IPSec VPN between SRX300 and pfSense
I set up an IPSec VPN between an SRX300 and pfSense running on an x86_64 box.
SRX300 running JUNOS 22.4R3-S3.3
  Internet:      3.0.0.1/24
  Inside/Office: 10.9.6.1/24

pfSense running 2.7.2-RELEASE (amd64)
  WAN: 2.0.0.1/24
  LAN: 10.9.169.1/24
pfSense Configuration

The pfSense side is configured in the GUI (VPN > IPsec). The field values were only shown in screenshots that are not reproduced here; every field has to mirror the SRX300 configuration below (IKEv2, AES-256-CBC / SHA-256 / DH group 14 for Phase 1, AES-128-GCM ESP for Phase 2, identical pre-shared key, 10.9.169.0/24 as the local and 10.9.6.0/24 as the remote network).

Phase 1
  IKE Endpoint Configuration
  Phase 1 Proposal (Authentication)
  Phase 1 Proposal (Encryption Algorithm): Algorithm, Key length, Hash, DH Group
  Expiration and Replacement
  Advanced Options
    UDP port for IKE on the remote gateway: leave blank
    UDP port for NAT-T on the remote gateway: leave blank
    Enable DPD

Phase 2
  Networks: three Type / Address pairs (local, NAT/BINAT and remote network)
  Phase 2 Proposal (SA/Key Exchange)
  Expiration and Replacement
  Keep Alive
SRX300
set security ike proposal ike-pro-VPN-169NET authentication-method pre-shared-keys
set security ike proposal ike-pro-VPN-169NET dh-group group14
set security ike proposal ike-pro-VPN-169NET authentication-algorithm sha-256
set security ike proposal ike-pro-VPN-169NET encryption-algorithm aes-256-cbc
set security ike proposal ike-pro-VPN-169NET lifetime-seconds 28800
set security ike policy ike-policy-VPN-169NET mode main
set security ike policy ike-policy-VPN-169NET proposals ike-pro-VPN-169NET
set security ike policy ike-policy-VPN-169NET pre-shared-key ascii-text "MySecretSharedKey"
set security ike gateway ike-gate-VPN-169NET ike-policy ike-policy-VPN-169NET
set security ike gateway ike-gate-VPN-169NET address 2.0.0.1
set security ike gateway ike-gate-VPN-169NET dead-peer-detection optimized
set security ike gateway ike-gate-VPN-169NET dead-peer-detection interval 2
set security ike gateway ike-gate-VPN-169NET dead-peer-detection threshold 2
set security ike gateway ike-gate-VPN-169NET nat-keepalive 30
set security ike gateway ike-gate-VPN-169NET local-identity inet 10.9.6.254
set security ike gateway ike-gate-VPN-169NET remote-identity inet 10.9.169.1
set security ike gateway ike-gate-VPN-169NET external-interface irb.20
set security ike gateway ike-gate-VPN-169NET version v2-only
set security ipsec proposal ipsec-pro-VPN-169NET protocol esp
set security ipsec proposal ipsec-pro-VPN-169NET encryption-algorithm aes-128-gcm
set security ipsec proposal ipsec-pro-VPN-169NET lifetime-seconds 3600
set security ipsec policy ipsec-policy-VPN-169NET proposals ipsec-pro-VPN-169NET
set security ipsec vpn ipsec-vpn-VPN-169NET bind-interface st0.15
set security ipsec vpn ipsec-vpn-VPN-169NET ike gateway ike-gate-VPN-169NET
set security ipsec vpn ipsec-vpn-VPN-169NET ike proxy-identity local 10.9.6.0/24
set security ipsec vpn ipsec-vpn-VPN-169NET ike proxy-identity remote 10.9.169.0/24
set security ipsec vpn ipsec-vpn-VPN-169NET ike ipsec-policy ipsec-policy-VPN-169NET
set security ipsec vpn ipsec-vpn-VPN-169NET establish-tunnels on-traffic
set security policies from-zone trust to-zone VPN-169NET policy trust-VPN-169NET-VPN-169NET match source-address NEWNAN-NET
set security policies from-zone trust to-zone VPN-169NET policy trust-VPN-169NET-VPN-169NET match destination-address 169NET-NET
set security policies from-zone trust to-zone VPN-169NET policy trust-VPN-169NET-VPN-169NET match application any
set security policies from-zone trust to-zone VPN-169NET policy trust-VPN-169NET-VPN-169NET then permit
set security policies from-zone VPN-169NET to-zone trust policy VR-trust match source-address 169NET-NET
set security policies from-zone VPN-169NET to-zone trust policy VR-trust match destination-address NEWNAN-NET
set security policies from-zone VPN-169NET to-zone trust policy VR-trust match application any
set security policies from-zone VPN-169NET to-zone trust policy VR-trust then permit
set security zones security-zone VPN-169NET address-book address 169NET-NET 10.9.169.0/24
set security zones security-zone VPN-169NET interfaces st0.15

Notes on this configuration:

- "version v2-only" restricts the gateway to IKEv2. The "mode main" statement on the IKE policy is an IKEv1 setting and has no effect once the gateway is v2-only.
- The pre-shared key shown is a placeholder. Use a long random string, and enter the identical value as the Phase 1 pre-shared key on pfSense.
- aes-128-gcm is an AEAD cipher, so the IPsec proposal carries no separate authentication-algorithm. The pfSense Phase 2 proposal has to select the same GCM algorithm or the child SA negotiation fails.
- No perfect-forward-secrecy group is set on the IPsec policy, so child SA rekeys do not run a fresh Diffie-Hellman exchange. pfSense Phase 2 PFS must be off to match; if you want PFS, enable it on both ends with the same group.
- local-identity 10.9.6.254 and remote-identity 10.9.169.1 are the IKE identities, not the tunnel endpoints (the peer address is 2.0.0.1). In the pfSense Phase 1 settings, "My identifier" must be the IP address 10.9.169.1 and "Peer identifier" the IP address 10.9.6.254, otherwise IKE_AUTH fails with an identity mismatch.
- The address-book entry NEWNAN-NET referenced by both security policies is not part of this excerpt; it has to exist in the trust zone (presumably the 10.9.6.0/24 office network, matching the local proxy-identity). The st0.15 tunnel interface itself (a logical unit with family inet) and a route for 10.9.169.0/24 via st0.15 are not shown either; without that route no traffic reaches the VPN-169NET zone and "establish-tunnels on-traffic" never triggers.
- Both security policies permit "application any". Narrow them to the services actually needed between the two sites once the tunnel is confirmed working.
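As an added check that is not part of the original write-up, the Python script below parses a Junos set-style configuration such as the one above and reports anything that falls below a simple baseline: IKEv2 only, DH group14 or stronger, no DES/3DES or MD5/SHA-1, no IKEv1 aggressive mode, a pre-shared key of at least 32 characters, a PFS group on the IPsec policy, and no "application any" permits. The baseline thresholds and the second, deliberately weak configuration are this example's own constructions; the first sample is an excerpt of the SRX300 configuration above. Run against that excerpt it flags the placeholder pre-shared key, the missing PFS group and the any-application policy.

```python
"""Baseline check for a Junos 'set'-style IKE/IPsec configuration.

Added example for this write-up, not Juniper or pfSense code. The baseline it
enforces (DH group14 or stronger, no DES/3DES, no MD5/SHA-1, IKEv2 only, no
aggressive mode, a pre-shared key of at least MIN_PSK_LEN characters, PFS on
the child SA, no 'application any' permits) is this example's own choice.
"""
from collections import defaultdict

STRONG_DH = {"group14", "group15", "group16", "group19", "group20", "group21"}
WEAK_ENC = {"des-cbc", "3des-cbc", "null"}
WEAK_AUTH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
MIN_PSK_LEN = 32  # assumption: shortest pre-shared key this baseline accepts

# Excerpt of the SRX300 configuration from this write-up.
PAGE_CONFIG = """\
set security ike proposal ike-pro-VPN-169NET dh-group group14
set security ike proposal ike-pro-VPN-169NET authentication-algorithm sha-256
set security ike proposal ike-pro-VPN-169NET encryption-algorithm aes-256-cbc
set security ike policy ike-policy-VPN-169NET mode main
set security ike policy ike-policy-VPN-169NET pre-shared-key ascii-text "MySecretSharedKey"
set security ike gateway ike-gate-VPN-169NET version v2-only
set security ipsec proposal ipsec-pro-VPN-169NET encryption-algorithm aes-128-gcm
set security ipsec policy ipsec-policy-VPN-169NET proposals ipsec-pro-VPN-169NET
set security policies from-zone trust to-zone VPN-169NET policy trust-VPN-169NET-VPN-169NET match application any
set security policies from-zone trust to-zone VPN-169NET policy trust-VPN-169NET-VPN-169NET then permit
"""

# Constructed counter-example with the legacy choices the baseline rejects.
WEAK_CONFIG = """\
set security ike proposal ike-legacy dh-group group2
set security ike proposal ike-legacy authentication-algorithm sha1
set security ike proposal ike-legacy encryption-algorithm 3des-cbc
set security ike policy ike-legacy-pol mode aggressive
set security ike policy ike-legacy-pol pre-shared-key ascii-text "changeme"
set security ike gateway gw-legacy version v1-only
set security ipsec proposal ipsec-legacy encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-legacy authentication-algorithm hmac-md5-96
set security ipsec policy ipsec-legacy-pol proposals ipsec-legacy
"""


def parse_set_lines(config_text):
    """Group 'set security ...' lines into {(area, kind, name): {key: value}}.

    Generic objects: 'set security <area> <kind> <name> <key words...> <value>'.
    Security policies: 'set security policies from-zone A to-zone B policy P <key...> <value>'.
    Multi-word keys such as 'pre-shared-key ascii-text' are joined with spaces.
    """
    objects = defaultdict(dict)
    for raw in config_text.splitlines():
        toks = raw.split()
        if len(toks) < 7 or toks[:2] != ["set", "security"]:
            continue
        if toks[2] == "policies":
            if len(toks) < 11:
                continue
            ident = ("policy", f"{toks[4]}->{toks[6]}", toks[8])
            key_toks = toks[9:-1]
        else:
            ident = (toks[2], toks[3], toks[4])
            key_toks = toks[5:-1]
        objects[ident][" ".join(key_toks)] = toks[-1].strip('"')
    return objects


def audit(config_text):
    """Return human-readable findings; an empty list means the baseline is met."""
    findings = []
    for (area, kind, name), a in parse_set_lines(config_text).items():
        if (area, kind) == ("ike", "proposal"):
            if a.get("dh-group") not in STRONG_DH:
                findings.append(f"ike proposal {name}: dh-group {a.get('dh-group')} is weaker than group14")
            if a.get("encryption-algorithm") in WEAK_ENC:
                findings.append(f"ike proposal {name}: legacy cipher {a['encryption-algorithm']}")
            if a.get("authentication-algorithm") in WEAK_AUTH:
                findings.append(f"ike proposal {name}: legacy PRF/integrity {a['authentication-algorithm']}")
        elif (area, kind) == ("ike", "policy"):
            if a.get("mode") == "aggressive":
                findings.append(f"ike policy {name}: IKEv1 aggressive mode leaks a crackable PSK hash")
            psk = a.get("pre-shared-key ascii-text")
            if psk is not None and len(psk) < MIN_PSK_LEN:
                findings.append(f"ike policy {name}: pre-shared key is only {len(psk)} characters")
        elif (area, kind) == ("ike", "gateway"):
            if a.get("version") != "v2-only":
                findings.append(f"ike gateway {name}: IKEv1 is accepted (version is not v2-only)")
        elif (area, kind) == ("ipsec", "proposal"):
            enc = a.get("encryption-algorithm", "")
            if enc in WEAK_ENC:
                findings.append(f"ipsec proposal {name}: legacy ESP cipher {enc}")
            if not enc.endswith("-gcm") and a.get("authentication-algorithm") in WEAK_AUTH:
                findings.append(f"ipsec proposal {name}: legacy ESP integrity {a['authentication-algorithm']}")
        elif (area, kind) == ("ipsec", "policy"):
            if "perfect-forward-secrecy keys" not in a:
                findings.append(f"ipsec policy {name}: no PFS group, child SA rekeys skip a fresh DH exchange")
        elif area == "policy" and a.get("match application") == "any" and a.get("then") == "permit":
            findings.append(f"security policy {kind} {name}: permits any application")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        results = audit(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

The parser only understands the flat "set" form shown on this page (display set output), not hierarchical Junos braces, and it treats the last token of each line as the value, which is why the pre-shared key is read back without its quotes. Adding a perfect-forward-secrecy keys line for the IPsec policy clears the PFS finding, which is the one-line fix a practitioner would most likely apply to the configuration above.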