ScreenOS Firewalls (NOT SRX)
Posts: 10
Registered: ‎05-11-2008

layer 2 VPN, is it possible? Design help



Is it possible to create a layer 2 vpn with SSG-5's? Here's my design challenge that I'm trying to overcome:


We have 4 separate private networks:,,,  Originally, we created a mesh VPN network between the sites for the equipment living on those networks.  All was well, everyone got along, life was good. Now, we recently received a new system that needs installed. 


The system comprises a "controller" server and multiple video servers.  The video servers have to boot up using bootp and the controller is the bootp server.  The controller lives in and then 5 video servers live in each of the networks (for a total of 20).  Naturally, the video servers on the same network as the controller work fine.  The others do not.  As expected, they don't get a bootp response from the controller, because they are on different networks.


So, my thought is:


1.  Install a bootp relay server (I'm investigating this, and that doesn't really apply here)

2.  Do the juniper SSG's do bootp relaying?

3.  Create a layer2 VPN (if it even exists) and make all the servers simply live on the same broadcast domain.  


Is there some really simple solution I'm missing out there?


Any help would be appreciated!




Posts: 9
Registered: ‎01-29-2008

Re: layer 2 VPN, is it possible? Design help

Can't do L2VPNs.  Would require an MPLS core (


As for bootp, never done that so can't tell you if it would work.  What version of ScreenOS are you using?  Can you just create a local dhcp service on each local ssg-5?


good luck...

-Mike Mainer
Posts: 10
Registered: ‎05-11-2008

Re: layer 2 VPN, is it possible? Design help

We are running ScreenOS 6.0.0r6.


As for the dhcp server in each location, the bootp server is part of the "controller" device and a bootp server in every location is not a supported solution from the vendor.  The system is intended for all of the devices to live on the same broadcast domain.

Trusted Expert
Posts: 441
Registered: ‎07-08-2008

Re: layer 2 VPN, is it possible? Design help



Not sure if this will work for your kit but it might be worth looking at DHCP relay on the NetScreen firewalls. Have a look in the Concepts and Examples manual Volume 2 page 233. I remember using it for some VoIP phones, but that was quite a while ago.


Hope this is of help.





Trusted Contributor
Posts: 70
Registered: ‎02-11-2008

Re: layer 2 VPN, is it possible? Design help

Hi npgcable,


VPNs are possible, but only for traffic encapsulated with layer 3 information. Since Bootp packets can be encapsulated, they can be processed by the VPN tunnel. All IP traffic can be.

The subnets are all the same, which makes things a little more challenging. You would need to look at translating the source and destination IP addresses of the packets as they traverse the firewall. Because you require this network address translating, you need the firewalls to operate in route/nat mode, so you need to look at a normal IPsec VPN.
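Two of the replies above hinge on the same mechanism: the DHCP relay feature on the firewall (the "Trusted Expert" post) works because a relay agent turns the client's link-local broadcast into a routable unicast that an IPsec tunnel can carry (the last post). The following is an added example, not code from the thread or from Juniper: it implements the relay-agent and server-side address decisions from RFC 951/1542/2131 on a constructed BOOTP packet so you can see exactly which field (giaddr) lets the controller answer a client on another subnet. All addresses and the MAC are made up for the example.

```python
"""Minimal BOOTP relay-agent logic (added example, not ScreenOS code).

Shows why a booting server on a remote subnet never gets an answer without a
relay, and what the relay changes so that the reply finds its way back.
"""
import ipaddress
import struct

# BOOTP fixed header (RFC 951): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
ZERO_IP = b"\x00" * 4
LIMITED_BROADCAST = "255.255.255.255"


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def build_request(mac: bytes, xid: int, broadcast: bool = True) -> bytes:
    """The BOOTREQUEST a diskless video server broadcasts at boot.
    giaddr is zero: the client knows nothing about relays or routers."""
    flags = BROADCAST_FLAG if broadcast else 0
    return BOOTP_HEADER.pack(
        BOOTREQUEST, 1, 6, 0, xid, 0, flags,
        ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )


def relay_request(packet: bytes, relay_ip: str, max_hops: int = 4):
    """What a relay agent does before unicasting a request to the server
    (RFC 1542 s4.1.1): increment hops and, if giaddr is still zero, set it to
    the address of the interface the broadcast arrived on. Returns None when
    the packet must be dropped (not a request, or looped through too many
    relays)."""
    fields = list(BOOTP_HEADER.unpack_from(packet))
    if fields[0] != BOOTREQUEST or fields[3] >= max_hops:
        return None
    fields[3] += 1
    if fields[10] == ZERO_IP:  # only the first relay on the path sets giaddr
        fields[10] = ipaddress.IPv4Address(relay_ip).packed
    return BOOTP_HEADER.pack(*fields) + packet[BOOTP_HEADER.size:]


def build_reply(request: bytes, offered_ip: str, server_ip: str) -> bytes:
    """A BOOTREPLY as the controller would build it: same xid, flags, giaddr
    and chaddr as the request, plus the offered address and server address."""
    fields = list(BOOTP_HEADER.unpack_from(request))
    fields[0] = BOOTREPLY
    fields[8] = ipaddress.IPv4Address(offered_ip).packed   # yiaddr
    fields[9] = ipaddress.IPv4Address(server_ip).packed    # siaddr
    return BOOTP_HEADER.pack(*fields) + request[BOOTP_HEADER.size:]


def server_reply_target(reply: bytes) -> str:
    """Where the server sends a BOOTREPLY (RFC 2131 s4.1): to giaddr (the
    relay, a routable unicast) if set; else to ciaddr if the client already
    has one; else a limited broadcast, which routers and tunnels do not
    forward. The last case is the thread's 'no response' symptom."""
    f = BOOTP_HEADER.unpack_from(reply)
    if f[0] != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    flags, ciaddr, yiaddr, giaddr = f[6], f[7], f[8], f[10]
    if giaddr != ZERO_IP:
        return _ip(giaddr)
    if ciaddr != ZERO_IP:
        return _ip(ciaddr)
    if flags & BROADCAST_FLAG:
        return LIMITED_BROADCAST
    return _ip(yiaddr)


def relay_reply_target(reply: bytes) -> str:
    """Where the relay forwards a reply it received on its giaddr interface
    (RFC 1542 s4.1.2): unicast to ciaddr if set, otherwise broadcast on the
    client LAN (the client has no IP yet), else unicast to yiaddr."""
    f = BOOTP_HEADER.unpack_from(reply)
    flags, ciaddr, yiaddr = f[6], f[7], f[8]
    if ciaddr != ZERO_IP:
        return _ip(ciaddr)
    if flags & BROADCAST_FLAG or yiaddr == ZERO_IP:
        return LIMITED_BROADCAST
    return _ip(yiaddr)


if __name__ == "__main__":
    # Constructed scenario: controller at 10.0.1.5, client on the 10.0.2.0/24
    # LAN whose firewall inside interface is 10.0.2.1 (all made-up values).
    req = build_request(b"\x00\x11\x22\x33\x44\x55", xid=0x1234)
    print("no relay  ->", server_reply_target(build_reply(req, "10.0.2.50", "10.0.1.5")))
    relayed = relay_request(req, "10.0.2.1")
    reply = build_reply(relayed, "10.0.2.50", "10.0.1.5")
    print("with relay -> server sends to", server_reply_target(reply),
          "; relay forwards to", relay_reply_target(reply))
```

The relay only helps if the controller can route a unicast back to giaddr. When the remote subnets overlap, as the last post notes, that return route is exactly what needs NAT on the firewalls, and the giaddr the controller sees has to be the translated address.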