[Juniper SRX] IPsec VPN site-to-site with overlapping subnet

SRX Configuration:

Both sites share the same LAN prefix, so each side is exposed through the tunnel under a unique translated prefix instead of its real one. In this configuration the local LAN (11.11.11.0/24, represented by lo0.0) is reached from the remote site as 1.1.1.0/24, and the remote site is reached as 2.2.2.0/24; the tunnel interface st0.0 carries 1.1.1.1/24. The remote peer's real LAN prefix does not appear in this configuration.

Interface:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.184/24
set routing-instances untrust interface ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces lo0.0
set interfaces lo0 unit 0 family inet address 11.11.11.1/24
set routing-instances untrust interface lo0.0
set interfaces st0 unit 0 family inet address 1.1.1.1/24
set security zones security-zone untrust interfaces st0.0
set routing-instances untrust interface st0.0

Routing:
set routing-instances untrust routing-options static route 2.2.2.0/24 next-hop st0.0

VPN:
Phase 1 (IKE): IKEv1 main mode with a pre-shared key; both peers must agree on every proposal value below.
set security ike proposal P1 authentication-method pre-shared-keys
set security ike proposal P1 dh-group group2
set security ike proposal P1 authentication-algorithm sha-256
set security ike proposal P1 encryption-algorithm aes-256-cbc
set security ike proposal P1 lifetime-seconds 28800
set security ike policy ike-Policy mode main
set security ike policy ike-Policy proposals P1
set security ike policy ike-Policy pre-shared-key ascii-text "$9$0l1pOEyleWx-wvWjqfzCAvWLX7V"
set security ike gateway SRX-FG ike-policy ike-Policy
set security ike gateway SRX-FG address 192.168.0.108
set security ike gateway SRX-FG no-nat-traversal
set security ike gateway SRX-FG external-interface ge-0/0/0
set security ike gateway SRX-FG local-address 192.168.0.184
set security ike gateway SRX-FG version v1-only

Phase 2 (IPsec): note that no-anti-replay turns off ESP sequence-number replay checking for this VPN; leave it at the default (enabled) unless the peer cannot interoperate with it.
set security ipsec proposal Phase2-proposal protocol esp
set security ipsec proposal Phase2-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal Phase2-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Phase2-proposal lifetime-seconds 3600
set security ipsec policy Phase2_policy proposals Phase2-proposal
set security ipsec vpn SRX-FG bind-interface st0.0
set security ipsec vpn SRX-FG ike gateway SRX-FG
set security ipsec vpn SRX-FG ike no-anti-replay
set security ipsec vpn SRX-FG ike ipsec-policy Phase2_policy
set security ipsec vpn SRX-FG establish-tunnels immediately

Security Policy (intra-zone, because st0.0, lo0.0 and ge-0/0/0.0 are all in zone untrust):
set security policies from-zone untrust to-zone untrust policy allow match source-address any
set security policies from-zone untrust to-zone untrust policy allow match destination-address any
set security policies from-zone untrust to-zone untrust policy allow match application junos-icmp-all
set security policies from-zone untrust to-zone untrust policy allow match application junos-ike
set security policies from-zone untrust to-zone untrust policy allow then permit

Static NAT: traffic arriving from zone untrust (the tunnel) with source 2.2.2.0/24 and destination 1.1.1.0/24 has its destination translated host-for-host into 11.11.11.0/24; static NAT is bidirectional, so replies from 11.11.11.0/24 to 2.2.2.0/24 are translated back to 1.1.1.0/24. The routing-instance statement tells the rule which instance holds the translated prefix.
set security nat static rule-set STATIC from zone untrust
set security nat static rule-set STATIC rule STATIC-rule match source-address 2.2.2.0/24
set security nat static rule-set STATIC rule STATIC-rule match destination-address 1.1.1.0/24
set security nat static rule-set STATIC rule STATIC-rule then static-nat prefix 11.11.11.0/24
set security nat static rule-set STATIC rule STATIC-rule then static-nat prefix routing-instance untrust

Proxy ARP: the SRX answers ARP requests on st0.0 for the translated addresses 1.1.1.2 through 1.1.1.254, which are not assigned to any interface (1.1.1.1 is st0.0's own address).
set security nat proxy-arp interface st0.0 address 1.1.1.2/32 to 1.1.1.254/32

Static NAT Hit Count (from configuration mode; omit the run prefix in operational mode):
run show security nat static rule STATIC-rule
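Before committing a design like this it is worth checking the pieces against each other: static NAT translates address-for-address, so the matched destination prefix and the translated prefix must be the same length; the proxy-ARP range must lie inside the translated destination prefix and on the st0.0 subnet; the remote translated prefix needs a route into the tunnel; and a sample packet should end up at the intended real host. The script below is an added example and not Junos code or part of the original post. It parses the relevant set statements from this page (embedded as a constructed excerpt with the same values) into a small model, runs those checks, and applies the rule to a packet in each direction. The function names and the model layout are this example's own.

```python
"""Offline consistency check of the SRX overlapping-subnet static NAT design.

Added example (not Junos code): parses the relevant 'set' lines, builds a model,
checks the parts of the design that must agree, and applies the static NAT rule
to a sample packet in both directions.
"""
import ipaddress
import re

# Constructed excerpt of the configuration on this page (same values as above).
CONFIG = """
set interfaces lo0 unit 0 family inet address 11.11.11.1/24
set interfaces st0 unit 0 family inet address 1.1.1.1/24
set routing-instances untrust routing-options static route 2.2.2.0/24 next-hop st0.0
set security nat static rule-set STATIC from zone untrust
set security nat static rule-set STATIC rule STATIC-rule match source-address 2.2.2.0/24
set security nat static rule-set STATIC rule STATIC-rule match destination-address 1.1.1.0/24
set security nat static rule-set STATIC rule STATIC-rule then static-nat prefix 11.11.11.0/24
set security nat proxy-arp interface st0.0 address 1.1.1.2/32 to 1.1.1.254/32
"""


def parse(config):
    """Extract interfaces, static routes, the static NAT rule and proxy-ARP ranges."""
    model = {"interfaces": {}, "routes": {}, "nat": {}, "proxy_arp": {}}
    for line in config.strip().splitlines():
        m = re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)", line)
        if m:
            model["interfaces"][f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
            continue
        m = re.match(r"set routing-instances \S+ routing-options static route (\S+) next-hop (\S+)", line)
        if m:
            model["routes"][ipaddress.ip_network(m[1])] = m[2]
            continue
        m = re.match(r"set security nat static rule-set \S+ rule \S+ match (source|destination)-address (\S+)", line)
        if m:
            model["nat"][m[1]] = ipaddress.ip_network(m[2])
            continue
        # Only the address form of 'then static-nat prefix', not 'prefix routing-instance'.
        m = re.match(r"set security nat static rule-set \S+ rule \S+ then static-nat prefix (\d\S+)", line)
        if m:
            model["nat"]["prefix"] = ipaddress.ip_network(m[1])
            continue
        m = re.match(r"set security nat proxy-arp interface (\S+) address (\S+) to (\S+)", line)
        if m:
            model["proxy_arp"][m[1]] = (ipaddress.ip_network(m[2]), ipaddress.ip_network(m[3]))
    return model


def check(model):
    """Return a list of findings; an empty list means the design is internally consistent."""
    findings = []
    nat = model["nat"]
    src, dst, pfx = nat["source"], nat["destination"], nat["prefix"]
    # Static NAT maps one address to one address, so both prefixes must be the same size.
    if dst.prefixlen != pfx.prefixlen:
        findings.append(f"destination {dst} and translated prefix {pfx} differ in length")
    # The translated (real) prefix should be a network the SRX actually has an interface on.
    if not any(i.network == pfx for i in model["interfaces"].values()):
        findings.append(f"translated prefix {pfx} is not configured on any interface")
    # Proxy ARP must cover translated addresses that sit on the tunnel interface's subnet.
    for ifname, (lo, hi) in model["proxy_arp"].items():
        iface = model["interfaces"].get(ifname)
        if iface is None or lo.network_address not in iface.network or hi.network_address not in iface.network:
            findings.append(f"proxy-arp range on {ifname} is not on that interface's subnet")
        if lo.network_address not in dst or hi.network_address not in dst:
            findings.append(f"proxy-arp range on {ifname} lies outside NAT destination {dst}")
    # Replies to the remote translated prefix need a route into the tunnel.
    if src not in model["routes"]:
        findings.append(f"no static route for remote translated prefix {src}")
    return findings


def translate(model, src_ip, dst_ip):
    """Apply the rule to a packet arriving from the tunnel: destination 1.1.1.x -> 11.11.11.x."""
    nat = model["nat"]
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in nat["source"] and dst in nat["destination"]:
        offset = int(dst) - int(nat["destination"].network_address)
        dst = nat["prefix"].network_address + offset
    return str(src), str(dst)


def translate_reply(model, src_ip, dst_ip):
    """Reverse translation for the reply: source 11.11.11.x -> 1.1.1.x."""
    nat = model["nat"]
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in nat["prefix"] and dst in nat["source"]:
        offset = int(src) - int(nat["prefix"].network_address)
        src = nat["destination"].network_address + offset
    return str(src), str(dst)


if __name__ == "__main__":
    model = parse(CONFIG)
    print("findings:", check(model) or "none")
    print("inbound :", translate(model, "2.2.2.7", "1.1.1.5"))
    print("reply   :", translate_reply(model, "11.11.11.5", "2.2.2.7"))
```

Feed it the real configuration (for example the output of show configuration | display set) to reuse the checks; a finding such as a proxy-ARP range that spills past the NAT destination prefix is exactly the kind of mistake that otherwise shows up only as a zero hit count on the rule.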