IPSEC VPN between SRX and Netscreen

Below you will find my IPsec VPN configuration between an SRX100 and a Netscreen 5GT. Here is the topology:

Protected Networks on Netscreen:
Protected Network on SRX:


ns5gt-> get sys | inc Software
Software Version: 5.4.0r3.0, Type: Firewall+VPN
root@hub> show version
Hostname: hub
Model: srx100h
JUNOS Software Release [11.1R4.4]

This is in fact a hub and spoke topology: two more SRX devices are connected to the same hub, but to keep this post simple I will only include the config for these two nodes.

root@hub# show security ike
policy sos-pol {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$NBVs4UjqQF/aZF/CtIR-VwYaZDikPTz"; ## SECRET-DATA
}
gateway sos-gw {
    ike-policy sos-pol;
    external-interface fe-0/0/3.0;
}
root@hub# show security ipsec
policy sos-pol {
    proposal-set standard;
}
vpn vpn-sos {
    bind-interface st0.0;
    ike {
        gateway sos-gw;
        ipsec-policy sos-pol;
    }
    establish-tunnels immediately;
}

Tunnel Interface and physical interface config

root@hub# show interfaces st0.0
family inet {
root@hub# show interfaces fe-0/0/3.0
description "Netscreen device";
family inet {

Zone Configuration

root@hub# show security zones security-zone vpn
address-book {
    address sos-local;
interfaces {
root@hub# show security zones security-zone non-junos
host-inbound-traffic {
    system-services {
interfaces {

One of the most important things not to forget is to enable IKE as a host-inbound system service on the zone that holds the external interface (here fe-0/0/3.0 in zone non-junos). Without it the SRX drops the peer's incoming IKE (UDP/500) packets and phase 1 never completes.

root@hub# show security policies from-zone vpn to-zone home-pcs
policy sos-to-internal {
    match {
        source-address sos-local;
        destination-address pcs;
        application any;
    then {

Another point I miss from time to time: the security policy must go from the vpn zone to the zone you need to reach, i.e. from the zone holding the st0.0 interface to whichever zone the protected hosts are in, not from the zone of the external interface. Policies are unidirectional: the one above admits sessions initiated from the Netscreen side, and replies follow the session table; if hosts behind the SRX must initiate, a matching home-pcs to vpn policy is needed as well.

root@hub# show routing-options
static {
    route next-hop;

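The two points above (the ike host-inbound service on the external interface's zone, and the policy written from the st0 zone) are easier to see in set form. The following is an added example of the SRX hub side, not the post's own configuration; it reuses the post's object names but every address is assumed: SRX external 203.0.113.1/24 on fe-0/0/3.0, Netscreen untrust 198.51.100.2, tunnel 10.10.10.1/30, Netscreen LAN 192.168.1.0/24 as address sos-local, SRX LAN 192.168.2.0/24 as address pcs in an existing zone home-pcs, and the same pre-shared key juniper123 the Netscreen config uses. Lines starting with # are reader comments and should be dropped when pasting.

```junos
# Phase 1: main mode, proposal-set standard (3DES or AES-128, SHA-1, DH group 2)
set security ike policy sos-pol mode main
set security ike policy sos-pol proposal-set standard
set security ike policy sos-pol pre-shared-key ascii-text juniper123
set security ike gateway sos-gw ike-policy sos-pol
set security ike gateway sos-gw address 198.51.100.2
set security ike gateway sos-gw external-interface fe-0/0/3.0

# Phase 2: route-based VPN bound to st0.0, negotiated without waiting for traffic
set security ipsec policy sos-pol proposal-set standard
set security ipsec vpn vpn-sos bind-interface st0.0
set security ipsec vpn vpn-sos ike gateway sos-gw
set security ipsec vpn vpn-sos ike ipsec-policy sos-pol
set security ipsec vpn vpn-sos establish-tunnels immediately

# Interfaces (addresses are assumed values)
set interfaces fe-0/0/3 unit 0 description "Netscreen device"
set interfaces fe-0/0/3 unit 0 family inet address 203.0.113.1/24
set interfaces st0 unit 0 family inet address 10.10.10.1/30

# Zones. The ike system-service on the external interface's zone is the item
# that is easy to forget: without it the SRX drops the peer's UDP/500 packets.
set security zones security-zone non-junos interfaces fe-0/0/3.0
set security zones security-zone non-junos host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn address-book address sos-local 192.168.1.0/24
set security zones security-zone home-pcs address-book address pcs 192.168.2.0/24

# Policies run from the zone holding st0.0 (vpn), not from non-junos.
# vpn -> home-pcs admits sessions started behind the Netscreen (the ping below);
# home-pcs -> vpn is the reverse direction for sessions started behind the SRX.
set security policies from-zone vpn to-zone home-pcs policy sos-to-internal match source-address sos-local
set security policies from-zone vpn to-zone home-pcs policy sos-to-internal match destination-address pcs
set security policies from-zone vpn to-zone home-pcs policy sos-to-internal match application any
set security policies from-zone vpn to-zone home-pcs policy sos-to-internal then permit
set security policies from-zone home-pcs to-zone vpn policy internal-to-sos match source-address pcs
set security policies from-zone home-pcs to-zone vpn policy internal-to-sos match destination-address sos-local
set security policies from-zone home-pcs to-zone vpn policy internal-to-sos match application any
set security policies from-zone home-pcs to-zone vpn policy internal-to-sos then permit

# Route the remote LAN into the tunnel interface
set routing-options static route 192.168.1.0/24 next-hop st0.0
```

After commit, `show security ike security-associations` should list the peer with state UP, `show security ipsec security-associations` should show the inbound and outbound SA pair for the gateway, and the counters in `show security ipsec statistics` should increase while the ping runs; on the Netscreen, `get sa` should show the SA as active (A/-). If phase 1 does not come up, check the ike host-inbound service first, then enable `set security ike traceoptions flag all` to see the negotiation.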

set address Trust local_lan
set zone name vpn
set address vpn hub_lan
set interface tun.1 zone vpn
set int tun.1 ip
set route interface tun.1
set ike gateway gw-hub address main outgoing-interface Untrust preshare juniper123 sec-level standard
set vpn vpn-hub gateway gw-hub sec-level standard
set vpn vpn-hub bind interface tun.1
set vpn vpn-hub monitor rekey
set policy from trust to vpn local_lan hub_lan any permit
set policy from vpn to trust hub_lan local_lan any permit
ns5gt-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address         Zone        MAC            VLAN State VSD
trust                             Trust       0010.db4a.4042    -   D   -
untrust                           Untrust     0010.db4a.4041    -   U   -
serial                            Null        0010.db4a.4046    -   D   -
tun.1                             vpn         N/A               -   U   -
vlan1                             VLAN        0010.db4a.404f    1   D   -
null                              Null        N/A               -   U   0

ns5gt-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
vpn-hub         gw-hub          tunl No    g2-esp-3des-sha      on            0 untrust
  Total Auto VPN: 1

And here is a ping through the tunnel from the trust side of the Netscreen, which works:

ns5gt-> ping from trust
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to, timeout is 1 seconds from trust
Success Rate is 100 percent (5/5), round-trip time min/avg/max=7/9/13 ms

As both devices work well together we didn't need to play with NHTB (next-hop tunnel binding), which is only required when several tunnels terminate on the same point-to-multipoint st0 interface. In the next post I will try an SRX to Cisco VPN and see how the configuration changes.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

5 thoughts on “IPSEC VPN between SRX and Netscreen”

  1. Hi rtoo. I am just about to follow what looks like an excellent description of exactly what I am trying to do (except the NS5GT is an NS50 in our case). I would like to ask though, in your diagram showing the SRX and the NS5GT, should the untrust interface not be If not, I am misunderstanding something 🙂

    1. Hi Simon,
      You aren’t misunderstanding. I made a mistake and thank you for this, good catch. I have corrected the image, I think you meant the topology image as I didn’t notice an error in the config. If you think there is another mistake, don’t hesitate to tell me.


  2. Your drawing has another error, or your config does. The drawing on the NS side identifies as the IP, but your config shows

1. Thanks for pointing out the mistake, Mike. I have updated the topology image as the config looks correct but the image was showing the wrong tunnel IP.
