Configuring Route-Based Site-to-Site IPSec VPN on the SRX
- Published 16 Sep 2024
- The Configuring Route-Based Site-to-Site IPsec VPN on the SRX Series Learning Byte discusses the configuration of a secure VPN tunnel between two Juniper Networks SRX-series devices. The concept of route-based VPN is briefly discussed and the commands needed to configure and monitor the VPN are shown.
This Learning Byte is appropriate for beginner to intermediate level engineers who want to start configuring IPsec VPNs on their SRX devices.
Presenter: Petr Klimai, Juniper Ambassador, JNCI
Relevant to Junos OS Releases: All Junos releases
Relevant to Juniper Platforms: SRX Series
• On-Demand Training: Take a hands-on course…now!
learningportal...
• All-Access Training Pass: Access every course for a full year!
learningportal...
• Juniper Certification: Get started with the Juniper Open Learning program:
learningportal...
What an absolutely fantastic tutorial... this is amazing... something I found totally mind-blowing is now graspable.
Thank you so much.
Excellent tutorial! Very straightforward and well explained.
Ultimate, sir... nice and clear explanation.
I had a great challenge setting up GRE over IPsec between SRX and Cisco, and SRX and Fortigate, in my days; such a pain when you know just a few things about IPsec or firewalls on Juniper, lol. Oh, and not to mention a freaking D-Link. Just needed to get OSPF and other things working over it properly. Would be interesting to hear about all those parameters additionally, or how to get a GRE tunnel over that as well, though :) For the IPsec recap - thanks Petr, that's really well explained.
Very good explanation.
Thanks for sharing this configuration process for VPN; it is very useful. I am learning JUNOS, and this kind of how-to helps a lot.
Very useful in helping me get our VPN configured. Thanks for sharing your knowledge!
Very nice and clear explanation. Thanks
Awesome!!! Can you show how to build using BGP or OSPF between them?
What about NAT for crossing interfaces? Is this needed in general for JunOS?
Very clear. Thank you, sir!
Great tutorial bro !
Thanks. Very good work
Excellent, very good explanation.
Which image of Juniper SRX are you using?
Excellent !!!
Thank you.
But what happens if the other side, SRX B, is using NAT? If side B is only using one static IP on its modem and the SRX interface connected to the modem is NATting.
Great tutorial sir!
Could you share this txt configuration?
I would like to try it in my lab
Best Regards!
SRXA
set security ike proposal IKE-PROP lifetime-seconds 3600
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP dh-group group5
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL mode main
set security ike policy IKE-POL pre-shared-key ascii-text juniper
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address xx.xx.xx.xx
set security ike gateway IKE-GW external-interface ge-0/0/0.0
set security zones security-zone Internet host-inbound-traffic system-services ike
set routing-options static route 192.168.2.0/24 next-hop st0.1
set security policies from-zone Internal to-zone VPN policy Internal-to-VPN match source-address Network-A destination-address Network-B application any
set security policies from-zone Internal to-zone VPN policy Internal-to-VPN then permit
set security policies from-zone VPN to-zone Internal policy VPN-to-Internal match source-address Network-B destination-address Network-A application any
set security policies from-zone VPN to-zone Internal policy VPN-to-Internal then permit
-- same on both --
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN ike gateway IKE-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-VPN vpn-monitor
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set interfaces st0 unit 1 family inet
set security zones security-zone VPN interfaces st0.1
set security address-book global address Network-A 192.168.1.0/24
set security address-book global address Network-B 192.168.2.0/24
---
SRXB
set security ike proposal IKE-PROP lifetime-seconds 3600
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP dh-group group5
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL mode main
set security ike policy IKE-POL pre-shared-key ascii-text juniper
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address xx.xx.xx.xx
set security ike gateway IKE-GW external-interface ge-0/0/0.0
set security zones security-zone Internet host-inbound-traffic system-services ike
set routing-options static route 192.168.1.0/24 next-hop st0.1
set security policies from-zone Internal to-zone VPN policy Internal-to-VPN match source-address Network-B destination-address Network-A application any
set security policies from-zone Internal to-zone VPN policy Internal-to-VPN then permit
set security policies from-zone VPN to-zone Internal policy VPN-to-Internal match source-address Network-A destination-address Network-B application any
set security policies from-zone VPN to-zone Internal policy VPN-to-Internal then permit
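As an added example (not from the video and not part of the listing above), a small Python checker that parses `set` lines from both SRX sides and flags the two things that most often keep a route-based tunnel like this one down: a Phase 1 or Phase 2 proposal or PFS group that differs between peers, and a static route whose next-hop st0 unit is not the one the VPN is bound to. The SRXA/SRXB excerpts embedded below are constructed from the listing, with SRXB deliberately made inconsistent.

```python
def parse_set_lines(text):
    """Map each Junos `set` statement's hierarchy path to its final value token."""
    cfg = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 2 and tok[0] == "set":
            cfg[" ".join(tok[1:-1])] = tok[-1]
    return cfg

def proposal_knobs(cfg, family):
    """IKE or IPsec proposal knobs keyed by knob name, so proposal names may differ."""
    prefix = f"security {family} proposal "
    return {p.split()[-1]: v for p, v in cfg.items() if p.startswith(prefix)}

def lookup(cfg, suffix):  # value of the first hierarchy path ending in `suffix`
    return next((v for p, v in cfg.items() if p.endswith(suffix)), None)

def check_peer_pair(side_a, side_b):
    """Return findings; an empty list means Phase 1/2 and tunnel routing agree."""
    a, b = parse_set_lines(side_a), parse_set_lines(side_b)
    findings = []
    for fam in ("ike", "ipsec"):  # Phase 1 then Phase 2 proposals
        ka, kb = proposal_knobs(a, fam), proposal_knobs(b, fam)
        for knob in sorted(set(ka) | set(kb)):
            if ka.get(knob) != kb.get(knob):
                findings.append(f"{fam} proposal {knob}: {ka.get(knob)} vs {kb.get(knob)}")
    if lookup(a, "perfect-forward-secrecy keys") != lookup(b, "perfect-forward-secrecy keys"):
        findings.append("ipsec PFS group differs between peers")
    for name, cfg in (("SRXA", a), ("SRXB", b)):
        bound = lookup(cfg, "bind-interface")  # st0 unit the VPN is bound to
        for p, v in cfg.items():
            if p.startswith("routing-options static route") and v != bound:
                findings.append(f"{name}: route {p.split()[3]} via {v}, VPN bound to {bound}")
    return findings

# Constructed excerpts; SRXB deliberately uses another DH group and a wrong st0 unit.
SRXA = """set security ike proposal IKE-PROP dh-group group5
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set routing-options static route 192.168.2.0/24 next-hop st0.1"""
SRXB = """set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set routing-options static route 192.168.1.0/24 next-hop st0.0"""

if __name__ == "__main__":
    for finding in check_peer_pair(SRXA, SRXB) or ["peers agree"]:
        print(finding)
```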
Simply perfect
amazing job
great tutorial, thank you sir
Thank you very much!
Will it work with the d20 version?
Can you please send the script commands?
Great tutorial, but pfSense is better.