IPSEC VPN between SRX and Linux

After a little struggle, I have managed to establish an IPSEC VPN tunnel between an SRX box and a Linux machine. In case someone else needs it, my configuration is below.

SRX 650, JunOS 10.4R5.5

IKE CONFIG


IPSEC CONFIG

Make sure interfaces are assigned to zones properly and permissive security policies are in place. The main problem I ran into was a proposal mismatch, so instead of using a standard proposal set in Junos I adjusted the proposal to match my settings in Linux.
One configlet that needs emphasis is proxy-identity: without it only phase 1 comes up but not phase 2, and in the Linux racoon debug log I found the following when proxy-identity was missing:

Here is racoon.conf and setkey.conf
racoon.conf

setkey.conf

Here is proof that the VPN is up and running :)

Troubleshooting
1) Make sure each interface involved is properly assigned to a zone
2) There is a route towards the Linux box, like:

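Since the phase 2 failure above came down to the SRX proxy-identity not matching the selectors racoon expects, here is an added sanity check (not part of the original post or the author's configuration) that parses both snippets and confirms they mirror each other. The subnets are the ones quoted in the comments; the racoon sainfo line and its algorithms are assumed sample values, not the author's real file.

```python
import ipaddress
import re

# Constructed SRX snippet: the proxy-identity block quoted in the comments below.
SRX_SNIPPET = """
proxy-identity {
    local 192.168.100.0/24;
    remote 192.168.200.0/24;
    service any;
}
"""

# Constructed racoon.conf phase-2 selector (assumed sample, not the author's file).
# racoon lists its own side first, then the peer's side.
RACOON_SNIPPET = """
sainfo address 192.168.200.0/24 any address 192.168.100.0/24 any {
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
}
"""


def srx_proxy_identity(text):
    """Return (local, remote) networks from a Junos proxy-identity block.

    Raises ValueError when the block is absent, which is exactly the case
    where phase 1 comes up but phase 2 never does.
    """
    block = re.search(r"proxy-identity\s*\{(.*?)\}", text, re.S)
    if not block:
        raise ValueError("no proxy-identity block in SRX config")
    loc = re.search(r"\blocal\s+(\S+);", block.group(1))
    rem = re.search(r"\bremote\s+(\S+);", block.group(1))
    if not (loc and rem):
        raise ValueError("proxy-identity lacks local/remote")
    # ip_network() is strict: a host address with a /24 mask is rejected.
    return ipaddress.ip_network(loc.group(1)), ipaddress.ip_network(rem.group(1))


def racoon_sainfo(text):
    """Return (local, remote) networks from a racoon 'sainfo address' line."""
    m = re.search(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+", text)
    if not m:
        raise ValueError("no sainfo address selector in racoon.conf")
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def phase2_ids_match(srx_text, racoon_text):
    """True only when SRX local/remote are the exact mirror of racoon local/remote."""
    srx_local, srx_remote = srx_proxy_identity(srx_text)
    rc_local, rc_remote = racoon_sainfo(racoon_text)
    return srx_local == rc_remote and srx_remote == rc_local
```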
8 thoughts on “IPSEC VPN between SRX and Linux”

  1. sathish

    Have you tried enabling DPD in racoon for ipsec between SRX and linux?
    SRX is not acknowledging the dpd
    DPD: remote (ISAKMP-SA remote: 10.0.120.20[500] spi=7bcd4864810cbf9f:e717172e2cde1d93) Seq#/Fail 0x2b4/44. Did not rx DPD ack but sending next packet.

    Let me know if you have tried this and works for you.

  2. rtoodtoo Post author

    Hi,
    Unfortunately I haven’t tried DPD. To be honest, I used linux when I didn’t have a 3rd SRX device during my studies. I don’t recall that I enabled DPD. If I try this setup again, I will update this post of course.

    Genco.

  3. Atul

    Hi,
    Can you explain your network topology? Like what IP is st0.0 using, and what are the networks behind Linux and Juniper-SRX? Thanks

  4. rtoodtoo Post author

    Hi Atul,
    I don’t have the setup right now but the networks can be seen in the proxy-identity section of the SRX:

    proxy-identity {
    local 192.168.100.0/24;
    remote 192.168.200.0/24;
    }

    SRX has 100.0/24 and linux has 200.0/24 networks. As far as I remember IP on st0.0 interface can be any IP on this setup but I will try to confirm this in a different post as this post is quite primitive.

    1. rtoodtoo Post author

      If you mean the dynamic vpn connection, probably not. As far as I recall only pulse works.

  5. Muhammad Fahad Khan

    Hi, how did you set up/configure this setkey.conf? I am not finding that on my Linux machine.

    1. rtoodtoo Post author

      As far as I recall, there wasn’t a file; I created it based on the official docs.
