Site to Site VPN between Netscreen and Linksys end point router?

I want to setup a Site to Site VPN between my Netscreen 5 SSG  and a single remote user using a
Linksys BEFSR41.  The purpose of this VPN is to connect a VoIP phone at their site.
Does anyone have experience or knows of a guide to setup a VPN between these two router.
My SSG router is configured with Static IPs and my remote Linksys will need to use Dynamic DNS.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You should follow the online technical documentation for configuring your netscreen fw.
In the above mentioned site please refer the 'concepts & Examples" and that too the 'Concepts & Examples ScreenOS Reference Guide: All volumes combined' section.

You must have a look at the 'Dialu-up VPN" example in Volume 5 > Dialup VPN > Dialup > Policy/Route based vpns

I am sure you should be able to configure your vpn if you follow the config in the example.

Let me know if you need any help.

smarianiAuthor Commented:
I was looking for step by step site to site VPN instructions for a Netscreen 5SSG running 5x or 6x Screen OS with a Linksys or D-link or 2Wire router.  I think the Linksys model BEFSR41 does not have End Point capacity.    I do not want to use VPN software...  I want a hardware to hardware VPN setting.
Michael WorshamStaff Infrastructure ArchitectCommented:
The Linksys BEFSR41 is not a VPN endpoint. It only allows VPN pass-through.

You will need either the BEFSX41 (home/limited use) or the RV082 (hardened/business class) VPN endpoint routers. I recommend staying away from the WRV54G Wireless-G VPN endpoint as these things are lousy for VPN tunnels and the RV042 (4 ports, but limited on VPN capabilities)

Also, a nice plus with the RV082 unit is that is you are using DDNS via, it can automatically update itself with the WAN IP address, thus making it easier for VPN tunnel needs.
INTRODUCING: WatchGuard's New MFA Solution

WatchGuard is proud to announce the launch of AuthPoint, a powerful, yet simple, Cloud-based MFA service designed to eliminate the vulnerabilities that put your data, systems, and users at risk.

smarianiAuthor Commented:
mwecomputers:, you would not happen to know where there is a guide to setup a Jupiner Netscreen 5SSG with os 5 or 0s6 with a BEFSX41 or a RV082?
Michael WorshamStaff Infrastructure ArchitectCommented:
Not really experienced in the Juniper products. You might try their website to see if they have a Community Forum or some type of Knowledge Base.
Michael WorshamStaff Infrastructure ArchitectCommented:
I discovered this link, but I don't know if it will help:

Configuring a VPN Between a NetScreen Firewall and a Non-NetScreen Firewall in NSM (KB ID: KB4515)
You should be able to do this with the RV082.
First make sure both sites are able to get onto the internet. you should be able to ping the public ip of both devices from either network.
Now lets start with a simple setup we will use 3des/sha for both the phase 1 and phase 2 negotiations.
on the rv082, we need to know the external ip, or public ip address. lets use as an example.
we also need to know the internal ip address range you are using. Lets say on the network with the RV082.
We also need to know the other site's addresses. Lets use for the external ip or untrust ip for the netscreen, and an internal ip range of
on the RV082, we will go to the vpn tab and choose gateway to gateway.
type the local ip addresses in as well as the reomte addresses in. Make sure both sites have different address space, otherwise we will have to go into the headache of natting everything on both devices.
now at the bottom, you will notice an area for the setup of the security. Choose 3des/sha for both. make sure the timeouts match the timeouts on the netscreen. You can find them at VPNs > AutoKey Advanced > P1 Proposal & VPNs > AutoKey Advanced > P2 Proposal in the webui on the netscreen. now in the preshare key type in preshare. Don't worry about the advanced mode. That is for failover vpn tunnels and more complicated stuff. press ok and it should set it up for you on the RV082 side. Now go to the juniper. First we have to tell it what address the remote network is using. Go to the WebUI and then go to Objects > Addresses > List. Create the object in the untrust are with the address range of the remote network. Now go to VPNs > AutoKey Advanced > Gateway and create a new gateway. Type in the name of the remote peer, put in the public ip of the remote peer, for this example. Type in preshare for your preshared key. Make the outgoing interface the untrust interface and press advanced. Under security level put the dot in custom. Choose pre-g2-3des-sha for the security level. The rsa and dsa both want a certificate for authentication. Let's just keep this simple. Choose x509-sig for your peer type, now press return, then ok on the next screen. Now go to VPNs > AutoKey IKE and press new. for the name type in tunnel to and the name of the remote gateway you just created. choose your remote gatway under predefined, then go to advanced. Choose User Defined under security level. Choose nopfs-esp-3des-sha for the encryption. Under bind to select tunnel zone. Press return and then ok on the next screen. Now go to policies. Select trust to untrust and press new. Under Source Address select or type in your local area network address, for this example. Under Destination Address select the address book entry you created for the remote network. Set service to Any. Under action select tunnel. Under Tunnel select the tunnel to the network you set up under your phase 2 setup earlier. Put a check in modify bidirectional policy and position at the top. press ok and then you should be done. if it doesn't work correctly, go to your error log and look up the the entries that show your remote gateways public ip address. Then look through the ScreenOS 5.4 Message Log Reference Guide availible at It will tell you what is wrong with the tunnel and how to fix it if there is an error or if negotiations are not working. Make sure you don't rush and double check each screen before moving on with the setup.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Junip[er has a good article on this:
It uses a cisco pix as an example, but the concept is the same.
smarianiAuthor Commented:
Great details.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.