SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Multiple Proxy ID support on a Route-Based VPN on SRX

    Posted 03-22-2015 01:56

    Hello All,

    We have an ISG-1000 in which there is a configuration of multiple proxy-IDs for an IPsec route-based site-to-site VPN. Below is a configuration snippet:

    set vpn "Data-vpn" proxy-id local-ip 203.17.67.24/29 remote-ip 84.36.20.168/29 "ANY"

    Local encrypted network: 203.17.67.24/29

    Remote encrypted network: 84.36.20.168/29

    We plan to migrate this VPN to an SRX-3600.

    My question is: is this required on the SRX? If yes, how do we configure it on the SRX?

    Junos on the SRX is 12.1X44-D45.2.

    Many thanks.



  • 2.  RE: Multiple Proxy ID support on a Route-Based VPN on SRX

    Posted 03-22-2015 02:59

    Hi Vis_for_good,

    Multiple proxy-IDs can be configured on the SRX from the 12.1X46 release onward. The KB below provides more details.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 3.  RE: Multiple Proxy ID support on a Route-Based VPN on SRX

    Posted 03-22-2015 03:11

    Hi Suraj,

    Thanks for your reply. I have two questions:

    1) Is it necessary to configure multiple proxy IDs on the SRX?

    2) Also, since 12.1X44-D45.2 is the version recommended by JTAC for now, we have to go with this version. What is the workaround?



  • 4.  RE: Multiple Proxy ID support on a Route-Based VPN on SRX

    Posted 03-22-2015 03:25

    Hi Suraj,

    One input here: we are configuring st0.x interfaces for each IPsec VPN, i.e. st0.1 for VPN1, st0.2 for VPN2, etc.

    Do we still need multiple proxy IDs?



  • 5.  RE: Multiple Proxy ID support on a Route-Based VPN on SRX
    Best Answer

    Posted 03-22-2015 04:08

    Multiple proxy-IDs are required when you have multiple subnets on either end of the VPN. 12.1X44 doesn't support traffic selectors, so you have to use multiple VPNs, each bound to its own st0 unit, as below.


        ipsec {
            proposal phase-2 {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm des-cbc;
                lifetime-seconds 28800;
            }
            policy phase2-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals phase-2;
            }
            vpn ike-vpn-chicago {
                bind-interface st0.0;
                ike {
                    gateway gw-chicago;
                    proxy-identity {
                        local 192.168.2.0/24;
                        remote 192.168.1.0/24;
                        service any;
                    }
                    ipsec-policy phase2-policy;
                }
                establish-tunnels immediately;
            }
            vpn ike-vpn-chicago_1 {
                bind-interface st0.1;
                ike {
                    gateway gw-chicago;
                    proxy-identity {
                        local 192.168.3.0/24;
                        remote 192.168.1.0/24;
                        service any;
                    }
                    ipsec-policy phase2-policy;
                }
                establish-tunnels immediately;
            }
        }

    The KB below can be helpful with the SRX configuration.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28861


    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
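As an added example, not from this thread or from Juniper: a small Python generator that turns ScreenOS-style proxy-ID pairs into the SRX `set` commands for the two approaches discussed above, one vpn object per st0 unit for 12.1X44, or one traffic-selector per pair for 12.1X46 and later. The gateway, policy and vpn names, the st0 unit numbers and the second subnet pair are assumptions, and the traffic-selector syntax is the one available in 12.1X46+, which the thread mentions but does not show.

```python
"""Translate ScreenOS-style proxy-IDs (local/remote subnet pairs) into Junos
'set' commands for an SRX route-based VPN, the two ways the thread describes:
a vpn object + st0 unit per pair (12.1X44, no traffic selectors), or a single
vpn with one traffic-selector per pair (12.1X46 and later). Gateway, policy
and vpn names are constructed; routing, zones and policies for st0 are omitted."""
from ipaddress import ip_network


def gen_proxy_ids(vpn, gateway, policy, pairs, first_unit=1, mode="per-tunnel"):
    """pairs = [(local_cidr, remote_cidr), ...]; returns a list of set commands."""
    if not pairs:
        raise ValueError("at least one proxy-ID pair is required")
    # strict=True rejects prefixes with host bits set (e.g. 10.0.0.5/24): such a
    # proxy-ID does not describe a subnet and will not match the peer's.
    pairs = [(str(ip_network(loc, strict=True)), str(ip_network(rem, strict=True)))
             for loc, rem in pairs]
    cmds = []
    if mode == "per-tunnel":
        # One proxy-identity per vpn object, so each pair gets its own vpn
        # bound to its own st0 unit (as in the answer's ike-vpn-chicago_1).
        for i, (local, remote) in enumerate(pairs):
            name, unit = (vpn if i == 0 else f"{vpn}_{i}"), first_unit + i
            p = f"set security ipsec vpn {name}"
            cmds += [f"set interfaces st0 unit {unit} family inet",
                     f"{p} bind-interface st0.{unit}",
                     f"{p} ike gateway {gateway}",
                     f"{p} ike proxy-identity local {local}",
                     f"{p} ike proxy-identity remote {remote}",
                     f"{p} ike proxy-identity service any",
                     f"{p} ike ipsec-policy {policy}",
                     f"{p} establish-tunnels immediately"]
    elif mode == "traffic-selector":
        # One vpn object, one st0 unit, one traffic-selector per pair (each
        # negotiates its own Phase 2 SA); cannot be combined with proxy-identity.
        p = f"set security ipsec vpn {vpn}"
        cmds += [f"set interfaces st0 unit {first_unit} family inet",
                 f"{p} bind-interface st0.{first_unit}",
                 f"{p} ike gateway {gateway}",
                 f"{p} ike ipsec-policy {policy}"]
        for i, (local, remote) in enumerate(pairs, 1):
            cmds += [f"{p} traffic-selector ts{i} local-ip {local}",
                     f"{p} traffic-selector ts{i} remote-ip {remote}"]
        cmds.append(f"{p} establish-tunnels immediately")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return cmds


# The poster's ISG proxy-ID plus a constructed second local subnet.
SUBNETS = [("203.17.67.24/29", "84.36.20.168/29"), ("203.17.67.32/29", "84.36.20.168/29")]
```

Run `print("\n".join(gen_proxy_ids("Data-vpn", "gw-site", "phase2-policy", SUBNETS)))` to see the 12.1X44 form; the proxy-IDs on the peer must mirror each pair exactly or Phase 2 will not come up.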