Is there someone who can translate a Juniper SRX configuration to a MikroTik configuration?
Currently, the Juniper SRX100 communicates with the SRX340 and works great.
I would like to replace the Juniper SRX100 with a MikroTik RB3011UiAS, but I can't establish the connection between the MikroTik and the Juniper.
Configuration on the SRX100 router, which I would like to translate into a MikroTik configuration:
# IKE phase-1 settings on the branch SRX100: one proposal, one policy, one gateway.
# A device replacing this router has to offer the same phase-1 values to the hub.
ike {
proposal pre-g2-aes-128 {
authentication-method pre-shared-keys;
# NOTE(review): group2 is the 1024-bit MODP group and SHA-1 is a legacy hash;
# plan to raise these on both peers together rather than carrying them forward.
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
}
policy IKE-policy {
# Aggressive mode with a pre-shared key lets anyone who captures the exchange
# test key guesses offline, so the key has to be long and random. It is
# presumably used because this side gets its WAN address by DHCP and identifies
# itself by hostname -- confirm before changing the mode on either peer.
mode aggressive;
proposals pre-g2-aes-128;
# "Secure key" is presumably a redacted placeholder; the real value must be
# identical on both peers.
pre-shared-key ascii-text "Secure key"; ## SECRET-DATA
}
gateway gw_ADSL-XXXXX {
ike-policy IKE-policy;
address xxx.xxx.xxx.xxx; "public IP of server office"
# IKE identity this side sends; the hub gateway in this post matches the peer
# with a `dynamic hostname` statement, so type and value must agree.
local-identity hostname fw-XXXXX;
external-interface fe-0/0/7;
}
}
# IPsec phase-2 settings on the SRX100 for the tunnel bound to st0.0.
ipsec {
proposal nopfs-esp-aes128-sha {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
# This IPsec policy reuses the name "IKE-policy" but is a separate object from
# the IKE policy of the same name. It carries no perfect-forward-secrecy
# statement, so phase-2 keys are not protected by a fresh DH exchange; the
# replacement peer has to be set the same way for phase 2 to match.
policy IKE-policy {
proposals nopfs-esp-aes128-sha;
}
vpn vpn-ADSL-XXXXX {
# Route-based VPN: traffic is sent into the tunnel by routing via st0.0.
bind-interface st0.0;
# NOTE(review): vpn-monitor is a Junos liveness check and the hub's vpn stanza
# in this post does not configure it; confirm what a non-Junos peer should use
# for dead-peer detection instead.
vpn-monitor {
optimized;
}
ike {
gateway gw_ADSL-XXXXX;
ipsec-policy IKE-policy;
}
# This side brings the tunnel up itself instead of waiting for traffic.
establish-tunnels immediately;
}
}
# Flow-level TCP handling (the enclosing hierarchy is not shown in the post).
flow {
tcp-mss {
# Both statements set an MSS of 1350: one for all TCP sessions, one for
# IPsec VPN traffic.
all-tcp {
mss 1350;
}
ipsec-vpn {
mss 1350;
}
}
tcp-session {
# NOTE(review): these two statements switch off the SYN check and the TCP
# sequence-number check when the firewall creates or tracks sessions. As written
# they are not limited to tunnel traffic, so they weaken stateful inspection for
# everything the device forwards. Keep them only if asymmetric routing really
# requires it; Junos also has `no-syn-check-in-tunnel` for the tunnel-only case.
no-syn-check;
no-sequence-check;
}
}
# Interface excerpts from the SRX100. The paste is partial: the braces do not
# balance, and the first and last lines are the poster's own labels, not Junos statements.
interface:
interfaces fe-0/0/7
description INTERNET;
unit 0 {
family inet {
# WAN address is assigned by DHCP, so the hub cannot pin this peer to a fixed
# source address and has to identify it by IKE identity instead.
dhcp;
}
}
interfaces st0.0
unit 0 {
family inet {
mtu 1500;
# Tunnel-interface address. NOTE(review): the hub's st0.4 in this post is
# 172.31.1.133/32 while this side uses a /30 -- confirm the intended mask.
address 172.31.1.134/30;
}
# Presumably the LAN behind this router that must be reachable through the tunnel.
clients address 192.168.90.0/24
=============================================================
configuration on master SRX340 router
# IKE phase-1 settings on the hub SRX340. The paste has lost structure here:
# the brace after `ike` and the unclosed proposal do not form a loadable
# hierarchy as shown, so read the statements rather than the nesting.
ike
}
proposal pre-g2-aes128-sha_dyn {
authentication-method pre-shared-keys;
# NOTE(review): group2 (1024-bit MODP) and SHA-1 are legacy choices; raise them
# on both peers together when the branch device is replaced.
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
# NOTE(review): 28800 here versus 86400 in the SRX100 proposal -- confirm how
# the replacement peer handles a differing phase-1 lifetime.
lifetime-seconds 28800;
policy IKE-policy-ADSL_XXXXXX {
# Aggressive mode with a pre-shared key exposes material that allows offline
# guessing of the key; it depends entirely on the key being long and random.
mode aggressive;
# NOTE(review): this references "IKE-proposal", but the only proposal shown is
# "pre-g2-aes128-sha_dyn". Either the name was changed while redacting or the
# referenced proposal is not in the post; check which values the hub really
# offers before matching them on the new peer.
proposals IKE-proposal;
pre-shared-key ascii-text "Secure key"; ## SECRET-DATA
}
gateway GW_ADSL_XXXXXX {
ike-policy IKE-policy-ADSL_XXXXXX;
# The peer is accepted by its IKE hostname identity rather than by source
# address, so the pre-shared key is the only thing authenticating it.
dynamic hostname fw-XXXXXX;
external-interface ge-0/0/2;
}
# IPsec phase-2 settings on the hub SRX340 for the tunnel bound to st0.4.
# As pasted, the vpn stanza sits after the closing brace of `ipsec` and the
# final brace is unmatched; the nesting was presumably lost when copying.
ipsec {
# Same ESP / HMAC-SHA1-96 / AES-128-CBC / 3600 s values as the SRX100 proposal.
proposal ipsec-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
# No perfect-forward-secrecy statement, matching the branch side: phase-2 keys
# are not protected by a fresh DH exchange.
policy ipsec-policy-ADSL_XXXXXX{
proposals ipsec-proposal;
}
}
vpn ipsec-policy-ADSL_XXXXXX {
bind-interface st0.4;
ike {
gateway GW_ADSL_XXXXXX;
ipsec-policy ipsec-policy-ADSL_XXXXXX;
}
# NOTE(review): the gateway is a dynamic peer, so the hub cannot know where to
# initiate to; confirm this statement has any effect for this tunnel.
establish-tunnels immediately;
}
}
# Interface excerpts from the SRX340. The first line is the poster's label and
# the quoted text after the address is the poster's note, not Junos syntax.
interface:
interfaces ge-0/0/2
description ==Untrust==;
unit 0 {
description ==Internet==;
family inet {
address xxx.xxx.xxx.xxx/16; "fixed public IP"
}
}
interfaces st0.4
description ==ADSL_XXXXXX==;
family inet {
mtu 1500;
# Tunnel-interface address. NOTE(review): /32 here versus 172.31.1.134/30 on
# the SRX100's st0.0 -- confirm the intended mask before copying either side.
address 172.31.1.133/32;
}