Juniper Netscreen Policy-based S2S Virtual-Private-Network Setup

This document describes in detail how to set up a policy-based S2S (site-to-site) VPN on Juniper Netscreen devices. First, pre-configuration is required: clearing the configuration, setting up the management interface and configuring the interfaces. Then the trust and untrust interfaces, IKE phase 1 and phase 2, address entries, policies and static routes are configured, and the setup is tested. Through these steps an on-demand S2S VPN, triggered by specific policies, is achieved.


A policy-based VPN brings the tunnel up only when traffic matches one of the pre-defined tunnel policies. Once triggered, the connection stays up for an idle period and then expires if no further matching traffic crosses it; if matching traffic appears again after expiry, the connection is re-established. This differs from a route-based VPN, whose tunnel is kept up continuously within the pre-defined timer.

0.1 Requirements

0. Change the admin account to netadmin/password
1. Configure the VLAN and assign the ports to the VLAN on sw1 and sw2
2. Configure interface IP addresses on routers R3 and R4
3. Configure a policy-based site-to-site IPSec VPN tunnel between ssg1 and ssg2, using the following standards:
   - Pre-shared key: juniper
   - Phase 1 proposal: pre-g2-3des-sha1
   - Phase 2 proposal: Nopfs-esp-3des-sha1
4. Configure static routes
5. Test connectivity from R3 to R4
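Requirement 3 from the list above, written out as ScreenOS CLI on the SSG1 side (an added example, not configuration taken from this page; ScreenOS 6.x command syntax assumed). Values not given on the page are assumptions: SSG2's untrust address 192.168.25.212 and the R4-side network 10.2.2.0/24; lines starting with # are annotations for the reader, not CLI input.

```screenos
# Added example, not from the page. SSG1 side only; SSG2 mirrors it.
# Assumed: SSG2 untrust = 192.168.25.212, R4 LAN = 10.2.2.0/24, R3 LAN = 10.1.1.0/24.

# Define the proposals under exactly the names the requirements use,
# so the gateway and VPN objects below can reference them.
set ike p1-proposal "pre-g2-3des-sha1" preshare group2 esp 3des sha-1
set ike p2-proposal "Nopfs-esp-3des-sha1" no-pfs esp 3des sha-1

# Phase 1: main mode to the peer, leaving via the untrust interface,
# authenticated with the pre-shared key "juniper" from the requirements.
set ike gateway "gw-ssg2" address 192.168.25.212 main outgoing-interface ethernet0/1 preshare "juniper" proposal "pre-g2-3des-sha1"

# Phase 2: VPN object bound to that gateway; replay protection kept on.
set vpn "vpn-ssg2" gateway "gw-ssg2" replay tunnel idletime 0 proposal "Nopfs-esp-3des-sha1"

# Address objects for the two LANs, one in each zone.
set address "Trust" "net-r3" 10.1.1.0 255.255.255.0
set address "Untrust" "net-r4" 10.2.2.0 255.255.255.0

# The tunnel policies are the trigger: only traffic matching these
# brings the tunnel up. pair-policy ties the two directions to one SA pair.
set policy id 10 from "Trust" to "Untrust" "net-r3" "net-r4" "ANY" tunnel vpn "vpn-ssg2" pair-policy 11 log
set policy id 11 from "Untrust" to "Trust" "net-r4" "net-r3" "ANY" tunnel vpn "vpn-ssg2" pair-policy 10 log

# Route for the remote LAN out the untrust interface, so the policy lookup
# happens from Trust to Untrust and the tunnel policy matches.
set route 10.2.2.0/24 interface ethernet0/1 gateway 192.168.25.212

# Verification: Phase 1 cookies and active SAs only appear after traffic
# from 10.1.1.0/24 towards 10.2.2.0/24 has hit policy 10.
get ike cookies
get sa active
get policy id 10
```

SSG2 takes the mirror image: the same pre-shared key and proposals, gateway address 192.168.25.211, and the address objects and policies swapped. Because the policies are the trigger, `get sa active` stays empty until traffic from 10.1.1.0/24 matches policy 10.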

0.2 Pre-configuration

Erase the current configuration for SSG1 and SSG2:

ssg2-> unset all
Erase all system config, are you sure y/[n] ? y
ssg2-> reset
Configuration modified, save? [y]/n n
System reset, are you sure? y/[n] y
In reset ...

Set up the management interface on SSG1 and SSG2 for WebUI access:

ssg1-> get in
ssg1-> get sys
set hostname ssg1
set int e0/0 ip 10.1.1.1/?
set int e0/0 ip 10.1.1.1/24
set int e0/1 zone untrust
set int e0/1 ip 192.168.25.211/24
ping 10.1.1.2 count 100
ping 192.168.25.1

Then check the interface with get int e0/0:

ssg1-> get int e0/0
Interface ethernet0/0:
  description ethernet0/0
  number 0, if_info 0, if_index 0, mode nat
  link up, phy-link up/full-duplex, admin status up
  status change:1, last change:02/22/2022 08:15:48
  vsys Root, zone Trust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 10.1.1.1/24   mac 0012.1ea6.2980
  *manage ip 10.1.1.1, mac 0012.1ea6.2980
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH en
