• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2051
  • Last Modified:

Site to Site VPN between Netscreen and Linksys end point router?

I want to setup a Site to Site VPN between my Netscreen 5 SSG  and a single remote user using a
Linksys BEFSR41.  The purpose of this VPN is to connect a VoIP phone at their site.
Does anyone have experience or knows of a guide to setup a VPN between these two router.
My SSG router is configured with Static IPs and my remote Linksys will need to use Dynamic DNS.

0
smariani
Asked:
smariani
  • 3
  • 3
  • 2
  • +1
1 Solution
 
amoldkelkarCommented:
Hi,
You should follow the online technical documentation for configuring your netscreen fw.
http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/index.html#Concepts
In the above mentioned site please refer the 'concepts & Examples" and that too the 'Concepts & Examples ScreenOS Reference Guide: All volumes combined' section.

You must have a look at the 'Dialu-up VPN" example in Volume 5 > Dialup VPN > Dialup > Policy/Route based vpns

I am sure you should be able to configure your vpn if you follow the config in the example.

Let me know if you need any help.

-AK
0
 
smarianiAuthor Commented:
I was looking for step by step site to site VPN instructions for a Netscreen 5SSG running 5x or 6x Screen OS with a Linksys or D-link or 2Wire router.  I think the Linksys model BEFSR41 does not have End Point capacity.    I do not want to use VPN software...  I want a hardware to hardware VPN setting.
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
The Linksys BEFSR41 is not a VPN endpoint. It only allows VPN pass-through.

You will need either the BEFSX41 (home/limited use) or the RV082 (hardened/business class) VPN endpoint routers. I recommend staying away from the WRV54G Wireless-G VPN endpoint as these things are lousy for VPN tunnels and the RV042 (4 ports, but limited on VPN capabilities)

Also, a nice plus with the RV082 unit is that is you are using DDNS via DynDNS.org, it can automatically update itself with the WAN IP address, thus making it easier for VPN tunnel needs.
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
smarianiAuthor Commented:
mwecomputers:, you would not happen to know where there is a guide to setup a Jupiner Netscreen 5SSG with os 5 or 0s6 with a BEFSX41 or a RV082?
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Not really experienced in the Juniper products. You might try their website to see if they have a Community Forum or some type of Knowledge Base.
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
I discovered this link, but I don't know if it will help:

Configuring a VPN Between a NetScreen Firewall and a Non-NetScreen Firewall in NSM (KB ID: KB4515)
http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1902ba5
0
 
ccreamer_22Commented:
You should be able to do this with the RV082.
First make sure both sites are able to get onto the internet. you should be able to ping the public ip of both devices from either network.
Now lets start with a simple setup we will use 3des/sha for both the phase 1 and phase 2 negotiations.
on the rv082, we need to know the external ip, or public ip address. lets use 1.1.1.1 as an example.
we also need to know the internal ip address range you are using. Lets say 192.168.1.0/24 on the network with the RV082.
We also need to know the other site's addresses. Lets use 2.2.2.2 for the external ip or untrust ip for the netscreen, and an internal ip range of 192.168.2.1/24.
on the RV082, we will go to the vpn tab and choose gateway to gateway.
type the local ip addresses in as well as the reomte addresses in. Make sure both sites have different address space, otherwise we will have to go into the headache of natting everything on both devices.
now at the bottom, you will notice an area for the setup of the security. Choose 3des/sha for both. make sure the timeouts match the timeouts on the netscreen. You can find them at VPNs > AutoKey Advanced > P1 Proposal & VPNs > AutoKey Advanced > P2 Proposal in the webui on the netscreen. now in the preshare key type in preshare. Don't worry about the advanced mode. That is for failover vpn tunnels and more complicated stuff. press ok and it should set it up for you on the RV082 side. Now go to the juniper. First we have to tell it what address the remote network is using. Go to the WebUI and then go to Objects > Addresses > List. Create the object in the untrust are with the address range of the remote network. Now go to VPNs > AutoKey Advanced > Gateway and create a new gateway. Type in the name of the remote peer, put in the public ip of the remote peer, 1.1.1.1 for this example. Type in preshare for your preshared key. Make the outgoing interface the untrust interface and press advanced. Under security level put the dot in custom. Choose pre-g2-3des-sha for the security level. The rsa and dsa both want a certificate for authentication. Let's just keep this simple. Choose x509-sig for your peer type, now press return, then ok on the next screen. Now go to VPNs > AutoKey IKE and press new. for the name type in tunnel to and the name of the remote gateway you just created. choose your remote gatway under predefined, then go to advanced. Choose User Defined under security level. Choose nopfs-esp-3des-sha for the encryption. Under bind to select tunnel zone. Press return and then ok on the next screen. Now go to policies. Select trust to untrust and press new. Under Source Address select or type in your local area network address, 192.168.2.0/24 for this example. Under Destination Address select the address book entry you created for the remote network. Set service to Any. Under action select tunnel. Under Tunnel select the tunnel to the network you set up under your phase 2 setup earlier. Put a check in modify bidirectional policy and position at the top. press ok and then you should be done. if it doesn't work correctly, go to your error log and look up the the entries that show your remote gateways public ip address. Then look through the ScreenOS 5.4 Message Log Reference Guide availible at http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/Msg.pdf. It will tell you what is wrong with the tunnel and how to fix it if there is an error or if negotiations are not working. Make sure you don't rush and double check each screen before moving on with the setup.
0
 
ccreamer_22Commented:
Junip[er has a good article on this: http://kb.juniper.net/CUSTOMERSERVICE/KB8554
It uses a cisco pix as an example, but the concept is the same.
0
 
smarianiAuthor Commented:
Great details.
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now