All Juniper related discussions.
jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

SRX and IPsec

Tue Aug 09, 2011 5:03 pm

So I've just inherited a couple of SRX210h firewalls and I'm in the process of learning me some JunOS (finally). I've found a VPN tunnel on one of them that connects my customer's old service provider to their network, and I need to make this go away. Being new to JunOS and this being their most critical network device I'm thinking that I want to do this quickly right now and I'll go back and clean it out once I know what the hell I'm doing. So my question is can I just do a 'set interfaces st0.0 disable' and call it a day on this one?

Here's the config:

ike {
    proposal ike-sha1-aes256-pre-g5 {
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
    }
    policy ike-policy {
        mode main;
        proposals ike-sha1-aes256-pre-g5;
        pre-shared-key ascii-text "BLAH"; ## SECRET-DATA
    }
    gateway gw {
        ike-policy ike-policy;
        address x.x.x.x;
        external-interface reth4;
    }
}
ipsec {
    proposal p2-esp-sha1-aes256 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    policy p2-policy {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals p2-esp-sha1-aes256;
    }
    vpn vpn {
        bind-interface st0.0;
        ike {
            gateway gw;
            proxy-identity {
                local x.x.x.x/24;
                remote x.x.x.x/16;
            }
            ipsec-policy p2-policy;
        }
        establish-tunnels immediately;
    }
}

cjutting
Post Whore
Posts:
1084
Joined:
Wed Sep 16, 2009 3:16 pm

Re: SRX and IPsec

Tue Aug 09, 2011 5:27 pm

I think disable will get you what you need for now.

IIRC I think you can delete ike, delete (insert line here)

commit the config and be done

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: SRX and IPsec

Tue Aug 09, 2011 6:33 pm

Type in "disable security vpn"

Then commit, assuming you have no other vpn tunnels.

burnyd
Post Whore
Posts:
3159
Joined:
Fri Nov 13, 2009 5:15 pm
Certs:
CCIE R&S/SP,CCNP-SP,JNCIA,VCP510,VCA-DCV

Re: SRX and IPsec

Tue Aug 09, 2011 8:34 pm

I'm not looking forward to when we have to migrate from the netscreens to these
http://danielhertzberg.wordpress.com - I blog about networks!

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: SRX and IPsec

Wed Aug 10, 2011 12:37 pm

Thanks guys.

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: SRX and IPsec

Thu Aug 11, 2011 8:18 am

burnyd wrote: I'm not looking forward to when we have to migrate from the netscreens to these

Netscreens are much more stable.

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: SRX and IPsec

Thu Aug 11, 2011 9:35 am

texanmutt wrote: Type in "disable security vpn"

Then commit, assuming you have no other vpn tunnels.

That isn't a valid command.

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: SRX and IPsec

Thu Aug 11, 2011 1:31 pm

Infinite wrote:
texanmutt wrote: Type in "disable security vpn"

Then commit, assuming you have no other vpn tunnels.

That isn't a valid command.

Oops, that should be deactivate instead of disable.
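A worked Junos CLI session for the approach the thread converges on (deactivate rather than disable), added here as an example and not taken from any post. The names vpn, gw, st0.0 and the IKE/IPsec policy and proposal names come from the posted config; the hostname srx210 is a placeholder, and commit confirmed is used so a mistake on a critical device rolls itself back.

```junos
## Added example: take the legacy provider tunnel down without deleting it yet.
## Hostname "srx210" is a placeholder; "vpn" and "gw" are the names in the posted config.

admin@srx210> configure
Entering configuration mode

## Mark the phase 2 VPN and its IKE gateway inactive. Inactive statements stay
## in the configuration (so the old settings survive for the later cleanup) but
## are left out of the running configuration. Deactivating the gateway as well
## stops the box from negotiating IKE with the old peer at all.
## (The alternative raised in the thread, "set interfaces st0.0 disable", also
## drops the tunnel, but leaves IKE/IPsec configured and active.)
[edit]
admin@srx210# deactivate security ipsec vpn vpn
admin@srx210# deactivate security ike gateway gw

## Review exactly what will change before committing (output omitted here).
admin@srx210# show | compare

## Commit with an automatic rollback: if the change breaks something or the box
## becomes unreachable, the previous configuration returns after 10 minutes
## unless a plain "commit" confirms it.
admin@srx210# commit confirmed 10 comment "deactivate legacy provider tunnel"
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete

## Verify the tunnel is really gone: no IKE or IPsec SAs remain for the old peer.
admin@srx210# run show security ike security-associations
admin@srx210# run show security ipsec security-associations
  Total active tunnels: 0

## Confirm the change so the rollback timer is cancelled.
admin@srx210# commit
commit complete

## Later, once the device is understood, remove the inactive stanzas for good.
## Before deleting st0.0, also remove it from its security zone and delete any
## static routes pointing at it, or the commit will fail on the references:
##   delete security ipsec vpn vpn
##   delete security ike gateway gw
##   delete security ike policy ike-policy
##   delete security ike proposal ike-sha1-aes256-pre-g5
##   delete security ipsec policy p2-policy
##   delete security ipsec proposal p2-esp-sha1-aes256
##   delete interfaces st0.0
## then "show | compare", "commit check", and commit again.
```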
