SRX: Site to Site VPN example configuration
(OP)
My external interface:

    interfaces {
        pp0 {
            unit 0 {
                description "Ethernet WAN";
                ppp-options {
                    chap {
                        default-chap-secret "PASSWORD";
                        local-name "USER@ISP";
                        passive;
                    }
                    pap {
                        local-name "USER@ISP";
                        local-password "PASSWORD";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/0.0;
                    auto-reconnect 10;
                    client;
                }
                family inet {
                    negotiate-address;
                }
            }
        }
    }

My tunnel interface:

    interfaces {
        st0 {
            description VPN;
            unit 0 {
                family inet {
                    address 192.168.100.1/24;
                }
            }
        }
    }

VPN config:

    security {
        ike {
            /* IKE debug tracing (written to the kmd log); remove once the tunnel is stable */
            traceoptions {
                flag ike;
            }
            proposal phase1-proposal {
                authentication-method pre-shared-keys;
                /* group2 is 1024-bit MODP; group14 or higher is preferable where the peer supports it */
                dh-group group2;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy phase1-policy {
                mode main;
                proposals phase1-proposal;
                pre-shared-key ascii-text "KEY";
            }
            gateway phase1-gateway {
                ike-policy phase1-policy;
                address <PEER EXTERNAL IP>;
                dead-peer-detection always-send;
                /* This had me stumped for a while: I had put pp0.0 in here, which is the actual IP-addressed interface */
                external-interface pp0;
            }
        }
        ipsec {
            /* IPsec debug tracing; remove once the tunnel is stable */
            traceoptions {
                flag all;
            }
            proposal phase2 {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3200;
            }
            policy phase2-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals phase2;
            }
            vpn to-SITE2 {
                /* route-based VPN: the tunnel is the st0.0 interface */
                bind-interface st0.0;
                ike {
                    gateway phase1-gateway;
                    ipsec-policy phase2-policy;
                }
                establish-tunnels immediately;
            }
        }
    }

Mirror this on SITE2 SRX.


The IKE GATEWAY EXTERNAL INTERFACE had me stumped for ages - it didn't occur to me that you would use pp0 rather than the relevant interface, which is pp0.1.
When I added a second tunnel, though, check out the only way I could get it to work:

    gateway phase1-gateway-Alt {
        ike-policy phase1-policy;
        address <PEER ALT EXTERNAL IP>;
        dead-peer-detection always-send;
        external-interface pp0.1;
    }

????
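Added operational checks, not part of the original post: once both sides are committed, these standard Junos operational-mode commands confirm each layer in the order it has to come up (Phase 1 SA, Phase 2 SA pair, tunnel interface, route, then actual sessions). The `##` lines are reader annotations, not commands; the peer placeholder and the 10.1.2.0/24 far-side subnet are the ones used elsewhere in this thread.

```junos
## Phase 1: the IKE SA for the peer should show State UP. If it stays DOWN or is absent,
## the problem is reachability, the pre-shared key, the proposal, or the external-interface
## binding discussed above. The detail form shows which local address IKE actually bound to.
show security ike security-associations
show security ike security-associations detail

## Phase 2: expect one inbound (<) and one outbound (>) ESP SA per tunnel, on port 500
## (or 4500 when NAT-T is in play). Lifetimes count down from the configured 3200 seconds.
show security ipsec security-associations
show security ipsec security-associations detail

## The tunnel interface only reports up once the SA is installed.
show interfaces st0.0 terse

## Route-based VPN: nothing enters the tunnel unless a route points at st0.0.
show route 10.1.2.0/24

## Traffic check: ESP counters must climb, and sessions towards the far LAN must exist
## with st0.0 as the outgoing interface. Zero sessions with a good SA means the
## security policy or the route is the problem, not IKE/IPsec.
show security ipsec statistics
show security flow session destination-prefix 10.1.2.0/24

## IKE traceoptions (enabled in the posted config) write to the kmd log.
show log kmd
```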

RE: SRX: Site to Site VPN example configuration

(OP)
And you need rules; I almost forgot:

    security {
        policies {
            from-zone vpn to-zone trust {
                policy ipsec-vpn-to-trust {
                    match {
                        source-address SITE2-Subnet;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone vpn {
                policy ipsec-trust-to-vpn {
                    match {
                        source-address SITE1-Subnet;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                /* zone-scoped address book: SITE1-Subnet is referenced as source in the trust-to-vpn policy */
                address-book {
                    address SITE1-Subnet 10.1.1.0/24;
                }
                /* every service and protocol accepted from the LAN side; narrow this to what is needed in production */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone vpn {
                /* zone-scoped address book: SITE2-Subnet is referenced as source in the vpn-to-trust policy */
                address-book {
                    address SITE2-Subnet 10.1.2.0/24;
                }
                interfaces {
                    st0.0 {
                        /* lets SITE2 reach this SRX's web UI and SSH over the tunnel; drop if not wanted */
                        host-inbound-traffic {
                            system-services {
                                http;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
        }
    }
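As an added example (not code from the original posts), here is the SITE2 side of this VPN written out in set syntax, which is what "mirror this on SITE2" amounts to, together with two things neither post shows but a route-based (st0) VPN needs: a static route that sends the far LAN into st0.0, and IKE permitted as host-inbound traffic in the zone that holds the external interface. Assumed values: SITE2's st0.0 is 192.168.100.2/24, SITE1's public address is the placeholder <SITE1 EXTERNAL IP>, SITE2 also terminates PPPoE on pp0 with its LAN on vlan.0, and its external interface sits in a zone named untrust. Subnet names and addresses are swapped relative to the SITE1 policies above; the host-inbound services on the trust zone are narrowed to ssh, https and ping rather than the `all` used above.

```junos
## SITE2 SRX - mirror of the SITE1 configuration in this thread (set syntax).
## Assumed: st0.0 = 192.168.100.2/24, peer = <SITE1 EXTERNAL IP>, WAN on pp0, LAN on vlan.0.

set interfaces st0 unit 0 description VPN
set interfaces st0 unit 0 family inet address 192.168.100.2/24

## Phase 1 - must match SITE1 exactly (proposal, mode, PSK)
set security ike proposal phase1-proposal authentication-method pre-shared-keys
set security ike proposal phase1-proposal dh-group group2
set security ike proposal phase1-proposal authentication-algorithm sha-256
set security ike proposal phase1-proposal encryption-algorithm aes-256-cbc
set security ike policy phase1-policy mode main
set security ike policy phase1-policy proposals phase1-proposal
set security ike policy phase1-policy pre-shared-key ascii-text "KEY"
set security ike gateway phase1-gateway ike-policy phase1-policy
set security ike gateway phase1-gateway address <SITE1 EXTERNAL IP>
set security ike gateway phase1-gateway dead-peer-detection always-send
## same interface form that worked for the original poster on SITE1
set security ike gateway phase1-gateway external-interface pp0

## Phase 2 - must match SITE1 (ESP, algorithms, PFS group)
set security ipsec proposal phase2 protocol esp
set security ipsec proposal phase2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal phase2 lifetime-seconds 3200
set security ipsec policy phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy phase2-policy proposals phase2
set security ipsec vpn to-SITE1 bind-interface st0.0
set security ipsec vpn to-SITE1 ike gateway phase1-gateway
set security ipsec vpn to-SITE1 ike ipsec-policy phase2-policy
set security ipsec vpn to-SITE1 establish-tunnels immediately

## Not shown in the original posts, but required for a route-based VPN:
## traffic for the far LAN only reaches the tunnel if a route points at st0.0.
set routing-options static route 10.1.1.0/24 next-hop st0.0
## (the matching statement on SITE1 is: set routing-options static route 10.1.2.0/24 next-hop st0.0)

## Also not shown: the zone holding the PPPoE logical interface must accept IKE,
## otherwise the peer's Phase 1 packets are dropped before the IKE daemon sees them.
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike

## Zones and zone-scoped address books (names swapped relative to SITE1)
set security zones security-zone trust address-book address SITE2-Subnet 10.1.2.0/24
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone vpn address-book address SITE1-Subnet 10.1.1.0/24
set security zones security-zone vpn interfaces st0.0

## Policies: local LAN out through the tunnel, far LAN in from the tunnel
set security policies from-zone trust to-zone vpn policy ipsec-trust-to-vpn match source-address SITE2-Subnet destination-address any application any
set security policies from-zone trust to-zone vpn policy ipsec-trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy ipsec-vpn-to-trust match source-address SITE1-Subnet destination-address any application any
set security policies from-zone vpn to-zone trust policy ipsec-vpn-to-trust then permit
```

Paste these in configuration mode (`edit`, then the set lines, then `commit check` before `commit`). Because both peers use the default 0.0.0.0/0 proxy IDs of a route-based VPN, no traffic selectors need to be configured; the static routes and the two policies are what decide which traffic actually crosses the tunnel.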
