In this blog, I will provide a policy-based VPN reference configuration when customer is using Juniper SRX Firewall for IPSec connectivity to Softlayer.
Softlayer End configuration, please refer to my another blog.
https://davidwzhang.com/2016/07/09/configuring-ipsec-on-cisco-ios-router-for-softlayer-connectivity/
Customer end Configuration: Juniper SRX Firewall (policy based VPN)
- Phase 1
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm md5
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text “$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG”
set security ike gateway SL ike-policy ike-phase1-policy
set security ike gateway SL address x.x.x.x
set security ike gateway SL external-interface ge-0/0/0.0
2. Phase 2
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn SLVPN ike gateway SL
set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24
set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26
set security ipsec vpn SLVPN ike proxy-identity service any
set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy
3. Security Policy (Inbound)
set security policies from-zone trust to-zone untrust policy outbound_vpn match source-address local_network
set security policies from-zone trust to-zone untrust policy outbound_vpn match destination-address SL-net
set security policies from-zone trust to-zone untrust policy outbound_vpn match application any
set security policies from-zone trust to-zone untrust policy outbound_vpn then permit tunnel ipsec-vpn SLVPN
set security policies from-zone trust to-zone untrust policy outbound_vpn then count
4. Security Policy (Outbound)
set security policies from-zone untrust to-zone trust policy inbound_vpn match source-address SL-net
set security policies from-zone untrust to-zone trust policy inbound_vpn match destination-address local_network
set security policies from-zone untrust to-zone trust policy inbound_vpn match application any
set security policies from-zone untrust to-zone trust policy inbound_vpn then permit tunnel ipsec-vpn SLVPN
set security policies from-zone untrust to-zone trust policy inbound_vpn then count
5.Routing
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1