The Netscreen is a Netscreen100, running 2.6.0r2.1.
There are two subnets behind the Netscreen: vlanGreen (10.2.1.0/24) and vlanRed (10.3.1.0/24).
The FreeS/WAN box (named "stymie") I have connected to the Netscreen is actually behind a 1-to-1 NAT box. The subnet that it is on is 10.1.1.0/24. I will use "external.stymie.add.ress" for the external IP address of stymie in the following configurations.
Relevant Netscreen configuration (your policy ID numbers may vary):
set ike gateway "stymiegateway" ip external.stymie.add.ress Main preshare "KEYGOESHERE" proposal "pre-g2-3des-md5"
set vpn "ikestymie" id 10 gateway "stymiegateway" replay tunnel idletime 0 proposal "g2-esp-3des-md5" "g2-esp-3des-sha"
set address trust "vlanGreen" 10.2.1.0 255.255.255.0
set address trust "vlanRed" 10.3.1.0 255.255.255.0
set address untrust "OfficeLAN" 10.1.1.0 255.255.255.0
set address untrust "stymie" 10.1.1.28 255.255.255.255
set policy id 33 incoming "OfficeLAN" "vlanGreen" "ANY" Tunnel vpn "ikestymie" id 20 count
set policy id 34 incoming "OfficeLAN" "vlanRed" "ANY" Tunnel vpn "ikestymie" id 21 count
set policy id 46 outgoing "vlanGreen" "stymie" "ANY" Tunnel vpn "ikestymie" id 27
set policy id 47 outgoing "vlanRed" "stymie" "ANY" Tunnel vpn "ikestymie" id 26 count
set policy id 48 outgoing "vlanGreen" "OfficeLAN" "ANY" Tunnel vpn "ikestymie" id 20 count
set policy id 49 outgoing "vlanRed" "OfficeLAN" "ANY" Tunnel vpn "ikestymie" id 21 count
Here "pre-g2-3des-md5" is the Phase 1 proposal (pre-shared key, DH group 2, 3DES, MD5) and "g2-esp-3des-md5" / "g2-esp-3des-sha" are the Phase 2 ESP proposals with PFS group 2; KEYGOESHERE is the pre-shared key, which must be the same one FreeS/WAN has in /etc/ipsec.secrets for external.stymie.add.ress. The gateway is keyed to stymie's external address because that is the address the Netscreen sees after the 1-to-1 NAT.
That should pretty much do it. I've actually set up everything through the web interface, but that's hard to describe. You should be able to figure it out. (In the following configuration, leftnexthop really is 10.1.1.1, since that's the internal IP address of the NAT router that is between stymie and the internet.) Also, I have 4 tunnels (one for OfficeLAN to vlanGreen, one for OfficeLAN to vlanRed, one for stymie to vlanGreen, and one for stymie to vlanRed). Here are the relevant sections of /etc/ipsec.conf (FreeS/WAN requires the parameter lines of each section to be indented; section headers start at column 0):
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# OfficeLAN (10.1.1.0/24) <-> vlanGreen (10.2.1.0/24): Netscreen policies 33 and 48.
conn netscreen-gw-green
    type=tunnel
    auth=esp
    authby=secret
    keylife=1h
    auto=start
    # leftid is the address the Netscreen sees, since stymie sits behind 1-to-1 NAT.
    leftid=external.stymie.add.ress
    left=10.1.1.28
    keyexchange=ike
    leftsubnet=10.1.1.0/24
    # The NAT router's internal address, not the ISP's gateway.
    leftnexthop=10.1.1.1
    right=net.screen.add.ress
    keyingtries=0
    rightsubnet=10.2.1.0/24

# OfficeLAN (10.1.1.0/24) <-> vlanRed (10.3.1.0/24): Netscreen policies 34 and 49.
conn netscreen-gw-red
    type=tunnel
    auth=esp
    authby=secret
    keylife=1h
    auto=start
    leftid=external.stymie.add.ress
    left=10.1.1.28
    keyexchange=ike
    leftsubnet=10.1.1.0/24
    leftnexthop=10.1.1.1
    right=net.screen.add.ress
    keyingtries=0
    rightsubnet=10.3.1.0/24

# stymie itself <-> vlanGreen: no leftsubnet, so the left end is the host 10.1.1.28/32.
# Netscreen policy 46.
conn netscreen-me-green
    type=tunnel
    auth=esp
    authby=secret
    keylife=1h
    auto=start
    leftid=external.stymie.add.ress
    left=10.1.1.28
    keyexchange=ike
    leftnexthop=10.1.1.1
    right=net.screen.add.ress
    keyingtries=0
    rightsubnet=10.2.1.0/24

# stymie itself <-> vlanRed: Netscreen policy 47.
conn netscreen-me-red
    type=tunnel
    auth=esp
    authby=secret
    keylife=1h
    auto=start
    leftid=external.stymie.add.ress
    left=10.1.1.28
    keyexchange=ike
    leftnexthop=10.1.1.1
    right=net.screen.add.ress
    keyingtries=0
    rightsubnet=10.3.1.0/24
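The most common reason a setup like this fails at Phase 2 is that the two peers disagree on the traffic selectors: a FreeS/WAN conn proposes a (leftsubnet, rightsubnet) pair that no Netscreen tunnel policy covers, or the Netscreen has a policy the FreeS/WAN side has no conn for. The following is an added example (my own checker, not code from the page's author) that parses the Netscreen address book and tunnel policies and the ipsec.conf conn sections, normalises both to (far side, near side) network pairs, and reports any pair present on only one peer. The sample input is constructed from the configurations above; the parsing covers only the "set address" / "set policy ... Tunnel vpn" lines and the left/right subnet parameters, nothing else in either syntax.

```python
import ipaddress
import re

# Constructed sample input: the Netscreen address book and tunnel policies
# from this page, one "set" command per line as ScreenOS prints them.
NETSCREEN_CONFIG = """\
set address trust "vlanGreen" 10.2.1.0 255.255.255.0
set address trust "vlanRed" 10.3.1.0 255.255.255.0
set address untrust "OfficeLAN" 10.1.1.0 255.255.255.0
set address untrust "stymie" 10.1.1.28 255.255.255.255
set policy id 33 incoming "OfficeLAN" "vlanGreen" "ANY" Tunnel vpn "ikestymie" id 20 count
set policy id 34 incoming "OfficeLAN" "vlanRed" "ANY" Tunnel vpn "ikestymie" id 21 count
set policy id 46 outgoing "vlanGreen" "stymie" "ANY" Tunnel vpn "ikestymie" id 27
set policy id 47 outgoing "vlanRed" "stymie" "ANY" Tunnel vpn "ikestymie" id 26 count
set policy id 48 outgoing "vlanGreen" "OfficeLAN" "ANY" Tunnel vpn "ikestymie" id 20 count
set policy id 49 outgoing "vlanRed" "OfficeLAN" "ANY" Tunnel vpn "ikestymie" id 21 count
"""

# Constructed sample input: the selector-relevant lines of the page's four
# conns (FreeS/WAN syntax: section header at column 0, parameters indented).
IPSEC_CONF = """\
conn netscreen-gw-green
    left=10.1.1.28
    leftsubnet=10.1.1.0/24
    right=net.screen.add.ress
    rightsubnet=10.2.1.0/24
conn netscreen-gw-red
    left=10.1.1.28
    leftsubnet=10.1.1.0/24
    right=net.screen.add.ress
    rightsubnet=10.3.1.0/24
conn netscreen-me-green
    left=10.1.1.28
    right=net.screen.add.ress
    rightsubnet=10.2.1.0/24
conn netscreen-me-red
    left=10.1.1.28
    right=net.screen.add.ress
    rightsubnet=10.3.1.0/24
"""

ADDR_RE = re.compile(r'^set address \S+ "([^"]+)" (\S+) (\S+)')
POLICY_RE = re.compile(
    r'^set policy id \d+ (incoming|outgoing) "([^"]+)" "([^"]+)" "[^"]+" Tunnel vpn "([^"]+)"')


def netscreen_selectors(text):
    """Map each VPN name to the set of (far_net, near_net) pairs its tunnel
    policies cover.  'outgoing' policies have the trust (Netscreen) side as
    source; 'incoming' ones have it as destination.  (far, near) is the same
    orientation as FreeS/WAN's (leftsubnet, rightsubnet) seen from stymie."""
    book, selectors = {}, {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            name, ip, mask = m.groups()
            book[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            continue
        m = POLICY_RE.match(line)
        if m:
            direction, src, dst, vpn = m.groups()
            near, far = (src, dst) if direction == "outgoing" else (dst, src)
            selectors.setdefault(vpn, set()).add((book[far], book[near]))
    return selectors


def freeswan_selectors(text):
    """Map each conn name to (left_net, right_net).  A conn with no
    leftsubnet/rightsubnet is a host end, which FreeS/WAN treats as a /32."""
    conns, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":            # section header: "conn NAME" / "config setup"
            kind, _, name = raw.partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is not None and "=" in raw:
            key, _, value = raw.strip().partition("=")
            current[key] = value.strip('"')
    result = {}
    for name, p in conns.items():
        left = p.get("leftsubnet", p["left"] + "/32")
        right = p.get("rightsubnet", p["right"] + "/32")
        result[name] = (ipaddress.ip_network(left, strict=False),
                        ipaddress.ip_network(right, strict=False))
    return result


def compare(netscreen, freeswan, vpn="ikestymie"):
    """Return (missing_on_freeswan, missing_on_netscreen): selector pairs one
    peer would negotiate that the other has nothing to match, so Phase 2 for
    that pair is refused by the side lacking it."""
    ns = netscreen.get(vpn, set())
    fs = set(freeswan.values())
    return sorted(ns - fs, key=str), sorted(fs - ns, key=str)


if __name__ == "__main__":
    missing_fs, missing_ns = compare(netscreen_selectors(NETSCREEN_CONFIG),
                                     freeswan_selectors(IPSEC_CONF))
    for far, near in missing_fs:
        print(f"Netscreen policy {near} <-> {far} has no FreeS/WAN conn")
    for left, right in missing_ns:
        print(f"FreeS/WAN conn {left} <-> {right} has no Netscreen policy")
    if not (missing_fs or missing_ns):
        print("all tunnel selectors agree")
```

Run as-is it reports that all four selector pairs agree; delete one of the "me-" conns from IPSEC_CONF and it names the Netscreen policy left unmatched. The placeholder right=net.screen.add.ress is never parsed as an address because every conn on the page carries a rightsubnet; a host-to-host conn would need a real IP there.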
This web page may be reproduced whole, or in part, as long as you credit me (15 minutes of fame, here I come. :).