JuniperForum.com
July 29, 2010, 07:49:47 PM *
Author Topic: conversion help ssg to srx
frank3427
Newbie, Posts: 43
« on: February 07, 2010, 09:50:49 PM »

What is the best approach to convert my SSG configuration?

In my configuration of the SSG I use 3 VRs:

untrust-vr - WAN link (public IP space)
           - load balancer subnet (public IP space)

default routes to the Internet

trust-vr - servers (private IP space)
default routes to untrust-vr
static routes to OAMP-vr

OAMP-vr - management servers and tools (private IP space)
default routes to trust-vr
static routes to VPN sites over tunnels

Any example of how I can get the same route control would be greatly appreciated.
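A worked mapping of the three-VR design onto Junos, added here as an example; it is not from the thread and not converter output. A ScreenOS virtual router becomes a routing instance of type virtual-router, and a ScreenOS route whose next hop is another VR becomes a static route with next-table. Two points matter in practice. First, Junos rejects a configuration in which two instances point next-table at each other (a next-table loop), so for each pair of VRs only one direction uses next-table and the reverse direction is served by leaking routes with a rib-group. Second, as reply #1 below notes, IKE could not terminate on an interface in a non-default VR on the Junos of the day, so the untrust-vr role is given to the master instance (inet.0) here and only trust-vr and OAMP-vr are created as instances. Interface names (reth0.0 to reth3.0, st0.2, st0.5), the ISP next hop 203.0.113.1 and the prefixes 10.10.0.0/16, 10.20.0.0/16, 172.17.3.0/24 and 172.18.3.0/24 are placeholders; zones and security policies are configured separately and are not shown.

```junos
/* Added example, not converter output. Placeholders: reth0.0 WAN and
   reth1.0 load-balancer subnet (public space, master instance);
   reth2.0 servers 10.10.0.0/16 (trust-vr); reth3.0 management
   10.20.0.0/16 (OAMP-vr); st0.2 / st0.5 tunnels to the corp and Trial sites. */
routing-options {
    static {
        /* untrust-vr role: default route to the ISP */
        route 0.0.0.0/0 next-hop 203.0.113.1;
    }
    rib-groups {
        /* trust-vr -> master: return path for the server subnets, used
           instead of a next-table route back from inet.0 (that would loop) */
        trust-to-untrust {
            import-rib [ trust-vr.inet.0 inet.0 ];
        }
        /* OAMP-vr -> trust-vr and master: replaces the ScreenOS "static
           routes to OAMP-vr" and also carries the VPN site routes */
        oamp-leak {
            import-rib [ OAMP-vr.inet.0 trust-vr.inet.0 inet.0 ];
            import-policy no-leaked-default;
        }
    }
}
policy-options {
    /* OAMP-vr's own default (next-table trust-vr) must never be leaked */
    policy-statement no-leaked-default {
        term drop-default {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        then accept;
    }
}
routing-instances {
    trust-vr {
        instance-type virtual-router;
        interface reth2.0;
        routing-options {
            interface-routes {
                rib-group inet trust-to-untrust;
            }
            static {
                /* "default routes to untrust-vr" */
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    OAMP-vr {
        instance-type virtual-router;
        interface reth3.0;
        interface st0.2;
        interface st0.5;
        routing-options {
            interface-routes {
                rib-group inet oamp-leak;
            }
            static {
                rib-group oamp-leak;
                /* "default routes to trust-vr" */
                route 0.0.0.0/0 next-table trust-vr.inet.0;
                /* "static routes to VPN sites over tunnels" */
                route 172.17.3.0/24 next-hop st0.2;
                route 172.18.3.0/24 next-hop st0.5;
            }
        }
    }
}
```

Before moving traffic, check with `show route table trust-vr.inet.0`, `show route table OAMP-vr.inet.0` and `show route table inet.0 10.20.0.0/16` that each table holds the leaked prefixes with the expected next hop and that no default route has been leaked into trust-vr or inet.0 from OAMP-vr. The st0 units still have to be created and bound to their VPNs, and zones and security policies must permit the flows; routing instances on their own permit nothing.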
signal15
Administrator, Sr. Member, Posts: 480
« Reply #1 on: February 09, 2010, 10:32:23 AM »

Do you have a Juniper support account? Log into the support site, and towards the middle bottom there is a section called Translation tools. There is a ScreenOS to Junos converter in there. Just paste in your config, hit the button, and cross your fingers.

It will almost certainly require manual tweaking. And keep in mind that certain things do not currently work in VRs on Junos (DHCP client/server, IKE termination, NSM management via NETCONF/DMI).
frank3427
Newbie, Posts: 43
« Reply #2 on: February 09, 2010, 07:11:07 PM »

Yes, I do have a support account and I have been using the ScreenOS-to-Junos tool to get started, but there are still many things that do not get converted.

For example, the tool does not completely convert an SSG VPN to Junos when the VPN is defined with local-id and remote-id in the gateway definition.

Example:
system {
    /* Password=Z32LsVT51br21X49
       Password(s) must be changed before commit */
    root-authentication {
        plain-text-password-value "Z32LsVT51br21X49";
    }
}
security {
    ike {
        respond-bad-spi 1;
        /* ***Missing mandatory external-interface***
           Could not determine the type of identity from:"du-ssg"
           ***Assign mandatory external-interface manually*** */
        gateway corp-ssg {
            address 1.1.1.1;
            ike-policy corp-ssg;
        }
        /* ***Missing mandatory external-interface***
           Could not determine the type of identity from:"uae1-ssg"
           ***Assign mandatory external-interface manually*** */
        gateway Trial-SSG {
            address 2.2.2.2;
            ike-policy Trial-SSG;
        }
        /* ****Pre Shared Key MUST be changed to become valid*** */
        policy corp-ssg {
            mode main;
            pre-shared-key ascii-text "Pre Shared Key MUST be changed to become valid";
            proposal-set standard;
        }
        /* ****Pre Shared Key MUST be changed to become valid*** */
        policy Trial-SSG {
            mode main;
            pre-shared-key ascii-text "Pre Shared Key MUST be changed to become valid";
            proposal-set standard;
        }
        /* IKE Phase1 Proposal
           Using ScreenOS Default for lifetime-seconds */
        proposal pre-g2-aes256-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            encryption-algorithm aes-256-cbc;
            authentication-algorithm sha1;
            lifetime-seconds 28800;
        }
    }
    ipsec {
        vpn corp-ssg {
            establish-tunnels immediately;
            ike {
                gateway corp-ssg;
                no-anti-replay;
                ipsec-policy policy-corp-ssg;
                proxy-identity {
                    local 172.16.3.1/32;
                    remote 172.17.3.1/32;
                    service any;
                }
            }
            vpn-monitor {
                optimized;
            }
        }
        vpn Trail-SSG {
            establish-tunnels immediately;
            ike {
                gateway Trial-SSG;
                no-anti-replay;
                ipsec-policy policy-Trail-SSG;
                proxy-identity {
                    local 172.16.3.1/32;
                    remote 172.18.3.1/32;
                    service any;
                }
            }
            vpn-monitor {
                optimized;
            }
        }
        /* IKE Phase2 Proposal */
        proposal g2-esp-aes256-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy policy-corp-ssg {
            proposal-set standard;
        }
        policy policy-Trail-SSG {
            proposal-set standard;
        }
    }
}


Lines that could not be converted are in red.
Lines with warnings or comments are in blue.
Lines with previously shown errors or warnings are in magenta.
FPC / PIC / Port numbers MUST ALWAYS be changed to match your Juniper Networks hardware.


[System]
Password(s) must be changed before commit

set ike p1-proposal "pre-g2-aes256-sha" preshare group2 esp aes256 sha-1
set ike p2-proposal "g2-esp-aes256-sha" group2 esp aes256 sha-1 second 3600
set ike gateway "corp-ssg" address 1.1.1.1 id "corp-ssg" Main local-id "du-ssg" outgoing-interface "redundant1.1" preshare "CYzyVXPoN3ixCeszqlCPMZdUXFnAud31rQ==" sec-level standard
set ike gateway "corp-ssg" dpd-liveness interval 20
Line not recognized by S2JES
set ike gateway "Trial-SSG" address 2.2.2.2 id "trial-ssg" Main local-id "uae1-ssg" outgoing-interface "redundant1.1" preshare "j7XgL0jPNU9AVIsKcFCvH2UPZSnQfzmWfg==" sec-level standard
set ike gateway "Trial-SSG" dpd-liveness interval 20
Line not recognized by S2JES
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
Line not recognized by S2JES
unset ike ikeid-enumeration
Line not recognized by S2JES
unset ike dos-protection
Line not recognized by S2JES
unset ipsec access-session enable
Line not recognized by S2JES
set ipsec access-session maximum 5000
Line not recognized by S2JES
set ipsec access-session upper-threshold 0
Line not recognized by S2JES
set ipsec access-session lower-threshold 0
Line not recognized by S2JES
set ipsec access-session dead-p2-sa-timeout 0
Line not recognized by S2JES
unset ipsec access-session log-error
Line not recognized by S2JES
unset ipsec access-session info-exch-connected
Line not recognized by S2JES
unset ipsec access-session use-error-log
Line not recognized by S2JES
set xauth default ippool "vpnpool"
Line not recognized by S2JES
set vpn "corp-ssg" gateway "corp-ssg" no-replay tunnel idletime 0 sec-level standard
set vpn "corp-ssg" monitor optimized rekey
set vpn "corp-ssg" id 0x7 bind interface tunnel.2
Interface not found or User did not choose to convert this interface
set vpn "corp-ssg" dscp-mark 0
Line not recognized by S2JES
set vpn "Trail-SSG" gateway "Trial-SSG" no-replay tunnel idletime 0 sec-level standard
set vpn "Trail-SSG" monitor optimized rekey
set vpn "Trail-SSG" id 0x9 bind interface tunnel.5
Interface not found or User did not choose to convert this interface
unset interface tunnel.5 acvpn-dynamic-routing
Line not recognized by S2JES
set url protocol websense
Line not recognized by S2JES
exit
set vpn "corp-ssg" proxy-id local-ip 172.16.3.1/32 remote-ip 172.17.3.1/32 "ANY"
set vpn "Trail-SSG" proxy-id local-ip 172.16.3.1/32 remote-ip 172.18.3.1/32 "ANY"

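The two gateways the converter left incomplete, finished by hand, as an added example (not from the thread and not converter output). It keeps the converter's policy and proposal names and adds what the tool could not derive. Assumptions: the ScreenOS outgoing-interface redundant1.1 becomes reth0.0, the public WAN interface in the master instance and in a zone called untrust; tunnel.2 and tunnel.5 become st0.2 and st0.5 in a zone called vpn; the plain-string ScreenOS IDs are FQDN-type identities (ScreenOS treats an ID without "@" that is not an IP address as an FQDN, which Junos calls a hostname identity); and "dpd-liveness interval 20" maps to dead-peer-detection. The pre-shared keys are not in the example: they must be typed in fresh under the converted ike policies, because the ScreenOS preshare strings are ScreenOS-encrypted blobs, not the keys. The ScreenOS no-replay flag is deliberately not carried over; leave ESP anti-replay on unless the peer is known to need it off.

```junos
/* Added example, not converter output. Assumed names: reth0.0 (was
   redundant1.1), st0.2 (was tunnel.2), st0.5 (was tunnel.5), zones
   "untrust" and "vpn". The mismatched names Trail-SSG / Trial-SSG are
   inherited from the ScreenOS config and kept so the policies match. */
security {
    ike {
        gateway corp-ssg {
            ike-policy corp-ssg;
            address 1.1.1.1;
            dead-peer-detection {              /* from: dpd-liveness interval 20 */
                interval 20;
            }
            local-identity hostname du-ssg;    /* from: local-id "du-ssg" */
            remote-identity hostname corp-ssg; /* from: id "corp-ssg" */
            external-interface reth0.0;        /* from: outgoing-interface "redundant1.1" */
        }
        gateway Trial-SSG {
            ike-policy Trial-SSG;
            address 2.2.2.2;
            dead-peer-detection {
                interval 20;
            }
            local-identity hostname uae1-ssg;  /* from: local-id "uae1-ssg" */
            remote-identity hostname trial-ssg; /* from: id "trial-ssg" */
            external-interface reth0.0;
        }
    }
    ipsec {
        vpn corp-ssg {
            bind-interface st0.2;              /* from: bind interface tunnel.2 */
            ike {
                gateway corp-ssg;
                proxy-identity {
                    local 172.16.3.1/32;
                    remote 172.17.3.1/32;
                    service any;
                }
                ipsec-policy policy-corp-ssg;
            }
            establish-tunnels immediately;
        }
        vpn Trail-SSG {
            bind-interface st0.5;              /* from: bind interface tunnel.5 */
            ike {
                gateway Trial-SSG;
                proxy-identity {
                    local 172.16.3.1/32;
                    remote 172.18.3.1/32;
                    service any;
                }
                ipsec-policy policy-Trail-SSG;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;                       /* IKE must be admitted on the external interface's zone */
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.2;
                st0.5;
            }
        }
    }
}
interfaces {
    st0 {
        unit 2 {
            family inet;                       /* unnumbered point-to-point tunnel interface */
        }
        unit 5 {
            family inet;
        }
    }
}
```

After commit, `show security ike security-associations` should list both peers in state UP and `show security ipsec security-associations` should show an inbound and an outbound SA per tunnel. If phase 1 never completes, the first things to compare against the peer are the identity types and strings (hostname du-ssg / corp-ssg here) and the proposal set, since a hostname ID the peer expects as an IP address fails silently from the initiator's point of view. If the st0 units are placed in the OAMP-vr routing instance, as the first post's design requires, the instance must list them as well; the gateway's external interface stays in the master instance.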