Astaro V7 110 VPN to Juniper 5GT setup

Posted on 2007-08-07
Last Modified: 2008-01-09
Hello, I am trying to set up a VPN connection from an Astaro V7 110 to a Juniper 5GT. I have followed the first part of the Juniper setup found here:

and I have set up the Astaro to connect back to the Juniper. I am unsure of the phase 2 proposal and what it should be: g2-esp-des-md5? g2-esp-des-sha? 3des?

Both devices have static public addresses.

I cannot seem to get the correct combination and I'm not really sure how to see what part of the linking between the two devices is failing. So this question is:
1 - What type of encryption should I be selecting for both devices?
2 - How do I tell where it is breaking down (why it is not establishing the connection)?
3 - What do I need to change to make this work?

Thanks for the help.

Question by:knightdogs
    LVL 16

    Expert Comment

    I do have some experience with the Juniper but none with Astaro.
    First you have to make sure phase 1 is correctly established; only then do you need to worry about phase 2 proposals.
    If phase 1 to the Juniper is established (or even if there is a failed attempt) there should be something in the logs. Logs are one of the few places that can tell you what goes wrong.

    So check the logs on the Juniper (and probably Astaro also) and post relevant content. Is the VPN even trying to connect? What step fails?
    LVL 2

    Accepted Solution

    Here is an article from Astaro's knowledgebase that may help. I have had success establishing VPN tunnels from ASG220 V6 to Netgear routers but I have no experience with Juniper products.

    This guide explains what settings are required on your Astaro to set up an IPSec PSK Net-to-Net VPN from the Astaro to another firewall or VPN termination. For any VPN it is required that all parameters match correctly and it is recommended that you first set up the remote firewall and match parameters with the Astaro.

    This can be used for setting up a VPN to firewalls such as PIX, NetScreen, Sonicwall, Checkpoint, Cisco VPN or any Openswan system.
    These steps are for matching the parameters used to establish the VPN tunnel on the Astaro. The other Remote Firewall will need the same parameters established.

    Policy to match for both sides of the tunnel:

    ISAKMP (IKE) Settings (Phase 1)
    Name: Enter a name that signifies the policy like RemoteFirewallPolicy
    IKE Mode: Main Mode
    Encryption Algorithm: 3DES 168bit
    Authentication Algorithm: MD5 160bit
    IKE DH Group: DH Group 2 (MODP 1024)
    SA Lifetime (secs): 28800

    IPSec Settings (Phase 2)
    IPSec Mode: Tunnel
    IPSec Protocol: ESP
    Encryption Algorithm: 3DES-CBC 168bit
    Enforce Algorithms: Off
    Authentication Algorithm: MD5 160bit
    SA Lifetime (secs): 28800
    PFS: None
    Compression: Off

    Astaro Security Gateway Settings

    Step 1 - Defining the Networks
    1.1 - Definitions > Networks
    1.2 - Click New Definition
    1.3 - Name:  Remote_Gateway
    1.4 - Type: Host
    1.5 - Address: Enter the address of the Public IP on the Remote Firewall side
    1.6 - Comment: Enter a comment if you like
    1.7 - Click Add Definition
    1.8 - Name: Remote_Network
    1.9 - Type: Network
    1.10 - Address/Netmask: Enter the IP address of the LAN on the
              Remote Firewall side and choose the corresponding Netmask
    1.11 - Comment:  Enter a comment if you like
    1.12 - Click Add Definition

    Step 2 - Creating the Preshared Key
    2.1 - IPSec VPN > Remote Keys
    2.2 - Name: Enter a name for the key
    2.3 - Virtual IP: <not used>
    2.4 - Key type: PSK
    2.5 - Preshared Key: Enter the same key string that you did in the
             Remote Firewall
    2.6 - Click Add

    Step 3 - Creating a Policy
    3.1 - IPSec VPN > Policies
    3.2 - Click New

    ISAKMP (IKE) Settings
    3.3 - Name: Enter a name that signifies the policy like RemoteFirewallPolicy
    3.4 - IKE Mode: Main Mode
    3.5 - Encryption Algorithm: 3DES 168bit
    3.6 - Authentication Algorithm: MD5 160bit
    3.7 - IKE DH Group: DH Group 2 (MODP 1024)
    3.8 - SA Lifetime (secs): 28800

    IPSec Settings
    3.9 - IPSec Mode: Tunnel
    3.10 - IPSec Protocol: ESP
    3.11 - Encryption Algorithm: 3DES-CBC 168bit
    3.12 - Enforce Algorithms: Off
    3.13 - Authentication Algorithm: MD5 160bit
    3.14 - SA Lifetime (secs): 28800
    3.15 - PFS: None
    3.16 - Compression: Off
    3.17 - Click Add

    Step 4 - Creating a Connection
    4.1 - IPSec VPN > Connections
    4.2 - Name: Enter a name for the connection
             (eg. To_Remote_Firewall)
    4.3 - Type: Standard
    4.4 - IPSec Policy: Choose the policy that was created
             earlier (RemoteFirewallPolicy)
    4.5 - Auto Packet Filter: On (allows all traffic through) or
             Off (you will have to create packet filter rules later on)
    4.6 - Strict Routing: On

    Endpoint Definition
    4.7 - Local Endpoint: Select from the dropdown the Public
             interface on the Astaro firewall [eg. External (address)]
    4.8 - Remote Endpoint: Select from the dropdown the definition
            of the public side on the Remote Firewall (Remote_Gateway)

    Subnet definition
    4.9 - Local Subnet: Select the internal LAN on the Astaro
            Firewall [eg. Internal (network)]
    4.10 - Remote Subnet: Select the definition of the LAN for the
              Remote Firewall (Remote_Network)

    Authentication of remote Station(s)
    4.11 - Key: Select the PSK that was created earlier
    4.12 - Click Add
    4.13 - Enable the tunnel by clicking on the red traffic light to
              make it green.

    Step 5 - Check tunnel status
    5.1 - Click Show for VPN Routes to see the route that is
             created which will look like this:

    <Astaro LAN>= = =<Astaro External>&<Remote Firewall External>= = =<Remote Firewall LAN>
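
The guide above requires every Phase 2 parameter to match on both ends, and the question lists Juniper proposal names without saying which one lines up with the Astaro policy. The following is an added example, not part of the original posts or of the Astaro article: it decodes proposal names and compares them with the Phase 2 values from the guide. It assumes the names follow the `<pfs>-<protocol>-<encryption>-<auth>` pattern that the names in the question suggest; the candidate list, function names and PFS prefix table are constructed for illustration.

```python
# Added example: decode Juniper-style Phase 2 proposal names and compare them
# with the Astaro IPSec policy listed in the guide above.

# Astaro Phase 2 values taken from the guide (PFS: None, ESP, 3DES, MD5).
ASTARO_PHASE2 = {"pfs": "none", "protocol": "esp", "encryption": "3des", "auth": "md5"}

# Assumed meaning of the leading field of a proposal name.
PFS_PREFIXES = {"nopfs": "none", "g1": "group1", "g2": "group2", "g5": "group5"}


def parse_phase2_proposal(name):
    """Split a name such as 'g2-esp-des-md5' into its four negotiated fields."""
    parts = name.strip().lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"expected <pfs>-<protocol>-<encryption>-<auth>, got {name!r}")
    pfs, protocol, encryption, auth = parts
    if pfs not in PFS_PREFIXES:
        raise ValueError(f"unknown PFS prefix {pfs!r} in {name!r}")
    return {"pfs": PFS_PREFIXES[pfs], "protocol": protocol,
            "encryption": encryption, "auth": auth}


def mismatches(local, remote):
    """Return {field: (local, remote)} for each field on which the peers disagree."""
    return {k: (local[k], remote[k]) for k in local if local[k] != remote[k]}


def report(candidates, local=ASTARO_PHASE2):
    """Map each candidate proposal name to its mismatches against the local policy."""
    return {name: mismatches(local, parse_phase2_proposal(name)) for name in candidates}


if __name__ == "__main__":
    # Constructed candidate list: the two names from the question plus two others.
    candidates = ["g2-esp-des-md5", "g2-esp-des-sha",
                  "g2-esp-3des-md5", "nopfs-esp-3des-md5"]
    for name, diff in report(candidates).items():
        if not diff:
            print(f"{name}: matches the Astaro policy")
        for field, (ours, theirs) in diff.items():
            print(f"{name}: {field} differs (Astaro {ours}, Juniper {theirs})")
```

The check only shows whether the two ends agree; DES, MD5 and DH group 2 are legacy algorithms, so where both devices offer stronger options, change both sides together and re-run the comparison.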

