I have a simple routed non-dynamic VPN configured on an SRX240 that establishes with a Cisco router. The Cisco is always the session initiator. How do I configure the SRX to be responder only?
You can do 2 things,
1. Don't configure "establish-tunnels immediately" under IPSec VPN hierarchy
This way SRX will always wait for the connection from Peer
2. Don't configure "host-inbound-traffic system-services ike" under VPN external interface
I was a bit confused by rsuraj's response.
Does the "Edit Removing Point #2" mean that point #2 is wrong?
My understanding is that the public gateway interface of the VPN should be locked down in terms of what services it will process, and the "host-inbound-traffic system-services ike" allows the SRX to process incoming IKE dialogues (i.e., it allows the SRX to respond to a VPN initiation from a peer).
Is that not correct?
"responder-only", see https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-vpn.html
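
An added example, not taken from any post in this thread: a set-style Junos fragment using the `responder-only` option of `establish-tunnels`, with IKE still permitted on the peer-facing interface so the SRX can answer the Cisco's negotiation. The VPN, gateway, policy, zone and interface names are assumptions, and `responder-only` is only available on Junos releases whose `establish-tunnels` statement lists it.

```junos
# Assumed names: VPN-TO-CISCO, GW-CISCO, IPSEC-POL, zone "untrust",
# external interface ge-0/0/0.0, tunnel interface st0.0.

# Route-based VPN bound to the tunnel interface.
set security ipsec vpn VPN-TO-CISCO bind-interface st0.0
set security ipsec vpn VPN-TO-CISCO ike gateway GW-CISCO
set security ipsec vpn VPN-TO-CISCO ike ipsec-policy IPSEC-POL

# The SRX never starts the negotiation; it only answers the peer.
# (Replaces "immediately" or the default "on-traffic" behaviour.)
set security ipsec vpn VPN-TO-CISCO establish-tunnels responder-only

# Accept IKE on the external interface only, so the peer's
# initiation reaches the IKE daemon. No other system service is
# opened on this interface by this line.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# Operational-mode checks after commit and after the Cisco initiates:
#   show security ike security-associations
#   show security ipsec security-associations
```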