This is a simple IPsec VPN that uses PKI (certificates issued by CAcert.org) to authenticate the IKE exchange.
In order to rule out any PKI-related problems, first set up a quick IPsec VPN over a secure tunnel interface (st0) using pre-shared keys.
The configs for SRX210-1 and SRX210-2 are shown below. For reference, the pre-shared key on both devices is juniper123.
# Junos release the configuration below was captured from.
version 12.1X45.5;
system {
    # First tunnel endpoint; its peer is SRX210-2.
    host-name SRX210-1;
}
interfaces {
    # fe-0/0/6.0: management interface; it is placed in the
    # `functional-zone management` further down, not in a security zone.
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 10.0.110.211/24;
            }
        }
    }
    # fe-0/0/7.0: IKE/ESP-facing interface. This address is the local tunnel
    # endpoint and is what the peer's `gateway` statement points at.
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.69.69.211/24;
            }
        }
    }
    # st0.0: secure tunnel interface the VPN is bound to (route-based VPN);
    # carries the inner 10.66.66.0/24 addressing used by the ping test.
    st0 {
        unit 0 {
            family inet {
                address 10.66.66.211/24;
            }
        }
    }
}
security {
    ike {
        # Phase 1 (IKE SA) proposal. md5 as the IKE integrity/PRF algorithm
        # and group5 (1536-bit MODP) are below current recommendations
        # (sha-256, group14 or higher); acceptable here only because the goal
        # is to isolate PKI problems, not to build a production tunnel.
        proposal IKE-PSK {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        # main mode exchanges peer identities only after the DH exchange
        # (aggressive mode would send them in the clear).
        # The $9$ string is Junos's reversible obfuscation of the PSK, not a
        # hash: anyone holding this config text can recover the plaintext
        # (juniper123 per the write-up), so the config dump itself is secret.
        policy IKE-POLICY-PSK {
            mode main;
            proposals IKE-PSK;
            pre-shared-key ascii-text "$9$Ly97dsaZjP5F245Fn/0OX7-V24JGDkmf"; ## SECRET-DATA
        }
        # Remote peer (SRX210-2's fe-0/0/7 address), authenticated solely by
        # the shared key above. No `version` statement, so the platform
        # default applies; the "Mode Main" in the SA output confirms IKEv1.
        gateway SRX210-2 {
            ike-policy IKE-POLICY-PSK;
            address 10.69.69.212;
            external-interface fe-0/0/7.0;
        }
    }
    ipsec {
        # Phase 2 (IPsec SA) proposal. hmac-md5-96 is a deprecated integrity
        # algorithm; prefer hmac-sha-256-128 outside a lab. Phase 2 lifetime
        # is twice the Phase 1 lifetime.
        proposal ESP_AES128-MD5 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 7200;
        }
        # PFS forces a fresh DH exchange on every Phase 2 rekey, so a
        # compromised IKE SA key does not expose past ESP keys; same group5
        # strength caveat as Phase 1.
        policy ESP_AES128-MD5_PFS {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ESP_AES128-MD5;
        }
        # Route-based VPN: traffic is selected by routing into st0.0 rather
        # than by a policy-based proxy-ID match. `establish-tunnels
        # immediately` brings the SA up at commit instead of waiting for
        # interesting traffic, which is why the SA shows UP before any ping.
        vpn SRX210-2 {
            bind-interface st0.0;
            ike {
                gateway SRX210-2;
                ipsec-policy ESP_AES128-MD5_PFS;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        # Management access (ping, ssh, snmp) is accepted only on fe-0/0/6.0;
        # ssh is not permitted on the tunnel-facing fe-0/0/7.0 below.
        functional-zone management {
            interfaces {
                fe-0/0/6.0;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    snmp;
                }
            }
        }
        # Tunnel-endpoint zone: only ike (UDP 500, plus 4500 for NAT-T) and
        # ping are accepted toward the SRX itself — the minimum a VPN
        # endpoint needs to expose.
        security-zone IPSEC {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
        # Inner zone holding the tunnel interface. `all`/`all` is wide open
        # and fine for a lab; narrow it in production. No `policies` stanza
        # appears in this excerpt: the SRX's own pings over st0.0 are
        # self-traffic and should need none, but transit traffic between
        # zones would.
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
# Junos release the configuration below was captured from (same as SRX210-1).
version 12.1X45.5;
system {
    # Second tunnel endpoint; its peer is SRX210-1.
    host-name SRX210-2;
}
interfaces {
    # fe-0/0/6.0: management interface, assigned to the management
    # functional zone below rather than to a security zone.
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 10.0.110.212/24;
            }
        }
    }
    # fe-0/0/7.0: tunnel-endpoint (IKE/ESP) interface; SRX210-1's `gateway`
    # statement targets this address.
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.69.69.212/24;
            }
        }
    }
    # st0.0: secure tunnel interface bound to the VPN; 10.66.66.212 is the
    # address SRX210-1 pings to verify the tunnel.
    st0 {
        unit 0 {
            family inet {
                address 10.66.66.212/24;
            }
        }
    }
}
security {
    ike {
        # Phase 1 proposal, identical to SRX210-1's so the peers agree.
        # md5 integrity/PRF and the 1536-bit group5 are weak by current
        # standards (sha-256 and group14+ are preferred); tolerated here only
        # for a throw-away PSK test.
        proposal IKE-PSK {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        # Same main-mode policy and the same obfuscated key as the peer.
        # `$9$...` is reversible Junos obfuscation, not a one-way hash; the
        # plaintext is recoverable from this line alone, so handle the config
        # like the key itself.
        policy IKE-POLICY-PSK {
            mode main;
            proposals IKE-PSK;
            pre-shared-key ascii-text "$9$Ly97dsaZjP5F245Fn/0OX7-V24JGDkmf"; ## SECRET-DATA
        }
        # Remote peer (SRX210-1's fe-0/0/7 address). Authentication rests
        # entirely on the shared key; no `version` statement, so the platform
        # default IKE version applies.
        gateway SRX210-1 {
            ike-policy IKE-POLICY-PSK;
            address 10.69.69.211;
            external-interface fe-0/0/7.0;
        }
    }
    ipsec {
        # Phase 2 proposal; must match SRX210-1's. hmac-md5-96 is deprecated —
        # prefer hmac-sha-256-128 for anything beyond a lab.
        proposal ESP_AES128-MD5 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 7200;
        }
        # PFS with group5: a new DH exchange per Phase 2 rekey; PFS group
        # must match the peer or Phase 2 fails.
        policy ESP_AES128-MD5_PFS {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ESP_AES128-MD5;
        }
        # Route-based VPN bound to st0.0; `establish-tunnels immediately`
        # negotiates at commit time rather than on first packet.
        vpn SRX210-1 {
            bind-interface st0.0;
            ike {
                gateway SRX210-1;
                ipsec-policy ESP_AES128-MD5_PFS;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        # Management services (ping, ssh, snmp) only on fe-0/0/6.0.
        functional-zone management {
            interfaces {
                fe-0/0/6.0;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    snmp;
                }
            }
        }
        # Tunnel-endpoint zone: ike and ping are the only services the SRX
        # accepts on fe-0/0/7.0 — ssh is kept off the IKE-facing side.
        security-zone IPSEC {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
        # Inner zone for the tunnel interface. `all`/`all` host-inbound is a
        # lab convenience and should be restricted in production. No
        # `policies` stanza is shown here; self-originated traffic over
        # st0.0 should not require one, but transit traffic would.
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
Do a couple of quick checks to make sure the secure tunnel is up, is passing traffic, and is doing what it is supposed to.
juniper@SRX210-1> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
136964  UP     ff85a2037e9e79ae  bdffbacd4bfea098  Main  10.69.69.212

juniper@SRX210-1> show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm            SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073  ESP:aes-cbc-128/md5  44329615  6937/ unlim  -    root  500   10.69.69.212
  >131073  ESP:aes-cbc-128/md5  e5d12e07  6937/ unlim  -    root  500   10.69.69.212

juniper@SRX210-1> ping 10.66.66.212 count 3
PING 10.66.66.212 (10.66.66.212): 56 data bytes
64 bytes from 10.66.66.212: icmp_seq=0 ttl=64 time=3.850 ms
64 bytes from 10.66.66.212: icmp_seq=1 ttl=64 time=2.901 ms
64 bytes from 10.66.66.212: icmp_seq=2 ttl=64 time=2.788 ms

--- 10.66.66.212 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.788/3.180/3.850/0.476 ms

juniper@SRX210-1> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            45744
  Decrypted bytes:              252
  Encrypted packets:            336
  Decrypted packets:              3
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

juniper@SRX210-1>