Screen OS

  • 1.  Moving away from SSG (ScreenOS) to SRX (JunOS): best way to proceed?

    Posted 05-02-2018 06:31

    Our SSG install base is going EoL and we are planning to move to JunOS.

    I am in a typical small business environment with a large number of IPSec VPNs (~100).

    The SSGs are used to filter incoming Internet traffic and establish IPSec VPNs to branches and business partners.

    What is the best way to introduce a JunOS firewall/router (SRX 340) to the mix, and progressively rebuild all IPSec VPNs onto the SRX?

    I looked into the ScreenOS-to-JunOS config translation tool, and it doesn't decrypt the IPSec keys; otherwise I would attempt a device swap.

    My guess is that I'll have to set up the new SRX as an alternate gateway on the LAN side, and start moving the VPNs.

    Looking for inputs.



  • 2.  RE: Moving away from SSG (ScreenOS) to SRX (JunOS): best way to proceed?
    Best Answer

    Posted 05-02-2018 15:08

    I would connect the SSG and SRX as follows.

    SRX WAN to the upstream internet on its own address, with the default route and the like set up.

    Create a routed link (/31 or /30) between the SSG and the SRX for traffic to flow between the two firewalls.

    Set a route on the SRX for all the internal subnets to the SSG interface.

    The migration would move the VPN tunnels one at a time over to the SRX.

    As each branch/partner subnet through the VPN is moved, a route is added to the SSG to point to the SRX.

    When all the VPNs are moved, then the internal subnets can also swing over one at a time.

    By using the routed link instead of dual gateways you ensure there will never be asymmetrical traffic, and you don't have to change gateway addresses or make special NAT rules just for the transition.
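The routed-link design from the answer above, written out as an added worked example (not from the original post or from Juniper): the SRX side in Junos set commands and the SSG side in ScreenOS CLI, with the first branch migrated. Interface names, addresses and the branch subnet are constructed, and the IKE/IPsec definition bound to st0.0 is assumed to be configured separately.

```text
# --- SRX 340 side (Junos set-style commands; constructed example) ---
# WAN uplink with the default route; IKE allowed inbound so tunnels can terminate here
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# Routed /30 transit link to the SSG (SRX is .1, SSG is .2)
set interfaces ge-0/0/1 unit 0 description "transit link to SSG"
set interfaces ge-0/0/1 unit 0 family inet address 10.255.255.1/30
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

# During the migration every internal subnet still sits behind the SSG
set routing-options static route 10.0.0.0/8 next-hop 10.255.255.2

# First migrated branch: route-based VPN on st0.0, branch LAN 10.200.1.0/24.
# The /24 is more specific than the /8, so only this branch's traffic enters the tunnel.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.200.1.0/24 next-hop st0.0

# Policies between the transit link and the tunnel; "any" is for illustration only,
# the real rules should mirror the SSG policy being retired for this branch
set security policies from-zone trust to-zone vpn policy hq-to-branch match source-address any destination-address any application any
set security policies from-zone trust to-zone vpn policy hq-to-branch then permit
set security policies from-zone vpn to-zone trust policy branch-to-hq match source-address any destination-address any application any
set security policies from-zone vpn to-zone trust policy branch-to-hq then permit

# --- SSG side (ScreenOS CLI; constructed example) ---
# Transit interface toward the SRX placed in the trust zone, so no extra policy is
# needed for trust-to-trust traffic (intra-zone blocking is off by default)
set interface ethernet0/3 zone trust
set interface ethernet0/3 ip 10.255.255.2/30

# Added once this branch's tunnel is up on the SRX (after the SSG's old route for
# the branch via its tunnel interface has been unset): send the branch subnet across
# the transit link instead of into the retired SSG tunnel
set route 10.200.1.0/24 interface ethernet0/3 gateway 10.255.255.1

# Verification on each box
# SRX:  show route 10.200.1.1      -> expect next hop st0.0
# SSG:  get route ip 10.200.1.1    -> expect ethernet0/3 with gateway 10.255.255.1
```

Because both firewalls agree on a single next hop for each prefix, return traffic from the branch always leaves through the same box it entered, which is the asymmetric-routing problem the routed link avoids.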