Day One Tips

Site to Site between SRX210 and SSG5

12-09-2015 01:30 PM

Topology

[Topology diagram: screenshot_3.png]

Configuration in SRX210 (12.1X44-D45.2):

set interfaces st0 unit 0 family inet address 192.168.10.1/24
set routing-options static route 192.168.7.0/24 next-hop st0.0

set security zones security-zone untrust tcp-rst
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone untrust interfaces st0.0
set security zones security-zone Lan tcp-rst
set security zones security-zone Lan host-inbound-traffic system-services all
set security zones security-zone Lan interfaces fe-0/0/4.0

set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal lifetime-seconds 86400
set security ike policy P1policy mode main
set security ike policy P1policy proposals P1proposal
set security ike policy P1policy pre-shared-key ascii-text Pinoci0
set security ike gateway P1gateway ike-policy P1policy
set security ike gateway P1gateway address 81.218.170.25
set security ike gateway P1gateway dead-peer-detection interval 10
set security ike gateway P1gateway dead-peer-detection threshold 3
set security ike gateway P1gateway external-interface pp0

set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
set security ipsec policy P2policy perfect-forward-secrecy keys group2
set security ipsec policy P2policy proposals P2proposal
set security ipsec vpn site1-to-site2 bind-interface st0.0
set security ipsec vpn site1-to-site2 ike gateway P1gateway
set security ipsec vpn site1-to-site2 ike ipsec-policy P2policy
set security ipsec vpn site1-to-site2 establish-tunnels immediately

Now we have to configure a policy from untrust to trust and the reverse. In this case I have allowed all ports; of course, that is under your control.

set security policies from-zone Lan to-zone untrust policy Lan2Untrust match source-address any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust match destination-address any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust match application any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust then permit

set security policies from-zone untrust to-zone Lan policy allowall match source-address any
set security policies from-zone untrust to-zone Lan policy allowall match destination-address any
set security policies from-zone untrust to-zone Lan policy allowall match application any
set security policies from-zone untrust to-zone Lan policy allowall then permit

Configuration in SSG5 (6.3.0r19.0)

[SSG5 WebUI configuration shown in screenshots Screenshot_10 to Screenshot_17]

Verifying

[Verification output shown in screenshots Screenshot_10 and Screenshot_11]

If you want to see the (U) letter and not (-), you can enable the VPN monitor feature with this command:

[VPN monitor configuration and resulting output shown in screenshots Screenshot_4 to Screenshot_7]

Good luck!

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com
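The SRX side of this configuration is a working tunnel, but several of its choices are ones a reviewer would flag before it went into production: DES-CBC for both IKE and IPsec, Diffie-Hellman group 2, `system-services all` on the internet-facing zone, and an any/any/any permit from untrust into Lan while st0.0 and pp0.0 sit in the same zone (so that permit admits plain internet traffic as well as VPN traffic). The script below is an added example, not part of the original post, and not a Juniper tool; it audits a Junos `set`-style listing for those patterns and rewrites the crypto statements to stronger algorithms. The sample configuration inside it is constructed from the post's own SRX210 lines, trimmed to the statements that matter. The replacement keywords (`aes-256-cbc`, `group14`, `hmac-sha-256-128`) are assumed to be supported by the target release; check `set security ipsec proposal <name> authentication-algorithm ?` on your box before committing.

```python
import re

# Constructed sample: the post's SRX210 statements relevant to the audit, with the
# CLI prompt character ('#') left in to show that parse_set_lines() strips it.
SAMPLE_CONFIG = """
# set interfaces st0 unit 0 family inet address 192.168.10.1/24
# set security zones security-zone untrust host-inbound-traffic system-services all
# set security zones security-zone untrust interfaces pp0.0
# set security zones security-zone untrust interfaces st0.0
# set security zones security-zone Lan interfaces fe-0/0/4.0
# set security ike proposal P1proposal dh-group group2
# set security ike proposal P1proposal encryption-algorithm des-cbc
# set security ike gateway P1gateway external-interface pp0
# set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2proposal encryption-algorithm des-cbc
# set security ipsec policy P2policy perfect-forward-secrecy keys group2
# set security ipsec vpn site1-to-site2 bind-interface st0.0
# set security ipsec vpn site1-to-site2 ike gateway P1gateway
set security policies from-zone untrust to-zone Lan policy allowall match source-address any
set security policies from-zone untrust to-zone Lan policy allowall match destination-address any
set security policies from-zone untrust to-zone Lan policy allowall match application any
set security policies from-zone untrust to-zone Lan policy allowall then permit
"""

WEAK_CIPHERS = {"des-cbc", "3des-cbc"}
WEAK_DH = {"group1", "group2", "group5"}        # MODP groups below 2048 bits
WEAK_INTEGRITY = {"hmac-md5-96", "hmac-sha1-96"}
ANY_ANY = {"match source-address any", "match destination-address any",
           "match application any", "then permit"}


def parse_set_lines(text):
    """Return 'set ...' statements with the '#' prompt, blank lines and junk removed."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if line.startswith("set "):
            lines.append(line)
    return lines


def audit(lines):
    """Return a list of human-readable findings for the given set statements."""
    findings = []
    zone_of = {}   # interface name without unit -> zone
    gw_ext = {}    # IKE gateway -> external interface without unit
    vpn_bind = {}  # IPsec vpn -> st interface without unit
    vpn_gw = {}    # IPsec vpn -> IKE gateway
    policies = {}  # (from-zone, to-zone, policy) -> set of match/then clauses

    for line in lines:
        t = line.split()
        if t[1:4] == ["security", "zones", "security-zone"]:
            if t[5:6] == ["interfaces"]:
                zone_of[t[6].split(".")[0]] = t[4]
            elif t[5:] == ["host-inbound-traffic", "system-services", "all"]:
                findings.append(f"zone {t[4]} exposes all management services (system-services all)")
        elif t[1:4] == ["security", "ike", "proposal"]:
            if t[5] == "encryption-algorithm" and t[6] in WEAK_CIPHERS:
                findings.append(f"IKE proposal {t[4]} uses weak cipher {t[6]}")
            elif t[5] == "dh-group" and t[6] in WEAK_DH:
                findings.append(f"IKE proposal {t[4]} uses weak DH {t[6]}")
        elif t[1:4] == ["security", "ike", "gateway"] and t[5] == "external-interface":
            gw_ext[t[4]] = t[6].split(".")[0]
        elif t[1:4] == ["security", "ipsec", "proposal"]:
            if t[5] == "encryption-algorithm" and t[6] in WEAK_CIPHERS:
                findings.append(f"IPsec proposal {t[4]} uses weak cipher {t[6]}")
            elif t[5] == "authentication-algorithm" and t[6] in WEAK_INTEGRITY:
                findings.append(f"IPsec proposal {t[4]} uses weak integrity {t[6]}")
        elif t[1:4] == ["security", "ipsec", "policy"] and t[5:7] == ["perfect-forward-secrecy", "keys"]:
            if t[7] in WEAK_DH:
                findings.append(f"IPsec policy {t[4]} PFS uses weak DH {t[7]}")
        elif t[1:4] == ["security", "ipsec", "vpn"]:
            if t[5] == "bind-interface":
                vpn_bind[t[4]] = t[6].split(".")[0]
            elif t[5:7] == ["ike", "gateway"]:
                vpn_gw[t[4]] = t[7]
        elif t[1:4] == ["security", "policies", "from-zone"]:
            policies.setdefault((t[4], t[6], t[8]), set()).add(" ".join(t[9:]))

    # A tunnel interface in the same zone as the gateway's internet-facing interface means
    # any policy written for VPN traffic also applies to unencrypted traffic from the internet.
    for vpn, st in vpn_bind.items():
        ext = gw_ext.get(vpn_gw.get(vpn))
        if st in zone_of and zone_of[st] == zone_of.get(ext):
            findings.append(f"vpn {vpn}: {st} shares zone {zone_of[st]} with external interface {ext}")
    for (src, dst, name), clauses in policies.items():
        if ANY_ANY <= clauses:
            findings.append(f"policy {name} from {src} to {dst} permits any source/destination/application")
    return findings


# Crypto rewrites only; zone and policy findings need a design decision, not a substitution.
# Assumption: the target Junos release accepts these keywords.
REPLACEMENTS = [
    (r"\bencryption-algorithm (des-cbc|3des-cbc)$", "encryption-algorithm aes-256-cbc"),
    (r"\bdh-group group(1|2|5)$", "dh-group group14"),
    (r"\bperfect-forward-secrecy keys group(1|2|5)$", "perfect-forward-secrecy keys group14"),
    (r"\bauthentication-algorithm hmac-sha1-96$", "authentication-algorithm hmac-sha-256-128"),
]


def harden(lines):
    """Return a copy of the statements with weak IKE/IPsec algorithms replaced."""
    out = []
    for line in lines:
        for pattern, replacement in REPLACEMENTS:
            line = re.sub(pattern, replacement, line)
        out.append(line)
    return out


if __name__ == "__main__":
    original = parse_set_lines(SAMPLE_CONFIG)
    for finding in audit(original):
        print("FINDING:", finding)
    print("\nremaining after harden():")
    for finding in audit(harden(original)):
        print("FINDING:", finding)
```

Run it against `show configuration | display set` output saved to a file and you get the same two lists: the crypto findings disappear after `harden()`, while the zone-sharing, `system-services all` and any/any/any findings stay, because those are decisions about where st0.0 lives and what the policy should actually permit (for this topology, a policy between Lan and a dedicated VPN zone, matching the two LAN subnets, rather than untrust to Lan with `any`).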

Re: Site to Site between SRX210 and SSG5

05-07-2016 12:10 AM