ddivins

Juniper SRX Dynamic S2S VPN

Jun 11th, 2025
HUB SITE:
set version 22.4R1.10
set security ike proposal HUB authentication-method pre-shared-keys
set security ike proposal HUB dh-group group19
set security ike proposal HUB encryption-algorithm aes-256-gcm
set security ike proposal HUB lifetime-seconds 28800
set security ike policy HUB proposals HUB
set security ike policy HUB pre-shared-key ascii-text "$9$/kHa9uBIRclv8GDuBEyvMaJGUjk"
set security ike gateway SPOKE1 ike-policy HUB
set security ike gateway SPOKE1 dynamic hostname SPOKE1
set security ike gateway SPOKE1 local-identity hostname HUB
set security ike gateway SPOKE1 external-interface ge-0/0/1
set security ike gateway SPOKE1 version v2-only
set security ipsec proposal HUB protocol esp
set security ipsec proposal HUB encryption-algorithm aes-256-gcm
set security ipsec proposal HUB lifetime-seconds 3600
set security ipsec policy HUB perfect-forward-secrecy keys group19
set security ipsec policy HUB proposals HUB
set security ipsec vpn SPOKE1 bind-interface st0.1
set security ipsec vpn SPOKE1 df-bit clear
set security ipsec vpn SPOKE1 copy-outer-dscp
set security ipsec vpn SPOKE1 ike gateway SPOKE1
set security ipsec vpn SPOKE1 ike ipsec-policy HUB
set security ipsec vpn SPOKE1 traffic-selector ts-1 local-ip 192.168.0.0/24
set security ipsec vpn SPOKE1 traffic-selector ts-1 remote-ip 192.168.1.0/24
set security ipsec vpn SPOKE1 establish-tunnels immediately
set security address-book global address 192.168.0.0/24 192.168.0.0/24
set security address-book global address 192.168.1.0/24 192.168.1.0/24
set security policies from-zone DMZ to-zone VPN policy SPOKE-1 match source-address 192.168.0.0/24
set security policies from-zone DMZ to-zone VPN policy SPOKE-1 match destination-address 192.168.1.0/24
set security policies from-zone DMZ to-zone VPN policy SPOKE-1 match application any
set security policies from-zone DMZ to-zone VPN policy SPOKE-1 then permit
set security policies from-zone DMZ to-zone VPN policy SPOKE-1 then log session-close
set security policies from-zone VPN to-zone DMZ policy SPOKE-2 match source-address 192.168.1.0/24
set security policies from-zone VPN to-zone DMZ policy SPOKE-2 match destination-address 192.168.0.0/24
set security policies from-zone VPN to-zone DMZ policy SPOKE-2 match application any
set security policies from-zone VPN to-zone DMZ policy SPOKE-2 then permit
set security policies from-zone VPN to-zone DMZ policy SPOKE-2 then log session-close
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.1
set security zones security-zone DMZ host-inbound-traffic system-services all
set security zones security-zone DMZ host-inbound-traffic protocols all
set security zones security-zone DMZ interfaces ge-0/0/2.0
set interfaces ge-0/0/0 description UNTRUST
set interfaces ge-0/0/0 unit 0 family inet address 1.1.0.2/24
set interfaces ge-0/0/1 description TRUST
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/2 description DMZ
set interfaces ge-0/0/2 unit 0 family inet address 192.168.0.1/24
set interfaces fxp0 unit 0 family inet dhcp
set interfaces st0 unit 1 family inet
set routing-options static route 0.0.0.0/0 next-hop 1.1.0.1

SPOKE-1 CONFIG:
set system host-name vSRX-Spoke1
set security ike proposal HUB authentication-method pre-shared-keys
set security ike proposal HUB dh-group group19
set security ike proposal HUB encryption-algorithm aes-256-gcm
set security ike proposal HUB lifetime-seconds 28800
set security ike policy HUB proposals HUB
set security ike policy HUB pre-shared-key ascii-text "$9$/kHa9uBIRclv8GDuBEyvMaJGUjk"
set security ike gateway HUB ike-policy HUB
set security ike gateway HUB address 1.1.1.1
set security ike gateway HUB local-identity hostname SPOKE1
set security ike gateway HUB remote-identity hostname HUB
set security ike gateway HUB external-interface ge-0/0/0
set security ike gateway HUB version v2-only
set security ipsec proposal HUB protocol esp
set security ipsec proposal HUB encryption-algorithm aes-256-gcm
set security ipsec proposal HUB lifetime-seconds 3600
set security ipsec policy HUB perfect-forward-secrecy keys group19
set security ipsec policy HUB proposals HUB
set security ipsec vpn HUB bind-interface st0.0
set security ipsec vpn HUB df-bit clear
set security ipsec vpn HUB copy-outer-dscp
set security ipsec vpn HUB ike gateway HUB
set security ipsec vpn HUB ike ipsec-policy HUB
set security ipsec vpn HUB traffic-selector ts-1 local-ip 192.168.1.0/24
set security ipsec vpn HUB traffic-selector ts-1 remote-ip 192.168.0.0/24
set security ipsec vpn HUB establish-tunnels immediately
set security address-book global address 192.168.0.0/24 192.168.0.0/24
set security address-book global address 192.168.1.0/24 192.168.1.0/24
set security policies from-zone TRUST to-zone VPN policy HUB-1 match source-address 192.168.1.0/24
set security policies from-zone TRUST to-zone VPN policy HUB-1 match destination-address 192.168.0.0/24
set security policies from-zone TRUST to-zone VPN policy HUB-1 match application any
set security policies from-zone TRUST to-zone VPN policy HUB-1 then permit
set security policies from-zone TRUST to-zone VPN policy HUB-1 then log session-close
set security policies from-zone VPN to-zone TRUST policy HUB-2 match source-address 192.168.0.0/24
set security policies from-zone VPN to-zone TRUST policy HUB-2 match destination-address 192.168.1.0/24
set security policies from-zone VPN to-zone TRUST policy HUB-2 match application any
set security policies from-zone VPN to-zone TRUST policy HUB-2 then permit
set security policies from-zone VPN to-zone TRUST policy HUB-2 then log session-close
set security zones security-zone UNTRUST host-inbound-traffic system-services all
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ping
set interfaces ge-0/0/0 description UNTRUST
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 description TRUST
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet
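The hub and spoke halves of a config like this are mirrored by hand, and the details that break it are easy to get wrong: a security policy that matches an address with no address-book entry fails commit, a mistyped `family net` on the st0 unit leaves the tunnel interface without IPv4, a selector that is not the exact mirror of the far side never matches, and `host-inbound-traffic system-services all` on the zone that terminates IKE exposes every enabled management service on that interface when `ike` is all the tunnel needs. The pre-shared key is also worth a look: a `$9$` value in `ascii-text` is Junos's reversible obfuscation, not encryption, so anyone who can read the config can recover the key. The following is an added example, not part of the paste and not a Juniper tool: a small Python lint that reads both sites' set-format configs and checks exactly those points. `HUB` and `SPOKE` are constructed excerpts in the shape of the paste, seeded with the address-book and `family net` mistakes; the gateway, policy and interface names and the placeholder PSK are assumptions.

```python
"""Lint a hub/spoke pair of Junos SRX set-format configs for a route-based IPsec
tunnel.  Added example, not Juniper tooling.  HUB and SPOKE are a constructed
excerpt shaped like the paste, seeded with two easy mistakes (see docstrings)."""
from collections import defaultdict

HUB = """
set security ike proposal HUB dh-group group19
set security ike policy HUB pre-shared-key ascii-text "$9$obfuscated"
set security ike gateway SPOKE1 external-interface ge-0/0/1
set security ipsec vpn SPOKE1 bind-interface st0.1
set security ipsec vpn SPOKE1 traffic-selector ts-1 local-ip 192.168.0.0/24
set security ipsec vpn SPOKE1 traffic-selector ts-1 remote-ip 192.168.1.0/24
set security address-book global address 192.168.0.0/24 192.168.0.0/24
set security address-book global address 192.168.1.0/24 192.168.1.0/24
set security policies from-zone VPN to-zone DMZ policy SPOKE-2 match source-address 192.168.1.0/24
set security policies from-zone VPN to-zone DMZ policy SPOKE-2 match destination-address 192.168.2.0/24
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.1
set interfaces st0 unit 1 family inet
"""
SPOKE = """
set security ike proposal HUB dh-group group19
set security ike policy HUB pre-shared-key ascii-text "$9$obfuscated"
set security ike gateway HUB external-interface ge-0/0/0
set security ipsec vpn HUB bind-interface st0.0
set security ipsec vpn HUB traffic-selector ts-1 local-ip 192.168.1.0/24
set security ipsec vpn HUB traffic-selector ts-1 remote-ip 192.168.0.0/24
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0
set security zones security-zone VPN interfaces st0.0
set interfaces st0 unit 0 family net
"""


def index(text):
    """Pull out just the statements the checks need, keyed for lookup."""
    ix = {"book": set(), "pol": [], "bind": {}, "ts": defaultdict(dict), "fam": {},
          "zone_of": {}, "svc": defaultdict(set), "ext": {}, "psk": {}, "dh": set()}
    for line in text.splitlines():
        t = line.split()
        t = t[1:] if t[:1] == ["set"] else []  # anything but a set statement matches nothing below
        if t[:2] == ["security", "address-book"] and len(t) > 4 and t[3] == "address":
            ix["book"].add(t[4])
        elif t[:2] == ["security", "policies"] and len(t) > 10 and t[8] == "match" and t[9].endswith("-address"):
            ix["pol"].append((t[7], t[10]))
        elif t[:3] == ["security", "ipsec", "vpn"] and t[4:5] == ["bind-interface"] and len(t) > 5:
            ix["bind"][t[3]] = t[5]
        elif t[:3] == ["security", "ipsec", "vpn"] and t[4:5] == ["traffic-selector"] and len(t) > 7:
            ix["ts"][t[3]][t[6]] = t[7]  # local-ip / remote-ip -> prefix
        elif t[:3] == ["security", "ike", "gateway"] and t[4:5] == ["external-interface"] and len(t) > 5:
            ix["ext"][t[3]] = t[5]
        elif t[:3] == ["security", "ike", "policy"] and t[4:5] == ["pre-shared-key"] and len(t) > 6:
            ix["psk"][t[3]] = t[6].strip('"')
        elif t[:3] == ["security", "ike", "proposal"] and t[4:5] == ["dh-group"] and len(t) > 5:
            ix["dh"].add(t[5])
        elif t[:2] == ["security", "zones"] and t[4:5] == ["interfaces"] and len(t) > 5:
            ix["zone_of"][t[5]] = t[3]
        elif t[:2] == ["security", "zones"] and t[4:6] == ["host-inbound-traffic", "system-services"] and len(t) > 6:
            ix["svc"][t[3]].add(t[6])
        elif t[:1] == ["interfaces"] and t[2:3] == ["unit"] and t[4:5] == ["family"] and len(t) > 5:
            ix["fam"][f"{t[1]}.{t[3]}"] = t[5]  # "st0.1" -> "inet"
    return ix


def check_site(site, text):
    """Per-site checks.  Returns a list of findings; an empty list means clean."""
    ix, out = index(text), []
    for pol, addr in ix["pol"]:
        if addr not in {"any", "any-ipv4", "any-ipv6"} and addr not in ix["book"]:
            out.append(f"{site}: policy {pol} matches {addr}, which is not in the global address book (commit fails)")
    for vpn, st in ix["bind"].items():
        if ix["fam"].get(st) != "inet":
            out.append(f"{site}: vpn {vpn} binds {st} but that unit has family {ix['fam'].get(st)!r}, not inet")
    for gw, ext in ix["ext"].items():
        zone = ix["zone_of"].get(ext if "." in ext else ext + ".0")  # the zone that terminates IKE
        if "all" in ix["svc"][zone]:
            out.append(f"{site}: zone {zone} terminates IKE for {gw} with system-services all; only ike (and ping) is needed")
    for pol, key in ix["psk"].items():
        if key.startswith("$9$"):
            out.append(f"{site}: ike policy {pol} PSK is $9$ obfuscation, which is reversible: sharing this config shares the key")
    return out


def check_pair(hub_text, spoke_text):
    """Cross-site checks: each spoke selector must be the hub's, mirrored, and DH groups must agree."""
    hub, spoke, out = index(hub_text), index(spoke_text), []
    hub_ts = {(ts.get("local-ip"), ts.get("remote-ip")) for ts in hub["ts"].values()}
    for vpn, ts in spoke["ts"].items():
        if (ts.get("remote-ip"), ts.get("local-ip")) not in hub_ts:
            out.append(f"spoke vpn {vpn} selector {dict(ts)} has no mirror image on the hub")
    if hub["dh"] != spoke["dh"]:
        out.append(f"IKE DH groups differ: hub {sorted(hub['dh'])} vs spoke {sorted(spoke['dh'])}")
    return out


def lint(hub_text, spoke_text):
    return check_site("hub", hub_text) + check_site("spoke", spoke_text) + check_pair(hub_text, spoke_text)


if __name__ == "__main__":
    print("\n".join(lint(HUB, SPOKE)))
```

Run as-is it reports five findings on the constructed excerpt (the stray policy address, the `family net` unit, `system-services all` on the hub's IKE-terminating zone, and the `$9$` key on each side). To lint a real pair, replace `HUB` and `SPOKE` with the output of `show configuration | display set` from each box; the parser only looks at the statement shapes used above and ignores everything else.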