This configuration guide includes information needed to connect a Juniper Netscreen (SSG, ISG) firewall to the Pureport platform via a routed IPSEC VPN using BGP for routing.
Note: This guide was created using ScreenOS version 5.4. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration. Be aware that each Netscreen model may have slightly different interface names and/or different commands. Additionally, if you already have a routing topology in place, you must change some of these configuration items based on your specific setup.
IMPORTANT: The tested version of ScreenOS did not support IKEv2, and thus IKEv1 was configured on the Pureport side. Additionally, the security transform set used included SHA1 and DH Group 5, both of which are known to be compromised. Finally, the Netscreen platform does not appear to support a 4-byte AS number in any version, thus BGP routing is not available since Pureport uses a 4-byte AS number. Future updates to our platform may include the ability to override the Pureport AS number on a per-network or per-connection basis.
You will need the following information from various sources in order to configure your VPN tunnels and BGP peering on your Netscreen firewall. Use these variables in the Configuration Script below.
<PRE-SHARED KEY 1>, <PRE-SHARED KEY 2>
    Pre-shared keys are auto-generated by Pureport and are unique for each VPN gateway.
Outside interface (source: existing Netscreen configuration)
    The outside interface on a Juniper Netscreen is often ethernet0/0. You should set this to the interface that you entered as the Customer Peer IP in the Pureport Console.
<GATEWAY 1 IP>
    The IKE Peer IP on the primary and secondary Pureport VPN gateways. These IPs are unique per gateway.
<CUSTOMER VTI CIDR 1>
    The tunnel addresses are auto-generated by Pureport and are unique for each gateway. The format should include the IP address and mask in CIDR notation. For example: 169.254.1.1/30.
<LOCAL CIDR NETWORK> (source: existing Netscreen configuration and/or local network documentation)
    Your local network address space, in CIDR notation. For example: 192.168.0.0/24.
    As noted in the configuration example, you must repeat this configuration line for each local network.
<PUREPORT VTI IP 1>
    The BGP peer addresses, auto-generated by Pureport. The format should include the IP address only, without the slash notation. For example: 169.254.1.2.
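An added example, not part of the Pureport guide, that sanity-checks the variables above before they are pasted into the configuration script: VTI address/mask format, the Pureport VTI IP sitting inside the customer VTI subnet, one ScreenOS line per local prefix, distinct pre-shared keys per gateway, and the 2-byte AS limitation noted above. The sample values are constructed placeholders, not real gateway addresses or keys.

```python
import ipaddress

# Constructed sample values standing in for what the Pureport Console shows.
SAMPLE_VARS = {
    "GATEWAY 1 IP": "203.0.113.10",
    "CUSTOMER VTI CIDR 1": "169.254.1.1/30",
    "PUREPORT VTI IP 1": "169.254.1.2",
    "LOCAL CIDR NETWORK": ["192.168.0.0/24", "10.10.0.0/16"],
    "PRE-SHARED KEY 1": "example-psk-one",
    "PRE-SHARED KEY 2": "example-psk-two",
}


def check_vars(v):
    """Return a list of problems found in the gateway variables (empty list = OK)."""
    problems = []
    # The IKE peer must be a plain host address, not a prefix.
    try:
        ipaddress.ip_address(v["GATEWAY 1 IP"])
    except ValueError:
        problems.append("GATEWAY 1 IP is not a valid host address")
    # Customer VTI is address+mask (e.g. 169.254.1.1/30); the Pureport VTI IP is a
    # bare address and must fall inside that same point-to-point subnet.
    try:
        if "/" not in v["CUSTOMER VTI CIDR 1"]:
            problems.append("CUSTOMER VTI CIDR 1 must include a mask")
        vti = ipaddress.ip_interface(v["CUSTOMER VTI CIDR 1"])
        peer = ipaddress.ip_address(v["PUREPORT VTI IP 1"])
        if peer not in vti.network:
            problems.append("PUREPORT VTI IP 1 is not in the CUSTOMER VTI CIDR 1 subnet")
        elif peer == vti.ip:
            problems.append("PUREPORT VTI IP 1 equals the customer VTI address")
    except ValueError as exc:
        problems.append(f"VTI addressing invalid: {exc}")
    # Each local network becomes its own ScreenOS line, so validate every entry
    # as a proper network prefix (host bits set means a copy-paste mistake).
    for net in v["LOCAL CIDR NETWORK"]:
        try:
            ipaddress.ip_network(net, strict=True)
        except ValueError:
            problems.append(f"LOCAL CIDR NETWORK {net!r} is not a valid prefix")
    # Pre-shared keys are unique per gateway; a reused key is almost always an error.
    if v["PRE-SHARED KEY 1"] == v["PRE-SHARED KEY 2"]:
        problems.append("both gateways use the same pre-shared key")
    return problems


def as_fits_screenos(asn):
    """ScreenOS only handles 2-byte AS numbers; True if asn fits in 16 bits."""
    return 0 < asn < 65536
```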
# Turn on ECMP and set the max segment size for vpn tunnels
# This configuration example specifies tunnel interfaces tunnel.1 and tunnel.2
# This configuration example places the tunnel interfaces in the built-in "trust" zone
# Based on your existing configuration, you may need to use different interface names and zone names
set interface tunnel.1 zone "Trust"
set interface tunnel.2 zone "Trust"
# The IKE security settings below may be changed to suit your security policy
# Settings used must match the Pureport gateway configuration