Below is the list of IPsec and NAT topics that you may see in the JNCIE-SEC exam according to the exam page. I will not only talk about exam topics but also about the protocols in general and my troubleshooting tests. I would like to start JNCIE-SEC with IPsec, as this is the topic I know least about. I would also like to improve this JNCIE-SEC journal with the help of readers, so you are encouraged to send your own case studies. Just for your information, the content I am going to create about this exam is all my interpretation of the topics published by Juniper. I may not adhere 100% to the exam topics, and from time to time I may write about something that isn't relevant to the exam. Without further ado, let's begin the journey.

IPsec VPNs


  • Implementation of NAT
  • Source NAT
  • Destination NAT
  • Static NAT
  • Implementation of NAT with IPSec
  • Overlapping IPs between sites

Implementation of IPsec VPNs

IPsec negotiation (IKE) has two phases: IKE Phase 1 and IKE Phase 2. IKE Phase 1 also has two modes:

  • Main Mode
  • Aggressive Mode

Main Mode
Here is a simple site to site route based VPN topology.


Below is a wireshark capture of these two peers’ IPSEC negotiation.


Click to download the pcap file

Main Mode consists of three two-way exchanges (six messages). In the first exchange the initiator may send several proposals, i.e. its encryption algorithms, hashes, authentication method, lifetime, etc., but the responder must reply with exactly one. Practically speaking, what you see in this exchange is what you configure in the SRX's IKE proposal for the specific connection.

In the second exchange the peers perform Diffie-Hellman; it generates the keying material from which the shared secret keys are derived.

The third exchange is where encrypted communication starts: the peers exchange their identities and authenticate each other, for example using the pre-shared key (PSK).

Once these six messages are exchanged, IKE Phase 2 starts, which has only one mode: Quick Mode.
In this mode the communication is already encrypted, protected by the IKE Phase 1 SA. Here the IPsec SAs are established, and Quick Mode is also used to renegotiate them when the IPsec lifetime expires.

Practically, this is what we get once the IKE and IPsec SAs are established:

Note: the initiator cookie doesn't match the packet capture, as the capture was taken during another IPsec negotiation.

Let's send a 1000-byte ICMP packet from J23 and see how it looks on the wire:


If you look at the packet capture, our IP packet (echo request) is encapsulated in ESP and the SPI is a352cf0f, which is what we see in the command output for the outbound direction.


You can also see the SPI 6be505e0 in the inbound direction of the packet capture.
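To tie the Main Mode/Quick Mode exchanges and the SPI matching above together, here is an added example (not code from the original post) that classifies raw IPv4 packets the way one reads this pcap by hand: an ISAKMP header is decoded for its exchange type, initiator cookie and encryption flag, and an ESP header is decoded for its SPI, which is then looked up in an SA table. The SA table uses the two SPIs quoted above; the packets, cookies and addresses are constructed sample data.

```python
import struct

# Constructed SA table (SPIs quoted in the post) and ISAKMP exchange types (RFC 2408/2409).
SA_TABLE = {0xA352CF0F: "outbound", 0x6BE505E0: "inbound"}
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 32: "Quick Mode"}
ISAKMP_FLAG_ENCRYPTION, IKE_PORT, PROTO_UDP, PROTO_ESP = 0x01, 500, 17, 50

def parse_isakmp(data):
    """Decode the fixed 28-byte ISAKMP header: initiator cookie, exchange type and flags."""
    icookie, _rcookie, _np, _ver, xtype, flags, _msgid, _len = struct.unpack("!QQBBBBII", data[:28])
    return {"kind": "IKE", "exchange": EXCHANGE_TYPES.get(xtype, f"type {xtype}"),
            "initiator_cookie": f"{icookie:016x}", "encrypted": bool(flags & ISAKMP_FLAG_ENCRYPTION)}

def parse_esp(data, sa_table):
    """Decode the ESP header (SPI + sequence number) and map the SPI to a known SA direction."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"kind": "ESP", "spi": f"{spi:08x}", "seq": seq, "direction": sa_table.get(spi, "unknown SA")}

def classify_packet(packet, sa_table=SA_TABLE):
    """Classify a raw IPv4 packet as IKE (UDP/500), ESP (protocol 50) or other."""
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_ESP:
        return parse_esp(payload, sa_table)
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return parse_isakmp(payload[8:])  # skip the 8-byte UDP header
    return {"kind": "other", "protocol": proto}

def build_ipv4(proto, payload):
    """Constructed minimal IPv4 header (10.0.0.1 -> 10.0.0.2, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def ike_packet(icookie, rcookie, xtype, flags, body=b"\x00" * 40):
    """Constructed UDP/500 datagram carrying an ISAKMP header and an opaque body."""
    hdr = struct.pack("!QQBBBBII", icookie, rcookie, 1, 0x10, xtype, flags, 0, 28 + len(body))
    return build_ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 36 + len(body), 0) + hdr + body)

# Constructed samples: Main Mode message 1 (clear), Quick Mode (encrypted), ESP out, ESP in.
SAMPLES = [
    ike_packet(0x1122334455667788, 0, 2, 0),
    ike_packet(0x1122334455667788, 0x99AABBCCDDEEFF00, 32, ISAKMP_FLAG_ENCRYPTION),
    build_ipv4(PROTO_ESP, struct.pack("!II", 0xA352CF0F, 1) + b"\x00" * 16),
    build_ipv4(PROTO_ESP, struct.pack("!II", 0x6BE505E0, 7) + b"\x00" * 16),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify_packet(pkt))
```

The first two samples show why the first Main Mode exchange is readable in the capture while Quick Mode is not (encryption bit set), and the ESP samples reproduce the outbound/inbound SPI match made above.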

IPsec SA management behaves differently between releases. You may check KB26692 to see the differences.

When you have an established IPsec SA, you also have two sessions installed for it:

These are inbound sessions only, but I don't recall the reason for having two of them instead of one.

I would like to end this post here. It isn't really a VPN implementation post; I just wanted to make an introduction for future posts, in which I will do more practical stuff.
