How to configure Juniper/Netscreen Policy Based Site to Site VPN

This is a simple guide on how to create a policy based Site to Site VPN or other security administrator prefer to use LAN to LAN VPN setup.

I used these steps for many years, and it still work with new devices.

1. Create Network Group e.g. 192.168.10/24
2. Create VPN Gateway, preferably to use Auto-IKE setup to minimize error.
3. Create Site to Site Policy, make sure to place the policy in the beginning.
4. Testing, ping internal network both sites.

To simplify the process, I named the first Office SiteA and the remote Office SiteB with the following network.

SiteA Network Information:
Untrust IP Assigned Gateway: 1.1.1.1
Trust Network: 192.168.10/24
VPN using Auto-Key with pre-shared KING.NET (example)

SiteB Network Information:
Untrust IP Assigned Gateway: 2.2.2.2

Trust Network: 192.168.20/24

VPN using Auto-Key with pre-shared KING.NET (example)

The procedure is based on Juniper Netscreen SSG 350 Firmware Version 6.2.x but this will be the same to configure your SSG 104, SSG 5 and other Firewall/VPN devices.

For Site A: 

Login to your firewall management console.

• Step1. Create your trust and untrust network.
• Click Policy, Policy Element, Addresses, and List
• In List, click New to add your Trust Network e.g. 192.168.10/24 name it as SiteA_Network and UnTrust Network e.g. 192.168.20/24 name it as SiteB_Network
• Step 2. Create your VPN Gateway
• Click VPN, AutoKey IKE
• In AutoKey IKE, click New
• Create the VPN Name e.g. VPN_SiteA_SiteB
• The Static IP Address, 2.2.2.2 this is the public IP assigned by your Internet Service Provider
• Select the VPN level for Phase1 and Phase2. The other network MUST use the same Phase1 and Phase2.
• Click VPN monitor
• Enter the pre-shared key e.g. KING.NET as example
• Click OK.
• Step 3. This is where you add the VPN policies.
• Click Policy, Policies
• Select from Trust to Untrust Zone, and click New
• Source Address: Select SiteA_Network
• Destination Address: Select SiteB_Network
• Service: Any
• Action: Tunnel
• Tunnel: VPN_SiteA_SiteB
• Check Modify matching bidirectional VPN policy
• Position at Top: Enabled
• Click OK
• Step 4. Testing your policy.  After adding the policy to another network, you should see each other network.
• From SiteA Network, using a workstation ping 192.168.20.xxx, where xxx is any IP address in SiteB_Network.
• From SiteB_Network, ping 192.168.20.xxx in SiteA_Network
• End of SiteA_Network configuration.

The SiteA_Network configuration is completed, now repeat the procedure for the SiteB_Network.

If you need assistance, please don't hesitate to let me know. You may post your questions here. If you need detailed information, please visit Juniper website or use the following references:

• http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm
• http://kb.juniper.net/KB15074
• http://kb.juniper.net/KB14330