SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Site-to-Site VPN - Untrust Zone Hardening

    Posted 04-02-2015 04:30

    Hey guys

    In terms of host-inbound-traffic required for VPN setup (i.e. interface exposed to the internet), is it fair to say we simply require IKE as a minimum and that's all?

    Regards


  • 2.  RE: SRX Site-to-Site VPN - Untrust Zone Hardening
    Best Answer

     
    Posted 04-02-2015 05:33

    If you are using site-to-site VPN, we can run with just ike. If it's dynamic VPN, we need https as well.



  • 3.  RE: SRX Site-to-Site VPN - Untrust Zone Hardening

    Posted 04-02-2015 07:04

    That's interesting, Suraj. On the Cisco platform there are a few ports/protocols required covering IPsec and ESP.

    ... yes, on SRX it seems to work with ike only.

    Thanks man!



  • 4.  RE: SRX Site-to-Site VPN - Untrust Zone Hardening

     
    Posted 04-02-2015 07:41

    On every device you have to keep in mind that the ports for the protocols are open; ESP and AH use the same ports. Or you must have decided that you want to use other ports.



  • 5.  RE: SRX Site-to-Site VPN - Untrust Zone Hardening

    Posted 04-02-2015 06:36

    If you want additional control over what gets permitted, you can make use of the junos-host zone.

    Check these for more information:

    http://forums.juniper.net/t5/SRX-Services-Gateway/Junos-host-zone-clarification/td-p/270990

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227&smlogin=true

    Regards,

    Srinath



  • 6.  RE: SRX Site-to-Site VPN - Untrust Zone Hardening

     
    Posted 04-02-2015 08:18
    Hi Ajaz,

    Yes, we just need ike under host-inbound-traffic system-services. We can also control the allowed protocols by specifying them under "host-inbound-traffic protocols". We need esp/ah only in case you have specified any.
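As an added example (not taken from any of the posts above), here is the untrust-zone stanza in Junos hierarchical format that matches the answers in posts 2 and 6, with the over-permissive form left as a comment beside the hardened one; the zone name untrust and the interface ge-0/0/0.0 are assumptions, so substitute your own.

```junos
security {
    zones {
        security-zone untrust {
            /* Assumed internet-facing interface; replace with your own. */
            interfaces {
                ge-0/0/0.0;
            }
            host-inbound-traffic {
                /* Weak, commonly seen form that exposes every management service: */
                /*     system-services { all; }                                    */
                /*     protocols { all; }                                          */
                /* Replace it with the minimum below.                              */
                system-services {
                    /* IKE (UDP 500, and UDP 4500 with NAT-T) is the only service a */
                    /* site-to-site peer must reach on the box; ESP/AH for an       */
                    /* established SA is handled by the IPsec tunnel, not listed.   */
                    ike;
                    /* Per post 2: add "https;" here only if this gateway also     */
                    /* serves dynamic VPN clients.                                  */
                }
                /* Per post 6: add a "protocols" block only if you actually run a  */
                /* routing protocol on this interface; otherwise leave it absent.  */
            }
        }
    }
}
```

After commit, confirm what the zone accepts with `show configuration security zones security-zone untrust`; anything beyond `ike` (or `https` for dynamic VPN) on the internet-facing zone should be justified.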