Juniper SRX – How to configure a route based VPN

Below are the steps and commands needed to create a route-based VPN on a Juniper SRX series gateway.

The main difference with a route-based VPN is that a secure tunnel interface (st0) is created and bound to the VPN, whose IKE gateway in turn is tied to your external interface. Any traffic that you wish to encrypt is routed to this tunnel interface. Access to and from the VPN is then controlled via security policies between the tunnel interface's zone and your internal zone.

Note: For troubleshooting steps please see here.

This VPN is configured with the following:

Remote Endpoint : 172.16.200.0/24
Local Endpoint  : 172.16.100.0/24
Phase 1         : AES-256, SHA1, DH2
Phase 2         : ESP, SHA1, AES-256

Tunnel Interface

set interfaces st0 unit 0 family inet
set security zones security-zone untrust-vpn interfaces st0.0

Route

set routing-options static route 172.16.200.0/24 next-hop st0.0

Proposals

set security ike proposal IKE-DH2-AES256-SHA1 authentication-method pre-shared-keys
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike proposal IKE-DH2-AES256-SHA1 authentication-algorithm sha1
set security ike proposal IKE-DH2-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ike proposal IKE-DH2-AES256-SHA1 lifetime-seconds 86400

set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec proposal IPSEC-ESP-AES256-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-ESP-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-ESP-AES256-SHA1 lifetime-seconds 3600

Phase 1

set security ike policy IKE-POLICY-SITEA mode main
set security ike policy IKE-POLICY-SITEA proposals IKE-DH2-AES256-SHA1
set security ike policy IKE-POLICY-SITEA pre-shared-key ascii-text <PRESHARED KEY>

set security ike gateway IKE-PEER-SITEA ike-policy IKE-POLICY-SITEA
set security ike gateway IKE-PEER-SITEA address <PEER IP>
set security ike gateway IKE-PEER-SITEA external-interface fe-0/0/0.0

Phase 2

set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1

set security ipsec vpn VPN-SITEA bind-interface st0.0
set security ipsec vpn VPN-SITEA ike gateway IKE-PEER-SITEA
set security ipsec vpn VPN-SITEA ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-SITEA establish-tunnels immediately

Policy

set security zones security-zone untrust-vpn address-book address 172.16.200.0/24 172.16.200.0/24
set security zones security-zone trust address-book address 172.16.100.0/24 172.16.100.0/24

set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match source-address 172.16.100.0/24
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match destination-address 172.16.200.0/24
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn match application any
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn then permit
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match source-address 172.16.200.0/24
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match destination-address 172.16.100.0/24
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn then permit

MSS Clamping

To ensure that packets do not exceed the MTU of the SRX interfaces once the additional IPsec headers are added, MSS clamping is configured for TCP sessions that traverse the VPN.

set security flow tcp-mss ipsec-vpn mss 1350
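An added example, not part of the original article: a small Python check that parses set commands like the ones above and verifies the cross-references a route-based VPN depends on (the bind-interface sits in a zone, a static route points at it, the IKE and IPsec reference chains resolve, and a policy exists in each direction for the tunnel zone). The sample config is constructed from this page's commands, and the function names are my own.

```python
# Constructed sample from this page's set commands (peer IP and pre-shared key lines omitted).
SAMPLE_CONFIG = """
set interfaces st0 unit 0 family inet
set security zones security-zone untrust-vpn interfaces st0.0
set routing-options static route 172.16.200.0/24 next-hop st0.0
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike policy IKE-POLICY-SITEA proposals IKE-DH2-AES256-SHA1
set security ike gateway IKE-PEER-SITEA ike-policy IKE-POLICY-SITEA
set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1
set security ipsec vpn VPN-SITEA bind-interface st0.0
set security ipsec vpn VPN-SITEA ike gateway IKE-PEER-SITEA
set security ipsec vpn VPN-SITEA ike ipsec-policy IPSEC-POLICY
set security policies from-zone trust to-zone untrust-vpn policy trust-untrust-vpn then permit
set security policies from-zone untrust-vpn to-zone trust policy untrust-trust-vpn then permit
"""

def parse(text):
    """Each 'set a b c' line becomes a tuple of tokens with the leading 'set' dropped."""
    return [tuple(l.split()[1:]) for l in text.splitlines() if l.strip().startswith("set ")]

def lookup(cfg, *prefix):
    """Remainder of every statement that starts with the given tokens."""
    return [s[len(prefix):] for s in cfg if s[:len(prefix)] == prefix]

def check_vpn(text):
    """Cross-check each route-based VPN (one with a bind-interface) against its tunnel zone, the
    static route, the IKE/IPsec reference chains and the zone policies; returns a list of problems."""
    cfg, problems = parse(text), []
    for vpn, bind in sorted((s[0], s[2]) for s in lookup(cfg, "security", "ipsec", "vpn") if s[1] == "bind-interface"):
        v = lambda *k: [s[0] for s in lookup(cfg, "security", "ipsec", "vpn", vpn, *k)]
        zones = [s[0] for s in lookup(cfg, "security", "zones", "security-zone") if s[1:3] == ("interfaces", bind)]
        if not zones:
            problems.append(f"{vpn}: {bind} is not placed in any security zone")
        if not any(s[1:3] == ("next-hop", bind) for s in lookup(cfg, "routing-options", "static", "route")):
            problems.append(f"{vpn}: no static route points at {bind}, so nothing gets encrypted")
        gw = v("ike", "gateway")
        pol = [s[0] for s in lookup(cfg, "security", "ike", "gateway", *gw, "ike-policy")] if gw else []
        prop = [s[0] for s in lookup(cfg, "security", "ike", "policy", *pol, "proposals")] if pol else []
        if not prop or not lookup(cfg, "security", "ike", "proposal", prop[0]):
            problems.append(f"{vpn}: ike gateway -> policy -> proposal chain is broken")
        ipol = v("ike", "ipsec-policy")
        iprop = [s[0] for s in lookup(cfg, "security", "ipsec", "policy", *ipol, "proposals")] if ipol else []
        if not iprop or not lookup(cfg, "security", "ipsec", "proposal", iprop[0]):
            problems.append(f"{vpn}: ipsec policy -> proposal chain is broken")
        pols = lookup(cfg, "security", "policies", "from-zone")
        for zone in zones:
            if not (any(s[0] == zone for s in pols) and any(s[2] == zone for s in pols)):
                problems.append(f"{vpn}: zone {zone} lacks a security policy in one or both directions")
    return problems
```

Feed it the output of `show configuration | display set` to check a live box; a typo in any one name (for example the ike-policy referenced by the gateway) shows up as a single broken-chain line rather than a tunnel that silently never comes up.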

Rick Donato
