Skip to main content

How to configure Juniper/Netscreen Policy Based Site to Site VPN

This is a simple guide on how to create a policy based Site to Site VPN or other security administrator prefer to use LAN to LAN VPN setup.

I used these steps for many years, and it still work with new devices.

  1. Create Network Group e.g. 192.168.10/24
  2. Create VPN Gateway, preferably to use Auto-IKE setup to minimize error.
  3. Create Site to Site Policy, make sure to place the policy in the beginning.
  4. Testing, ping internal network both sites.
To simplify the process, I named the first Office SiteA and the remote Office SiteB with the following network.

SiteA Network Information:
Untrust IP Assigned Gateway:
Trust Network: 192.168.10/24
VPN using Auto-Key with pre-shared KING.NET (example)

SiteB Network Information:
Untrust IP Assigned Gateway:
Trust Network: 192.168.20/24
VPN using Auto-Key with pre-shared KING.NET (example)

The procedure is based on Juniper Netscreen SSG 350 Firmware Version 6.2.x but this will be the same to configure your SSG 104, SSG 5 and other Firewall/VPN devices.

For Site A: 
Login to your firewall management console.
  • Step1. Create your trust and untrust network.
  • Click Policy, Policy Element, Addresses, and List
  • In List, click New to add your Trust Network e.g. 192.168.10/24 name it as SiteA_Network and UnTrust Network e.g. 192.168.20/24 name it as SiteB_Network
  • Step 2. Create your VPN Gateway
  • Click VPN, AutoKey IKE
  • In AutoKey IKE, click New
  • Create the VPN Name e.g. VPN_SiteA_SiteB
  • The Static IP Address, this is the public IP assigned by your Internet Service Provider
  • Select the VPN level for Phase1 and Phase2. The other network MUST use the same Phase1 and Phase2.
  • Click VPN monitor
  • Enter the pre-shared key e.g. KING.NET as example
  • Click OK.
  • Step 3. This is where you add the VPN policies.
  • Click Policy, Policies
  • Select from Trust to Untrust Zone, and click New
  • Source Address: Select SiteA_Network
  • Destination Address: Select SiteB_Network
  • Service: Any
  • Action: Tunnel
  • Tunnel: VPN_SiteA_SiteB
  • Check Modify matching bidirectional VPN policy
  • Position at Top: Enabled
  • Click OK
  • Step 4. Testing your policy.  After adding the policy to another network, you should see each other network.
  • From SiteA Network, using a workstation ping, where xxx is any IP address in SiteB_Network.
  • From SiteB_Network, ping in SiteA_Network
  • End of SiteA_Network configuration.
The SiteA_Network configuration is completed, now repeat the procedure for the SiteB_Network.

If you need assistance, please don't hesitate to let me know. You may post your questions here. If you need detailed information, please visit Juniper website or use the following references:


Popular posts from this blog

Alternative Social Networks

If you are planning to create your social network e.g. similar to Facebook. Here's a short list of alternative software's:

Open Source and Free​ - Wordpress (Open Source and Free) - (Open Source and Free)Commercial Social Networks software ($299 Stand Alone, $29/mo Cloud) (run with Joomla, need to know CMS) (very expensive, $399 for Standard) (from free to Commercial, I left my networks and they are selling it (I used this before, it's hard to maintain. I moved to NING but left too after it was sold to another company) (I don't recommend using this service, it's hard to export your data when it's time to move)Something to check when selecting your next soc…

Frequent Account Lockout in Active Directory

I have a user in Windows Pro 7, and Windows Server 2003 environment that is frequently account locked out. I tried many different scenarios to resolve this account lockout issue, from resetting his password, changing a new password, remove and re-join the domain, rebooting the workstation and active directory servers.

I tried to use the command prompt utility to run "rundll32.exe keymgrdll, KRShowKeyMgr" (case sensitive) to delete the account in Windows 7 password cache, and still no luck.

Still searching for answer ... Let me know if you encounter a similar issue in Windows Pro 7 and Windows Server 2003.

Continue reading updated post here:

Example of Out of Office Reply for Terminated Employee

This is a sample message that I used for terminated employees, unless HR staff specified a different message.
=== Example for KING.NET Employee === John Doe (employee or consultant) is no longer with KING.NET effective June 1, 2008 (termination date). For matters relating to "Project Name here" please direct your concerns to John Smith at (Manager or Supervisor). For all other matters, please direct your email to Mary Smith HR at
Please call our main office 703-345-6789 if you have other concerns.
Thank you.
=== end of message ===