Hi All,
I am in the middle of trying to create a new IPsec route-based site-to-site VPN between 2 SRX240 firewalls. These firewalls already have a site-to-site tunnel established, but we want to add a new tunnel. Experts, please correct me if I am wrong, but I was thinking that I need to create a new st interface and then bind the ike-vpn to the new st interface. If I bind the ike-vpn to the existing st0.0 interface, I drop the current working VPN tunnel.
Here is the output:
security {
    ike {
        inactive: traceoptions {
            file ike-debug;
            flag all;
            level 15;
        }
        policy Keno-V_IKE_Policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        policy Keno-Q_IKE_Policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        gateway Keno-V_IKE_Gateway {
            ike-policy Keno-V_IKE_Policy;
            address 172.21.131.14;
            external-interface reth1.775;
        }
        gateway Keno-Q_IKE_Gateway {
            ike-policy Keno-Q_IKE_Policy;
            address 172.20.131.14;
            external-interface reth1.875;
        }
    }
    ipsec {
        inactive: traceoptions {
            flag all;
        }
        policy Keno-V_VPN_Policy {
            proposal-set standard;
        }
        policy Keno-Q_VPN_Policy {
            proposal-set standard;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway Keno-V_IKE_Gateway;
                ipsec-policy Keno-V_VPN_Policy;
            }
        }
    }
}
So I was thinking that I need to do the following:
set vpn ike-vpn bind-interface st1.0 ike gateway Keno-Q_IKE_Gateway ipsec-policy Keno-Q_VPN_Policy.
I understand that I will also need to specify the st1 interface under the interface hierarchy.
Any help will be great.
Regards,
Mark Ostler
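The following is an added example of how a second route-based tunnel is typically laid out on an SRX alongside the existing one; it is not part of the original post and not Juniper's documentation. It reuses the gateway and IPsec policy names from the posted configuration, but the VPN object name Keno-Q_VPN, the zone name vpn, the tunnel address 10.255.255.2/30 and the remote subnet 10.0.2.0/24 are assumptions. Junos provides a single secure tunnel interface, st0, and each tunnel takes its own logical unit on it, so the second VPN binds to st0.1. Keeping the new tunnel in a separate vpn object leaves ike-vpn and its st0.0 binding untouched.

```junos
## Added example, not from the original post. Assumed names/values:
## Keno-Q_VPN (vpn object), vpn (security zone), 10.255.255.2/30
## (tunnel address), 10.0.2.0/24 (remote subnet). Entered in configure mode.

## 1. Second logical unit on st0 for the new tunnel (numbered /30 assumed)
set interfaces st0 unit 1 family inet address 10.255.255.2/30

## 2. A separate vpn object bound to st0.1; ike-vpn on st0.0 is not modified
set security ipsec vpn Keno-Q_VPN bind-interface st0.1
set security ipsec vpn Keno-Q_VPN ike gateway Keno-Q_IKE_Gateway
set security ipsec vpn Keno-Q_VPN ike ipsec-policy Keno-Q_VPN_Policy
set security ipsec vpn Keno-Q_VPN establish-tunnels immediately

## 3. The new unit must belong to a security zone before any policy can
##    permit traffic through it (same zone as st0.0 assumed)
set security zones security-zone vpn interfaces st0.1

## 4. Route the remote subnet via the new unit (route-based VPN)
set routing-options static route 10.0.2.0/24 next-hop st0.1

## 5. Confirm the existing tunnel's binding is unchanged, then commit
show security ipsec vpn ike-vpn | display set
commit check
commit

## 6. After commit, verify both tunnels from operational mode
run show security ike security-associations
run show security ipsec security-associations
```

The check in step 5 is the important one for this scenario: because the posted plan reuses the vpn name ike-vpn, a set command against it would replace the st0.0 binding rather than add a second tunnel, which is exactly the outage the post wants to avoid. Step 6 should list security associations for both gateway addresses (172.21.131.14 and 172.20.131.14) once the peer side is configured to match.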