Skip to content

Commit c16c6f9

Browse files
showipintbrishowipintbri
authored
Update index.md
1 parent 868369a commit c16c6f9

File tree

1 file changed

+67
-0
lines changed

1 file changed

+67
-0
lines changed

docs/juniper/index.md

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -129,4 +129,71 @@ set system radius-options enhanced-accounting
129129

130130
I also, like to add: `set system services ssh root-login deny` to prevent **root** user from logging in remotely, forcing this to be a console only credential, incase an on-site rescue is needed.
131131

132+
## IKEv2 IPSEC Site-to-Site Tunnel
133+
```
134+
# -------------------------
135+
# IKE Phase 1 (IKEv2)
136+
# -------------------------
137+
set security ike proposal IKEV2-PROP authentication-method pre-shared-keys
138+
set security ike proposal IKEV2-PROP dh-group group14
139+
set security ike proposal IKEV2-PROP encryption-algorithm aes-256-gcm
140+
set security ike proposal IKEV2-PROP lifetime-seconds 28800
141+
set security ike proposal IKEV2-PROP authentication-algorithm hmac-sha-256-128
142+
143+
set security ike policy IKEV2-POL mode main
144+
set security ike policy IKEV2-POL proposals IKEV2-PROP
145+
set security ike policy IKEV2-POL pre-shared-key ascii-text "SuperSecret123"
146+
147+
set security ike gateway GW-TO-SRXB ike-policy IKEV2-POL
148+
set security ike gateway GW-TO-SRXB address 203.0.113.2
149+
set security ike gateway GW-TO-SRXB external-interface ge-0/0/0.0
150+
set security ike gateway GW-TO-SRXB version v2-only
151+
set security ike gateway GW-TO-SRXB local-identity inet 198.51.100.1
152+
set security ike gateway GW-TO-SRXB remote-identity inet 203.0.113.2
153+
set security ike gateway GW-TO-SRXB dead-peer-detection interval 10 retry 3
154+
155+
# -------------------------
156+
# IPsec Phase 2
157+
# -------------------------
158+
set security ipsec proposal IPSEC-PROP protocol esp
159+
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
160+
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-gcm
161+
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600
162+
163+
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
164+
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
165+
166+
# -------------------------
167+
# VPN Binding
168+
# -------------------------
169+
set security ipsec vpn VPN-TO-SRXB ike gateway GW-TO-SRXB
170+
set security ipsec vpn VPN-TO-SRXB ike ipsec-policy IPSEC-POL
171+
set security ipsec vpn VPN-TO-SRXB bind-interface st0.0
172+
set security ipsec vpn VPN-TO-SRXB vpn-monitor optimized
173+
set security ipsec vpn VPN-TO-SRXB establish-tunnels immediately
174+
175+
# -------------------------
176+
# st0 interface
177+
# -------------------------
178+
set interfaces st0 unit 0 family inet address 169.254.10.1/30
179+
set security zones security-zone vpn-zone interfaces st0.0
180+
181+
# -------------------------
182+
# Security zones & policies
183+
# -------------------------
184+
set security zones security-zone trust interfaces ge-0/0/1.0
185+
set security zones security-zone untrust interfaces ge-0/0/0.0
186+
187+
set security policies from-zone trust to-zone vpn-zone policy trust-to-vpn match source-address any destination-address any application any
188+
set security policies from-zone trust to-zone vpn-zone policy trust-to-vpn then permit
189+
190+
set security policies from-zone vpn-zone to-zone trust policy vpn-to-trust match source-address any destination-address any application any
191+
set security policies from-zone vpn-zone to-zone trust policy vpn-to-trust then permit
192+
193+
# -------------------------
194+
# Routing
195+
# -------------------------
196+
set routing-options static route 10.2.2.0/24 next-hop st0.0
197+
198+
```
132199

0 commit comments

Comments
 (0)