Sat, 13 May 2006 10:13 AM

Site to Site VPN with Netscreen 5GT and Netgear DG834G

Michael Dale

I purchased my parents a new router/modem/wireless device the other day. It is a Netgear DG834G, great value for money.

Anyway, the Netgear supports VPN termination, so I decided to set up a VPN between their house and mine. This allows me to run VoIP over the VPN without needing to worry about port forwarding (which is a real pain with SIP).

So the technical background:

My place:
1) Static IP address (59.167.253.89)
2) Juniper Netscreen 5GT running ScreenOS 5.3.0r2
3) 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
4) Router on address 10.0.0.254

Parents place:
1) Dynamic IP address
2) Netgear DG834G running firmware V3.01.25 (Has also been tested to work with a DG834 with firmware V2.10.22)
3) 10.0.4.0/24 (10.0.4.0 - 10.0.4.254)
4) Router on address 10.0.4.254

Now the Netgear has some limitations with its VPN support. The main issue is that it only supports "Main Mode" IKE authentication. Main Mode is designed for site-to-site VPNs where both ends have static IP addresses. My parents don't have a static IP address.

To get around this, the NetScreen allows you to point the remote endpoint (in this case the Netgear) at a hostname. So for the Netgear site you need to set up a dyndns.org account. For this example we will call it example.dyndns.org.

See the Netgear's DynDNS settings below:
[Screenshot: DynDNS settings on the Netgear]

So let's set up the NetScreen site first.

1) Set up IP address objects that point to each site, under Objects > Addresses > List. In my case:
10.0.0.0/22 TRUST (local)
10.0.4.0/25 UNTRUST (remote)
[Screenshots: the IP address objects for the local and remote subnets]

2) Now set up the VPN gateway on the NetScreen, under VPNs > AutoKey Advanced > Gateway.
Add a new connection like the one below:
[Screenshot: VPN gateway settings]
Select your preshared key here too.
[Screenshot: VPN gateway preshared key]

Now select Advanced (note that you could use 3DES, but in this case I just use DES):

[Screenshot: VPN gateway advanced settings]

3) Now you need to set up Phase 2, under VPNs > AutoKey IKE.
[Screenshot: AutoKey IKE settings]

Then select Advanced:
[Screenshot: AutoKey IKE advanced settings]

4) Now we need to create a policy that allows traffic to flow in both directions. This is called a bidirectional VPN policy.

In Policies, under Trust to Untrust, create this policy:

[Screenshot: bidirectional VPN policy]

5) Now it's time to set up the Netgear. Create an auto VPN policy:

[Screenshot: Netgear VPN policy]

Note that the preshared key must be the same on each device.

[Screenshot: Netgear VPN policy, continued]
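
The selector check that steps 1, 4 and 5 rely on, as an added example (not code from the original post or from either vendor): it takes the address objects from the NetScreen side and the LOCAL LAN / REMOTE LAN settings from the Netgear side and reports the mirror-image mismatches that make Phase 2 fail on the proxy ID, which a commenter below ran into. `check_phase2_selectors` and its gateway check are hypothetical helpers; the subnets are the ones from this post.

```python
# Added example, not code from the original post or from Juniper/Netgear.
# Each peer's "local" selector must equal the other peer's "remote" selector,
# otherwise Phase 2 (proxy ID) negotiation fails. Subnets are from the post.
import ipaddress


def _parse_network(text, label):
    """Parse a CIDR string strictly, so host bits set (a common typo) is reported."""
    try:
        return ipaddress.ip_network(text, strict=True), None
    except ValueError as exc:
        return None, f"{label} {text!r} is not a valid network ({exc})"


def check_phase2_selectors(ns_local, ns_remote, ng_local, ng_remote,
                           ns_gateway=None, ng_gateway=None):
    """Return a list of problems; an empty list means both peers agree.

    ns_local/ns_remote: the NetScreen address objects (Trust / Untrust).
    ng_local/ng_remote: the Netgear LOCAL LAN / REMOTE LAN settings.
    ns_gateway/ng_gateway: optional router addresses, checked to sit inside
    their own local subnet (hosts must use them as default gateway).
    """
    problems = []
    nets = {}
    for label, text in (("netscreen local", ns_local), ("netscreen remote", ns_remote),
                        ("netgear local", ng_local), ("netgear remote", ng_remote)):
        net, err = _parse_network(text, label)
        if err:
            problems.append(err)
        nets[label] = net
    if problems:
        return problems  # cannot compare selectors that did not parse
    if nets["netscreen local"] != nets["netgear remote"]:
        problems.append(f"netscreen local {nets['netscreen local']} must equal "
                        f"netgear remote {nets['netgear remote']}")
    if nets["netscreen remote"] != nets["netgear local"]:
        problems.append(f"netscreen remote {nets['netscreen remote']} must equal "
                        f"netgear local {nets['netgear local']}")
    if nets["netscreen local"].overlaps(nets["netscreen remote"]):
        problems.append("local and remote subnets overlap, so traffic cannot be "
                        "routed into the tunnel")
    for label, gw, net in (("netscreen", ns_gateway, nets["netscreen local"]),
                           ("netgear", ng_gateway, nets["netgear local"])):
        if gw is not None and ipaddress.ip_address(gw) not in net:
            problems.append(f"{label} gateway {gw} is not inside its local subnet {net}")
    return problems


if __name__ == "__main__":
    # The post's subnets, mirrored correctly on both sides: no problems.
    print(check_phase2_selectors("10.0.0.0/22", "10.0.4.0/24",
                                 "10.0.4.0/24", "10.0.0.0/22",
                                 "10.0.0.254", "10.0.4.254"))
    # One side typed /25 instead of /24: Phase 2 would fail on the proxy ID.
    print(check_phase2_selectors("10.0.0.0/22", "10.0.4.0/25",
                                 "10.0.4.0/24", "10.0.0.0/22"))
```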

That should be all you need to do. You can monitor the connection on both sides through the log files. The NetScreen outputs a more detailed log, so it is best to read that one.

If the connection doesn't work, it is best to troubleshoot the VPN from a console connection to the NetScreen.

To start the debugging process type:

set console dbuf
clear dbuf
debug ike detail

To finish the debugging type:

undebug all
get dbuf stream

Comments

On Sun, 14 May 2006 at 9:04 AM, Nicko wrote

Place I used to work we used the DG834 for nearly all small clients. Quite reliable (unlike some earlier models) and supports some nice features for a cheap consumer grade all-in-one box.

On Thu, 15 Jun 2006 at 7:55 AM, Steve Postema wrote

Thanks for posting this, I used this as a baseline to connect a Netgear FVS318 to a NetScreen NS5XP. I noticed that with this setup, I can connect to my remote lan machines, but I cannot ping or access any web based management tools I have there...did you have this problem?

On Thu, 15 Jun 2006 at 9:02 AM, Michael Dale (of michaeldale.com.au) wrote

Hi Steve,

I haven't had this problem with my Netgear. Although when I set up a Netcomm NB5580W I was unable to access its web admin page (or ping the device) through the VPN, yet everything behind it worked fine. This seems to be a bug within the Netcomm firmware (which I think has been fixed, but I haven't tried the newer firmware).

When you say you cannot access any web based tools, do you mean on the remote vpn device or the computers behind the remote device?

For any computer on the lan which you wish to access you must have the gateway on them pointing to the vpn device.

On Thu, 20 Jul 2006 at 5:51 PM, Nathan wrote

Just out of curiosity, have you guys tried using 3DES on the NB5580W by any chance? I just tested it and even when I select 3DES, it seems to always try and negotiate DES, which in my case I am NOT allowing..

I'm wondering if the Netgear 3DES is broken?

On Fri, 21 Jul 2006 at 9:56 PM, Michael Dale (of michaeldale.com.au) wrote

I haven't tried 3DES, although I can have a look into it. Which device are you more interested in, the netgear or the netcomm?

On Tue, 17 Oct 2006 at 9:56 PM, Anonymous wrote

How can I force all traffic from the Netgear site to go through the VPN tunnel?

On Tue, 17 Oct 2006 at 10:30 PM, Michael Dale (of michaeldale.com.au) wrote

You could try setting the subnet to 0.0.0.0/0

On Thu, 14 Dec 2006 at 11:31 PM, Cos wrote

Am trying something very similar between mine and my parents. Both are using DG834G routers and using dyndns.org for FQDNs. I can activate the VPN tunnel no problem but I'm damned if I can connect to a remote node on the remote LAN or PING one. I don't even seem to be able to use the PING diagnostics tool in the router GUI to ping the remote router. 100% packet loss. Any ideas anyone?

On Fri, 15 Dec 2006 at 7:51 AM, Michael Dale (of michaeldale.com.au) wrote

What subnets are you using on each end?

On Tue, 09 Jan 2007 at 9:50 PM, Anonymous wrote

hi..

considering doing the same thing but like you say need to be able to point VPN by host name (have seen the dns link you put - very handy) but do you know of a router apart from the juniper, and say for about £40 or $80 that would allow this in the configuration?

thanks in advance
vinny

On Tue, 09 Jan 2007 at 10:51 PM, Michael Dale (of michaeldale.com.au) wrote

Yeah the netgear in this post should be fine. The non wireless version should be in your price range, about $AU80 I think.

On Wed, 10 Jan 2007 at 8:33 PM, Anonymous wrote

Hi Michael,

Thanks for your reply. Didn't you mention above that the Netgear only uses "main mode", and if I only have a dynamic IP address then I need a router that can point at a hostname, which I think you said the NetScreen enabled you to do? I have one router, which is the Netgear DG834 wireless, and need to get another. Do I need another router that can allow me to point to a hostname?

thanks again
Vinny (UK)

On Wed, 10 Jan 2007 at 11:35 PM, Michael Dale (of michaeldale.com.au) wrote

Yes although it seems that you can point it to a host name.

See this screen shot.

I haven't tried it myself, but it should work.

On Tue, 08 May 2007 at 11:41 PM, Ian wrote

Thanks for this walkthrough, it was really helpful. I was able to set up my site-to-site VPN between a Juniper SSG5 and a Netgear FVS318v3.

One setting not mentioned in this walkthrough that ended up breaking my Phase 2 negotiation was the "Proxy ID", which is specified in VPNs --> Autokey IKE --> Edit Your VPN Tunnel --> Advanced --> Enable Proxy-ID. For Local IP/Netmask and Remote IP/Netmask I had to set this to be the reverse (obviously) of the LOCAL LAN & REMOTE LAN settings on the Netgear firewall.

I was also able to bump up the encryption to AES128/SHA-1 without any problems.

Thanks Much!

On Wed, 09 May 2007 at 9:23 AM, Michael Dale (of michaeldale.com.au) wrote

Interesting. I didn't need to manually set the proxy-id. The NetScreen normally works this out based on your policies.

On Wed, 29 Aug 2007 at 4:51 PM, Anonymous wrote

Hi,

Anyone know the reason why I can't ping the firewall of one lan from the other?
I'm using NS-5 and Netgear dg834G.

Thanks.

On Mon, 24 Sep 2007 at 2:50 AM, Victor wrote

Can you guide me in setting up the DDNS

On Mon, 24 Sep 2007 at 10:42 AM, Michael Dale (of michaeldale.com.au) wrote

The settings are under:
Network -> DNS -> DDNS (you need to enable Config DDNS Client, Enable DDNS Client)

The help page can be found here (for ScreenOS 6):
http://help.juniper.net/help/english/6.0.0/nt_ddns_entry_edit_cnt.htm

If you don't want to use dyndns you need to set it up via the command line, more info here:
http://www.juniperforum.com/index.php/topic,4132.0.html

On Thu, 13 Dec 2007 at 12:44 AM, eyad hasssn wrote

Hi,
Can I have the full steps in order to configure a VPN connection between two sites using a Juniper 5GT?
I am using a dynamic IP address.

On Tue, 08 Jan 2008 at 10:20 AM, Michael Dale (of michaeldale.com.au) wrote

Juniper offer a "Remote Firewall Configuration" service. More details can be found here.

On Fri, 01 Feb 2008 at 5:28 PM, iman wrote

I followed the instructions and both ends are talking; however, I still couldn't get the subnet behind the Juniper, which is mentioned in both configurations, to access resources on the Netgear side. Can anyone enlighten me on this one? Thank you.

On Fri, 01 Feb 2008 at 7:01 PM, Michael Dale (of michaeldale.com.au) wrote

I'm going to need some more information. If you'd like to send me the configuration of the juniper netscreen and the netgear I can have a look.

On Fri, 01 Feb 2008 at 10:55 PM, iman wrote

Hi,

The configuration is exactly like what's on bluetrait, except my version of DG834 doesn't have enable NetBIOS tick box (this model is the one without wireless), no other VPN connection, plain vanilla configuration except on the DMZ zone which is irrelevant to this issue.

OR... should I put the rule on the top position?

On Fri, 01 Feb 2008 at 11:09 PM, Michael Dale (of michaeldale.com.au) wrote

The VPN rules should be before the any-any rules.

On Tue, 05 Feb 2008 at 8:37 AM, iman wrote

Hi again,

When you say before the any-any rule, is it deny any any or permit any any? By the way, I browsed through the manual but couldn't find the NetScreen implied rule: for example, if the policy from trust to untrust is empty, what's the implied rule, implicit deny or implicit accept?
By the way, I got a funny problem outside this VPN. I'm trying to use a web proxy and block trust to untrust connections; however, one PC needs a direct outside connection, so I enabled that particularly for that PC. What happened is that the rest of the PCs in the trust zone can then access directly. Juniper customer support is helpful, but with this issue they haven't got back to me yet. Got any idea, Michael?

iman

On Tue, 05 Feb 2008 at 10:10 AM, Michael Dale (of michaeldale.com.au) wrote

Just make sure your VPN rule is at the top of the list (i.e. it is the first rule to be evaluated).

The netscreen has an implicit deny any any policy.

For your other problem is your source correct? Maybe you should email me your configuration.

On Thu, 21 Feb 2008 at 3:49 PM, Joel Greene wrote

Again, like the guy said above:
How do you VPN two NetScreen routers?
I assume the NetScreen configuration you have is to listen for the VPN request.
But in my case I need one NetScreen (dynamic IP/hostname) to request the connection and the other NetScreen (static IP) to listen.

On Thu, 08 May 2008 at 11:31 PM, Simon wrote

Hi,
Would I follow the same process if I wanted to set up a Juniper VPN server for a Windows-based VPN connection? The scenario is like this. I'm on Sky broadband with a DDNS.org setup (dynamic IP). When I am at work in an alternate location I would like to use the Windows New Network wizard to set up a VPN using IPsec to my Juniper on its DDNS setup. Is this feasible since both ends will be on dynamic IPs? Would this effectively put me on the local LAN so I could use DAAP on my Thecus NAS box?
Any help appreciated.
Simon

On Fri, 11 Jul 2008 at 8:37 AM, Mark wrote

Hi there,
Does anyone know how to route all traffic down the VPN tunnel at the Netgear end? The Netgear does not let you enter 0.0.0.0 / 0.0.0.0 as the remote site. Sadly I suspect this is either not possible, or perhaps only by hacking the Netgear box via the hidden telnet interface; I can think of no other way around it :( Can anyone help?

Like one of the guys above, I had to set the proxy ID on the NetScreen manually before phase 2 would complete. I think this is only required if you use a routed VPN (route traffic to a tunnel interface). Only with a policy-based VPN does the NetScreen work things out itself.

On Mon, 21 Jul 2008 at 9:44 PM, infinity wrote

Hi,

The VPN is established successfully, I can see computers across the VPN (through ping), and I can use "remote desktop" successfully, but I can't share files and printers. Why? Does someone know what is happening with this connection?!

Thank you very much.

On Tue, 22 Jul 2008 at 12:41 AM, Frederick Stein wrote

Hi,

Please can someone help?

I want to set up a site-to-site using 2 x Juniper SSG 20's. Do I just apply the same config as in these screen shots for the Junipers at both ends?

On Thu, 16 Oct 2008 at 2:15 AM, Rob wrote

Hey Michael... I'm extending a HUGE **THANK YOU** for your insightful and largely helpful post. This was all I needed to get my SSG5 site-to-site up and running.

--As for the posts in regards to Windows print and file shares: be sure to modify your local machine firewalls. You'll need to add the new address scopes to your "local/home/trusted" zones/profiles.

On Tue, 18 Nov 2008 at 7:52 AM, Jeremy Ward wrote

Just a quick note:

Just because you are using DDNS services to create a host (A) record that points at a dynamic IP does not mean FQDN authentication will work.

This is because a PTR record is different from an A record. FQDN authentication uses reverse DNS to check that the initiating peer's address matches the Fully Qualified Domain Name specified in the target peer's configuration.

For instance, let's say you are using Dynamic DNS from DynDns.org. Your IP is 4.5.12.22 and is registered correctly with DynDNS. Run nslookup from your Windows XP/2000/NT4/Vista workstation.

Type 4.5.12.22 (or your public IP). You will notice that the result does NOT match your DynDNS name (server.dyndns.org).

This is because PTR records are controlled by the ISP. Let's say you have a static IP and you have a mail server. Even though your domain/DNS panel will let you point mail.mydomain.com to that public IP, the reverse DNS entry will reflect the ISP's entry, which is usually something like (ip)-(ip).city.network.domain.net.

When you have a static IP, you can request that your ISP make a reverse DNS entry for you so that the PTR record matches the A record. This is especially important for an email server, since many email providers (like AOL) reverse-DNS the sending SMTP server's IP to make sure that it matches the domain name of the email address to prevent spam.

What does this mean to you? Overall, you are better off using Aggressive Mode (when available) with email address authentication if you have a dynamically-assigned IP address.

Trust me. I set these things up every day. It's a much better solution.

Jeremy Ward
Network Architect

Trust me
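
A quick way to see the A-versus-PTR distinction this comment describes, as an added example (not part of the comment or of any vendor tool): it performs the forward and the reverse lookup separately and reports which one matches the peer. `check_fqdn_peer` is a hypothetical helper; its default resolvers do live DNS lookups, while `demo` uses constructed answers modelled on the comment's 4.5.12.22 example so it runs offline.

```python
# Added example, not code from the original post or from any vendor.
# The forward lookup (A record) is under your control via DynDNS; the reverse
# lookup (PTR record) is controlled by the ISP, so on a dynamic address the two
# rarely agree, and FQDN peer authentication that relies on the PTR fails.
import socket


def default_resolve_a(hostname):
    """Live forward lookup: hostname -> IPv4 address (None if it does not resolve)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def default_resolve_ptr(ip):
    """Live reverse lookup: IPv4 address -> PTR name (None if the ISP publishes none)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_fqdn_peer(hostname, peer_ip,
                    resolve_a=default_resolve_a, resolve_ptr=default_resolve_ptr):
    """Report what each lookup says about the peer.

    forward_ok: the A record for hostname points at peer_ip (what the post relies on
                when it points the NetScreen gateway at a hostname).
    reverse_ok: the PTR for peer_ip names hostname (what FQDN authentication checks).
    """
    a_record = resolve_a(hostname)
    ptr_record = resolve_ptr(peer_ip)
    return {
        "a_record": a_record,
        "ptr_record": ptr_record,
        "forward_ok": a_record == peer_ip,
        "reverse_ok": ptr_record is not None
        and ptr_record.rstrip(".").lower() == hostname.rstrip(".").lower(),
    }


# Constructed resolver answers modelled on the comment's example, so demo() runs
# offline: the A record is correct, but the PTR is the ISP's generic name.
CONSTRUCTED_A = {"example.dyndns.org": "4.5.12.22"}
CONSTRUCTED_PTR = {"4.5.12.22": "4-5-12-22.city.network.domain.net"}


def demo():
    """Forward lookup succeeds, reverse lookup does not: FQDN auth would fail."""
    return check_fqdn_peer("example.dyndns.org", "4.5.12.22",
                           resolve_a=CONSTRUCTED_A.get, resolve_ptr=CONSTRUCTED_PTR.get)


if __name__ == "__main__":
    print(demo())
```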

On Tue, 18 Nov 2008 at 11:11 AM, Michael Dale (of michaeldale.com.au) wrote

Hi Jeremy,

Thanks for your comment. I have not had this problem before and use this setup for a few of my family connections. I will need to look into it.

The main reason for using Main Mode auth is that the Netgear does not support aggressive mode.

On Wed, 19 Nov 2008 at 12:22 AM, Jeremy Ward wrote

Sorry, somehow the words "Trust Me" were repeated after my name... I wasn't trying to sound that convincing ;-) - I should be more careful.

Anyhow, I did understand that the reason that you were using Main Mode authentication was because the Netgear did not support Aggressive mode.

The way I look at it is that if it's working for you, then all the better.

I posted my comment for the greater benefit of everyone else, not necessarily in response to your issue.

Given all of the talk about DynDNS, I figured that someone might attempt to use FQDN authentication in Main Mode and not understand why that might not work with a DynDNS host record.

Hope it's helpful!

On Sun, 30 Nov 2008 at 10:15 PM, deena wrote

it g8..topic..thanx

I want to create a VPN between a SonicWall firewall and a Juniper. Can you please explain it to me in detail?

thanx in advance

On Fri, 12 Dec 2008 at 6:31 AM, Ben wrote

Thanks for the tutorial, Michael, it was very helpful.

On Sun, 29 Mar 2009 at 9:36 PM, sandeep wrote

It's a nice tutorial.

I have a NetScreen NS5GT ADSL router in my office. I need to create a VPN between my home router (D-Link + ADSL) and the office.

Can you help me with this?

On Tue, 25 Aug 2009 at 2:31 PM, salish k samuel wrote

Hi Michael Dale, I was going through your website, it's really an amazing one. I was searching for a resolution for one of my offices. I am from the UAE. I have an application on my computer. I want to set up VPN connectivity for this application to be accessed from a branch office. I am using a DSL line in both locations with dynamic IPs. I purchased a Juniper SSG 20 H device for the VPN connectivity. As I am new with this Juniper, I need help to set up this device for my VPN connectivity. Can you help me with this, or show some relevant post regarding this? Thanks in advance.

On Tue, 05 Apr 2011 at 8:46 AM, Rodney Graves wrote

Michael,

I found this to be very useful. I was configuring VPN tunnels between two remote Cradlepoint MBR1200s and a NetScreen 5GT in a central office. My "How To" for that configuration can be found here.

On Sun, 29 May 2011 at 8:49 PM, GlynH wrote

Michael,

I am setting up a similar tunnel between two DG834s (v5), both using DDNS, one in England, one in France.

All devices on the French LAN are clients which only need to access the Internet. I wish to route all of this traffic to the English gateway and break out to the Internet from there. Is there a way to set up this policy?

Thanks

Glyn
