Configurations on Juniper SRX

Describes how to configure IPsec tunnels on Juniper SRX using IKEv2.

Steps

  1. Configure two tunnel interfaces for primary and secondary connections:
    set interfaces st0 unit 0 family inet
    set interfaces st0 unit 1 family inet
  2. Configure a routing-instance and routing-options for the traffic forwarded to the tunnel interface:
    set routing-instances <routing_instance_name> instance-type forwarding
    set routing-instances <routing_instance_name> routing-options static route 0.0.0.0/0 next-hop st0.0
    set routing-instances <routing_instance_name> routing-options static route 0.0.0.0/0 qualified-next-hop st0.1 preference 10
    
    set routing-options interface-routes rib-group inet <rib_group_name>
    set routing-options rib-groups <rib_group_name> import-rib inet.0
    set routing-options rib-groups <rib_group_name> import-rib <routing_instance_name>.inet.0
  3. Configure a firewall filter that matches HTTP and HTTPS traffic from the client subnet and routes it to the tunnel:
    set firewall family inet filter <inet_filter_name> term 1 from source-address <client_subnet>
    set firewall family inet filter <inet_filter_name> term 1 from destination-port 80
    set firewall family inet filter <inet_filter_name> term 1 from destination-port 443
    set firewall family inet filter <inet_filter_name> term 1 then routing-instance <routing_instance_name>
  4. Attach the filter to the ingress interface:
    set interfaces <incoming_interface> unit 0 family inet filter input <inet_filter_name>
  5. Configure the tunnel interfaces st0.0 and st0.1 in a security zone:
    set security zones security-zone <zone_name> host-inbound-traffic system-services all
    set security zones security-zone <zone_name> host-inbound-traffic protocols all
    set security zones security-zone <zone_name> interfaces <outgoing_interface>
    set security zones security-zone <zone_name> interfaces st0.0
    set security zones security-zone <zone_name> interfaces st0.1

    You can use the following show command to view the details of the security zones.

    show security zones
    security-zone <zone_name> {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            <outgoing_interface>;
            fe-0/0/5.0;
            st0.0;
            st0.1;
        }
    }
  6. Configure the IKE cipher, DH group, and security association lifetime parameters:
    set security ike proposal <ike_proposal_name> authentication-method pre-shared-keys
    set security ike proposal <ike_proposal_name> dh-group <supported_dh_group>
    set security ike proposal <ike_proposal_name> authentication-algorithm <supported_algorithm>
    set security ike proposal <ike_proposal_name> encryption-algorithm <supported_ike_algorithm>
    set security ike proposal <ike_proposal_name> lifetime-seconds 86400
  7. Configure an IKE policy with a pre-shared key. This key must match the key configured in the Forcepoint ONE SSE portal:
    set security ike policy <IKE_policy_name> mode main
    set security ike policy <IKE_policy_name> proposals <ike_proposal_name>
    set security ike policy <IKE_policy_name> pre-shared-key ascii-text <pre-shared_key>
  8. Configure an IKE gateway for each of the primary and secondary peers, and associate each with the egress interface:
    set security ike gateway <primary_IKE_gateway_name> ike-policy <IKE_policy_name> 
    set security ike gateway <primary_IKE_gateway_name> address <primary_destination_address>
    set security ike gateway <primary_IKE_gateway_name> dead-peer-detection always-send
    set security ike gateway <primary_IKE_gateway_name> dead-peer-detection interval 10
    set security ike gateway <primary_IKE_gateway_name> dead-peer-detection threshold 3
    set security ike gateway <primary_IKE_gateway_name> external-interface <outgoing_interface>
    set security ike gateway <primary_IKE_gateway_name> version v2-only
    
    set security ike gateway <secondary_IKE_gateway_name> ike-policy <IKE_policy_name>
    set security ike gateway <secondary_IKE_gateway_name> address <secondary_destination_address>
    set security ike gateway <secondary_IKE_gateway_name> dead-peer-detection always-send
    set security ike gateway <secondary_IKE_gateway_name> dead-peer-detection interval 10
    set security ike gateway <secondary_IKE_gateway_name> dead-peer-detection threshold 3
    set security ike gateway <secondary_IKE_gateway_name> external-interface <outgoing_interface>
    set security ike gateway <secondary_IKE_gateway_name> version v2-only
  9. Based on the Site IKE ID configured for your device in Forcepoint ONE SSE, configure the matching FQDN or IP address as the local IKE identity on both gateways.
    • If the IKE ID is the DNS hostname:

      set security ike gateway <primary_IKE_gateway_name> local-identity hostname <local_fqdn_id>
      set security ike gateway <secondary_IKE_gateway_name> local-identity hostname <local_fqdn_id>
    • If the IKE ID is the device’s public IP address:

      set security ike gateway <primary_IKE_gateway_name> local-identity inet <public_egress_IP>
      set security ike gateway <secondary_IKE_gateway_name> local-identity inet <public_egress_IP>
  10. Configure the IPsec proposal and the IPsec policy that references it. The IPsec proposal is the list of protocols and algorithms offered when negotiating with the IPsec peer:
    set security ipsec proposal <IPsec_proposal_name> protocol esp
    set security ipsec proposal <IPsec_proposal_name> authentication-algorithm <supported_algorithm>
    set security ipsec proposal <IPsec_proposal_name> encryption-algorithm <supported_IPsec_algorithm>
    set security ipsec proposal <IPsec_proposal_name> lifetime-seconds 28800
    set security ipsec policy <IPSec_policy_name> proposals <IPsec_proposal_name>
  11. Bind the primary tunnel interface and configure VPN monitoring for tunnel failover:
    set security ipsec vpn <primary_IPsec_VPN_name> bind-interface st0.0
    set security ipsec vpn <primary_IPsec_VPN_name> ike gateway <primary_IKE_gateway_name>
    set security ipsec vpn <primary_IPsec_VPN_name> ike ipsec-policy <IPSec_policy_name>
    set security ipsec vpn <primary_IPsec_VPN_name> establish-tunnels immediately
  12. Bind the backup tunnel interface and configure VPN monitoring:
    set security ipsec vpn <secondary_IPsec_VPN_name> bind-interface st0.1
    set security ipsec vpn <secondary_IPsec_VPN_name> ike gateway <secondary_IKE_gateway_name>
    set security ipsec vpn <secondary_IPsec_VPN_name> ike ipsec-policy <IPSec_policy_name>
    set security ipsec vpn <secondary_IPsec_VPN_name> establish-tunnels immediately
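A consistency lint for the finished configuration, added here as an example and not part of the original page or of any Juniper or Forcepoint tooling: it parses the `set` commands from the steps above and checks the properties the dual-tunnel layout depends on (each bound st0 unit is in a zone, each gateway is pinned to IKEv2, the backup next hop is less preferred than the primary, and the filter ends with an accept term so the implicit discard does not drop other ingress traffic). The names in the constructed sample (fp-ri, to-sse, gw-pri, gw-sec, vpn-pri, vpn-sec) are assumed example values standing in for the page's placeholders.

```python
from collections import defaultdict
# Constructed sample: the page's commands with example values in place of the <placeholders>.
SAMPLE = """
set routing-instances fp-ri routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-instances fp-ri routing-options static route 0.0.0.0/0 qualified-next-hop st0.1 preference 10
set firewall family inet filter to-sse term 1 then routing-instance fp-ri
set firewall family inet filter to-sse term 2 then accept
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security ike gateway gw-pri version v2-only
set security ike gateway gw-sec version v2-only
set security ipsec vpn vpn-pri bind-interface st0.0
set security ipsec vpn vpn-pri ike gateway gw-pri
set security ipsec vpn vpn-sec bind-interface st0.1
set security ipsec vpn vpn-sec ike gateway gw-sec
"""
def after(text, *prefix):
    """Tokens following `prefix` for every 'set' line that starts with it (the 'set' keyword dropped)."""
    stmts = [l.split()[1:] for l in text.splitlines() if l.strip().startswith("set ")]
    return [s[len(prefix):] for s in stmts if tuple(s[:len(prefix)]) == prefix]
def lint(text):
    """Return findings for the dual-tunnel layout; an empty list means every check passed."""
    out = []
    # Every st0 unit a VPN binds to must sit in a security zone, and its gateway must be IKEv2-only.
    zone_ifaces = {t[-1] for t in after(text, "security", "zones") if "interfaces" in t}
    v2_gws = {t[0] for t in after(text, "security", "ike", "gateway") if t[1:] == ["version", "v2-only"]}
    vpns = defaultdict(dict)
    for t in after(text, "security", "ipsec", "vpn"):
        if t[1] == "bind-interface": vpns[t[0]]["iface"] = t[2]
        if t[1:3] == ["ike", "gateway"]: vpns[t[0]]["gw"] = t[3]
    for name, v in vpns.items():
        if v.get("iface") not in zone_ifaces:
            out.append(f"{name}: bind-interface {v.get('iface')} is not in any security zone")
        if v.get("gw") not in v2_gws:
            out.append(f"{name}: gateway {v.get('gw')} is not restricted to version v2-only")
    # The backup next hop needs a worse preference than the static default (5), or both tunnels carry traffic.
    for t in after(text, "routing-instances"):
        if "qualified-next-hop" in t:
            pref = int(t[t.index("preference") + 1]) if "preference" in t else 5
            if pref <= 5:
                out.append(f"backup route via {t[t.index('qualified-next-hop') + 1]} has preference {pref}, not worse than primary")
    # Junos filters end in an implicit discard: without a final accept term, all other ingress traffic is dropped.
    filters = defaultdict(list)
    for t in after(text, "firewall", "family", "inet", "filter"):
        filters[t[0]].append(t[1:])
    for name, terms in filters.items():
        if not any(t[-2:] == ["then", "accept"] for t in terms):
            out.append(f"filter {name}: no term accepts remaining traffic, the implicit discard will drop it")
    return out
```

Run `lint()` over the output of `show configuration | display set` before committing; the checks are deliberately narrow and do not replace `commit check`.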