Sat, 13 May 2006 10:13 AM

Site to Site VPN with Netscreen 5GT and Netgear DG834G

Michael Dale
I purchased my parents a new router/modem/wireless device the other day. It is a Netgear DG834G, great value for money.


Anyway, the Netgear supports VPN termination, so I decided to set up a VPN between their house and mine. This allows me to run VoIP over the VPN without needing to worry about port forwarding (which is a real pain with SIP).


So the technical background:


My place:

1) Static IP address (59.167.253.89)

2) Juniper Netscreen 5GT running ScreenOS 5.3.0r2

3) 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)

4) Router on address 10.0.0.254


Parents place:

1) Dynamic IP address

2) Netgear DG834G running firmware V3.01.25 (Has also been tested to work with a DG834 with firmware V2.10.22)

3) 10.0.4.0/24 (10.0.4.0 - 10.0.4.254)

4) Router on address 10.0.4.254


Now the Netgear has some limitations with the VPN. The main issue is that it only supports IKE "Main Mode". Main Mode is designed for site-to-site VPNs where both ends have static IP addresses, and my parents don't have a static IP address.


To get around this, the NetScreen allows you to point the remote endpoint (in this case the Netgear) at a hostname. So for the Netgear site you need to set up a dyndns.org account. For this example we will call it example.dyndns.org.


See below:

[Screenshot: DynDNS settings on the Netgear]


So let's set up the NetScreen side first.


1) Set up IP address objects that point to each site, under Objects > Addresses > List. In my case:

10.0.0.0/22 TRUST (local)

10.0.4.0/25 UNTRUST (remote)

[Screenshots: the two IP address objects]


2) Now set up the VPN gateway on the NetScreen, under VPNs > AutoKey Advanced > Gateway.

Add a new gateway like the one below. Enter your preshared key here too.

[Screenshot: VPN gateway settings]

Now select Advanced (note you could use 3DES, but in this case I just use DES):

[Screenshot: VPN gateway advanced settings]


3) Now you need to set up Phase 2, under VPNs > AutoKey IKE.

[Screenshot: AutoKey IKE settings]

Then select Advanced:

[Screenshot: AutoKey IKE advanced settings]


4) Now we need to create a policy that allows traffic to flow in both directions. This is called a bidirectional VPN policy.


In Policies, under Trust to Untrust, create this policy.

[Screenshot: VPN policy]


5) Now it is time to set up the Netgear. Create an Auto VPN policy.

[Screenshot: Netgear VPN policy]

Note the preshared key must be the same on each device.

[Screenshot: Netgear preshared key settings]


That should be all you need to do. You can monitor the connection on both sides through the log files. The NetScreen produces a more detailed log, so it is the better one to read.
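As an added example (not from the original post), the following Python script encodes the matching rules the two ends have to satisfy, which is where most Main Mode site-to-site failures come from: identical preshared key, a common proposal in each phase, a resolvable address for the dynamic peer, and mirror-image proxy IDs. The preshared key and proposal names are constructed placeholders; the subnets are the post's own, including the 10.0.4.0/25 address object on the NetScreen beside the 10.0.4.0/24 LAN on the Netgear, which the check reports as a proxy-ID mismatch.

```python
import ipaddress

# The two ends as configured in the post. Preshared key and proposal names are
# constructed placeholders; Netgear and NetScreen label proposals differently,
# so a real comparison would normalise them to cipher/hash/DH group first.
NETSCREEN = {
    "name": "netscreen-5gt", "static_ip": "59.167.253.89", "hostname": None,
    "mode": "main", "psk": "example-psk",
    "p1_proposals": {"des-sha1-dh2"}, "p2_proposals": {"esp-des-sha1-dh2"},
    "local_lan": "10.0.0.0/22", "remote_lan": "10.0.4.0/25",  # post's address object
}
NETGEAR = {
    "name": "netgear-dg834g", "static_ip": None, "hostname": "example.dyndns.org",
    "mode": "main", "psk": "example-psk",
    "p1_proposals": {"des-sha1-dh2"}, "p2_proposals": {"esp-des-sha1-dh2"},
    "local_lan": "10.0.4.0/24", "remote_lan": "10.0.0.0/22",
}


def check_site_to_site(a: dict, b: dict) -> list:
    """Return the mismatches between two tunnel ends; an empty list means consistent."""
    problems = []
    # Phase 1: same PSK, same IKE mode (the DG834G offers Main Mode only), shared proposal.
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if a["mode"] != b["mode"]:
        problems.append(f"IKE mode mismatch: {a['mode']} vs {b['mode']}")
    if not a["p1_proposals"] & b["p1_proposals"]:
        problems.append("no common Phase 1 proposal")
    # Main Mode identifies the peer by address, so a dynamic peer must be reachable
    # through a hostname the other end can resolve (the DynDNS name in the post).
    for site, peer in ((a, b), (b, a)):
        if peer["static_ip"] is None and not peer["hostname"]:
            problems.append(f"{site['name']}: peer {peer['name']} has neither static IP nor hostname")
    # Phase 2: proxy IDs must mirror each other (A's local == B's remote and vice versa),
    # and the two LANs must not overlap or routing across the tunnel becomes ambiguous.
    la, ra = ipaddress.ip_network(a["local_lan"]), ipaddress.ip_network(a["remote_lan"])
    lb, rb = ipaddress.ip_network(b["local_lan"]), ipaddress.ip_network(b["remote_lan"])
    if la != rb or lb != ra:
        problems.append(f"proxy-ID mismatch: {a['name']} {la}<->{ra}, {b['name']} {lb}<->{rb}")
    if la.overlaps(lb):
        problems.append(f"LANs overlap: {la} and {lb}")
    if not a["p2_proposals"] & b["p2_proposals"]:
        problems.append("no common Phase 2 proposal")
    return problems


if __name__ == "__main__":
    for line in check_site_to_site(NETSCREEN, NETGEAR) or ["no mismatches found"]:
        print(line)
```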


If the connection doesn't work, it is best to troubleshoot the VPN from a console connection to the NetScreen.


To start the debugging process, type the following (the first command sends debug output to the debug buffer instead of the console, the second clears the buffer, and the third turns on detailed IKE negotiation tracing):

set console dbuf

clear dbuf

debug ike detail


To finish the debugging, type the following (turn all debugging off, then display what the buffer captured):

undebug all

get dbuf stream