ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
jkirk
New User
jkirk
Posts: 1
Registered: ‎08-26-2009
0

Using a NetScreen / SSG as a dial-up IPSec client

Options

‎08-26-2009 12:10 PM

Hello,

 

I have set up office-to-office IPSec VPN tunnels between NetScreen / SSG appliances many times where both devices had static public IP addresses.  I need help, however, on how to set up a similar scenario where one of the devices has a static IP address.  I think this involves the appliance with the DHCP address being configured as a dial-up client, and the other must be set up differently.  I know that, in this scenario, the appliance with the DHCP address must initiate traffic the the tunnel to be created, and not vice versa.

 

Is there any good literature on how to set this up?

 

Any help is appreciated!

 

Thanks,
John Kirkland

Message 1 of 3 (3,481 Views)
 
Reply
Super Contributor
Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008
0

Re: Using a NetScreen / SSG as a dial-up IPSec client

Options

‎08-26-2009 12:56 PM

It is possible .

Please follow the folowing link which explain in detail how you can setup :

http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v5.pdf for description page 139 and example config and diagram on page 142

 

Thanks

Atif

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 2 of 3 (3,477 Views)
 
Reply
Distinguished Expert
Distinguished Expert
spuluka
Posts: 1,612
Registered: ‎03-30-2009
0

Re: Using a NetScreen / SSG as a dial-up IPSec client

Options

‎09-09-2009 05:07 PM

I have the same situation with some small offices and home offices in our network.  For these sites where we don't have a static address I use DynDNS service to create an ad-hoc DNS entry for the site.  You then reference the DNS entry for the tunnels just as if it were a static address site.  As long as you have DNS setup on the SSG it will resolve the name and bring up the tunnel.

 

Create an account with dyndns.org (they have small free ones but only charge $15 per year for a no-expiration account).

Pick your host name and domain

On the SSG configure registration of your DHCP address under Network--DNS--DDNS

 

After this the whole setup works just like a static to static site configuration.

 

 

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Message 3 of 3 (3,382 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.