Example: Configuring an IPsec VPN Between Two vSRX Instances

 

This example shows how to configure an IPsec VPN between two instances of vSRX in Microsoft Azure.

Before You Begin

Ensure that you have installed and launched a vSRX instance in a Microsoft Azure virtual network.

See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.

Overview

You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure using two vSRX instances.

vSRX IPsec VPN Configuration

vSRX1 VPN Configuration

Step-by-Step Procedure

To configure IPsec VPN on vSRX1:

  1. Log in to the vSRX1 in configuration edit mode (see Configuring vSRX Using the CLI).
  2. Set the IP addresses for vSRX1 interfaces.
  3. Set up the untrust security zone.
  4. Set up the trust security zone.
  5. Configure IKE.
    Note

    Be sure to replace 198.51.100.10 in this example with the correct public IP address.

  6. Configure IPsec.
  7. Configure routing.

vSRX2 VPN Configuration

Step-by-Step Procedure

To configure IPsec VPN on vSRX2:

  1. Log in to the vSRX2 in configuration edit mode (see Configuring vSRX Using the CLI).
  2. Set the IP addresses for the vSRX2 interfaces.
  3. Set up the untrust security zone.
  4. Set up the trust security zone.
  5. Configure IKE.
    Note

    Be sure to replace 203.0.113.10 in this example with the correct public IP address. Also note that the SiteB local-identity and remote-identity must mirror those of SiteA: the SiteB local-identity is the SiteA remote-identity, and the SiteB remote-identity is the SiteA local-identity.

  6. Configure IPsec.
  7. Configure routing.
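
The two notes above describe the most common cause of a tunnel that never comes up: a peer address or IKE identity that was copied from one site to the other without being swapped. The following check is an added example, not part of the original Juniper procedure. The gateway names, identity strings, and the reading of 198.51.100.10 as the vSRX2 public IP and 203.0.113.10 as the vSRX1 public IP are assumptions; the set lines are constructed samples in Junos "display set" form.

```python
import shlex

# Constructed sample IKE gateway lines (assumed names and identities).
SITE_A = '''
set security ike gateway gw-siteB address 198.51.100.10
set security ike gateway gw-siteB local-identity user-at-hostname "siteA@example.net"
set security ike gateway gw-siteB remote-identity user-at-hostname "siteB@example.net"
'''
SITE_B = '''
set security ike gateway gw-siteA address 203.0.113.10
set security ike gateway gw-siteA local-identity user-at-hostname "siteB@example.net"
set security ike gateway gw-siteA remote-identity user-at-hostname "siteA@example.net"
'''

def ike_gateway(config):
    """Extract peer address and identities from 'set security ike gateway' lines."""
    gw = {}
    for line in config.splitlines():
        tok = shlex.split(line)          # handles the quoted identity values
        if tok[:4] != ["set", "security", "ike", "gateway"] or len(tok) < 7:
            continue
        key, rest = tok[5], tuple(tok[6:])
        if key == "address":
            gw["address"] = rest[0]
        elif key in ("local-identity", "remote-identity"):
            gw[key] = rest               # (identity type, value)
    return gw

def check_pair(cfg_a, cfg_b, public_ip_a, public_ip_b):
    """Return a list of mismatches between the two sites' IKE gateways."""
    a, b = ike_gateway(cfg_a), ike_gateway(cfg_b)
    problems = []
    # Each side must point at the other side's public IP address.
    if a.get("address") != public_ip_b:
        problems.append(f"site A peers with {a.get('address')}, expected {public_ip_b}")
    if b.get("address") != public_ip_a:
        problems.append(f"site B peers with {b.get('address')}, expected {public_ip_a}")
    # Identities must be mirrored: A local == B remote and A remote == B local.
    for mine, theirs in (("local-identity", "remote-identity"),
                         ("remote-identity", "local-identity")):
        if a.get(mine) is None or a.get(mine) != b.get(theirs):
            problems.append(f"site A {mine} {a.get(mine)} != site B {theirs} {b.get(theirs)}")
    return problems

if __name__ == "__main__":
    for p in check_pair(SITE_A, SITE_B, "203.0.113.10", "198.51.100.10") or ["IKE gateways are consistent"]:
        print(p)
```

Run it against the output of "show configuration security ike | display set" from each instance before committing.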

Verification

Verify Active VPN Tunnels

Purpose

Verify that the tunnel is up on both vSRX instances.

Action

root@> show security ipsec security-associations