Configure VPN in Juniper SSG5


I am looking for help to configure a Juniper SSG5 VPN. We have one locally hosted website. We want our remote laptop users to access this website when they are out of the office. Our LAN IP is and the server IP is . The firewall local IP is . The firewall is directly connected to the service provider's WAN IP.
I am using the web interface.
Your local IP choice could be problematic, as it is a common LAN IP in homes; the IP segments must be different.

You are setting up a remote VPN.
Does your system have a static IP? And other resources of examples.....

You should
Site A: your SSG5 location
WAN IP: c.c.x.x
LAN segment:

Remote user:
Any source

IPSec policy, using VPN client or is provided?
Key length,
Pre shared:
Key lifetime

You have to mirror the settings...
My remote users don't have static IPs. Please suggest what I should do.

I have 15-20 remote users with dynamic connections to connect to my LAN. They may have poor internet. What should I opt for, policy-based or route-based?
Of course it would be much easier if you just "published" the web site by using port forwarding, but that will bring in some security and privacy issues ...
Is the client running W10? Then you could use the integrated IPSec IKEv2 client. Otherwise you have to install IPSec software like the free ShrewSoft VPN, or a commercial one like NCP (very good support, even in the trial phase).
But be warned, it might become a PITA to get it working. Testing definitely is a PITA, as you need to be in a different network for that.
Dial-in clients don't need to have static IPs, but your main site should have one, otherwise the configuration gets more complex.
Unless you have complex configuration restrictions in mind, I would stay with a policy-based VPN.
What will be the issue if I continue using

And please also advise why to use policy-based over route-based.

I would like to go with a different setup key for each user so I can restrict users when we want to.
When using XAuth (= explicit user authentication), you restrict the user account, not the VPN. You can create a local user account setup - and have full and separate control on the device - or use RADIUS to authenticate against the domain account.
In both cases you do not need to use different keys for users.

Policy-based VPN is just simpler, and allows for direct control in the GUI. A route-based VPN is more complex, as you have to consider more levels of processing with different precedence and a particular sequence. Policies also have the advantage that you can just disable the policy to prevent general dial-in.
If you still want to use different VPN tunnels for different users (groups), you can switch the policy for those on/off as you like.
Regarding the network: you get into serious trouble as soon as someone dialing in is using the same network. The tendency is to use IP addresses starting at the lower end, so the router will be .1, servers are usually at the lower end, and clients somewhere higher.
So imagine you have a common home network setup of router = , client PC = . You want to establish the VPN connection to RDP into , which is a server. That would not work, no matter what you do. If the single addresses are not the same, you can apply some hacking and routing tricks, but that is flaky and likely to fail for other dial-in users.
Applying destination NAT to everything having to pass the VPN is one hack. E.g. you would translate all your office addresses to in the VPN policy - you then would have to use those addresses on the VPN, without a working name resolution, and many more issues.

So really, the best you can do is move your office network to some random address like the one I used above. is a public IP space and is allocated to

You have to pick IPs from the PRIVATE IP space.
arnold, that has been a typo, we are (still) talking 'bout
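As an added illustration of the address-overlap problem the experts describe above (this is not code from the thread or from Juniper), a small Python check that flags an office LAN candidate that is public, that collides with a common home-router default range, or that overlaps the home subnet of a dial-in client; the ranges and client subnets used are constructed sample values.

```python
import ipaddress

# Constructed sample: default LAN ranges commonly shipped on home routers,
# i.e. the "common LAN IP in homes" the thread warns about.
COMMON_HOME_RANGES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def check_office_lan(office_lan, client_home_subnets):
    """Return a list of problems with using office_lan as the subnet behind
    the VPN gateway, given the home subnets of the dial-in clients.
    An empty list means the candidate is usable."""
    office = ipaddress.ip_network(office_lan, strict=False)
    problems = []
    if not office.is_private:
        # Public space routes to someone else on the internet, not to you.
        problems.append("public address space")
    for common in COMMON_HOME_RANGES:
        if office.overlaps(common):
            problems.append(f"overlaps common home range {common}")
    for home in client_home_subnets:
        home_net = ipaddress.ip_network(home, strict=False)
        if office.overlaps(home_net):
            # Same segment on both sides: traffic never enters the tunnel.
            problems.append(f"overlaps client home subnet {home_net}")
    return problems


def host_collides(server_ip, client_hosts):
    """True if the office server address is literally reused by a client's
    router or PC; that is the case the thread calls unfixable."""
    server = ipaddress.ip_address(server_ip)
    return any(ipaddress.ip_address(h) == server for h in client_hosts)


def pick_office_lan(candidates, client_home_subnets):
    """First candidate prefix with no problems, or None."""
    for cand in candidates:
        if not check_office_lan(cand, client_home_subnets):
            return cand
    return None


if __name__ == "__main__":
    homes = ["192.168.1.0/24", "192.168.0.0/24"]  # constructed client subnets
    for cand in ["192.168.1.0/24", "8.8.8.0/24", "10.47.203.0/24"]:
        print(cand, check_office_lan(cand, homes) or "ok")
```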
In the below link:

Where am I supposed to do the below configuration:

From where do I download NetScreen? Is there any license required, or any alternate software?

Configuration of NetScreen-Remote Side:

    Create New Policy by clicking the New Connection icon on upper left corner.  Label this new connection Corporate
    On Remote Party Identity and Addressing
        Set ID Type: IP Subnet
        Enter Subnet:
        Enter Netmask:
        Click Connect using Secure Gateway Tunnel
        Enter ID Type: IP Address:
    Expand the connection Corporate
        Click Security Policy
            Select Phase 1 Negotiation Mode: Aggressive
            De-Select Enable Perfect Forward Secrecy (PFS)
            De-select "Enable Replay Detection"
        Click My Identity
            Select Certificate: None
            ID Type: Email address:
            Click Pre-Shared Key
            Click Enter Key
            Click OK
            Enter the Pre-shared key sharedikeid
        Expand Security Policy
            Expand Authentication (Phase 1)
                Select Proposal 1
                Authentication Method: Pre-Shared Key; Extended Authentication
                Encryption Alg: Triple DES
                Hash Alg: SHA
                SA Life: Unspecified
                Key Group: Diffie-Hellman Group 2
            Expand Key Exchange (Phase 2)
                Select Proposal 1
                Encrypt Alg. Triple DES
                Hash Alg. SHA
                Encapsulation: Tunnel
        Click Save
Juniper has changed to a rebranded NCP client. It always has required a client license - the SSG doesn't need licenses.
You should not use an IP for a remote VPN setup, unless you explicitly set up one remote VPN per user.
In your situation, you would use a user identifier type.