Netscreen - Create a Policy based VPN
This guide will show you how to create a policy based VPN on a Netscreen firewall.
The encryption domain will be,
Local Gateway : 220.127.116.11
Local Endpoint : 10.1.1.0 /24
Remote Gateway : 18.104.22.168
Remote Endpoint : 22.214.171.124 /24
1. Log into the Netscreens GUI
2. Click VPNs > Autokey IKE (Autokey IKE Screen is Below)
3. Enter VPN Name
4. Select 'Create a Simple Gateway'
5. Enter the Gateway Name (This will be the remote peer)
6. Enter the IP address of the Gateway
7. Enter Pre-shared Key
8. Select Outgoing Interface
9. Select 'Advanced' (Advanced Autokey IKE screen is below)
10. Select 'Replay Protection'
11. Tick Proxy-ID and enter your encryption domain details. * This is not required as the proxy id`s are created from the policy addresses.
12. Click 'Return'
13. Click 'OK'
Create a Policy
15. Goto Policy > Policies
16. Select 'From Trust To Untrust'
17. Select 'New'
18. Enter Source (local Endpoint)
19. Enter Destination (remote Endpoint)
20. Under Action select Tunnel
21. Under Tunnel select the Tunnel you just created
22. Tick 'Modify matching bidirectional VPN policy'
23. Tick 'Position at Top'
Heres a few commands that you can use in the event of any issues. The top 2 commands are (in my opinion) the most useful,
- get event include vpn
- get ike ?
- get config | i ike
- get config | i vpn
- get vpn
If you find the following error message in the logs,
The peer sent a proxy ID that did not match the one in the SA exists for the proxy ID received:
local ID (10.1.1.0/255.255.255.0, 0,0) remote ID (126.96.36.199/255.255.255.255, 0, 0).
This normally indicates that there is an issue with the encryption domains matching on both ends. Using this log as an example, you can see that it has the remote gateways IP address rather then the endpoint IP. So this would point to an issue with NAT at the remote end or that the encryption domains being entered incorrectly.