This is a simple IPsec VPN that uses PKI for the IKE exchange, with certificates issued by CAcert.org.
To rule out any PKI-related problems first, set up a quick IPsec VPN over a secure tunnel interface (st0) using pre-shared keys.
The configs for SRX210-1 and SRX210-2 are shown below. For reference, all of the pre-shared keys are juniper123.
version 12.1X45.5;
system {
    host-name SRX210-1;
}
interfaces {
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 10.0.110.211/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.69.69.211/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.66.66.211/24;
            }
        }
    }
}
security {
    ike {
        proposal IKE-PSK {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy IKE-POLICY-PSK {
            mode main;
            proposals IKE-PSK;
            pre-shared-key ascii-text "$9$Ly97dsaZjP5F245Fn/0OX7-V24JGDkmf"; ## SECRET-DATA
        }
        gateway SRX210-2 {
            ike-policy IKE-POLICY-PSK;
            address 10.69.69.212;
            external-interface fe-0/0/7.0;
        }
    }
    ipsec {
        proposal ESP_AES128-MD5 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 7200;
        }
        policy ESP_AES128-MD5_PFS {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ESP_AES128-MD5;
        }
        vpn SRX210-2 {
            bind-interface st0.0;
            ike {
                gateway SRX210-2;
                ipsec-policy ESP_AES128-MD5_PFS;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        functional-zone management {
            interfaces {
                fe-0/0/6.0;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    snmp;
                }
            }
        }
        security-zone IPSEC {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
version 12.1X45.5;
system {
    host-name SRX210-2;
}
interfaces {
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 10.0.110.212/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.69.69.212/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.66.66.212/24;
            }
        }
    }
}
security {
    ike {
        proposal IKE-PSK {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy IKE-POLICY-PSK {
            mode main;
            proposals IKE-PSK;
            pre-shared-key ascii-text "$9$Ly97dsaZjP5F245Fn/0OX7-V24JGDkmf"; ## SECRET-DATA
        }
        gateway SRX210-1 {
            ike-policy IKE-POLICY-PSK;
            address 10.69.69.211;
            external-interface fe-0/0/7.0;
        }
    }
    ipsec {
        proposal ESP_AES128-MD5 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 7200;
        }
        policy ESP_AES128-MD5_PFS {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ESP_AES128-MD5;
        }
        vpn SRX210-1 {
            bind-interface st0.0;
            ike {
                gateway SRX210-1;
                ipsec-policy ESP_AES128-MD5_PFS;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        functional-zone management {
            interfaces {
                fe-0/0/6.0;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    snmp;
                }
            }
        }
        security-zone IPSEC {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
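Before the on-box checks, an offline consistency pass over both peer configs catches the usual site-to-site mistakes. This added Python (not from the post) parses Junos curly-brace syntax into nested dicts, verifies that the IKE and IPsec proposals match end to end and that each side's gateway address is the other side's external-interface address, and flags the MD5 choices in these proposals as weak. The config strings are constructed, abridged excerpts of the two configs above (PSK, policies and zones left out).

```python
import re
TOKEN = re.compile(r'[{};]|"[^"]*"|[^\s{};"]+')
WEAK = {"md5", "hmac-md5-96", "sha1", "hmac-sha1-96", "des-cbc", "3des-cbc", "group1", "group2"}

def parse_junos(text):
    """Junos curly-brace config -> nested dicts: 'k v;' -> {k: v}, 'k;' -> {k: True}, 'a b {' nests a -> b."""
    text = re.sub(r"##[^{};]*", "", text)          # drop '## SECRET-DATA' style comments
    stack, words = [{}], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            node = stack[-1]
            for w in words:                         # "gateway SRX210-2 {" nests two levels
                node = node.setdefault(w, {})
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if words:
                stack[-1][words[0]] = " ".join(words[1:]) or True
        else:
            words.append(tok)
            continue
        words = []
    return stack[0]

def check_pair(a, b, gw_on_a, gw_on_b):
    """Proposals must match end to end; each gateway address must be the peer's external address."""
    out = []
    for stanza in ("ike", "ipsec"):
        pa, pb = (next(iter(c["security"][stanza]["proposal"].values())) for c in (a, b))
        for k in sorted(set(pa) | set(pb)):
            if pa.get(k) != pb.get(k):
                out.append(f"{stanza} proposal mismatch: {k} {pa.get(k)} vs {pb.get(k)}")
            elif pa[k] in WEAK:
                out.append(f"{stanza} proposal uses weak {k} {pa[k]}")
    for x, y, gw_x, gw_y in ((a, b, gw_on_a, gw_on_b), (b, a, gw_on_b, gw_on_a)):
        ifname, unit = y["security"]["ike"]["gateway"][gw_y]["external-interface"].split(".")
        peer_ext = y["interfaces"][ifname]["unit"][unit]["family"]["inet"]["address"].split("/")[0]
        if x["security"]["ike"]["gateway"][gw_x]["address"] != peer_ext:
            out.append(f"gateway {gw_x} address does not match the peer's external interface")
    return out

# Constructed, abridged excerpt of the post's SRX210-1 config; SRX210-2 mirrors it with .212/.211 swapped.
SRX210_1 = """interfaces { fe-0/0/7 { unit 0 { family inet { address 10.69.69.211/24; } } } }
security { ike { proposal IKE-PSK { authentication-method pre-shared-keys; dh-group group5; authentication-algorithm md5;
 encryption-algorithm aes-128-cbc; lifetime-seconds 3600; } gateway SRX210-2 { address 10.69.69.212; external-interface fe-0/0/7.0; } }
 ipsec { proposal ESP_AES128-MD5 { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm aes-128-cbc; } } }"""
SRX210_2 = (SRX210_1.replace("69.211", "69.212").replace("address 10.69.69.212;", "address 10.69.69.211;")
            .replace("gateway SRX210-2", "gateway SRX210-1"))
```

Running check_pair(parse_junos(SRX210_1), parse_junos(SRX210_2), "SRX210-2", "SRX210-1") on these excerpts reports no mismatch, only the two MD5 findings.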
Do a couple of quick checks to make sure the secure tunnel is up, is passing traffic, and is doing what it is supposed to.
juniper@SRX210-1> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
136964  UP     ff85a2037e9e79ae  bdffbacd4bfea098  Main           10.69.69.212

juniper@SRX210-1> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 44329615 6937/ unlim   -   root 500   10.69.69.212
  >131073 ESP:aes-cbc-128/md5 e5d12e07 6937/ unlim   -   root 500   10.69.69.212

juniper@SRX210-1> ping 10.66.66.212 count 3
PING 10.66.66.212 (10.66.66.212): 56 data bytes
64 bytes from 10.66.66.212: icmp_seq=0 ttl=64 time=3.850 ms
64 bytes from 10.66.66.212: icmp_seq=1 ttl=64 time=2.901 ms
64 bytes from 10.66.66.212: icmp_seq=2 ttl=64 time=2.788 ms

--- 10.66.66.212 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.788/3.180/3.850/0.476 ms

juniper@SRX210-1> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            45744
  Decrypted bytes:              252
  Encrypted packets:            336
  Decrypted packets:              3
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

juniper@SRX210-1>