// post · 455
Site to Site VPN with Netscreen 5GT and Netgear DG834G
I purchased my parents a new router/modem/wireless device the other day. It is a Netgear DG834G, great value for money.
Anyway the Netgear supports VPN termination, so I decided to setup a VPN between their house and mine. This allows me to run voip over the VPN without the need to worry about port forwarding (which is a real pain with SIP).
So the technical background:
My place:
1) Static IP address (59.167.253.89)
2) Juniper Netscreen 5GT running ScreenOS 5.3.0r2
3) 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
4) Router on address 10.0.0.254
Parents place:
1) Dynamic IP address
2) Netgear DG834G running firmware V3.01.25 (Has also been tested to work with a DG834 with firmware V2.10.22)
3) 10.0.4.0/24 (10.0.4.0 - 10.0.4.254)
4) Router on address 10.0.4.254
Now the netgear has some limitations with the VPN. The main issue is that it only supports "Main Mode" authentication. Main Mode is designed for site to site VPNs both with static IP addresses. My parents don't have a static IP address.
To get around this the netscreen allows you to point the remote end point (in this case the netgear) to a hostname. So for the netgear site you need to setup a dyndns.org account. For an example we will call this example.dyndns.org.
See below:
So lets setup the netscreen site first.
1) Setup IP Address Objects that point to each site. Under Objects > Addresses > List. In my case
10.0.0.0/22 TRUST (local)
10.0.4.0/25 UNTRUST (remote)
2) Now to setup the VPN Gateway on the netscreen. Under VPNs > AutoKey Advanced > Gateway.
Add a new connection like below:
Select your preshared key here too.
Now select Advanced (note you could use 3DES, but in this case I just use DES):
3) Now you need to setup Phase 2. Under VPNs > AutoKey IKE
Then select advanced:
4) Now we need to create a policy that allows traffic to flow in both directions. This is called a bidirectional VPN policy.
In Policies under Trust to Untrust create this policy.
5) Now time to setup the netgear. Create an auto VPN account
Note the preshared key must be the same for each device.
That should be all you need to do. You can monitor the connection on both sides through the log files. The netscreen outputs a more detailed log so it is best to read this.
If the connection doesn't work it is best to troubleshoot the VPN from a console connection to the netscreen.
To start the debugging process type:
set console dbuf
clear dbuf
debug ike detail
To finish the debugging type:
undebug all
get dbuf stream
Anyway the Netgear supports VPN termination, so I decided to setup a VPN between their house and mine. This allows me to run voip over the VPN without the need to worry about port forwarding (which is a real pain with SIP).
So the technical background:
My place:
1) Static IP address (59.167.253.89)
2) Juniper Netscreen 5GT running ScreenOS 5.3.0r2
3) 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
4) Router on address 10.0.0.254
Parents place:
1) Dynamic IP address
2) Netgear DG834G running firmware V3.01.25 (Has also been tested to work with a DG834 with firmware V2.10.22)
3) 10.0.4.0/24 (10.0.4.0 - 10.0.4.254)
4) Router on address 10.0.4.254
Now the netgear has some limitations with the VPN. The main issue is that it only supports "Main Mode" authentication. Main Mode is designed for site to site VPNs both with static IP addresses. My parents don't have a static IP address.
To get around this the netscreen allows you to point the remote end point (in this case the netgear) to a hostname. So for the netgear site you need to setup a dyndns.org account. For an example we will call this example.dyndns.org.
See below:
So lets setup the netscreen site first.
1) Setup IP Address Objects that point to each site. Under Objects > Addresses > List. In my case
10.0.0.0/22 TRUST (local)
10.0.4.0/25 UNTRUST (remote)
2) Now to setup the VPN Gateway on the netscreen. Under VPNs > AutoKey Advanced > Gateway.
Add a new connection like below:
Select your preshared key here too.
Now select Advanced (note you could use 3DES, but in this case I just use DES):
3) Now you need to setup Phase 2. Under VPNs > AutoKey IKE
Then select advanced:
4) Now we need to create a policy that allows traffic to flow in both directions. This is called a bidirectional VPN policy.
In Policies under Trust to Untrust create this policy.
5) Now time to setup the netgear. Create an auto VPN account
Note the preshared key must be the same for each device.
That should be all you need to do. You can monitor the connection on both sides through the log files. The netscreen outputs a more detailed log so it is best to read this.
If the connection doesn't work it is best to troubleshoot the VPN from a console connection to the netscreen.
To start the debugging process type:
set console dbuf
clear dbuf
debug ike detail
To finish the debugging type:
undebug all
get dbuf stream
// leave a comment
HTML allowed: <a href="" title="" rel=""></a> <b></b> <blockquote cite=""></blockquote> <em></em> <i></i> <strike></strike> <strong></strong> <li></li> <ol></ol> <ul></ul>
ie: <b>bold</b>
Your comment may need to be reviewed before it is published.
// comments
I haven't had this problem with my netgear. Although when I setup a Netcomm NB5580W I was unable to access its web admin page (or ping the device) through the VPN, yet everything behind it worked fine. This seems to be a bug within the netcomm firmware (which I think has been fixed, but I haven't tried the newer firmware).
When you say you cannot access any web based tools, do you mean on the remote vpn device or the computers behind the remote device?
For any computer on the lan which you wish to access you must have the gateway on them pointing to the vpn device.
I'm wondering if the Netgear 3DES is broken ?
considering doing the same thing but like you say need to be able to point VPN by host name (have seen the dns link you put - very handy) but do you know of a router apart from the juniper, and say for about £40 or $80 that would allow this in the configuration?
thanks in advance
vinny
Thanks for your reply, didn't you mention above that the netgear only used "main mode" and if I only have a dynamic IP address then I need a router that can point at a hostname - which I think you said the netscreen enabled you to do. I have one router which is the netgear DG834 wireless and need to get another. DO I need another router that can allow me to point to a hostname?
thanks again
Vinny (UK)
See this screen shot.
I haven't tried it myself, but it should work.
One setting not metioned in this walkthrough that ended up breaking my Phase 2 negotation was the "Proxy ID", which is specified in VPNs --> Autokey IKE --> Edit Your VPN Tunnel --> Advanced --> and Enable Proxy-ID. For Local IP/Netmask and Remote IP/Netmask I had to set this to be reverse (obviously) of the LOCAL LAN & REMOTE LAN settings on the Netgear Firewall.
I was also able to bump up the encyrption to AES128/SHA-1 without any problems.
Thanks Much!
Anyone know the reason why I can't ping the firewall of one lan from the other?
I'm using NS-5 and Netgear dg834G.
Thanks.
Network -> DNS -> DDNS (you need to enable Config DDNS Client, Enable DDNS Client)
The help page can be be found here (for ScreenOS 6):
http://help.juniper.net/help/english/6.0.0/nt_ddns_entry_edit_cnt.htm
If you don't want to use dyndns you need to set it up via the command line, more info here:
http://www.juniperforum.com/index.php/topic,4132.0.html
can i have the full steps in order to configure VPN connection between two site using juniper 5gt?
i am using dynamic IP address
Contact Form
The configuration is exactly like what's on bluetrait, except my version of DG834 doesn't have enable NetBIOS tick box (this model is the one without wireless), no other VPN connection, plain vanilla configuration except on the DMZ zone which is irrelevant to this issue.
OR... should I put the rule on the top position?
when you mean before any any rule, is it deny any any or permit any any. By the way, I browse thru the manual but couldn't find the rule on netscreen implied rule, for example if the policy from trust to untrust is empty what's the implied rule, implicit deny or implicit accept.
btw, I got a funny problem outside this vpn, am trying to use webproxy and block trust to untrust connection, however, one pc needs direct outside connection then i enabled particularly for that pc. what happened is, the rest of the pc in the trust then can access directly. juniper cust support is helpful, but with this issue, they haven;t got back to me yet. got any idea, michael?
iman
The netscreen has an implicit deny any any policy.
For your other problem is your source correct? Maybe you should email me your configuration.
How do you VPN two Netscreen Routers.
I assume the netscreen configuation you have is to listen for the VPN request.
But in my case I need one netscreen (Dynamic IP/Hostname) to request the connection and the other netscreen (Static IP) to listen.
Would I follow the same process if I wanted to set-up a Juniper VPN server for a windows based VPN connection ? Scenario like this. I'm on sky broadband with a DDNS.org set-up (dynamic IP). When I am at work in an alternate location I would like to use windows New network wizard to set-up a VPN using IP-SEC to my Juniper on it's DDNS set-up. Is this feasible since both ends will be on dynamis IP's ? Would this effectively put me on the local LAN so I could use DAAP on my Thecus NAS box ?
Any help appreciated.
Simon
Does anyone know how to route all traffic down the VPN tunnel at the Netgear end? The Netgear not let you enter 0.0.0.0 / 0.0.0.0 as the remote site. Sadly i suspect this is either not possible, perhaps only by hacking the Netgear box via the hidden telnet interface - i can think of no other way around it :( Can anyone help?
Like one of the guys above i had to set the proxy ID on the Netscreen manually before phase2 would complete, i think this is only required if you use a routed VPN (route traffic to a tunnel interface). Only with a policy based VPN does the Netscreen work things out itself.
The VPN are established successfully, I see computers on the VPN (throught ping), i make "remote desktop" successfully but I can't share files and printers. Why? Someone knows what are happen with this connection?!
Thank you very much.
Please can someone help?
I want to set up a site-to-site using 2 x Juniper SSG 20's. Do I just apply the same config as in these screen shots for the Junipers at both ends?
--As for the posts in regards to Windows print and file shares: be sure to modify your local machine firewalls. You'll need to add the new address scopes to your "local/home/trusted" zones/profiles.
Just because you are using DDNS services to create Host (A) record to point at a dynamic IP, does not mean FQDN authentication will work.
This is because a PTR record is different then an A record. FQDN Authentication uses Reverse DNS to check that the initiating peer's address matched the Fuly Qualified Domain Name specified in the target peers configuration.
For instance, lets say you are using Dynanic DNS from DynDns.org. Your IP is 4.5.12.22 and is registered correctly with DynDNS. Run nslookup from your Windows XP/2000/NT4/Vista workstation.
Type 4.5.12.22. (or your Public IP). You will notice that the result does NOT match your DynDNS name (server.dyndns.org).
This is because PTR records are controlled by the ISP. Lets say you have a static IP and you have mail server. Even though your Domain/DNS panel will let you point mail.mydomain.com to that public IP, the reverse DNS entry will reflect the ISP's entry - which is usually something like (ip)-(ip).city.network.domain.net.
When you have a Static IP, you can request that your ISP make a Reverse DNS entry for you so that the PTR record matches the A record. This is especially important for an email server since many email providers - like AOL - reverse DNS the sending SMTP server's IP to make sure that it matches the domain name of the email address' domain name to prevent SPAM.
What does this mean to you? Overall, you are better using Aggressive Mode (when available) with email address authentication if you have a dynamically-assigned IP address.
Trust me. I set these things up every day. It's a much better solution.
Jeremy Ward
Network Architect
Trust me
Thanks for your comment. I have not had this problem before and use this setup to a few of my family connections. I will need to look into it.
The main reason for using Main Mode auth is that the Netgear does not support aggressive mode.
Anyhow, I did understand that the reason that you were using Main Mode authentication was because the Netgear did not support Aggressive mode.
The way I look at it is that if it's working for you, then all the better.
I posted my comment for the greater benefit of everyone else, not necessarily in response to your issue.
Given all of the talk about DynDNS, I figured that someone might attempt to use FQDN authentication in Main Mode an not understand why that might not work with a DynDNS host record.
Hope it's helpful!
i want to create a VPN between sonic firwall to juniper.can you please explain me in detail.
thanx in advance
i am having a netscreen NS5GT ADSL router in my office. I need to creat a VPn between my home router(D-link +ADSL) & office.
can help me on this
I found this to be very useful. I was configuring VPN tunnels between two remote Cradlepoint MBR1200's and a NetScreen5gt in a central office. My "How To" for that configuation can be found here.
I am setting up a similar tunnel between two DG834's (v5) both using ddns, one in england, one in france.
All devices on the French LAN are clients which only need to access the Internet, I wish to route all of this traffic to the english gateway, and to break out to the internet from there. Is there a way to set up this policy?
Thanks
Glyn