Example: Configuring Spoke 1 in a Hub-and-Spoke VPN (CLI)

The following example describes how to configure spoke 1 in a hub-and-spoke VPN. The hub has two spokes (First and Third) and the configuration is for route-based VPNs. Follow the same process to configure spoke First as you did to configure the hub:

  1. Configure Phase 1 of the IPsec tunnel:

    1. Configure IKE Phase 1 proposals:
      user@host# set security ike proposal ike_prop authentication-method pre-shared-keys
      user@host# set security ike proposal ike_prop dh-group group2
      user@host# set security ike proposal ike_prop authentication-algorithm md5
      user@host# set security ike proposal ike_prop encryption-algorithm 3des-cbc
    2. Configure IKE policies (and reference the proposals):
      user@host# set security ike policy ike_pol mode main
      user@host# set security ike policy ike_pol proposals ike_prop
      user@host# set security ike policy ike_pol pre-shared-key ascii-text "$9$vA38xd24Zk.5bs.5QFAtM8X"
    3. Configure IKE gateway (and reference the policy):
      user@host# set security ike gateway first ike-policy ike_pol
      user@host# set security ike gateway first address 4.4.4.1
      user@host# set security ike gateway first external-interface fe-2/0/0.0
  2. Configure Phase 2 of the IPsec tunnel:

    1. Configure Phase 2 proposals:
      user@host# set security ipsec proposal ipsec_prop protocol esp
      user@host# set security ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
      user@host# set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc
    2. Configure policies (and reference proposals):
      user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group1
      user@host# set security ipsec policy ipsec_pol proposals ipsec_prop
    3. Configure AutoKey IKE (and reference the policy and gateway):
      user@host# set security ipsec vpn first_vpn bind-interface st0.0
      user@host# set security ipsec vpn first_vpn ike gateway first
      user@host# set security ipsec vpn first_vpn ike ipsec-policy ipsec_pol
  3. Configure the security policy:
    user@host# set security policies default-policy permit-all
  4. Configure routing options:
    user@host# set routing-options static route 1.1.1.0/24 next-hop 7.7.7.1
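
A pre-commit check over set commands like the ones in this procedure, given as an added example (it is not Juniper's code and not part of the original page). It flags MD5, DES/3DES and Diffie-Hellman groups 1 and 2 in the Phase 1 and Phase 2 settings, the permit-all default policy, and any VPN whose ike gateway names a gateway that is never defined. The function name audit, the WEAK table and the sample lines are assumptions of this example.

```python
import re

# Values treated as weak are this example's assumption, not a Junos-defined list.
WEAK = {
    "authentication-algorithm": {"md5", "hmac-md5-96"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "dh-group": {"group1", "group2"},
    "keys": {"group1", "group2"},  # perfect-forward-secrecy keys <group>
}

def audit(config_text):
    """Return a sorted list of findings for Junos 'set security ...' lines."""
    findings, gateways, refs = set(), set(), []
    for raw in config_text.splitlines():
        # Drop a leading CLI prompt such as 'user@host# '.
        tok = re.sub(r"^\s*\S+@\S+#\s*", "", raw).split()
        if tok[:2] != ["set", "security"]:
            continue
        if tok[2:4] == ["ike", "gateway"] and len(tok) > 4:
            gateways.add(tok[4])  # gateway definition
        if tok[2:4] == ["ipsec", "vpn"] and tok[5:7] == ["ike", "gateway"] and len(tok) > 7:
            refs.append((tok[4], tok[7]))  # (vpn name, referenced gateway)
        if tok[2:] == ["policies", "default-policy", "permit-all"]:
            findings.add("default-policy permit-all")
        if tok[-1] in WEAK.get(tok[-2], ()):
            findings.add(f"weak {tok[-2]} {tok[-1]} in {' '.join(tok[2:5])}")
    # Resolve references only after every line is read: order of commands is free.
    for vpn, gw in refs:
        if gw not in gateways:
            findings.add(f"vpn {vpn} references undefined gateway {gw}")
    return sorted(findings)

# Constructed sample modelled on the commands in this procedure.
SAMPLE = """\
user@host# set security ike proposal ike_prop dh-group group2
user@host# set security ike proposal ike_prop authentication-algorithm md5
user@host# set security ike proposal ike_prop encryption-algorithm aes-256-cbc
user@host# set security ike gateway first ike-policy ike_pol
user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group14
user@host# set security ipsec vpn first_vpn ike gateway gate
user@host# set security policies default-policy permit-all
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```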
