SRX

New Site to Site VPN configuration

  • 1.  New Site to Site VPN configuration

    Posted 04-09-2013 14:59

    Hi All,

    I am in the middle of trying to create a new IPsec route-based site-to-site VPN between 2 SRX240 firewalls. These firewalls already have a site-to-site tunnel established, but we want to add a new tunnel. Please, experts, correct me if I am wrong, but I was thinking that I need to create a new st interface and then bind the ike-vpn to the new st interface. If I bind the ike-vpn to the existing st0.0 interface, I drop the current working VPN tunnel.

    Here is the output:

    security {
        ike {
            inactive: traceoptions {
                file ike-debug;
                flag all;
                level 15;
            }
            policy Keno-V_IKE_Policy {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
            }
            policy Keno-Q_IKE_Policy {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
            }
            gateway Keno-V_IKE_Gateway {
                ike-policy Keno-V_IKE_Policy;
                address 172.21.131.14;
                external-interface reth1.775;
            }
            gateway Keno-Q_IKE_Gateway {
                ike-policy Keno-Q_IKE_Policy;
                address 172.20.131.14;
                external-interface reth1.875;
            }
        }
        ipsec {
            inactive: traceoptions {
                flag all;
            }
            policy Keno-V_VPN_Policy {
                proposal-set standard;
            }
            policy Keno-Q_VPN_Policy {
                proposal-set standard;
            }
            vpn ike-vpn {
                bind-interface st0.0;
                ike {
                    gateway Keno-V_IKE_Gateway;
                    ipsec-policy Keno-V_VPN_Policy;
                }
            }
        }
    }
    So I was thinking that I need to do the following
    set vpn ike-vpn bind-interface st1.0 ike gateway Keno-Q_IKE_Gateway ipsec-policy Keno-Q_VPN_Policy.
    I understand that I will also need to specify the st1 interface under the interface hierarchy.
    Any help will be great.
    Regards,
    Mark Ostler



  • 2.  RE: New Site to Site VPN configuration
    Best Answer

    Posted 04-09-2013 17:49

    Hi Mark,
    You will want to use st0.1, not st1.0.  If you added a third VPN, you would use st0.2 and so on.  I hope this helps.



  • 3.  RE: New Site to Site VPN configuration

    Posted 04-09-2013 19:52

    Hi John,

    Thanks for the response. I just tried to configure the st0.1 interface and it comes back with the following error message when I do a commit check.

    [edit security ipsec vpn qld-k-vpn bind-interface]
      'bind-interface st0.1'
        Referenced interface must be configured under [edit interfaces] hierarchy



  • 4.  RE: New Site to Site VPN configuration

    Posted 04-09-2013 20:24

    Hi John,

    I worked it out. I need to modify the st0 interface to become a multipoint interface so that I can add more VPN tunnels to it.

    Thanks for your input.
    Regards,
    Mark.



  • 5.  RE: New Site to Site VPN configuration

    Posted 01-21-2020 00:53

    You have to define the tunnel interface in interfaces, and then it should work.

    set interfaces st0 unit 0 family inet
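The following is an added worked configuration, not from the thread and not Juniper's documentation, that puts together what the replies above describe: the second tunnel gets its own unit on st0 (post 2), that unit must exist under [edit interfaces] before a VPN can bind to it (posts 3 and 5), and the unit must also belong to a security zone and have a route pointing into it, or no traffic will use the tunnel. The gateway, policy, VPN and reth names come from the posts; the tunnel addresses 10.255.0.0/30 and 10.255.0.4/30, the remote prefix 10.20.0.0/16 and the zone name `vpn` are assumed placeholders. Lines beginning with `##` are annotations and would be left out when pasting into `load set terminal`.

```junos
## Added example (not from the thread): second route-based tunnel on its own st0 unit.
## Assumed values: tunnel addresses 10.255.0.x/30, remote prefix 10.20.0.0/16, zone "vpn".

## 1. Tunnel units must exist under [edit interfaces] before anything references them;
##    a missing unit is exactly what the "Referenced interface must be configured" error means.
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set interfaces st0 unit 1 family inet address 10.255.0.5/30

## 2. A point-to-point st0 unit carries exactly one VPN. The existing ike-vpn stays on st0.0;
##    the new VPN (named qld-k-vpn in post 3) binds to st0.1 and uses the Keno-Q objects.
set security ipsec vpn qld-k-vpn bind-interface st0.1
set security ipsec vpn qld-k-vpn ike gateway Keno-Q_IKE_Gateway
set security ipsec vpn qld-k-vpn ike ipsec-policy Keno-Q_VPN_Policy
set security ipsec vpn qld-k-vpn establish-tunnels immediately

## 3. An st0 unit that is in no security zone drops all traffic. Putting st0.1 in the same zone
##    as st0.0 reuses the existing zone policies; a separate zone keeps the two sites apart.
set security zones security-zone vpn interfaces st0.1

## 4. Route-based VPNs need a route into the tunnel interface.
set routing-options static route 10.20.0.0/16 next-hop st0.1
```

Post 4 describes the other valid layout: keep a single unit, configure it with `set interfaces st0 unit 0 multipoint`, and bind both VPNs to st0.0, which then relies on next-hop tunnel binding to map each peer to its tunnel; the per-unit layout above avoids that mapping and keeps each tunnel's zone and routes independent. After `commit check` and `commit`, confirm the tunnel with `show security ike security-associations`, `show security ipsec security-associations` and `show interfaces st0.1 terse`; a Phase 2 SA that is up but no traffic flowing usually points at the missing zone membership or route in steps 3 and 4.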