Conversion help SSG to SRX



  • What is the best approach to convert my SSG configuration?

    In my configuration of the SSG I use 3 VRs:

    untrust-vr - WAN link (public IP space)
               - load balancer subnet (public IP space)

    default route to the internet

    trust-vr - servers (private IP space)
    default route to untrust-vr
    static routes to OAMP-vr

    OAMP-vr - management servers and tools (private IP space)
    default route to trust-vr
    static routes to VPN sites over tunnels

    Any example of how I can get the same route control would be greatly appreciated.
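    As an added example, not from this thread or from Juniper, the three-VR layout above expressed as Junos routing instances on an SRX. Interface names (reth0.0, reth0.1, reth1.0, reth2.0, st0.0), the ISP next hop 203.0.113.1, the server subnet 10.20.0.0/24, the management subnet 10.30.0.0/24 and the VPN site prefix 192.168.50.0/24 are all assumed placeholders. The default routes use next-table, the same idea as the SSG "default route to untrust-vr"; the trust-vr/OAMP-vr reachability is done with rib-groups and a filtering policy rather than a second next-table route, because Junos rejects a next-table route in each of two tables pointing at each other at commit time, and the design keeps next-table one level deep so no chained lookup is needed.

```junos
routing-instances {
    untrust-vr {
        instance-type virtual-router;
        interface reth0.0;    /* WAN link, public space (interface names are assumed) */
        interface reth0.1;    /* load balancer subnet, public space */
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 203.0.113.1;    /* ISP next hop, placeholder */
            }
        }
    }
    trust-vr {
        instance-type virtual-router;
        interface reth1.0;    /* server subnet 10.20.0.0/24, private space (assumed) */
        routing-options {
            /* leak the server subnet into OAMP-vr so the management tools can reach it */
            interface-routes {
                rib-group inet trust-to-oamp;
            }
            static {
                /* SSG "default route to untrust-vr" */
                route 0.0.0.0/0 next-table untrust-vr.inet.0;
            }
        }
    }
    OAMP-vr {
        instance-type virtual-router;
        interface reth2.0;    /* management subnet 10.30.0.0/24 (assumed) */
        interface st0.0;      /* route-based VPN tunnel to one remote site */
        routing-options {
            /* leak management and VPN-site routes into trust-vr; this replaces the
               SSG "static routes to OAMP-vr" in trust-vr without a next-table route
               pointing back from OAMP-vr, which would be rejected as a loop */
            interface-routes {
                rib-group inet oamp-to-trust;
            }
            static {
                rib-group oamp-to-trust;
                /* the SSG default pointed at trust-vr, whose own default goes to
                   untrust-vr; pointing straight at the exit table gives the same
                   result and avoids chaining next-table lookups */
                route 0.0.0.0/0 next-table untrust-vr.inet.0;
                route 192.168.50.0/24 next-hop st0.0;    /* VPN site prefix, placeholder */
            }
        }
    }
}
routing-options {
    rib-groups {
        oamp-to-trust {
            import-rib [ OAMP-vr.inet.0 trust-vr.inet.0 ];
            import-policy only-oamp-prefixes;
        }
        trust-to-oamp {
            import-rib [ trust-vr.inet.0 OAMP-vr.inet.0 ];
            import-policy only-trust-prefixes;
        }
    }
}
policy-options {
    /* import-policy only filters what lands in the secondary table, so the
       OAMP-vr default route (next-table) is kept out of trust-vr here */
    policy-statement only-oamp-prefixes {
        term leak {
            from {
                route-filter 10.30.0.0/24 orlonger;
                route-filter 192.168.50.0/24 orlonger;
            }
            then accept;
        }
        then reject;
    }
    policy-statement only-trust-prefixes {
        term leak {
            from route-filter 10.20.0.0/24 orlonger;
            then accept;
        }
        then reject;
    }
}
```

    Each interface still has to be placed in a security zone and traffic between zones still needs security policies; the routing instances only decide the forwarding table, not whether the flow is permitted. Check the result with `show route table trust-vr.inet.0` and `show route table OAMP-vr.inet.0` after commit to confirm that only the filtered prefixes were leaked.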



  • Yes, I do have a support account and I have been using the ScreenOS-to-Junos tool to get started, but there are still many things that do not get converted.

    For example, the tool does not completely convert an SSG VPN to Junos when the VPN is defined with local-id and remote-id in the gateway definition.

    example:
    system {
        /* Password=Z32LsVT51br21X49
           Password(s) must be changed before commit */
        root-authentication {
            plain-text-password-value "Z32LsVT51br21X49";
        }
    }
    security {
        ike {
            respond-bad-spi 1;
            /* Missing mandatory external-interface
               Could not determine the type of identity from: "du-ssg"
               Assign mandatory external-interface manually */
            gateway corp-ssg {
                address 1.1.1.1;
                ike-policy corp-ssg;
            }
            /* Missing mandatory external-interface
               Could not determine the type of identity from: "uae1-ssg"
               Assign mandatory external-interface manually */
            gateway Trial-SSG {
                address 2.2.2.2;
                ike-policy Trial-SSG;
            }
            /* Pre Shared Key MUST be changed to become valid */
            policy corp-ssg {
                mode main;
                pre-shared-key ascii-text "Pre Shared Key MUST be changed to become valid";
                proposal-set standard;
            }
            /* Pre Shared Key MUST be changed to become valid */
            policy Trial-SSG {
                mode main;
                pre-shared-key ascii-text "Pre Shared Key MUST be changed to become valid";
                proposal-set standard;
            }
            /* IKE Phase1 Proposal
               Using ScreenOS Default for lifetime-seconds */
            proposal pre-g2-aes256-sha {
                authentication-method pre-shared-keys;
                dh-group group2;
                encryption-algorithm aes-256-cbc;
                authentication-algorithm sha1;
                lifetime-seconds 28800;
            }
        }
        ipsec {
            vpn corp-ssg {
                establish-tunnels immediately;
                ike {
                    gateway corp-ssg;
                    no-anti-replay;
                    ipsec-policy policy-corp-ssg;
                    proxy-identity {
                        local 172.16.3.1/32;
                        remote 172.17.3.1/32;
                        service any;
                    }
                }
                vpn-monitor {
                    optimized;
                }
            }
            vpn Trail-SSG {
                establish-tunnels immediately;
                ike {
                    gateway Trial-SSG;
                    no-anti-replay;
                    ipsec-policy policy-Trail-SSG;
                    proxy-identity {
                        local 172.16.3.1/32;
                        remote 172.18.3.1/32;
                        service any;
                    }
                }
                vpn-monitor {
                    optimized;
                }
            }
            /* IKE Phase2 Proposal */
            proposal g2-esp-aes256-sha {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy policy-corp-ssg {
                proposal-set standard;
            }
            policy policy-Trail-SSG {
                proposal-set standard;
            }
        }
    }

    Lines that could not be converted are in red.
    Lines with warnings or comments are in blue.
    Lines with previously shown errors or warnings are in magenta.
    FPC / PIC / Port numbers MUST ALWAYS be changed to match your Juniper Networks hardware.

    [System]
    Password(s) must be changed before commit

    1:set ike p1-proposal "pre-g2-aes256-sha" preshare group2 esp aes256 sha-1
    2:set ike p2-proposal "g2-esp-aes256-sha" group2 esp aes256 sha-1 second 3600
    3:set ike gateway "corp-ssg" address 1.1.1.1 id "corp-ssg" Main local-id "du-ssg" outgoing-interface "redundant1.1" preshare "CYzyVXPoN3ixCeszqlCPMZdUXFnAud31rQ==" sec-level standard
    4:set ike gateway "corp-ssg" dpd-liveness interval 20
    Line not recognized by S2JES
    5:set ike gateway "Trial-SSG" address 2.2.2.2 id "trial-ssg" Main local-id "uae1-ssg" outgoing-interface "redundant1.1" preshare "j7XgL0jPNU9AVIsKcFCvH2UPZSnQfzmWfg==" sec-level standard
    6:set ike gateway "Trial-SSG" dpd-liveness interval 20
    Line not recognized by S2JES
    7:set ike respond-bad-spi 1
    8:set ike ikev2 ike-sa-soft-lifetime 60
    Line not recognized by S2JES
    9:unset ike ikeid-enumeration
    Line not recognized by S2JES
    10:unset ike dos-protection
    Line not recognized by S2JES
    11:unset ipsec access-session enable
    Line not recognized by S2JES
    12:set ipsec access-session maximum 5000
    Line not recognized by S2JES
    13:set ipsec access-session upper-threshold 0
    Line not recognized by S2JES
    14:set ipsec access-session lower-threshold 0
    Line not recognized by S2JES
    15:set ipsec access-session dead-p2-sa-timeout 0
    Line not recognized by S2JES
    16:unset ipsec access-session log-error
    Line not recognized by S2JES
    17:unset ipsec access-session info-exch-connected
    Line not recognized by S2JES
    18:unset ipsec access-session use-error-log
    Line not recognized by S2JES
    19:set xauth default ippool "vpnpool"
    Line not recognized by S2JES
    20:set vpn "corp-ssg" gateway "corp-ssg" no-replay tunnel idletime 0 sec-level standard
    21:set vpn "corp-ssg" monitor optimized rekey
    22:set vpn "corp-ssg" id 0x7 bind interface tunnel.2
    Interface not found or User did not choose to convert this interface
    23:set vpn "corp-ssg" dscp-mark 0
    Line not recognized by S2JES
    24:set vpn "Trail-SSG" gateway "Trial-SSG" no-replay tunnel idletime 0 sec-level standard
    25:set vpn "Trail-SSG" monitor optimized rekey
    26:set vpn "Trail-SSG" id 0x9 bind interface tunnel.5
    Interface not found or User did not choose to convert this interface
    27:unset interface tunnel.5 acvpn-dynamic-routing
    Line not recognized by S2JES
    28:set url protocol websense
    Line not recognized by S2JES
    29:exit
    30:set vpn "corp-ssg" proxy-id local-ip 172.16.3.1/32 remote-ip 172.17.3.1/32 "ANY"
    31:set vpn "Trail-SSG" proxy-id local-ip 172.16.3.1/32 remote-ip 172.18.3.1/32 "ANY"
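    As an added example, not from the thread or from the converter, the pieces the tool flagged on the corp-ssg gateway filled in by hand: the ScreenOS id/local-id strings become remote-identity and local-identity of type hostname, the outgoing-interface becomes the mandatory external-interface, dpd-liveness becomes dead-peer-detection, and the tunnel.2 binding becomes an st0 unit. The external interface name reth1.0 is assumed (the SSG used redundant1.1), the pre-shared key is a placeholder because the SSG preshare string is the encrypted form and the clear key must be re-entered, and the Trial-SSG gateway follows the same pattern with its own identities.

```junos
security {
    ike {
        policy corp-ssg {
            mode main;
            proposal-set standard;    /* SSG line 3: sec-level standard */
            pre-shared-key ascii-text "REPLACE-WITH-THE-CLEAR-TEXT-PSK";    /* placeholder */
        }
        gateway corp-ssg {
            ike-policy corp-ssg;
            address 1.1.1.1;
            dead-peer-detection {
                interval 20;        /* SSG line 4: dpd-liveness interval 20 */
                threshold 5;        /* missed probes before the peer is declared dead; assumed value */
            }
            local-identity hostname du-ssg;       /* SSG line 3: local-id "du-ssg" */
            remote-identity hostname corp-ssg;    /* SSG line 3: id "corp-ssg" */
            external-interface reth1.0;           /* SSG line 3: outgoing-interface "redundant1.1"; assumed SRX name */
        }
    }
    ipsec {
        vpn corp-ssg {
            bind-interface st0.2;    /* SSG line 22: bind interface tunnel.2 */
            ike {
                gateway corp-ssg;
                no-anti-replay;      /* SSG line 20: no-replay */
                ipsec-policy policy-corp-ssg;
                proxy-identity {
                    local 172.16.3.1/32;     /* SSG line 30 */
                    remote 172.17.3.1/32;
                    service any;
                }
            }
            vpn-monitor {
                optimized;           /* SSG line 21: monitor optimized rekey */
            }
            establish-tunnels immediately;
        }
        policy policy-corp-ssg {
            proposal-set standard;
        }
    }
}
interfaces {
    st0 {
        unit 2 {
            family inet;    /* unnumbered tunnel interface; add an address if the peer needs one */
        }
    }
}
```

    The st0.2 unit must also be added to a security zone, and the identity type matters: if the peer sends its ID as an IP address or an e-mail style string, use remote-identity inet or user-at-hostname instead of hostname, otherwise Phase 1 fails with an ID mismatch. `show security ike security-associations` and `show security ipsec security-associations` confirm that the gateway and tunnel came up.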


  • administrators

    Do you have a Juniper support account? Log into the support site, and towards the middle bottom there is a section called Translation tools. There is a ScreenOS to JunOS converter in there. Just paste in your config, hit the button, and cross your fingers.

    It will almost certainly require manual tweaking. And keep in mind that certain things do not currently work in VRs on JunOS (DHCP client/server, IKE termination, NSM management via NETCONF/DMI).

