IPsec configuration on SRX
Below is a route-based site-to-site IPsec configuration between two SRX boxes (an SRX240 and an SRX210), with the tunnel bound to st0.0 on each side.
HOST1
root@host1# show security
ike {
    proposal prop-basic {
        authentication-method pre-shared-keys;
        dh-group group2;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        mode main;
        proposals prop-basic;
        pre-shared-key ascii-text "$9$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI"; ## SECRET-DATA
    }
    gateway gateway-marsh {
        ike-policy pol-basic;
        address 172.30.72.255;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/0.0;
    }
}
ipsec {
    proposal prop-basic {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        proposals prop-basic;
    }
    vpn vpnx {
        bind-interface st0.0;
        ike {
            gateway gateway-marsh;
            ipsec-policy pol-basic;
        }
        establish-tunnels immediately;
    }
}
root@host1# show interfaces st0
unit 0 {
    family inet {
        mtu 1490;
        address 10.11.11.10/24;
    }
}
root@host1# show routing-options
static {
    route 10.201.2.0/24 next-hop st0.0;
}
HOST2
root@host2# show security
ike {
    proposal prop-basic {
        authentication-method pre-shared-keys;
        dh-group group2;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        mode main;
        proposals prop-basic;
        pre-shared-key ascii-text "$9$Yk4JD.PQ9v0ikA0BIrl24aZikmfT3/C"; ## SECRET-DATA
    }
    gateway gateway-craig {
        ike-policy pol-basic;
        address 172.30.72.226;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/0.0;
    }
}
ipsec {
    proposal prop-basic {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        proposals prop-basic;
    }
    vpn vpny {
        bind-interface st0.0;
        ike {
            gateway gateway-craig;
            ipsec-policy pol-basic;
        }
        establish-tunnels immediately;
    }
}
root@host2# show routing-options
static {
    route 10.200.2.0/24 next-hop st0.0;
}
root@host2# show interfaces st0
unit 0 {
    family inet {
        mtu 1490;
        address 10.11.11.11/24;
    }
}
Troubleshooting
root@host1> show security ike security-associations
Index   Remote Address   State  Initiator cookie  Responder cookie  Mode
35      172.30.72.255    UP     74d6e81797b4ca3a  66dfde896b7620b0  Main

root@host1> show security ike active-peer
Remote Address   Port  Peer IKE-ID     XAUTH username  Assigned IP
172.30.72.255    500   172.30.72.255

root@host1> show security ipsec security-associations
  Total active tunnels: 1
  ID       Gateway         Port  Algorithm     SPI       Life:sec/kb  Mon  vsys
  <131073  172.30.72.255   500   ESP:3des/md5  4bc06d39  3305/ unlim  -    root
  >131073  172.30.72.255   500   ESP:3des/md5  cf63feb9  3305/ unlim  -    root

root@host1> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:      0
  Decrypted bytes:      0
  Encrypted packets:    0
  Decrypted packets:    0
AH Statistics:
  Input bytes:          0
  Output bytes:         0
  Input packets:        0
  Output packets:       0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
TIP:
- Because the SRX default policy is deny-all, intra-zone traffic included, if your traffic enters and leaves in the same zone, make sure you have a security policy in place that permits it.
- Make sure IKE is allowed as host-inbound traffic on the outside interface (the one named as external-interface in the gateway), otherwise phase 1 never negotiates.
- st0.0 must be assigned to a security zone, otherwise the tunnel won't come up.
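The zone and policy configuration the tips refer to, written out for host1 in set format. This is an added example, not configuration from the original post: it assumes a zone named untrust for ge-0/0/0.0 (the external-interface from the gateway above), a dedicated zone named vpn for st0.0, a trust zone on an assumed LAN interface ge-0/0/1.0, and takes the two LAN prefixes from the static routes shown above. Host2 mirrors it with local-lan and remote-lan swapped.

```junos
## Host1 zones: outside (IKE peer), tunnel and inside. ge-0/0/1.0 is an assumed LAN interface.
set security zones security-zone untrust interfaces ge-0/0/0.0
## Second tip: IKE (UDP 500, as seen in "show security ike active-peer") must be permitted
## as host-inbound traffic on the outside zone, or phase 1 never starts.
set security zones security-zone untrust host-inbound-traffic system-services ike
## Third tip: st0.0 must belong to a zone. A dedicated zone keeps LAN<->VPN policy explicit
## and avoids the intra-zone deny-all trap from the first tip.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone trust interfaces ge-0/0/1.0
## Prefixes from the static routes above: host1's own LAN and the LAN behind host2.
set security zones security-zone trust address-book address local-lan 10.200.2.0/24
set security zones security-zone vpn address-book address remote-lan 10.201.2.0/24
## First tip: nothing is permitted by default, so write inter-zone policies in both
## directions, scoped to the two LAN prefixes rather than any/any.
set security policies from-zone trust to-zone vpn policy lan-to-vpn match source-address local-lan
set security policies from-zone trust to-zone vpn policy lan-to-vpn match destination-address remote-lan
set security policies from-zone trust to-zone vpn policy lan-to-vpn match application any
set security policies from-zone trust to-zone vpn policy lan-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-lan match source-address remote-lan
set security policies from-zone vpn to-zone trust policy vpn-to-lan match destination-address local-lan
set security policies from-zone vpn to-zone trust policy vpn-to-lan match application any
set security policies from-zone vpn to-zone trust policy vpn-to-lan then permit
## After commit, send traffic from 10.200.2.0/24 towards 10.201.2.0/24 and re-run
## "show security ipsec statistics": the encrypted/decrypted packet counters should leave zero.
```

The `##` lines are comments for the reader; drop them if your Junos version rejects them when pasting into configuration mode.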
Very good blog! You are kind of a guru on Juniper!!!
But the scenario that would really help me would be this…and it seems less helpful…
Which are the public ips of the routers? And how did you configure them?
These are two hosts in the same lab, so they don't have any public IPs, Henry.
Thank you for your reply!
hahaha…I guess my question sounds like a silly one…In most cases, when you make a VPN it is for connecting two public domains of the same sector…so, yes, of course these are all private IPs…but which are the “public” ones…you know…for the first handshake (IKE P1)?
172.30.72.255? If yes which is the other?
In the case of a public scenario…through an ISP, what would we change?