In this post we will walk through setting up a route-based site-to-site VPN on a Juniper SRX.
To begin with, we need to define the IKE (phase 1) proposal under "edit security ike":
    security {
        ike {
            proposal Site-To-Site {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 28800;
            }
        }
    }
This proposal uses Diffie-Hellman group 2 for the key exchange, SHA-1 for integrity and AES-256-CBC for encryption, with pre-shared-key authentication and an IKE SA lifetime of 28800 seconds (8 hours). Note that group 2 (1024-bit MODP) and SHA-1 are legacy choices: on any SRX that supports them, prefer dh-group group14 or higher and authentication-algorithm sha-256, and configure the peer to match, since both sides must agree on the proposal.
Our next step is to set up the IKE policy, also under "edit security ike":
    policy Site-To-Site-VPN {
        mode main;
        proposals Site-To-Site;
        pre-shared-key ascii-text "juniper";
    }
The policy selects main mode, references the proposal we just created and carries the pre-shared key. Two caveats: the mode setting only applies to IKEv1 (the gateway below is IKEv2-only, and IKEv2 has no main/aggressive distinction, so it is ignored there), and the key shown is only an example; use a long, random pre-shared key in production. We now need to define a gateway:
    gateway IKE-GW {
        ike-policy Site-To-Site-VPN;
        address 98.188.188.210;
        external-interface ge-0/0/0.0;
        version v2-only;
    }
The gateway ties the IKE policy to the peer's public address 98.188.188.210, the outgoing interface ge-0/0/0.0 and IKE version 2 only. One check that is easy to miss: the zone that contains ge-0/0/0.0 (normally untrust) must allow ike as a host-inbound system service, otherwise the peer's IKE packets are dropped before negotiation starts. With the IKE part in place, we now set up the IPsec (phase 2) part, starting with the IPsec proposal under "edit security ipsec":
    ipsec {
        proposal Site-To-Site {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
    }
We now create an IPsec policy that references this proposal:
    policy Site-to-Site-IPSec {
        proposals Site-To-Site;
    }
Next, the VPN object itself binds the tunnel interface st0.0 to the IKE gateway and the IPsec policy:
    vpn Site-to-site-vpn {
        bind-interface st0.0;
        ike {
            gateway IKE-GW;
            ipsec-policy Site-to-Site-IPSec;
        }
    }
With the VPN object complete, four things remain: the tunnel interface, the security zone (and its policy), the route, and the TCP MSS.
We set the interface first:
    st0 {
        unit 0 {
            point-to-point;
            family inet {
                address 172.16.1.1/30;
            }
        }
    }
Now we need to place st0.0 in a security zone:
    zones {
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
Allowing all host-inbound system services and protocols on st0.0 is broader than this VPN needs; permitting only ping (plus any routing protocol you actually run over the tunnel) is the safer choice. We then set the security policy under "edit security policies":
    from-zone VPN to-zone trust {
        policy default {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
This permits traffic arriving from the remote site into trust. Sessions initiated from the trust side toward the remote network need a matching from-zone trust to-zone VPN policy as well (the SRX's own ping test below does not, since traffic the device originates itself is not subject to zone policies). Once this is done, we need to add a route that sends the remote network over the VPN:
    routing-options {
        static {
            route 172.16.10.0/24 next-hop st0.0;
        }
    }
Finally, we clamp the TCP MSS for traffic entering the VPN under "edit security flow", so that packets still fit the path MTU once the ESP and outer IP headers are added and do not get fragmented:
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
Once this is done we can test the VPN.
    admin@srx> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
    947309  UP     ae140fccdd2b724c  71654357c48047dc  IKEv2  98.188.188.210

    admin@srx> show security ipsec security-associations
      Total active tunnels: 1
      ID       Algorithm          SPI       Life:sec/kb   Mon  vsys  Port  Gateway
      <131073  ESP:aes-256/sha1   87098745  2892/ unlim   -    root  500   98.188.188.210
      >131073  ESP:aes-256/sha1   cd0f0359  2892/ unlim   -    root  500   98.188.188.210

    admin@srx> ping 172.16.10.1 rapid
    PING 172.16.10.1 (172.16.10.1): 56 data bytes
    !!!!!
    --- 172.16.10.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 7.170/11.228/17.923/4.087 ms
The IKE SA is UP against the peer, the IPsec output shows one tunnel with an inbound (<) and an outbound (>) SA using ESP with AES-256 and SHA-1 as configured in the proposal, and the ping across the tunnel succeeds.
If you are using source NAT, make sure it is not applied to traffic bound for the remote network. A rule-set from zone trust to zone untrust will not match traffic leaving via st0.0 in zone VPN, but if your rule-set does catch the tunnel egress (for example because st0.0 shares a zone with the Internet-facing interface), add a rule matching destination-address 172.16.10.0/24 with "then source-nat off" and insert it before the general NAT rule.
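As an added example, not the page's own configuration, here is the whole procedure above plus the NAT exemption just mentioned in set-command form, so it can be pasted into configure mode in one go. It keeps the page's peer address, subnets, interface and object names, but substitutes DH group 14 and SHA-256 for group 2 and SHA-1, adds perfect forward secrecy and establish-tunnels immediately, drops the IKEv1-only mode statement, narrows host-inbound-traffic on st0.0 to ping, adds the untrust-zone ike service and the reverse trust-to-VPN policy. The zone name untrust, the rule-set name trust-to-untrust, the rule name existing-rule and the pre-shared-key placeholder are assumptions to replace with your own values.

```junos
## IKE (phase 1): proposal, policy and gateway
set security ike proposal Site-To-Site authentication-method pre-shared-keys
set security ike proposal Site-To-Site dh-group group14
set security ike proposal Site-To-Site authentication-algorithm sha-256
set security ike proposal Site-To-Site encryption-algorithm aes-256-cbc
set security ike proposal Site-To-Site lifetime-seconds 28800
set security ike policy Site-To-Site-VPN proposals Site-To-Site
## placeholder: replace with a long random key shared with the peer
set security ike policy Site-To-Site-VPN pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-KEY"
set security ike gateway IKE-GW ike-policy Site-To-Site-VPN
set security ike gateway IKE-GW address 98.188.188.210
set security ike gateway IKE-GW external-interface ge-0/0/0.0
set security ike gateway IKE-GW version v2-only

## IPsec (phase 2): proposal, policy with PFS, and the VPN bound to st0.0
set security ipsec proposal Site-To-Site protocol esp
set security ipsec proposal Site-To-Site authentication-algorithm hmac-sha-256-128
set security ipsec proposal Site-To-Site encryption-algorithm aes-256-cbc
set security ipsec proposal Site-To-Site lifetime-seconds 3600
set security ipsec policy Site-to-Site-IPSec perfect-forward-secrecy keys group14
set security ipsec policy Site-to-Site-IPSec proposals Site-To-Site
set security ipsec vpn Site-to-site-vpn bind-interface st0.0
set security ipsec vpn Site-to-site-vpn ike gateway IKE-GW
set security ipsec vpn Site-to-site-vpn ike ipsec-policy Site-to-Site-IPSec
set security ipsec vpn Site-to-site-vpn establish-tunnels immediately

## Tunnel interface
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 172.16.1.1/30

## Zones: the external interface's zone (assumed: untrust) must accept IKE;
## the tunnel zone only needs ping for troubleshooting
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0

## Policies in both directions between the tunnel zone and trust
set security policies from-zone VPN to-zone trust policy default match source-address any
set security policies from-zone VPN to-zone trust policy default match destination-address any
set security policies from-zone VPN to-zone trust policy default match application any
set security policies from-zone VPN to-zone trust policy default then permit
set security policies from-zone trust to-zone VPN policy to-remote-site match source-address any
set security policies from-zone trust to-zone VPN policy to-remote-site match destination-address any
set security policies from-zone trust to-zone VPN policy to-remote-site match application any
set security policies from-zone trust to-zone VPN policy to-remote-site then permit

## Route the remote network into the tunnel and clamp TCP MSS
set routing-options static route 172.16.10.0/24 next-hop st0.0
set security flow tcp-mss ipsec-vpn mss 1350

## Source NAT exemption: only needed if an existing rule-set (assumed name
## trust-to-untrust, existing rule name existing-rule) also matches the
## tunnel egress; it must sit before the general NAT rule
set security nat source rule-set trust-to-untrust rule no-nat-vpn match destination-address 172.16.10.0/24
set security nat source rule-set trust-to-untrust rule no-nat-vpn then source-nat off
insert security nat source rule-set trust-to-untrust rule no-nat-vpn before rule existing-rule
```

After "commit", "show security ike security-associations" and "show security ipsec security-associations" should list the SA pair as in the output above, now reporting sha-256 instead of sha1. The "##" lines are explanatory comments; the peer must be configured with the same group 14 / SHA-256 / AES-256-CBC proposal and PFS group or phase 1 or phase 2 negotiation will fail.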