configuring ipsec vpn between netscreen and cisco

Sure is possible. Here's a guide
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml

Irmoore,
the link you have given talks about configuration of ipsec between pix and netscreen
In my case i just have netscreen and juniper or cisco routers.
So can i use them instead of pix?
What configuration changes i will have to make if i use a router instead of pix firewall?
Please i would really appreciate if you could exactly tell me what changes should be made
Do you think it would be more easier to have a ipsec between netscreen and juniper router than to have between netscreen and cisco router?

Deimark,
Thanks for the link but the link you gave me, i saw some configuration examples but they require login.
Should i make an account over there? is it free?
is there a way to access the information without login?

Could someone kindly give me a configuration example of how to configure policy based ipsec vpn between juniper router and netscreen firewall?
OR
between cisco router and netscreen
OR
both
Is policy based vpn simpler than route based vpn?
i want use easy and simple method.
Plus, how can i check the version of my ScreenOS?

For version of screenos, run a "get sys" the version of screenos will be there.

With regards to the examples:

http://kb.juniper.net/KB8554

This requires no login as far as I can see bud.

Can you confirm which one you don't have access to?

It is the same configuration on the Netscreen. Use the IOS router configuration in this example of a router to PIX. The router config is the same if going to a Netscreen
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

deimark,
i cant access KB 3715 ( ipsec between juniper j series router and Netscreen), it requires login
and thats the document i m looking for

Irmoore,
thanks for the link
so you mean i should have the netscreen configuration from the previous link and use the configuration of router from the second link you gave me? thats what you mean?
One more thing, this nat thing confuses me...the link u gave has nat and route-map and nat pool...
all this confuses me...i just want a simple ipsec.  Can i omit those nat parts in the configuration?
Can you tell me the configuration example you gave me of Netscreen in the previous link...is it policy based or route based?

I would assume the Netscreen config is policy based because that is what the Cisco side is.
Yes, use the Netscreen config from the first link, and the Cisco router config from the second like.
I can only assume that you are already Natting on the Cisco router. If yes, then you have to do the route-map thing. If not, then you do not. Can you post that config?

Acually my confusion is almost gone as i have found out the way to configure IPsec between Netscreen and Cisco router., at least theoretically, i still have to configure it to see if it works 100%
Now my next target is to implement ipsec between Netscreen and Juniper router.
Actually my ultimate objective is to implement hub and spoke ipsec VPN...with netscreen acting as a hub, Cisco router and Juniper router as spokes. Thats why i m first trying simple things first then go for the hub and spoke.
I am attaching a diagram which show what i m trying to achieve...can you guys tell me if its coceptually correct. Plus, would it be better or easier if i implement GRE tunnel along with ipsec? CAn GRE tunnels be configured in Netscreen? and most importantly, Can someone please give me a configuration example of Hub and Spoke VPN using Netscreen as hub and juniper or cisco router as spokes.?
Can Hub and spoke IPSEc VPN be implemented without the use of GRE tunnels?
One more thing, ethernet2 of netscreen is by default in DMZ zone...so i can set it to untrust zone as per my diagram?

Thanks,

Let's get the first part taken care of. It's not right to morph a question in the middle of a thread. We want to keep a clean database of 1 question/1 answer.
Most of the issues you face will depend on the NetScreen side. Unfortunately, we don't have many NetScreen or juniper experts on this site.

So you mean i should stop asking questions related to juniper or netscreen because you guys wont be able to help much?

Ok this is a pretty simple question:
I have a netscreen firewall and a cisco router.
I have set the ethernet interface of the netscreen and put the ip address as 2.2.2.2/30
and on cisco ethernet interface i have put 2.2.2.1/30
When I try to ping from netscreen to cisco, it pings but when i ping from cisco to netscreen it doesnt.
by the way, that interface is untrust interface of netscreen.
So that means inbound traffic is blocked but outboud traffic is allowed in the netscreen.(maybe thats the default in netscreen)
Can you tell me how can i allow inbound traffic to flow in netscreen?

I will answer inline bud (I am a junoper bod, BTW :P)

Ok this is a pretty simple question:
I have a netscreen firewall and a cisco router.
I have set the ethernet interface of the netscreen and put the ip address as 2.2.2.2/30
and on cisco ethernet interface i have put 2.2.2.1/30

>>  All fine so far :D

When I try to ping from netscreen to cisco, it pings but when i ping from cisco to netscreen it doesnt.
by the way, that interface is untrust interface of netscreen.

>> By default, the untrust interfaces on a netscreen BLOCK PINGs to the interface.  This is separate form the policies, so does not indicate its blocking all traffic,

>> To allow pings tpo your external interface type in the following:
    set int e<whatever your ext interface is> manage ping

I would not recommend having this enabled permanently.  To un set, type "un" berfore the set.

So that means inbound traffic is blocked but outboud traffic is allowed in the netscreen.(maybe thats the default in netscreen)

>>  As above, the blocked ping is not indicative of blocking all traffic.

Can you tell me how can i allow inbound traffic to flow in netscreen?

>>  Create a policy to allow the specific traffic.  It really is that simple bud.

>>  If the traffic is still being dropped, you can run debugs to see what is going on and why the traffic is being blocked and what we can do about it.

Does this answer your question?

>So you mean i should stop asking questions related to juniper or netscreen because you guys wont be able to help much
Not at all. I mean we should keep this thread to the original question and not morp it into something different, much more complicated.

@ deimark - glad to have you around!

Deimark and Irmoore thanks for the replies guys.
Deimark, I tried your command and now its pinging, thanks a lot
Can someone give me a sample configuration for juniper router (Jseries) to juniper router ipsec vpn?
It would be nice if there is a diagram as well so that i can better understand the configuration.
My problem is that i found couple of configuration for ipsec between juniper routers but they are without any diagram due to which i have trouble understanding whats going on.
Please guys i really need your help...
If you find a sample configuration then please include diagram and if there isnt then i would really appreciate if you could draw the diagram according to the config so that i can understand it better.
Please note that i have a J series router
Deimark, you seem to be an expert on Juniper so i really need your help in this one bud.

Thanks,

http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_JSeries_VPN_Config_or_Trblsh.htm

Gives example info and instructions on J series VPNs bud.  If the PDF page does not open, then "download the link as" and it will save fine

Thanks a lot Deimark for the link. It really helped me understand the concept however, the configuration example is between juniper and netscreen only. Can you give me any configuration example of ipsec between juniper to juniper router with a network diagram?
Also i would be very thankful if you can find out a hub and spoke vpn config example with diagram where  netscreen and juniper or cisco routers are involved. I have found few configs but it only involved netscreen. I just have one netscreen firewall

Thanks,

The same principles apply here bud, no matter what the device is.

If you have a look at the PDF in http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Route-based_VPN_to_ScreenOS_v13.pdf

This has the route based VPN info there for you, with the example using a J series and SSG5.

We can replace the SSG5 with another J series and follow the same process as configuring the original J series box, we just replace the networks and IPs used to be the ones assigned to the SSG

ie J series 1 will have external IP of 1.1.1.2/30 with protected LAN of 10.10.10.0/24
J series 2 will have external IP of 2.2.2.2/30 with protected LAN of 192.168.168.0/24

For hub and spoke, its all fairly similar.  The branches will all have a single VPN configured to the hub, with appropriate routing etc Iie if it needs to talk to another branches LAN, it has a route to send them down the tunnel to the hub which will then route onwards to correct tunnel/endpoint)

The hub with a VPN to each branch with appropriate routing also.  As long as there are valid routes and the traffic has a policy to allow it, it all should work fine.

Junipers NSM takes a lot of the pain out of the VPN config by using a nice GUI to create the topology and set the VPN parameters, which will then convert to CLI commands and send onto the devices

Does this help any?

DM

Thanks a lot Deimark!
i really appreciate your answer and explanation.
Now my final task is to use netscreen as a firewall with static NAT and configure multiple zones i.e trust, untrust and DMZ. Can you suggest me a simple network diagram to accomplish this?
For example, I can put 2 or 3 routers and use netscreen as a firewall between them and do static NAT.
Can you give me a link for sample configuration of the above mentioned objective, so that i can understand how i can implement such a thing using netscreen as a firewall.
Is static NAT in netscreen is called Mapped IP (MIP)?

Thanks,

ok i will close this question off
Thanks once again for all the answers