IPSec in IBM SoftLay

(3)Customer end: Juniper SRX Firewall (policy based ×××)

1. Phase 1

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys

set security ike proposal ike-phase1-proposal dh-group group2

set security ike proposal ike-phase1-proposal authentication-alGorithm md5

set security ike proposal ike-phase1-proposal encryption-algorithm 3Des-cbc

set security ike policy ike-phase1-policy mode main

set security ike policy ike-phase1-policy proposals ike-phase1-proposal

set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"

set security ike gateway SL ike-policy ike-phase1-policy

set security ike gateway SL address x.x.x.x

set security ike gateway SL external-interface ge-0/0/0.0

2. Phase 2

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hMac-md5-96

set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2

set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec *** SL××× ike gateway SL

set security ipsec *** SL××× ike proxy-identity local 192.168.109.0/24

set security ipsec *** SL××× ike proxy-identity remote 10.66.24.0/26

set security ipsec *** SL××× ike proxy-identity service any

set security ipsec *** SL××× ike ipsec-policy ipsec-phase2-policy

3. Security Policy (Inbound)

set security policies from-zone trust to-zone untrust policy outbound_*** match source-address local_network

set security policies from-zone trust to-zone untrust policy outbound_*** match destination-address SL-net

set security policies from-zone trust to-zone untrust policy outbound_*** match application any

set security policies from-zone trust to-zone untrust policy outbound_*** then permit tunnel ipsec-*** SL×××

set security policies from-zone trust to-zone untrust policy outbound_*** then count

4. Security Policy (Outbound)

set security policies from-zone untrust to-zone trust policy inbound_*** match source-address SL-net

set security policies from-zone untrust to-zone trust policy inbound_*** match destination-address local_network

set security policies from-zone untrust to-zone trust policy inbound_*** match application any

set security policies from-zone untrust to-zone trust policy inbound_*** then permit tunnel ipsec-*** SL×××

set security policies from-zone untrust to-zone trust policy inbound_*** then count

5.Routing

set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1