Site to Site between SRX210 and SSG5

Topology

[Topology diagram]

Configuration in SRX210 (12.1X44-D45.2):

# set interfaces st0 unit 0 family inet address 192.168.10.1/24
# set routing-options static route 192.168.7.0/24 next-hop st0.0
# set security zones security-zone untrust tcp-rst
# set security zones security-zone untrust host-inbound-traffic system-services all
# set security zones security-zone untrust interfaces pp0.0
# set security zones security-zone untrust interfaces st0.0
# set security zones security-zone Lan tcp-rst
# set security zones security-zone Lan host-inbound-traffic system-services all
# set security zones security-zone Lan interfaces fe-0/0/4.0
# set security ike proposal P1proposal authentication-method pre-shared-keys
# set security ike proposal P1proposal dh-group group2
# set security ike proposal P1proposal encryption-algorithm des-cbc
# set security ike proposal P1proposal lifetime-seconds 86400
# set security ike policy P1policy mode main
# set security ike policy P1policy proposals P1proposal
# set security ike policy P1policy pre-shared-key ascii-text Pinoci0
# set security ike gateway P1gateway ike-policy P1policy
# set security ike gateway P1gateway address 81.218.170.25
# set security ike gateway P1gateway dead-peer-detection interval 10
# set security ike gateway P1gateway dead-peer-detection threshold 3
# set security ike gateway P1gateway external-interface pp0
# set security ipsec proposal P2proposal protocol esp
# set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2proposal encryption-algorithm des-cbc
# set security ipsec proposal P2proposal lifetime-seconds 36000
# set security ipsec policy P2policy perfect-forward-secrecy keys group2
# set security ipsec policy P2policy proposals P2proposal
# set security ipsec vpn site1-to-site2 bind-interface st0.0
# set security ipsec vpn site1-to-site2 ike gateway P1gateway
# set security ipsec vpn site1-to-site2 ike ipsec-policy P2policy
# set security ipsec vpn site1-to-site2 establish-tunnels immediately

Now we have to configure a security policy from the Lan zone to untrust and the reverse. In this case I have permitted all ports; of course you should restrict this to what you actually need.

set security policies from-zone Lan to-zone untrust policy Lan2Untrust match source-address any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust match destination-address any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust match application any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust then permit

set security policies from-zone untrust to-zone Lan policy allowall match source-address any
set security policies from-zone untrust to-zone Lan policy allowall match destination-address any
set security policies from-zone untrust to-zone Lan policy allowall match application any
set security policies from-zone untrust to-zone Lan policy allowall then permit
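As an added example (not code from the original post), here is a small Python script that parses lines in the `set` format used above and reports two things a reviewer would check before deploying this configuration: IKE/IPsec settings that use weak algorithms or Diffie-Hellman groups, and security policies that permit any source, any destination and any application. The configuration excerpt is copied from the post; the weak-value lists are this example's own assumption.

```python
# Config lines copied from the post (SRX side only; the SSG side is screenshots).
SRX_CONFIG = """\
# set security ike proposal P1proposal dh-group group2
# set security ike proposal P1proposal encryption-algorithm des-cbc
# set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2proposal encryption-algorithm des-cbc
# set security ipsec policy P2policy perfect-forward-secrecy keys group2
set security policies from-zone untrust to-zone Lan policy allowall match source-address any
set security policies from-zone untrust to-zone Lan policy allowall match destination-address any
set security policies from-zone untrust to-zone Lan policy allowall match application any
set security policies from-zone untrust to-zone Lan policy allowall then permit
"""

# Weak-value lists are this example's assumption, not something the post states.
WEAK = {"encryption-algorithm": {"des-cbc", "3des-cbc"},
        "authentication-algorithm": {"hmac-md5-96", "hmac-sha1-96"},
        "dh-group": {"group1", "group2", "group5"}, "keys": {"group1", "group2", "group5"}}

def parse_set_lines(cfg):
    """Yield each 'set ...' line as a token list, ignoring the '# ' config-mode prompt."""
    for line in cfg.splitlines():
        toks = line.strip().lstrip("# ").split()
        if toks[:1] == ["set"]:
            yield toks[1:]

def weak_crypto(cfg):
    """Return (object name, knob, value) for each weak IKE/IPsec proposal or policy setting."""
    hits = []
    for t in parse_set_lines(cfg):
        if len(t) >= 5 and t[0] == "security" and t[1] in ("ike", "ipsec") and t[2] in ("proposal", "policy"):
            if t[-1] in WEAK.get(t[-2], ()):   # last two tokens are knob and value
                hits.append((t[3], t[-2], t[-1]))
    return hits

def any_any_permits(cfg):
    """Return 'from->to:name' for security policies permitting any source/destination/application."""
    pols = {}
    for t in parse_set_lines(cfg):
        if t[:2] == ["security", "policies"] and len(t) >= 10:
            p = pols.setdefault((t[3], t[5], t[7]), {})   # from-zone, to-zone, policy name
            if t[8] == "match":
                p[t[9]] = t[10]
            elif t[8] == "then":
                p["action"] = t[9]
    return [f"{src}->{dst}:{name}" for (src, dst, name), p in pols.items()
            if p.get("action") == "permit"
            and all(p.get(k) == "any" for k in ("source-address", "destination-address", "application"))]
```

On the excerpt, `weak_crypto(SRX_CONFIG)` flags des-cbc, hmac-sha1-96 and group2 in P1proposal, P2proposal and P2policy, and `any_any_permits(SRX_CONFIG)` returns the untrust-to-Lan allowall policy, which is the inbound one worth narrowing to the remote prefix 192.168.7.0/24 and the local LAN prefix.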

Configuration in SSG5 (6.3.0r19.0):

[SSG5 WebUI configuration screenshots]

Verifying

[Verification output screenshots]

If you want to see the (U) letter instead of (-), you can enable the VPN monitor feature with this command:

[Command and output shown in screenshots]

Good Luck 🙂

By: Abed AL-R. Bishara
