In this blog, I will provide a policy-based VPN reference configuration when customer is using Juniper SRX Firewall for IPSec connectivity to Softlayer.

Softlayer End configuration, please refer to my another blog.

https://davidwzhang.com/2016/07/09/configuring-ipsec-on-cisco-ios-router-for-softlayer-connectivity/

Customer end Configuration: Juniper SRX Firewall (policy based VPN)

 

1. Phase 1

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys

set security ike proposal ike-phase1-proposal dh-group group2

set security ike proposal ike-phase1-proposal authentication-algorithm md5

set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc

set security ike policy ike-phase1-policy mode main

set security ike policy ike-phase1-policy proposals ike-phase1-proposal

set security ike policy ike-phase1-policy pre-shared-key ascii-text “$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG”

set security ike gateway SL ike-policy ike-phase1-policy

set security ike gateway SL address x.x.x.x

set security ike gateway SL external-interface ge-0/0/0.0

2. Phase 2

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96

set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2

set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec vpn SLVPN ike gateway SL

set security ipsec vpn SLVPN ike proxy-identity local 192.168.109.0/24

set security ipsec vpn SLVPN ike proxy-identity remote 10.66.24.0/26

set security ipsec vpn SLVPN ike proxy-identity service any

set security ipsec vpn SLVPN ike ipsec-policy ipsec-phase2-policy

 

3. Security Policy (Inbound)

set security policies from-zone trust to-zone untrust policy outbound_vpn match source-address local_network

set security policies from-zone trust to-zone untrust policy outbound_vpn match destination-address SL-net

set security policies from-zone trust to-zone untrust policy outbound_vpn match application any

set security policies from-zone trust to-zone untrust policy outbound_vpn then permit tunnel ipsec-vpn SLVPN

set security policies from-zone trust to-zone untrust policy outbound_vpn then count

 

4. Security Policy (Outbound)

set security policies from-zone untrust to-zone trust policy inbound_vpn match source-address SL-net

set security policies from-zone untrust to-zone trust policy inbound_vpn match destination-address local_network

set security policies from-zone untrust to-zone trust policy inbound_vpn match application any

set security policies from-zone untrust to-zone trust policy inbound_vpn then permit tunnel ipsec-vpn SLVPN

set security policies from-zone untrust to-zone trust policy inbound_vpn then count
5.Routing

set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1