Netscreen – AC-VPN


Auto-connect VPN works with a hub and spoke setup. Once static VPNs have been configured between all the spokes and the hubs, AC-VPN and NHRP (Next Hop Routing Protocol) is configured on each spoke and the hub.
When traffic is initiated between 2 spokes the traffic is passed via the hub while a dynamic tunnel is established between the 2 spokes. Once this tunnel is established the traffic is passed between the 2 spokes and the previous tunnel terminated.


The Hub in the hub and spoke network is classed as the “Next Hop Server” (NHS) and the spoke is referred to as the “Next Hop Client”. Messages are then exchanged between the client and the server using NBMA (Non Broadcast Multi Access) messages. By default there are 7 types of NBMA messages along with 2 more that are added by the Netscreen. These are :

  • Registration Request – Once a static VPN becomes active between the NHC and the NHS this message is sent containing Client information (such as routing, subnet masks etc)
  • Registration Reply – The NHS can ACK or NAK (not Acknowledged) a registration request.
  • Resolution Request, Resolution Reply – Added by Screen OS these messages ensure that the client cache of the NHS is update to date.
  • Purge Request, Purge Reply – This allows the NHC cache of the NHS to be purged in the event of a NHC being shutdown.
  • Error Indication – Logs a NHRP error conditions

To support AC-VPN Screen OS adds the following message pair :-
Resolution-set, Resolution-ack – When a static tunnel is established all the information required for each spoke to set up a tunnel between themselves is sent.

AC-VPN Restrictions

  • All VPN tunnels configured toward the hub must be route based.
  • Automatic key management in phase 1 must be in aggressive mode.
  • The authentication method must be self-signed certificate and generic PKI.
  • All spokes must be connected to a single zone on the hub.
  • Configuring NHRP in multiple instances of virtual routers is supported only on the NHS.

General Steps

Configuration on the Hub

  1. Create a static gateway and VPN.
  2. Create static tunnels to the spokes and bind the VPNs to the tunnels.
  3. Create an AC-VPN gateway profile.
  4. Create an AC-VPN VPN profile.
  5. Enable NHRP on the virtual router.
  6. Select the ACVPN-Profile for NHRP.
  7. Enable NHRP on the tunnel interface.
  8. Configure routing.

Configuration on Each Spoke

  1. The hub includes the following:
  2. Create a static tunnel to the hub.
  3. Create a gateway.
  4. Create a VPN gateway.
  5. Create an ACVPN-Dynamic gateway.
  6. Create ACVPN-Dynamic VPN
  7. Enable NHRP on the virtual router
  8. Configure the NHS IP address
  9. Configure the local cache.
  10. Enable NHRP on the tunnel interface.
  11. Configure routing.
Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial