Netscreen – Create a Policy based VPN

This guide will show you how to create a policy based VPN on a Netscreen firewall.

The encryption domain will be,

Local Gateway :
Local Endpoint : /24
Remote Gateway :
Remote Endpoint : /24

1. Log into the Netscreens GUI
2. Click VPNs > Autokey IKE (Autokey IKE Screen is Below)

3. Enter VPN Name
4. Select ‘Create a Simple Gateway’
5. Enter the Gateway Name (This will be the remote peer)
6. Enter the IP address of the Gateway
7. Enter Pre-shared Key
8. Select Outgoing Interface
9. Select ‘Advanced’ (Advanced Autokey IKE screen is below)

Netscreen firewall - Security Level

10. Select ‘Replay Protection’
11. Tick Proxy-ID and enter your encryption domain details. * This is not required as the proxy id`s are created from the policy addresses.
12. Click ‘Return’
13. Click ‘OK’

Create a Policy

15. Goto Policy > Policies
16. Select ‘From Trust To Untrust’
17. Select ‘New’

Netscreen firewall - Create a Policy

18. Enter Source (local Endpoint)
19. Enter Destination (remote Endpoint)
20. Under Action select Tunnel
21. Under Tunnel select the Tunnel you just created
22. Tick ‘Modify matching bidirectional VPN policy’
23. Tick ‘Position at Top’


Heres a few commands that you can use in the event of any issues. The top 2 commands are (in my opinion) the most useful,

  • get event include vpn
  • get ike ?
  • get config | i ike
  • get config | i vpn
  • get vpn

If you find the following error message in the logs,

The peer sent a proxy ID that did not match the one in the SA exists for the proxy ID received:
local ID (, 0,0) remote ID (, 0, 0).

This normally indicates that there is an issue with the encryption domains matching on both ends. Using this log as an example, you can see that it has the remote gateways IP address rather then the endpoint IP. So this would point to an issue with NAT at the remote end or that the encryption domains being entered incorrectly.

Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial