ipsec configuration on srx

Below is a route-based site-to-site IPsec VPN configuration between two SRX boxes (an SRX240 and an SRX210). Each side binds the VPN to a secure tunnel interface (st0.0) and uses a static route to send the remote subnet into the tunnel, so no policy-based tunnel definitions are needed.

HOST1

root@host1# show security
ike {
    proposal prop-basic {
        authentication-method pre-shared-keys;
        dh-group group2;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        mode main;
        proposals prop-basic;
        pre-shared-key ascii-text "$9$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI"; ## SECRET-DATA
    }
    gateway gateway-marsh {
        ike-policy pol-basic;
        address 172.30.72.255;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/0.0;
    }
}
ipsec {
    proposal prop-basic {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        proposals prop-basic;
    }
    vpn vpnx {
        bind-interface st0.0;
        ike {
            gateway gateway-marsh;
            ipsec-policy pol-basic;
        }
        establish-tunnels immediately;
    }
}
root@host1# show interfaces st0
unit 0 {
    family inet {
        mtu 1490;
        address 10.11.11.10/24;
    }
}
root@host1# show routing-options
static {
    route 10.201.2.0/24 next-hop st0.0;
}

HOST2

root@host2# show security
ike {
    proposal prop-basic {
        authentication-method pre-shared-keys;
        dh-group group2;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        mode main;
        proposals prop-basic;
        pre-shared-key ascii-text "$9$Yk4JD.PQ9v0ikA0BIrl24aZikmfT3/C"; ## SECRET-DATA
    }
    gateway gateway-craig {
        ike-policy pol-basic;
        address 172.30.72.226;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/0.0;
    }
}
ipsec {
    proposal prop-basic {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        proposals prop-basic;
    }
    vpn vpny {
        bind-interface st0.0;
        ike {
            gateway gateway-craig;
            ipsec-policy pol-basic;
        }
        establish-tunnels immediately;
    }
}
root@host2# show routing-options
static {
    route 10.200.2.0/24 next-hop st0.0;
}
root@host2# show interfaces st0
unit 0 {
    family inet {
        mtu 1490;
        address 10.11.11.11/24;
    }
}
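The commonest reason a tunnel like this stays down is a proposal mismatch between the two peers, and the second thing a reviewer looks at is the algorithm set itself. The following Python script is an added example (not code from this post or from Juniper): it parses the curly-brace "show security" output of both peers, reports whether Phase 1 and Phase 2 have at least one proposal in common, and flags the legacy 3des-cbc / hmac-md5-96 / group2 choices used above. The PEER_A sample is host1's proposal stanzas with the pre-shared key replaced by a placeholder; the HARDENED sample (aes-256-cbc, sha-256, group14) is an assumed alternative written for the example, not something on this page.

```python
"""Audit two Junos SRX peers' IKE/IPsec proposals for mismatches and legacy crypto."""

# Constructed sample: host1's proposal stanzas from this page, with the pre-shared
# key replaced by a placeholder (assumption: the real secret is elided).
PEER_A = """\
ike {
    proposal prop-basic {
        authentication-method pre-shared-keys;
        dh-group group2;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy pol-basic {
        pre-shared-key ascii-text "REDACTED"; ## SECRET-DATA
    }
}
ipsec {
    proposal prop-basic {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
}
"""
PEER_B = PEER_A  # host2 on this page offers identical proposals, so it must negotiate

# Constructed hardened counterpart (an assumed alternative, not from the page):
# AES-256, SHA-256 and DH group14 (2048-bit) in place of 3DES, MD5 and group2.
HARDENED = """\
ike {
    proposal prop-strong {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
    }
}
ipsec {
    proposal prop-strong {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-256-cbc;
    }
}
"""

def parse_junos(text):
    """Parse curly-brace 'show' output into nested dicts; leaves map 'key' -> rest of line."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()   # drop '## SECRET-DATA' annotations
        if not line:
            continue
        if line.endswith("{"):                 # block header, e.g. 'proposal prop-basic {'
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":
            node = stack.pop()
        elif line.endswith(";"):               # leaf, e.g. 'dh-group group2;'
            key, _, value = line[:-1].partition(" ")
            node[key] = value.strip()
    return root

def _proposals(cfg, section):
    for name, body in cfg.get(section, {}).items():
        if name.startswith("proposal "):
            yield name.split(" ", 1)[1], body

# Attributes both peers must offer identically for Phase 1 / Phase 2 to agree.
# Lifetimes are left out on purpose: a lifetime mismatch does not by itself stop negotiation.
NEGOTIATED = {
    "ike": ("authentication-method", "dh-group", "encryption-algorithm", "authentication-algorithm"),
    "ipsec": ("protocol", "encryption-algorithm", "authentication-algorithm"),
}

def negotiable(cfg_a, cfg_b):
    """Per section, True if the peers share at least one proposal with identical attributes."""
    result = {}
    for section, fields in NEGOTIATED.items():
        offered = [{tuple(body.get(f) for f in fields) for _, body in _proposals(cfg, section)}
                   for cfg in (cfg_a, cfg_b)]
        result[section] = bool(offered[0] & offered[1])
    return result

# Legacy choices a reviewer should flag: DES/3DES, MD5, DH groups below 2048 bits.
WEAK = {
    "dh-group": {"group1", "group2", "group5"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "authentication-algorithm": {"md5", "hmac-md5-96"},
}

def weak_settings(cfg):
    """List (section, proposal, field, value) for every legacy choice in any proposal."""
    return [(section, name, field, value)
            for section in ("ike", "ipsec")
            for name, body in _proposals(cfg, section)
            for field, value in body.items()
            if value in WEAK.get(field, ())]

if __name__ == "__main__":
    a = parse_junos(PEER_A)
    print(negotiable(a, parse_junos(PEER_B)), negotiable(a, parse_junos(HARDENED)), weak_settings(a))
```

Run it against the saved "show security" output of both firewalls; an empty False in either section of negotiable() is the first thing to fix, and anything weak_settings() returns is the second.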

Troubleshooting

Check in this order: Phase 1 (the IKE SA), then Phase 2 (the inbound and outbound IPsec SA pair), then the ESP counters. The output below is taken on host1 after the tunnel came up.

root@host1> show security ike security-associations 
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
35      172.30.72.255     UP     74d6e81797b4ca3a  66dfde896b7620b0  Main
root@host1> show security ike active-peer 
Remote Address                      Port     Peer IKE-ID                         XAUTH username                      Assigned IP
172.30.72.255                         500      172.30.72.255
root@host1> show security ipsec security-associations 
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 172.30.72.255    500   ESP:3des/md5    4bc06d39 3305/ unlim   -   root
  >131073 172.30.72.255    500   ESP:3des/md5    cf63feb9 3305/ unlim   -   root
root@host1> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
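Reading the outputs above in order (IPsec SA pair, then ESP counters) is a fixed procedure, so here it is as a small Python checker. This is an added example and not part of the original post: it parses constructed copies of the "show security ipsec security-associations" and "show security ipsec statistics" output shown above (with a plain "-" in the Mon column) and returns the tunnel state together with the next thing to check. On this page both SAs are UP yet every ESP counter is zero, which the checker reports as "up-idle": the tunnel is established but nothing has been routed into it yet.

```python
"""Classify SRX IPsec tunnel state from 'show security ipsec' operational output."""
import re

# Constructed samples mirroring the output on this page (SA pair up, zero ESP counters),
# plus busy and one-way counter variants to contrast with it.
SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 172.30.72.255    500   ESP:3des/md5    4bc06d39 3305/ unlim   -   root
  >131073 172.30.72.255    500   ESP:3des/md5    cf63feb9 3305/ unlim   -   root
"""
STATS_IDLE = """\
ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
"""
STATS_BUSY = re.sub(r"(packets:\s+)0$", r"\g<1>1200", STATS_IDLE, flags=re.M)
STATS_ONEWAY = re.sub(r"(Encrypted packets:\s+)0$", r"\g<1>37", STATS_IDLE, flags=re.M)

SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<gateway>\S+)\s+(?P<port>\d+)\s+(?P<alg>\S+)\s+"
    r"(?P<spi>[0-9A-Fa-f]+)\s+(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+(?P<mon>\S+)\s+(?P<vsys>\S+)\s*$")
STAT_LINE = re.compile(r"^\s*(Encrypted|Decrypted) (bytes|packets):\s+(\d+)")

def parse_sas(text):
    """One dict per SA row; '<' is inbound, '>' outbound, paired by tunnel ID."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            row = m.groupdict()
            row["id"], row["life_sec"] = int(row["id"]), int(row["life_sec"])
            rows.append(row)
    return rows

def parse_stats(text):
    """{'encrypted_packets': n, ...} from the ESP Statistics block."""
    return {f"{m.group(1).lower()}_{m.group(2)}": int(m.group(3))
            for m in map(STAT_LINE.match, text.splitlines()) if m}

def diagnose(sa_text, stats_text):
    """Return (verdict, next check), walking the troubleshooting order:
    Phase 2 SAs present -> both directions present -> traffic actually flowing."""
    sas, stats = parse_sas(sa_text), parse_stats(stats_text)
    if not sas:
        return "no-sa", "no Phase 2 SA: verify Phase 1 with 'show security ike security-associations' and compare proposals"
    pairs = {}
    for sa in sas:
        pairs.setdefault(sa["id"], set()).add(sa["dir"])
    if any(dirs != {"<", ">"} for dirs in pairs.values()):
        return "half-sa", "inbound/outbound SA pair incomplete: rekey in progress or Phase 2 failed on one side"
    enc, dec = stats.get("encrypted_packets", 0), stats.get("decrypted_packets", 0)
    if enc == 0 and dec == 0:
        return "up-idle", "SAs established but nothing routed into st0.0: check static routes and security policies"
    if enc == 0 or dec == 0:
        return "up-oneway", f"one-way traffic (encrypted={enc}, decrypted={dec}): check the far side's route and policy"
    return "up", f"tunnel passing traffic (encrypted={enc}, decrypted={dec})"

if __name__ == "__main__":
    print(diagnose(SA_OUTPUT, STATS_IDLE))   # the state this page's output shows
    print(diagnose(SA_OUTPUT, STATS_BUSY))
```

Feed it the two command outputs captured from the box (for example over NETCONF or a pasted terminal buffer); the "half-sa" and "up-oneway" verdicts are the ones that point at the remote side rather than the local config.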
TIP:

  • The SRX default policy is deny-all, and that applies to intra-zone traffic too: even if st0.0 and the inside interface sit in the same zone, make sure a security policy permits the traffic that will cross the tunnel.
  • Make sure IKE is allowed as a host-inbound system service on the external interface (or its zone); otherwise the peer's UDP/500 (and UDP/4500 for NAT-T) packets are dropped before IKE ever sees them.
  • st0.0 must be assigned to a security zone, otherwise the tunnel won't come up.
  • Both SAs UP with every ESP counter at zero, as in the statistics above, means the tunnel is established but nothing has been routed into it yet: check the static routes pointing at st0.0 and the security policies before suspecting IKE.
  • The $9$ strings shown for pre-shared-key are Junos obfuscated encodings, not hashes; they are reversible, so treat a saved configuration as containing the key in clear.
  • 3des-cbc, hmac-md5-96 and DH group2 are legacy choices; on current Junos prefer AES (aes-256-cbc or aes-256-gcm), SHA-2 (hmac-sha-256-128) and DH group14 or higher, and consider IKEv2 instead of main mode IKEv1.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


3 thoughts on “ipsec configuration on srx”

  1. Very good blog! You are kind of a guru at Juniper!!!
    But the scenario that would really help me would be this…and it seems less helpful…

    Which are the public ips of the routers? And how did you configure them?

      1. Thank you for your reply!

        hahaha…I guess my question sounds like a silly one…In most cases, when you make a VPN it is for connecting two public domains of the same sector…so, yes, of course these are all private IPs…but which are the "public" ones…you know…for the first handshake (IKE P1)?

        172.30.72.255? If yes which is the other?
        In case of Public Scenario…through an ISP, what would we change?
