In this video, we’re going to configure an IPSec VPN between Juniper SRX and Cisco ASA using pre-shared key for authentication. We’re going use IKEv2 for phase 1, and for phase 2, we’re going to use the ASA’s relatively new static virtual tunnel interface, or SVTI.
Video
Topology & Final Configs
TopologySRX0ASA0
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoASAlab
set security ike gateway ASA0 ike-policy IKE_POLI
set security ike gateway ASA0 address 208.105.102.30
set security ike gateway ASA0 local-identity hostname SRX0
set security ike gateway ASA0 remote-identity hostname ASA0
set security ike gateway ASA0 external-interface ge-0/0/0.0
set security ike gateway ASA0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn ASA0 bind-interface st0.0
set security ipsec vpn ASA0 ike gateway ASA0
set security ipsec vpn ASA0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.0
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 0 description ASA0
set interfaces st0 unit 0 family inet address 172.16.0.0/31
set protocols bgp group ASA0 export Export_to_ASA0
set protocols bgp group ASA0 peer-as 10
set protocols bgp group ASA0 local-as 10
set protocols bgp group ASA0 neighbor 172.16.0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
set policy-options policy-statement Export_to_ASA0 term Loopback from protocol direct
set policy-options policy-statement Export_to_ASA0 term Loopback from route-filter 10.0.0.0/32 exact
set policy-options policy-statement Export_to_ASA0 term Loopback then accept
set policy-options policy-statement Export_to_ASA0 term Reject then reject
#
In this writeup, we’re going to set up an IPSec VPN between Juniper SRX and MikroTik RouterOS. To keep the Phase 1 tunnel simple, we’ll use IKE version 2 with pre-shared keys for authentication. RouterOS doesn’t yet support route-based Phase 2 tunnels, so we’ll configure policy-based on the RouterOS side, but keep the SRX side route-based so we can see how they interplay. If there’s enough interest in this content, I can turn this writeup into a video.
In this video, we’re going to update an existing IPSec VPN between Juniper SRX and Cisco IOS from pre-shared key to certificate authentication. We’re going to be looking at how IOS certificate configuration differs from SRX.
Video
Topology & Final Configs
TopologySRX0 PKI StepsSRX0IOS1 PKI StepsIOS1
At the configuration prompt (#), do the following:
If using a CRL, configure a DNS server: “set system name-server X.X.X.X”.
Configure a CA profile: “set security pki ca-profile CA_PROF ca-identity CA_CERT”.
Commit both
At the operational prompt (>), do the following:
Verify accurate date/time: “show system uptime”. If not accurate: “set date X”.
Make PKI directory: “file make-directory /var/tmp/PKI/”
Copy CA cert to PKI directory: “file copy http://X.X.X.X/ca.crt /var/tmp/PKI/”
Load CA cert into CA profile: “request security pki ca-certificate load ca-profile CA_PROF filename /var/tmp/PKI/ca.crt”
Verify CA cert: “show security pki ca-certificate detail”
Verify CRL, if applicable: “show security pki crl detail”
Verify local cert: “show security pki local-certificate detail”
#
set system host-name SRX0
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX0_CERT
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity distinguished-name
set security ike gateway IOS1 remote-identity distinguished-name container CN=IOS1.node9.tech
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
At the configuration prompt (config)#, do the following:
If using a CRL, configure a DNS server: “ip name-server X.X.X.X”.
Configure the trustpoint:
crypto pki trustpoint CA
enrollment terminal pem
subject-name CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US
revocation-check none
rsakeypair IOS1 2048
hash sha256
At the operational prompt (#), do the following:
Verify accurate date/time: “show clock”. If not accurate: “clock set X”.
Load CA cert into CA profile: “crypto pki authenticate CA”
Generate CSR: “crypto pki enroll CA”
Load local cert: “crypto pki import CA certificate”
Verify trustpoint: “show crypto pki trustpoints CA status”
In this video, we’re going to set up an IPSec VPN between Juniper SRX and Cisco IOS. Our Phase 1 tunnel will be IKE version 2 with pre-shared keys for authentication. Our Phase 2 tunnel will be route-based with tunnel interfaces. We’re going to be looking at the IOS configuration and how it differs from the SRX, plus looking at how to do a dynamic peer on IOS.
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 remote-identity hostname IOS1
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 dynamic hostname IOS1
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match identity remote fqdn SRX0
identity local fqdn IOS1
authentication remote pre-share key thisisanSRXtoIOSlab
authentication local pre-share key thisisanSRXtoIOSlab
lifetime 86400
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Tunnel1
tunnel mode ipsec ipv4
description SRX0
ip address 172.16.1.1 255.255.255.254
ip mtu 1400
tunnel source 208.105.102.30
tunnel destination 107.22.138.98
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match identity remote fqdn SRX0
identity local fqdn IOS1
authentication remote pre-share key thisisanSRXtoIOSlab
authentication local pre-share key thisisanSRXtoIOSlab
lifetime 86400
virtual-template 1
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
description DVTI
ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
interface Virtual-Template1 type tunnel
description SRX0
ip unnumbered Loopback1
ip mtu 1400
tunnel source 208.105.102.30
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
In this video, we’re going overcome the challenges in setting up an IPSec VPN thru a NAT. We’ll be using Juniper SRXs as our VPN peers, IKEv2 for the Phase 1 tunnel with pre-shared keys for authentication, and our Phase 2 tunnel with be route-based. We’re also going to look at what NAT Keepalive and NAT Traversal do for us.
Video
Static NAT - Topology & Final Configs
TopologySRX0SRX1SRX2
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 208.105.102.61
set security ike gateway SRX1 no-nat-traversal
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 address 208.105.102.62
set security ike gateway SRX2 no-nat-traversal
set security ike gateway SRX2 remote-identity hostname SRX2
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity inet 208.105.102.61
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
Dynamic NAT - Topology & Final Configs
TopologySRX0SRX1SRX2
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 dynamic hostname SRX1
set security ike gateway SRX1 no-nat-traversal
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 dynamic hostname SRX2
set security ike gateway SRX2 no-nat-traversal
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX1
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
NAT Overload - Topology & Final Configs
TopologySRX0SRX1SRX2
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 dynamic hostname SRX1
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 dynamic hostname SRX2
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 local-identity hostname SRX1
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
In this video, I configure a route-based IPSec VPN between two Juniper SRXs, this time using PKI certificates for authentication. I also demonstrate configuring IKE Dead Peer Detection(DPD) and multiple child IPSec SAs sharing a single IKE SA by using IKE Proxy Identity.
Video
Topology & Final Configs
TopologyPKI StepsSRX0SRX1
At the configuration prompt (#), do the following:
If using a CRL, configure a DNS server: “set system name-server X.X.X.X”.
Configure a CA profile: “set security pki ca-profile CA_PROF ca-identity CA_CERT”.
Commit both
At the operational prompt (>), do the following:
Verify accurate date/time: “show system uptime”. If not accurate: “set date X”.
Make PKI directory: “file make-directory /var/tmp/PKI/”
Copy CA cert to PKI directory: “file copy http://X.X.X.X/ca.crt /var/tmp/PKI/”
Load CA cert into CA profile: “request security pki ca-certificate load ca-profile CA_PROF filename /var/tmp/PKI/ca.crt”
Verify CA cert: “show security pki ca-certificate detail”
Verify CRL, if applicable: “show security pki crl detail”
Verify local cert: “show security pki local-certificate detail”
#
set system host-name SRX0
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX0_CERT
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX1 local-identity distinguished-name
set security ike gateway SRX1 remote-identity distinguished-name container CN=SRX1.node9.lab
set security ike gateway SRX1 dead-peer-detection probe-idle-tunnel
set security ike gateway SRX1 dead-peer-detection interval 5
set security ike gateway SRX1 dead-peer-detection threshold 2
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1_21 bind-interface st0.21
set security ipsec vpn SRX1_21 df-bit copy
set security ipsec vpn SRX1_21 ike gateway SRX1
set security ipsec vpn SRX1_21 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX1_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX1_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX1_121 bind-interface st0.121
set security ipsec vpn SRX1_121 df-bit copy
set security ipsec vpn SRX1_121 ike gateway SRX1
set security ipsec vpn SRX1_121 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX1_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX1_121 ike proxy-identity remote 2.2.2.2/32
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set security zones security-zone CORP interfaces st0.121
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.20/32
set interfaces st0 unit 21 description SRX1
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.0/31
set interfaces st0 unit 121 description SRX1
set interfaces st0 unit 121 family inet mtu 1400
set interfaces st0 unit 121 family inet address 172.16.121.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set protocols ospf area 0.0.0.0 interface st0.121
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.20
#
#
set system host-name SRX1
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX1_CERT
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ike gateway SRX0 local-identity distinguished-name
set security ike gateway SRX0 remote-identity distinguished-name container CN=SRX0.node9.lab
set security ike gateway SRX0 dead-peer-detection probe-idle-tunnel
set security ike gateway SRX0 dead-peer-detection interval 5
set security ike gateway SRX0 dead-peer-detection threshold 2
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0_21 bind-interface st0.21
set security ipsec vpn SRX0_21 df-bit copy
set security ipsec vpn SRX0_21 ike gateway SRX0
set security ipsec vpn SRX0_21 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX0_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX0_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX0_121 bind-interface st0.121
set security ipsec vpn SRX0_121 df-bit copy
set security ipsec vpn SRX0_121 ike gateway SRX0
set security ipsec vpn SRX0_121 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX0_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX0_121 ike proxy-identity remote 2.2.2.2/32
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set security zones security-zone CORP interfaces st0.121
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 43.164.20.254/30
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.21/32
set interfaces st0 unit 21 description SRX0
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.1/31
set interfaces st0 unit 121 description SRX0
set interfaces st0 unit 121 family inet mtu 1400
set interfaces st0 unit 121 family inet address 172.16.121.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set protocols ospf area 0.0.0.0 interface st0.121
set routing-options static route 0.0.0.0/0 next-hop 43.164.20.253
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.21
#
In these videos, we configure an IPSec VPN between two Juniper SRXs using pre-shared key for authentication.
Long Video
Short Video
Topology & Final Configs
TopologySRX0SRX1
#
set system host-name SRX0
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text $RX1k3y!
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.21
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security policies default-policy permit-all
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.20/32
set interfaces st0 unit 21 description SRX1
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.20
#
#
set system host-name SRX1
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text $RX1k3y!
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.21
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies default-policy permit-all
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 43.164.20.254/30
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.21/32
set interfaces st0 unit 21 description SRX0
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set routing-options static route 0.0.0.0/0 next-hop 43.164.20.253
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.21
#