Hi,

I have previously written a blog post on policy-based VPN (https://r2079.wordpress.com/2015/07/12/contructing-an-ipsec-site-to-site-vpn-on-vsrx/). Coming from a pure service provider world, I would rather enjoy a route-based VPN more than a policy-based VPN ;).

I have this topology:

1.1.1.1 --- (st0.0 172.16.1.1) srx1 (5.5.12.1) ---- ipsec-tunnel ---- srx2 (5.5.12.2) (st0 172.16.1.2) --- 2.2.2.2

First things first: check that you have an st0 interface on your SRX device; there is no reason why it should not be there!

image-1

Second, check that all security zones and policies are in place.

image-2

Third, assign an IP address to your st0 interface.

image-3

Fourth, build your IKE policy and IPsec policy. Very important: BIND YOUR ST0 interface here.

image-4

Fifth, write appropriate security policies and verify that your st0 interface is assigned to the appropriate zone and that the zone allows the required protocols; for me it was only ICMP.

image-5

Lastly, check your SAs and reachability.

image-6
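The steps above as a set-style configuration for srx1, added here as an example and not taken from the original post or its screenshots. The tunnel and peer addresses, 1.1.1.1, 2.2.2.2 and st0.0 come from the topology line; the uplink ge-0/0/0.0, the zone names (trust, untrust, vpn), all object names, the prefix lengths, the proposal choices and the pre-shared-key placeholder are assumptions, as is 1.1.1.1 being reached through a zone called trust.

```junos
# srx1 side; mirror addresses on srx2. Lines starting with # are annotations.
# Step 1 (operational mode): show interfaces terse st0

# Step 3: address the tunnel interface (/30 is an assumption)
set interfaces st0 unit 0 family inet address 172.16.1.1/30

# Step 2: zones. Only IKE is accepted on the uplink, only ping on the tunnel.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ping

# Step 4: IKE proposal, policy and gateway towards srx2
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway gw-srx2 ike-policy ike-pol
set security ike gateway gw-srx2 address 5.5.12.2
set security ike gateway gw-srx2 external-interface ge-0/0/0.0

# Step 4: IPsec proposal, policy and VPN; bind-interface makes it route-based
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-srx2 bind-interface st0.0
set security ipsec vpn vpn-srx2 ike gateway gw-srx2
set security ipsec vpn vpn-srx2 ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-srx2 establish-tunnels immediately

# Route-based: traffic enters the tunnel because the route points at st0.0
set routing-options static route 2.2.2.2/32 next-hop st0.0

# Step 5: policies limited to ICMP between the two end addresses
set security address-book global address site1 1.1.1.1/32
set security address-book global address site2 2.2.2.2/32
set security policies from-zone trust to-zone vpn policy site1-to-site2 match source-address site1 destination-address site2 application junos-icmp-all
set security policies from-zone trust to-zone vpn policy site1-to-site2 then permit
set security policies from-zone vpn to-zone trust policy site2-to-site1 match source-address site2 destination-address site1 application junos-icmp-all
set security policies from-zone vpn to-zone trust policy site2-to-site1 then permit

# Step 6 (operational mode, after commit):
#   show security ike security-associations
#   show security ipsec security-associations
#   ping 172.16.1.2
```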

Regards

Rakesh
