ScreenOS Firewalls (NOT SRX)

Site to Site VPN with SSG 140 and Sonicwall

‎08-31-2011 01:20 PM

Anyone know how to configure site to site VPN between SSG 140 and Sonicwall? I can't find any documentation on site to site configuration.


Re: Site to Site VPN with SSG 140 and Sonicwall

‎08-31-2011 02:21 PM

For a Sonicwall tunnel you will find using policy based vpn the simplest solution.


See kb15074 for the commands on the SSG side.


http://kb.juniper.net/InfoCenter/index?page=content&id=KB15074

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Site to Site VPN with SSG 140 and Sonicwall

‎10-13-2011 12:37 AM


Attached is a full configuration between SonicWall and NetScreen-5GT; it should be the same.

The configuration is:

* Policy Based

* Juniper firewall is dynamic

* Sonicwall is static

* IKE IDs are used on both firewalls.

* Aggressive mode.



Re: Site to Site VPN with SSG 140 and Sonicwall

‎10-13-2011 06:19 PM

I have a number of policy-based SonicWall to route-based ScreenOS tunnels running, so the connections can be made. But I see a number of potential mismatches in the configuration.


What I am not sure about is the 5GT software setup.  I assume from the screenshots you have a version 5.x screenos.  I've only worked on 6.x versions.


SonicWall

The Primary/Secondary IPsec gateway is listed as 0.0.0.0; this is wrong. You will only use the Primary field, and it should have the IP address or DNS name of your ScreenOS public interface. This is the gateway where the connection will terminate.


Local/Peer IKE ID: leave these blank and unconfigured; you don't need them.


The Phase 1 proposal should be Main mode, not Aggressive. Aggressive is for client-to-firewall connections, not firewall-to-firewall ones.


ScreenOS

Make sure the proposals match with the change from Aggressive.

Change the Phase 1 and Phase 2 lifetime to 28800 to match the SonicWall times.

Find the Proxy-ID setting and create this using the sonic-lan/juniper-lan addresses.


The SonicWall will automatically send a proxy-ID pair based on these address objects. You need to have a matching pair on the Juniper side for the connection to complete.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
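The reply above lists the settings that have to agree on both ends (Main mode, matching proposals, 28800-second lifetimes, and a proxy-ID pair built from the two LAN address objects). The following ScreenOS CLI snippet is an added example of a policy-based tunnel that applies those points; it is not from this thread, from KB15074, or from any of the posters. It assumes an SSG 140 on ScreenOS 6.x with its public interface `ethernet0/0` in the Untrust zone, static public addresses on both firewalls (RFC 5737 documentation ranges are used), 192.168.1.0/24 behind the SSG and 10.10.10.0/24 behind the SonicWall. The object names, addresses and pre-shared key are placeholders chosen for the example.

```text
# Added example, not the thread's own configuration. Assumed: SSG 140 / ScreenOS 6.x,
# public interface ethernet0/0 (Untrust), static IPs both ends, SonicWall WAN 203.0.113.10.
# All object names and the pre-shared key are placeholders.

# Address objects; the same two networks form the proxy-ID pair the SonicWall will send.
set address "Trust" "juniper-lan" 192.168.1.0 255.255.255.0
set address "Untrust" "sonic-lan" 10.10.10.0 255.255.255.0

# Phase 1 proposal: pre-shared key, DH group 2, AES-128/SHA-1, lifetime 28800 s.
set ike p1-proposal "p1-sonic" preshare group2 esp aes128 sha-1 second 28800

# Phase 2 proposal: PFS group 2, ESP AES-128/SHA-1, lifetime 28800 s to match the SonicWall.
set ike p2-proposal "p2-sonic" group2 esp aes128 sha-1 second 28800

# Gateway in Main mode (no local/peer IKE IDs); the peer address is the SonicWall WAN IP.
set ike gateway "sonic-gw" address 203.0.113.10 Main outgoing-interface "ethernet0/0" preshare "CHANGE-ME" proposal "p1-sonic"

# VPN object bound to the gateway, with an explicit proxy-ID:
# local = the network behind the SSG, remote = the network behind the SonicWall.
set vpn "sonic-vpn" gateway "sonic-gw" replay tunnel idletime 0 proposal "p2-sonic"
set vpn "sonic-vpn" proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.10.0/24 "ANY"

# Policy-based VPN: one tunnel policy in each direction, logged.
set policy top from "Trust" to "Untrust" "juniper-lan" "sonic-lan" "ANY" tunnel vpn "sonic-vpn" log
set policy top from "Untrust" to "Trust" "sonic-lan" "juniper-lan" "ANY" tunnel vpn "sonic-vpn" log
save
```

On the SonicWall side the corresponding VPN policy would use Main mode, the same pre-shared key, DH group 2, AES-128/SHA-1 for both phases, 28800-second lifetimes, and local/destination networks of 10.10.10.0/24 and 192.168.1.0/24. After bringing the tunnel up, `get ike cookie` shows whether Phase 1 completed and `get sa active` whether Phase 2 SAs exist; a Phase 2 that never establishes while Phase 1 is fine is the usual sign of a proxy-ID or proposal mismatch, and `get event` on the SSG records which one.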