Reconfigure VPN's already deployed to work with SSG140

  • Hey everyone, I’m getting ready to swap out my current Sonicwall TC170 here at our office with my SSG140, however one problem that I have just realized, are the 3 other sonicwalls we have deployed elsewhere which Tunnel into our current box.  Anyone want to give me a little guidance as to what the best way to reconfigure these beasts are so that once I make the swap everything is still up and running?


  • Global Moderator

    The un(set) ike policy-checking commands are indeed box level. It’s advised by juniper for debugging. Don’t forget you can’t use it when you run multiple phase 2’s over 1 phase 1.

  • As far as I know set ike policy-checking nad unset ike policy-checking are box level commands, unless juniper has changed them.


  • Hey Frac,

    Is that a system setting or can it be applied to a specific VPN?  Thank you.



  • Engineer


    if you know the preshared key and proposals you can configure these (with route-based vpn’s, will be easiest) and do the “unset ike policy-checking” setting, so you don’t run into proxy-id issues.

    when the vpn are up you can troubleshoot them to see which is the proxy-id for each tunnel and change these in the vpn settings.

    when all this is done => set ike policy-checking.


  • I don’t think there is an easy way to do it. You just have to schedule some down time with your customers and do it. If you match all the settings, setting for setting it may be easier than you think. As long as your proposals, pre-shareds, and policies match you should be good. Have you tested interop in a lab at all? to see what potential problems you might face?

  • Hello Matt,

    We have a few site-to-site VPN’s configured with our Netscreen Firewalls.  Do you plan on using the same IP?  If so, I would configure the additional VPN’s with the same PSK.  Once you swap them out, the VPN’s should come up.  However, I would make sure the Tunnel and Address info match.  If possible, I would test offline in a lab first.