IPSEC VPN between SRX and Netscreen

Below you will find my IPsec VPN configuration between an SRX100 device and a Netscreen 5GT. Here is the topology:

Protected Networks on Netscreen: 10.10.10.0/24
Protected Network on SRX : 192.168.0.0/24

[Topology diagram: ipsec_srx100_netscreen]

This is in fact a hub and spoke topology. I have two more SRX devices connected to the same hub, but to keep this post simple I will only include the config for these two nodes.

Tunnel Interface and physical interface config

Zone Configuration

One of the most important things that we shouldn’t forget is to enable IKE on the external interface.

Another important point, which I miss from time to time, is that the security policy must be written from the VPN zone to the zone you need to reach, i.e. from the zone holding the st0.0 interface to whatever zone you want.
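The two points above, in set-format Junos config, as an added example rather than the post’s own configuration. It assumes the external interface is fe-0/0/0.0 with the untrust address 172.16.3.2/24 from the topology, that st0.0 carries the tunnel address 192.168.100.10/24, that the LAN sits on vlan.0 in zone trust, and that the IKE/IPsec object names and the Netscreen peer address are placeholders; zone-level address books are used so it also fits older Junos releases.

```junos
## Added example, not the post's config. Interface names, object names and the
## peer address are assumptions/placeholders; only the prefixes come from the post.

## Tunnel interface carrying the tunnel IP from the topology
set interfaces st0 unit 0 family inet address 192.168.100.10/24

## Point 1: allow inbound IKE on the zone that holds the external interface.
## Without this the SRX silently drops the peer's IKE packets (UDP 500/4500)
## and phase 1 never completes.
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

## Put st0.0 in its own zone so VPN traffic is matched explicitly by policy
set security zones security-zone vpn interfaces st0.0
set security zones security-zone trust interfaces vlan.0

## Route-based VPN bound to st0.0 (placeholder names; proposals omitted)
set security ike gateway gw-netscreen address <NETSCREEN-PUBLIC-IP>
set security ike gateway gw-netscreen external-interface fe-0/0/0.0
set security ipsec vpn vpn-netscreen bind-interface st0.0
set security ipsec vpn vpn-netscreen ike gateway gw-netscreen

## Point 2: policies run from the zone holding st0.0 to the destination zone
## (and the reverse direction), never from untrust. Match only the two
## protected networks so the tunnel does not become an any/any path.
set security zones security-zone trust address-book address net-srx 192.168.0.0/24
set security zones security-zone vpn address-book address net-netscreen 10.10.10.0/24
set security policies from-zone vpn to-zone trust policy ns-to-srx match source-address net-netscreen
set security policies from-zone vpn to-zone trust policy ns-to-srx match destination-address net-srx
set security policies from-zone vpn to-zone trust policy ns-to-srx match application any
set security policies from-zone vpn to-zone trust policy ns-to-srx then permit
set security policies from-zone trust to-zone vpn policy srx-to-ns match source-address net-srx
set security policies from-zone trust to-zone vpn policy srx-to-ns match destination-address net-netscreen
set security policies from-zone trust to-zone vpn policy srx-to-ns match application any
set security policies from-zone trust to-zone vpn policy srx-to-ns then permit

## Send the remote protected network into the tunnel
set routing-options static route 10.10.10.0/24 next-hop st0.0
```

To confirm both points took effect, commit and check phase 1 with `show security ike security-associations` and phase 2 with `show security ipsec security-associations`; an empty IKE table with the peer initiating is the classic symptom of the missing host-inbound-traffic line, while established SAs but no traffic usually means the policy was written from the wrong zone pair (`show security flow session` will then show the packets being dropped rather than traversing st0.0).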

Netscreen Side CONFIGURATION

And here is the ping test, which works well!

As both devices work well together, we didn’t need to play with NHTB (next-hop tunnel binding) configuration. In the next post I will try an SRX-to-Cisco VPN and see how the configuration changes.

5 thoughts on “IPSEC VPN between SRX and Netscreen”

  1. Simon Cornish

    Hi rtoo. I am just about to follow what looks like an excellent description of exactly what I am trying to do (except the NS5GT is an NS50 in our case). I would like to ask though, in your diagram showing the SRX and the NS5GT, should the untrust interface not be 172.16.3.2/24? If not, I am misunderstanding something 🙂

    1. rtoodtoo Post author

      Hi Simon,
      You aren’t misunderstanding. I made a mistake, and thank you for this, good catch. I have corrected the image; I think you meant the topology image, as I didn’t notice an error in the config. If you think there is another mistake, don’t hesitate to tell me.

      cheers
      Genco.

  2. Mike

    Your drawing has another error, or your config does. The drawing on the NS side identifies 192.168.100.10/24 as the IP, but your config shows 192.168.100.100/24.

    1. rtoodtoo Post author

      Thanks for pointing out the mistake, Mike. I have updated the topology image, as the config looks correct but the image was showing the wrong tunnel IP.
