tunnels and sets of policies to connect three networks. Note that you can have one way policies if you only want to allow one site to see the other, and not the other way around.

      There is another way of creating tunnels called Route Based. With route based tunnels you can create a hub and spoke or main and branch type network, where sites can communicate with each other through the hub or main nodes. I was thinking about adding that next week… so either try new tunnels or check back late next week.

      Ali

  2. Ted says:

    I really appreciate your quick response.

    I think I didn’t explain configuration clearly.
    I already have a tunnel between office A and office B (remote office). Office A has private network 192.168.9.0 and Office B has private 192.168.1.0 . Up to this point, traffic between offices A & B is fine.

    Problem: Office B (the remote office) just added another private network 10.10.10.0 to its LAN. Its LAN now has 2 networks (192.168.1.0 and 10.10.10.0) Users (PCs) from this new network (10.10.10.0) need to be able access my office A network (192.168.9.0). Its traffic is to go out its office existing VPN gateway to my existing office A VPN gateway and reach my office private network.

    Can one tunnel handle 2 or multiple private networks behind the same remote VPN gateway? This is not different sites. Just 2 sites with site B has 2 networks on its LAN.
    I’m told everything was set up on that end. I think office B has a Cisco ASA

    Thanks again.
    Ted

    • Got it… You will still need a trust relationship between the networks, as your remote site does not know about the existence of the 2nd subnet, but you can use the existing tunnel between the sites. Did you use a tunnel to create a policy, or only create a permit policy? Permit won't work in policy based tunneling… it has to be a tunnel policy. Create an untrust network for 10.10.10.0 and then create a tunnel policy like this:

      NS

      That should do it.

  3. Ted says:

    Hello, Ali.

    Thank you so much for your help.
    It works now. The remote office B net admin disabled ICMP echo. That's why I could not ping. But they never told me that. I asked them to test accessing my network from there. They never replied. It was an urgent request to establish the route. I spent my odd hours figuring out the configuration.

    I am in the process of selecting a pair of VPN/FW boxes (failover/hot standby capable). I am thinking about the ASA 5510. Is the ASA a router as well?
    Would you recommend Cisco or Juniper equipment?
    I don’t have a team of network engineers. Just me. I need stability, simplicity, lower expenses.
    Thanks again.
    Ted

    • Well that explains it!

      I would rather work with Juniper than Cisco. We don't use Cisco equipment in any of our 23 offices and our average uptime is around 280 days for each unit. They use JunOS on all their units, so if you learn one you can use all. Their command line interface is very user friendly and a lot easier than Cisco. Cisco has the broader market share, but that does not necessarily make it the best. If you are a CCNA or CCNP, then you might have some fun configuring Cisco routers… but what buys you one Cisco router will buy you two or more Juniper units. Their units and support contracts are cheaper than Cisco as well. You will pay on average 8% of a unit price to get three years of professional Juniper support, vs. I don't know how much for Cisco. Cisco is better for your resume, though… so you will trade your resume for simplicity, stability and lower expense. They can be a big pain to maintain too.

  4. Ted says:

    Thank you for your advice (career wise, and everything).
    I want to be proficient in both Juniper and Cisco networking equipment. Maybe this is a chance for me to have 2 products in production. My company is getting a new colo site for hosting. I will use Cisco in the colo.

    What is the one Juniper box that you would recommend for a VPN/FW job? I have 3 NS 204 boxes.

    I am looking forward to your advanced VPN configuration articles.
    Thank you for sharing your knowledge with the world.

    • They just announced NS-204’s end of life and are recommending SSG140 and above. If you don’t need more than 25 VPN tunnels and 40mbit WAN then I recommend SSG5, but if you have many users and 100mbit WAN bandwidth then you may want to look at SSG20 or 140. SSG20 has a built-in T1 modem as well.

  5. Ash says:

    Hi, I have two SSG20s working perfectly as you described in your tutorial, but I am now trying to add the third SSG20 for a new office.

    So Site B and Site A work perfectly and flawlessly, but I am now trying to get Site C connected to Site A, and I have a problem. I have created new tunnels, separate from Site B, so I have 2 tunnels. The problem I have is that it connects, then the connection is lost. I keep getting this problem. All SSG20 units have the latest firmware also. I'm stumped as to where the problem is. Further, great and simple tutorial.

  6. Hey Ali,

    I have two NetScreen 5GT routers that will not establish a VPN with each other. I ran through the config last night and then wiped it and started over again today. I really need some help. Would you be willing to help me out?

    Derek

  7. Murtuza says:

    I have 3 sites and all the sites are interconnected with netscreen (Site-to-Site Connectivity).
    Site A: 10.83.1.0
    Site B: 10.83.2.0
    Site C: 10.83.3.0

    Now I have a VPN client connection to site A. What I want is, if I am connected to site A through a VPN client connection, I should be able to access all three sites, i.e. along with Site A I should be able to access sites B and C. I don't understand: if I have a client VPN connection to site A, and site A is interconnected to sites B and C, why am I not able to access sites B and C with the client VPN connection? Any help would be appreciated. Thanks

    • So… for clarification, you have tunnels from A to B, A to C, and B to C. Which site is inaccessible from which site? Do you have bi-directional policies between all these sites?

  8. Chop says:

    Hi Ali,
    Out of curiosity, we have an SSG20 device that we want to set up in a similar fashion; however the “branch office” has a non-Juniper device. I have tried setting up the VPN between the 2 locations with different hardware and am about to lodge a support call. Is this even possible with a non-Juniper device? FYI it's a Linksys router at the other end that supposedly supports this.

  9. Rory says:

    Ali,

    I’ve been reading this thread and it is helpful. What approach would you suggest to connect two offices with multiple networks at each office and limited services allowed.
    Site A: 10.10.5.0/24 Data, 10.10.6.0/24 Voice
    Site B: 10.11.5.0/24 Data, 10.11.6.0/24 Voice

    Allow ping, ssh, http between data networks
    Allow h.322 between voice networks

    When I add a bidirectional policy it does not allow me to select multiple services.

    • If your subnets can see each other then nothing needs to be done. A tunnel to one should allow devices to see the other subnet. If subnets are isolated then you will have to use proper routing to make them visible to each other or connect them to your unused ports and create new tunnels.

  10. Rory says:

    When I add a bidirectional policy it does not allow me to select multiple services.

    Do I need to create a bidirectional policy for each service I want to allow? Or should I be using two policies, one for each direction?

    I don’t want to allow all services.

    • What you are trying to do goes against the idea of an IPSec tunnel. Tunnels are created to allow two trusted sites to communicate with no limit – if you just want to allow services create policies and allow services, like the good old fashion port forwarding or hosting a server behind a firewall.

  11. Mohamed Nabih says:

    dear Ali
    good day
    I have a Juniper SSG20 and I want to publish a server from my internal LAN on the Internet so I can access it from anywhere by real IP… can you help me…
    the server local ip is 10.0.0.44 and i have a real IP …
    thank you

    • I masked your public IP.

      I assume you are trying to access your admin console. You can configure it by going to Network, Interfaces, List, find your public port, click edit and select services you want to allow under Service Options (WebUI to be specific). Then go to Configuration, Admin, Management to configure security options.

  12. val says:

    Hi,

    I would like to know if it is possible to set up a route based vpn and a policy based vpn with the same gateway on a juniper SSG5 ??

    Thank you

  13. ibrahim says:

    thanks

    but I need to connect 2 branches; one of them has a Juniper and the other only a Cisco router, so will this solution work with it too?

  14. wedding party says:

    I tried viewing your blog through my mobile but the site layout was messed up. Is your site not optimized for mobile, or is my mobile the problem? I am using a Sony Ericsson Xperia.

  15. Balaji says:

    Hi Ali,

    Need your help. below is the setup.

    Site A: two networks (Firewall knows the two networks – directly connected)
    Site B: Multiple networks (Firewall knows only one network, rest of the network is handled by local LAN L3 switch)

    If I create a policy based VPN between these two sites, will I be able to create multiple policies with the same tunnel? Is it achievable?

  16. min says:

    Hello Ali,
    Can you help with my netscreen25 issue. I want to set up a MIP, public IP (3.3.3.3/32)pointing to my private IP(172.x.x.x/32). I’m trying to create vpn tunnel to remote site with 2 public IPs (1.1.1.1/32, 1.1.1.2/32). The reason is we both have the same private IP sets (172.x.x.x) so we can’t use them as src and remote IPs.

    Can I do this with policy rules?

    • I don’t understand your question. MIP is used to map public IP’s to private and has nothing to do with the tunnels as far as I know. I am not exactly sure about the 2nd question, though. I don’t think you can create a tunnel between subnets with same IP, but I might be wrong.

  17. santosh says:

    ali,
    Is there any simulator or web demo available for the Juniper SSG 140 firewall?
    I am a newbie regarding the SSG 140… want to learn for my next project.

  18. tbde says:

    Hi Ali,

    I am a newbie to the Juniper world and my enquiry is similar to the one raised by Murtuza. Forgive me if I missed the answer. A site-to-site IPsec VPN exists between LAN (router) A and LAN (router) B. Client VPNs terminate on router A but have no connection to LAN B. Appreciate your help.

  19. tbde says:

    Just to add more flesh to my earlier post,
    The site-to-site VPN is route-based (configured on router A between the Internet interface in the untrust zone and the remote peer device); the dialup VPN is policy-based and the remote clients have access to all resources on the LAN but, as indicated earlier, do not have access to resources on LAN B.

  20. Stena says:

    Ali,

    I need your expert advice. I have to connect my office site with a service provider's site over a site to site IPsec VPN tunnel. I'm using a Juniper SSG5. Now the service provider is not giving me access to their subnet but to specific host IPs within their network, e.g. 192.168.4, 192.168.1.9 and 192.168.1.11.

    So how do I configure these remote IP details in the AutoKey IKE screen of the Phase 2 proposal, because on that screen it allows you to enter only 1 remote IP/netmask?

    • Creating a tunnel from a subnet to subnet doesn’t necessarily mean you will have access to every computer or service on the other side. In a policy based tunnel you will have to create a policy after a tunnel is created to allow access from one side to the other. Therefore, you can have the provider’s IT limit their policy to allow your subnet access to those IP’s only instead of creating a two way any-any policy. There might be other ways of doing that but this is what I would recommend.

      As far as multiple IP’s, you can either create three policies or add the IP’s in Policy Elements, then select Multiple when you are creating the policy.

  21. I set up a site-to-site VPN for a client with static IPs on both sides. The side with the juniper has 5 static IPs. For some reason I cannot access the webUI remotely from the main IP. I am also not sure how to set up any of the other IPs in the block for this. Help!

  22. Jerry says:

    Hi Ali,
    Do you know how many site to site VPNs can be set up using a Juniper SSG5?

    We have 2 ADSL connections, and need both to be handled by the SSG5.

    One part of the network (LAN) will use one site-to-site VPN over one ADSL connection to connect to remote site A.
    The other part of the network (LAN) will use a site-to-site VPN over the other ADSL connection to connect to remote site B.

    Thanks, Jerry

    • Hello… it depends on your licensing. I believe they come in increments of 5, so if you have one you can most definitely connect up to 5 sites out of the box.

  23. Vadella says:

    Hello All,

    How can I setup second VPN connection on untrust zone which has already another VPN interface?
    Please show me if there some manual how to perform that task.

    Thanks in advance,

  24. Vadella says:

    Hi Ali,

    Since I’m relatively new to all VPN/Juniper stuff, I have following question:
    When I set up a second tunnel, can I use the same untrust IP address (which I got from my ISP) that the first VPN is using for the second tunnel, or should I provide a different IP address?
    For example I have: 192.92.99.1 (UnTrust IP address).
    Should I define : 192.92.99.2?

    Thanks a lot for your first answer.

  25. Jochen says:

    Hi Ali,
    at the moment we're trying to migrate a NS 5GT+ to an SSG20. After editing the current config of the NS 5GT+ and importing it to the SSG20, all the base setup is up and running perfectly, except the LAN-to-LAN VPN. After many attempts, we set up the VPN from scratch on the SSG20 according to the old configuration on the NS 5GT+ but it's still not working. All IPs are the same. We configured the interfaces on the SSG20 in groups to get the NS 5GT+ base with UT+DMZ+DMZ+HOME+HOME.
    The thing is that there seems to be activity on the tunnel and the remote gateway is pingable, but it gets stuck with a Phase 2 error.
    Do you have any hint for me here? It's a route based LAN-to-LAN VPN with static IPs and a shared key, and it's still working on the NS 5GT+.
    Best regards,
    Jochen

    • I thought I replied to your question.

      Quite honestly it is not easy to troubleshoot without access. If everything is working except what you mentioned I suggest that you rebuild the tunnel. Seems to be an incompatible encryption or wrong IP.

  26. Jochen says:

    Hi Ali,
    thanks for your response. Adapting the NS5GT+ port scheme UT, DMZ, DMZ, T, T to the SSG20 group layout, could you please give me a group/interface relation map for the SSG20, i.e. to which group/interface the VPN has to be bound?
    Best regards,
    Jochen

    • There is no pre-set mapping except they are usually grouped. Go to Interfaces and you can unbind ports from a group, then use each accordingly.

  27. Sli says:

    I have a ssg20. What kind of vpn should I set up to allow user access from anywhere then login to webmail? Is it possible to set up?
