Juniper SRX IPSEC

wan int ge-0/0/0.0 172.16.12.1 remote ip 172.16.12.2
lan int ge-0/0/1.0 192.168.1.0/24 remote ip 192.168.2.0/24

set system root plain-text-password
set interfaces ge-0/0/0 unit 0 family inet address 172.16.12.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic protocols all

Phase-1
set security ike proposal ike-prop description Remote-SRX
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-prop lifetime-seconds 3600

set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text “$9$mPz6u0Icrvz3RSeK7Ns24”

set security ike gateway gat-RSRX ike-policy ike-pol
set security ike gateway gat-RSRX address 172.16.12.2
set security ike gateway gat-RSRX external-interface ge-0/0/0
set security ike gateway gat-RSRX version v2-only

phase-2
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

set routing-options static route 192.168.2.0/24 next-hop st0.0

set security ipsec proposal prop-RSRX protocol esp
set security ipsec proposal prop-RSRX authentication-algorithm hmac-sha-256-128
set security ipsec proposal prop-RSRX encryption-algorithm aes-256-cbc
set security ipsec proposal prop-RSRX lifetime-seconds 3600

set security ipsec policy pol-RSRX perfect-forward-secrecy keys group2
set security ipsec policy pol-RSRX proposals prop-RSRX

set security ipsec vpn vpn-RSRX bind-interface st0.0
set security ipsec vpn vpn-RSRX ike gateway gat-RSRX
set security ipsec vpn vpn-RSRX ike ipsec-policy pol-RSRX
set security ipsec vpn vpn-RSRX establish-tunnels immediately

phase-1 check
show security ike security-associations
phase-2 check
show security ipsec security-associations

Allow traffic
set security policies from-zone vpn to-zone trust policy allowall match source-address any
set security policies from-zone vpn to-zone trust policy allowall match destination-address any
set security policies from-zone vpn to-zone trust policy allowall match application any
set security policies from-zone vpn to-zone trust policy allowall then permit

set security policies from-zone trust to-zone vpn policy allowall match source-address any
set security policies from-zone trust to-zone vpn policy allowall match destination-address any
set security policies from-zone trust to-zone vpn policy allowall match application any
set security policies from-zone trust to-zone vpn policy allowall then permit

*****************************************************************************************************
Working lab
SRX-1

root# run show configuration | display set
set version 15.1X49-D170.4
set system root-authentication encrypted-password “$5$L5S2aRWG$hY0.npiPlYdAkhw478KwBxdJv1lWOTWcT4vETQTkocD”
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security log mode stream
set security log report
set security ike proposal ike-prop description pfsense
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text “$9$mPz6u0Icrvz3RSeK7Ns24”
set security ike gateway gat-pfsense ike-policy ike-pol
set security ike gateway gat-pfsense address 172.16.12.2
set security ike gateway gat-pfsense external-interface ge-0/0/0
set security ike gateway gat-pfsense version v2-only
set security ipsec proposal prop-pfsense protocol esp
set security ipsec proposal prop-pfsense authentication-algorithm hmac-sha-256-128
set security ipsec proposal prop-pfsense encryption-algorithm aes-256-cbc
set security ipsec proposal prop-pfsense lifetime-seconds 3600
set security ipsec policy pol-pfsense perfect-forward-secrecy keys group2
set security ipsec policy pol-pfsense proposals prop-pfsense
set security ipsec vpn vpn-pfsense bind-interface st0.0
set security ipsec vpn vpn-pfsense ike gateway gat-pfsense
set security ipsec vpn vpn-pfsense ike ipsec-policy pol-pfsense
set security ipsec vpn vpn-pfsense establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone vpn to-zone trust policy allowall match source-address any
set security policies from-zone vpn to-zone trust policy allowall match destination-address any
set security policies from-zone vpn to-zone trust policy allowall match application any
set security policies from-zone vpn to-zone trust policy allowall then permit
set security policies from-zone trust to-zone vpn policy allowall match source-address any
set security policies from-zone trust to-zone vpn policy allowall match destination-address any
set security policies from-zone trust to-zone vpn policy allowall match application any
set security policies from-zone trust to-zone vpn policy allowall then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 description Uplink
set interfaces ge-0/0/0 unit 0 family inet address 172.16.12.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 192.168.2.0/24 next-hop st0.0

SRX-2

root# run show configuration | display set
set version 15.1X49-D170.4
set system root-authentication encrypted-password “$5$jEz0X43L$htcImYw4Rb//am9D3O5.UWoa.qNPiGJjMh1F0cs.n79”
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security log mode stream
set security log report
set security ike proposal ike-prop description pfsense
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text “$9$mPz6u0Icrvz3RSeK7Ns24”
set security ike gateway gat-pfsense ike-policy ike-pol
set security ike gateway gat-pfsense address 172.16.12.1
set security ike gateway gat-pfsense external-interface ge-0/0/0
set security ike gateway gat-pfsense version v2-only
set security ipsec proposal prop-pfsense protocol esp
set security ipsec proposal prop-pfsense authentication-algorithm hmac-sha-256-128
set security ipsec proposal prop-pfsense encryption-algorithm aes-256-cbc
set security ipsec proposal prop-pfsense lifetime-seconds 3600
set security ipsec policy pol-pfsense perfect-forward-secrecy keys group2
set security ipsec policy pol-pfsense proposals prop-pfsense
set security ipsec vpn vpn-pfsense bind-interface st0.0
set security ipsec vpn vpn-pfsense ike gateway gat-pfsense
set security ipsec vpn vpn-pfsense ike ipsec-policy pol-pfsense
set security ipsec vpn vpn-pfsense establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone vpn to-zone trust policy allowall match source-address any
set security policies from-zone vpn to-zone trust policy allowall match destination-address any
set security policies from-zone vpn to-zone trust policy allowall match application any
set security policies from-zone vpn to-zone trust policy allowall then permit
set security policies from-zone trust to-zone vpn policy allowall match source-address any
set security policies from-zone trust to-zone vpn policy allowall match destination-address any
set security policies from-zone trust to-zone vpn policy allowall match application any
set security policies from-zone trust to-zone vpn policy allowall then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 description Uplink
set interfaces ge-0/0/0 unit 0 family inet address 172.16.12.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 192.168.1.0/24 next-hop st0.0

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *