SRX


Setting an ipsec tunnel to responder only?

  • 1.  Setting an ipsec tunnel to responder only?

    Posted 04-19-2015 19:50

    I have a simple routed non-dynamic VPN configured on an SRX240 that establishes with a Cisco router.  The Cisco is always the session initiator. How do I configure the SRX to be responder only?



  • 2.  RE: Setting an ipsec tunnel to responder only?

     
    Posted 04-19-2015 19:54

    Hi Clough,

    You can do 2 things,

    1. Don't configure "establish-tunnels immediately" under IPSec VPN hierarchy

    This way SRX will always wait for the connection from Peer

    Thanks,

    Suraj

    EDIT:

    Removing point#2

    2. Don't configure "host-inbound-traffic system-services ike" under VPN external interface



  • 3.  RE: Setting an ipsec tunnel to responder only?

    Posted 04-20-2015 08:26

    Hi-

    I was a bit confused by rsuraj's response.

    Does the "Edit Removing Point #2" mean that point #2 is wrong?

    My understanding is that the public gateway interface of the VPN should be locked down in terms of what services it will process, and the "host-inbound-traffic system-services ike" allows the SRX to process incoming IKE dialogues (i.e. it allows the SRX to respond to a VPN initiation from a peer).

    Is that not correct?



  • 4.  RE: Setting an ipsec tunnel to responder only?

     
    Posted 04-20-2015 08:47
    You are correct, #2 was incorrect and that's the reason I have edited.
    #2 can be used if we want to make SRX the initiator only, not responder.
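
Added example, not part of any post in this thread: a small Python check that reads a Junos configuration in `set` format and reports, per IPsec VPN, the two settings discussed above (`establish-tunnels immediately` on the VPN, and whether `ike` is permitted as host-inbound traffic on the gateway's external interface). The VPN, gateway, zone and interface names and the peer address in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample in Junos "set" format; every name and address here is made up.
SAMPLE_CONFIG = """\
set security ike gateway gw-cisco ike-policy ike-pol
set security ike gateway gw-cisco address 203.0.113.10
set security ike gateway gw-cisco external-interface ge-0/0/0.0
set security ipsec vpn vpn-cisco bind-interface st0.0
set security ipsec vpn vpn-cisco ike gateway gw-cisco
set security ipsec vpn vpn-cisco establish-tunnels immediately
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
"""

HIT = ["host-inbound-traffic", "system-services"]

def audit_responder_only(config):
    """Return findings that conflict with running each VPN as a responder."""
    gw_iface, vpn_gw, immediate, iface_zone = {}, {}, set(), {}
    iface_svc, zone_svc = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        t = line.split() + [""] * 10   # pad so fixed indexes are always safe
        if t[:2] != ["set", "security"]:
            continue
        if t[2:4] == ["ike", "gateway"] and t[5] == "external-interface":
            gw_iface[t[4]] = t[6]
        elif t[2:4] == ["ipsec", "vpn"] and t[5:7] == ["ike", "gateway"]:
            vpn_gw[t[4]] = t[7]
        elif t[2:4] == ["ipsec", "vpn"] and t[5:7] == ["establish-tunnels", "immediately"]:
            immediate.add(t[4])
        elif t[2:4] == ["zones", "security-zone"]:
            if t[5] == "interfaces":
                iface_zone[t[6]] = t[4]
                if t[7:9] == HIT:
                    iface_svc[t[6]].add(t[9])
            elif t[5:7] == HIT:
                zone_svc[t[4]].add(t[7])
    findings = []
    for vpn, gw in sorted(vpn_gw.items()):
        if vpn in immediate:
            findings.append(f"{vpn}: establish-tunnels immediately is set, SRX will initiate")
        iface = gw_iface.get(gw)
        # Interface-level services, when present, take precedence over the zone's.
        svc = iface_svc[iface] if iface in iface_svc else zone_svc.get(iface_zone.get(iface), set())
        if not svc & {"ike", "all", "any-service"}:
            findings.append(f"{vpn}: ike not allowed inbound on {iface}, SRX cannot respond")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_responder_only(SAMPLE_CONFIG)) or "no findings")
```

Feed it the output of `show configuration | display set` saved to a file; an empty result means neither setting conflicts with the SRX acting as responder.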


  • 5.  Re: Setting an ipsec tunnel to responder only?

     
    Posted 28 days ago