ScreenOS Firewalls (NOT SRX)
New User
jkirk
Posts: 1
Registered: ‎08-26-2009

Using a NetScreen / SSG as a dial-up IPSec client

Hello,

I have set up office-to-office IPSec VPN tunnels between NetScreen / SSG appliances many times where both devices had static public IP addresses. I need help, however, on how to set up a similar scenario where one of the devices has a static IP address. I think this involves the appliance with the DHCP address being configured as a dial-up client, and the other must be set up differently. I know that, in this scenario, the appliance with the DHCP address must initiate traffic for the tunnel to be created, and not vice versa.

Is there any good literature on how to set this up?

Any help is appreciated!

Thanks,
John Kirkland

Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008

Re: Using a NetScreen / SSG as a dial-up IPSec client

It is possible.

Please follow the following link, which explains in detail how you can set it up:

http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v5.pdf for the description on page 139 and the example config and diagram on page 142

Thanks

Atif

Distinguished Expert
spuluka
Posts: 2,554
Registered: ‎03-30-2009

Re: Using a NetScreen / SSG as a dial-up IPSec client

I have the same situation with some small offices and home offices in our network. For these sites where we don't have a static address, I use the DynDNS service to create an ad-hoc DNS entry for the site. You then reference the DNS entry for the tunnels just as if it were a static address site. As long as you have DNS set up on the SSG, it will resolve the name and bring up the tunnel.

Create an account with dyndns.org (they have small free ones but only charge $15 per year for a no-expiration account).

Pick your host name and domain.

On the SSG, configure registration of your DHCP address under Network--DNS--DDNS.

After this, the whole setup works just like a static-to-static site configuration.


Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home