Configure and Troubleshoot Route-Based Site-to-Site VPN in Juniper SRX


Previously we showed how to configure a policy-based site-to-site VPN on Juniper SRX devices. This time we will show how to configure a route-based site-to-site VPN on Juniper SRX. Our hope is that, by the end, you will understand how the implementations of a policy-based VPN and a route-based VPN differ.

Before we begin configuring, make sure you understand the basics of Juniper SRX: security zones, security policies, security objects (address books and applications), and what a VPN and IPsec are.

Moreover, if you are Indonesian and new to firewall devices, especially Juniper SRX, please learn from the beginning on our YouTube channel: JNCIA-Sec: Juniper SRX Devices

Objective

We will configure a route-based site-to-site VPN to connect the private networks behind vSRX-1 (LAN1 and LAN2) and vSRX-2 (LAN3). We will configure the IKE and IPsec proposal parameters manually rather than using one of Juniper's predefined proposal sets.

IKE Phase 1
Authentication method: pre-shared-key "Indonesia_2020"
Authentication algorithm: sha-256
Encryption algorithm: aes-256-cbc
DH group: group20
IKE SA (channel) lifetime: 24 hours (86400 seconds)
IKE version: 2

IKE Phase 2
Protocol: ESP
Authentication algorithm: hmac-sha-256-128
Encryption algorithm: aes-256-cbc
DH group (PFS): group19
IPsec SA (tunnel) lifetime: 6 hours (21600 seconds)
Establish tunnel: immediately

Secure Tunnel Interface
vSRX-1's st0.0: 10.0.0.1/30
vSRX-2's st0.0: 10.0.0.2/30

Preconfig

To ensure we start with the same conditions, make sure you have configured the following.

On Public-Router we only configure addressing, as usual. There is no route to the private networks, which is exactly what a real Internet transit would look like. You can use another vendor's router here, since nothing beyond addressing is needed.

system {
    host-name Public-Router;
    ...
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 100.1.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 200.2.2.1/24;
            }
        }
    }
}
  

For both VPN gateways (vSRX-1 and vSRX-2) we use vSRX 20.1R1. We have to configure addressing for the public and private interfaces, then add a default route with Public-Router as the default gateway.

We have to configure security policies to permit all traffic from the Private zone to the Public zone and from the Private zone to the Private zone (the intrazone policy is what lets LAN1 and LAN2 reach each other; SRX denies intrazone traffic by default).

Optionally, I also configure the management interface (fxp0) and a user login. Adjust these to your needs. Note that host-inbound-traffic system-services all on the Private zone is a lab convenience: in production, list only the services the firewall must answer on that zone.

vSRX-1

system {
    host-name vSRX-1 ;
    ...
}
security {
    screen {
        ids-option untrust-screen {
            # default config
            ...
        }
    }
    policies {
        from-zone Private to-zone Public {
            policy Permit-all-to-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application none;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Private to-zone Private {
            policy Permit-All {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application none;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Private {
            description "Private Network";
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone Public {
            description "Public Network (Internet)";
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description to-Public-Router;
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        description to-LAN1;
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        description to-LAN2;
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
    }
}
    
  

vSRX-2

system {
    host-name vSRX-2;
    ...
}
security {
    screen {
        ids-option untrust-screen {
            # default config
            ...
        }
    }
    policies {
        from-zone Private to-zone Public {
            policy Permit-all-to-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application none;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Public {
            description "Public Network (Internet)";
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone Private {
            description "Private Network";
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description to-Public-Internet;
        unit 0 {
            family inet {
                address 200.2.2.2/24;
            }
        }
    }
    ge-0/0/1 {
        description to-LAN3;
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 200.2.2.1;
    }
}

  

On the hosts in LAN1, LAN2, and LAN3 there is only addressing configuration: set the IP address according to the figure above (the thumbnail) and set the default gateway to the vSRX interface of that LAN.

Host LAN1: 192.168.1.11/24 (gateway: 192.168.1.1)
Host LAN2: 192.168.2.22/24 (gateway: 192.168.2.1)
Host LAN3: 192.168.3.33/24 (gateway: 192.168.3.1)

If you are sure everything matches, let's start the configuration.

Configure The vSRX-1

Make sure the Public zone allows inbound IKE (ISAKMP) as a host-inbound system service; IKE uses UDP 500, and the same ike service also covers NAT-T on UDP 4500. If it is not allowed, allow it:

[edit]
lab@vSRX-1# set security zones security-zone Public host-inbound-traffic system-services ike

First, configure the secure tunnel (st0) interface and add a static route to the remote network with that tunnel interface as the next hop.

[edit]
lab@vSRX-1# set interfaces st0.0 family inet address 10.0.0.1/30
lab@vSRX-1# set routing-options static route 192.168.3.0/24 next-hop st0.0

Assign the st0.0 interface to a security zone (here a new zone named Secure). Zone membership is what lets us write policies for traffic entering and leaving the tunnel separately from the Public zone. Because we enable no host-inbound-traffic on the Secure zone, the SRX itself will not answer pings to its st0.0 address; add system-services ping to the zone if you want to ping across the tunnel from the firewalls themselves.

[edit]
lab@vSRX-1# set security zones security-zone Secure interfaces st0.0

We also need address-book entries for each private network (local and remote). We will reference them in the security policies that allow traffic between the LANs.

[edit security zones security-zone Private]
lab@vSRX-1# set address-book address LAN1 192.168.1.0/24
lab@vSRX-1# set address-book address LAN2 192.168.2.0/24

[edit security zones security-zone Secure]
lab@vSRX-1# set address-book address LAN3 192.168.3.0/24

Let's begin by configuring the IKE Phase 1 proposal (also known as the IKE proposal). All the parameters we set here are security association parameters negotiated in IKE Phase 1: authentication method, encryption algorithm, authentication (integrity) algorithm, DH group, and the IKE SA lifetime (in seconds, 180-86400).

[edit security ike proposal ike-proposal-to-vSRX-2]
lab@vSRX-1# set authentication-method pre-shared-keys
lab@vSRX-1# set encryption-algorithm aes-256-cbc 
lab@vSRX-1# set authentication-algorithm sha-256
lab@vSRX-1# set dh-group group20
lab@vSRX-1# set lifetime-seconds 86400

Create the IKE Phase 1 policy (also known as the IKE policy); we name it ike-policy-to-vSRX-2. We set main mode because this device (vSRX-1) has a static IP address; note that main and aggressive modes are IKEv1 concepts, so once the gateway is set to version v2-only (below) this statement has no effect. We use a pre-shared key for authentication; the key is "Indonesia_2020". Treat the pre-shared key as a secret: this lab value is deliberately simple, but in production use a long random string, and prefer certificate-based authentication where you can.

We also point the policy at the user-defined proposal named ike-proposal-to-vSRX-2 (created above). If you prefer a predefined proposal set from Juniper, that is fine: use the set proposal-set command instead of set proposals. The available options are basic, compatible, prime-128, prime-256, standard, suiteb-gcm-128, and suiteb-gcm-256.

[edit security ike policy ike-policy-to-vSRX-2]
lab@vSRX-1# set mode main
lab@vSRX-1# set pre-shared-key ascii-text "Indonesia_2020"
lab@vSRX-1# set proposals ike-proposal-to-vSRX-2

Then, define the IKE gateway with the peer IP address (vSRX-2's address), the IKE policy, and the outgoing (external) interface. We can also choose the IKE version: version 1 or version 2. When a gateway is configured as v2-only it cannot fall back to IKEv1 if the peer initiates an IKEv1 negotiation. The default is IKEv1. IKEv2 cannot be selected for a policy-based VPN.

[edit security ike gateway vSRX-2]
lab@vSRX-1# set address 200.2.2.2
lab@vSRX-1# set ike-policy ike-policy-to-vSRX-2
lab@vSRX-1# set external-interface ge-0/0/0
lab@vSRX-1# set version v2-only

Next, configure the IKE Phase 2 proposal (also known as the IPsec proposal). All the parameters we set here are security association parameters negotiated in IKE Phase 2: IPsec protocol, encryption algorithm, authentication algorithm, and the IPsec SA lifetime (in seconds, 180-86400).

[edit security ipsec proposal ipsec-proposal-to-vSRX-2]
lab@vSRX-1# set protocol esp
lab@vSRX-1# set encryption-algorithm aes-256-cbc
lab@vSRX-1# set authentication-algorithm hmac-sha-256-128
lab@vSRX-1# set lifetime-seconds 21600

Then, create the IKE Phase 2 policy (also known as the IPsec policy). Set the IPsec proposal and the DH group for perfect forward secrecy (PFS), so that every IPsec SA rekey performs a fresh Diffie-Hellman exchange instead of deriving keys from the IKE SA alone.

[edit security ipsec policy ipsec-policy-to-vSRX-2]
lab@vSRX-1# set proposals ipsec-proposal-to-vSRX-2
lab@vSRX-1# set perfect-forward-secrecy keys group19

Then, define the IPsec VPN. Set the gateway and the IPsec policy we just created, and choose when the tunnel is established: immediately (the tunnel is created when the configuration is committed) or on-traffic (the tunnel is created when there is traffic to send). Don't forget to bind st0.0 as the tunnel interface.

[edit security ipsec vpn vSRX-2-VPN]
lab@vSRX-1# set ike gateway vSRX-2
lab@vSRX-1# set ike ipsec-policy ipsec-policy-to-vSRX-2
lab@vSRX-1# set establish-tunnels immediately
lab@vSRX-1# set bind-interface st0.0

Note: this step is one of the main differences between a policy-based and a route-based VPN configuration. A route-based VPN binds a secure tunnel interface in the IPsec VPN configuration and relies on the routing table to steer traffic into the tunnel (the static route via st0.0 we configured earlier), whereas a policy-based VPN uses a security policy with a tunnel action to select the traffic that is encrypted.

Lastly, create the security policies to allow traffic from the local private networks (LAN1 and LAN2) to the remote network (LAN3) and vice versa. The outbound policy is named vpn-Local-to-Remote, the inbound policy vpn-Remote-to-Local. Because st0.0 sits in its own zone, these policies control only what crosses the tunnel; they do not need to reference the VPN itself.

This is the outbound policy (Local to Remote).

[edit security policies from-zone Private to-zone Secure policy vpn-Local-to-Remote]
lab@vSRX-1# set match source-address LAN1
lab@vSRX-1# set match source-address LAN2
lab@vSRX-1# set match destination-address LAN3
lab@vSRX-1# set match application any
lab@vSRX-1# set then permit

This is the inbound policy (Remote to Local).

[edit security policies from-zone Secure to-zone Private policy vpn-Remote-to-Local]
lab@vSRX-1# set match source-address LAN3
lab@vSRX-1# set match destination-address LAN1
lab@vSRX-1# set match destination-address LAN2
lab@vSRX-1# set match application any
lab@vSRX-1# set then permit

That's all the configuration on vSRX-1. Commit the changes! Then we configure vSRX-2.

Make sure the Public zone allows inbound IKE (ISAKMP) as a host-inbound system service. If it is not allowed, allow it:

[edit]
lab@vSRX-2# set security zones security-zone Public host-inbound-traffic system-services ike

First, configure the secure tunnel (st0) interface and add static routes to the remote networks with that tunnel interface as the next hop.

[edit]
lab@vSRX-2# set interfaces st0.0 family inet address 10.0.0.2/30
lab@vSRX-2# set routing-options static route 192.168.1.0/24 next-hop st0.0
lab@vSRX-2# set routing-options static route 192.168.2.0/24 next-hop st0.0

Assign the st0.0 interface to a security zone (again a zone named Secure).

[edit]
lab@vSRX-2# set security zones security-zone Secure interfaces st0.0

We also need address-book entries for each private network (local and remote). We will reference them in the security policies that allow traffic between the LANs.

[edit security zones security-zone Private]
lab@vSRX-2# set address-book address LAN3 192.168.3.0/24

[edit security zones security-zone Secure]
lab@vSRX-2# set address-book address LAN1 192.168.1.0/24
lab@vSRX-2# set address-book address LAN2 192.168.2.0/24

Let's begin by configuring the IKE Phase 1 proposal (also known as the IKE proposal). All the parameters we set here are security association parameters negotiated in IKE Phase 1: authentication method, encryption algorithm, authentication (integrity) algorithm, DH group, and the IKE SA lifetime (in seconds, 180-86400).

[edit security ike proposal ike-proposal-to-vSRX-1]
lab@vSRX-2# set authentication-method pre-shared-keys
lab@vSRX-2# set encryption-algorithm aes-256-cbc 
lab@vSRX-2# set authentication-algorithm sha-256
lab@vSRX-2# set dh-group group20
lab@vSRX-2# set lifetime-seconds 86400

Create the IKE Phase 1 policy (also known as the IKE policy); we name it ike-policy-to-vSRX-1. We set main mode because this device (vSRX-2) has a static IP address (as on vSRX-1, the mode is ignored once the gateway is v2-only). We use a pre-shared key for authentication; the key is "Indonesia_2020" and it must be identical to the peer's (vSRX-1's) pre-shared key.

We also point the policy at the user-defined proposal named ike-proposal-to-vSRX-1 (created above). If you prefer a predefined proposal set from Juniper, that is fine: use the set proposal-set command instead of set proposals. The available options are basic, compatible, prime-128, prime-256, standard, suiteb-gcm-128, and suiteb-gcm-256.

[edit security ike policy ike-policy-to-vSRX-1]
lab@vSRX-2# set mode main
lab@vSRX-2# set pre-shared-key ascii-text "Indonesia_2020"
lab@vSRX-2# set proposals ike-proposal-to-vSRX-1

Then, define the IKE gateway with the peer IP address (vSRX-1's address), the IKE policy, and the outgoing (external) interface. We can also choose the IKE version: version 1 or version 2. When a gateway is configured as v2-only it cannot fall back to IKEv1 if the peer initiates an IKEv1 negotiation. The default is IKEv1. IKEv2 cannot be selected for a policy-based VPN.

[edit security ike gateway vSRX-1]
lab@vSRX-2# set address 100.1.1.2
lab@vSRX-2# set ike-policy ike-policy-to-vSRX-1
lab@vSRX-2# set external-interface ge-0/0/0
lab@vSRX-2# set version v2-only

Next, configure the IKE Phase 2 proposal (also known as the IPsec proposal). All the parameters we set here are security association parameters negotiated in IKE Phase 2: IPsec protocol, encryption algorithm, authentication algorithm, and the IPsec SA lifetime (in seconds, 180-86400).

[edit security ipsec proposal ipsec-proposal-to-vSRX-1]
lab@vSRX-2# set protocol esp
lab@vSRX-2# set encryption-algorithm aes-256-cbc
lab@vSRX-2# set authentication-algorithm hmac-sha-256-128
lab@vSRX-2# set lifetime-seconds 21600

Then, create the IKE Phase 2 policy (also known as the IPsec policy). Set the IPsec proposal and the DH group for PFS; it must match the group configured on vSRX-1.

[edit security ipsec policy ipsec-policy-to-vSRX-1]
lab@vSRX-2# set proposals ipsec-proposal-to-vSRX-1
lab@vSRX-2# set perfect-forward-secrecy keys group19

Then, define the IPsec VPN. Set the gateway and the IPsec policy we just created, and choose when the tunnel is established: immediately (the tunnel is created when the configuration is committed) or on-traffic (the tunnel is created when there is traffic to send). Don't forget to bind st0.0 as the tunnel interface.

[edit security ipsec vpn vSRX-1-VPN]
lab@vSRX-2# set ike gateway vSRX-1
lab@vSRX-2# set ike ipsec-policy ipsec-policy-to-vSRX-1
lab@vSRX-2# set establish-tunnels immediately
lab@vSRX-2# set bind-interface st0.0

Note: as on vSRX-1, binding the tunnel interface here is what makes this a route-based VPN; the routing table, not a security policy, decides which traffic enters the tunnel.

Lastly, create the security policies to allow traffic from the local private network (LAN3) to the remote networks (LAN1 and LAN2) and vice versa. The outbound policy is named vpn-Local-to-Remote, the inbound policy vpn-Remote-to-Local.

This is the outbound policy (Local to Remote).

[edit security policies from-zone Private to-zone Secure policy vpn-Local-to-Remote]
lab@vSRX-2# set match source-address LAN3
lab@vSRX-2# set match destination-address LAN1
lab@vSRX-2# set match destination-address LAN2
lab@vSRX-2# set match application any
lab@vSRX-2# set then permit

This is the inbound policy (Remote to Local).

[edit security policies from-zone Secure to-zone Private policy vpn-Remote-to-Local]
lab@vSRX-2# set match source-address LAN1
lab@vSRX-2# set match source-address LAN2
lab@vSRX-2# set match destination-address LAN3
lab@vSRX-2# set match application any
lab@vSRX-2# set then permit

That's all the configuration on vSRX-2. Commit the changes!
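As an added example that is not part of the original article, the following Python script cross-checks the two peer configurations from the procedure above before they are committed. It rebuilds both sides' set commands from the values in this article (constructed input using the same object names; the mode main statement is left out because it does not apply to IKEv2), follows the vpn -> gateway -> policy -> proposal references, and reports the mismatches that otherwise show up later as NO_PROPOSAL_CHOSEN in the tunnel events, an IKE SA that never reaches UP, or a tunnel that is UP but forwards nothing because one side has no route via st0.0. The function names, and the 20-character minimum for the pre-shared key, are our own hypothetical choices, not a Junos requirement.

```python
"""Lint two Junos SRX route-based VPN peers for the mismatches that later surface as NO_PROPOSAL_CHOSEN,
an IKE SA that never reaches UP, or a tunnel that is UP but has no route via st0. Added example, not from the page."""
import ipaddress
import re

def peer_config(peer, ext_addr, lan_addrs, st_addr, remote_addr, remote_lans,
                psk="Indonesia_2020", ike_dh="group20"):
    """Constructed input: one side's 'set' lines, mirroring the article's configuration."""
    p, ipp, pol, ipol = (f"ike-proposal-to-{peer}", f"ipsec-proposal-to-{peer}",
                         f"ike-policy-to-{peer}", f"ipsec-policy-to-{peer}")
    ike = {"authentication-method": "pre-shared-keys", "encryption-algorithm": "aes-256-cbc",
           "authentication-algorithm": "sha-256", "dh-group": ike_dh, "lifetime-seconds": "86400"}
    ipsec = {"protocol": "esp", "encryption-algorithm": "aes-256-cbc",
             "authentication-algorithm": "hmac-sha-256-128", "lifetime-seconds": "21600"}
    gw = {"address": remote_addr, "ike-policy": pol, "external-interface": "ge-0/0/0", "version": "v2-only"}
    vpn = {"ike gateway": peer, "ike ipsec-policy": ipol, "bind-interface": "st0.0"}
    lines = [f"set interfaces ge-0/0/0 unit 0 family inet address {ext_addr}",
             f"set interfaces st0.0 family inet address {st_addr}",
             f'set security ike policy {pol} pre-shared-key ascii-text "{psk}"',
             f"set security ike policy {pol} proposals {p}",
             f"set security ipsec policy {ipol} proposals {ipp}",
             f"set security ipsec policy {ipol} perfect-forward-secrecy keys group19"]
    lines += [f"set interfaces ge-0/0/{i} unit 0 family inet address {a}" for i, a in enumerate(lan_addrs, 1)]
    lines += [f"set routing-options static route {n} next-hop st0.0" for n in remote_lans]
    lines += [f"set security ike proposal {p} {k} {v}" for k, v in ike.items()]
    lines += [f"set security ike gateway {peer} {k} {v}" for k, v in gw.items()]
    lines += [f"set security ipsec proposal {ipp} {k} {v}" for k, v in ipsec.items()]
    lines += [f"set security ipsec vpn {peer}-VPN {k} {v}" for k, v in vpn.items()]
    return "\n".join(lines)

VSRX1_CONFIG = peer_config("vSRX-2", "100.1.1.2/24", ["192.168.1.1/24", "192.168.2.1/24"],
                           "10.0.0.1/30", "200.2.2.2", ["192.168.3.0/24"])
VSRX2_CONFIG = peer_config("vSRX-1", "200.2.2.2/24", ["192.168.3.1/24"],
                           "10.0.0.2/30", "100.1.1.2", ["192.168.1.0/24", "192.168.2.0/24"])

def parse_set_config(text):
    """Map each 'set' line to {path-tuple: [values]}; 'st0.0' is normalised to 'st0 unit 0'."""
    cfg = {}
    for line in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        tokens = tokens[1:]
        if tokens[0] == "interfaces" and "." in tokens[1]:
            name, unit = tokens[1].split(".")
            tokens[1:2] = [name, "unit", unit]
        cfg.setdefault(tuple(tokens[:-1]), []).append(tokens[-1])
    return cfg

def subtree(cfg, *prefix):  # statements under prefix, keyed by the remaining path (proposal names drop out)
    return {k[len(prefix):]: tuple(v) for k, v in cfg.items() if k[:len(prefix)] == prefix}

def vpn_view(cfg):
    """Follow vpn -> gateway -> policy -> proposal references; collect what must agree with the peer."""
    vpn = next(k[3] for k in cfg if k[:3] == ("security", "ipsec", "vpn"))
    gw = cfg["security", "ipsec", "vpn", vpn, "ike", "gateway"][0]
    ipol = cfg["security", "ipsec", "vpn", vpn, "ike", "ipsec-policy"][0]
    ikepol = cfg["security", "ike", "gateway", gw, "ike-policy"][0]
    ext = cfg["security", "ike", "gateway", gw, "external-interface"][0].split(".")[0]  # unit 0 assumed
    st, stu = cfg["security", "ipsec", "vpn", vpn, "bind-interface"][0].split(".")
    return {
        "ike_proposal": subtree(cfg, "security", "ike", "proposal", cfg["security", "ike", "policy", ikepol, "proposals"][0]),
        "ipsec_proposal": subtree(cfg, "security", "ipsec", "proposal", cfg["security", "ipsec", "policy", ipol, "proposals"][0]),
        "pfs": cfg.get(("security", "ipsec", "policy", ipol, "perfect-forward-secrecy", "keys"), ["none"])[0],
        "version": cfg.get(("security", "ike", "gateway", gw, "version"), ["v1-only"])[0],
        "psk": cfg["security", "ike", "policy", ikepol, "pre-shared-key", "ascii-text"][0],
        "peer": cfg["security", "ike", "gateway", gw, "address"][0],
        "local": cfg["interfaces", ext, "unit", "0", "family", "inet", "address"][0].split("/")[0],
        "routes_via_st": {k[3] for k, v in cfg.items()
                          if k[:3] == ("routing-options", "static", "route") and f"{st}.{stu}" in v},
        "local_lans": {str(ipaddress.ip_interface(a).network) for k, v in cfg.items()
                       if k[0] == "interfaces" and k[-1] == "address" and k[1] not in (ext, st) for a in v},
    }

def cross_check(a, b, min_psk_len=20):
    """Return the mismatches between two vpn_view() results; an empty list means the peers agree."""
    findings = []
    for key in ("ike_proposal", "ipsec_proposal", "pfs", "version"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a[key]} vs {b[key]}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")  # deliberately not echoing the secrets
    elif len(a["psk"]) < min_psk_len:  # hypothetical policy: a short PSK is brute-forceable by an impersonating peer
        findings.append(f"pre-shared key is only {len(a['psk'])} characters; use a long random secret")
    if (a["peer"], b["peer"]) != (b["local"], a["local"]):
        findings.append("gateway address does not match the peer's external-interface address")
    for side, other, name in ((a, b, "A"), (b, a, "B")):
        missing = sorted(other["local_lans"] - side["routes_via_st"])
        if missing:
            findings.append(f"{name} has no static route via st0 for remote LAN(s) {missing}")
    return findings

def lint(config_a, config_b):
    """Parse two set-format configurations (side A, side B) and return every finding as a string."""
    return cross_check(vpn_view(parse_set_config(config_a)), vpn_view(parse_set_config(config_b)))
```

Running lint(VSRX1_CONFIG, VSRX2_CONFIG) on the article's values returns a single finding about the short pre-shared key; changing the IKE DH group on one side, pointing a gateway at the wrong address, or dropping one of vSRX-2's static routes produces the corresponding mismatch. To use it on real devices, feed it the output of show configuration | display set from each peer.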

Done! Now check that LAN1 and LAN2 can reach LAN3, and vice versa.

user1@LAN1:~$ ping 192.168.3.33
PING 192.168.3.33 (192.168.3.33) 56(84) bytes of data.
64 bytes from 192.168.3.33: icmp_seq=1 ttl=62 time=6.57 ms
64 bytes from 192.168.3.33: icmp_seq=2 ttl=62 time=4.03 ms
user2@LAN2:~$ ping 192.168.3.33
PING 192.168.3.33 (192.168.3.33) 56(84) bytes of data.
64 bytes from 192.168.3.33: icmp_seq=1 ttl=62 time=4.95 ms
64 bytes from 192.168.3.33: icmp_seq=2 ttl=62 time=3.18 ms
user3@LAN3:~$ ping 192.168.1.11
PING 192.168.1.11 (192.168.1.11) 56(84) bytes of data.
64 bytes from 192.168.1.11: icmp_seq=1 ttl=62 time=6.84 ms
64 bytes from 192.168.1.11: icmp_seq=2 ttl=62 time=5.51 ms

Troubleshooting: show IKE active peers

Make sure the VPN gateway peer appears in the output of this command.

lab@vSRX-1> show security ike active-peer
Remote Address                      Port     Peer IKE-ID                         AAA username                        Assigned IP
200.2.2.2                           500      200.2.2.2                                  not available                0.0.0.0
lab@vSRX-2> show security ike active-peer
Remote Address                      Port     Peer IKE-ID                         AAA username                        Assigned IP
100.1.1.2                           500      100.1.1.2                                  not available                0.0.0.0   

Troubleshooting: Check the security associations

If the peer does not appear, make sure the security association parameters (proposal or proposal-set, pre-shared key, IKE version, and so on) are correct and identical on both sides. A healthy IKE SA shows State: UP. Use the show security ike security-associations detail command to check the negotiated IKE Phase 1 parameters.

lab@vSRX-1> show security ike security-associations detail
IKE peer 200.2.2.2, Index 1026798, Gateway Name: vSRX-2
  Role: Initiator, State: UP
  Initiator cookie: 310420e9fabafbc3, Responder cookie: 5236252f5aa1b268
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 100.1.1.2:500, Remote: 200.2.2.2:500
  Lifetime: Expires in 85278 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 200.2.2.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-20
  Traffic statistics:
   Input  bytes  :                  614
   Output bytes  :                  630
   Input  packets:                    2
   Output packets:                    2
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 100.1.1.2:500, Remote: 200.2.2.2:500
    Local identity: 100.1.1.2
    Remote identity: 200.2.2.2
    Flags: IKE SA is created 

lab@vSRX-2> show security ike security-associations detail
IKE peer 100.1.1.2, Index 1353826, Gateway Name: vSRX-1
  Role: Responder, State: UP
  Initiator cookie: 310420e9fabafbc3, Responder cookie: 5236252f5aa1b268
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 200.2.2.2:500, Remote: 100.1.1.2:500
  Lifetime: Expires in 85192 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 100.1.1.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-20
  Traffic statistics:
   Input  bytes  :                  630
   Output bytes  :                  614
   Input  packets:                    2
   Output packets:                    2
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 200.2.2.2:500, Remote: 100.1.1.2:500
    Local identity: 200.2.2.2
    Remote identity: 100.1.1.2
    Flags: IKE SA is created 

Or use the show security ipsec security-associations detail command to check the negotiated IKE Phase 2 parameters. Note the Local Identity and Remote Identity of 0.0.0.0/0: for a route-based VPN Junos uses these wildcard proxy IDs by default, which is fine between two SRX devices but may require explicit traffic select
ors when the peer is another vendor's gateway.

lab@vSRX-1> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: vSRX-2-VPN
  Local Gateway: 100.1.1.2, Remote Gateway: 200.2.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Wed Sep 09 2020
    : IPSec SA negotiation successfully completed          (1 times)
    Wed Sep 09 2020
    : Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    Wed Sep 09 2020
    : IKE SA negotiation successfully completed            (1 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (1 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (1 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (1 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (2 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (2 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (1 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (1 times)
    Wed Sep 09 2020
    : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Wed Sep 09 2020
    : External interface's address received. Information updated (1 times)
    Wed Sep 09 2020
    : Bind-interface's zone received. Information updated  (1 times)
    Wed Sep 09 2020
    : External interface's zone received. Information updated (1 times)
  Direction: inbound, SPI: 298b8176, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20350 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 19742 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 358e94a7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20350 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 19742 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

lab@vSRX-2> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: vSRX-1-VPN
  Local Gateway: 200.2.2.2, Remote Gateway: 100.1.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Wed Sep 09 2020
    : IPSec SA negotiation successfully completed          (1 times)
    Wed Sep 09 2020
    : IKE SA negotiation successfully completed            (1 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (1 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (1 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (1 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (2 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (2 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (1 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (1 times)
    Wed Sep 09 2020
    : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Wed Sep 09 2020
    : External interface's address received. Information updated (1 times)
    Wed Sep 09 2020
    : Bind-interface's zone received. Information updated  (1 times)
    Wed Sep 09 2020
    : External interface's zone received. Information updated (1 times)
  Direction: inbound, SPI: 358e94a7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20359 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 19796 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 298b8176, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 20359 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 19796 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
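As an added example that is not from the original article, the following Python script turns the output above into a health check that can be run across many gateways. It parses the show security ipsec security-associations detail text (the sample is constructed from the vSRX-1 output above, trimmed), then flags an SA that is not installed, a missing direction, weak algorithms, disabled anti-replay, and a hard lifetime about to expire without a rekey (the 300-second threshold is a hypothetical local policy), and reports the wildcard proxy IDs and the negotiation failures recorded in the tunnel event history. The function names are our own.

```python
"""Health-check 'show security ipsec security-associations detail' output. Added example, not
from the original page; the sample is constructed from the article's vSRX-1 output, trimmed."""
import re

SAMPLE = """\
ID: 131073 Virtual-system: root, VPN Name: vSRX-2-VPN
  Local Gateway: 100.1.1.2, Remote Gateway: 200.2.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  Tunnel events:
    Wed Sep 09 2020
    : IPSec SA negotiation successfully completed          (1 times)
    Wed Sep 09 2020
    : Negotiation failed  with error code NO_PROPOSAL_CHOSEN received from peer (2 times)
    Wed Sep 09 2020
    : Peer proposed phase1 proposal conflicts with local configuration. Negotiation failed (1 times)
  Direction: inbound, SPI: 298b8176, AUX-SPI: 0
    Hard lifetime: Expires in 20350 seconds
    Soft lifetime: Expires in 19742 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 358e94a7, AUX-SPI: 0
    Hard lifetime: Expires in 20350 seconds
    Soft lifetime: Expires in 19742 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
"""
WEAK_ALGORITHM = re.compile(r"\b(des|3des|md5|sha1|null)\b", re.IGNORECASE)

def _field(pattern, text, default=None):
    """First capture group of pattern in text, or default when that line is absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else default

def parse_ipsec_sas(text):
    """One record per 'ID:' block: VPN name, gateways, proxy IDs, tunnel events, per-direction SAs."""
    records = []
    for block in re.split(r"(?m)^(?=ID: )", text):
        if not block.startswith("ID: "):
            continue
        head, *sa_chunks = re.split(r"(?m)^\s*Direction: ", block)
        rec = {
            "vpn": _field(r"VPN Name: (\S+)", head),
            "local_gw": _field(r"Local Gateway: (\S+),", head),
            "remote_gw": _field(r"Remote Gateway: (\S+)", head),
            "local_id": _field(r"Local Identity: .*?=([\d./]+)\)", head),
            "remote_id": _field(r"Remote Identity: .*?=([\d./]+)\)", head),
            "version": _field(r"Version: (\S+)", head),
            "events": [(m, int(n)) for m, n in re.findall(r"(?m)^\s*: (.+?)\s+\((\d+) times\)", head)],
            "sas": [],
        }
        for chunk in sa_chunks:
            rec["sas"].append({
                "direction": chunk.split(",", 1)[0],
                "spi": _field(r"SPI: (\w+)", chunk),
                "hard_remaining": int(_field(r"Hard lifetime: Expires in (\d+)", chunk, 0)),
                "soft_remaining": int(_field(r"Soft lifetime: Expires in (\d+)", chunk, 0)),
                "state": _field(r"State: (\S+)", chunk),
                "protocol": _field(r"Protocol: (\S+),", chunk),
                "auth": _field(r"Authentication: (\S+),", chunk),
                "enc": _field(r"Encryption: (.+)", chunk, "").strip(),
                "anti_replay": "enabled" in _field(r"Anti-replay service: (.+?),", chunk, ""),
            })
        records.append(rec)
    return records

def assess(rec, min_hard_remaining=300):
    """Return (warnings, notes) for one record; no warnings means the tunnel looks healthy.
    The 300-second threshold for a missed rekey is a hypothetical local policy."""
    warnings, notes = [], []
    if {sa["direction"] for sa in rec["sas"]} != {"inbound", "outbound"}:
        warnings.append("inbound or outbound SA is missing")
    for sa in rec["sas"]:
        if sa["state"] != "installed":
            warnings.append(f"{sa['direction']} SA state is {sa['state']}")
        for alg in (sa["auth"], sa["enc"]):
            if WEAK_ALGORITHM.search(alg):
                warnings.append(f"{sa['direction']} SA uses weak algorithm {alg}")
        if not sa["anti_replay"]:
            warnings.append(f"{sa['direction']} SA has anti-replay disabled")
        if sa["hard_remaining"] < min_hard_remaining:
            warnings.append(f"{sa['direction']} SA hard lifetime nearly expired without a rekey")
    if rec["local_id"] == rec["remote_id"] == "0.0.0.0/0":
        notes.append("proxy IDs are 0.0.0.0/0 (Junos default for route-based VPN); "
                     "a third-party peer may need explicit traffic selectors")
    failures = sum(n for msg, n in rec["events"] if "failed" in msg.lower())
    if failures:
        notes.append(f"{failures} negotiation failure(s) in tunnel event history; "
                     "re-check the proposals if this count keeps growing")
    return warnings, notes
```

On the sample, assess() returns no warnings and two notes (the wildcard proxy IDs and the three failed negotiations still visible in the event history). Collect the command output from each gateway (for example over SSH or NETCONF) and run the same two functions over it to get a fleet-wide view.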

And so on. You can explore the other operational commands yourself: run show security ike ? and show security ipsec ? in operational mode. The failed entries in the Tunnel events history above (Peer proposed phase1 proposal conflicts with local configuration, NO_PROPOSAL_CHOSEN received from peer) are what an IKE proposal mismatch looks like; they were recorded while the two sides' proposals still differed, and the later IKE SA negotiation successfully completed event shows that the corrected configuration took effect.

Also, make sure you have security policies that allow the traffic from the local network to the remote network and vice versa.

lab@vSRX-1> show security policies
Default policy: deny-all
Pre ID default policy: permit-all
From zone: Private, To zone: Secure
  Policy: vpn-Local-to-Remote, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN1, LAN2
    Destination addresses: LAN3
    Applications: any
    Action: permit
. . . .
From zone: Secure, To zone: Private
  Policy: vpn-Remote-to-Local, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN3
    Destination addresses: LAN1, LAN2
    Applications: any
    Action: permit 
lab@vSRX-2> show security policies
Default policy: deny-all
Pre ID default policy: permit-all
From zone: Private, To zone: Secure
  Policy: vpn-Local-to-Remote, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN3
    Destination addresses: LAN1, LAN2
    Applications: any
    Action: permit
. . . .
From zone: Secure, To zone: Private
  Policy: vpn-Remote-to-Local, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
    Source vrf group: any
    Destination vrf group: any
    Source addresses: LAN1, LAN2
    Destination addresses: LAN3
    Applications: any
    Action: permit

Don't forget the routes to reach the remote networks! Each remote LAN must have a static route pointing at st0.0 on the side that needs to reach it.

lab@vSRX-1> show route protocol static

inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 02:26:13
                    >  to 100.1.1.1 via ge-0/0/0.0
192.168.3.0/24     *[Static/5] 00:23:05
                    >  via st0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
lab@vSRX-2> show route protocol static

inet.0: 10 destinations, 12 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 02:25:08
                    >  to 200.2.2.1 via ge-0/0/0.0
192.168.1.0/24     *[Static/5] 00:08:31
                    >  via st0.0
192.168.2.0/24     *[Static/5] 00:22:00
                    >  via st0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

That's all. Good luck!
