Screen OS

  • 1.  VPN Help !!!!

    Posted 08-25-2013 02:55

    OK, so I have been battling with a little problem. I have a NetScreen SSG5 (6.1.0r4.0) and no Juniper experience. I have managed to bypass the functions of the BT Business Hub and put it into bridge mode, and I am using PPPoE to authenticate the ADSL so the NetScreen gets my single static IP. I have also managed to configure my port forwarding using VIPs and policies to my internal devices, i.e. mail server, CCTV and RDP access to various machines. I do not have any other switch or hub, just the ports on the NetScreen. I have a wireless access point which has VLAN tagging, so I have created some VLAN-type things using sub-interfaces on bgroup0: bgroup0 has bindings to ports 1-6 with IP 192.168.10.1 untagged (DHCP off), a sub-interface bgroup0.1 VLAN tagged 1 with IP 192.168.11.1 (DHCP on), and another sub-interface bgroup0.2 VLAN tagged 200 with IP 172.16.16.1 (DHCP on), all in the Trust zone. I then have my wireless AP connected on port 2 using the untagged IP of 192.168.10.49, with an SSID for corp use on VLAN 1 and an SSID for guest access on VLAN 200. Then in Zones, for the Trust zone, I ticked the box "block intra-zone traffic" so anything connected on the guest SSID can't see anything in the other subnets. I then created an intra-zone policy to allow traffic between the untagged VLAN and VLAN 1 subnets (192.168.10.0 - 192.168.11.0), so now my portable devices can connect to my corp network and see internal resources, and I can have a guest SSID that can't see anything.

    OK, so now you have the background on what I have managed to set up. Here is the part I need help with:

    I have created a VPN using a pre-shared key, no certs or anything fancy. At home I have a DrayTek 2820 with a dynamic external IP address and internal address 10.10.10.1, so I also use a No-IP solution to give myself a hostname that auto-updates.

    So I have created a VPN using a hostname address on the SSG side and the external IP on my DrayTek side. All I set on the VPN side of things was the IKE pre-shared key and the phase 1 and 2 proposals. I then used another policy to tunnel these to my internal network from the external address set up in the address list (entered my home network and labelled it as "home"). Now the VPN is working fine in that respect: from my home network I can ping the internal IPs of the SSG and my server, ping from 10.10.10.49 to 192.168.10.201, 100% success, and vice versa. Now I want to also be able to access the various wireless devices I may have connected to the corp SSID (VLAN 1, subnet 192.168.11.0), so I thought this would be as easy as creating a new VPN policy to route traffic from my external network 10.10.10.0 (or "home" as labelled in the address list) to the other subnet 192.168.11.0, allowing all traffic and putting this through the same tunnel, then on the DrayTek side adding a new route to the VPN to also have 192.168.11.0 in my remote network list. In the routing table, when it connects, it shows as
    192.168.10.0/   255.255.255.0 via 81.149.137.206,    VPN
    192.168.11.0/   255.255.255.0 via 81.149.137.206,    VPN

    But alas, no, I cannot get it to work. I cannot get to the other subnet from home through the VPN. Can anyone shed some light? I can upload configs if needed.

    Would really appreciate it.



  • 2.  RE: VPN Help !!!!

    Posted 08-25-2013 03:13

    Hello,

    If you can share the config, it will be easier to validate.

    Is the second VPN coming up? You can use the following command to see whether the VPN is active:

    get sa

    If the VPN is not coming up, we can look at "get events" for the errors when you are trying to initiate the traffic from behind your home network.



  • 3.  RE: VPN Help !!!!

    Posted 08-25-2013 03:33

    2nd VPN? Hmm, I only made one. Do I need 2 even though it's the same 2 devices that have the first VPN? Sorry, may sound stupid but I am new to all this.

    I have one firewall at site A with 3 subnets and a firewall at the other site. If I create a VPN tunnel between the two sites, would I not be able to see all the subnets through the one VPN, or do I need a separate VPN for each subnet at site A?

    Here is my config:

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "JDMRDP" protocol tcp src-port 0-65535 dst-port 3389-3389
    set service "JDMRDP1" protocol tcp src-port 0-65535 dst-port 3390-3390
    set service "JDMRDP2" protocol tcp src-port 0-65535 dst-port 3391-3391
    set service "CAM1" protocol tcp src-port 0-65535 dst-port 7474-7474
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nAbzGZrzH12FcfVNHsABsALtJ6IRXn"
    set admin port 8181
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" block
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "Null"
    set interface "bgroup0" zone "Trust"
    set interface "bgroup0.1" tag 1 zone "Trust"
    set interface "bgroup0.2" tag 200 zone "Trust"
    set interface bgroup0 port ethernet0/1
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 81.149.137.206/32
    set interface ethernet0/0 route
    set interface bgroup0 ip 192.168.10.1/24
    set interface bgroup0 nat
    set interface bgroup0.1 ip 192.168.11.1/24
    set interface bgroup0.1 nat
    set interface bgroup0.2 ip 172.16.16.1/24
    set interface bgroup0.2 nat
    set interface bgroup0.2 bandwidth egress gbw 1500 mbw 1500 ingress mbw 1500
    set interface bgroup0.1 mtu 1500
    set interface bgroup0.2 mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface bgroup0.1 ip manageable
    set interface bgroup0.2 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage web
    set interface bgroup0 manage mtrace
    unset interface bgroup0.1 manage ssh
    unset interface bgroup0.1 manage telnet
    unset interface bgroup0.1 manage snmp
    unset interface bgroup0.1 manage ssl
    unset interface bgroup0.1 manage web
    unset interface bgroup0.2 manage ssh
    unset interface bgroup0.2 manage telnet
    unset interface bgroup0.2 manage snmp
    unset interface bgroup0.2 manage ssl
    unset interface bgroup0.2 manage web
    set interface ethernet0/0 vip interface-ip 3389 "JDMRDP" 192.168.10.201
    set interface ethernet0/0 vip interface-ip 443 "HTTPS" 192.168.10.201
    set interface ethernet0/0 vip interface-ip 25 "MAIL" 192.168.10.201
    set interface ethernet0/0 vip interface-ip 110 "POP3" 192.168.10.201
    set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.10.201
    set interface ethernet0/0 vip interface-ip 3390 "JDMRDP1" 192.168.10.108 manual
    set interface ethernet0/0 vip interface-ip 3391 "JDMRDP2" 172.16.16.2 manual
    set interface ethernet0/0 vip interface-ip 7474 "CAM1" 192.168.11.49
    set interface bgroup0.1 dhcp server service
    set interface bgroup0.2 dhcp server service
    set interface bgroup0.1 dhcp server enable
    set interface bgroup0.2 dhcp server enable
    set interface bgroup0.1 dhcp server option lease 1440000
    set interface bgroup0.1 dhcp server option gateway 192.168.11.1
    set interface bgroup0.1 dhcp server option dns1 194.72.0.98
    set interface bgroup0.1 dhcp server option dns2 194.74.65.68
    set interface bgroup0.2 dhcp server option lease 1440000
    set interface bgroup0.2 dhcp server option gateway 172.16.16.1
    set interface bgroup0.2 dhcp server option dns1 194.72.0.98
    set interface bgroup0.2 dhcp server option dns2 194.74.65.68
    set interface bgroup0.1 dhcp server ip 192.168.11.2 to 192.168.11.50
    set interface bgroup0.2 dhcp server ip 172.16.16.2 to 172.16.16.50
    unset interface bgroup0.1 dhcp server config next-server-ip
    unset interface bgroup0.2 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set interface bgroup0.2 route-deny
    set flow tcp-mss
    set flow all-tcp-mss 1304
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "192.168.10.0/24" 192.168.10.0 255.255.255.0
    set address "Trust" "192.168.10.1/24" 192.168.10.1 255.255.255.0
    set address "Trust" "192.168.11.0/24" 192.168.11.0 255.255.255.0
    set address "Trust" "192.168.11.1/24" 192.168.11.1 255.255.255.0
    set address "Trust" "jdm" 192.168.10.0 255.255.255.0
    set address "Untrust" "192.168.10.0/24" 192.168.10.0 255.255.255.0
    set address "Untrust" "home" 10.10.10.0 255.255.255.0
    set ike p1-proposal "tets" preshare group1 esp des md5 second 28800
    set ike p2-proposal "test" group2 esp des sha-1 second 3600
    set ike gateway "vpn tunnel" address wolfmaster.no-ip.org Main outgoing-interface "ethernet0/0" preshare "g31rVS1xNFz/k1sYsvCOHwt2VZnywK01Uw==" proposal "pre-g2-des-md5"
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "vpn tunnel 2" gateway "vpn tunnel" replay tunnel idletime 0 proposal "g2-esp-des-sha" "test"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set traffic-shaping mode on
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 1
    set log session-init
    exit
    set policy id 2 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "SMTP" permit log
    set policy id 2
    exit
    set policy id 3 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTP" permit log
    set policy id 3
    exit
    set policy id 4 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTPS" permit log
    set policy id 4
    exit
    set policy id 5 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "JDMRDP" permit log
    set policy id 5
    exit
    set policy id 6 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "POP3" permit log
    set policy id 6
    exit
    set policy id 7 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "JDMRDP1" permit log
    set policy id 7
    exit
    set policy id 8 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "JDMRDP2" permit log
    set policy id 8
    exit
    set policy id 9 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "CAM1" permit log
    set policy id 9
    exit
    set policy id 10 from "Trust" to "Trust" "192.168.10.0/24" "192.168.11.0/24" "ANY" permit
    set policy id 10
    exit
    set policy id 11 from "Trust" to "Trust" "192.168.11.1/24" "192.168.10.1/24" "ANY" permit
    set policy id 11
    exit
    set policy id 12 name "VPN TUN" from "Trust" to "Untrust" "jdm" "home" "ANY" tunnel vpn "vpn tunnel 2" id 0x1 pair-policy 13
    set policy id 12
    exit
    set policy id 13 name "VPN TUN" from "Untrust" to "Trust" "home" "jdm" "ANY" tunnel vpn "vpn tunnel 2" id 0x1 pair-policy 12
    set policy id 13
    exit
    set policy id 14 name "VPN TUN" from "Untrust" to "Trust" "home" "192.168.11.0/24" "ANY" tunnel vpn "vpn tunnel 2" id 0x5 pair-policy 15
    set policy id 14
    exit
    set policy id 15 name "VPN TUN" from "Trust" to "Untrust" "192.168.11.0/24" "home" "ANY" tunnel vpn "vpn tunnel 2" id 0x5 pair-policy 14
    set policy id 15
    exit
    set pppoe name "eth0/0"
    set pppoe name "eth0/0" username "D265678@hg57.btclick.com" password "RfStHJ+ANWOthzsby7Cz/JCKivnns7RxnQ=="
    set pppoe name "eth0/0" interface ethernet0/0
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    unset license-key auto-update
    set ssl port 4443
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 4.  RE: VPN Help !!!!

    Posted 08-25-2013 04:29

    Your config looks good. In the background, two phase 2 SAs will be created.

    You can use the following command to see whether both the phase 2 SAs are active:

    get sa

    If the second phase 2 SA is not up, we can look at "get events" for the errors when you are trying to initiate the traffic from behind your home network.



  • 5.  RE: VPN Help !!!!

    Posted 08-25-2013 09:38

    Or, you can also try disabling the new VPN policies and adding the second network to the old VPN policy itself.



  • 6.  RE: VPN Help !!!!

    Posted 08-25-2013 12:45

    get sa produces:

    HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
    00000001< 2.217.197.242 500 esp: des/sha1 6685bd8b 1517 unlim A/- 13 0
    00000001> 2.217.197.242 500 esp: des/sha1 6ef2b497 1517 unlim A/- 12 0
    00000005< 2.217.197.242 500 esp: des/sha1 00000000 expir unlim I/I 14 0
    00000005> 2.217.197.242 500 esp: des/sha1 00000000 expir unlim I/I 15 0

    Not sure what this means though.



  • 7.  RE: VPN Help !!!!

    Posted 08-26-2013 01:36

    Here you see two phase 2 SAs: one is Active (A) and the other is I (inactive), which means down; as a result, traffic through this second SA will fail.

    get sa produces:

    HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
    00000001< 2.217.197.242 500 esp: des/sha1 6685bd8b 1517 unlim A/- 13 0
    00000001> 2.217.197.242 500 esp: des/sha1 6ef2b497 1517 unlim A/- 12 0
    00000005< 2.217.197.242 500 esp: des/sha1 00000000 expir unlim I/I 14 0
    00000005> 2.217.197.242 500 esp: des/sha1 00000000 expir unlim I/I 15 0

    We need to check why it is not coming up. To start with, you can initiate traffic from the home side which is failing and check the event logs on the SSG side to look for any errors.

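Reading the `get sa` table by hand works for four rows, but the same check is worth automating when a box carries many tunnels. The Python below is an added example, not part of this thread or of any Juniper tooling: it parses `get sa` output, maps each SA id back to the PID column (the ScreenOS policy id that owns the tunnel) and reports any SA whose inbound or outbound leg is not in state A. The sample text is constructed to match the shape of the output posted above, with the peer address replaced by a documentation IP.

```python
"""Parse ScreenOS `get sa` output and flag Phase 2 SAs that are not active.

Added example; not from the thread or from Juniper. SAMPLE_GET_SA is constructed
to mirror the poster's table (peer IP replaced with a documentation address).
"""
import re
from dataclasses import dataclass

SAMPLE_GET_SA = """\
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 198.51.100.7 500 esp: des/sha1 6685bd8b 1517 unlim A/- 13 0
00000001> 198.51.100.7 500 esp: des/sha1 6ef2b497 1517 unlim A/- 12 0
00000005< 198.51.100.7 500 esp: des/sha1 00000000 expir unlim I/I 14 0
00000005> 198.51.100.7 500 esp: des/sha1 00000000 expir unlim I/I 15 0
"""

# One data row: HEX ID + direction marker, gateway, port, "esp: alg/alg",
# SPI, lifetime, kb, Sta (state/flag), PID (owning policy id), vsys.
SA_LINE = re.compile(
    r"^(?P<hexid>[0-9a-fA-F]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+:\s*\S+)\s+(?P<spi>[0-9a-fA-F]{8})\s+(?P<life>\S+)\s+(?P<kb>\S+)\s+"
    r"(?P<sta>\S+)\s+(?P<pid>\d+)\s+(?P<vsys>\d+)\s*$"
)


@dataclass
class SaEntry:
    sa_id: int        # HEX ID column as an integer (0x1, 0x5, ...)
    direction: str    # '<' inbound leg, '>' outbound leg
    gateway: str
    algorithm: str
    spi: str
    life_sec: str     # seconds remaining, or "expir"
    status: str       # Sta column, e.g. "A/-" or "I/I"
    policy_id: int    # PID column: the tunnel policy that owns this SA

    @property
    def active(self):
        # The first character of Sta is the SA state; 'A' means active.
        return self.status.split("/")[0] == "A"


def parse_get_sa(text):
    """Return a list of SaEntry, skipping the header and any non-matching line."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        entries.append(SaEntry(
            sa_id=int(m["hexid"], 16), direction=m["dir"], gateway=m["gw"],
            algorithm=m["alg"], spi=m["spi"], life_sec=m["life"],
            status=m["sta"], policy_id=int(m["pid"]),
        ))
    return entries


def group_by_sa(entries):
    by_id = {}
    for e in entries:
        by_id.setdefault(e.sa_id, []).append(e)
    return by_id


def inactive_tunnels(entries):
    """{sa_id: sorted policy ids} for every SA with at least one leg not active."""
    return {
        sa_id: sorted(leg.policy_id for leg in legs)
        for sa_id, legs in sorted(group_by_sa(entries).items())
        if not all(leg.active for leg in legs)
    }


def describe(entries):
    """One line per SA id: owning policies and whether both legs are up."""
    lines = []
    for sa_id, legs in sorted(group_by_sa(entries).items()):
        state = "ACTIVE" if all(leg.active for leg in legs) else "INACTIVE"
        pids = ",".join(str(p) for p in sorted(leg.policy_id for leg in legs))
        lines.append(f"SA 0x{sa_id:x} -> policies {pids}: {state}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_get_sa(SAMPLE_GET_SA)):
        print(line)
```

On the sample, SA 0x1 (policies 12/13) reports ACTIVE and SA 0x5 (policies 14/15) reports INACTIVE, which is exactly the mapping between the `get sa` rows and the `set policy id ... tunnel vpn ... id 0x5` lines in the posted config; an SPI of all zeros together with "expir" is the visible sign that Phase 2 never completed for that proxy-ID.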


  • 8.  RE: VPN Help !!!!

    Posted 08-26-2013 11:49

    I'm not sure how, but I have tried by using ping -t 192.168.11.1 from my cmd prompt on my home PC. I can't see anything in the event log on the SSG side. Is there a specific log to look at, or do I need to SSH in to see a different log than on the web GUI?

    Many thanks for your help!



  • 9.  RE: VPN Help !!!!

    Posted 08-26-2013 23:32

    We need to look for VPN events.

    The following KBs will be helpful:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB4426#

    How to Analyze IKE Phase 1 Messages in the Event Logs

    http://kb.juniper.net/InfoCenter/index?cmid=no&page=content&id=KB9238

    [ScreenOS] How to Analyze IKE Phase 2 Messages in the Event Logs

    http://kb.juniper.net/InfoCenter/index?cmid=no&page=content&id=KB9231



  • 10.  RE: VPN Help !!!!
    Best Answer

    Posted 08-28-2013 11:51

    This is actually pretty simple.

    All you need to do is configure another VPN on your home device, the same way you created the first one.  The only difference is that you'll set different parameters for the remote network to 192.168.11.0.

    Every time you create a policy in a NS device with the action of "tunnel" -- you are in essence building a new VPN tunnel, so you need to do the corresponding configs on the other side of the connection (your Draytek router (which I am not familiar with)).

    The key to remember is that every policy-based VPN on the Netscreen builds a new VPN connection, even though the two endpoints for the VPN tunnels are the same.  Your Draytek isn't going to work that "automatically" so you need to do the legwork on that side of the config.

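To make the point in the answer above concrete: each `set policy ... tunnel vpn ... id 0xN` pair on the NetScreen negotiates its own Phase 2 SA with its own proxy-ID (local network, remote network, service), and the peer has to define a matching tunnel for every one of them. The Python below is an added example, not the thread's or Juniper's code: it reads the address-book, IKE proposal and tunnel-policy lines from the posted config, derives per SA id the network pair the DrayTek must mirror, checks that each `pair-policy` reference points back symmetrically with the same SA id, and flags proposals that still use single DES or MD5. The assumption that the Trust zone is the local side (`local_zone="Trust"`) and the choice of excerpt are mine; the address names, policy ids and proposal names are taken from the config earlier in the thread.

```python
"""Derive the Phase 2 proxy-IDs that ScreenOS tunnel-policy pairs create.

Added example; not from the thread or from Juniper. CONFIG_EXCERPT copies the
relevant address, proposal and tunnel-policy lines from the posted config.
"""
import re
from ipaddress import IPv4Network

CONFIG_EXCERPT = """\
set address "Trust" "192.168.11.0/24" 192.168.11.0 255.255.255.0
set address "Trust" "jdm" 192.168.10.0 255.255.255.0
set address "Untrust" "home" 10.10.10.0 255.255.255.0
set ike p1-proposal "tets" preshare group1 esp des md5 second 28800
set ike p2-proposal "test" group2 esp des sha-1 second 3600
set policy id 12 name "VPN TUN" from "Trust" to "Untrust" "jdm" "home" "ANY" tunnel vpn "vpn tunnel 2" id 0x1 pair-policy 13
set policy id 13 name "VPN TUN" from "Untrust" to "Trust" "home" "jdm" "ANY" tunnel vpn "vpn tunnel 2" id 0x1 pair-policy 12
set policy id 14 name "VPN TUN" from "Untrust" to "Trust" "home" "192.168.11.0/24" "ANY" tunnel vpn "vpn tunnel 2" id 0x5 pair-policy 15
set policy id 15 name "VPN TUN" from "Trust" to "Untrust" "192.168.11.0/24" "home" "ANY" tunnel vpn "vpn tunnel 2" id 0x5 pair-policy 14
"""

ADDR_RE = re.compile(r'^set address "(?P<zone>[^"]+)" "(?P<name>[^"]+)" (?P<ip>\S+) (?P<mask>\S+)')
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "[^"]*")? from "(?P<from>[^"]+)" to "(?P<to>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" tunnel vpn "(?P<vpn>[^"]+)" '
    r'id (?P<said>0x[0-9a-fA-F]+)(?: pair-policy (?P<pair>\d+))?'
)
PROPOSAL_RE = re.compile(r'^set ike (?P<phase>p[12])-proposal "(?P<name>[^"]+)" (?P<rest>.*)$')
WEAK_ALGS = {"des", "md5"}  # single DES and MD5 are deprecated for IKE/IPsec


def parse_config(text):
    """Return (address book, tunnel policies, weak proposals) from ScreenOS CLI text."""
    addresses, policies, weak = {}, [], []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addresses[(m["zone"], m["name"])] = IPv4Network(f'{m["ip"]}/{m["mask"]}', strict=False)
            continue
        m = POLICY_RE.match(line)
        if m:
            policies.append({
                "id": int(m["id"]), "from": m["from"], "to": m["to"],
                "src": m["src"], "dst": m["dst"], "svc": m["svc"], "vpn": m["vpn"],
                "sa_id": m["said"].lower(),
                "pair": int(m["pair"]) if m["pair"] else None,
            })
            continue
        m = PROPOSAL_RE.match(line)
        if m:
            algs = sorted(set(m["rest"].split()) & WEAK_ALGS)
            if algs:
                weak.append((m["phase"], m["name"], algs))
    return addresses, policies, weak


def proxy_ids(addresses, policies, local_zone="Trust"):
    """Map each SA id to the proxy-ID (local net, remote net, service) its policy pair negotiates."""
    by_id = {p["id"]: p for p in policies}
    out = {}
    for p in policies:
        if p["from"] == local_zone:   # outbound policy: source is the local network
            local, remote = addresses[(p["from"], p["src"])], addresses[(p["to"], p["dst"])]
        else:                         # inbound policy: destination is the local network
            local, remote = addresses[(p["to"], p["dst"])], addresses[(p["from"], p["src"])]
        pair = by_id.get(p["pair"])
        symmetric = pair is not None and pair["pair"] == p["id"] and pair["sa_id"] == p["sa_id"]
        entry = out.setdefault(p["sa_id"], {"local": local, "remote": remote,
                                            "service": p["svc"], "policies": [], "paired": True})
        entry["policies"].append(p["id"])
        entry["paired"] = entry["paired"] and symmetric
    return out


def peer_requirements(text, local_zone="Trust"):
    """One line per SA id describing the tunnel the remote peer must define."""
    addresses, policies, _ = parse_config(text)
    lines = []
    for sa_id, e in sorted(proxy_ids(addresses, policies, local_zone).items()):
        flag = "" if e["paired"] else " (pair-policy mismatch)"
        lines.append(f"{sa_id}: ssg-side {e['local']} <-> peer-side {e['remote']} "
                     f"service {e['service']} via policies {e['policies']}{flag}")
    return lines


if __name__ == "__main__":
    for line in peer_requirements(CONFIG_EXCERPT):
        print(line)
    for phase, name, algs in parse_config(CONFIG_EXCERPT)[2]:
        print(f"{phase} proposal {name!r} uses weak algorithm(s): {', '.join(algs)}")
```

Run on the excerpt it prints two tunnels, 0x1 (192.168.10.0/24 to 10.10.10.0/24) and 0x5 (192.168.11.0/24 to 10.10.10.0/24), which is the second DrayTek VPN entry the best answer asks for; the weak-algorithm lines cover the two proposals named in the config (the predefined `pre-g2-des-md5` and `g2-esp-des-sha` referenced on the gateway and vpn lines are not parsed here).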


  • 11.  RE: VPN Help !!!!

    Posted 08-30-2013 12:02

    Keithr - Thank you very much, that makes so much sense and works a treat 🙂

    So I created a new VPN connection just using the other subnet, and now my home 10.10.10.0 network will talk to my work 192.168.10.0 / 192.168.11.0 network 🙂

    Many thanks for your reply Keith, saved me hours of config and event checking.

    I am very surprised at the capabilities of the SSG. I didn't think I was going to be able to set all the ports to all 3 VLANs without a managed switch, but it really does work a treat without one.