How to remove VPN configuration from a ScreenOS device using the CLI?

Article ID: KB14138 KB Last Updated: 11 Mar 2020 Version: 2.0
Summary:
How to remove the VPN configuration from a ScreenOS device?  Which pieces of the configuration need to be removed and in what order?

Symptoms:
  • VPN configuration to delete (Route-based VPN):
set address "Trust" "10.2.0.0/24" 10.2.0.0 255.255.255.0
set address "Untrust" "10.1.0.0/24" 10.1.0.0 255.255.255.0
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip 10.0.2.2/24
set ike gateway "gw-to-voyager" address 192.168.20.2 Main outgoing-interface "ethernet2/1" preshare netscreen sec-level standard
set vpn "vpn-to-voyager" gateway "gw-to-voyager" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn-to-voyager" id 0x1 bind interface tunnel.1
set policy id 2 from "Untrust" to "Trust" "10.1.0.0/24" "10.2.0.0/24" "ANY" permit
set policy id 3 from "Trust" to "Untrust" "10.2.0.0/24" "10.1.0.0/24" "ANY" permit
set route 10.1.0.0/24 interface tunnel.1


  • VPN configuration to delete (Policy-based VPN):
set address "Trust" "10.2.0.0/24" 10.2.0.0 255.255.255.0
set address "Untrust" "10.1.0.0/24" 10.1.0.0 255.255.255.0
set ike gateway "gw-to-voyager" address 192.168.20.2 Main outgoing-interface "ethernet2/1" preshare netscreen sec-level standard
set vpn "vpn-to-voyager" gateway "gw-to-voyager" no-replay tunnel idletime 0 sec-level standard
set policy id 2 from "Untrust" to "Trust" "10.1.0.0/24" "10.2.0.0/24" "ANY" tunnel vpn "vpn-to-voyager"
set policy id 3 from "Trust" to "Untrust" "10.2.0.0/24" "10.1.0.0/24" "ANY" tunnel vpn "vpn-to-voyager"

Solution:
For route-based VPNs, the procedure is as follows:
  1. First, delete policies and addresses associated with the specific VPN traffic [Optional]:
       unset policy id 2
       unset policy id 3
       unset address "Trust" "10.2.0.0/24"
       unset address "Untrust" "10.1.0.0/24"

  2. Unbind the VPN from the tunnel interface:
       unset vpn "vpn-to-voyager" bind interface

  3. Delete the VPN configuration:
       unset vpn "vpn-to-voyager"

  4. Delete the IKE gateway configuration:
       unset ike gateway "gw-to-voyager"

  5. Delete the routing associated with the tunnel interface:
       unset route 10.1.0.0/24 interface tunnel.1

  6. Last, delete the tunnel configuration:
       unset interface "tunnel.1"

For policy-based VPNs, the procedure is as follows:
  1. First, delete policies and addresses associated with the specific VPN traffic [Optional]:
       unset policy id 2
       unset policy id 3
       unset address "Trust" "10.2.0.0/24"
       unset address "Untrust" "10.1.0.0/24"

  2. Delete the VPN configuration:
       unset vpn "vpn-to-voyager"

  3. Last, delete the IKE gateway configuration:
       unset ike gateway "gw-to-voyager"
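
The two procedures above can be generated from a saved configuration instead of typed by hand. The following Python sketch is an added example, not Juniper code: it emits the unset commands in the article's order and goes one step further by leaving alone any address, IKE gateway or tunnel interface that other policies or VPNs in the same configuration still use. The names teardown_commands, SAMPLE and policy_ids are hypothetical, and it assumes an AutoKey IKE VPN, single-line "set" syntax, and route lines that end in "interface tunnel.N".

```python
import re
POLICY = re.compile(r'set policy id (\d+) from "([^"]+)" to "([^"]+)" "([^"]+)" "([^"]+)"')
# Constructed sample: the route-based configuration from this article.
SAMPLE = '''set address "Trust" "10.2.0.0/24" 10.2.0.0 255.255.255.0
set address "Untrust" "10.1.0.0/24" 10.1.0.0 255.255.255.0
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip 10.0.2.2/24
set ike gateway "gw-to-voyager" address 192.168.20.2 Main outgoing-interface "ethernet2/1" preshare netscreen sec-level standard
set vpn "vpn-to-voyager" gateway "gw-to-voyager" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn-to-voyager" id 0x1 bind interface tunnel.1
set policy id 2 from "Untrust" to "Trust" "10.1.0.0/24" "10.2.0.0/24" "ANY" permit
set policy id 3 from "Trust" to "Untrust" "10.2.0.0/24" "10.1.0.0/24" "ANY" permit
set route 10.1.0.0/24 interface tunnel.1'''

def teardown_commands(config, vpn, policy_ids=()):
    """Unset commands for one VPN, in the article's order. policy_ids names the
    policies to drop for a route-based VPN; 'tunnel vpn' policies are found automatically."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    head = f'set vpn "{vpn}" '
    mine = [l for l in lines if l.startswith(head)]
    others = [l for l in lines if l.startswith("set vpn ") and l not in mine]
    gw = next((m.group(1) for l in mine if (m := re.search(r' gateway "([^"]+)"', l))), None)
    if gw is None:
        raise ValueError(f"VPN not found in config: {vpn}")
    tun = next((m.group(1) for l in mine if (m := re.search(r"bind interface (\S+)", l))), None)
    doomed, kept, addrs = [], set(), set()
    for m in filter(None, map(POLICY.match, lines)):
        pid, src_zone, dst_zone, src, dst = m.groups()
        pair = {(src_zone, src), (dst_zone, dst)}
        if int(pid) in policy_ids or f'tunnel vpn "{vpn}"' in m.string:
            doomed.append(pid)
            addrs |= pair
        else:
            kept |= pair  # addresses still used by policies that stay
    cmds = [f"unset policy id {pid}" for pid in doomed]
    for zone, name in sorted(addrs - kept):
        if any(l.startswith(f'set address "{zone}" "{name}" ') for l in lines):
            cmds.append(f'unset address "{zone}" "{name}"')
    if tun:
        cmds.append(f'unset vpn "{vpn}" bind interface')
    cmds.append(f'unset vpn "{vpn}"')
    if not any(f'gateway "{gw}"' in l for l in others):  # gateway may be shared
        cmds.append(f'unset ike gateway "{gw}"')
    if tun and not any(l.endswith(f"bind interface {tun}") for l in others):
        # "set route ..." becomes "unset route ..." for routes via this tunnel
        cmds += ["un" + l for l in lines if l.startswith("set route ") and l.endswith(f"interface {tun}")]
        cmds.append(f'unset interface "{tun}"')
    return cmds

if __name__ == "__main__":
    print("\n".join(teardown_commands(SAMPLE, "vpn-to-voyager", policy_ids=(2, 3))))
```

Review the generated list against the running configuration before pasting it into the CLI; omitting policy_ids for a route-based VPN skips the optional first step.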