I purchased my parents a new router/modem/wireless device the other day. It is a Netgear DG834G, great value for money.
Anyway, the Netgear supports VPN termination, so I decided to set up a VPN between their house and mine. This allows me to run VoIP over the VPN without needing to worry about port forwarding (which is a real pain with SIP).
So the technical background:
My place:
1) Static IP address (59.167.253.89)
2) Juniper Netscreen 5GT running ScreenOS 5.3.0r2
3) 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
4) Router on address 10.0.0.254
Parents place:
1) Dynamic IP address
2) Netgear DG834G running firmware V3.01.25 (Has also been tested to work with a DG834 with firmware V2.10.22)
3) 10.0.4.0/24 (10.0.4.0 - 10.0.4.254)
4) Router on address 10.0.4.254
Now the Netgear has some limitations with the VPN. The main issue is that it only supports "Main Mode" authentication. Main Mode is designed for site-to-site VPNs where both ends have static IP addresses. My parents don't have a static IP address.
To get around this, the Netscreen allows you to point the remote endpoint (in this case the Netgear) at a hostname. So for the Netgear site you need to set up a dyndns.org account. For this example we will call it example.dyndns.org.
See below:

So let's set up the Netscreen site first.
1) Set up address objects that point to each site, under Objects > Addresses > List. In my case:
10.0.0.0/22 TRUST (local)
10.0.4.0/25 UNTRUST (remote)

2) Now to set up the VPN Gateway on the Netscreen. Under VPNs > AutoKey Advanced > Gateway.
Add a new connection like below:

Select your preshared key here too. 
Now select Advanced (note you could use 3DES, but in this case I just use DES):

3) Now you need to set up Phase 2. Under VPNs > AutoKey IKE.


Then select advanced:

4) Now we need to create a policy that allows traffic to flow in both directions. This is called a bidirectional VPN policy.
In Policies, under Trust to Untrust, create this policy:

5) Now it's time to set up the Netgear. Create an auto VPN account:

Note the preshared key must be the same for each device.

That should be all you need to do. You can monitor the connection on both sides through the log files. The netscreen outputs a more detailed log so it is best to read this.
If the connection doesn't work it is best to troubleshoot the VPN from a console connection to the netscreen.
To start the debugging process type:
To finish the debugging type:
Thanks for posting this, I used this as a baseline to connect a Netgear FVS318 to a NetScreen NS5XP. I noticed that with this setup, I can connect to my remote lan machines, but I cannot ping or access any web based management tools I have there...did you have this problem?
Hi Steve,
I haven't had this problem with my Netgear. Although when I set up a Netcomm NB5580W I was unable to access its web admin page (or ping the device) through the VPN, everything behind it worked fine. This seems to be a bug within the Netcomm firmware (which I think has been fixed, but I haven't tried the newer firmware).
When you say you cannot access any web based tools, do you mean on the remote vpn device or the computers behind the remote device?
For any computer on the lan which you wish to access you must have the gateway on them pointing to the vpn device.
Just out of curiosity, have you guys tried using 3DES on the NB5580W by any chance? I just tested it and even when I select 3DES, it seems to always try and negotiate DES, which in my case I am NOT allowing.
I'm wondering if the Netgear 3DES is broken?
I haven't tried 3DES, although I can have a look into it. Which device are you more interested in, the netgear or the netcomm?
How can I force all traffic from the Netgear site to go through the VPN tunnel?
You could try setting the subnet to 0.0.0.0/0
Am trying something very similar between mine and my parents. Both are using DG834G routers and using dyndns.org for FQDNs. I can activate the VPN tunnel no problem but I'm damned if I can connect to a remote node on the remote LAN or PING one. I don't even seem to be able to use the PING diagnostics tool in the router GUI to ping the remote router. 100% packet loss. Any ideas anyone?
What subnets are you using on each end?
Hi,
I'm considering doing the same thing but, like you say, I need to be able to point the VPN at a host name (I have seen the DNS link you put up, very handy). Do you know of a router apart from the Juniper, for about £40 or $80, that would allow this in the configuration?
thanks in advance
vinny
Yeah the netgear in this post should be fine. The non wireless version should be in your price range, about $AU80 I think.
Hi Michael,
Thanks for your reply. Didn't you mention above that the Netgear only uses "main mode" and that if I only have a dynamic IP address then I need a router that can point at a hostname, which I think you said the Netscreen enabled you to do? I have one router, which is the Netgear DG834 wireless, and need to get another. Do I need another router that can allow me to point to a hostname?
thanks again
Vinny (UK)
Yes, although it seems that you can point it to a host name.
See this screen shot.
I haven't tried it myself, but it should work.
Thanks for this walkthrough, it was really helpful, I was able to setup my site to site VPN between a Juniper SSG5 and a Netgear FVS318v3.
One setting not mentioned in this walkthrough that ended up breaking my Phase 2 negotiation was the "Proxy ID", which is specified in VPNs --> Autokey IKE --> Edit Your VPN Tunnel --> Advanced --> Enable Proxy-ID. For Local IP/Netmask and Remote IP/Netmask I had to set this to be the reverse (obviously) of the LOCAL LAN & REMOTE LAN settings on the Netgear firewall.
I was also able to bump up the encryption to AES128/SHA-1 without any problems.
Thanks Much!
Interesting. I didn't need to manually set the proxy-id. The Netscreen normally works this out based on your policies.
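As an added example (not code from the post, Juniper or Netgear), here is a small Python check for the Phase 2 proxy-ID mirroring that the Proxy-ID comment above and the address objects and policy in the walkthrough both depend on: the Netscreen's local/remote selectors, derived from its tunnel policy, must equal the Netgear's Remote/Local LAN settings exactly. The function names are assumptions and the sample inputs are constructed using the post's subnets.

```python
# Added example, not code from the post or from Juniper/Netgear.
# Checks that the Phase 2 proxy-IDs (traffic selectors) on a NetScreen and a
# Netgear mirror each other exactly, which IKE Phase 2 negotiation requires.
# Function names are assumptions; sample inputs are constructed from the post.
import ipaddress

def selector(cidr):
    """Normalise a CIDR string to a network; strict=False masks off host bits."""
    return ipaddress.ip_network(cidr, strict=False)

def netscreen_proxy_id(policy_src, policy_dst):
    """The NetScreen derives its proxy-ID from the tunnel policy: local is the
    policy source address object, remote is the destination address object."""
    return selector(policy_src), selector(policy_dst)

def netgear_proxy_id(local_lan, remote_lan):
    """The Netgear uses its Local LAN / Remote LAN settings directly."""
    return selector(local_lan), selector(remote_lan)

def check_mirror(netscreen, netgear):
    """Return a list of mismatches; an empty list means the selectors agree.
    Each side's local selector must equal the other side's remote selector;
    overlapping or nested subnets are reported because they are not a match."""
    ns_local, ns_remote = netscreen
    ng_local, ng_remote = netgear
    problems = []
    for label, a, b in (("NetScreen local vs Netgear remote", ns_local, ng_remote),
                        ("NetScreen remote vs Netgear local", ns_remote, ng_local)):
        if a != b:
            hint = " (overlap but are not identical)" if a.overlaps(b) else ""
            problems.append(f"{label}: {a} != {b}{hint}")
    return problems

def diagnose(policy_src, policy_dst, ng_local, ng_remote):
    """Convenience wrapper taking the four CIDRs as typed into each web UI."""
    return check_mirror(netscreen_proxy_id(policy_src, policy_dst),
                        netgear_proxy_id(ng_local, ng_remote))

if __name__ == "__main__":
    # Constructed: the post's subnets, mirrored correctly -> no problems
    print(diagnose("10.0.0.0/22", "10.0.4.0/24", "10.0.4.0/24", "10.0.0.0/22"))
    # Constructed: remote mask typed as /25 on the NetScreen side -> mismatch
    print(diagnose("10.0.0.0/22", "10.0.4.0/25", "10.0.4.0/24", "10.0.0.0/22"))
    # Constructed: Netgear set to send all traffic (0.0.0.0/0) while the
    # NetScreen policy still lists only its own LAN -> mismatch
    print(diagnose("10.0.0.0/22", "10.0.4.0/24", "10.0.4.0/24", "0.0.0.0/0"))
```

Run the same check against the Netscreen's `get vpn` / Netgear policy page values before turning on IKE debugging; a reported mismatch is the usual cause of a Phase 1 that completes while Phase 2 never comes up.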
Hi,
Anyone know the reason why I can't ping the firewall of one lan from the other?
I'm using NS-5 and Netgear dg834G.
Thanks.
Can you guide me in setting up the DDNS
The settings are under:
Network -> DNS -> DDNS (you need to enable Config DDNS Client, Enable DDNS Client)
The help page can be found here (for ScreenOS 6):
http://help.juniper.net/help/english/6.0.0/nt_ddns_entry_edit_cnt.htm
If you don't want to use dyndns you need to set it up via the command line, more info here:
http://www.juniperforum.com/index.php/topic,4132.0.html
At the place I used to work, we used the DG834 for nearly all small clients. Quite reliable (unlike some earlier models) and it supports some nice features for a cheap consumer-grade all-in-one box.