Posts Tagged ‘ipsec’

  1. Add VPN profile to both sides with same PreShared Key

2020-01-07_23-39-50.png

 

 

2) Add Static Routes on both sides to each other’s Subnets via the VPN Connection Interface created in Step 1

3) Add Policies

WAN->VPN Connection Interface created in Step 1 ( without NAT ) 

VPN Connection Interface created in Step 1 -> All  ( without NAT ) 

 

 

 

***********

DES and 3DES does not need as strong a DH group, however DES and 3DES should never be used unless you are under some encryption restriction based on country restriction.  AES should use a stronger DH Group.  If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 19, 20. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21. RFC 5114 Sec 4 states DH Group 24 strength is about equal to a modular key that is 2048-bits long, that is not strong enough to protect 128 or 256-bit AES, you should stay away from 24.

GD Star Rating
loading...
GD Star Rating
loading...

To access the Secondary unit without changing HA Primary unit , which I would advise against if you are not sure of the VPN status run the following

execute ha manage 1

Login with the credentials

Then run 

diagnose vpn ike gateway

Lists all the current VPNS

diagnose vpn tunnel stat

Check how many are up

 

GD Star Rating
loading...
GD Star Rating
loading...

SRX210[1]In configuring a IPSec site to site vpn with SRX 240 we need to set the st0/1/2 Adapters to manual address

For this I choose 172.27.0.0 Subnet 30 which only gives 2 IP’s per subnet (between SRX1 and SRX2)

If you try and assign an IP in the Broadcast Address or Subnet Address wou will get

Cannot assign broadcast address as ip address

or

Cannot assign address 0 on subnet

Use a subnet caculator for checking these address’ and only use the values in between the Min and Max Host


http://wintelguy.com/subnetcalc.pl

GD Star Rating
loading...
GD Star Rating
loading...