Here's how to build a simple route based IPSec VPN between two Juniper SRX gateways. With a route based VPN there is no particular policy tied to a VPN tunnel; rather, traffic is forwarded across the tunnel based on the routing table, when the route to a particular network is via a Secure Tunnel (ST) virtual interface.

Here is our network diagram before the VPN is set up, showing two LANs (Manchester and London) connected via a pair of SRXs over the 'internet':

[Network diagram: Manchester LAN and London LAN, each behind an SRX, connected over the internet]

To keep things brief, all config examples will show the Manchester end of the tunnel.

To build our tunnel, we first need to create our ST interface and bind it to a new security zone that we'll call 'VPN':

```
set interfaces st0 unit 0 family inet address 1.1.1.2/30
set security zones security-zone VPN interfaces st0.0
```

Next, to allow the tunnel to form we need the SRX to listen for IKE packets on its external interface:

```
set security zones security-zone INTERNET host-inbound-traffic system-services ike
```

Now create an IKE policy (we'll call ours 'lon-man-ike-policy') and tell the Manchester SRX to use this for IKE negotiations with the London SRX over the external interface:

```
set security ike policy lon-man-ike-policy mode main
set security ike policy lon-man-ike-policy proposal-set compatible
set security ike policy lon-man-ike-policy pre-shared-key ascii-text VeryStrongKey
set security ike gateway LON-SRX ike-policy lon-man-ike-policy
set security ike gateway LON-SRX address 172.16.0.1
set security ike gateway LON-SRX external-interface ge-0/0/1.0
```

Next, create an IPSec policy called 'lon-man-ipsec-policy' and apply it to a new VPN called 'lon-man-vpn' to be formed with the London SRX over the ST interface:

```
set security ipsec policy lon-man-ipsec-policy proposal-set compatible
set security ipsec vpn lon-man-vpn bind-interface st0.0
set security ipsec vpn lon-man-vpn ike gateway LON-SRX
set security ipsec vpn lon-man-vpn ike ipsec-policy lon-man-ipsec-policy
```

One final bit of config completes our IPSec VPN. Encryption increases packet size, so to avoid packets exceeding the Maximum Transmission Unit (MTU) of any network devices in the path, we set the Maximum Segment Size (MSS) for TCP segments sent over a VPN to a value that allows for this extra overhead:

```
set security flow tcp-mss ipsec-vpn mss 1350
```

At this point, both SRXs know how to form an IPSec tunnel with each other, and our diagram now looks like this:

[Network diagram: Manchester and London SRXs joined by the st0 IPSec tunnel over the internet]
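Since the post only shows the Manchester end, here is an added example (not part of the original post) that renders the same set commands for both ends from one parameter set and checks that the two ends actually agree before anything is pasted into a Junos session. The Manchester public address 172.16.0.2, the London st0 address 1.1.1.1/30, the London interface name and the gateway name MAN-SRX are assumptions; only 172.16.0.1, 1.1.1.2/30 and the Manchester names come from the post.

```python
# Added example: generate both ends of the route-based VPN from the post
# and sanity-check the pair. Values not given in the post are assumptions.
from dataclasses import dataclass
import ipaddress

@dataclass
class Site:
    peer_name: str   # gateway object naming the other end, e.g. "LON-SRX"
    wan_if: str      # this end's external interface, e.g. "ge-0/0/1.0"
    wan_ip: str      # this end's public address
    peer_ip: str     # the other end's public address
    st0_ip: str      # this end's tunnel interface address, e.g. "1.1.1.2/30"

def render(site: Site, tag: str, psk: str, mss: int = 1350) -> list:
    """Junos set commands for one end, in the order the post builds them."""
    ike_pol, ipsec_pol, vpn = f"{tag}-ike-policy", f"{tag}-ipsec-policy", f"{tag}-vpn"
    return [
        f"set interfaces st0 unit 0 family inet address {site.st0_ip}",
        "set security zones security-zone VPN interfaces st0.0",
        "set security zones security-zone INTERNET host-inbound-traffic system-services ike",
        f"set security ike policy {ike_pol} mode main",
        # 'compatible' is the interoperability set the post uses; both ends must match.
        f"set security ike policy {ike_pol} proposal-set compatible",
        f"set security ike policy {ike_pol} pre-shared-key ascii-text {psk}",
        f"set security ike gateway {site.peer_name} ike-policy {ike_pol}",
        f"set security ike gateway {site.peer_name} address {site.peer_ip}",
        f"set security ike gateway {site.peer_name} external-interface {site.wan_if}",
        f"set security ipsec policy {ipsec_pol} proposal-set compatible",
        f"set security ipsec vpn {vpn} bind-interface st0.0",
        f"set security ipsec vpn {vpn} ike gateway {site.peer_name}",
        f"set security ipsec vpn {vpn} ike ipsec-policy {ipsec_pol}",
        f"set security flow tcp-mss ipsec-vpn mss {mss}",
    ]

def check_pair(a: Site, b: Site, mss: int = 1350) -> list:
    """Mismatches that would stop the tunnel forming or carrying traffic."""
    problems = []
    if a.peer_ip != b.wan_ip or b.peer_ip != a.wan_ip:
        problems.append("IKE gateway addresses do not cross-reference")
    ia, ib = ipaddress.ip_interface(a.st0_ip), ipaddress.ip_interface(b.st0_ip)
    if ia.network != ib.network or ia.ip == ib.ip:
        problems.append("st0 addresses are not distinct hosts in one subnet")
    if mss >= 1460:  # 1500-byte MTU minus IP and TCP headers leaves 1460 with no IPsec overhead
        problems.append("tcp-mss leaves no room for IPsec overhead")
    return problems

# Constructed sample: Manchester values from the post, London values assumed.
MAN = Site("LON-SRX", "ge-0/0/1.0", "172.16.0.2", "172.16.0.1", "1.1.1.2/30")
LON = Site("MAN-SRX", "ge-0/0/1.0", "172.16.0.1", "172.16.0.2", "1.1.1.1/30")
```

Render each end with `render(MAN, "lon-man", "VeryStrongKey")` and `render(LON, "lon-man", "VeryStrongKey")`, and run `check_pair(MAN, LON)` first; an empty list means the two ends are consistent.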