
Configuring an IPsec VPN between a Juniper SRX and Google Cloud Platform (GCP)


Juniper SRX:
Local Network:

Assigned static global IP:
Local Network:

For this example the pre-shared key test is used (a lab value only; use a long random secret for a real deployment).

Google Cloud Platform uses the following IKE and IPsec policies, which the SRX side must match exactly.

IKE policy:
encryption: aes128
hash: sha1
Diffie-Hellman group: 2

IPSEC policy:
encryption: aes128
hash: hmac_sha1
Diffie-Hellman group: 2

VPN: ESP in tunnel mode

Configuring GCP.

1. Create a project and choose a region

For example, the project pr1-163914 was created and the us-central1 region was chosen (us-central1 is a region, not a zone; Cloud VPN gateways, tunnels and forwarding rules are regional resources).
Default local network for this region -

2. Creating the VPN gateway

For example, a target VPN gateway named vpn-1 with a static global IP address assigned to it. In this example -

gcloud compute --project "pr1-163914" target-vpn-gateways create "vpn-1" --region "us-central1" --network "default"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-esp" --region "us-central1" --address "" --ip-protocol "ESP" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp500" --region "us-central1" --address "" --ip-protocol "UDP" --port-range "500" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp4500" --region "us-central1" --address "" --ip-protocol "UDP" --port-range "4500" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" vpn-tunnels create "vpn-1-tunnel-1" --region "us-central1" --peer-address "" --shared-secret "test" --ike-version "2" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" routes create "vpn-1-tunnel-1-route-1" --network "default" --next-hop-vpn-tunnel "vpn-1-tunnel-1" --next-hop-vpn-tunnel-region "us-central1" --destination-range ""

The empty "" values are where the gateway's reserved static IP (--address, the same address on all three forwarding rules), the SRX public IP (--peer-address) and the SRX-side local network (--destination-range) go. All commands use the same project; the shared secret must be identical to the pre-shared key configured on the SRX, and the three forwarding rules (ESP, UDP/500, UDP/4500) are all required for IKE, NAT-T and the ESP payload to reach the gateway.

Configuring Juniper.

1. Create the st0 tunnel interface (MTU 1460 matches the GCP network MTU and avoids fragmentation inside the tunnel):

set interfaces st0 unit 0 description GCP
set interfaces st0 unit 0 family inet mtu 1460

2. Configuring three security zones on the Juniper:

set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone Internal interfaces reth1.0
set security zones security-zone Tunnels interfaces st0.0

3. Configuring security policies (this example does not configure detailed policies.)

set security policies default-policy permit-all

A default permit-all policy is acceptable for a lab only. In production, keep the default at deny-all and write explicit policies between the Internal and Tunnels zones for the traffic the VPN is meant to carry.

4. Configuring IKE

set security ike proposal IKE_PRO_GOOGLE authentication-method pre-shared-keys
set security ike proposal IKE_PRO_GOOGLE dh-group group2
set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1
set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ike proposal IKE_PRO_GOOGLE lifetime-seconds 28800
set security ike policy IKE_POL_GOOGLE mode main
set security ike policy IKE_POL_GOOGLE proposals IKE_PRO_GOOGLE
set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text

set security ike gateway GOOGLE ike-policy IKE_POL_GOOGLE
set security ike gateway GOOGLE address
set security ike gateway GOOGLE local-identity inet
set security ike gateway GOOGLE external-interface reth0.0
set security ike gateway GOOGLE version v2-only

5. Configuring IPSEC

set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp
set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_GOOGLE lifetime-seconds 3600
set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL_GOOGLE proposals IPSEC_PRO_GOOGLE
set security ipsec vpn VPN_GOOGLE bind-interface st0.0
set security ipsec vpn VPN_GOOGLE ike gateway GOOGLE
set security ipsec vpn VPN_GOOGLE ike ipsec-policy IPSEC_POL_GOOGLE

6. Configuring routing

set routing-options static route next-hop st0.0

7. Commit
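Most failed SRX-to-GCP tunnels come down to a proposal that does not match on one side. The script below is an added example, not code from the page or from Juniper or Google: it parses the Junos set lines above, follows the vpn -> gateway -> policy -> proposal chain and compares the result with the GCP IKE/IPsec policy listed earlier, and flags the page's short pre-shared key. The JUNOS_TO_GCP name mapping, the IKEv1 default when no version is set, and the 20-character PSK floor are assumptions made for this example; the elided address, local-identity and lifetime lines are omitted because the check does not need them.

```python
"""Added example: pre-commit check that the SRX proposal chain matches
the IKE/IPsec policy Cloud VPN expects (name mapping and thresholds are
assumptions made for this example, not Juniper or Google defaults)."""

# What Cloud VPN negotiates for this tunnel, as listed on the page.
GCP_POLICY = {
    "ike":   {"encryption": "aes128", "hash": "sha1", "dh_group": "2", "version": "2"},
    "ipsec": {"encryption": "aes128", "hash": "hmac_sha1", "pfs_group": "2", "protocol": "esp"},
}

# Junos algorithm/version names -> names used in the GCP policy (assumed mapping).
JUNOS_TO_GCP = {
    "aes-128-cbc": "aes128", "aes-256-cbc": "aes256",
    "sha1": "sha1", "sha-256": "sha256",
    "hmac-sha1-96": "hmac_sha1", "hmac-sha-256-128": "hmac_sha256",
    "group2": "2", "group5": "5", "group14": "14",
    "v1-only": "1", "v2-only": "2",
}

# SRX configuration from the page; 'test' is the page's example pre-shared key.
SRX_CONFIG = """
set security ike proposal IKE_PRO_GOOGLE authentication-method pre-shared-keys
set security ike proposal IKE_PRO_GOOGLE dh-group group2
set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1
set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ike policy IKE_POL_GOOGLE mode main
set security ike policy IKE_POL_GOOGLE proposals IKE_PRO_GOOGLE
set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text test
set security ike gateway GOOGLE ike-policy IKE_POL_GOOGLE
set security ike gateway GOOGLE external-interface reth0.0
set security ike gateway GOOGLE version v2-only
set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp
set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL_GOOGLE proposals IPSEC_PRO_GOOGLE
set security ipsec vpn VPN_GOOGLE bind-interface st0.0
set security ipsec vpn VPN_GOOGLE ike gateway GOOGLE
set security ipsec vpn VPN_GOOGLE ike ipsec-policy IPSEC_POL_GOOGLE
"""


def parse_srx(text):
    """Index 'set security <ike|ipsec> <proposal|policy|gateway|vpn> NAME key... value'
    lines as cfg[(section, kind)][NAME][key] = value; other lines are ignored."""
    cfg = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["set", "security"]:
            continue
        section, kind, name, rest = t[2], t[3], t[4], t[5:]
        stanza = cfg.setdefault((section, kind), {}).setdefault(name, {})
        stanza[" ".join(rest[:-1])] = rest[-1]  # multi-word keys such as "ike gateway"
    return cfg


def srx_effective_policy(cfg, vpn_name):
    """Follow vpn -> ike gateway -> ike policy -> ike proposal and
    vpn -> ipsec policy -> ipsec proposal, normalising names to GCP's."""
    g = lambda v: JUNOS_TO_GCP.get(v, v)
    vpn = cfg[("ipsec", "vpn")][vpn_name]
    gw = cfg[("ike", "gateway")][vpn["ike gateway"]]
    ike_pol = cfg[("ike", "policy")][gw["ike-policy"]]
    ike_prop = cfg[("ike", "proposal")][ike_pol["proposals"]]
    ipsec_pol = cfg[("ipsec", "policy")][vpn["ike ipsec-policy"]]
    ipsec_prop = cfg[("ipsec", "proposal")][ipsec_pol["proposals"]]
    return {
        "ike": {
            "encryption": g(ike_prop.get("encryption-algorithm")),
            "hash": g(ike_prop.get("authentication-algorithm")),
            "dh_group": g(ike_prop.get("dh-group")),
            # Assumption: a gateway with no 'version' statement speaks IKEv1 only.
            "version": g(gw.get("version", "v1-only")),
        },
        "ipsec": {
            "encryption": g(ipsec_prop.get("encryption-algorithm")),
            "hash": g(ipsec_prop.get("authentication-algorithm")),
            "pfs_group": g(ipsec_pol.get("perfect-forward-secrecy keys", "none")),
            "protocol": ipsec_prop.get("protocol"),
        },
    }


def check_srx_against_gcp(text, vpn_name, gcp=GCP_POLICY):
    """Return 'phase.param: SRX=x GCP=y' strings for every disagreement; [] means both sides match."""
    srx = srx_effective_policy(parse_srx(text), vpn_name)
    return [f"{phase}.{k}: SRX={srx[phase].get(k)} GCP={want}"
            for phase in gcp for k, want in gcp[phase].items()
            if srx[phase].get(k) != want]


def psk_warnings(text, vpn_name, min_len=20):
    """Flag the pre-shared key on the IKE policy this VPN uses if it is short
    (the 20-character floor is an assumption for this example)."""
    cfg = parse_srx(text)
    gw = cfg[("ike", "gateway")][cfg[("ipsec", "vpn")][vpn_name]["ike gateway"]]
    psk = cfg[("ike", "policy")][gw["ike-policy"]].get("pre-shared-key ascii-text", "")
    if len(psk) < min_len:
        return [f"pre-shared key is {len(psk)} chars; use at least {min_len} random characters"]
    return []


if __name__ == "__main__":
    for line in check_srx_against_gcp(SRX_CONFIG, "VPN_GOOGLE") or ["IKE/IPsec proposals match GCP"]:
        print(line)
    for w in psk_warnings(SRX_CONFIG, "VPN_GOOGLE"):
        print("WARNING:", w)
```

Run it against the candidate configuration before the commit: an empty list from check_srx_against_gcp means encryption, integrity, DH group, PFS group, ESP and IKE version all line up with what GCP will offer; any entry names the phase and parameter that will make the negotiation fail, which is quicker than reading "show security ike security-associations" after the fact. The page's configuration passes the proposal check but is flagged for the four-character key.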



en/jobs/vpn_gcloud_srx.1491646433.txt.gz · Last modified: 2017/04/08 13:13 by admin