SRX Services Gateway

SSG to SRX migration phase-out

Thursday

Hello community!

I have 1 SSG 140 which is an IPSec endpoint for 50+ tunnels with various external organizations (clients).

In addition to IPSec, the SSG performs NAT services for about 20 servers in my DMZ.

The NATing rules are easy enough to re-create on the SRX, but the IPSec tunnels were all configured with PSKs, which I have not recorded.

Abruptly swapping the SSG with an SRX isn't an option, as it would break all IPSec tunnels.

Even armed with the PSKs, rebuilding the VPNs on the SRX with the same configuration as on the SSG is a crapshoot.

The SSG is currently configured with a /30 IP, and the ISP routes a /29 IP block for my publicly accessible servers.

Can I configure the SRX in passthrough mode at first, so all IPSec traffic is forwarded to the SSG, then gradually move tunnels one-at-a-time to the SRX?

Let me know your suggestions.

Oh, and wash your hands. Definitely wash your hands...


Re: SSG to SRX migration phase-out

Friday

> The SSG is currently configured with a /30 IP, and the ISP routes a /29 IP block for my publicly accessible servers.
>
> Can I configure the SRX in passthrough mode at first, so all IPSec traffic is forwarded to the SSG, then gradually move tunnels one-at-a-time to the SRX?

If the gateway address on your VPN configurations is the /30 address of the ISP interface then no. This cannot be passed through.

If the gateway address is one of the /29 addresses then yes, you can transit this to the SSG downstream.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SSG to SRX migration phase-out

Friday

No, the IPSec endpoint is my device.

The gateway for my device is the ISP's router.

The /30 is as follows:

x.x.x.140 network ID

x.x.x.141 ISP router

x.x.x.142 my router (currently SSG)

x.x.x.143 broadcast

All tunnels terminate on .142

If I have the following setup:

... [ISP] x.x.x.141 <-> x.x.x.142 [SSG] DMZ IP <-> various DMZ IPs

My plan is to implement this scenario:

... [ISP] x.x.x.141 <-> x.x.x.142 [SRX] 10.255.255.17 <-> 10.255.255.18 [SSG] DMZ IP <-> various DMZ IPs

Can I have initially all IPSec traffic passed through to the SSG?

I think the answer is yes.

In a second phase, can I selectively (based on source IP) terminate some IPSec traffic on the SRX, then route to the appropriate internal IP over the 10.255.255.17/30 link?


Re: SSG to SRX migration phase-out

Saturday

No, that will not be possible. Since the public address is physically on an interface, any IPsec traffic directed to that IP will be processed directly by the SRX and cannot be transit traffic.

You could ask your ISP to convert your /30 to a /29.

Change all the remote side gateway addresses to the new address on the SSG.

Use another address in the /29 for the SRX.

Then run the devices in parallel for the transition, shifting the VPNs one at a time.

For this you will also need a cross link between the two firewalls, and you will have to manage the cross traffic between the devices to prevent any asymmetrical routing from occurring and breaking flows.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SSG to SRX migration phase-out

Saturday

Okay.

We might be able to free up another /30 block, which could be used for the SRX independently of the SSG.

In that scenario, I would assign a new DMZ subnet behind the SRX, and connect my hosts to it.

Their default gateway would remain unchanged initially.

One-by-one, I could change the IP endpoint of each VPN to the SRX IP.

And add a static route back to the remote private IP through the SRX on the host itself.

Once all VPNs have been moved, I could then use the SRX as the default gateway for my DMZ hosts.

Does that sound like a workable plan?


Re: SSG to SRX migration phase-out

Saturday

Yes, that is the basic process.

The key to keeping things working is that as you move subnets from one device to the other you use the cross link for that traffic and keep one and only one gateway in any subnet. This will prevent asymmetrical routing that will break the flows on either firewall.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
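An added example, not Steve's or the poster's configuration, of what the SRX side of the parallel-run state above looks like in Junos set syntax: the SRX owns its own address in the /29, terminates one already-migrated tunnel on that address, and reaches the DMZ subnet that is still behind the SSG only over the 10.255.255.16/30 cross link, so each subnet has exactly one gateway. Every address, interface name, client name and PSK below is a placeholder I chose (192.0.2.136/29 stands in for the poster's real /29); the `#` lines are explanatory comments that `load set` ignores.

```junos
# Assumed addressing (placeholders): ISP router .137, SSG keeps .142, SRX takes .138
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.138/29
# Cross link to the SSG, addresses from the thread
set interfaces ge-0/0/1 unit 0 family inet address 10.255.255.17/30
# New DMZ subnet behind the SRX (placeholder)
set interfaces ge-0/0/2 unit 0 family inet address 10.10.20.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone crosslink interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone vpn interfaces st0.0
# Default route to the ISP; the old DMZ (still behind the SSG) is reached only via the cross link.
# The SSG needs the mirror route for 10.10.20.0/24 via 10.255.255.17, and nothing else in
# either DMZ may point at the "other" firewall, or return traffic takes an asymmetric path.
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.137
set routing-options static route 10.10.10.0/24 next-hop 10.255.255.18
# One migrated tunnel: client A's remote gateway now points at the SRX's own .138 address
set security ike proposal p-clientA authentication-method pre-shared-keys
set security ike proposal p-clientA dh-group group14
set security ike proposal p-clientA authentication-algorithm sha-256
set security ike proposal p-clientA encryption-algorithm aes-256-cbc
set security ike policy pol-clientA mode main
set security ike policy pol-clientA proposals p-clientA
set security ike policy pol-clientA pre-shared-key ascii-text "REPLACE-WITH-NEW-PSK"
set security ike gateway gw-clientA ike-policy pol-clientA
set security ike gateway gw-clientA address 198.51.100.10
set security ike gateway gw-clientA external-interface ge-0/0/0.0
set security ipsec proposal ipsec-p-clientA protocol esp
set security ipsec proposal ipsec-p-clientA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-p-clientA authentication-algorithm hmac-sha-256-128
set security ipsec policy ipsec-pol-clientA proposals ipsec-p-clientA
set security ipsec vpn vpn-clientA bind-interface st0.0
set security ipsec vpn vpn-clientA ike gateway gw-clientA
set security ipsec vpn vpn-clientA ike ipsec-policy ipsec-pol-clientA
set security ipsec vpn vpn-clientA establish-tunnels immediately
# Client A's private network (placeholder) is routed into the tunnel interface
set routing-options static route 172.16.50.0/24 next-hop st0.0
```

Security policies between the vpn, dmz and crosslink zones are still required and should be scoped with address-book entries to each client's networks rather than `any`; a tunnel whose remote peer still points at .142 keeps landing on the SSG untouched, which is what makes the one-at-a-time move possible.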