Juniper SRX Site-to-Site VPN Configuration (Policy-based VPN)

Clarence Subia
3 min read · Mar 4, 2023

1. Configure Branch Office SRX

set interfaces ge-0/0/4 unit 0 family inet address 10.10.101.1/24
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.1/30
set interfaces st0.0 family inet

set routing-options static route 10.10.201.0/24 next-hop st0.0

set security zones security-zone untrust interface st0.0
set security zones security-zone untrust interface ge-0/0/3
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interface ge-0/0/4

set security ike proposal phase1-proposal authentication-method pre-shared-keys
set security ike proposal phase1-proposal dh-group group19
set security ike proposal phase1-proposal authentication-algorithm sha1
set security ike proposal phase1-proposal encryption-algorithm aes-256-cbc
set security ike proposal phase1-proposal lifetime-seconds 28800

set security ike policy phase1-policy mode main
set security ike policy phase1-policy proposals phase1-proposal
set security ike policy phase1-policy pre-shared-key ascii-text juniper

set security ike gateway phase1-gateway external-interface ge-0/0/3
set security ike gateway phase1-gateway ike-policy phase1-policy
set security ike gateway phase1-gateway address 172.18.1.2
set security ike gateway phase1-gateway version v2-only

set security ipsec proposal phase2-proposal protocol esp
set security ipsec proposal phase2-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal phase2-proposal lifetime-seconds 3600

set security ipsec policy phase2-policy proposals phase2-proposal

set security ipsec vpn to-remote-ipsec-gateway ike gateway phase1-gateway
set security ipsec vpn to-remote-ipsec-gateway ike ipsec-policy phase2-policy
set security ipsec vpn to-remote-ipsec-gateway bind-interface st0.0
set security ipsec vpn to-remote-ipsec-gateway establish-tunnels immediately

Address-book entries referenced by the policies below (not shown in the original; derived from the two LAN prefixes above):

set security address-book global address Branch_Office 10.10.101.0/24
set security address-book global address Branch_HQ 10.10.201.0/24

set security policies from-zone trust to-zone untrust policy toCorporate match source-address Branch_Office
set security policies from-zone trust to-zone untrust policy toCorporate match destination-address Branch_HQ
set security policies from-zone trust to-zone untrust policy toCorporate match application any
set security policies from-zone trust to-zone untrust policy toCorporate then permit

set security policies from-zone untrust to-zone trust policy fromCorporate match source-address Branch_HQ
set security policies from-zone untrust to-zone trust policy fromCorporate match destination-address Branch_Office
set security policies from-zone untrust to-zone trust policy fromCorporate match application any
set security policies from-zone untrust to-zone trust policy fromCorporate then permit

2. Configure HQ SRX

set interfaces ge-0/0/4 unit 0 family inet address 10.10.201.1/24
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30
set interfaces st0.0 family inet

set routing-options static route 10.10.101.0/24 next-hop st0.0

set security zones security-zone untrust interface st0.0
set security zones security-zone untrust interface ge-0/0/3
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interface ge-0/0/4

set security ike proposal phase1-proposal authentication-method pre-shared-keys
set security ike proposal phase1-proposal dh-group group19
set security ike proposal phase1-proposal authentication-algorithm sha1
set security ike proposal phase1-proposal encryption-algorithm aes-256-cbc
set security ike proposal phase1-proposal lifetime-seconds 28800

set security ike policy phase1-policy mode main
set security ike policy phase1-policy proposals phase1-proposal
set security ike policy phase1-policy pre-shared-key ascii-text juniper

set security ike gateway phase1-gateway external-interface ge-0/0/3
set security ike gateway phase1-gateway ike-policy phase1-policy
set security ike gateway phase1-gateway address 172.18.1.1
set security ike gateway phase1-gateway version v2-only

set security ipsec proposal phase2-proposal protocol esp
set security ipsec proposal phase2-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal phase2-proposal lifetime-seconds 3600

set security ipsec policy phase2-policy proposals phase2-proposal

set security ipsec vpn to-remote-ipsec-gateway ike gateway phase1-gateway
set security ipsec vpn to-remote-ipsec-gateway ike ipsec-policy phase2-policy
set security ipsec vpn to-remote-ipsec-gateway bind-interface st0.0
set security ipsec vpn to-remote-ipsec-gateway establish-tunnels immediately

Address-book entries referenced by the policies below (not shown in the original; derived from the two LAN prefixes above). On the HQ side the trust zone holds Branch_HQ, so the source and destination are the reverse of the branch policies:

set security address-book global address Branch_Office 10.10.101.0/24
set security address-book global address Branch_HQ 10.10.201.0/24

set security policies from-zone trust to-zone untrust policy toBranch match source-address Branch_HQ
set security policies from-zone trust to-zone untrust policy toBranch match destination-address Branch_Office
set security policies from-zone trust to-zone untrust policy toBranch match application any
set security policies from-zone trust to-zone untrust policy toBranch then permit

set security policies from-zone untrust to-zone trust policy fromBranch match source-address Branch_Office
set security policies from-zone untrust to-zone trust policy fromBranch match destination-address Branch_HQ
set security policies from-zone untrust to-zone trust policy fromBranch match application any
set security policies from-zone untrust to-zone trust policy fromBranch then permit
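The two configurations above must agree on several values (each side's peer address, the IKE and IPsec proposals, the pre-shared key, the IKE version) and every address-book name a policy references must exist, or the tunnel either never negotiates or negotiates and then drops all traffic. The following checker is an added example, not code from the post or from Juniper: it parses set-format lines of the simple `set <path> <value>` shape used here, cross-checks two peer configs, flags dangling address-book names, and warns on the weaker choices in this post (sha1 integrity for IKE, a short pre-shared key). The embedded sample is constructed from the page's statements, with the HQ side derived as the mirror image of the branch side.

```python
"""Added example: cross-check two Junos SRX set-format VPN configs.
Not Juniper tooling; it handles only 'set <path> <value>' statements."""

# Constructed sample: the branch side, trimmed to the statements the checker
# reads (link address, address book, IKE/IPsec proposals, gateway, policies).
BRANCH_CFG = """
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.1/30
set security address-book global address Branch_Office 10.10.101.0/24
set security address-book global address Branch_HQ 10.10.201.0/24
set security ike proposal phase1-proposal authentication-method pre-shared-keys
set security ike proposal phase1-proposal dh-group group19
set security ike proposal phase1-proposal authentication-algorithm sha1
set security ike proposal phase1-proposal encryption-algorithm aes-256-cbc
set security ike policy phase1-policy pre-shared-key ascii-text juniper
set security ike gateway phase1-gateway external-interface ge-0/0/3
set security ike gateway phase1-gateway address 172.18.1.2
set security ike gateway phase1-gateway version v2-only
set security ipsec proposal phase2-proposal protocol esp
set security ipsec proposal phase2-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal phase2-proposal encryption-algorithm aes-256-cbc
set security policies from-zone trust to-zone untrust policy toCorporate match source-address Branch_Office
set security policies from-zone trust to-zone untrust policy toCorporate match destination-address Branch_HQ
"""
# HQ side, constructed as the mirror image: link addresses swapped and the
# policy direction reversed; every other statement repeats the branch side.
HQ_CFG = (BRANCH_CFG.replace("172.18.1.1/30", "172.18.1.2/30")
          .replace("address 172.18.1.2\n", "address 172.18.1.1\n")
          .replace("Branch_Office\n", "@\n").replace("Branch_HQ\n", "Branch_Office\n")
          .replace("@\n", "Branch_HQ\n"))


def parse_set(text):
    """Map 'set a b c value' to {'a b c': 'value'} (leaf statements only)."""
    cfg = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "set":
            cfg[" ".join(parts[1:-1])] = parts[-1]
    return cfg


def leaf_values(cfg, prefix, leaf):
    """Values of every statement under <prefix> whose last keyword is <leaf>."""
    return {v for p, v in cfg.items()
            if p.startswith(prefix + " ") and p.endswith(" " + leaf)}


def external_ip(cfg):
    """Address (without mask) of the interface the IKE gateway binds to."""
    (ext,) = leaf_values(cfg, "security ike gateway", "external-interface")
    return cfg[f"interfaces {ext} unit 0 family inet address"].split("/")[0]


def undefined_addresses(cfg):
    """Address-book names used by security policies but never defined."""
    defined = {p.split()[4] for p in cfg
               if p.startswith("security address-book global address ")}
    used = {v for p, v in cfg.items() if p.startswith("security policies ")
            and p.split()[-1] in ("source-address", "destination-address")}
    return used - defined - {"any"}


# Leaves that must be identical on both peers for IKE/IPsec negotiation.
MUST_MATCH = [
    ("security ike proposal", "authentication-method"),
    ("security ike proposal", "dh-group"),
    ("security ike proposal", "authentication-algorithm"),
    ("security ike proposal", "encryption-algorithm"),
    ("security ike gateway", "version"),
    ("security ike policy", "ascii-text"),          # the pre-shared key
    ("security ipsec proposal", "protocol"),
    ("security ipsec proposal", "authentication-algorithm"),
    ("security ipsec proposal", "encryption-algorithm"),
]


def check_pair(a, b):
    """Return 'ERROR: ...' / 'WARN: ...' findings for two peer configs."""
    out = []
    for name, cfg, peer in (("A", a, b), ("B", b, a)):
        (gw_addr,) = leaf_values(cfg, "security ike gateway", "address")
        if gw_addr != external_ip(peer):
            out.append(f"ERROR: {name} peers with {gw_addr} but the other side's "
                       f"external address is {external_ip(peer)}")
        for missing in sorted(undefined_addresses(cfg)):
            out.append(f"ERROR: {name} policy references undefined address {missing}")
    for prefix, leaf in MUST_MATCH:
        va, vb = leaf_values(a, prefix, leaf), leaf_values(b, prefix, leaf)
        if va != vb:
            out.append(f"ERROR: {prefix} {leaf} differs: {sorted(va)} vs {sorted(vb)}")
    # Weak-choice warnings, evaluated on side A (B is identical if no ERROR above).
    if "sha1" in leaf_values(a, "security ike proposal", "authentication-algorithm"):
        out.append("WARN: IKE integrity uses sha1; sha-256 or stronger is preferable")
    for psk in leaf_values(a, "security ike policy", "ascii-text"):
        if len(psk) < 16:
            out.append(f"WARN: pre-shared key is only {len(psk)} characters")
    return out


if __name__ == "__main__":
    for finding in check_pair(parse_set(BRANCH_CFG), parse_set(HQ_CFG)):
        print(finding)
```

Run against the corrected pair it reports only the two warnings; feed it the branch config with the peer address mistyped as 172.18.2.2 (as the original post had it) and it reports that side A peers with an address the other side does not own, which is exactly the mismatch `show security ike security-associations` would later show as a missing SA.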

3. VPN Verification and Monitoring

show interfaces terse st0
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics

show interfaces st0 extensive
show security ipsec traffic-selector interface-name st0.0 detail
show route 10.10.201.0
