SRX

Struggling trying to relearn VPN Tunneling with JUNOS. I guess the screenos way was too easy and straight forward.

I get that st interfaces are the replacement for tunnel interfaces but do they really need ip addresses ?

Also, I dont suppose there is any documentation on how to do this in NSM? If I dont do this in NSM I need to reimport which destroys my rule groups.

Sigh..

Can't help you with the NSM question - You do not need to use IP addresses for tunnel I/F's. However it is recommened as a best practice to do so.

I emphasize with your transition struggles. Because Juniper is heirarchical in nature it seems like there are a lot more steps in Junos then in ScreenOS. But, at the end of the day I think you will find it is worth it due to all the other cool features 🙂

Hi Jikckfoo,

You can use these tool for conversion screenos-to-junos

https://migration-tools.juniper.net/

VPN S2S Configuraton Tool

https://www.juniper.net/customers/support/configtools/vpnconfig.html

However, unnumber tunnel interface concept is same in ScreenOS and JunOS. If you dont assign the IP address to tunnel interface, it will use IP address of respective security zone interface.

regards 

Hi ,

Advantage of adding ip address on st interfaces:

Dynamic routing protocols like OSPF between st0 interfaces if it has ip addresses defined.

Regards,

rparthi

The ip address on the st0.0 interface is optional in Junos the same as in ScreenOS.

For NSM there is a configuration document posted in the user forum Configuration library at this link for setting up vpn in NSM.

http://forums.juniper.net/t5/Configuration-Library/Doc-for-Creating-IPSec-VPN-tunnels-for-Junos-boxes-in-NSM/td-p/210275

Thanks Spuluka,

I actually created that document after finding no documentation on how to do it. 🙂

Thanks,

Justin