VPN is built between Juniper firewalls:

Katowice – SSG140 ScreenOS 6.1.0r7.0

Warsaw – Netscreen 5GT – ScreenOS 5.4.0r10.0



REMOTE SITE (WARSAW) – firewall with dynamic IP


  • configure vpn zone

ns5gt-adsl-> set zone name VPN

new zone for the VPN (keeps the config clean)


  • configure tunnel interface

ns5gt-adsl-> set interface tunnel.1 zone VPN

ns5gt-adsl-> set interface tunnel.1 ip unnumbered interface untrust

the tunnel interface is unnumbered because we do not need NAT etc. on it

tunnel.1 is placed in zone VPN and borrows the IP of interface untrust


  • configure IPSEC P1 proposal

ns5gt-adsl-> set ike p1-proposal Katowice-p1 preshare group2 esp aes256 sha-1

Phase 1 proposal – by default lifetime is 28800 secs

  • configure IPSEC P2 proposal

ns5gt-adsl-> set ike p2-proposal Katowice-p2 group2 esp aes256 sha-1

Phase 2 proposal – by default lifetime is 3600 secs

  • configure ike gateway

ns5gt-adsl-> set ike gateway "to_Katowice" address aggressive local-id outgoing-interface Untrust preshare secret proposal Katowice-p1

address – external IP of the VPN terminator in Katowice

mode – aggressive! (the Warsaw end has a dynamic IP and authenticates with a pre-shared key, so main mode cannot be used)

local-id – must be specified; the Katowice end identifies this peer by it (its peer-id)


  • configure vpn

ns5gt-adsl-> set vpn Katowice gateway to_Katowice proposal Katowice-p2

ns5gt-adsl-> set vpn Katowice proxy-id local-ip remote-ip any

proxy-id (encryption domain) – defines what traffic is allowed on the tunnel – must match on both ends (mirrored: local-ip here is remote-ip on the other side)

  • assign vpn to interface tunnel.1

ns5gt-adsl-> set  vpn Katowice bind interface tunnel.1


  • configure routing

ns5gt-adsl-> set route interface tunnel.1

all traffic to that destination network will be pushed into our new tunnel interface (VPN)


  • configure policy

ns5gt-adsl-> set address Katowice corporate_network

define the address object for the corporate network

ns5gt-adsl-> set policy from Trust to VPN any permit log

policy allows traffic from Trust zone to VPN zone (from Warsaw network to corporate network)

ns5gt-adsl-> set policy from VPN to Trust any permit log

policy allows traffic from VPN zone to Trust zone (from corporate network to Warsaw network)




CENTRAL SITE (KATOWICE) – firewall with static IP


  • configure new zone (for the VPN)

-> set zone name VPN

  • configure tunnel interface

-> set interface tunnel.3 zone VPN

-> set interface tunnel.3 ip unnumbered interface ethernet0/9

ethernet0/9 is connected to the Internet

  • configure vpn

-> set ike p1-proposal Warsaw-p1 group2 esp aes256 sha-1

-> set ike p2-proposal Warsaw-p2 group2 esp aes256 sha-1

-> set ike gateway to_Warsaw dynamic aggressive outgoing-interface ethernet0/9 preshare secret proposal Warsaw-p1

ethernet0/9 is connected to the Internet; peer-id (the value after dynamic) – must match the local-id configured on the Warsaw firewall


-> set vpn Warsaw gateway to_Warsaw proposal Warsaw-p2

-> set vpn Warsaw proxy-id local-ip remote-ip any

  • bind vpn to interface "tunnel.3"

-> set vpn Warsaw bind interface tunnel.3

  • configure routing

-> set route interface tunnel.3


  • enable VPN monitoring, optimized mode and rekey

-> set vpn "Warsaw" monitor source-interface ethernet0/9 optimized rekey

monitor keeps checking the peer (optimized: incoming traffic counts as proof of life, so probes are only sent when the tunnel is idle); rekey re-establishes the tunnel automatically when it goes down


  • configure policy

-> set address VPN Warsaw

-> set policy from Trust to VPN any permit log

-> set policy from VPN to Trust any permit log


Check the VPN tunnel


-> get sa

00000080<  500 esp:a256/sha1 84f2deac  3498 unlim A/-    -1 0

00000080>  500 esp:a256/sha1 f35016f9  3498 unlim A/-    -1 0

VPN is established – both SAs (inbound <, outbound >) are in state A (active) with esp aes256/sha1, with 3498 s of the 3600 s Phase 2 lifetime remaining
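Two points the post stresses, that proposals, proxy-ids and peer-id/local-id must match on both ends, and that get sa is how you confirm the tunnel is up, can be checked mechanically before and after bringing the tunnel up. The Python script below is an added example, not part of the original post and not a ScreenOS tool: it parses the "set" lines of both firewalls and a get sa listing. All three inputs are constructed samples; the addresses, hostnames, SPIs and peer IP are placeholders chosen here because the post redacts its own values.

```python
import re

# Constructed sample configs for both ends. The addresses, IDs and pre-shared
# key are placeholders (documentation ranges, example hostnames): the original
# post redacted its real values, so these are assumptions, not the post's data.
WARSAW_CFG = """
set ike p1-proposal Katowice-p1 preshare group2 esp aes256 sha-1
set ike p2-proposal Katowice-p2 group2 esp aes256 sha-1
set ike gateway to_Katowice address 203.0.113.10 aggressive local-id warsaw.example.net outgoing-interface untrust preshare secret proposal Katowice-p1
set vpn Katowice gateway to_Katowice proposal Katowice-p2
set vpn Katowice proxy-id local-ip 192.0.2.0/24 remote-ip 198.51.100.0/24 any
"""
KATOWICE_CFG = """
set ike p1-proposal Warsaw-p1 preshare group2 esp aes256 sha-1
set ike p2-proposal Warsaw-p2 group2 esp aes256 sha-1
set ike gateway to_Warsaw dynamic warsaw.example.net aggressive outgoing-interface ethernet0/9 preshare secret proposal Warsaw-p1
set vpn Warsaw gateway to_Warsaw proposal Warsaw-p2
set vpn Warsaw proxy-id local-ip 198.51.100.0/24 remote-ip 192.0.2.0/24 any
"""
# Constructed 'get sa' listing in the column layout shown in the post (peer IP is a placeholder).
GET_SA = """
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000080<  203.0.113.200  500 esp:a256/sha1 84f2deac  3498 unlim A/-    -1 0
00000080>  203.0.113.200  500 esp:a256/sha1 f35016f9  3498 unlim A/-    -1 0
"""

GROUP = re.compile(r"\b(group\d+|no-pfs)\b")
CIPHER = re.compile(r"\b(aes128|aes192|aes256|3des|des)\b")
HASH = re.compile(r"\b(sha-1|sha2-256|md5)\b")
# id, direction, gateway, port, esp:enc/auth, spi, life-sec, life-kb, state
SA_LINE = re.compile(r"^([0-9a-f]{8})([<>])\s+\S+\s+\d+\s+esp:(\w+)/(\w+)\s+([0-9a-f]{8})\s+(\d+|unlim)\s+\S+\s+(\S+)")
ENC_NAMES = {"a256": "aes256", "a192": "aes192", "a128": "aes128", "3des": "3des", "des": "des"}
AUTH_NAMES = {"sha1": "sha-1", "md5": "md5"}


def parse_side(cfg):
    """Collect proposals, the IKE gateway and the VPN object from one firewall's 'set' lines."""
    side = {"p1": {}, "p2": {}, "gateway": {}, "vpn": {}}
    for line in cfg.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["set", "ike"] and tok[2] in ("p1-proposal", "p2-proposal"):
            # Store (DH group, cipher, hash); the auth method (preshare) is not part of the match.
            side[tok[2][:2]][tok[3]] = tuple(rx.search(line).group(1) for rx in (GROUP, CIPHER, HASH))
        elif tok[:3] == ["set", "ike", "gateway"]:
            gw = {"mode": "aggressive" if "aggressive" in tok else "main"}
            for flag in ("address", "dynamic", "local-id", "proposal"):
                if flag in tok:
                    gw[flag] = tok[tok.index(flag) + 1]  # 'dynamic <peer-id>' on the static end
            side["gateway"] = gw
        elif tok[:2] == ["set", "vpn"] and "proxy-id" in tok:
            side["vpn"].update(local=tok[tok.index("local-ip") + 1],
                               remote=tok[tok.index("remote-ip") + 1], service=tok[-1])
        elif tok[:2] == ["set", "vpn"] and "proposal" in tok:
            side["vpn"]["proposal"] = tok[tok.index("proposal") + 1]
    return side


def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches between the two ends; an empty list means they agree."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    ga, gb = a["gateway"], b["gateway"]
    problems = []
    # A peer with a dynamic IP and a pre-shared key has to use aggressive mode on both ends.
    if ("dynamic" in ga or "dynamic" in gb) and {ga["mode"], gb["mode"]} != {"aggressive"}:
        problems.append(f"dynamic peer but IKE modes are {ga['mode']}/{gb['mode']}")
    # The static end finds the dynamic peer by ID: its peer-id must equal the peer's local-id.
    for static, other in ((ga, gb), (gb, ga)):
        if "dynamic" in static and static["dynamic"] != other.get("local-id"):
            problems.append(f"peer-id {static['dynamic']} != local-id {other.get('local-id')}")
    p1a, p1b = a["p1"][ga["proposal"]], b["p1"][gb["proposal"]]
    if p1a != p1b:
        problems.append(f"Phase 1 proposals differ: {p1a} vs {p1b}")
    va, vb = a["vpn"], b["vpn"]
    p2a, p2b = a["p2"][va["proposal"]], b["p2"][vb["proposal"]]
    if p2a != p2b:
        problems.append(f"Phase 2 proposals differ: {p2a} vs {p2b}")
    # Proxy-ids (encryption domain) must be mirror images: my local-ip is your remote-ip.
    if (va["local"], va["remote"], va["service"]) != (vb["remote"], vb["local"], vb["service"]):
        problems.append("proxy-ids are not mirrored")
    return problems


def sa_status(get_sa_output, cipher, auth):
    """Parse 'get sa': per direction (< inbound, > outbound) report state, algorithms and lifetime."""
    status = {}
    for line in get_sa_output.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue  # header and summary lines
        _, direction, enc, hsh, spi, seconds, sta = m.groups()
        status[direction] = {
            "spi": spi,
            "active": sta.startswith("A"),  # Sta column: A = active, I = inactive
            "algorithms_ok": ENC_NAMES.get(enc) == cipher and AUTH_NAMES.get(hsh) == auth,
            "seconds_left": None if seconds == "unlim" else int(seconds),
        }
    return status


if __name__ == "__main__":
    for problem in check_pair(WARSAW_CFG, KATOWICE_CFG) or ["both ends agree"]:
        print(problem)
    for direction, info in sa_status(GET_SA, "aes256", "sha-1").items():
        print(direction, info)
```

Run it against the real "get config" output of both boxes (with the same redactions if you paste it anywhere) and it points at the usual Phase 1/Phase 2 failure causes before you start reading debug ike output; the sa_status check is what a monitoring job would poll so that a tunnel that fell to state I, or came up with a weaker proposal than intended, is noticed.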



dzbanek 2013-01-22