Juniper SRX VPN configuration


Route Based VPN configuration :
  • Phase 1 configuration (edit security ike)
    • Proposal – optional 
    • Policy
      • mode: main or aggressive
      • Reference a proposal: preconfigured or default
      • Pre-shared key
    • Gateway
      • Reference a policy
      • Peer Address
      • Exit interface
  • Phase 2 Configuration (edit security ipsec)
    • Proposal – optional
    • Policy
      • Reference a proposal: preconfigured or default
      • PFS – optional
    • VPN
      • bind interface st0.x
      • ike
        • Reference gateway
        • Reference ipsec-policy
        • Define Proxy-identity 
        • establish-tunnel immediately or when traffic
  • Security policy
    • permit traffic from remote zone to st0 zone and back
    • permit ike and ipsec traffic 
  • Interface configuration
    • Interface st0.x – ip address
    • Configure route to st0.x
Policy Based VPN configuration :

  • Phase 1 (edit security ike)
    • Proposal – optional
    • Policy
      • mode: main
      • Reference a proposal: preconfigured or default
      • Preshared key
    • Gateway
      • Reference a policy
      • Peer Address
      • Exit interface
  • Phase 2 (edit security ipsec)
    • Proposal – optional
    • Policy
      • Reference a proposal: preconfigured or default
      • PFS – optional
    • VPN
      • ike
        • Reference gateway
        • Reference ipsec-policy
        • Optionally proxy identities can be defined
      • establish-tunnel immediately or when traffic
  • Security policy
    • Configure Address Book entries for source and destination addresses under “zones”
    • Configure policy from remote to local LAN and vice versa
    • In addition to the “permit” action, specify the IPSec Profile to be used
    • Include pair-policy statement to make the VPN bi-directional
  • Configure NAT rules if needed – source and destination
  • Configure tcp maximum segment size (tcp-mss)
Verify and debug:
>show security ike security-associations 1.1.1.1 (detail)
>show security ike active-peer
>show security ipsec security-associations
>show security ipsec inactive-tunnels
 
>show security ipsec statistics
>show interfaces st0.0 extensive
 
>show security flow session interface st0.0
 
>request security ike debug-enable local 173.167.224.13 remote 99.182.0.14 level 15
>show log kmd
Use traceoptions

************************

Cisco ASA VPN Configuration:
  • Configure ISAKMP Policy (optional)
  • Configure Transform set with IPSec details
  • Configure Crypto ACL (specify traffic to be encrypted)
  • Configure pre-shared key for the peer
  • Configure Crypto Map
    • crypto ACL
    • peer address
    • reference transform set
    • interface (name)
  • Configure static route pointing to the tunnel (optional)
  • Enable isakmp on interface - crypto isakmp enable interface_name
  • Permit VPN traffic to ASA
    • from peer address to vpn address - esp and udp isakmp