Netscreen – Basic Remote Access (Dial up) VPN

This guide shows how to create a basic Remote Access VPN using pre-shared keys.

It presumes that you already have the Netscreen Remote VPN Client installed on your local machine. The guide was created using the following software versions:

  • ScreenOS – 6.2.0r1.0
  • Netscreen Remote VPN Client – 10.8.3 (Build 6)

Below is an outline of the required steps:

  1. Create User
  2. Create Group
  3. Create Phase 1 Proposals
  4. Create Phase 2 Proposals
  5. Create Policy
  6. Configure your Netscreen Remote VPN Client

This example allows us to connect to the subnet 192.168.1.0/24 (Trust interface). Our client connects to the Netscreen on the Untrust interface using the IP address 1.1.1.1.

Create User

  1. Go to “Objects > Users > Local” and click New
  2. Create a new user with the following details.

                Username: User1
                Status: Enable
                Click IKE User
                Number of Multiple Logins: 1
                Click Simple Identity
                IKE Identity:

  3. Click OK

Create Group

  1. Go to “Objects | User Groups | Local”
  2. Create a new usergroup and add your newly created user.

Create Phase 1 Proposals

  1. Go to “VPNs | AutoKey | Advanced | Gateways | New”
  2. Add your “Gateway Name”
  3. Select “Remote Gateway | Dialup User Group” and choose your group from the drop down menu.
  4. Click Advanced
  5. Add your “Preshared Key”
  6. Add your Outgoing Interface (this is the interface on which you connect to your Netscreen, so normally this will be Untrust)
  7. Select “Security Level | User Defined | Custom” and choose “pre-g1-des-md5”
  8. Select “Mode | Aggressive”
  9. Click Return
  10. Click OK

Create Phase 2 Proposals

  1. Click “VPNs | AutoKey IKE | New”
  2. Add your VPN Name
  3. Select “Remote Gateway | Predefined” and choose your previously created gateway from the drop down.
  4. Select Advanced
  5. Select “Security Level | User Defined | Custom” and select “g2-esp-3des-md5” from the drop down menu.
  6. Select Return
  7. Select OK

Create Policy

  1. Select “Policy | Policies”
  2. Select “From Untrust to Trust”
  3. Select “Dial-Up VPN” for the source address
  4. Add a new address of “192.168.1.0/24” for the destination address.
  5. Select “Action : Tunnel”
  6. Select your Dialup VPN created previously for the Tunnel.
  7. Select “Position at Top”
  8. Click “OK”

Configure your Netscreen Remote VPN Client

  1. Launch NetScreen-Remote Security Policy Editor
  2. Right Click “My Connections” and Select Add
  3. Name your new connection
  4. Add the following to the various sections,

Remote Party Identity and Addressing

  • ID Type: IP Subnet
  • Subnet: 192.168.1.0
  • Netmask: 255.255.255.0
  • Click Connect using Secure Gateway Tunnel
  • ID Type: IP Address: 1.1.1.1

My Identity

  • Select Certificate: None
  • ID Type: Email address:
  • Click Pre-Shared Key and Enter Key (in this case it's netscreen)
  • Enter the Pre-shared key netscreen

Security Policy

  • Select Phase 1 Negotiation Mode: Aggressive
  • Select Enable Perfect Forward Secrecy (PFS)
  • PFS Key Group: Diffie-Hellman Group 2
  • De-select “Enable Replay Detection”

Authentication (Phase 1)

  • Select Proposal 1
  • Encryption Alg: Triple DES
  • Hash Alg: MD5
  • SA Life: Unspecified
  • Key Group: Diffie-Hellman Group 2

Key Exchange (Phase 2)

  • Select Proposal 1
  • Encrypt Alg. Triple DES
  • Hash Alg. MD5
  • Encapsulation: Tunnel

Click Save
Right click the Netscreen Icon and choose connect.
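
The tunnel only comes up when the client offers what the gateway proposals expect, so the following added example (not part of the original guide) parses the two proposal names used above and compares them with the client's Phase 1 and Phase 2 settings. The name layout is inferred from those two names, and the WEAK table and all function names are this example's own assumptions.

```python
# Added example: checks that gateway proposals and client settings agree.
# Proposal-name layout is inferred from the two names used in this guide.
WEAK = {"enc": {"des"}, "hash": {"md5"}, "dh": {1, 2}}  # treated as weak here
CLIENT_LABELS = {"triple des": "3des", "des": "des", "md5": "md5"}


def _group(token):
    """'g2' -> 2, 'nopfs' -> None."""
    if token == "nopfs":
        return None
    if not (token.startswith("g") and token[1:].isdigit()):
        raise ValueError(f"bad DH group token: {token!r}")
    return int(token[1:])


def parse_proposal(name):
    """Parse 'pre-g1-des-md5' (Phase 1) or 'g2-esp-3des-md5' (Phase 2)."""
    parts = name.lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"unrecognised proposal name: {name!r}")
    if parts[1] in ("esp", "ah"):  # Phase 2: group-protocol-enc-hash
        return {"phase": 2, "dh": _group(parts[0]), "enc": parts[2], "hash": parts[3]}
    # Phase 1: auth-group-enc-hash
    return {"phase": 1, "dh": _group(parts[1]), "enc": parts[2], "hash": parts[3]}


def client_settings(enc_label, hash_label, group_label):
    """Normalise the client GUI labels, e.g. 'Diffie-Hellman Group 2'."""
    return {"dh": int(group_label.split()[-1]),
            "enc": CLIENT_LABELS[enc_label.lower()],
            "hash": CLIENT_LABELS[hash_label.lower()]}


def mismatches(gateway, client):
    """Names of parameters on which the two ends disagree."""
    return [k for k in ("dh", "enc", "hash") if gateway[k] != client[k]]


def weak_settings(params):
    """Parameters whose value is in the WEAK table."""
    return [f"{k}={params[k]}" for k in ("dh", "enc", "hash") if params[k] in WEAK[k]]


if __name__ == "__main__":
    client = client_settings("Triple DES", "MD5", "Diffie-Hellman Group 2")
    for name in ("pre-g1-des-md5", "g2-esp-3des-md5"):  # values from this guide
        gw = parse_proposal(name)
        print(name, "mismatch:", mismatches(gw, client), "weak:", weak_settings(gw))
```

Run against the values in this guide, the Phase 1 comparison reports a difference in DH group and encryption between the gateway proposal and the client's Authentication (Phase 1) settings, while Phase 2 agrees.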

Rick Donato
