Policy Based VPN

Policy Based VPN

Juniper Netscreen Firewall – Steps to create Policy based VPN

Below steps decribes how to cteate a Policy based VPN in Juniper Netscreen firewall. We will start with the below information about the tunnel setup.

 Remote Gateway (Public IP of remote peer) :- (an example)

Encryption domains:-

  1. Local endpoint :-  (an example)
  2. Remote endpoint :-  (an example)
  •  Login to the Web Interface of the NS and navigate to below shown link.
  • Click on NEW. Give a name and enter the IP address of the remote Peer.


  • Select Advanced and configure the pre-decided shared key
  • Set up the Phase 1 proposal.

  • Now navigate to AutokeyIKE as shown below.
  • In the Remote Gateway, select the Gateway, from the dropdown, that we creaetd above and clcik on Advanced


  • Define the Phase 2 Proposal,  Select ‘Replay Protection’; Tick Proxy-ID and enter your encryption domain details; Click ‘Return‘ and then OK

  • You can also create a VPN Monitor which will keeping checking if the tunnel is UP even if no interesting traffic is being generated. But the limitation is that it is not recommended to enable VPN Monitor if the remote peer is not NetScreen firewall.
  • Now create a Policy to allow traffic.
  • Select Policies -> Trust to Untrust -> New
  • Enter Source (local Endpoint) (create a new entry or select from address book)
  • Enter Destination (remote Endpoint)
  • Under Action dropdown select Tunnel
  • From the Tunnel dropdown select the Tunnel we just created
  • Tick ‘Modify matching bidirectional VPN policy’
  • Tick ‘Position at Top’
  • Click OK.



 get sa       *** will show the activ/inactive tunnels ***


NSFW-> get sa
total configured sa: 1
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 500  esp:3des/sha1 e37791d2 expir    unlim I/I 2 0
00000001> 500  esp:3des/sha1 883ebdb7 expir    unlim I/I 1 0

NSFW-> get sa
total configured sa: 1
HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000001< 500  esp:3des/sha1 e37791d3 3596     unlim A/- 2 0
00000001> 500  esp:3des/sha1 883ebdb8 3596     unlim A/- 1 0 


  • I/I: VPN tunnel is Inactive
  • A/-: VPN tunnel is Active, and VPN Monitor is not configured
  • A/U: VPN tunnel is Active, and the link (detected thru VPN Monitor) is UP
  • A/D: VPN tunnel is Active, but the link (detected thru VPN Monitor) is DOWN. 

How do I interpret ‘get sa stat’ command?

How to Analyze IKE Phase 2 Messages in the Event Logs