PSK IPSec VPN – SRX to SRX – Long & Short

In these videos we configure a route-based IPsec VPN between two Juniper SRXs, authenticated with a pre-shared key: IKEv2 only, AES-256-CBC with SHA-256 and DH group 14 for both phases (PFS enabled), a numbered st0.21 tunnel interface, and OSPF across the tunnel so the loopbacks are reachable without static routes. Two settings in the final configs are lab shortcuts rather than recommendations: default-policy permit-all lets any zone reach any zone (including WWW to CORP), and the CORP zone accepts all host-inbound services and protocols. The short pre-shared key shown is also a lab value; use a long random key in production. Junos displays the key in show configuration as an obfuscated $9$ string, not in cleartext as written below.

Long Video
Short Video
Topology & Final Configs

Topology: SRX0 (ge-0/0/0 107.22.138.98/29 in zone WWW, lo0 10.0.0.20/32) and SRX1 (ge-0/0/0 43.164.20.254/30 in zone WWW, lo0 10.0.0.21/32) peer across the Internet via their default routes. The tunnel interface st0.21 sits in zone CORP on both sides (172.16.21.0/31 on SRX0, 172.16.21.1/31 on SRX1), and OSPF area 0.0.0.0 runs over it to exchange the loopback routes.

SRX0
#
set system host-name SRX0
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text $RX1k3y!
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.21
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security policies default-policy permit-all
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.20/32
set interfaces st0 unit 21 description SRX1
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.20
#

SRX1
#
set system host-name SRX1
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text $RX1k3y!
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.21
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies default-policy permit-all
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 43.164.20.254/30
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.21/32
set interfaces st0 unit 21 description SRX0
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set routing-options static route 0.0.0.0/0 next-hop 43.164.20.253
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.21
#
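After commit, confirm the tunnel on either box with show security ike security-associations, show security ipsec security-associations and show ospf neighbor. Before committing, the script below is an added example (not from the videos and not Juniper code) that reads both set-format configs offline and reports the mistakes that most often keep a PSK tunnel down: proposal, PFS, IKE-version or key mismatches between the peers, a gateway address that does not match the other side's external-interface address, weak groups or algorithms, and the default-policy permit-all shortcut. It embeds the lines of this page's SRX0 config it needs and derives SRX1 as the mirror image; the WEAK list, the MUST_MATCH list and the one-gateway-per-device assumption are the example's own.

```python
from collections import defaultdict

# Constructed input: the lines of this page's SRX0 config that the checks read.
SRX0 = """
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text $RX1k3y!
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security policies default-policy permit-all
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
"""
# SRX1 is the mirror image on the page: gateway named SRX0, public addresses swapped.
SRX1 = (SRX0.replace("gateway SRX1", "gateway SRX0")
            .replace("address 43.164.20.254", "address 107.22.138.98")
            .replace("107.22.138.98/29", "43.164.20.254/30"))

# Junos keywords for groups/algorithms a new deployment should not negotiate (example's own list).
WEAK = {"group1", "group2", "group5", "des-cbc", "3des-cbc",
        "md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
# Parameters both peers must agree on, or IKE/IPsec negotiation fails.
MUST_MATCH = ("psk", "pfs", "ike_version", "ike_dh-group", "ike_encryption-algorithm",
              "ike_authentication-algorithm", "ipsec_encryption-algorithm",
              "ipsec_authentication-algorithm")

def parse(text):
    """Map each 'set' line to {path tuple: [values]}; the last token is the value."""
    cfg = defaultdict(list)
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] == ["set"] and len(toks) > 2:
            cfg[tuple(toks[1:-1])].append(toks[-1])
    return cfg

def one(cfg, *path):
    """Single value at path, or None if absent or ambiguous (absent = Junos default)."""
    vals = cfg.get(path, [])
    return vals[0] if len(vals) == 1 else None

def first_name(cfg, *prefix):
    """Name of the first object under prefix, e.g. the IKE gateway name."""
    return next(p[len(prefix)] for p in cfg if p[:len(prefix)] == prefix)

def summary(cfg):
    """Resolve gateway -> IKE policy -> proposal and IPsec policy -> proposal references."""
    gw = first_name(cfg, "security", "ike", "gateway")
    ike_pol = one(cfg, "security", "ike", "gateway", gw, "ike-policy")
    ike_prop = one(cfg, "security", "ike", "policy", ike_pol, "proposals")
    ipsec_pol = first_name(cfg, "security", "ipsec", "policy")
    ipsec_prop = one(cfg, "security", "ipsec", "policy", ipsec_pol, "proposals")
    ifd, unit = one(cfg, "security", "ike", "gateway", gw, "external-interface").rsplit(".", 1)
    local = one(cfg, "interfaces", ifd, "unit", unit, "family", "inet", "address")
    s = {
        "local": local.split("/")[0],
        "peer": one(cfg, "security", "ike", "gateway", gw, "address"),
        "ike_version": one(cfg, "security", "ike", "gateway", gw, "version"),
        # Comparable only on cleartext configs like this page's; a committed config
        # displays the key as a per-device $9$... string.
        "psk": one(cfg, "security", "ike", "policy", ike_pol, "pre-shared-key", "ascii-text"),
        "pfs": one(cfg, "security", "ipsec", "policy", ipsec_pol, "perfect-forward-secrecy", "keys"),
        "default_policy": one(cfg, "security", "policies", "default-policy"),
    }
    for k in ("dh-group", "encryption-algorithm", "authentication-algorithm"):
        s["ike_" + k] = one(cfg, "security", "ike", "proposal", ike_prop, k)
    for k in ("encryption-algorithm", "authentication-algorithm"):
        s["ipsec_" + k] = one(cfg, "security", "ipsec", "proposal", ipsec_prop, k)
    return s

def audit(a_text, b_text):
    """Findings for a peer pair; an empty list means nothing to report."""
    a, b = summary(parse(a_text)), summary(parse(b_text))
    findings = [f"mismatch {k}: {a[k]} vs {b[k]}" for k in MUST_MATCH if a[k] != b[k]]
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        findings.append("gateway address does not match the peer's external-interface address")
    for name, s in (("A", a), ("B", b)):
        if s["ike_version"] != "v2-only":
            findings.append(f"{name}: IKE version {s['ike_version']} (unset means IKEv1 on Junos)")
        findings += [f"{name}: weak {k} {v}" for k, v in s.items() if v in WEAK]
        if s["default_policy"] == "permit-all":
            findings.append(f"{name}: default-policy permit-all permits all inter-zone traffic")
    return findings

if __name__ == "__main__":
    for f in audit(SRX0, SRX1) or ["no findings"]:
        print(f)
```

Run against the two configs on this page it reports only the permit-all shortcut on each side; change group14 to group2 in one peer's PFS setting, or drop version v2-only on one side, and it reports the mismatch and the weak group before you spend time on traceoptions. The PSK comparison only works on cleartext set output like the page's; on a live box compare the tunnels with show security ike security-associations instead.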
