SRX Services Gateway

Setting an ipsec tunnel to responder only?

‎04-19-2015 07:50 PM

I have a simple routed non-dynamic VPN configured on an SRX240 that establishes with a Cisco router. The Cisco is always the session initiator. How do I configure the SRX to be responder only?


Re: Setting an ipsec tunnel to responder only?

[ Edited ]
‎04-19-2015 07:54 PM

Hi Clough,

You can do 2 things:

1. Don't configure "establish-tunnels immediately" under the IPSec VPN hierarchy.

This way the SRX will always wait for the connection from the peer.

Thanks,

Suraj

EDIT:

Removing point #2

2. Don't configure "host-inbound-traffic system-services ike" under the VPN external interface.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Setting an ipsec tunnel to responder only?

‎04-20-2015 08:26 AM

Hi,

I was a bit confused by rsuraj's response.

Does the "Edit Removing Point #2" mean that point #2 is wrong?

My understanding is that the public gateway interface of the VPN should be locked down in terms of what services it will process, and the "host-inbound-traffic system-services ike" allows the SRX to process incoming IKE dialogues (i.e. it allows the SRX to respond to a VPN initiation from a peer).

Is that not correct?


Re: Setting an ipsec tunnel to responder only?

‎04-20-2015 08:47 AM
You are correct, #2 was incorrect and that's the reason I have edited.
#2 can be used if we want to make the SRX the initiator only, not the responder.
Thanks,
Suraj
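To make the two points above concrete, here is a minimal route-based VPN configuration for the SRX side, written as an added example for this thread rather than taken from any of the posts. Interface names, zone names, the peer address (an RFC 5737 documentation address) and the proposal names are all placeholders; the pre-shared key is a placeholder you must replace. The two lines that matter for "responder only" are marked in the comments: `establish-tunnels immediately` is left out of the `vpn` stanza, and `system-services ike` stays on the external interface's zone so the SRX still accepts the Cisco's IKE packets.

```junos
## Added example (not from the thread): SRX side of a route-based IPsec VPN
## where the remote Cisco router is expected to initiate.
## All names, addresses and the PSK below are placeholders.
interfaces {
    ge-0/0/0 {
        unit 0 { family inet { address 198.51.100.2/30; } }   ## external/untrust
    }
    st0 {
        unit 0 { family inet; }                               ## tunnel interface
    }
}
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK";  ## placeholder
        }
        gateway cisco-gw {
            ike-policy ike-pol;
            address 203.0.113.10;          ## remote Cisco peer (placeholder)
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol { proposals ipsec-prop; }
        vpn cisco-vpn {
            bind-interface st0.0;
            ike {
                gateway cisco-gw;
                ipsec-policy ipsec-pol;
            }
            ## Point 1: no "establish-tunnels immediately" here, so the SRX
            ## does not bring the tunnel up on its own at commit/boot time.
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;   ## Point 2 (the retracted one): this MUST stay,
                                   ## otherwise the SRX drops the peer's IKE and
                                   ## can never act as responder.
                        }
                    }
                }
            }
        }
        security-zone vpn {
            interfaces { st0.0; }
        }
    }
}
routing-options {
    static { route 10.20.0.0/16 next-hop st0.0; }   ## remote network (placeholder)
}
```

One caveat worth knowing when you verify this: on the releases in use at the time of the thread, omitting `establish-tunnels immediately` leaves the default `establish-tunnels on-traffic` in effect, which means the SRX will still initiate IKE itself if traffic from its side is routed into st0.0 while the tunnel is down. If you need the SRX to never initiate, later Junos releases added `establish-tunnels responder-only` under the same `security ipsec vpn` hierarchy; check `set security ipsec vpn <name> establish-tunnels ?` on your release. Either way, `show security ike security-associations` after the Cisco connects should show the SA with the SRX as responder.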