SRX100 (Internet traffic NATted to 5.6.1.2): =========================================================== ## Last commit: 2011-08-13 15:56:53 EST by root version 10.4R6.5; interfaces { st0 { unit 127 { description "Tunnel interface"; family inet; } } } routing-options { static { route 0.0.0.0/0 next-hop 192.168.53.254; route 10.0.0.0/8 { qualified-next-hop st0.127 { preference 150; } } } router-id 192.168.255.65; } security { ike { proposal PSK-G5-AES256-SHA1 { description "IKE proposal Pre-shared Key Group 5 AES-256 SHA-1"; authentication-method pre-shared-keys; dh-group group5; authentication-algorithm sha1; encryption-algorithm aes-256-cbc; lifetime-seconds 86400; } policy IKE-Policy { mode aggressive; description "IKE Policy"; proposals PSK-G5-AES256-SHA1; pre-shared-key ascii-text "XXXX"; ## SECRET-DATA } gateway IKE-Gateway { ike-policy IKE-Policy; address 1.2.3.4; local-identity user-at-hostname "user1@abc.com.au"; external-interface fe-0/0/1.0; } } ipsec { proposal ESP-AES256-SHA1 { description "IPSEC proposal ESP AES0-256 SHA-1"; protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm aes-256-cbc; lifetime-seconds 28800; } policy IPSEC-Policy { description "IPSEC POlicy for VPN"; perfect-forward-secrecy { keys group5; } proposals ESP-AES256-SHA1; } vpn IPSEC-VPN { bind-interface st0.127; ike { gateway IKE-Gateway; ipsec-policy IPSEC-Policy; } establish-tunnels immediately; } } zones { security-zone trust { tcp-rst; address-book { address PHONES 10.78.7.64/27; address USERS 10.78.7.96/27; address SWI01 10.78.15.66/32; address-set ALL-ALL { address PHONES; address USERS; address SWI01; } } host-inbound-traffic { system-services { any-service; } protocols { all; } } interfaces { fe-0/0/0.0; fe-0/0/2.0; fe-0/0/3.0; } } security-zone untrust { host-inbound-traffic { system-services { ssh; ping; http; } } interfaces { fe-0/0/1.0; } } security-zone VPN { tcp-rst; host-inbound-traffic { system-services { ssh; ping; all; } } interfaces { st0.127; } } } policies { from-zone trust to-zone untrust { policy OUTBOUND { match { source-address ALL-ALL; destination-address any; application any; } then { permit; log { session-close; } } } policy default-deny { match { source-address any; destination-address any; application any; } then { deny; log { session-init; } } } } from-zone trust to-zone VPN { policy VPN-OUT { match { source-address any; destination-address any; application any; } then { permit; log { session-init; session-close; } } } } from-zone VPN to-zone trust { policy VPN-IN { match { source-address any; destination-address any; application any; } then { permit; log { session-init; session-close; } } } } } } =========================================================== root@mefwi01> show interfaces terse Interface Admin Link Proto Local Remote fe-0/0/0 up down fe-0/0/0.0 up down inet 10.78.15.65/30 gr-0/0/0 up up ip-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16 10.0.0.6 --> 0/0 128.0.0.1 --> 128.0.1.16 128.0.0.6 --> 0/0 fe-0/0/1 up up fe-0/0/1.0 up up inet 192.168.53.100/24 fe-0/0/2 up down fe-0/0/2.0 up down inet 10.78.7.65/27 fe-0/0/3 up up fe-0/0/3.0 up up inet 10.78.7.97/27 fe-0/0/4 up down fe-0/0/5 up down fe-0/0/6 up down fe-0/0/7 up down gre up up ipip up up lo0 up up lo0.0 up up inet 192.168.255.65 --> 0/0 lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up st0.127 up down inet root@mefwi01> show security ike security-associations detail IKE peer 1.2.3.4, Index 4100826, Role: Initiator, State: UP Initiator cookie: 682e87c61404e94e, Responder cookie: 7ad2dd31f2393b00 Exchange type: Aggressive, Authentication method: Pre-shared-keys Local: 192.168.53.100:4500, Remote: 1.2.3.4:4500 Lifetime: Expires in 85802 seconds Peer ike-id: 1.2.3.4 Xauth assigned IP: 0.0.0.0 Algorithms: Authentication : sha1 Encryption : aes-cbc (256 bits) Pseudo random function: hmac-sha1 Traffic statistics: Input bytes : 608 Output bytes : 8091 Input packets: 1 Output packets: 20 Flags: Caller notification sent IPSec security associations: 0 created, 0 deleted Phase 2 negotiations in progress: 1 Negotiation type: Quick mode, Role: Initiator, Message ID: 1178258113 Local: 192.168.53.100:4500, Remote: 1.2.3.4:4500 Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) root@mefwi01> show security ipsec security-associations Total active tunnels: 0 root@mefwi01> show security flow session protocol esp Session ID: 28746, Policy name: N/A, Timeout: N/A, Valid In: 1.2.3.4/0 --> 192.168.53.100/0;esp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0 Session ID: 28747, Policy name: N/A, Timeout: N/A, Valid In: 1.2.3.4/0 --> 192.168.53.100/0;esp, If: fe-0/0/1.0, Pkts: 0, Bytes: 0 Total sessions: 2 SRX240 (Internet interface is 1.2.3.4; 5.6.7.8 is another site to site IPSEC VPN without NAT): =========================================================== ## Last commit: 2011-08-13 15:26:44 EST by root version 10.2R3.10; root@FW01-node0> show configuration interfaces st0 unit 127 { description "Tunnel interface"; family inet; } root@FW01-node0> show configuration routing-options static route 10.78.7.64/26 { qualified-next-hop st0.127 { preference 150; } root@FW01-node0> show configuration security ike proposal PSK-G5-AES256-SHA1 description "IKE proposal Pre-shared Key Group 5 AES-256 SHA-1"; authentication-method pre-shared-keys; dh-group group5; authentication-algorithm sha1; encryption-algorithm aes-256-cbc; lifetime-seconds 86400; root@FW01-node0> show configuration security ike policy IKE-Policy mode aggressive; description "IKE Policy"; proposals PSK-G5-AES256-SHA1; pre-shared-key ascii-text "XXXX"; ## SECRET-DATA root@FW01-node0> show configuration security ike gateway IKE-Gateway ike-policy IKE-Policy; dynamic user-at-hostname "user1@abc.com.au"; external-interface reth15.0; root@FW01-node0> show configuration security ipsec proposal ESP-AES256-SHA1 description "IPSEC proposal ESP AES0-256 SHA-1"; protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm aes-256-cbc; lifetime-seconds 28800; root@FW01-node0> show configuration security ipsec policy IPSEC-Policy description "IPSEC POlicy for VPN"; perfect-forward-secrecy { keys group5; } proposals ESP-AES256-SHA1; root@FW01-node0> show configuration security ipsec vpn IPSEC-VPN bind-interface st0.127; ike { gateway IKE-Gateway; ipsec-policy IPSEC-Policy; } root@FW01-node0> show configuration security zones security-zone trust tcp-rst; host-inbound-traffic { system-services { ssh; ping; http; https; ike; all; } } interfaces { reth3.0; st0.127; } root@FW01-node0> show configuration security policies from-zone trust to-zone trust policy default-permit { match { source-address any; destination-address any; application any; } then { permit; inactive: log { session-close; } } } =========================================================== root@FW01-node0> show route 10.78.7.64/26 inet.0: 80 destinations, 87 routes (80 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.78.7.64/26 *[Static/150] 1w3d 18:39:55 > via st0.127 {primary:node0} root@FW01-node0> show route 10.78.7.99 inet.0: 80 destinations, 87 routes (80 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.78.7.64/26 *[Static/150] 1w3d 18:40:00 > via st0.127 root@FW01-node0> show interfaces st0.127 Logical interface st0.127 (Index 160) (SNMP ifIndex 613) Description: Tunnel interface Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel Input packets : 0 Output packets: 14 Security: Zone: trust Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip Protocol inet, MTU: 9192 Flags: Sendbcast-pkt-to-re root@FW01-node0> show security flow session protocol esp | match 5.6 In: 5.6.7.8/0 --> 1.2.3.4/0;esp, If: reth15.0, Pkts: 0, Bytes: 0 In: 5.6.7.8/42053 --> 1.2.3.4/22442;esp, If: reth15.0, Pkts: 0, Bytes: 0 In: 5.6.7.8/0 --> 1.2.3.4/0;esp, If: reth15.0, Pkts: 0, Bytes: 0 In: 5.6.7.8/42053 --> 1.2.3.4/22442;esp, If: reth15.0, Pkts: 0, Bytes: 0 root@FW01-node0> show security ike security-associations node0: -------------------------------------------------------------------------- Index Remote Address State Initiator cookie Responder cookie Mode 841064 5.6.7.8 UP bba3abbd8cb941d0 27d0ff3de982bbad Main 842076 5.6.1.2 UP 70462e62872e1702 0bde1f95f6f1c443 Aggressive root@FW01-node0> show security ike security-associations index 842076 detail node0: -------------------------------------------------------------------------- IKE peer 5.6.1.2, Index 842076, Role: Responder, State: UP Initiator cookie: 70462e62872e1702, Responder cookie: 0bde1f95f6f1c443 Exchange type: Aggressive, Authentication method: Pre-shared-keys Local: 1.2.3.4:4500, Remote: 5.6.1.2:23776 Lifetime: Expires in 86106 seconds Algorithms: Authentication : sha1 Encryption : aes-cbc (256 bits) Pseudo random function: hmac-sha1 Traffic statistics: Input bytes : 4795 Output bytes : 5552 Input packets: 12 Output packets: 13 Flags: Caller notification sent IPSec security associations: 0 created, 0 deleted Phase 2 negotiations in progress: 1 Negotiation type: Quick mode, Role: Responder, Message ID: 2367315920 Local: 1.2.3.4:4500, Remote: 5.6.1.2:23781 Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) root@FW01-node0> show security ipsec security-associations | match 5.6 <131075 5.6.7.8 500 ESP:aes-256/sha1 a44557aa 9699/ 1048576 - root >131075 5.6.7.8 500 ESP:aes-256/sha1 6f2fc835 9699/ 1048576 - root