
SRX & J Series Site-to-Site VPN Configuration Generator:  https://www.juniper.net/support/tools/vpnconfig/#localSite

Configuring Route-Based Site-to-Site IPSec VPN on the SRX:   https://www.youtube.com/watch?v=4fhLZIbJ-ls


1- IKE Phase 1:

1a- create ike proposal
1b- create ike policy
1c- create ike gateway

2- Allow IKE traffic inbound to untrusted zone

3- IKE Phase 2 / IPSEC :

3a- create ipsec proposal
3b- create ipsec policy
3c- create ipsec vpn and bind it to the st0 tunnel interface

4- Configure the VPN security zone and the security policies between zones



============================================================================

A-Site:

#1- IKE Phase 1:

#1a- create ike proposal
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group5
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP lifetime-seconds 3600

#1b- create ike policy
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text juniper

#1c- create ike gateway
set security ike gateway IKE-GW ike-policy IKE-POL
# address is the REMOTE peer's public IP (B-Site's external address)
set security ike gateway IKE-GW address 1.2.3.22
set security ike gateway IKE-GW external-interface ge-0/0/0


#2- allow IKE traffic inbound to untrusted zone
set security zones security-zone untrust host-inbound-traffic system-services ike


#3- IKE Phase 2 / IPSEC :

#3a- create ipsec proposal
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600

#3b- create ipsec policy
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POL proposals IPSEC-PROP

#3c- create ipsec vpn (bound to tunnel interface st0.1)
set security ipsec vpn IPSEC-VPN vpn-monitor
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security ipsec vpn IPSEC-VPN bind-interface st0.1


set interfaces st0 unit 1 family inet
set security zones security-zone VPN interfaces st0.1
set routing-options static route 11.11.11.0/24 next-hop st0.1


#4- Configure security policy between zones

set security address-book global address Network-A 10.10.10.0/24
set security address-book global address Network-B 11.11.11.0/24

set security zones security-zone VPN

#deactivate security policies from-zone trust to-zone untrust policy default-permit
#deactivate security policies from-zone untrust to-zone trust policy default-deny

set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address Network-A
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match destination-address Network-B
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match application any
set security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit

set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address Network-B
set security policies from-zone VPN to-zone trust policy VPN-to-Trust match destination-address Network-A
set security policies from-zone VPN to-zone trust policy VPN-to-Trust match application any
set security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit



==============================================================================================================

B-Site:

#1- IKE Phase 1:

#1a- create ike proposal
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group5
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP lifetime-seconds 3600

#1b- create ike policy
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text juniper

#1c- create ike gateway
set security ike gateway IKE-GW ike-policy IKE-POL
# address is the REMOTE peer's public IP (A-Site's external address)
set security ike gateway IKE-GW address 1.2.3.21
set security ike gateway IKE-GW external-interface ge-0/0/0


#2- allow IKE traffic inbound to untrusted zone
set security zones security-zone untrust host-inbound-traffic system-services ike


#3- IKE Phase 2 / IPSEC :

#3a- create ipsec proposal
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600

#3b- create ipsec policy
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POL proposals IPSEC-PROP

#3c- create ipsec vpn (bound to tunnel interface st0.1)
set security ipsec vpn IPSEC-VPN vpn-monitor
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security ipsec vpn IPSEC-VPN bind-interface st0.1


set interfaces st0 unit 1 family inet
#set security zones security-zone VPN
set security zones security-zone VPN interfaces st0.1
set routing-options static route 10.10.10.0/24 next-hop st0.1


#4- Configure security policy between zones

set security address-book global address Network-A 10.10.10.0/24
set security address-book global address Network-B 11.11.11.0/24

#deactivate security policies from-zone trust to-zone untrust policy default-permit
#deactivate security policies from-zone untrust to-zone trust policy default-deny

set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address Network-B
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match destination-address Network-A
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match application any
set security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit

set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address Network-A
set security policies from-zone VPN to-zone trust policy VPN-to-Trust match destination-address Network-B
set security policies from-zone VPN to-zone trust policy VPN-to-Trust match application any
set security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit
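The two sides above only come up if their Phase 1 and Phase 2 parameters, pre-shared key, peer addresses and routes agree. The script below is an added example, not part of the original page and not Juniper's tooling: it embeds the page's commands as a constructed template (one copy per side, differing only in peer address, static route and policy addresses), follows the references from `ipsec vpn` through gateway and policies to the proposals, and reports the mismatches that keep a tunnel down (proposal parameters, PSK without printing it, both gateways pointing at the same peer, st0 routes that do not mirror the peer's protected networks). It also flags SHA-1, DH group5 and short pre-shared keys as advisory warnings, since the page's values (`sha1`, `group5`, PSK `juniper`) are placeholders rather than production settings. It assumes the VPN is named IPSEC-VPN, that `#` starts a comment, and the zone and policy layout used on this page; it generalizes to any pair of route-based SRX configs that follow that layout.

```python
# Added example, not from the page: cross-check the A-Site and B-Site 'set'
# commands for peer mismatches and flag settings that are weak by current guidance.

# Constructed sample: the page's commands as a template; only the peer address,
# the static route and the policy addresses differ between the two sides.
TEMPLATE = """\
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group5
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP lifetime-seconds 3600
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text juniper
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address {peer} # remote peer's public IP
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set security zones security-zone VPN interfaces st0.1
set routing-options static route {remote_net} next-hop st0.1
set security address-book global address Network-A 10.10.10.0/24
set security address-book global address Network-B 11.11.11.0/24
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address {local}
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match destination-address {remote}
"""
SIDE_A = TEMPLATE.format(peer="1.2.3.22", remote_net="11.11.11.0/24", local="Network-A", remote="Network-B")
SIDE_B = TEMPLATE.format(peer="1.2.3.21", remote_net="10.10.10.0/24", local="Network-B", remote="Network-A")
# Settings reported as weak (advisory; they do not stop the tunnel coming up).
WEAK = {"sha1": "SHA-1 integrity", "hmac-sha1-96": "SHA-1 integrity", "group5": "1536-bit DH group5"}

def parse(text):
    """Turn 'set ...' lines into token lists; '#' starts a comment."""
    cmds = []
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()
        if toks[:1] == ["set"]:
            cmds.append(toks[1:])
    return cmds

def leaf(cmds, *path):
    """Value after `path` in the first matching command ('<unset>' if absent)."""
    for t in cmds:
        if t[:len(path)] == list(path):
            return " ".join(t[len(path):])
    return "<unset>"

def profile(cmds, vpn="IPSEC-VPN"):
    """Follow the references vpn -> gateway -> policies -> proposals."""
    v = lambda *p: leaf(cmds, *p)
    gw, ipol, st0 = (v("security", "ipsec", "vpn", vpn, *p) for p in
                     (("ike", "gateway"), ("ike", "ipsec-policy"), ("bind-interface",)))
    kpol = v("security", "ike", "gateway", gw, "ike-policy")
    kprop = v("security", "ike", "policy", kpol, "proposals")
    iprop = v("security", "ipsec", "policy", ipol, "proposals")
    zone = next((t[3] for t in cmds if t[:3] == ["security", "zones", "security-zone"]
                 and t[4:6] == ["interfaces", st0]), "<unset>")
    book = {t[4]: t[5] for t in cmds if t[:4] == ["security", "address-book", "global", "address"]}
    return {
        "phase1": tuple(v("security", "ike", "proposal", kprop, k) for k in (
            "authentication-method", "dh-group", "authentication-algorithm",
            "encryption-algorithm", "lifetime-seconds")) + (v("security", "ike", "policy", kpol, "mode"),),
        "psk": v("security", "ike", "policy", kpol, "pre-shared-key", "ascii-text"),
        "peer": v("security", "ike", "gateway", gw, "address"),
        "phase2": tuple(v("security", "ipsec", "proposal", iprop, k) for k in (
            "protocol", "authentication-algorithm", "encryption-algorithm", "lifetime-seconds"))
        + (v("security", "ipsec", "policy", ipol, "perfect-forward-secrecy", "keys"),),
        # Prefixes routed into the tunnel, and the local networks the policy admits into it.
        "routes": {t[3] for t in cmds if t[:3] == ["routing-options", "static", "route"] and t[5:6] == [st0]},
        "local_nets": {book.get(t[10], t[10]) for t in cmds if t[:2] == ["security", "policies"]
                       and t[5] == zone and t[8:10] == ["match", "source-address"]},
    }

def check_peers(a_text, b_text):
    """Return (errors, warnings): errors keep the tunnel down, warnings are weak settings."""
    a, b = profile(parse(a_text)), profile(parse(b_text))
    errors, warnings = [], set()
    for k in ("phase1", "phase2", "psk"):
        if a[k] != b[k]:  # never echo the key itself into a report
            errors.append(f"{k} mismatch" + ("" if k == "psk" else f": A={a[k]} B={b[k]}"))
    if a["peer"] == b["peer"]:
        errors.append(f"both sides point at the same peer {a['peer']}")
    if a["routes"] != b["local_nets"] or b["routes"] != a["local_nets"]:
        errors.append("st0 static routes do not mirror the peer's protected networks")
    for side, p in (("A", a), ("B", b)):
        warnings.update(f"{side}: {WEAK[x]} is below current guidance" for x in p["phase1"] + p["phase2"] if x in WEAK)
        if len(p["psk"]) < 20:
            warnings.add(f"{side}: pre-shared key is only {len(p['psk'])} characters")
    return errors, sorted(warnings)

if __name__ == "__main__":
    errs, warns = check_peers(SIDE_A, SIDE_B)
    print("errors:", errs or "none"); print("warnings:", *warns, sep="\n  ")
```

Run it against two real sides by pasting each side's `show configuration | display set` output into `SIDE_A` and `SIDE_B`; a clean run prints no errors and only the advisory warnings, and a single changed proposal value on one side shows up as a `phase1` or `phase2` mismatch before anyone has to read IKE debug logs.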


