Screen OS

  • 1.  ScreenOS as OpenVPN client

    Posted 05-14-2015 18:11

    My ISP is preparing to roll out a VPN solution that will most likely be OpenVPN instead of IPsec.

    My understanding is the ScreenOS (and SRX) platform only supports IPsec. But in reading this thread at http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-as-client-of-Open-VPN-server/td-p/255635, Steve Puluka says that the configuration on the SRX side is just an IPsec configuration. Is the concept for the SRX applicable to ScreenOS (SSG5 in my case) as well? I just need to create a tunnel between my SSG and my ISP's VPN concentrator.

    Thanks.



  • 2.  RE: ScreenOS as OpenVPN client

    Posted 05-15-2015 05:18

    As I read the OpenVPN web site, they are a standard IPSEC vpn concentrator.  So you would set up a vpn tunnel on ScreenOS using either a route based or Policy based VPN.

    The ScreenOS kb articles for these configurations are here.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22091



  • 3.  RE: ScreenOS as OpenVPN client

    Posted 05-15-2015 17:42

    I guess I'll soon find out. Thank you for your reply.



  • 4.  RE: ScreenOS as OpenVPN client

    Posted 05-15-2015 18:43

    @spuluka wrote:

    As I read the OpenVPN web site, they are a standard IPSEC vpn concentrator.


    Having difficulty finding on their website where it's saying this. Based on their FAQ at https://openvpn.net/index.php/open-source/341-openvpn-compatibility.html

    Is OpenVPN standards-compliant?

    As a user-space VPN daemon, OpenVPN is compatible with SSL/TLS, RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices. OpenVPN is not compatible with IPSec, IKE, PPTP, or L2TP.



  • 5.  RE: ScreenOS as OpenVPN client
    Best Answer

    Posted 05-16-2015 00:26

    You are not able to "build" a vpn between OPENVPN and ScreenOS devices. ScreenOS / JUNOS does IPSEC / IKE, openvpn does not.



  • 6.  RE: ScreenOS as OpenVPN client

    Posted 05-16-2015 03:58

    Sorry about my error.  This page led me to believe you could do a site to site vpn with Open VPN.

    https://openvpn.net/index.php/access-server/section-faq-openvpn-as/server-configuration/209-how-do-i-setup-openvpn-access-server-to-use-site-to-site.html

    But on more closely reading the information, this only allows site to site vpn between other Open VPN servers, not the standards based site to site.

    And as you note above, the client software uses ssl vpn so would not be compatible with firewall connections.