Juniper SRX Site to Site VPN (cli)

  • Create a Secure Tunnel to be used for the route-based VPN

    set interfaces st0 unit 1 description "VPN from Site1 to Site2"
    set interfaces st0 unit 1 family inet

  • Put the Secure Tunnel interface in the security zone VPNs

    set security zones security-zone VPNs interfaces st0.1

  • Create the Phase 1 IKE security proposal

    set security ike proposal P1-pre-g2-aes256-sha256-86400 authentication-method pre-shared-keys
    set security ike proposal P1-pre-g2-aes256-sha256-86400 dh-group group2
    set security ike proposal P1-pre-g2-aes256-sha256-86400 authentication-algorithm sha-256
    set security ike proposal P1-pre-g2-aes256-sha256-86400 encryption-algorithm aes-256-cbc
    set security ike proposal P1-pre-g2-aes256-sha256-86400 lifetime-seconds 86400

  • Configure the Phase 1 IKE policy

    set security ike policy IKE-Site2 mode main
    set security ike policy IKE-Site2 proposals P1-pre-g2-aes256-sha256-86400
    set security ike policy IKE-Site2 pre-shared-key ascii-text PSKforVPN

  • Configure the Phase 1 IKE gateway

    set security ike gateway GW-Site2 ike-policy IKE-Site2
    set security ike gateway GW-Site2 address 1.1.1.1
    set security ike gateway GW-Site2 no-nat-traversal
    set security ike gateway GW-Site2 external-interface ge-0/0/1.0
    set security ike gateway GW-Site2 version v1-only

  • Configure the Phase 2 IPSEC proposal

    set security ipsec proposal P2-esp-aes256-sha256-28800 protocol esp
    set security ipsec proposal P2-esp-aes256-sha256-28800 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal P2-esp-aes256-sha256-28800 encryption-algorithm aes-256-cbc
    set security ipsec proposal P2-esp-aes256-sha256-28800 lifetime-seconds 28800

  • Configure the Phase 2 IPSEC policy

    set security ipsec policy IPsec-g5-esp-aes256-sha256-28800 perfect-forward-secrecy keys group5
    set security ipsec policy IPsec-g5-esp-aes256-sha256-28800 proposals P2-esp-aes256-sha256-28800

  • Configure the VPN

    set security ipsec vpn VPN-Site2 bind-interface st0.1
    set security ipsec vpn VPN-Site2 ike gateway GW-Site2
    set security ipsec vpn VPN-Site2 ike ipsec-policy IPsec-g5-esp-aes256-sha256-28800
    set security ipsec vpn VPN-Site2 establish-tunnels immediately

  • Configure the list of trusted addresses

    set security ipsec vpn VPN-Site2 traffic-selector Site-2-TS-1 local-ip 10.1.1.0/24
    set security ipsec vpn VPN-Site2 traffic-selector Site-2-TS-1 remote-ip 10.2.1.0/24

    NOTE: this is reversed on the other gateway…

    set security ipsec vpn VPN-Site1 traffic-selector Site-1-TS-1 local-ip 10.2.1.0/24
    set security ipsec vpn VPN-Site1 traffic-selector Site-1-TS-1 remote-ip 10.1.1.0/24

  • Configure source NAT so that no NAT is applied to traffic entering the tunnel

    set security nat source rule-set NAT-trust-to-vpn from zone trust
    set security nat source rule-set NAT-trust-to-vpn to zone VPNs
    set security nat source rule-set NAT-trust-to-vpn rule No-NAT-2-Site2 match destination-address 10.2.1.0/24
    set security nat source rule-set NAT-trust-to-vpn rule No-NAT-2-Site2 then source-nat off

    NOTE: this would be reversed on the other gateway.

    set security nat source rule-set NAT-trust-to-vpn rule No-NAT-2-Site2 match destination-address 10.1.1.0/24
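
The two notes above ("reversed on the other gateway") are where mismatches usually creep in: a traffic selector that is not an exact mirror of the peer's, or a no-NAT rule whose destination does not match the prefix reached through the tunnel, and Phase 2 will not negotiate or traffic arrives source-NATed. The following checker is an added example, not part of these notes; it assumes both gateways' configuration is available as set-style lines (as printed by `show configuration | display set`) and parses only the statements used on this page. The Site2 side is constructed as the mirror of the Site1 commands above; its rule and selector names (`No-NAT-2-Site1`, `Site-1-TS-1`) are hypothetical.

```python
"""Consistency check for a pair of route-based SRX VPN configs (set-style text).

Added example: verifies that (1) every traffic selector on one gateway has its
local/remote prefixes mirrored on the other, (2) every remote prefix reached
through the tunnel is exempted from source NAT on that gateway, and (3) the IKE
and IPsec algorithm choices agree on both sides.
"""
import re

SEL_RE = re.compile(
    r"^set security ipsec vpn (\S+) traffic-selector (\S+) (local-ip|remote-ip) (\S+)$")
NAT_DST_RE = re.compile(
    r"^set security nat source rule-set \S+ rule (\S+) match destination-address (\S+)$")
NAT_OFF_RE = re.compile(
    r"^set security nat source rule-set \S+ rule (\S+) then source-nat off$")
CRYPTO_RE = re.compile(
    r"^set security (ike proposal|ipsec proposal) \S+ "
    r"(authentication-method|dh-group|authentication-algorithm|encryption-algorithm|protocol) (\S+)$")
PFS_RE = re.compile(r"^set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)$")

# Constructed sample: the Site1 gateway, taken from the commands in these notes.
SITE1 = """
set security ike proposal P1-pre-g2-aes256-sha256-86400 authentication-method pre-shared-keys
set security ike proposal P1-pre-g2-aes256-sha256-86400 dh-group group2
set security ike proposal P1-pre-g2-aes256-sha256-86400 authentication-algorithm sha-256
set security ike proposal P1-pre-g2-aes256-sha256-86400 encryption-algorithm aes-256-cbc
set security ipsec proposal P2-esp-aes256-sha256-28800 protocol esp
set security ipsec proposal P2-esp-aes256-sha256-28800 authentication-algorithm hmac-sha-256-128
set security ipsec proposal P2-esp-aes256-sha256-28800 encryption-algorithm aes-256-cbc
set security ipsec policy IPsec-g5-esp-aes256-sha256-28800 perfect-forward-secrecy keys group5
set security ipsec vpn VPN-Site2 traffic-selector Site-2-TS-1 local-ip 10.1.1.0/24
set security ipsec vpn VPN-Site2 traffic-selector Site-2-TS-1 remote-ip 10.2.1.0/24
set security nat source rule-set NAT-trust-to-vpn rule No-NAT-2-Site2 match destination-address 10.2.1.0/24
set security nat source rule-set NAT-trust-to-vpn rule No-NAT-2-Site2 then source-nat off
"""

# Constructed sample: the Site2 gateway, the mirror image (hypothetical rule/selector names).
SITE2 = """
set security ike proposal P1-pre-g2-aes256-sha256-86400 authentication-method pre-shared-keys
set security ike proposal P1-pre-g2-aes256-sha256-86400 dh-group group2
set security ike proposal P1-pre-g2-aes256-sha256-86400 authentication-algorithm sha-256
set security ike proposal P1-pre-g2-aes256-sha256-86400 encryption-algorithm aes-256-cbc
set security ipsec proposal P2-esp-aes256-sha256-28800 protocol esp
set security ipsec proposal P2-esp-aes256-sha256-28800 authentication-algorithm hmac-sha-256-128
set security ipsec proposal P2-esp-aes256-sha256-28800 encryption-algorithm aes-256-cbc
set security ipsec policy IPsec-g5-esp-aes256-sha256-28800 perfect-forward-secrecy keys group5
set security ipsec vpn VPN-Site1 traffic-selector Site-1-TS-1 local-ip 10.2.1.0/24
set security ipsec vpn VPN-Site1 traffic-selector Site-1-TS-1 remote-ip 10.1.1.0/24
set security nat source rule-set NAT-trust-to-vpn rule No-NAT-2-Site1 match destination-address 10.1.1.0/24
set security nat source rule-set NAT-trust-to-vpn rule No-NAT-2-Site1 then source-nat off
"""


def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def selector_pairs(text):
    """Set of (local-ip, remote-ip) prefix pairs across all traffic selectors."""
    sel = {}
    for ln in _lines(text):
        if (m := SEL_RE.match(ln)):
            sel.setdefault((m[1], m[2]), {})[m[3]] = m[4]
    return {(v["local-ip"], v["remote-ip"]) for v in sel.values()
            if "local-ip" in v and "remote-ip" in v}


def no_nat_destinations(text):
    """Destination prefixes covered by a source-NAT rule whose action is 'source-nat off'."""
    dst, off = {}, set()
    for ln in _lines(text):
        if (m := NAT_DST_RE.match(ln)):
            dst[m[1]] = m[2]
        elif (m := NAT_OFF_RE.match(ln)):
            off.add(m[1])
    return {dst[rule] for rule in off if rule in dst}


def crypto_params(text):
    """Algorithm and group choices keyed by statement, so proposal names may differ per side.
    With several proposals per side the last one parsed wins (these notes use one each)."""
    params = {}
    for ln in _lines(text):
        if (m := CRYPTO_RE.match(ln)):
            params[(m[1], m[2])] = m[3]
        elif (m := PFS_RE.match(ln)):
            params[("ipsec policy", "pfs")] = m[1]
    return params


def check_pair(side_a, side_b):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    findings = []
    pairs_a, pairs_b = selector_pairs(side_a), selector_pairs(side_b)
    # 1. Every selector must appear on the peer with local and remote swapped.
    for label, mine, theirs in (("A", pairs_a, pairs_b), ("B", pairs_b, pairs_a)):
        for local, remote in sorted(mine):
            if (remote, local) not in theirs:
                findings.append(f"{label}: selector {local}->{remote} has no mirror on the peer")
    # 2. Each remote prefix reached through the tunnel must be exempt from source NAT locally.
    for label, side, pairs in (("A", side_a, pairs_a), ("B", side_b, pairs_b)):
        exempt = no_nat_destinations(side)
        for _, remote in sorted(pairs):
            if remote not in exempt:
                findings.append(f"{label}: traffic to {remote} is not exempted from source NAT")
    # 3. IKE/IPsec algorithm choices must match, whatever the proposals are named.
    ca, cb = crypto_params(side_a), crypto_params(side_b)
    for key in sorted(set(ca) | set(cb)):
        if ca.get(key) != cb.get(key):
            findings.append(f"{key[0]} {key[1]} differs: A={ca.get(key)} B={cb.get(key)}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(SITE1, SITE2) or ["OK: both gateways are consistent"]:
        print(finding)
```

Run it against the pasted output of both gateways before committing; a single typo in a remote prefix shows up as two unmatched selectors plus a missing NAT exemption, which is exactly the symptom that otherwise takes a `show security ipsec security-associations` session to track down.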

  • Configure the security policies to allow the traffic to and from the trust and VPN zones

    set security policies from-zone VPNs to-zone trust policy default-permit match source-address any
    set security policies from-zone VPNs to-zone trust policy default-permit match destination-address any
    set security policies from-zone VPNs to-zone trust policy default-permit match application any
    set security policies from-zone VPNs to-zone trust policy default-permit then permit

    set security policies from-zone trust to-zone VPNs policy default-permit match source-address any
    set security policies from-zone trust to-zone VPNs policy default-permit match destination-address any
    set security policies from-zone trust to-zone VPNs policy default-permit match application any
    set security policies from-zone trust to-zone VPNs policy default-permit then permit