nsm 2009.1r1 question

[How to run the NSM GUI under Mac OS X]

How to run the NSM GUI under Mac OS X
How to setup a route-based VPN on a NetScreen
How to make your PPTP VPN client work through a NetScreen/SSG
Setting up a dial-up VPN and NetScreen Remote
How the Global Zone Works (It's probably not what you think)
How to configure NetScreen/SSG devices to work with the built in Mac OS X VPN client
How to Configure Dial-up VPN with route-based tunnels, XAuth, and use IPSecuritas

[frank3427]

I was told that nsm2009 had the ability to  migrate SSG configuration to J-series or SRX. is this true?

[aweck]

Who told you that?

[frank3427]

A juniper technician

[aweck]

That's surprising.  He probably misspoke.  However, Juniper does have a beta tool on their support site that can be used to migrate ScreenOS to JUNOS for the SRX/J-series.

[frank3427]

yes, I have found the tool, a little limited
can you advise as to how to route between VR's. in the SSG I was using untrust,trust, and OAMP Vr's

untrust-vr  default to internet, static ro9ute to trust-vr
trust-vr default to untrust, static to oamp
oamp-vr default to trust-vr static to vpn tunnels

[aweck]

The JUNOS equivalent is routing-instances.  You can define different routing-instances, which can then be assigned interfaces and static routes to next-hop gateways or other routing-instances.

[frank3427]

Okay, I understand.

so how do you define routes to other routing instance's.

I have setup instance-type virtual-router.

[aweck]

Unfortunately it's not as simple as in ScreenOS.  I've only used separate virtual routers when they are connected via service sets, and in those cases static routes to the respective SP interfaces are the pathways between different routing-instances.  You can leak routes between routing instances using rib-groups, but that is a new learning curve and takes some time to understand.  You might want to think about the necessity of separate virtual routers in your environment.  This is a good link: http://forums.juniper.net/t5/Junos/ScreenOS-to-JunOS-VR-and-Instance/m-p/33412;jsessionid=36802BD3EECA70BF18E2596B50456DE2

[aweck]

Found one more useful link: http://forums.juniper.net/t5/SRX-Services-Gateway/filter-based-forwarding-question/m-p/27998#M862

This gives among other things a short example of how you can use RIB groups to share routes.

[frank3427]

Aweck, thank you for the information. youo have been very helpful.

i am getting a better understanding of how to configure the SRX.

I have one remaining problem to resolve.

in the following config;
set ike gateway "Trial-SSG" address x.x.x.x id "trial-ssg" Main local-id "ae1-ssg" outgoing-interface "redundant1.1" preshare "j7XgL0jPNU9AVIsKcFCvH2UPZSnQfzmWfg==" sec-level standard

I can not find where one is able to set the local-id and remote-id.

this is what I have so far.

security {
    ike {
        respond-bad-spi 1;
        proposal pre-g2-aes256-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy corp-ssg {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$dPwY4GUH.PTHqIhreW8aZGiqfCws";
        }
        policy Trial-SSG {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$eCyM8xVb2oJU246CuORENdVY4ZPws";
        }
        gateway corp-ssg {
            ike-policy corp-ssg;
            address z.z.z.z;
            local-identity hostname corp-ssg;
            external-interface ge-0/0/0.0;
        }
        gateway Trial-SSG {
            ike-policy Trial-SSG;
            address w.w.w.w;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal g2-esp-eas256-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy policy-corp-ssg {
            proposal-set standard;
        }
        policy policy-Trial-SSG {
            proposal-set standard;
        }
        vpn corp-ssg {
            bind-interface st0.2;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway corp-ssg;
                no-anti-replay;
                proxy-identity {
                    local x.x.x.x/32;
                    remote y.y.y.y/32;
                    service any;
                }
                ipsec-policy policy-corp-ssg;
            }
            establish-tunnels immediately;
        }
        vpn Trial-SSG {
            bind-interface st0.5;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway corp-ssg;
                no-anti-replay;
                proxy-identity {
                    local x.x.x.x/32;
                    remote y.y.y.y/32;
                    service any;
                }
                ipsec-policy policy-Trial-SSG;
            }
            establish-tunnels immediately;
        }
    }

•      Forum/Home
•      Store
•      Articles
•        Tech Articles
•        Industry News
•        Site News
•      Knowledgebase
•        JUNOS/Routing
•        NS/ISG/SSG/NSM
•        SSL VPN
•      Downloads

Please consider donating if we've saved you time or money. It helps pay for the bandwidth, equipment, and hosting charges to keep this site running

Submit Article/KB - Do not submit questions here.

[Yesterday]

• Netscreen 5xp by timeshadowrider [Yesterday at 11:36:57 PM]
• JNCIS-FWV????? by utkarsh.sawant [Yesterday at 09:21:04 PM]
• Host access via VPN to no... by djonas [Yesterday at 06:56:57 PM]
• nc.windows.app.23711 by weekdaysailor [Yesterday at 05:44:20 PM]
• BGP filter for all but de... by rejackson [Yesterday at 04:18:20 PM]
• Branch office VPN to Lan ... by holdenga [Yesterday at 03:39:02 PM]
• 5GT Power LED Constant Bl... by zalion [Yesterday at 02:14:12 PM]
• FTP sessione over VPN Tun... by marty [Yesterday at 12:16:04 PM]
• windows 7 network connect... by denniss [Yesterday at 11:12:21 AM]
• iPhone VPN to SRX by ctr [Yesterday at 09:43:13 AM]

Members

• Total Members: 20508
• Latest: underscore

Stats

• Total Posts: 38039
• Total Topics: 9827
• Online Today: 18
• Online Ever: 393
• (August 06, 2008, 07:40:57 AM)

Users Online

Users: 0
Guests: 17
Total: 17