IPSEC VPN between SRX and Netscreen

Below you will find my ipsec vpn configuration between an SRX100 device and Netscreen 5GT. Here is the topology;

Protected Networks on Netscreen: 10.10.10.0/24
Protected Network on SRX : 192.168.0.0/24

ipsec_srx100_netscreen

ns5gt-> get sys | inc Software
Software Version: 5.4.0r3.0, Type: Firewall+VPN
root@hub> show version
Hostname: hub
Model: srx100h
JUNOS Software Release [11.1R4.4]

This is a hub and spoke topology indeed. I have two more SRX devices connected to the same hub but for simplicity of this post, I will only include config for these two nodes.

[edit]
root@hub# show security ike
policy sos-pol {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$NBVs4UjqQF/aZF/CtIR-VwYaZDikPTz"; ## SECRET-DA
}
gateway sos-gw {
    ike-policy sos-pol;
    address 172.16.3.2;
    external-interface fe-0/0/3.0;
}
[edit]
root@hub# show security ipsec
policy sos-pol {
    proposal-set standard;
}
vpn vpn-sos {
    bind-interface st0.0;
    vpn-monitor;
    ike {
        gateway sos-gw;
        ipsec-policy sos-pol;
    }
    establish-tunnels immediately;
}

Tunnel Interface and physical interface config

[edit]
root@hub# show interfaces st0.0
multipoint;
family inet {
    address 192.168.100.5/24;
}
[edit]
root@hub# show interfaces fe-0/0/3.0
description "Netscreen device";
family inet {
    address 172.16.3.1/24;
}

Zone Configuration

[edit]
root@hub# show security zones security-zone vpn
address-book {
    address sos-local 10.10.10.0/24;
   }
}
interfaces {
    st0.0;
}
[edit]
root@hub# show security zones security-zone non-junos
host-inbound-traffic {
    system-services {
        ike;
        ping;
    }
}
interfaces {
    fe-0/0/3.0;
}

One of the most important thing that we shouldn’t forget is to enable ike on the external interface.

[edit]
root@hub# show security policies from-zone vpn to-zone home-pcs
policy sos-to-internal {
    match {
        source-address sos-local;
        destination-address pcs;
        application any;
    }
    then {
        permit;
    }
}

Another important point which from time to time I miss is policy should be from the vpn zone to the zone you need i.e from zone having st0.0 interface to any zone you want.

[edit]
root@hub# show routing-options
static {
    route 10.10.10.0/24 next-hop 192.168.100.100;
}

Netscreen Side CONFIGURATION

set address Trust local_lan 10.10.10.0/24
set zone name vpn
set address vpn hub_lan 192.168.0.0/24
set interface tun.1 zone vpn
set int tun.1 ip 192.168.100.100/24
set route 192.168.0.0/24 interface tun.1
set ike gateway gw-hub address 172.16.3.1 main outgoing-interface Untrust preshare juniper123 sec-level standard
set vpn vpn-hub gateway gw-hub sec-level standard
set vpn vpn-hub bind interface tun.1
set vpn vpn-hub monitor rekey
set policy from trust to vpn local_lan hub_lan any permit
set policy from vpn to trust hub_lan local_lan any permit
ns5gt-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address         Zone        MAC            VLAN State VSD
trust          10.10.10.1/24      Trust       0010.db4a.4042    -   D   -
untrust        172.16.3.2/24      Untrust     0010.db4a.4041    -   U   -
serial         0.0.0.0/0          Null        0010.db4a.4046    -   D   -
tun.1          192.168.100.100/24 vpn         N/A               -   U   -
vlan1          0.0.0.0/0          VLAN        0010.db4a.404f    1   D   -
null           0.0.0.0/0          Null        N/A               -   U   0


ns5gt-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
vpn-hub         gw-hub          tunl No    g2-esp-3des-sha      on            0 untrust
  Total Auto VPN: 1

and here is the ping from that works well!

ns5gt-> ping 192.168.0.1 from trust
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 1 seconds from trust
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=7/9/13 ms

As both devices work well together we didn’t need to play with NHTB configuration. In the next post I will try to do an srx-cisco VPN and see how the configuration changes.

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


5 thoughts on “IPSEC VPN between SRX and Netscreen”

  1. Hi rtoo. I am just about to follow what looks like an excellent description of exactly what I am trying to do (except the NS5GT is an NS50 in our case). I would like to ask though, in your diagram showing the SRX and the NS5GT, should the untrust interface not be 172.16.3.2/24? If not, I am misunderstanding something 🙂

    1. Hi Simon,
      You aren’t misunderstanding. I made a mistake and thank you for this, good catch. I have corrected the image, I think you meant the topology image as I didn’t notice an error in the config. If you think there is another mistake, don’t hesitate to tell me.

      cheers
      Genco.

  2. Your drawing has another error, or your config does. The drawing on the NS side identifies 192.168.100.10/24 as the IP, but your config shows 192.168.100.100/24.

    1. Thanks for pointing the mistake Mike. I have updated the topology image as the config looks correct but image was showing the wrong tunnel IP.

Leave a Reply to mauibob Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.