Sat, 13 May 2006 10:13 AM
I purchased my parents a new router/modem/wireless device the other day. It is a Netgear DG834G
, great value for money.
Anyway the Netgear supports VPN termination, so I decided to setup a VPN between their house and mine. This allows me to run voip over the VPN without the need to worry about port forwarding (which is a real pain with SIP).
So the technical background:
1) Static IP address (220.127.116.11)
2) Juniper Netscreen 5GT running ScreenOS 5.3.0r2
3) 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
4) Router on address 10.0.0.254
1) Dynamic IP address
2) Netgear DG834G running firmware V3.01.25 (Has also been tested to work with a DG834 with firmware V2.10.22)
3) 10.0.4.0/24 (10.0.4.0 - 10.0.4.254)
4) Router on address 10.0.4.254
Now the netgear has some limitations with the VPN. The main issue is that it only supports "Main Mode" authentication. Main Mode is designed for site to site VPNs both with static IP addresses. My parents don't have a static IP address.
To get around this the netscreen allows you to point the remote end point (in this case the netgear) to a hostname. So for the netgear site you need to setup a dyndns.org account. For an example we will call this example.dyndns.org.
So lets setup the netscreen site first.
1) Setup IP Address Objects that point to each site. Under Objects > Addresses > List. In my case
10.0.0.0/22 TRUST (local)
10.0.4.0/25 UNTRUST (remote)
2) Now to setup the VPN Gateway on the netscreen. Under VPNs > AutoKey Advanced > Gateway.
Add a new connection like below:
Select your preshared key here too.
Now select Advanced (note you could use 3DES, but in this case I just use DES):
3) Now you need to setup Phase 2. Under VPNs > AutoKey IKE
Then select advanced:
4) Now we need to create a policy that allows traffic to flow in both directions. This is called a bidirectional VPN policy.
In Policies under Trust to Untrust create this policy.
5) Now time to setup the netgear. Create an auto VPN account
Note the preshared key must be the same for each device.
That should be all you need to do. You can monitor the connection on both sides through the log files. The netscreen outputs a more detailed log so it is best to read this.
If the connection doesn't work it is best to troubleshoot the VPN from a console connection to the netscreen.
To start the debugging process type:
set console dbuf
debug ike detail
To finish the debugging type:
get dbuf stream
On Sun, 14 May 2006 at 9:04 AM, Nicko wrote
Place I used to work we used the DG834 for nearly all small clients. Quite reliable (unlike some earlier models) and supports some nice features for a cheap consumer grade all-in-one box.
1: Comment Link
On Thu, 15 Jun 2006 at 7:55 AM, Steve Postema wrote
Thanks for posting this, I used this as a baseline to connect a Netgear FVS318 to a NetScreen NS5XP. I noticed that with this setup, I can connect to my remote lan machines, but I cannot ping or access any web based management tools I have there...did you have this problem?
2: Comment Link
On Thu, 15 Jun 2006 at 9:02 AM, Michael Dale
I haven't had this problem with my netgear. Although when I setup a Netcomm NB5580W I was unable to access its web admin page (or ping the device) through the VPN, yet everything behind it worked fine. This seems to be a bug within the netcomm firmware (which I think has been fixed, but I haven't tried the newer firmware).
When you say you cannot access any web based tools, do you mean on the remote vpn device or the computers behind the remote device?
For any computer on the lan which you wish to access you must have the gateway on them pointing to the vpn device.
3: Comment Link
On Thu, 20 Jul 2006 at 5:51 PM, Nathan wrote
Just out of curiosity, have you guys tried using 3DES on the NB5580W by any chance ? I just tested it and even when i select 3DES, it seems to always try and negotiate DES which in my case i am NOT allowing..
I'm wondering if the Netgear 3DES is broken ?
4: Comment Link
On Fri, 21 Jul 2006 at 9:56 PM, Michael Dale
I haven't tried 3DES, although I can have a look into it. Which device are you more interested in, the netgear or the netcomm?
5: Comment Link
On Tue, 17 Oct 2006 at 9:56 PM, Anonymous wrote
How can I force all traffic from the netgear site to go through the VPN tunnel.
6: Comment Link
On Tue, 17 Oct 2006 at 10:30 PM, Michael Dale
You could try setting the subnet to 0.0.0.0/0
7: Comment Link
On Thu, 14 Dec 2006 at 11:31 PM, Cos wrote
Am trying something very similar between mine and my parents. Both are using DG834G routers and using dyndns.org for FQDNs. I can activate the VPN tunnel no problem but I'm damned if I can connect to a remote node on the remote LAN or PING one. I don't even seem to be able to use the PING diagnostics tool in the router GUI to ping the remote router. 100% packet loss. Any ideas anyone?
8: Comment Link
On Fri, 15 Dec 2006 at 7:51 AM, Michael Dale
What subnets are you using on each end?
9: Comment Link
On Tue, 09 Jan 2007 at 9:50 PM, Anonymous wrote
considering doing the same thing but like you say need to be able to point VPN by host name (have seen the dns link you put - very handy) but do you know of a router apart from the juniper, and say for about £40 or $80 that would allow this in the configuration?
thanks in advance
10: Comment Link
On Tue, 09 Jan 2007 at 10:51 PM, Michael Dale
Yeah the netgear in this post should be fine. The non wireless version should be in your price range, about $AU80 I think.
11: Comment Link
On Wed, 10 Jan 2007 at 8:33 PM, Anonymous wrote
Thanks for your reply, didn't you mention above that the netgear only used "main mode" and if I only have a dynamic IP address then I need a router that can point at a hostname - which I think you said the netscreen enabled you to do. I have one router which is the netgear DG834 wireless and need to get another. DO I need another router that can allow me to point to a hostname?
12: Comment Link
On Wed, 10 Jan 2007 at 11:35 PM, Michael Dale
Yes although it seems that you can point it to a host name.
I haven't tried it myself, but it should work.
13: Comment Link
On Tue, 08 May 2007 at 11:41 PM, Ian
Thanks for this walkthrough, it was really helpful, I was able to setup my site to site VPN between a Juniper SSG5 and a Netgear FVS318v3.
One setting not metioned in this walkthrough that ended up breaking my Phase 2 negotation was the "Proxy ID", which is specified in VPNs --> Autokey IKE --> Edit Your VPN Tunnel --> Advanced --> and Enable Proxy-ID. For Local IP/Netmask and Remote IP/Netmask I had to set this to be reverse (obviously) of the LOCAL LAN & REMOTE LAN settings on the Netgear Firewall.
I was also able to bump up the encyrption to AES128/SHA-1 without any problems.
14: Comment Link
On Wed, 09 May 2007 at 9:23 AM, Michael Dale
Interesting. I didn't need to manually set the proxy-id. The netscreen normally works this out based on your polices.
15: Comment Link
On Wed, 29 Aug 2007 at 4:51 PM, Anonymous wrote
Anyone know the reason why I can't ping the firewall of one lan from the other?
I'm using NS-5 and Netgear dg834G.
16: Comment Link
On Mon, 24 Sep 2007 at 2:50 AM, Victor
Can you guide me in setting up the DDNS
17: Comment Link
On Mon, 24 Sep 2007 at 10:42 AM, Michael Dale
The settings are under:
Network -> DNS -> DDNS (you need to enable Config DDNS Client, Enable DDNS Client)
The help page can be be found here (for ScreenOS 6):
If you don't want to use dyndns you need to set it up via the command line, more info here:
18: Comment Link
On Thu, 13 Dec 2007 at 12:44 AM, eyad hasssn wrote
can i have the full steps in order to configure VPN connection between two site using juniper 5gt?
i am using dynamic IP address
19: Comment Link
On Tue, 08 Jan 2008 at 10:20 AM, Michael Dale
Juniper offer a "Remote Firewall Configuration" service. More details can be found here
20: Comment Link
On Fri, 01 Feb 2008 at 5:28 PM, iman wrote
I followed the instructions and both ends talking however, why I still couldn't get the subnet behind the juniper, which is mentioned on both configuration to access resources at netgear side. Anyone can enlighten me on this one? thank you
21: Comment Link
On Fri, 01 Feb 2008 at 7:01 PM, Michael Dale
I'm going to need some more information. If you'd like to send me the configuration of the juniper netscreen and the netgear I can have a look.
22: Comment Link
On Fri, 01 Feb 2008 at 10:55 PM, iman wrote
The configuration is exactly like what's on bluetrait, except my version of DG834 doesn't have enable NetBIOS tick box (this model is the one without wireless), no other VPN connection, plain vanilla configuration except on the DMZ zone which is irrelevant to this issue.
OR... should I put the rule on the top position?
23: Comment Link
On Fri, 01 Feb 2008 at 11:09 PM, Michael Dale
the vpn rules should be before the any-any rules.
24: Comment Link
On Tue, 05 Feb 2008 at 8:37 AM, iman wrote
when you mean before any any rule, is it deny any any or permit any any. By the way, I browse thru the manual but couldn't find the rule on netscreen implied rule, for example if the policy from trust to untrust is empty what's the implied rule, implicit deny or implicit accept.
btw, I got a funny problem outside this vpn, am trying to use webproxy and block trust to untrust connection, however, one pc needs direct outside connection then i enabled particularly for that pc. what happened is, the rest of the pc in the trust then can access directly. juniper cust support is helpful, but with this issue, they haven;t got back to me yet. got any idea, michael?
25: Comment Link
On Tue, 05 Feb 2008 at 10:10 AM, Michael Dale
Just make sure your vpn rule is at the top of the list (i.e it is the first rule to be run).
The netscreen has an implicit deny any any policy.
For your other problem is your source correct? Maybe you should email me your configuration.
26: Comment Link
On Thu, 21 Feb 2008 at 3:49 PM, Joel Greene wrote
Again, like the guy said above.
How do you VPN two Netscreen Routers.
I assume the netscreen configuation you have is to listen for the VPN request.
But in my case I need one netscreen (Dynamic IP/Hostname) to request the connection and the other netscreen (Static IP) to listen.
27: Comment Link
On Thu, 08 May 2008 at 11:31 PM, Simon wrote
Would I follow the same process if I wanted to set-up a Juniper VPN server for a windows based VPN connection ? Scenario like this. I'm on sky broadband with a DDNS.org set-up (dynamic IP). When I am at work in an alternate location I would like to use windows New network wizard to set-up a VPN using IP-SEC to my Juniper on it's DDNS set-up. Is this feasible since both ends will be on dynamis IP's ? Would this effectively put me on the local LAN so I could use DAAP on my Thecus NAS box ?
Any help appreciated.
28: Comment Link
On Fri, 11 Jul 2008 at 8:37 AM, Mark wrote
Does anyone know how to route all traffic down the VPN tunnel at the Netgear end? The Netgear not let you enter 0.0.0.0 / 0.0.0.0 as the remote site. Sadly i suspect this is either not possible, perhaps only by hacking the Netgear box via the hidden telnet interface - i can think of no other way around it :( Can anyone help?
Like one of the guys above i had to set the proxy ID on the Netscreen manually before phase2 would complete, i think this is only required if you use a routed VPN (route traffic to a tunnel interface). Only with a policy based VPN does the Netscreen work things out itself.
29: Comment Link
On Mon, 21 Jul 2008 at 9:44 PM, infinity wrote
The VPN are established successfully, I see computers on the VPN (throught ping), i make "remote desktop" successfully but I can't share files and printers. Why? Someone knows what are happen with this connection?!
Thank you very much.
30: Comment Link
On Tue, 22 Jul 2008 at 12:41 AM, Frederick Stein wrote
Please can someone help?
I want to set up a site-to-site using 2 x Juniper SSG 20's. Do I just apply the same config as in these screen shots for the Junipers at both ends?
31: Comment Link
On Thu, 16 Oct 2008 at 2:15 AM, Rob wrote
Hey Michael... I'm extending a HUGE **THANK YOU** for your insightful and largely helpful post. This was all I needed to get my SSG5 site-to-site up and running.
--As for the posts in regards to Windows print and file shares: be sure to modify your local machine firewalls. You'll need to add the new address scopes to your "local/home/trusted" zones/profiles.
32: Comment Link
On Tue, 18 Nov 2008 at 7:52 AM, Jeremy Ward
Just a quick note:
Just because you are using DDNS services to create Host (A) record to point at a dynamic IP, does not mean FQDN authentication will work.
This is because a PTR record is different then an A record. FQDN Authentication uses Reverse DNS to check that the initiating peer's address matched the Fuly Qualified Domain Name specified in the target peers configuration.
For instance, lets say you are using Dynanic DNS from DynDns.org. Your IP is 18.104.22.168 and is registered correctly with DynDNS. Run nslookup from your Windows XP/2000/NT4/Vista workstation.
Type 22.214.171.124. (or your Public IP). You will notice that the result does NOT match your DynDNS name (server.dyndns.org).
This is because PTR records are controlled by the ISP. Lets say you have a static IP and you have mail server. Even though your Domain/DNS panel will let you point mail.mydomain.com to that public IP, the reverse DNS entry will reflect the ISP's entry - which is usually something like (ip)-(ip).city.network.domain.net.
When you have a Static IP, you can request that your ISP make a Reverse DNS entry for you so that the PTR record matches the A record. This is especially important for an email server since many email providers - like AOL - reverse DNS the sending SMTP server's IP to make sure that it matches the domain name of the email address' domain name to prevent SPAM.
What does this mean to you? Overall, you are better using Aggressive Mode (when available) with email address authentication if you have a dynamically-assigned IP address.
Trust me. I set these things up every day. It's a much better solution.
33: Comment Link
On Tue, 18 Nov 2008 at 11:11 AM, Michael Dale
Thanks for your comment. I have not had this problem before and use this setup to a few of my family connections. I will need to look into it.
The main reason for using Main Mode auth is that the Netgear does not support aggressive mode.
34: Comment Link
On Wed, 19 Nov 2008 at 12:22 AM, Jeremy Ward
Sorry, some how the words "Trust Me" were repeated after my name... I wasn't trying to sound that convincing ;-) - I should be more careful.
Anyhow, I did understand that the reason that you were using Main Mode authentication was because the Netgear did not support Aggressive mode.
The way I look at it is that if it's working for you, then all the better.
I posted my comment for the greater benefit of everyone else, not necessarily in response to your issue.
Given all of the talk about DynDNS, I figured that someone might attempt to use FQDN authentication in Main Mode an not understand why that might not work with a DynDNS host record.
Hope it's helpful!
35: Comment Link
On Sun, 30 Nov 2008 at 10:15 PM, deena wrote
i want to create a VPN between sonic firwall to juniper.can you please explain me in detail.
thanx in advance
36: Comment Link
On Fri, 12 Dec 2008 at 6:31 AM, Ben wrote
Thanks for the tutorial, Michael, it was very helpful.
37: Comment Link
On Sun, 29 Mar 2009 at 9:36 PM, sandeep wrote
it nice tutorial.
i am having a netscreen NS5GT ADSL router in my office. I need to creat a VPn between my home router(D-link +ADSL) & office.
can help me on this
38: Comment Link
On Tue, 25 Aug 2009 at 2:31 PM, salish k samuel
Hi Michael Dale, i was going through your website, its really an amazing one. i was searching out for a resolution for one my office. I am from UAE. I have an application in my computer. I want to set up a VPN connectivity for this application to be accessed from branch office. i am using dsl line in both location with dynamic ip. i purchased a Juniper SSG 20 H device for the VPN connectivity. As i am new with this Juniper, i need a help to set up this device for my VPN connectivity. Can you help me on this. can show some relevent post regarding this. Thnaks in Advance.
39: Comment Link
On Tue, 05 Apr 2011 at 8:46 AM, Rodney Graves
I found this to be very useful. I was configuring VPN tunnels between two remote Cradlepoint MBR1200's and a NetScreen5gt in a central office. My "How To" for that configuation can be found here
40: Comment Link
On Sun, 29 May 2011 at 8:49 PM, GlynH wrote
I am setting up a similar tunnel between two DG834's (v5) both using ddns, one in england, one in france.
All devices on the French LAN are clients which only need to access the Internet, I wish to route all of this traffic to the english gateway, and to break out to the internet from there. Is there a way to set up this policy?
41: Comment Link