Bluetrait (Program)
                IBM N2200 8363

Fri, 01 Sep 2006 6:59 PM

Setting up a dial-up VPN to connect to a Netscreen

Michael Dale

I've been getting lots of hits to the post about a site to site VPN setup with a netscreen. So I've decided to do one for a dial-up VPN user connecting to a netscreen.

A dial-up user is anyone who needs access into the network and has a dynamic ip address. We don't wish to be able to access them (the dial-up user) from within the network. This is how we setup most connections at work. This allows people to access file shares and outlook (without the need to setup RPC over HTTP).


  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Netscreen Remote 8.7 (The Windows VPN client)
  • Local Network (the one in which the vpn users want to access) of ( -
  • External Address of

Setting up the Netscreen

1) First we need to create a user. This can be found in Objects -> Users -> Local (Note: Follow the screen shot below, you don't need a password here, you do need the IKE User info though)

Adding user to the netscreen

So we have our user, Test.User

2) Create Phase 1 of the VPN tunnel. This can be found in VPNs -> AutoKey Advanced -> Gateway (Note: Security level is set to custom, password for VPN is entered here, Outgoing interface is your untrust interface).

Adding Phase 1 of VPN policy

3) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Mode is set to Aggressive)

Phase 1 VPN

Now click return and okay to save your settings.

4) Now we'll create the Phase 2 information. This can be found in VPNs -> AutoKey IKE (Note: Security level is set to custom, Remote Gateway is set to "Test.UserP1")

VPN Phase 2

5) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Replay Protection is on)

VPN Phase 2

Now click return and okay to save your settings.

6) Now we'll need to create a policy. This will go from untrust to trust. This can be found in Policies.

Netscreen Policies

Click new (Note: Source Address is Any-IPv4 or just Any if IPv6 is disabled, Destination Address is your local subnet, tunnel the connection though the VPN user "Test.UserP2")

Netscreen Policy

Now the Netscreen has been setup.

Setting up Netscreen Remote

1) Open the policy editor in Netscreen Remote

Netscreen Remote 1

2) Create a new connection (Note: Type in the remote subnet details and set the secure gateway to your netscreens external address)

Netscreen Remote 2

3) Now we'll setup the login details (Note: The Certificate is None, The ID Type is Domain Name and the value is "Test.User")

Netscreen Remote 3

4) Now click Pre-Shared Key (Note: Type in the password you used when setting up the connection in the netscreen)

Netscreen Remote 4

5) Now we'll set the connection to aggressive (Note: Enable PFS, DH is Group 2 and Enable Replay Dection)

Netscreen Remote 5

6) Now we'll setup the Phase 1 details (Note: We're using DES and MD5 here. SA Life is 28800 seconds)

Netscreen Remote 6

7) Now we'll setup the Phase 2 details (Note: The SA Life here is 3600 Seconds)

Netscreen Remote 7

8) Save the settings and Test!

That should be all you need to do.


  • The VPN may not work behind some NAT routers. You can try turning on NAT-T within the netscreen, although I find it doesn't normally work (newer versions such as 5.4 and 6.x seem to work just fine).
  • Make sure the details in the Netscreen and Netscreen Remote Match (i.e Phase 1 policies etc)
  • You can check the logs from both Netscreen and Netscreen Remote
  • You cannot connect to the VPN while within the local subnet
  • Netscreen Remote should be disabled when you're directly connected to the network
  • Only traffic for the subnet is passed over the VPN.


On Fri, 14 Sep 2007 at 4:27 PM, Monxoo wrote Hi Thahnks for your post. I have a problem. I esatblished a dial-up VPN as you showed here. VPN connects OK but i can't ping the hosts in LAN. Cannot communicate. Any idea? 1: Comment Link

On Fri, 14 Sep 2007 at 7:21 PM, Michael Dale (of wrote Make sure your VPN policies are before the standard ANY-ANY rule. 2: Comment Link

On Tue, 12 Feb 2008 at 5:28 AM, Adi wrote Hi, Extremely helpful tutorial. However I came into a problem: after the connection, the IP address from my laptop (the remote client) is inside the company's LAN = my laptop is not seen inside company's LAN with an IP address within the LAN subnet. Because of that I do not have access to servers, for example, that are in other subnet, behind another firewall... Is there anything I can do to receive a LAN IP address when the connection is completed? Thanks 3: Comment Link

On Wed, 13 Feb 2008 at 5:03 PM, Michael Dale (of wrote Yes it is possible but I haven't done it myself. If I do I'll write a tutorial for it. The easiest way to get it working is to make sure the laptop is on a different subnet. For most company LANs I try and use a fairly unique IP range such as 172.25.25.x. 4: Comment Link

On Fri, 22 Feb 2008 at 3:25 AM, Jaska wrote Hi everyone! I haven't had this problem with my netscreen. Although when I setup a VPN netscreen remote client, icmp goes fine(lan and outside) and i can see all my computers lan. but web traffic is not working over vpn. i dont know what is problem. i think that is something with route... i allmost try everything but is not working... maybe somebody can help me :) 5: Comment Link

On Thu, 06 Mar 2008 at 9:11 AM, Jason Ellison wrote In response to Adi's comment: I recently had a situation where roadwarriors needed to communicate with routers and systems beyond our administrative scope. I used the information listed here... but under your VPN policy goto advanced and you can use source NAT (SNAT) to make the connections appear to come from the local interface of the NetScreen. I would not advise this for more than a few users doing light tcp/udp work. My situation was this: 5 remote users need telnet access to an internal rehat server (large car dealership). The other locations have networks that were large enough for us to have coporate add routes back. 6: Comment Link

On Fri, 14 Mar 2008 at 6:15 AM, Adi wrote Thank you Jason, I made the configuration as you explained and indeed the packets coming from a connected client were seen inside the Lan with the IP address of the internal interface of the firewall so it was a step forward. However, I realized that this was not the solution I needed; any client that gets into the LAN via de VPN will have the same IP address and I also have to make new sets of policies that will allow access from this ip (firewall's internal IP) to the resources that need to be accessed. 1. I do not have traceability (I do not know which client connected, with which IP address - knowing this would help a lot in identifying possible problems not only attacks) 2. I do not want to make all resources available to all clients coming through the VPN. To achieve that I would need a way of assigning specific, LAN, reserved IP addresses to incoming clients so that each IP address would be an identifier of the client. Or maybe there is another way to have the same result and I am not aware of it. Any idea would be much appreciated as usual. Thank you, 7: Comment Link

On Fri, 04 Apr 2008 at 5:08 AM, Joe VOirol wrote This is set up with a static IP address in the netscreen. What changes do you need to make to get it to work with a dynamic IP address pointed to a name with dnyDNS such as or 8: Comment Link

On Thu, 05 Jun 2008 at 11:16 PM, Robert BECKERS wrote MANY MANY MANY MANY Thank's for your explanation about the setting-up of the VPN Connection with a 5GT I search a lot and your configuration work very fine !!!! Regards ! 9: Comment Link

On Sat, 05 Jul 2008 at 5:45 AM, Jim wrote I am trying to get the dial up users to have access to another remote network but cannot seem to get it to work. Basically, Lan1=home office, Lan2=remote office. Lan1 has a static vpn connection to Lan2. Dial up users connect directly to Lan1 but cannot get any traffic to Lan2, is this just a policy that needs to be implemented or should the Nat get by this? 10: Comment Link

On Thu, 04 Sep 2008 at 6:49 PM, James wrote Hi! Nice tutorial, thanks! :) The only question i have is : How can i assign an local IP-Address to this when the user has dialed up? (Background : We have different Systems which only allow access from an local IP-Adress. Thanks for your time, James K. 11: Comment Link

On Mon, 03 Nov 2008 at 7:22 AM, Adi wrote I come back to my previous question as this is also the problem James seems to have. There is a possibility to assign local IP addresses (from within the LAN inside the company) to the dial-up incoming clients. Open Security Policy Editor, go to Options -> Global Policy Settings and check the Allow to specify internal network address. After this, still in Secure Policy Editor, under My Identity, you should see a area called Secure interface configuration where you should chose Virtual adapter required and fill in the IP address you need to have inside the remote LAN. However this is not working as it should. A tried it on 4 different versions of Netscreen Remote (except the newest 11.1 that I don't have) and also on Windows XP and Vista. The Netscreen Remote application obviously has some nasty bugs or other similar problems. If you managed to make it work PLEASE let me know how. Thanks, 12: Comment Link

On Mon, 03 Nov 2008 at 8:58 AM, Michael Dale (of wrote This link should show you how to setup a dial-up VPN with local IP address: 13: Comment Link

On Mon, 23 Feb 2009 at 7:31 PM, Rizwan wrote I have configured the VPN exactly as mentioned above. But when i am creating policy i can not see "vpn name" in tunnel. I have rechecked all the configuration thrice but no luck. I have also erased and reconfigured VPN. Please advice 14: Comment Link

On Mon, 30 Mar 2009 at 12:16 AM, sandeep wrote were can i find this netscreen remote client 15: Comment Link

On Mon, 30 Mar 2009 at 6:52 PM, Michael Dale (of wrote Hi sandeep, You will need to purchase a license from Juniper in order to have access to download it. 16: Comment Link

On Fri, 29 May 2009 at 2:35 PM, Graham wrote Ahhh - some problems with this....... I have already set up 4 different Clients using this setup on a SSG-5 and they all work well. Now I am trying to set up a 5th Client in exactly the same way, but when I try and set the VPNs -> AutoKey Advanced -> Gateway (Step 2 above) I get the following...... "Only one set or proposals allowed for Main Mode dynamic peer." "Error in set ike gateway" It won't let me create this gateway? Any ideas?? 17: Comment Link

On Sun, 02 Aug 2009 at 7:34 PM, Mohammad Khalil wrote hi all after i configured everything as mentioned above i cannot make the connection i mean how do i connect for example in cisco vpn client there is connect ?? thanks 18: Comment Link

On Tue, 15 Sep 2009 at 8:50 AM, amal wrote Is there any way to make the remote system running Netscreen Remote software addressable from the LAN? I want to be able to have roaming clients obtain a local LAN IP address by which I can ping and access those clients. Is that possible with Netscreen Remote? 19: Comment Link

On Thu, 15 Oct 2009 at 3:27 PM, DMAN wrote Hi We are on a Domain environment and have laptop users who have the netscreen Remote software installed and configure on their machine. AIM: We would like users to login to our Domain server using the dial up connection option when logging from home and not on the work network. Please refer to the sample screenshot: Questions: 1) Can we configure the netscreen remote to be use a dial up connection? 2) Do we need to do anything on our Domain Server? I tried to tick the dial up connection and ask me to connect using the SafeNet Virtual Adapter Interface, which I did and it gave me a dialog box: "Checking network protocol conections.... TCP/IP CP reported error 738: The server did not assign an address" Any help would be appreciated. Thanks. 20: Comment Link


HTML allowed: <a href="" title="" rel=""></a> <b></b> <blockquote cite=""></blockquote> <em></em> <i></i> <strike></strike> <strong></strong> <li></li> <ol></ol> <ul></ul>
ie: <b>bold</b>

Your comment may need to be reviewed before it is published.



Email (not shown)

WWW (optional)

Allow contact form email

Remember details