This configuration guide covers connecting a Juniper Netscreen (SSG, ISG) firewall to the Pureport platform via a routed IPsec VPN. The intended design uses BGP for routing, but see the IMPORTANT note below: the tested ScreenOS release cannot peer with Pureport's 4-byte AS number, so the script in this guide uses static routes over the tunnel interfaces instead.


Note: This guide was created using ScreenOS version 5.4. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration. Be aware that each Netscreen model may have slightly different interface names and/or different commands. Additionally, if you already have a routing topology in place, you must change some of these configuration items based on your specific setup.


IMPORTANT: The tested version of ScreenOS did not support IKEv2, so IKEv1 was configured on the Pureport side. Additionally, the security transform set used includes SHA-1 and DH Group 5, both of which are known to be compromised. Finally, the Netscreen platform does not appear to support 4-byte AS numbers in any version, so BGP routing is not available because Pureport uses a 4-byte AS number. Future updates to our platform may include the ability to override the Pureport AS number on a per-network or per-connection basis.


Variables Needed

You will need the following information from various sources in order to configure your VPN tunnels and tunnel routing on your Netscreen firewall. Substitute these variables into the Configuration Script below.


Parameter: <PRE-SHARED KEY 1>, <PRE-SHARED KEY 2>
Source: Pureport Console/API
Notes: Pre-shared keys are auto-generated by Pureport and are unique for each VPN gateway.

Parameter: <OUTSIDE INTERFACE>
Source: Existing Netscreen configuration
Notes: The outside interface on a Juniper Netscreen is often ethernet0/0. Use the interface whose address you entered as the Customer Peer IP in the Pureport Console.

Parameter: <GATEWAY 1 IP>, <GATEWAY 2 IP>
Source: Pureport Console/API
Notes: The IKE Peer IP of the primary and secondary Pureport VPN gateways. These IPs are unique per gateway.

Parameter: <CUSTOMER VTI CIDR 1>, <CUSTOMER VTI CIDR 2>
Source: Pureport Console/API
Notes: The tunnel addresses are auto-generated by Pureport and are unique for each gateway. The format must include both the IP address and the mask in CIDR notation. For example: 169.254.1.1/30.

Parameter: <LOCAL CIDR NETWORK>
Source: Existing Netscreen configuration and/or local network documentation
Notes: Your local network address space, in CIDR notation. For example: 192.168.0.0/24. As noted in the configuration example, you must repeat the route lines for each local network.

Parameter: <PUREPORT VTI IP 1>, <PUREPORT VTI IP 2>
Source: Pureport Console/API
Notes: The Pureport-side tunnel addresses (the BGP peer addresses), auto-generated by Pureport and used here as the static-route next hops. The format must be the IP address only, without the slash notation. For example: 169.254.1.2.


Configuration Script


# Turn on ECMP and set the TCP maximum segment size for traffic through the VPN tunnels

set max-ecmp-routes 2
set flow tcp-mss 1350

# This configuration example uses tunnel interfaces tunnel.1 and tunnel.2
# and places them in the built-in "Trust" zone.
# Based on your existing configuration, you may need different interface names and a different zone.

set interface tunnel.1 zone "Trust"
set interface tunnel.1 ip <CUSTOMER VTI CIDR 1>
set interface tunnel.1 mtu 1436

set interface tunnel.2 zone "Trust"
set interface tunnel.2 ip <CUSTOMER VTI CIDR 2>
set interface tunnel.2 mtu 1436

# The IKE proposal settings below (DH group, cipher, hash, lifetimes) may be changed to suit your security policy.
# Whatever you choose must match the proposals configured on the Pureport gateways.


set ike p1-proposal "PureportPhase1" preshare group5 esp aes128 sha-1 second 28800
set ike p2-proposal "PureportPhase2" group5 esp aes128 sha-1 second 3600

set ike gateway "pureport-gw-1" address <GATEWAY 1 IP> id "<GATEWAY 1 IP>" Main outgoing-interface "<OUTSIDE INTERFACE>" preshare "<PRE-SHARED KEY 1>" proposal "PureportPhase1"
set ike gateway "pureport-gw-1" dpd interval 10
set ike gateway "pureport-gw-2" address <GATEWAY 2 IP> id "<GATEWAY 2 IP>" Main outgoing-interface "<OUTSIDE INTERFACE>" preshare "<PRE-SHARED KEY 2>" proposal "PureportPhase1"
set ike gateway "pureport-gw-2" dpd interval 10
set ike gateway "pureport-gw-2" dpd interval 10

set vpn "IPSEC-vpn-pureport-1" gateway "pureport-gw-1" replay tunnel idletime 0 proposal "PureportPhase2"
set vpn "IPSEC-vpn-pureport-1" monitor optimized rekey
set vpn "IPSEC-vpn-pureport-1" id 1 bind interface tunnel.1

set vpn "IPSEC-vpn-pureport-2" gateway "pureport-gw-2" replay tunnel idletime 0 proposal "PureportPhase2"
set vpn "IPSEC-vpn-pureport-2" monitor optimized rekey
set vpn "IPSEC-vpn-pureport-2" id 2 bind interface tunnel.2

# Repeat the following pair of route lines once for each <LOCAL CIDR NETWORK>
set route <LOCAL CIDR NETWORK> interface tunnel.1 gateway <PUREPORT VTI IP 1>
set route <LOCAL CIDR NETWORK> interface tunnel.2 gateway <PUREPORT VTI IP 2>
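As an added example (not part of the Pureport guide or its tooling), the Python script below fills the Configuration Script from the variables table and enforces the format rules the table states before emitting anything: gateway and Pureport VTI addresses must be bare IPs, each customer VTI CIDR must carry its mask, the Pureport VTI IP must be another host inside that /30, and the route lines are repeated for every local network. The dictionary keys and the sample values are constructed for illustration.

```python
import ipaddress

# Per-tunnel lines from the Configuration Script above; {n} is the tunnel number.
TUNNEL_TEMPLATE = """\
set interface tunnel.{n} zone "Trust"
set interface tunnel.{n} ip {vti_cidr}
set interface tunnel.{n} mtu 1436
set ike gateway "pureport-gw-{n}" address {gw} id "{gw}" Main outgoing-interface "{outside}" preshare "{psk}" proposal "PureportPhase1"
set ike gateway "pureport-gw-{n}" dpd interval 10
set vpn "IPSEC-vpn-pureport-{n}" gateway "pureport-gw-{n}" replay tunnel idletime 0 proposal "PureportPhase2"
set vpn "IPSEC-vpn-pureport-{n}" monitor optimized rekey
set vpn "IPSEC-vpn-pureport-{n}" id {n} bind interface tunnel.{n}"""

HEADER = [
    "set max-ecmp-routes 2",
    "set flow tcp-mss 1350",
    'set ike p1-proposal "PureportPhase1" preshare group5 esp aes128 sha-1 second 28800',
    'set ike p2-proposal "PureportPhase2" group5 esp aes128 sha-1 second 3600',
]

def render_tunnel(n, gw, psk, vti_cidr, peer_ip, outside, local_cidrs):
    """Validate one gateway's variables and return its ScreenOS lines."""
    ipaddress.ip_address(gw)                        # IKE peer: bare address only
    if "/" not in vti_cidr:                         # table rule: CIDR must carry the mask
        raise ValueError(f"VTI CIDR {vti_cidr!r} must include the mask, e.g. /30")
    iface = ipaddress.ip_interface(vti_cidr)
    peer = ipaddress.ip_address(peer_ip)            # table rule: peer IP has no slash
    if peer not in iface.network or peer == iface.ip:
        raise ValueError(f"peer {peer_ip} is not another host in {iface.network}")
    if not psk:
        raise ValueError("pre-shared key is empty")
    lines = TUNNEL_TEMPLATE.format(n=n, gw=gw, psk=psk, vti_cidr=vti_cidr, outside=outside).splitlines()
    for cidr in local_cidrs:                        # one route line per local network
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/24
        lines.append(f"set route {net} interface tunnel.{n} gateway {peer}")
    return lines

def render_script(v):
    """v: dict keyed like the Variables Needed table (hypothetical key names)."""
    return (HEADER
            + render_tunnel(1, v["gw1"], v["psk1"], v["vti1"], v["peer1"], v["outside"], v["local"])
            + render_tunnel(2, v["gw2"], v["psk2"], v["vti2"], v["peer2"], v["outside"], v["local"]))

# Constructed sample values (documentation ranges, not real Pureport assignments).
SAMPLE = {"outside": "ethernet0/0", "local": ["192.168.0.0/24", "192.168.10.0/24"],
          "gw1": "203.0.113.10", "psk1": "example-psk-1", "vti1": "169.254.1.1/30", "peer1": "169.254.1.2",
          "gw2": "203.0.113.20", "psk2": "example-psk-2", "vti2": "169.254.1.5/30", "peer2": "169.254.1.6"}

if __name__ == "__main__":
    print("\n".join(render_script(SAMPLE)))
```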