ScreenOS Firewalls (NOT SRX)
Showing results for 
Search instead for 
Do you mean 
New User
Posts: 1
Registered: ‎08-26-2009
0 Kudos

Using a NetScreen / SSG as a dial-up IPSec client



I have set up office-to-office IPSec VPN tunnels between NetScreen / SSG appliances many times where both devices had static public IP addresses.  I need help, however, on how to set up a similar scenario where one of the devices has a static IP address.  I think this involves the appliance with the DHCP address being configured as a dial-up client, and the other must be set up differently.  I know that, in this scenario, the appliance with the DHCP address must initiate traffic the the tunnel to be created, and not vice versa.


Is there any good literature on how to set this up?


Any help is appreciated!


John Kirkland

Super Contributor
Posts: 287
Registered: ‎10-21-2008
0 Kudos

Re: Using a NetScreen / SSG as a dial-up IPSec client

It is possible .

Please follow the folowing link which explain in detail how you can setup : for description page 139 and example config and diagram on page 142




If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Distinguished Expert
Posts: 4,288
Registered: ‎03-30-2009
0 Kudos

Re: Using a NetScreen / SSG as a dial-up IPSec client

I have the same situation with some small offices and home offices in our network.  For these sites where we don't have a static address I use DynDNS service to create an ad-hoc DNS entry for the site.  You then reference the DNS entry for the tunnels just as if it were a static address site.  As long as you have DNS setup on the SSG it will resolve the name and bring up the tunnel.


Create an account with (they have small free ones but only charge $15 per year for a no-expiration account).

Pick your host name and domain

On the SSG configure registration of your DHCP address under Network--DNS--DDNS


After this the whole setup works just like a static to static site configuration.



Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)