IPSEC between StrongSwan and SRX

In one of my earlier posts I provided my configuration for an IPSEC VPN setup between an SRX firewall and Linux with racoon. In this post, I will explain how you can set up a route based IPSEC tunnel between StrongSwan (pre-shared key) and SRX firewall. Topology of my setup is below;


Tunnel Peers: debian1 and j41
Tunnel End point addresses: debian1( — j41(
Protected Networks: debian1( — j41(
SRX Junos Release: 12.1X46-D15.3
StrongSwan Release: 4.5.2-1.5+deb7u2


Create your strongswan configuration files as below;


config setup

conn j41-srx


@debian1.example.com @j41.example.com : PSK "lab123"

Strongswan config is this much, now SRX config.


lab@J41-Amsterdam# show security ike proposal strongswan 
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;

lab@J41-Amsterdam# show security ike policy strongswan       
mode main;
description "Debian1 PSK strongswan";
proposals strongswan;
pre-shared-key ascii-text "$9$uN.70Icyrv8LNcSwYoaUD"; ## SECRET-DATA

lab@J41-Amsterdam# show security ike gateway gw-debian1-strongswan       
ike-policy strongswan;
local-identity hostname j41.example.com;
remote-identity hostname debian1.example.com;
external-interface ge-0/0/0.64;

As I have several configuration for different peers, you can see IKE proposal,policy and gateway configuration in order.


lab@J41-Amsterdam# show security ipsec proposal strongswan            
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;

lab@J41-Amsterdam# show security ipsec policy strongswan      
perfect-forward-secrecy {
    keys group14;
proposals strongswan;

lab@J41-Amsterdam# show security ipsec vpn vpn-debian1-strongswan 
bind-interface st0.0;
ike {
    gateway gw-debian1-strongswan;
    proxy-identity {
    ipsec-policy strongswan;
establish-tunnels immediately;

IPSEC config is also in the same order proposal,policy and vpn.

Let’s verify this setup on two sides;


root@J41-Amsterdam> show security ike sa  
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address     
5695104 UP     bd883616bc2937de  35dea150eee8edc6  Main     

root@J41-Amsterdam> show security ipsec sa  
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131082 ESP:aes-cbc-128/sha1 80677dc 2893/ unlim - root 500    
  >131082 ESP:aes-cbc-128/sha1 ce787e8c 2893/ unlim - root 500   


root@debian1:~# ipsec status j41-srx
000 "j41-srx":[debian1.example.com]...[j41.example.com]===; erouted; eroute owner: #4
000 "j41-srx":   newest ISAKMP SA: #3; newest IPsec SA: #4; 
000 #4: "j41-srx" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2602s; newest IPSEC; eroute owner
000 #4: "j41-srx" esp.80677dc@ (0 bytes) esp.ce787e8c@ (0 bytes); tunnel
000 #3: "j41-srx" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27802s; newest ISAKMP
000 #2: "j41-srx" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2106s
000 #2: "j41-srx" esp.f09e63ad@ (0 bytes) esp.c3a90cd4@ (0 bytes); tunnel
000 #1: "j41-srx" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27065s
Security Associations:
  no match

root@debian1:~# ip -s xfrm policy list src
src dst uid 0
        dir out action allow index 521 priority 1859 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2014-04-15 21:15:05 use -
        tmpl src dst
                proto esp spi 0x00000000(0) reqid 16384(0x00004000) mode tunnel
                level required share any 
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

As you can see tunnel is established properly. I have tested this config two times on these releases. I hope there isn’t any mistake so far. I haven’t passed traffic on this setup as my purpose was to see how the configuration is done but I don’t think there should be a problem. Should you have any feedback, please feel free to comment!

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE

5 thoughts on “IPSEC between StrongSwan and SRX”

  1. I am trying to do the same task and succeful in making th tunnel but traffic is not passing through..please do some favor for me

    1. Yes you are right, I missed that but it should be an easy one as it is just an interface config and a static route towards the st0.0 interface.

You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.