Network topology
Interactive diagram of the two-SRX lab (not reproduced in this text export); the per-node configuration details it links to are summarised in the reference tables below.
Reference
Interface & IP summary
All addresses used in this lab across both SRX appliances.
SRX1 — VM 150
| Interface | Role | IP Address |
|---|---|---|
| ge-0/0/0 | WAN / untrust | 172.16.100.1/24 |
| ge-0/0/1 | LAN / trust + DHCP | 10.100.11.1/24 |
| st0.0 | VPN tunnel | 10.100.200.1/24 |
| lo0 | Loopback | 10.100.100.1/32 |
| fxp0 | Management | 172.27.1.137 (assigned by DHCP) |
SRX2 — VM 151
| Interface | Role | IP Address |
|---|---|---|
| ge-0/0/0 | WAN / untrust | 172.16.100.2/24 |
| ge-0/0/1 | LAN / trust + DHCP | 10.100.22.1/24 |
| st0.0 | VPN tunnel | 10.100.200.2/24 |
| lo0 | Loopback | 10.100.100.2/32 |
| fxp0 | Management | 172.27.1.129 (assigned by DHCP) |
Routing summary
| Device | Destination | Next-hop |
|---|---|---|
| SRX1 | 10.100.22.0/24 | st0.0 |
| SRX2 | 10.100.11.0/24 | st0.0 |
Security zones
| Zone | Interface | Inbound services |
|---|---|---|
| untrust | ge-0/0/0 | IKE + ping |
| trust | ge-0/0/1 | all + DHCP |
| VPN | st0.0 | ping |
Configuration
CLI quick configs for IPsec
Paste the SRX1 block into the Junos console of VM 150 and the SRX2 block into VM 151, then run the verification block on either device. Replace $ABC123 with your pre-shared key; the value must be identical on both devices. Note that the IKE and IPsec proposals named standard set only the authentication method: the IKE version, Diffie-Hellman group, encryption and integrity algorithms and SA lifetimes are whatever your Junos release defaults to. Confirm what was actually negotiated with show security ike security-associations detail and show security ipsec security-associations detail, and pin explicit values if the defaults are not acceptable to you.
```
# SRX1 (VM 150)
# Enter configuration mode (type cli first only if you land in the shell)
cli
configure
# --- Interfaces ---
set interfaces ge-0/0/0 unit 0 family inet address 172.16.100.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.11.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.1/32
set interfaces st0 unit 0 family inet address 10.100.200.1/24
# --- Static routes ---
set routing-options static route 10.100.22.0/24 next-hop st0.0
# --- IKE ---
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.100.2
set security ike gateway IKE-GW external-interface ge-0/0/0
# --- IPsec ---
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host2 bind-interface st0.0
set security ipsec vpn VPN-to-Host2 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host2 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host2 establish-tunnels immediately
# --- Security zones ---
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
# --- Address books ---
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone trust
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone VPN
# --- Security policies ---
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
# --- TCP-MSS ---
set security flow tcp-mss ipsec-vpn mss 1350
# --- DHCP server ---
set system services dhcp-local-server group LAN-DHCP interface ge-0/0/1.0
set access address-assignment pool LAN-POOL family inet network 10.100.11.0/24
set access address-assignment pool LAN-POOL family inet range HOSTS low 10.100.11.100
set access address-assignment pool LAN-POOL family inet range HOSTS high 10.100.11.200
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 10.100.11.1
set access address-assignment pool LAN-POOL family inet dhcp-attributes name-server 8.8.8.8
# --- Commit ---
commit check
commit
```
```
# SRX2 (VM 151)
# Enter configuration mode (type cli first only if you land in the shell)
cli
configure
# --- Interfaces ---
set interfaces ge-0/0/0 unit 0 family inet address 172.16.100.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.22.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set interfaces st0 unit 0 family inet address 10.100.200.2/24
# --- Static routes ---
set routing-options static route 10.100.11.0/24 next-hop st0.0
# --- IKE ---
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.100.1
set security ike gateway IKE-GW external-interface ge-0/0/0
# --- IPsec ---
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
# --- Security zones ---
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
# --- Address books ---
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone VPN
# --- Security policies ---
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
# --- TCP-MSS ---
set security flow tcp-mss ipsec-vpn mss 1350
# --- DHCP server ---
set system services dhcp-local-server group LAN-DHCP interface ge-0/0/1.0
set access address-assignment pool LAN-POOL family inet network 10.100.22.0/24
set access address-assignment pool LAN-POOL family inet range HOSTS low 10.100.22.100
set access address-assignment pool LAN-POOL family inet range HOSTS high 10.100.22.200
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 10.100.22.1
set access address-assignment pool LAN-POOL family inet dhcp-attributes name-server 8.8.8.8
# --- Commit ---
commit check
commit
```
```
# Verification (operational mode, either device unless noted)
# --- Verify interfaces (st0.0 must be up) ---
show interfaces terse
# --- Verify routing table (expect the peer LAN via st0.0) ---
show route
# --- Verify IKE security associations (phase 1; check the negotiated algorithms in the detail view) ---
show security ike security-associations
show security ike security-associations detail
# --- Verify IPsec security associations (phase 2) ---
show security ipsec security-associations
show security ipsec security-associations detail
# --- Check encrypted/decrypted packet counters (both should rise while traffic flows) ---
show security ipsec statistics
# --- Verify security zones ---
show security zones
# --- Verify DHCP leases ---
show dhcp server binding
# --- Test connectivity (run from SRX1; only the default routing instance exists in this lab) ---
ping 10.100.22.1 count 5
# --- Check kmd log for IKE/IPsec errors (e.g. after a pre-shared key mismatch) ---
show log kmd
```
Running configurations
Full device configs
Complete hierarchical configurations (show configuration) exported from each device running Junos 24.4R2.21. They omit a few default stanzas (syslog, license autoupdate, PKI ca-profiles, pre-id-default-policy, syn-flood queue-size) that the display-set export below includes. Both exports also carry lab-only management settings, namely ssh root-login allow and plaintext web-management http on fxp0, that should not survive into any non-lab deployment.
```
## srx1 — running configuration — Junos 24.4R2.21
version 24.4R2.21;
system {
    host-name srx1;
    services {
        netconf {
            ssh {
                rate-limit 32;
            }
            rfc-compliant;
        }
        ssh {
            root-login allow;
            max-sessions-per-connection 20;
            rate-limit 32;
        }
        dhcp-local-server {
            group LAN-DHCP {
                interface ge-0/0/1.0;
            }
        }
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    name-server {
        172.27.1.200;
    }
}
security {
    ike {
        proposal standard {
            authentication-method pre-shared-keys;
        }
        policy IKE-POL {
            mode main;
            proposals standard;
            pre-shared-key ascii-text "$9$Yf24aZGjkqPQFhSleW8GDj"; ## SECRET-DATA
        }
        gateway IKE-GW {
            ike-policy IKE-POL;
            address 172.16.100.2;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal standard;
        policy IPSEC-POL {
            proposals standard;
        }
        vpn VPN-to-Host2 {
            bind-interface st0.0;
            ike {
                gateway IKE-GW;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        Host1 {
            address Host1-Net 10.100.11.0/24;
            attach {
                zone trust;
            }
        }
        Host2 {
            address Host2-Net 10.100.22.0/24;
            attach {
                zone VPN;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone VPN {
            policy VPN-OUT {
                match {
                    source-address Host1-Net;
                    destination-address Host2-Net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN to-zone trust {
            policy VPN-IN {
                match {
                    source-address Host2-Net;
                    destination-address Host1-Net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                    dhcp;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.100.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.100.11.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.100.100.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.100.200.1/24;
            }
        }
    }
}
access {
    address-assignment {
        pool LAN-POOL {
            family inet {
                network 10.100.11.0/24;
                range HOSTS {
                    low 10.100.11.100;
                    high 10.100.11.200;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        10.100.11.1;
                    }
                }
            }
        }
    }
}
routing-options {
    static {
        route 10.100.22.0/24 next-hop st0.0;
    }
}
```
```
## srx2 — running configuration — Junos 24.4R2.21
version 24.4R2.21;
system {
    host-name srx2;
    services {
        netconf {
            ssh {
                rate-limit 32;
            }
            rfc-compliant;
        }
        ssh {
            root-login allow;
            max-sessions-per-connection 20;
            rate-limit 32;
        }
        dhcp-local-server {
            group LAN-DHCP {
                interface ge-0/0/1.0;
            }
        }
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    name-server {
        172.27.1.200;
    }
}
security {
    ike {
        proposal standard {
            authentication-method pre-shared-keys;
        }
        policy IKE-POL {
            mode main;
            proposals standard;
            pre-shared-key ascii-text "$9$ZGGDikqPTQ39AKMLX-dqmP"; ## SECRET-DATA
        }
        gateway IKE-GW {
            ike-policy IKE-POL;
            address 172.16.100.1;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal standard;
        policy IPSEC-POL {
            proposals standard;
        }
        vpn VPN-to-Host1 {
            bind-interface st0.0;
            ike {
                gateway IKE-GW;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        Host2 {
            address Host2-Net 10.100.22.0/24;
            attach {
                zone trust;
            }
        }
        Host1 {
            address Host1-Net 10.100.11.0/24;
            attach {
                zone VPN;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone VPN {
            policy VPN-OUT {
                match {
                    source-address Host2-Net;
                    destination-address Host1-Net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN to-zone trust {
            policy VPN-IN {
                match {
                    source-address Host1-Net;
                    destination-address Host2-Net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                    dhcp;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.16.100.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.100.22.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.100.100.2/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.100.200.2/24;
            }
        }
    }
}
access {
    address-assignment {
        pool LAN-POOL {
            family inet {
                network 10.100.22.0/24;
                range HOSTS {
                    low 10.100.22.100;
                    high 10.100.22.200;
                }
                dhcp-attributes {
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        10.100.22.1;
                    }
                }
            }
        }
    }
}
routing-options {
    static {
        route 10.100.11.0/24 next-hop st0.0;
    }
}
```
Display set format
Flat set configurations
Output of show configuration | display set. Paste it into another vSRX on the same release to restore the configuration. The "$9$..." pre-shared-key strings are accepted by the CLI as already-encoded secrets, which also means anyone holding this output can recover the key; treat these exports as secret material.
```
## srx1 — display set — Junos 24.4R2.21
set version 24.4R2.21
set system host-name srx1
set system services netconf ssh rate-limit 32
set system services netconf rfc-compliant
set system services ssh root-login allow
set system services ssh max-sessions-per-connection 20
set system services ssh rate-limit 32
set system services dhcp-local-server group LAN-DHCP interface ge-0/0/1.0
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system name-server 172.27.1.200
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file sdcloud-messages any any
set system syslog file sdcloud-messages structured-data
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security pki ca-profile ISRG_Root_X1 ca-identity ISRG_Root_X1
set security pki ca-profile ISRG_Root_X1 pre-load
set security pki ca-profile Lets_Encrypt ca-identity Lets_Encrypt
set security pki ca-profile Lets_Encrypt enrollment url https://acme-v02.api.letsencrypt.org/directory
set security pki ca-profile sd_cloud_ca ca-identity sd_cloud_ca
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text "$9$Yf24aZGjkqPQFhSleW8GDj"
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.100.2
set security ike gateway IKE-GW external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host2 bind-interface st0.0
set security ipsec vpn VPN-to-Host2 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host2 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host2 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone trust
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone VPN
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 172.16.100.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.11.1/24
set interfaces fxp0 unit 0 family inet dhcp
set interfaces lo0 unit 0 family inet address 10.100.100.1/32
set interfaces st0 unit 0 family inet address 10.100.200.1/24
set access address-assignment pool LAN-POOL family inet network 10.100.11.0/24
set access address-assignment pool LAN-POOL family inet range HOSTS low 10.100.11.100
set access address-assignment pool LAN-POOL family inet range HOSTS high 10.100.11.200
set access address-assignment pool LAN-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 10.100.11.1
set routing-options static route 10.100.22.0/24 next-hop st0.0
```
```
## srx2 — display set — Junos 24.4R2.21
set version 24.4R2.21
set system host-name srx2
set system services netconf ssh rate-limit 32
set system services netconf rfc-compliant
set system services ssh root-login allow
set system services ssh max-sessions-per-connection 20
set system services ssh rate-limit 32
set system services dhcp-local-server group LAN-DHCP interface ge-0/0/1.0
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system name-server 172.27.1.200
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file sdcloud-messages any any
set system syslog file sdcloud-messages structured-data
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security pki ca-profile ISRG_Root_X1 ca-identity ISRG_Root_X1
set security pki ca-profile ISRG_Root_X1 pre-load
set security pki ca-profile Lets_Encrypt ca-identity Lets_Encrypt
set security pki ca-profile Lets_Encrypt enrollment url https://acme-v02.api.letsencrypt.org/directory
set security pki ca-profile sd_cloud_ca ca-identity sd_cloud_ca
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text "$9$ZGGDikqPTQ39AKMLX-dqmP"
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.100.1
set security ike gateway IKE-GW external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone VPN
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 172.16.100.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.22.1/24
set interfaces fxp0 unit 0 family inet dhcp
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set interfaces st0 unit 0 family inet address 10.100.200.2/24
set access address-assignment pool LAN-POOL family inet network 10.100.22.0/24
set access address-assignment pool LAN-POOL family inet range HOSTS low 10.100.22.100
set access address-assignment pool LAN-POOL family inet range HOSTS high 10.100.22.200
set access address-assignment pool LAN-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 10.100.22.1
set routing-options static route 10.100.11.0/24 next-hop st0.0
```
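Most failures in a two-site lab like this one come from the two exports not mirroring each other, and the CLI commits each side happily on its own. The following Python script is an added example, not code from the lab page: it reads two display-set exports of the kind shown above and cross-checks them for a gateway address the peer does not own or that is off-link, an st0 unit inside the range reserved for Multinode High Availability, a static route for the peer LAN that does not point into the tunnel, tunnel addresses on different subnets, and a DHCP pool that does not sit on the LAN interface. It assumes the LAN is whatever sits in the zone named trust and that an external-interface given without a unit means unit 0; gateway, VPN, pool and zone names are read from the lines rather than assumed. The embedded sample input is a constructed subset of the srx1/srx2 exports; a full export can be passed in unchanged.

```python
import ipaddress

# Constructed sample input: the subset of the srx1/srx2 "display set" exports that the checks read.
SRX1_SET = """\
set system host-name srx1
set security ike gateway IKE-GW address 172.16.100.2
set security ike gateway IKE-GW external-interface ge-0/0/0
set security ipsec vpn VPN-to-Host2 bind-interface st0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 172.16.100.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.11.1/24
set interfaces st0 unit 0 family inet address 10.100.200.1/24
set access address-assignment pool LAN-POOL family inet network 10.100.11.0/24
set access address-assignment pool LAN-POOL family inet range HOSTS low 10.100.11.100
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 10.100.11.1
set routing-options static route 10.100.22.0/24 next-hop st0.0
"""
SRX2_SET = """\
set system host-name srx2
set security ike gateway IKE-GW address 172.16.100.1
set security ike gateway IKE-GW external-interface ge-0/0/0
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 172.16.100.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.22.1/24
set interfaces st0 unit 0 family inet address 10.100.200.2/24
set access address-assignment pool LAN-POOL family inet network 10.100.22.0/24
set access address-assignment pool LAN-POOL family inet range HOSTS low 10.100.22.100
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 10.100.22.1
set routing-options static route 10.100.11.0/24 next-hop st0.0
"""

def statements(text):
    """Tokenise a display-set export, dropping the leading 'set' of every line."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]

def first(stmts, *prefix):
    """Tokens after the first statement that begins with `prefix`, or None."""
    return next((s[len(prefix):] for s in stmts if tuple(s[:len(prefix)]) == prefix), None)

def inet_addrs(stmts):
    """Map logical interface (e.g. 'st0.0') to its IPv4Interface."""
    return {f"{s[1]}.{s[3]}": ipaddress.ip_interface(s[7]) for s in stmts
            if s[:1] == ["interfaces"] and s[2:3] == ["unit"] and s[4:7] == ["family", "inet", "address"]}

def zone_of(stmts):
    """Map logical interface to the security zone it is attached to."""
    return {s[5]: s[3] for s in stmts
            if s[:3] == ["security", "zones", "security-zone"] and s[4:5] == ["interfaces"]}

def check_device(stmts, peer):
    """Consistency checks from one SRX's point of view; an empty list means no findings."""
    host, f = (first(stmts, "system", "host-name") or ["?"])[0], []
    addrs, zones, peer_addrs, peer_zones = inet_addrs(stmts), zone_of(stmts), inet_addrs(peer), zone_of(peer)
    binds = {s[3]: s[5] for s in stmts if s[:3] == ["security", "ipsec", "vpn"] and s[4:5] == ["bind-interface"]}
    routes = {s[3]: s[5] for s in stmts if s[:3] == ["routing-options", "static", "route"] and s[4:5] == ["next-hop"]}

    # 1. The peer must own the dialled IKE address and it must be on-link (this lab has no default route).
    for s in stmts:
        if s[:3] == ["security", "ike", "gateway"] and s[4:5] == ["address"]:
            name, peer_ip = s[3], ipaddress.ip_address(s[5])
            ext_name = (first(stmts, "security", "ike", "gateway", name, "external-interface") or ["?"])[0]
            ext = addrs.get(ext_name if "." in ext_name else ext_name + ".0")  # no unit given means unit 0
            if not any(a.ip == peer_ip for a in peer_addrs.values()):
                f.append(f"{host}: IKE gateway {name} dials {peer_ip}, which the peer does not own")
            if ext is None or peer_ip not in ext.network:
                f.append(f"{host}: IKE gateway {name} peer {peer_ip} is not on-link for {ext_name}")

    # 2. Each VPN's st0 unit must avoid the Multinode HA range (16000-16385) and share a subnet with a peer st0.
    for vpn, st in binds.items():
        if 16000 <= int(st.split(".")[1]) <= 16385:
            f.append(f"{host}: VPN {vpn} uses {st}, reserved for Multinode High Availability")
        tun = addrs.get(st)
        if tun is None or not any(n.startswith("st0.") and a.network == tun.network for n, a in peer_addrs.items()):
            f.append(f"{host}: {st} has no address on a subnet shared with a peer st0 unit")

    # 3. The peer's trust-zone LAN must be routed into a VPN bind-interface, not out of the WAN.
    for name, a in peer_addrs.items():
        if peer_zones.get(name) == "trust" and routes.get(str(a.network)) not in binds.values():
            f.append(f"{host}: no static route for peer LAN {a.network} via a VPN bind-interface")

    # 4. The DHCP pool, its range bounds and the router option must all sit on our trust-zone LAN.
    pool = {" ".join(s[6:-1]): s[-1] for s in stmts
            if s[:2] == ["access", "address-assignment"] and s[4:6] == ["family", "inet"]}
    if "network" in pool:
        net = ipaddress.ip_network(pool["network"])
        if not any(zones.get(n) == "trust" and a.network == net for n, a in addrs.items()):
            f.append(f"{host}: DHCP pool {net} matches no trust-zone interface")
        for key, val in pool.items():
            if key.split()[-1] in ("low", "high", "router") and ipaddress.ip_address(val) not in net:
                f.append(f"{host}: DHCP {key} {val} lies outside {net}")
    return f

def check_pair(text_a, text_b):
    a, b = statements(text_a), statements(text_b)
    return check_device(a, b) + check_device(b, a)
```

check_pair(SRX1_SET, SRX2_SET) returns an empty list for the lab as published; change the gateway address on one side, move a bind-interface to st0.16000, or point the peer-LAN route at the WAN address and the corresponding finding appears. The checker deliberately does not try to compare the "$9$" pre-shared keys, which differ on the wire even when the plaintext matches.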
Notes
Important reminders
Things to check before and after deployment.
Pre-shared key
The key must match exactly on both SRXs. A single-character difference makes IKE phase 1 fail, and the failure is only visible in the kmd log (show log kmd), not at commit time. Replace $ABC123 with a strong random value before deploying. The "$9$..." strings in the exported configurations are Junos reversible obfuscation, not a hash: the plaintext key can be recovered from them, and the encoding is randomised, so the same key yields a different string on each device. Treat the exports as secret material.
No default gateway needed
Both SRX WAN interfaces share 172.16.100.0/24 on sw1, which is internal to the lab, so each IKE peer is on-link and no default route is required. The flip side is that LAN clients can reach the other site through the tunnel but nothing beyond it: the trust-to-untrust default-permit policy has nowhere to send traffic, and the 8.8.8.8 name-server that DHCP hands out is unreachable until you add a default route (and, for the RFC 1918 LAN addresses used here, source NAT) on the untrust side.
Proxmox bridge promiscuous mode
If IKE packets are not reaching the peer, check that sw1 is not filtering frames. Enable promiscuous mode on the bridge if needed.
NIC driver
Use virtio for best performance. If vSRX fails to detect interfaces on first boot, switch to e1000 in the Proxmox VM hardware settings.
DHCP syntax version
The dhcp-local-server and address-assignment syntax shown was originally validated on Junos 20.4R1; the configurations above were exported from 24.4R2.21 with the same statements. Verify against your installed version if you see commit errors.
st0 range restriction
Interfaces st0.16000 through st0.16385 are reserved for Multinode High Availability. Only use st0.0 through st0.15999.