Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Verify Your IPsec VPN

Now we'll show you how to quickly confirm that your route-based IPsec VPN is doing its job of protecting your sensitive data.

Confirm Licensing Status

SRX Security Gateways have many advanced features. For example, deep packet inspection (DPI), real-time antivirus (AV) scanning, cloud-based URL blocking, and so on. Some of these features require a license. Many use a hard licensing model, which means the feature is disabled until you add the necessary license. However, you might be able to configure the feature without receiving any type of license warning. For information about feature-based licenses, see Licenses for SRX Series. For information about subscription-based licenses, see Flex Software License for SRX Series Devices.

It's always a good idea to display the licensing status of your SRX, especially when adding new features, like the IPsec VPN you just turned up.

The output is good news. It shows that no specific licenses exist on the device. It also confirms that none of the features configured require any special add-on licensing. The base model license for the branch SRX includes support for VLANs, DHCP services, and basic IPsec VPNs.

Verify IKE Session

Verify that the SRX has successfully established an IKE association with the remote site:

The output shows an established IKE session to the remote site at 172.16.1.1.

Verify the IPsec Tunnel

Verify IPsec tunnel establishment:

The output confirms IKE session establishment to the remote site at 172.16.1.1.

Verify Tunnel Interface Status

Verify that the tunnel interface is operational (and it must be operational, given the successful establishment of the IPsec tunnel). Also, check that you can ping the remote tunnel endpoint:

Verify Static Routing for the IPsec Tunnel

Verify that the (static) route to the remote subnet correctly points to the IPsec tunnel interface as a next hop:

Verify Trust Zone Traffic Uses the Tunnel

Generate traffic from a trust zone device to a destination in the 172.16.200.0/24 subnet. We assigned address 172.16.200.1/32 to the remote location's loopback interface, and placed it into the vpn zone. This address provides a target to ping. If all is working, these pings should succeed.

To confirm this traffic is using the IPsec VPN, follow these steps.

  1. Clear the statistics for the IPsec tunnel.
  2. Generate a known number of pings to the 172.16.200.1 destination from a trust zone client.
  3. Display tunnel usage statistics.

This completes the verification of the IPsec VPN. Congratulations on the new branch location!