Netscreen - Creating a route based VPN.

The following shows how to create a route-based VPN on a Netscreen firewall using the firewall's GUI (WebUI).
This tutorial was created using ScreenOS version 6.2.0r1.0.
The encryption domain for this guide is:

  • Local Gateway :
  • Local Endpoint :
  • Remote Gateway :
  • Remote Endpoint :

Create Tunnel Interface

  1. Go into "Network | Interfaces"
  2. Select "Tunnel IF" from the drop down and click New
  3. Enter the tunnel interface name (the number after "tunnel.", e.g. tunnel.1).
  4. Select the Zone. This is the zone the tunnel interface belongs to (the outgoing zone; Untrust in this guide) and determines the corresponding Virtual Router.
  5. Select Unnumbered and choose the interface whose IP address the tunnel interface will borrow. This is your local interface, on which the unencrypted traffic arrives.

Add the Gateway (Phase 1)

  1. Go to "VPNs | AutoKey Advanced | Gateway" and select New.
  2. Enter the "Gateway Name".
  3. Select "Static IP Address" and enter the remote gateway's IP.

  1. Select "Advanced".
  2. Enter your "Preshared Key". Use a long, random key; it is the only thing authenticating the peer.
  3. Select your "Outgoing Interface". This will normally be your Untrust interface.
  4. Select "User Defined | Custom" and select your Phase 1 proposal. Prefer an AES/SHA proposal (e.g. pre-g2-aes128-sha) over the DES/MD5 ones.
  5. Select "Return".
  6. Select "OK".

Configure Phase 2

  1. Click "VPNs | AutoKey IKE | New".
  2. Enter your "VPN Name".
  3. Select the gateway you created above.

  1. Click "Advanced".
  2. Select "User Defined | Custom".
  3. Select your Phase 2 proposal (again prefer an AES/SHA proposal, ideally with PFS, e.g. g2-esp-aes128-sha).
  4. Select Bind to "Tunnel Interface" and choose the tunnel interface you created earlier.
  5. Select "Proxy-ID" and enter your Local and Remote networks (the encryption domain above). These must mirror what the remote peer configures, or Phase 2 will fail.
  6. Select "Return".
  7. Select "OK".

Add Policy

  1. Create a new policy from Trust to Untrust (Untrust being the zone the tunnel interface was placed in).
  2. Add your source and destination addresses (the local and remote endpoints, not Any/Any) and select "Position at Top".
  3. Set the Action to "Permit".
  4. Click "OK".
  5. Create another policy, from Untrust to Trust, for traffic in the other direction, with the source and destination addresses swapped.

Add a route

  1. Create a route within the required Virtual Router (the default is trust-vr) for the remote endpoint network.
  2. Select "Gateway" as the next hop type.
  3. Then select your tunnel interface from the Interface drop-down; the gateway IP can be left as 0.0.0.0, since the route only needs to point into the tunnel interface.
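The same configuration entered from the ScreenOS CLI, as an added example that is not part of the original page. The values are assumptions chosen to fill in the blank encryption domain above: 192.168.1.0/24 behind ethernet0/0 (Trust) is the local endpoint, 10.0.0.0/24 is the remote endpoint, 203.0.113.2 is the remote gateway, ethernet0/1 is the Untrust outgoing interface, and the object names and pre-shared key are placeholders.

```screenos
# Tunnel interface in the Untrust zone, borrowing its IP from the Trust interface (assumed names)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Phase 1: static-IP peer, main mode, pre-shared key, predefined AES-128/SHA-1/DH group 2 proposal
set ike gateway "gw-remote" address 203.0.113.2 Main outgoing-interface ethernet0/1 preshare "ExampleKey-ChangeMe" proposal "pre-g2-aes128-sha"

# Phase 2: ESP AES-128/SHA-1 with PFS (DH group 2), anti-replay on, bound to tunnel.1,
# proxy-ID set to the encryption domain (must mirror the peer's configuration)
set vpn "vpn-remote" gateway "gw-remote" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "vpn-remote" bind interface tunnel.1
set vpn "vpn-remote" proxy-id local-ip 192.168.1.0/24 remote-ip 10.0.0.0/24 "ANY"

# Address objects and the two policies, scoped to the encryption domain rather than Any/Any
set address trust "local-lan" 192.168.1.0 255.255.255.0
set address untrust "remote-lan" 10.0.0.0 255.255.255.0
set policy top from trust to untrust "local-lan" "remote-lan" "ANY" permit
set policy top from untrust to trust "remote-lan" "local-lan" "ANY" permit

# Route the remote endpoint into the tunnel interface (applies to the default trust-vr)
set route 10.0.0.0/24 interface tunnel.1
```

The ScreenOS CLI has no comment syntax, so paste only the set lines. After committing (save), check the result with get ike gateway, get sa (an "A" in the Sts column means the SA is active; "I" means inactive), get route (the 10.0.0.0/24 entry should point at tunnel.1) and get policy. If get sa shows no Phase 2 SA, the proxy-ID or proposal mismatch with the peer is the usual cause.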

Tags: VPN, Netscreen