Example IPsec configuration for Juniper SRX

This topic provides an example IPsec configuration to be applied on a Juniper SRX to route HTTP and HTTPS traffic to Forcepoint ONE via IPsec tunnels. The filter-based forwarding section steers matching traffic into a dedicated forwarding instance whose default route prefers the primary tunnel (st0.0) and falls back to the backup tunnel (st0.1).

set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set routing-instances route_to_vpn instance-type forwarding
set routing-instances route_to_vpn routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-instances route_to_vpn routing-options static route 0.0.0.0/0 qualified-next-hop st0.1 preference 10
set routing-options interface-routes rib-group inet route_via_vpn
set routing-options rib-groups route_via_vpn import-rib inet.0
set routing-options rib-groups route_via_vpn import-rib route_to_vpn.inet.0
set firewall family inet filter TO_VPN term 1 from source-address 10.1.1.0/24
set firewall family inet filter TO_VPN term 1 from destination-port 80
set firewall family inet filter TO_VPN term 1 from destination-port 443
set firewall family inet filter TO_VPN term 1 then routing-instance route_to_vpn
set interfaces <incoming_interface> unit 0 family inet filter input TO_VPN
set security zones security-zone Zone1 host-inbound-traffic system-services all
set security zones security-zone Zone1 host-inbound-traffic protocols all
set security zones security-zone Zone1 interfaces ge-0/0/0
set security zones security-zone Zone1 interfaces st0.0
set security zones security-zone Zone1 interfaces st0.1
set security ike proposal forcepoint authentication-method pre-shared-keys
set security ike proposal forcepoint dh-group 19
set security ike proposal forcepoint authentication-algorithm sha2
set security ike proposal forcepoint encryption-algorithm aes-128
set security ike proposal forcepoint lifetime-seconds 86400
set security ike policy 100 mode main
set security ike policy 100 proposals forcepoint
set security ike policy 100 pre-shared-key ascii-text 5uTyr7J60ge533bL4YR3cCbH3BiFYRGT
set security ike gateway toForcepoint_primary ike-policy 100
set security ike gateway toForcepoint_primary address 3.141.173.255
set security ike gateway toForcepoint_primary dead-peer-detection always-send
set security ike gateway toForcepoint_primary dead-peer-detection interval 10
set security ike gateway toForcepoint_primary dead-peer-detection threshold 3
set security ike gateway toForcepoint_primary external-interface ge-0/0/0
set security ike gateway toForcepoint_primary version v2-only
set security ike gateway toForcepoint_backup ike-policy 100
set security ike gateway toForcepoint_backup address 13.250.218.49
set security ike gateway toForcepoint_backup dead-peer-detection always-send
set security ike gateway toForcepoint_backup dead-peer-detection interval 10
set security ike gateway toForcepoint_backup dead-peer-detection threshold 3
set security ike gateway toForcepoint_backup external-interface ge-0/0/0
set security ike gateway toForcepoint_backup version v2-only

If the IKE ID is the DNS hostname:
set security ike gateway toForcepoint_primary local-identity hostname srx.myenterprise.com
set security ike gateway toForcepoint_backup local-identity hostname srx.myenterprise.com

If the IKE ID is the device’s public IP address:
set security ike gateway toForcepoint_primary local-identity inet 13.228.255.0
set security ike gateway toForcepoint_backup local-identity inet 13.228.255.0

set security ipsec proposal FP_proposal protocol esp
set security ipsec proposal FP_proposal authentication-algorithm sha2
set security ipsec proposal FP_proposal encryption-algorithm aes-128
set security ipsec proposal FP_proposal lifetime-seconds 28800
set security ipsec policy 101 proposals FP_proposal
set security ipsec vpn Forcepoint_primary bind-interface st0.0
set security ipsec vpn Forcepoint_primary ike gateway toForcepoint_primary
set security ipsec vpn Forcepoint_primary ike ipsec-policy 101
set security ipsec vpn Forcepoint_primary establish-tunnels immediately
set security ipsec vpn Forcepoint_backup bind-interface st0.1
set security ipsec vpn Forcepoint_backup ike gateway toForcepoint_backup
set security ipsec vpn Forcepoint_backup ike ipsec-policy 101
set security ipsec vpn Forcepoint_backup establish-tunnels immediately
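To check the steering behaviour before committing, the following added Python model (not part of the Forcepoint documentation or any Junos tooling) reproduces the decision the filter TO_VPN and the route_to_vpn instance make for a packet: source in 10.1.1.0/24 and destination port 80 or 443 go into the instance, where the static default prefers st0.0 (default static preference 5) over the qualified-next-hop st0.1 (preference 10). It assumes an st0 unit is down once its tunnel's SA has been torn down (dead-peer-detection in the configuration handles that), and that the page's filter matches on port alone since it specifies no protocol.

```python
from ipaddress import ip_address, ip_network

# Term 1 of firewall filter TO_VPN, as on the page.
STEERED_SOURCE = ip_network("10.1.1.0/24")
STEERED_PORTS = {80, 443}

# Static default route in routing-instance route_to_vpn:
# st0.0 with the Junos default static preference (5), st0.1 as the
# qualified-next-hop with preference 10. Lowest preference wins.
ROUTE_TO_VPN_NEXT_HOPS = [("st0.0", 5), ("st0.1", 10)]


def filter_to_vpn_matches(src_ip, dst_port):
    """Return True if the packet matches term 1 of TO_VPN.

    No 'protocol' match is configured on the page, so only the source
    prefix and the destination port are evaluated here.
    """
    return ip_address(src_ip) in STEERED_SOURCE and dst_port in STEERED_PORTS


def active_default_next_hop(tunnels_up):
    """Pick the active next hop for 0.0.0.0/0 in route_to_vpn.

    tunnels_up maps st0 unit name -> bool (interface/tunnel state).
    A next hop is usable only while its st0 unit is up.
    """
    candidates = [(pref, ifname) for ifname, pref in ROUTE_TO_VPN_NEXT_HOPS
                  if tunnels_up.get(ifname, False)]
    return min(candidates)[1] if candidates else None


def forward(src_ip, dst_port, tunnels_up):
    """Where does the SRX send this packet?

    'inet.0'  : not matched by TO_VPN, normal routing table (direct).
    'st0.0'/'st0.1': matched, sent into the primary/backup tunnel.
    'discard' : matched, but route_to_vpn has no active default route
                (the rib-group only adds connected interface routes).
    """
    if not filter_to_vpn_matches(src_ip, dst_port):
        return "inet.0"
    next_hop = active_default_next_hop(tunnels_up)
    return next_hop if next_hop else "discard"


if __name__ == "__main__":
    # Constructed sample: both tunnels up, then primary failed.
    print(forward("10.1.1.25", 443, {"st0.0": True, "st0.1": True}))
    print(forward("10.1.1.25", 443, {"st0.0": False, "st0.1": True}))
```

Traffic that is not HTTP/HTTPS from 10.1.1.0/24 (DNS, for example) never enters the tunnel under this configuration, which is worth keeping in mind when comparing SRX session logs with what Forcepoint ONE reports.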