srx220 juniper vpn config


    host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { st0.0; } } } policies { from-zone trust to-zone vpn1-bb-vpn { policy permit-trust-to-vpn1-bb-vpn { match { source-address any; destination-address any; application any; } then { permit; }

    } } } flow { tcp-mss { ipsec-vpn { mss 1420; } } }}

    SITE TWO (VPN1.BB)

    ## Site Two (VPN1.BB): route-based IPsec VPN to VPN1.AA, bound to st0.0.
    ## The IKE and IPsec proposals and the pre-shared key must match the peer.
    interfaces {
        st0 {
            unit 0 {
                point-to-point;
                family inet {
                    mtu 1420;
                    address 10.255.0.2/30;
                }
            }
        }
    }
    security {
        ike {
            proposal vpn1-aa-proposal {
                authentication-method pre-shared-keys;
                ## NOTE(review): group2 is the 1024-bit MODP group and is no longer
                ## considered adequate; prefer group14 or stronger where both peers
                ## support it. Change it on both sides together or IKE will not negotiate.
                dh-group group2;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
            }
            policy vpn1-aa-ike-policy {
                mode main;
                proposals vpn1-aa-proposal;
                ## "secret-key" is a placeholder: use a long, randomly generated key and
                ## keep the real value out of any published or shared copy of this config.
                pre-shared-key ascii-text "secret-key"; ## ENSURE THIS IS THE SAME ON BOTH SIDES
            }
            gateway vpn1-aa-gateway {
                ike-policy vpn1-aa-ike-policy;
                address 2.3.4.5; ## EXTERNAL-FACING INTERFACE ADDRESS OF VPN1.AA
                external-interface ge-0/0/0.0; ## EXTERNAL-FACING INTERFACE OF VPN1.BB
            }
        }
        ipsec {
            proposal vpn1-aa-ipsec-proposal {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
            }
            policy vpn1-aa-ipsec-policy {
                ## NOTE(review): PFS also uses group2 (1024-bit MODP); raise it together
                ## with the IKE dh-group, again on both peers.
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals vpn1-aa-ipsec-proposal;
            }
            vpn vpn1-aa-ipsec-vpn {
                bind-interface st0.0;
                ike {
                    gateway vpn1-aa-gateway;
                    ipsec-policy vpn1-aa-ipsec-policy;
                }
                ## Negotiate the tunnel as soon as the configuration is active rather
                ## than waiting for traffic to trigger it.
                establish-tunnels immediately;
            }
        }
        zones {
            security-zone vpn1-aa-vpn {
                ## host-inbound-traffic governs traffic addressed to the SRX itself that
                ## arrives through this zone's interfaces. "all" exposes every system
                ## service and protocol on the device to the remote site; list only the
                ## services and protocols the tunnel actually needs.
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
        }
        policies {
            ## Permits any trust-zone source to reach any destination with any
            ## application across the tunnel, and configures no logging. Narrow the
            ## match to the addresses and applications that are required. Only the
            ## trust-to-VPN direction appears in this excerpt.
            from-zone trust to-zone vpn1-aa-vpn {
                policy permit-trust-to-vpn1-aa-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        flow {
            ## NOTE(review): st0.0 is also set to mtu 1420; a 1420-byte TCP payload plus
            ## 40 bytes of IPv4/TCP headers exceeds that. Confirm the intended MSS.
            tcp-mss {
                ipsec-vpn {
                    mss 1420;
                }
            }
        }
    }

    USEFUL COMMANDS

    show security ike security-associations
    show security ipsec security-associations