---
title: "Juniper (ScreenOS)"
slug: "juniper-screenos"
updated: 2026-04-07T09:02:13Z
published: 2026-04-07T09:02:13Z
canonical: "support.perimeter81.com/juniper-screenos"
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Juniper (ScreenOS)

<meta charset="utf-8">

## Introduction

Welcome to our guide on establishing a Site-to-Site VPN tunnel between your Check Point SASE network and the Juniper ScreenOS environment.

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To successfully follow this guide, ensure that:

1. Have an active Check Point SASE account and an established network.
2. Have the Check Point SASE application installed on your devices.
3. Possess an active Juniper ScreenOS setup with the necessary administrative rights.

## Configuration Steps

## Configuring an IPSec Tunnel in the Management Platform

1. Go to the Gateway in your network from which you want to create the tunnel to the Juniper SSG (ScreenOS) Firewall,
2. Select the three-dotted menu (...) and select **Add Tunnel.**![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-02_at_5_53_13_PM.png)
3. Select **IPSec Site-2-Site Tunnel** and select **Continue.**![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.56.11%20PM.png)
4. Select **Single Tunnel,**and****Click**Continue.**  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.57.33%20PM.png)
5. Under **General Settings**, enter the following:
  - Name - Set the name for the Tunnel.
  - Shared Secret - Enter a shared secret or click **Generate**.
  - **Public IP** and **Remote ID** - Enter your Juniper SSG (ScreenOS) Public WAN IP address.
  - In **Check Point SASE Gateway Proposal Subnets,** choose****your**Check Point SASE Network Subnet**.
  - In **Remote Gateway Proposal Subnets**, enter your internal LAN subnet.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Barracuda_General(1).PNG)
6. In the **Advanced Settings**section, specify these:
  - IKE Version: V1
  - IKE Lifetime: 8h
  - Tunnel Lifetime: 1h
  - Dead Peer Detection Delay: 10s
  - Dead Peer Detection Timeout: 50s
  - **Phase 1**:
    - Encryption (Phase 1): aes256
    - Integrity (Phase 1): sha1
    - Key Exchange Method: modp1536
  - **Phase 2**:
    - Encryption (Phase 2): aes256
    - Integrity (Phase 2): sha1
    - Key Exchange Method: modp1536  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/JuniperScreenOS_V1_1536.PNG)
7. Click Add Tunnel.

## Configuring the Tunnel on the Juniper SSG

1. Navigate to the Admin Console of the Juniper device.
2. In the left-hand menu, click on **Network**, then go to **Interfaces**.
3. Create a new Unnumbered Tunnel interface.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.36.44%20PM.png)![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_2_22__4_51_PM.png)
4. In the left-hand menu, under Network, click on **Routing**, then **Source**/**Destination.**
  - Select the correct zone (usually Trust) and Click**New.**
  - Under **IP Address/Netmask**, enter your Check Point SASE Network Subnet. (Usually 10.255.0.0/16)  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-02_at_6_18_34_PM.png)
5. In the left-hand menu, click on **VPNs.**
6. Select **AutoKey Advanced.**
  - Verify that the Following **P1 Proposal** exists:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_2_22__4_34_PM.png)
  - Navigate to **P2 Proposal**, and ensure that the following Proposal exists:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_2_22__4_35_PM.png)
7. In the left-hand menu, click on **Gateway**,
  - Select a **Gateway Name**.
  - Under **Static IP Address**, enter your Check Point SASE Gateway IP Address.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-02_at_5_25_21_PM.png)
8. Click **Advanced**.
  - Fill in the **Preshared Key** you generated in your Check Point SASE Admin Console earlier.
  - Under **Security Level**, Select **Custom**. in **Phase 1 Proposal**, Select "**pre-g5-aes256-sha1-28800s**"
  - Enable **DPD.**
    - Set **DPD Interval** to 10s.
    - Set **DPD Retry** to 5.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_2_22__4_40_PM.png)
9. In the left-hand menu, click on **Autokey IKE.**
  - Under **VPN Name**, choose a name. (for example "Check Point SASE")
  - In **Remote Gateway**, select **Predefined** and choose the AutoKey Advanced *Gateway* you created during the previous step.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.39.03%20PM.png)
10. Click **Advanced**.
  - Under **Security Level**, Click Custom and select the **Phase 2 Proposal** named "g5-esp-aes256-sha1-3600s"
  - Under **Bind to**, Click **Tunnel Interface** and select the Tunnel Interface you created in Step 3.
  - Make sure **Proxy-ID Check** is enabled.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_2_22__5_23_PM.png)
11. Configure a **Proxy ID****![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_2_22__6_25_PM.png)**
  - <meta charset="utf-8">**Local Proxy ID**: Enter your local LAN Subnet (For example 192.168.120.0/24)
  - **Remote Proxy ID**: Your Check Point SASE Subnet (By default: 10.255.0.0/16)
  - **Service**: Any  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_2_22__6_26_PM.png)

<meta charset="utf-8">

## Verifying the Setup

After following the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.