Hello,
I am posting to the forum for help with a couple of issues.
**I have attached all the VPNs for the SSG-520**
My predecessor set up the VPNs on this SSG520 in a couple of different ways. He was a Cisco engineer and did not have a Juniper background. The tunnels do not appear to be built in a consistent manner.
The nat-traversal and cert peer-ca-hash were not necessary. I recently built the "naperville" VPN.
These questions have come up as I prepare to migrate the SSG-520 to an SRX-650.
Tunnel.1 is a concern. There are only three components to this tunnel.
```
set interface "tunnel.1" zone "GUIIN"
set interface tunnel.1 ip 192.xxx.54.1/30
set interface tunnel.1 tunnel encap gre
set interface tunnel.1 tunnel local-if ethernet0/0 dst-ip 121.xxx.112.74
set interface tunnel.1 tunnel keep-alive interval 10 threshold 3
set route 10.21.0.0/16 interface tunnel.1
```
Tunnel.4 is similar but the VPN has IKE and IPSEC statements.
```
set interface "tunnel.4" zone "OLIUS"
set interface tunnel.4 ip 192.xxx.54.5/30
set interface tunnel.4 tunnel encap gre
set interface tunnel.4 tunnel local-if ethernet0/0 dst-ip 12.xxx.240.200
set interface tunnel.4 tunnel keep-alive interval 10 threshold 3
set ike gateway "toOlLIUS-GW" address 12.xxx.240.200 Main outgoing-interface "ethernet0/0" preshare "gXJ19Rp5NznwlQsRt5CupLuUtLniMlo5Aw==" proposal "pre-g2-3des-sha"
set ike gateway "toOlLIUS-GW" nat-traversal
set ike gateway "toOlLIUS-GW" nat-traversal udp-checksum
set ike gateway "toOlLIUS-GW" nat-traversal keepalive-frequency 0
set vpn "toOLIUS-VPN" gateway "toOlLIUS-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "toOLIUS-VPN" monitor optimized rekey
```
HOWEVER… it is not bound to the tunnel interface.
I have no problem migrating VPN tunnels built on the standard VPN template.
I’m simply not sure what to do with these two. Do I rebuild them with the standard JUNOS VPN template or is there another method I should use?
Thank you in advance,
Brent
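
A pre-migration inventory of the two tunnels described in the post, as an added example that is not part of the original post and is not Juniper tooling: it reads ScreenOS `set` lines and reports, per tunnel interface, whether a VPN is bound to it, merely points at the same peer, or is absent. It assumes the route-based binding statement is `set vpn <name> bind interface <tunnel>`; the status labels are hypothetical, the sample is taken from the post with the pre-shared key replaced by a placeholder, and VPNs referenced only from policies are not inspected.

```python
import shlex

# Lines from the post above; pre-shared key replaced with a placeholder.
SAMPLE = '''
set interface "tunnel.1" zone "GUIIN"
set interface tunnel.1 tunnel encap gre
set interface tunnel.1 tunnel local-if ethernet0/0 dst-ip 121.xxx.112.74
set interface "tunnel.4" zone "OLIUS"
set interface tunnel.4 tunnel encap gre
set interface tunnel.4 tunnel local-if ethernet0/0 dst-ip 12.xxx.240.200
set ike gateway "toOlLIUS-GW" address 12.xxx.240.200 Main outgoing-interface "ethernet0/0" preshare "PLACEHOLDER" proposal "pre-g2-3des-sha"
set vpn "toOLIUS-VPN" gateway "toOlLIUS-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "toOLIUS-VPN" monitor optimized rekey
'''

def audit(config):
    """Return {tunnel: (encap, status, [vpn names])} for a ScreenOS config."""
    tunnels, gateways, vpns = {}, {}, {}
    for line in config.splitlines():
        t = shlex.split(line)  # strips the quotes ScreenOS puts around names
        if t[:2] == ["set", "interface"] and len(t) > 2 and t[2].startswith("tunnel."):
            tun = tunnels.setdefault(t[2], {"encap": None, "dst": None})
            if "encap" in t:
                tun["encap"] = t[t.index("encap") + 1]
            if "dst-ip" in t:
                tun["dst"] = t[t.index("dst-ip") + 1]
        elif t[:3] == ["set", "ike", "gateway"] and "address" in t:
            gateways[t[3]] = t[t.index("address") + 1]
        elif t[:2] == ["set", "vpn"] and len(t) > 3:
            vpn = vpns.setdefault(t[2], {"gateway": None, "bound": None})
            if t[3] == "gateway":
                vpn["gateway"] = t[4]
            elif t[3:5] == ["bind", "interface"]:
                vpn["bound"] = t[5]
    report = {}
    for name, tun in tunnels.items():
        bound = [v for v, d in vpns.items() if d["bound"] == name]
        # A VPN whose IKE gateway address equals the tunnel's GRE destination
        same_peer = [v for v, d in vpns.items()
                     if tun["dst"] and gateways.get(d["gateway"]) == tun["dst"]]
        status = ("vpn-bound" if bound else
                  "vpn-to-same-peer-unbound" if same_peer else "no-vpn")
        report[name] = (tun["encap"], status, bound or same_peer)
    return report

if __name__ == "__main__":
    for tunnel, row in audit(SAMPLE).items():
        print(tunnel, *row)
```
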