NetScreen VPN with Pre-Shared key




Posts: 7

Joined: Sat Aug 11, 2012 7:44 am

Post Wed Aug 22, 2012 9:57 am

NetScreen VPN with Pre-Shared key

Just a brief list of instructions I made some time ago which may be useful:

Set up a VPN with a NetScreen using a preshared key walkthrough (using the web interface) of a route-based VPN solution between two NetScreens:
Firewall A -> Internet -> Firewall B
1. Log into Firewall A through the web interface
2. Configure your tunnel interface
• Click Network -> Interfaces
• Make sure the dropdown in the top left says Tunnel IF, and click New
• I put mine in the Untrust zone because I want all of my VPN traffic to run through my Untrust->Trust policy
• Click unnumbered and select the Untrust interface
• click OK
3. Configure your VPN Gateway
• Click VPNs -> AutoKey Advanced -> Gateway
• click New
• Name the gateway "FirewallB-gw"
I always select the custom security level, you'll see why in a following step
• Enter the public IP address of Firewall B
• Carefully enter your preshared key
• Select Untrust for your outgoing interface
• Click Advanced
• Select User defined (custom)
• In the first dropdown select pre-g2-aes128-sha
• Click Return at the bottom
• Click OK at the bottom
4. Create the VPN
• on the menu on the left select VPNs -> Autokey Advanced
• click New
• name it FirewallB-vpn
• select Custom
• leave predefined checked and select your FirewallB-GW in the dropdown
• click Advanced
• select Custom
• In the first dropdown, select g2-esp-aes128-sha
• Turn on replay protection
• Bind to tunnel interface, and select your tunnel interface you created in step 2
• Turn on VPN monitor (this will bring up the VPN right away and keep it up even when there's no traffic on it)
• Click Return
• Click OK
5. You need to add routes to the remote network.  You can configure the tunnel interfaces to run OSPF, or you can add a static.  I will tell you how to add a static.
• On the menu click Network -> Routing -> Destination
• Click new
• Type in the network address behind Firewall B
• Select Gateway
• Select your tunnel interface in the dropdown
• Click ok
6. Add your policy to allow access to/from the remote network.  If you are not in NAT mode on your trust interface, make sure you check position at top when creating a Trust->Untrust rule, or it will NAT the traffic to your Untrust IP or DIP pool and then send it across the tunnel, which you probably don't want.  Create an Untrust->Trust policy which allows access from the Network behind Firewall B to hosts or the network behind Firewall B.  You probably want to allow Ping at a minimum.
7. Repeat steps 1-6 on Firewall B.  Substituting Firewall A's data.
The VPN should pop up and everything should work.  You can also use the little wizard.  If one or both of your NetScreens is behind something that does NAT, you will also have to turn on NAT traversal on both ends.
If you don't want static routes and want to use OSPF instead, create an OSPF instance under the trust VR.  Make sure you add the tunnel interfaces and your internal interfaces to it, and tell it to advertise your private networks.  You will then have to go under each interface that you added, and turn on OSPF.  On tunnel interfaces, you can enable demand circuit and add it to the area, apply the changes, and then Enable OSPF on it.


"Remember there is no engineering problem that can't be fixed with an appropriate sized hammer and at the end of the day.....It gets Dark"


User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Wed Aug 22, 2012 10:47 am

Re: NetScreen VPN with Pre-Shared key

Thanks is this somthing you done for a home lab ? or more of a job for work ?
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er


User avatar

Sr. Member
Sr. Member

Posts: 370

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Fri Aug 24, 2012 3:02 am

Re: NetScreen VPN with Pre-Shared key

ofcourse vpn with cretificate is much secure than pre shared key thanx
CEH - HackingDojo Shodan - CCNA - MCITP - Offensive Security WIFU - LPIC - MTCNA - SECURITY+


User avatar

Sr. Member
Sr. Member

Posts: 258

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Sat Aug 25, 2012 1:22 am

Re: NetScreen VPN with Pre-Shared key

Cyber.spirit wrote:ofcourse vpn with cretificate is much secure than pre shared key thanx

Not sure I'd agree with that. Pre-shared keys means both parties know who is on the other end. Use of certificates in PKI only means the person with the public key knows who is on the other end - system with the private key has no clue who the other system is.
- Thomas Wilhelm, MSCS MSM

Web Site:
  • http://HackingDojo.com
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools

Return to Tutorials

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software