This is part 2 of my Juniper SRX IPsec LAN-to-LAN VPN posts. In part 1 we had a simple LAN-to-LAN VPN with only one subnet in each site. In this post there are two subnets in Their Site, 10.30.1.0/24 and 10.30.2.0/24, to illustrate the VPN configuration options. Let's first configure the policy-based VPN on My Site. To keep this post to the point I only show the configuration that is new compared to the policy-based VPN in part 1, so check that out if needed.

A second pair of tunnel policies is added for the new subnet. Both policies reference the existing VPN_TEST and point at each other with pair-policy:

```
set security policies from-zone TRUST to-zone UNTRUST policy TEST_2_OUT match source-address NET_172.21.1.0/24
set security policies from-zone TRUST to-zone UNTRUST policy TEST_2_OUT match destination-address NET_10.30.2.0/24
set security policies from-zone TRUST to-zone UNTRUST policy TEST_2_OUT match application any
set security policies from-zone TRUST to-zone UNTRUST policy TEST_2_OUT then permit tunnel ipsec-vpn VPN_TEST
set security policies from-zone TRUST to-zone UNTRUST policy TEST_2_OUT then permit tunnel pair-policy TEST_2_IN
insert security policies from-zone TRUST to-zone UNTRUST policy TEST_2_OUT after policy TEST_OUT

set security policies from-zone UNTRUST to-zone TRUST policy TEST_2_IN match source-address NET_10.30.2.0/24
set security policies from-zone UNTRUST to-zone TRUST policy TEST_2_IN match destination-address NET_172.21.1.0/24
set security policies from-zone UNTRUST to-zone TRUST policy TEST_2_IN match application any
set security policies from-zone UNTRUST to-zone TRUST policy TEST_2_IN then permit tunnel ipsec-vpn VPN_TEST
set security policies from-zone UNTRUST to-zone TRUST policy TEST_2_IN then permit tunnel pair-policy TEST_2_OUT
insert security policies from-zone UNTRUST to-zone TRUST policy TEST_2_IN after policy TEST_IN
```

The insert statements place the new policies directly after the part 1 policies. Security policies are evaluated top-down and the first match wins, so a tunnel policy has to sit above any broader policy that would otherwise match the same traffic first.

After these configurations there are two IPsec SAs up under the single VPN_TEST, one per policy pair: a policy-based VPN derives its proxy identities from the source and destination addresses of each tunnel policy, so the second policy pair negotiates its own phase 2 SA.

```
show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
6185192 UP     3150639546069bb2  c37a561409da1705  Main  198.51.100.10

show security ipsec security-associations
ID  Algorithm               SPI       Life:sec/kb  Mon  lsys  Port  Gateway
2   ESP:aes-cbc-256/sha256  baab14a6  2432/ unlim  -    root  500   198.51.100.10
4   ESP:aes-cbc-256/sha256  c0c66b2d  3439/ unlim  -    root  500   198.51.100.10

show security ipsec security-associations detail
ID: 2 Virtual-system: root, VPN Name: VPN_TEST
Last Tunnel Down Reason: Delete payload received
  Direction: inbound, SPI: 616334bf, AUX-SPI: 0
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
  Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: baab14a6, AUX-SPI: 0
ID: 4 Virtual-system: root, VPN Name: VPN_TEST
Last Tunnel Down Reason: SA config deactivated
  Direction: inbound, SPI: bc430d5a, AUX-SPI: 0
  Direction: outbound, SPI: c0c66b2d, AUX-SPI: 0
```

For the route-based VPN (the VPN bound to an st0 tunnel interface) the proxy identities are set with the proxy-identity statement. However, it is not possible to set two different proxy identities for a single VPN with the "proxy-identity" statement. To be able to set up two different proxy identity combinations we need to create two different VPNs for these networks:

```
# Two VPN tunnel interfaces are created:
set interfaces st0 unit 1 description "VPN tunnel for 10.30.1.0/24"
set interfaces st0 unit 2 description "VPN tunnel for 10.30.2.0/24"
# The tunnel interface st0.1 is bound to the first VPN:
set security ipsec vpn VPN_TEST bind-interface st0.1
# The IPsec SA identities are set manually for the first VPN:
set security ipsec vpn VPN_TEST ike proxy-identity local 172.21.1.0/24
set security ipsec vpn VPN_TEST ike proxy-identity remote 10.30.1.0/24
set security ipsec vpn VPN_TEST ike proxy-identity service any
# The second VPN is created for the other subnet:
set security ipsec vpn VPN_TEST_2 bind-interface st0.2
set security ipsec vpn VPN_TEST_2 df-bit clear
```
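The two configuration styles above follow a fixed pattern per remote subnet: a policy-based VPN needs one pair of tunnel policies per subnet (inserted above anything broader), a route-based VPN needs one st0 unit and one VPN object with its own proxy-identity per subnet. The script below, an added example that is not part of the post, generates the Junos set statements for any number of remote subnets in both styles and rejects prefixes with host bits set so a typo cannot become a wrong proxy ID. The IKE gateway and IPsec policy names, the `family inet` lines and the static routes are assumptions about the parts of the configuration the post leaves in part 1; the address-book entries NET_<prefix> are likewise assumed to exist already.

```python
"""Generate Junos 'set' statements for a LAN-to-LAN VPN carrying N remote
subnets, in both styles discussed in this post.  Added example, not the
post's own configuration."""
import ipaddress


def _net(s):
    # strict=True rejects host addresses such as 10.30.1.5/24, so a typo
    # cannot silently turn into a wrong proxy ID or policy match.
    return str(ipaddress.ip_network(s, strict=True))


def _suffix(i):
    # First element keeps the bare name (TEST_OUT, VPN_TEST), later ones
    # get _2, _3, ... as the post does.
    return "" if i == 1 else f"_{i}"


def policy_based_vpn(vpn, local_net, remote_nets, trust="TRUST",
                     untrust="UNTRUST", prefix="TEST", insert_after=None):
    """One VPN object and one pair of tunnel policies per remote subnet.

    Each policy pair negotiates its own phase 2 SA, because a policy-based
    VPN takes its proxy IDs from the policy's address match.  insert_after
    may name an existing (out, in) policy pair; each new pair is inserted
    after the previous one so it is not shadowed by a broader policy that
    is evaluated first.  Address-book entries NET_<prefix> are assumed.
    """
    local = _net(local_net)
    cmds, prev = [], insert_after
    for i, remote in enumerate(remote_nets, start=1):
        remote = _net(remote)
        out_name = f"{prefix}{_suffix(i)}_OUT"
        in_name = f"{prefix}{_suffix(i)}_IN"
        out = f"set security policies from-zone {trust} to-zone {untrust} policy {out_name}"
        inn = f"set security policies from-zone {untrust} to-zone {trust} policy {in_name}"
        cmds += [
            f"{out} match source-address NET_{local}",
            f"{out} match destination-address NET_{remote}",
            f"{out} match application any",
            f"{out} then permit tunnel ipsec-vpn {vpn}",
            f"{out} then permit tunnel pair-policy {in_name}",
            f"{inn} match source-address NET_{remote}",
            f"{inn} match destination-address NET_{local}",
            f"{inn} match application any",
            f"{inn} then permit tunnel ipsec-vpn {vpn}",
            f"{inn} then permit tunnel pair-policy {out_name}",
        ]
        if prev:
            cmds += [
                f"insert security policies from-zone {trust} to-zone {untrust} policy {out_name} after policy {prev[0]}",
                f"insert security policies from-zone {untrust} to-zone {trust} policy {in_name} after policy {prev[1]}",
            ]
        prev = (out_name, in_name)
    return cmds


def route_based_vpn(local_net, remote_nets, ike_gateway, ipsec_policy,
                    vpn_prefix="VPN_TEST", first_unit=1):
    """One st0 unit and one VPN object per remote subnet.

    A VPN object accepts a single proxy-identity, so every remote subnet
    gets its own VPN.  ike_gateway / ipsec_policy name objects from part 1
    (assumed, not shown in this post); the 'family inet' and static-route
    lines are assumptions about how the tunnels are brought up and routed.
    Zone membership of the st0 units is left to the part 1 configuration.
    """
    local = _net(local_net)
    cmds = []
    for i, remote in enumerate(remote_nets, start=1):
        remote = _net(remote)
        unit = first_unit + i - 1
        vpn = f"{vpn_prefix}{_suffix(i)}"
        cmds += [
            f'set interfaces st0 unit {unit} description "VPN tunnel for {remote}"',
            f"set interfaces st0 unit {unit} family inet",                # assumption
            f"set security ipsec vpn {vpn} bind-interface st0.{unit}",
            f"set security ipsec vpn {vpn} ike gateway {ike_gateway}",      # assumption
            f"set security ipsec vpn {vpn} ike ipsec-policy {ipsec_policy}",  # assumption
            f"set security ipsec vpn {vpn} ike proxy-identity local {local}",
            f"set security ipsec vpn {vpn} ike proxy-identity remote {remote}",
            f"set security ipsec vpn {vpn} ike proxy-identity service any",
            f"set security ipsec vpn {vpn} df-bit clear",
            f"set routing-options static route {remote} next-hop st0.{unit}",  # assumption
        ]
    return cmds


if __name__ == "__main__":
    remotes = ["10.30.1.0/24", "10.30.2.0/24"]
    print("\n".join(policy_based_vpn("VPN_TEST", "172.21.1.0/24", remotes)))
    print()
    print("\n".join(route_based_vpn("172.21.1.0/24", remotes, "GW_TEST", "IPSEC_POL")))
```

Run with the post's values it reproduces the TEST_OUT/TEST_IN and TEST_2_OUT/TEST_2_IN pairs and the VPN_TEST/VPN_TEST_2 objects; pass a longer subnet list and it keeps adding pairs, units and VPN objects in the same pattern.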
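Whichever style is used, the check afterwards is the same: each VPN should show the expected number of phase 2 SAs with both an inbound and an outbound SPI installed, using algorithms you still trust, with anti-replay enabled. The parser below is an added example (not from the post) that reads the trimmed `show security ipsec security-associations detail` output shown earlier and reports those findings. `SAMPLE` is constructed from the post's own listing; `WEAK_SAMPLE` is a hypothetical legacy tunnel constructed only to show what the checks flag. Lines the parser does not need (lifetimes, gateways, flags in the full command output) are skipped, so it also works on untrimmed output.

```python
"""Parse 'show security ipsec security-associations detail' output and
check each VPN's SAs.  Added example; not from the post."""
import re
from dataclasses import dataclass, field

# Constructed from the SA listing in the post (trimmed as the post trims it).
SAMPLE = """\
ID: 2 Virtual-system: root, VPN Name: VPN_TEST
Last Tunnel Down Reason: Delete payload received
  Direction: inbound, SPI: 616334bf, AUX-SPI: 0
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
  Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: baab14a6, AUX-SPI: 0
ID: 4 Virtual-system: root, VPN Name: VPN_TEST
Last Tunnel Down Reason: SA config deactivated
  Direction: inbound, SPI: bc430d5a, AUX-SPI: 0
  Direction: outbound, SPI: c0c66b2d, AUX-SPI: 0
"""

# Hypothetical legacy tunnel, constructed to show what the checks flag:
# only one direction installed, MD5/3DES, anti-replay off.
WEAK_SAMPLE = """\
ID: 6 Virtual-system: root, VPN Name: VPN_OLD
  Direction: inbound, SPI: 0a0b0c0d, AUX-SPI: 0
  Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
  Anti-replay service: disabled
"""

ID_RE = re.compile(r"^ID:\s*(\d+)\s+Virtual-system:\s*\S+,\s*VPN Name:\s*(\S+)")
DIR_RE = re.compile(r"^\s*Direction:\s*(inbound|outbound),\s*SPI:\s*([0-9a-fA-F]+)")
DOWN_RE = re.compile(r"^\s*Last Tunnel Down Reason:\s*(.+?)\s*$")
PROTO_RE = re.compile(r"^\s*Protocol:\s*\S+,\s*Authentication:\s*([^,]+),\s*Encryption:\s*(.+?)\s*$")
REPLAY_RE = re.compile(r"^\s*Anti-replay service:\s*([^,]+?)\s*(?:,\s*Replay window size:\s*(\d+))?\s*$")

WEAK_AUTH = {"hmac-md5-96"}          # integrity algorithms to flag
WEAK_ENC = ("des-cbc", "3des-cbc")   # encryption algorithms to flag (prefix match)


@dataclass
class IpsecSA:
    sa_id: int
    vpn: str
    spi: dict = field(default_factory=dict)   # "inbound"/"outbound" -> hex SPI
    last_down_reason: str = ""
    auth: str = ""
    enc: str = ""
    anti_replay: str = ""
    replay_window: int = 0


def parse_detail(text):
    """Return one IpsecSA per 'ID:' block; unknown lines are ignored."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := ID_RE.match(line):
            cur = IpsecSA(int(m.group(1)), m.group(2))
            sas.append(cur)
        elif cur is None:
            continue                      # header text before the first SA
        elif m := DIR_RE.match(line):
            cur.spi[m.group(1)] = m.group(2).lower()
        elif m := DOWN_RE.match(line):
            cur.last_down_reason = m.group(1)
        elif m := PROTO_RE.match(line):
            cur.auth, cur.enc = m.group(1), m.group(2)
        elif m := REPLAY_RE.match(line):
            cur.anti_replay = m.group(1)
            cur.replay_window = int(m.group(2) or 0)
    return sas


def check_vpn(sas, vpn, expected):
    """Return findings for one VPN; an empty list means it looks healthy."""
    findings = []
    mine = [s for s in sas if s.vpn == vpn]
    if len(mine) != expected:
        findings.append(f"{vpn}: expected {expected} SA(s), found {len(mine)}")
    for s in mine:
        for d in ("inbound", "outbound"):
            if d not in s.spi:
                findings.append(f"{vpn} SA {s.sa_id}: no {d} SPI installed")
        if s.auth in WEAK_AUTH:
            findings.append(f"{vpn} SA {s.sa_id}: weak authentication {s.auth}")
        if s.enc.startswith(WEAK_ENC):
            findings.append(f"{vpn} SA {s.sa_id}: weak encryption {s.enc}")
        # Only judge anti-replay when the line was present in the output.
        if s.anti_replay and "enabled" not in s.anti_replay:
            findings.append(f"{vpn} SA {s.sa_id}: anti-replay {s.anti_replay}")
    return findings


if __name__ == "__main__":
    for text, vpn, n in ((SAMPLE, "VPN_TEST", 2), (WEAK_SAMPLE, "VPN_OLD", 1)):
        print(vpn, check_vpn(parse_detail(text), vpn, n) or "OK")
```

With the post's output the check returns no findings for VPN_TEST (two SAs, each with both SPIs, AES-256/SHA-256, anti-replay on); the hypothetical VPN_OLD is flagged four times. After migrating to the route-based setup the same check is run per VPN object, VPN_TEST and VPN_TEST_2 with one SA each.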