Configure and Troubleshoot Policy-Based Site-to-Site VPN in Juniper SRX


In this tutorial I want to show how to configure a policy-based site-to-site VPN on Juniper SRX devices. This article is part of a series on IPsec VPN in Juniper SRX devices.

Before we begin, make sure you understand the basics of Juniper SRX: security zones, security policies, security objects (address books), and what a VPN and IPsec are.

If you are Indonesian and new to firewall devices, especially Juniper SRX, you can learn from the beginning on our YouTube channel: JNCIA-Sec: Juniper SRX Devices.

Objective

We will configure a policy-based site-to-site VPN to connect private networks on vSRX-1 (LAN1 and LAN2) and vSRX-2 (LAN3). We will manually configure the IKE and IPsec proposal parameters.

IKE Phase 1
Authentication method: pre-shared-key "Indonesia_2020"
Authentication algorithm: sha1
Encryption algorithm: 3des-cbc
DH group: group19
Channel lifetime: 24 hours

IKE Phase 2
Protocol: ESP
Authentication algorithm: hmac-sha1-96
Encryption algorithm: aes-256-cbc
DH group: group19
Tunnel lifetime: 6 hours
Establish tunnel: immediately

Preconfig

To ensure we start with the same conditions, make sure you have configured the following.

On Public-Router we only configure the addressing as usual. There is no route to the private networks. You can use another vendor's router here, because nothing is needed on it except addressing.

system {
    host-name Public-Router;
    ...
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 100.1.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 200.2.2.1/24;
            }
        }
    }
}
  

For both VPN gateways (vSRX-1 and vSRX-2) we use vSRX 20.1R1. We have to configure addressing on the public and private interfaces, and then add a default route with Public-Router as the default gateway.

We also have to configure security policies that permit all traffic from the Private zone to the Public zone and from the Private zone to the Private zone.

Optionally, I also configure the management interface and user login. Please adjust it to your needs.

vSRX-1

system {
    host-name vSRX-1;
    ...
}
security {
    screen {
        ids-option untrust-screen {
            # default config
            ...
        }
    }
    policies {
        from-zone Private to-zone Public {
            policy Permit-all-to-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application none;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Private to-zone Private {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application none;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Private {
            description "Private Network";
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone Public {
            description "Public Network (Internet)";
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description to-Public-Router;
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        description to-LAN1;
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        description to-LAN2;
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
    }
}
    
  

vSRX-2

system {
    host-name vSRX-2;
    ...
}
security {
    screen {
        ids-option untrust-screen {
            # default config
            ...
        }
    }
    policies {
        from-zone Private to-zone Public {
            policy Permit-all-to-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application none;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Public {
            description "Public Network (Internet)";
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone Private {
            description "Private Network";
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description to-Public-Internet;
        unit 0 {
            family inet {
                address 200.2.2.2/24;
            }
        }
    }
    ge-0/0/1 {
        description to-LAN3;
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 200.2.2.1;
    }
}

  

On the host devices in LAN1, LAN2, and LAN3 there is only addressing to configure: set the IP address according to the topology figure and set the default gateway to the vSRX device of that LAN.

Host LAN1: 192.168.1.11/24 (gateway: 192.168.1.1)
Host LAN2: 192.168.2.22/24 (gateway: 192.168.2.1)
Host LAN3: 192.168.3.33/24 (gateway: 192.168.3.1)
  

Once your preconfiguration matches the above, let's start the VPN configuration.

Configure The vSRX-1

Make sure the Public zone allows inbound IKE (ISAKMP, UDP port 500) packets. If it is not allowed, allow it.

[edit security zones security-zone Public]
lab@vSRX-1# set host-inbound-traffic system-services ike

We also need to create address-book entries for each private network (local and remote). We will use them to create security policies to allow traffic for each LAN.

[edit security zones security-zone Private]
lab@vSRX-1# set address-book address LAN1 192.168.1.0/24
lab@vSRX-1# set address-book address LAN2 192.168.2.0/24

[edit security zones security-zone Public]
lab@vSRX-1# set address-book address LAN3 192.168.3.0/24

First, configure the IKE Phase 1 proposal (also known as the IKE proposal). All parameters we set are security association parameters that will be negotiated in IKE Phase 1: authentication method, encryption algorithm, authentication algorithm, DH group, and the lifetime of the channel (in seconds: 180-86400).

[edit security ike proposal ike-proposal-to-vSRX-2]
lab@vSRX-1# set authentication-method pre-shared-keys
lab@vSRX-1# set encryption-algorithm 3des-cbc 
lab@vSRX-1# set authentication-algorithm sha1
lab@vSRX-1# set dh-group group19
lab@vSRX-1# set lifetime-seconds 86400

Create the IKE Phase 1 policy (also known as the IKE policy); we name it "ike-policy-to-vSRX-2". We use main mode because this device (vSRX-1) has a static IP address. We use a pre-shared key for authentication; the pre-shared key is "Indonesia_2020".

We also point the IKE policy at the user-defined proposal named ike-proposal-to-vSRX-2 (created above). If you want to use a predefined proposal set from Juniper, that's fine: use the set proposal-set command instead of set proposals. The available options are basic, compatible, prime-128, prime-256, standard, suiteb-gcm-128, and suiteb-gcm-256.

[edit security ike policy ike-policy-to-vSRX-2]
lab@vSRX-1# set mode main
lab@vSRX-1# set pre-shared-key ascii-text "Indonesia_2020"
lab@vSRX-1# set proposals ike-proposal-to-vSRX-2

Then, define the IKE gateway with peer IP address (vSRX-2's address), IKE Policy, and outgoing interface.

[edit security ike gateway vSRX-2]
lab@vSRX-1# set address 200.2.2.2
lab@vSRX-1# set ike-policy ike-policy-to-vSRX-2
lab@vSRX-1# set external-interface ge-0/0/0

Next step, let's configure the IKE Phase 2 proposal (also known as IPsec proposal). All parameters we set are security association parameters which will be negotiated in IKE Phase 2, including: IPsec protocol, encryption algorithm, authentication algorithm, lifetime of the tunnel (in seconds: 180-86400).

[edit security ipsec proposal ipsec-proposal-to-vSRX-2]
lab@vSRX-1# set protocol esp
lab@vSRX-1# set encryption-algorithm aes-256-cbc
lab@vSRX-1# set authentication-algorithm hmac-sha1-96
lab@vSRX-1# set lifetime-seconds 21600

Then, create the IKE Phase 2 policy (also known as IPsec policy). Set the ipsec proposal and the DH group for PFS.

[edit security ipsec policy ipsec-policy-to-vSRX-2]
lab@vSRX-1# set proposals ipsec-proposal-to-vSRX-2
lab@vSRX-1# set perfect-forward-secrecy keys group19

Then define the IPsec VPN. Set the IKE gateway and the IPsec policy we just created, and set establish-tunnels to immediately (the tunnel is created when the configuration is committed) or on-traffic (the tunnel is created when there is traffic going through it).

[edit security ipsec vpn vSRX-2-VPN]
lab@vSRX-1# set ike gateway vSRX-2
lab@vSRX-1# set ike ipsec-policy ipsec-policy-to-vSRX-2
lab@vSRX-1# set establish-tunnels immediately

Lastly, create the security policies that allow traffic from the local networks (LAN1 and LAN2) to the remote network (LAN3) and vice versa. These policies also direct the matching traffic into the IPsec VPN for encapsulation. The outbound policy is named vpn-Local-to-Remote and the inbound policy vpn-Remote-to-Local.

Note: This step is one of the main differences between a policy-based and a route-based VPN configuration. A policy-based VPN uses the security policy action (permit tunnel ipsec-vpn) to direct traffic into the tunnel. A route-based VPN instead binds a secure tunnel interface in the IPsec VPN configuration and uses routing to direct traffic to that interface (as we did in the route-based tutorial). See Configure Route-Based Site-to-Site VPN in Juniper SRX.

This is the outbound policy (Local to Remote).

[edit security policies from-zone Private to-zone Public policy vpn-Local-to-Remote]
lab@vSRX-1# set match source-address LAN1
lab@vSRX-1# set match source-address LAN2
lab@vSRX-1# set match destination-address LAN3
lab@vSRX-1# set match application any
lab@vSRX-1# set then permit tunnel ipsec-vpn vSRX-2-VPN
lab@vSRX-1# set then permit tunnel pair-policy vpn-Remote-to-Local

This is the inbound policy (Remote to Local).

[edit security policies from-zone Public to-zone Private policy vpn-Remote-to-Local]
lab@vSRX-1# set match source-address LAN3
lab@vSRX-1# set match destination-address LAN1
lab@vSRX-1# set match destination-address LAN2
lab@vSRX-1# set match application any
lab@vSRX-1# set then permit tunnel ipsec-vpn vSRX-2-VPN
lab@vSRX-1# set then permit tunnel pair-policy vpn-Local-to-Remote

In the preconfig we created a policy that permits all traffic from the Private zone to the Public zone (Permit-all-to-Internet). Security policies are evaluated top-down and the first match wins, so vpn-Local-to-Remote must come before Permit-all-to-Internet; otherwise traffic to LAN3 would match the permit-all policy and be forwarded unencrypted toward Public-Router instead of into the tunnel.

[edit security policies from-zone Private to-zone Public]
lab@vSRX-1# show
policy Permit-all-to-Internet {
    ...
}
policy vpn-Local-to-Remote {
    ...
}

We have to sort vpn-Local-to-Remote before Permit-all-to-Internet.

[edit security policies from-zone Private to-zone Public]
lab@vSRX-1# insert policy vpn-Local-to-Remote before policy Permit-all-to-Internet

Now the order is as follows.

[edit security policies from-zone Private to-zone Public]
lab@vSRX-1# show
policy vpn-Local-to-Remote {
    ...
}
policy Permit-all-to-Internet {
    ...
}

That is all the configuration on vSRX-1. Commit all the changes! Next, we configure vSRX-2.

Configure The vSRX-2

Make sure the Public zone allows inbound IKE (ISAKMP, UDP port 500) packets. If it is not allowed, allow it.

[edit security zones security-zone Public]
lab@vSRX-2# set host-inbound-traffic system-services ike

We also need to create address-book entries for each private network (local and remote). We will use them to create security policies to allow traffic for each LAN.

[edit security zones security-zone Private]
lab@vSRX-2# set address-book address LAN3 192.168.3.0/24

[edit security zones security-zone Public]
lab@vSRX-2# set address-book address LAN1 192.168.1.0/24
lab@vSRX-2# set address-book address LAN2 192.168.2.0/24

First, configure the IKE Phase 1 proposal (also known as the IKE proposal). All parameters we set are security association parameters that will be negotiated in IKE Phase 1: authentication method, encryption algorithm, authentication algorithm, DH group, and the lifetime of the channel (in seconds: 180-86400).

[edit security ike proposal ike-proposal-to-vSRX-1]
lab@vSRX-2# set authentication-method pre-shared-keys
lab@vSRX-2# set encryption-algorithm 3des-cbc 
lab@vSRX-2# set authentication-algorithm sha1
lab@vSRX-2# set dh-group group19
lab@vSRX-2# set lifetime-seconds 86400

Create the IKE Phase 1 policy (also known as the IKE policy); we name it "ike-policy-to-vSRX-1". We use main mode because this device (vSRX-2) has a static IP address. We use a pre-shared key for authentication; the pre-shared key is "Indonesia_2020". It must be identical to the peer's pre-shared key (the one configured on vSRX-1).

We also point the IKE policy at the user-defined proposal named ike-proposal-to-vSRX-1 (created above). If you want to use a predefined proposal set from Juniper, that's fine: use the set proposal-set command instead of set proposals. The available options are basic, compatible, prime-128, prime-256, standard, suiteb-gcm-128, and suiteb-gcm-256.

[edit security ike policy ike-policy-to-vSRX-1]
lab@vSRX-2# set mode main
lab@vSRX-2# set pre-shared-key ascii-text "Indonesia_2020"
lab@vSRX-2# set proposals ike-proposal-to-vSRX-1

Then, define the IKE gateway with peer IP address (vSRX-1's address), IKE Policy, and outgoing interface.

[edit security ike gateway vSRX-1]
lab@vSRX-2# set address 100.1.1.2
lab@vSRX-2# set ike-policy ike-policy-to-vSRX-1
lab@vSRX-2# set external-interface ge-0/0/0

Next step, let's configure the IKE Phase 2 proposal (also known as IPsec proposal). All parameters we set are security association parameters which will be negotiated in IKE Phase 2, including: IPsec protocol, encryption algorithm, authentication algorithm, lifetime of the tunnel (in seconds: 180-86400).

[edit security ipsec proposal ipsec-proposal-to-vSRX-1]
lab@vSRX-2# set protocol esp
lab@vSRX-2# set encryption-algorithm aes-256-cbc
lab@vSRX-2# set authentication-algorithm hmac-sha1-96
lab@vSRX-2# set lifetime-seconds 21600

Then, create the IKE Phase 2 policy (also known as IPsec policy). Set the ipsec proposal and the DH group for PFS.

[edit security ipsec policy ipsec-policy-to-vSRX-1]
lab@vSRX-2# set proposals ipsec-proposal-to-vSRX-1
lab@vSRX-2# set perfect-forward-secrecy keys group19

Then define the IPsec VPN. Set the IKE gateway and the IPsec policy we just created, and set establish-tunnels to immediately (the tunnel is created when the configuration is committed) or on-traffic (the tunnel is created when there is traffic going through it).

[edit security ipsec vpn vSRX-1-VPN]
lab@vSRX-2# set ike gateway vSRX-1
lab@vSRX-2# set ike ipsec-policy ipsec-policy-to-vSRX-1
lab@vSRX-2# set establish-tunnels immediately

Lastly, create the security policies that allow traffic from the local network (LAN3) to the remote networks (LAN1 and LAN2) and vice versa. These policies also direct the matching traffic into the IPsec VPN for encapsulation. The outbound policy is named vpn-Local-to-Remote and the inbound policy vpn-Remote-to-Local.

Note: This step is one of the main differences between a policy-based and a route-based VPN configuration. A policy-based VPN uses the security policy action (permit tunnel ipsec-vpn) to direct traffic into the tunnel. A route-based VPN instead binds a secure tunnel interface in the IPsec VPN configuration and uses routing to direct traffic to that interface (as we did in the route-based tutorial). See Configure Route-Based Site-to-Site VPN in Juniper SRX.

This is the outbound policy (Local to Remote).

[edit security policies from-zone Private to-zone Public policy vpn-Local-to-Remote]
lab@vSRX-2# set match source-address LAN3
lab@vSRX-2# set match destination-address LAN1
lab@vSRX-2# set match destination-address LAN2
lab@vSRX-2# set match application any
lab@vSRX-2# set then permit tunnel ipsec-vpn vSRX-1-VPN
lab@vSRX-2# set then permit tunnel pair-policy vpn-Remote-to-Local

This is the inbound policy (Remote to Local).

[edit security policies from-zone Public to-zone Private policy vpn-Remote-to-Local]
lab@vSRX-2# set match source-address LAN1
lab@vSRX-2# set match source-address LAN2
lab@vSRX-2# set match destination-address LAN3
lab@vSRX-2# set match application any
lab@vSRX-2# set then permit tunnel ipsec-vpn vSRX-1-VPN
lab@vSRX-2# set then permit tunnel pair-policy vpn-Local-to-Remote

In the preconfig we created a policy that permits all traffic from the Private zone to the Public zone (Permit-all-to-Internet). Security policies are evaluated top-down and the first match wins, so vpn-Local-to-Remote must come before Permit-all-to-Internet; otherwise traffic to LAN1 and LAN2 would match the permit-all policy and be forwarded unencrypted toward Public-Router instead of into the tunnel.

[edit security policies from-zone Private to-zone Public]
lab@vSRX-2# show
policy Permit-all-to-Internet {
    ...
}
policy vpn-Local-to-Remote {
    ...
}

We have to sort vpn-Local-to-Remote before Permit-all-to-Internet.

[edit security policies from-zone Private to-zone Public]
lab@vSRX-2# insert policy vpn-Local-to-Remote before policy Permit-all-to-Internet

Now the order is as follows.

[edit security policies from-zone Private to-zone Public]
lab@vSRX-2# show
policy vpn-Local-to-Remote {
    ...
}
policy Permit-all-to-Internet {
    ...
}

That is all the configuration on vSRX-2. Commit all the changes!

Done! Now check that LAN1 and LAN2 can reach LAN3, and vice versa.

user1@LAN1:~$ ping 192.168.3.33
PING 192.168.3.33 (192.168.3.33) 56(84) bytes of data.
64 bytes from 192.168.3.33: icmp_seq=1 ttl=62 time=6.57 ms
64 bytes from 192.168.3.33: icmp_seq=2 ttl=62 time=4.03 ms
user2@LAN2:~$ ping 192.168.3.33
PING 192.168.3.33 (192.168.3.33) 56(84) bytes of data.
64 bytes from 192.168.3.33: icmp_seq=1 ttl=62 time=4.95 ms
64 bytes from 192.168.3.33: icmp_seq=2 ttl=62 time=3.18 ms
user3@LAN3:~$ ping 192.168.1.11
PING 192.168.1.11 (192.168.1.11) 56(84) bytes of data.
64 bytes from 192.168.1.11: icmp_seq=1 ttl=62 time=6.84 ms
64 bytes from 192.168.1.11: icmp_seq=2 ttl=62 time=5.51 ms

Troubleshooting: Show IKE active peers.

Make sure the VPN gateway peer appears in this command.

lab@vSRX-1> show security ike active-peer
Remote Address                      Port     Peer IKE-ID                         AAA username                        Assigned IP
200.2.2.2                           500      200.2.2.2                                  not available                0.0.0.0
lab@vSRX-2> show security ike active-peer
Remote Address                      Port     Peer IKE-ID                         AAA username                        Assigned IP
100.1.1.2                           500      100.1.1.2                                  not available                0.0.0.0   

Troubleshooting: Check the security associations

If the peer does not appear, make sure the security association parameters (proposal or proposal-set, pre-shared key, DH group, lifetimes, and so on) are correct and identical on both peers. Use the show security ike security-associations detail command to check the negotiated IKE Phase 1 parameters.

lab@vSRX-1> show security ike security-associations detail
IKE peer 200.2.2.2, Index 3860716, Gateway Name: vSRX2
  Role: Responder, State: UP
  Initiator cookie: 2c6ba7b84d910284, Responder cookie: 7691793b444bd876
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 100.1.1.2:500, Remote: 200.2.2.2:500
  Lifetime: Expires in 86043 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  Peer ike-id: 200.2.2.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-19
  Traffic statistics:
   Input  bytes  :                  864
   Output bytes  :                  660
   Input  packets:                    5
   Output packets:                    4
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 100.1.1.2:500, Remote: 200.2.2.2:500
    Local identity: 100.1.1.2
    Remote identity: 200.2.2.2
    Flags: IKE SA is created 

lab@vSRX-2> show security ike security-associations detail
IKE peer 100.1.1.2, Index 2319874, Gateway Name: vSRX1
  Role: Initiator, State: UP
  Initiator cookie: 2c6ba7b84d910284, Responder cookie: 7691793b444bd876
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 200.2.2.2:500, Remote: 100.1.1.2:500
  Lifetime: Expires in 85410 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  Peer ike-id: 100.1.1.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-19
  Traffic statistics:
   Input  bytes  :                  660
   Output bytes  :                  864
   Input  packets:                    4
   Output packets:                    5
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 200.2.2.2:500, Remote: 100.1.1.2:500
    Local identity: 200.2.2.2
    Remote identity: 100.1.1.2
    Flags: IKE SA is created

Or use show security ipsec security-associations detail command to check the IKE Phase 2 proposals.

lab@vSRX-1> show security ipsec security-associations detail
ID: 2 Virtual-system: root, VPN Name: vSRX2-vpn
  Local Gateway: 100.1.1.2, Remote Gateway: 200.2.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled                             , Policy-name: vpn-Local-to-Remote
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600829
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Tue Sep 08 2020
    : No response from peer. Negotiation failed            (1 times)
    Tue Sep 08 2020
    : IPSec SA negotiation successfully completed          (1 times)
    Tue Sep 08 2020
    : IKE SA negotiation successfully completed            (1 times)
    Tue Sep 08 2020
    : No response from peer. Negotiation failed            (41 times)
    Tue Sep 08 2020
    : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Sep 08 2020
    : External interface's address received. Information updated (1 times)
    Tue Sep 08 2020
    : External interface's zone received. Information updated (1 times)
  Direction: inbound, SPI: 9498f793, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20813 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 20216 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 45ad0a96, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20813 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 20216 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

lab@vSRX-2> show security ipsec security-associations detail
ID: 2 Virtual-system: root, VPN Name: vSRX1-vpn
  Local Gateway: 200.2.2.2, Remote Gateway: 100.1.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled                             , Policy-name: vpn-Local-to-Remote
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600829
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Tue Sep 08 2020
    : IPSec SA negotiation successfully completed          (1 times)
    Tue Sep 08 2020
    : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Sep 08 2020
    : External interface's address received. Information updated (1 times)
    Tue Sep 08 2020
    : External interface's zone received. Information updated (1 times)
    Tue Sep 08 2020
    : IKE SA negotiation successfully completed            (1 times)
  Direction: inbound, SPI: 45ad0a96, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20571 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 19929 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 9498f793, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20571 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 19929 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

And so on. You can explore the other operational commands yourself: run show security ike ? and show security ipsec ? in operational mode.
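Comparing the two outputs above by eye is error-prone. As an added example (not part of the original tutorial), the following Python script parses the show security ike security-associations detail and show security ipsec security-associations detail output from both peers and checks what must agree: Phase 1 state, cookies and algorithms, and Phase 2 SPIs, state and ciphers in both directions. The sample outputs are constructed excerpts in the format of the tutorial's own output; the expected values are taken from the Objective section.

```python
# Added example (not from the original tutorial): parse the output of
# "show security ike security-associations detail" and "show security ipsec
# security-associations detail" from both peers and check what the
# troubleshooting section says must agree. Sample outputs are constructed here
# to mirror the tutorial's; the expected values come from the Objective section.
import re

EXPECTED_IKE = {"Authentication": "hmac-sha1-96", "Encryption": "3des-cbc",
                "Diffie-Hellman group": "DH-group-19"}
EXPECTED_IPSEC = ("ESP", "hmac-sha1-96", "aes-cbc (256 bits)")

def parse_ike_detail(text: str) -> dict:
    """Extract Phase 1 state, cookies and negotiated algorithms from one peer."""
    sa = {"state": re.search(r"State: (\w+)", text).group(1),
          "cookies": re.search(r"Initiator cookie: (\w+), Responder cookie: (\w+)", text).groups()}
    algs = re.search(r"Algorithms:\n(.*?)\n  Traffic statistics:", text, re.S).group(1)
    for line in algs.splitlines():
        key, _, val = line.partition(":")
        sa[key.strip()] = val.strip()
    return sa

def parse_ipsec_detail(text: str) -> dict:
    """Return {direction: (spi, state, (protocol, auth, encryption))} for one peer."""
    pat = (r"Direction: (\w+), SPI: (\w+).*?State: (\w+)\n\s*Protocol: (\w+), "
           r"Authentication: ([\w-]+), Encryption: ([^\n]+)")
    return {d: (spi, st, (proto, auth, enc.strip()))
            for d, spi, st, proto, auth, enc in re.findall(pat, text, re.S)}

def check_tunnel(ike_a: str, ike_b: str, ipsec_a: str, ipsec_b: str) -> list:
    """Return the problems found; an empty list means both phases agree."""
    problems = []
    a, b = parse_ike_detail(ike_a), parse_ike_detail(ike_b)
    for side, sa in (("A", a), ("B", b)):
        if sa["state"] != "UP":
            problems.append(f"{side}: IKE SA state is {sa['state']}")
        for k, v in EXPECTED_IKE.items():
            if sa.get(k) != v:
                problems.append(f"{side}: Phase 1 {k} is {sa.get(k)}, expected {v}")
    if a["cookies"] != b["cookies"]:
        problems.append("peers show different IKE cookies: not the same SA")
    pa, pb = parse_ipsec_detail(ipsec_a), parse_ipsec_detail(ipsec_b)
    # A's inbound SA is B's outbound SA (same SPI), and vice versa.
    for d, opp in (("inbound", "outbound"), ("outbound", "inbound")):
        if d not in pa or opp not in pb:
            problems.append(f"missing {d} SA on A or {opp} SA on B")
            continue
        spi, state, algs = pa[d]
        if spi != pb[opp][0]:
            problems.append(f"A {d} SPI {spi} != B {opp} SPI {pb[opp][0]}")
        if state != "installed":
            problems.append(f"A {d} SA state is {state}")
        if algs != EXPECTED_IPSEC:
            problems.append(f"A {d} Phase 2 algorithms are {algs}")
    return problems

# Constructed excerpts in the format of the tutorial's outputs (vSRX-1 = A).
IKE_A = """IKE peer 200.2.2.2, Index 3860716, Gateway Name: vSRX-2
  Role: Responder, State: UP
  Initiator cookie: 2c6ba7b84d910284, Responder cookie: 7691793b444bd876
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-19
  Traffic statistics:
"""
IKE_B = IKE_A.replace("Role: Responder", "Role: Initiator")  # same SA seen from vSRX-2
IPSEC_A = """  Direction: inbound, SPI: 9498f793, AUX-SPI: 0
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
  Direction: outbound, SPI: 45ad0a96, AUX-SPI: 0
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
"""
# vSRX-2 sees the same two SPIs with the directions swapped.
IPSEC_B = IPSEC_A.replace("9498f793", "\0").replace("45ad0a96", "9498f793").replace("\0", "45ad0a96")

if __name__ == "__main__":
    print(check_tunnel(IKE_A, IKE_B, IPSEC_A, IPSEC_B))
    print(check_tunnel(IKE_A.replace("3des-cbc", "aes-256-cbc"), IKE_B, IPSEC_A, IPSEC_B))
```

Feed it the full output of both commands from each vSRX (the parsers only look at the lines shown above); a non-empty list tells you which side and which phase to fix first.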

Also, make sure you have security policies that allow the traffic from the local network to the remote network and vice versa, and that the tunnel policies are listed first (Sequence number: 1) in their zone pairs.

lab@vSRX-1> show security policies
Default policy: deny-all
Pre ID default policy: permit-all
From zone: Private, To zone: Public
  Policy: vpn-Local-to-Remote, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN1, LAN2
    Destination addresses: LAN3
    Applications: any
    Action: permit, tunnel
. . . .
From zone: Public, To zone: Private
  Policy: vpn-Remote-to-Local, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN3
    Destination addresses: LAN1, LAN2
    Applications: any
    Action: permit, tunnel 
lab@vSRX-2> show security policies
Default policy: deny-all
Pre ID default policy: permit-all
From zone: Private, To zone: Public
  Policy: vpn-Local-to-Remote, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN3
    Destination addresses: LAN1, LAN2
    Applications: any
    Action: permit, tunnel
. . . .
From zone: Public, To zone: Private
  Policy: vpn-Remote-to-Local, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN1, LAN2
    Destination addresses: LAN3
    Applications: any
    Action: permit, tunnel

Don't forget the route to reach the remote network! In this policy-based setup the default route via Public-Router is enough, because the security policy, not a tunnel route, steers the traffic into the VPN.

That's all. Good luck!
