Srx vpn monitor configuration
6/24/2023

This is an extremely long-overdue post, but I wanted to add a follow-up to the old blogpost Route-based VPN with Multiple Source/Destination Networks to a 3rd Party Device. While the previous method still works, it still had some drawbacks:

- It required the use of an ephemeral IP address, which can be a waste of IP space.
- It only worked if there was one destination network, as Next-Hop Tunnel Bindings (NHTBs) did not address which source network traffic came from.

Traffic selectors were introduced as a feature starting in Junos 12.1X46-D10 (SRX200, SRX1400, and SRX3k series) and Junos 17.3R1 (SRX300, SRX1500, SRX4k, and SRX5k series) for IKEv1. IKEv2 support was added in Junos 15.1X49-D100, meaning this is only available for the SRX300, SRX1500, SRX4k, and SRX5k series.

The example below shows two SRXs (SRX-1 and SRX-2) which need to allow access between 4 unique networks: 10.100.0.0/24, 10.100.1.0/24, 172.24.0.0/24 and 172.24.1.0/24 (the subnets used in the traffic selectors further down).

So now let's configure the SRXs with a single IKE policy and gateway. The output of such a configuration is shown below:

pre-shared-key ascii-text "$9$iqfz9Cu0IctueWXxsY.P5F39Ehrv87/CORclLXjHq.5pu1cyKO1"; ## SECRET-DATA

To add in the traffic selectors we just need to add them under the VPN stanza as shown below. Keep in mind that the local and remote IPs are different for each side of the tunnel: what is local-ip on one SRX is remote-ip on its peer. If these are duplicated/reversed the tunnels will not come up.

On the side with the 10.100.0.0/24 and 10.100.1.0/24 networks:

[edit security ipsec vpn
set traffic-selector traffic-selector-1 local-ip 10.100.0.0/24 remote-ip 172.24.0.0/24
set traffic-selector traffic-selector-2 local-ip 10.100.0.0/24 remote-ip 172.24.1.0/24
set traffic-selector traffic-selector-3 local-ip 10.100.1.0/24 remote-ip 172.24.0.0/24
set traffic-selector traffic-selector-4 local-ip 10.100.1.0/24 remote-ip 172.24.1.0/24

On the peer with the 172.24.0.0/24 and 172.24.1.0/24 networks, each selector is the mirror image (local and remote swapped), and each one needs its own name:

[edit security ipsec vpn
set traffic-selector traffic-selector-1 local-ip 172.24.0.0/24 remote-ip 10.100.0.0/24
set traffic-selector traffic-selector-2 local-ip 172.24.1.0/24 remote-ip 10.100.0.0/24
set traffic-selector traffic-selector-3 local-ip 172.24.0.0/24 remote-ip 10.100.1.0/24
set traffic-selector traffic-selector-4 local-ip 172.24.1.0/24 remote-ip 10.100.1.0/24

Once we're out of configuration mode, let's check on a few things.
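As an added example that is not part of the original post, the script below generates the full mirrored selector set for both SRXs from their subnet lists (one selector per local/remote pair, so N local and M remote networks need N*M selectors on each side), renders the Junos set commands, and checks a pasted-in selector list for the two mistakes the post warns about: a reused selector name (Junos keeps only the last definition under that name) and pairs that are not mirrored on the peer. The VPN name vpn-peer and the traffic-selector-N naming are assumptions; the subnets are the four from the post.

```python
"""Generate, parse and cross-check Junos SRX traffic selectors for a two-site VPN.

Added example, not from the original post. The VPN name "vpn-peer" and the
"traffic-selector-N" naming scheme are assumptions.
"""
import re
from ipaddress import ip_network
from itertools import product

# Constructed sample input: the subnets behind each side of the tunnel.
SIDE_A_NETS = ["10.100.0.0/24", "10.100.1.0/24"]
SIDE_B_NETS = ["172.24.0.0/24", "172.24.1.0/24"]

# Matches the set command form of a traffic selector under a vpn stanza.
_SET_RE = re.compile(
    r"^set security ipsec vpn (\S+) traffic-selector (\S+) "
    r"local-ip (\S+) remote-ip (\S+)$"
)


def build_selectors(local_nets, remote_nets):
    """One selector per (local, remote) pair. Returns {name: (local, remote)}."""
    pairs = product(map(ip_network, local_nets), map(ip_network, remote_nets))
    return {f"traffic-selector-{i}": pair for i, pair in enumerate(pairs, start=1)}


def render_set_commands(vpn_name, selectors):
    """Junos 'set' lines for the selectors, ready to paste into configuration mode."""
    return [
        f"set security ipsec vpn {vpn_name} traffic-selector {name} "
        f"local-ip {local} remote-ip {remote}"
        for name, (local, remote) in selectors.items()
    ]


def parse_set_commands(lines):
    """Parse 'set ... traffic-selector' lines into ({name: (local, remote)}, problems).

    Junos keeps only the last definition when a selector name is reused, so a
    reused name is reported as a problem instead of being silently collapsed.
    """
    selectors, problems = {}, []
    for line in lines:
        m = _SET_RE.match(line.strip())
        if not m:
            continue  # not a traffic-selector line; ignore
        _vpn, name, local, remote = m.groups()
        if name in selectors:
            problems.append(f"{name} defined more than once; only the last definition survives")
        selectors[name] = (ip_network(local), ip_network(remote))
    return selectors, problems


def check_mirror(side_a, side_b):
    """Every (local, remote) pair on one side must appear as (remote, local) on the peer."""
    problems = []
    a_pairs, b_pairs = set(side_a.values()), set(side_b.values())
    for name, (local, remote) in side_a.items():
        if (remote, local) not in b_pairs:
            problems.append(f"side A {name} {local}->{remote} has no mirrored selector on side B")
    for name, (local, remote) in side_b.items():
        if (remote, local) not in a_pairs:
            problems.append(f"side B {name} {local}->{remote} has no mirrored selector on side A")
    return problems


if __name__ == "__main__":
    a = build_selectors(SIDE_A_NETS, SIDE_B_NETS)
    b = build_selectors(SIDE_B_NETS, SIDE_A_NETS)
    for cmd in render_set_commands("vpn-peer", a) + render_set_commands("vpn-peer", b):
        print(cmd)
    print("mirror problems:", check_mirror(a, b))  # expected: []
```

Feed each side's set lines through parse_set_commands before committing; a copy of one SRX's selectors pasted onto the peer without swapping local-ip and remote-ip fails check_mirror on every pair, and a block where every selector carries the same name collapses to a single selector and is reported as such.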