HPE Juniper Networking SRX Series Firewalls

Overview

This guide provides step-by-step instructions for configuring HPE Juniper Networking SRX Series Firewalls to establish IPsec VPN tunnels to Cloudflare WAN. It is intended for network engineers who are familiar with HPE Juniper Networking SRX Series Firewalls administration and have an active Cloudflare WAN subscription.

This guide is a companion to the Cloudflare WAN IPsec VPN Reference Architecture, which defines the common IP addressing scheme, tunnel parameters, and design decisions used across all vendor guides. Readers should review that document before proceeding.

Test Environment

Field | Value
Vendor | HPE Juniper Networking
Model | SRX 320
Release | JUNOS 23.4R2-S3.9
Date Tested | March 2026

IKE/IPsec Crypto & Relevant Settings

Field | Value
Traffic Selection Criteria | Route-Based VPN
Routing | Static
Redundant Tunnels | Yes
Tunnel Load Balancing | Active/Active
IKE Version | IKEv2
Authentication | Pre-Shared Key
Anti-Replay Protection | Disabled
NAT Traversal (NAT-T) | Not Tested
NAT-T Port | Not Applicable
Phase 1 - DH-Group | Group 20
Phase 1 - Encryption | AES-256-CBC
Phase 1 - Authentication/Integrity | SHA-256
Phase 2 - DH-Group | Group 20
Phase 2 - Transport | ESP
Phase 2 - Encryption | AES-256-CBC

Cloudflare WAN and HPE Juniper Networking SRX Series Firewalls - Configuration Settings

  • While following these steps, ensure you update all object names and IP addresses to match your environment.
  • Aligning these elements with your actual naming conventions and network scheme ensures the configuration works correctly in your production setup.
  • Use Find and Replace on the examples below to update the names and addresses consistently.

Cloudflare WAN - Tunnel 01 of 02

Attribute | Value/Address
Name (required) | CF_WAN_TUN_01
Description | ---
IPv4 Interface Address (required) | 169.254.250.0/31
IPv6 Interface Address | ---
Customer Endpoint | 203.0.113.100
Cloudflare Endpoint | 162.159.135.1
Tunnel health checks | True
Rate | Medium
Type | Request
Direction | Bidirectional
Target | Default
--- | ---
Turn on replay protection | False
Automatic return routing | True

  • IKE Identity and Pre-shared Key (obtained after tunnel creation):

Attribute | Value/Address
FQDN ID | bf6c493d03<REDACTED>.ipsec.cloudflare.com
Pre-shared key | Cloudflare-WAN-T1-PSK-1234!

Cloudflare WAN - Tunnel 02 of 02

Attribute | Value/Address
Name (required) | CF_WAN_TUN_02
Description | ---
IPv4 Interface Address (required) | 169.254.250.2/31
IPv6 Interface Address | ---
Customer Endpoint | 203.0.113.100
Cloudflare Endpoint | 172.64.135.1
Tunnel health checks | True
Rate | Medium
Type | Request
Direction | Bidirectional
Target | Default
--- | ---
Turn on replay protection | False
Automatic return routing | True

  • IKE Identity and Pre-shared Key (obtained after tunnel creation):

Attribute | Value/Address
FQDN ID | 0287844e9d<REDACTED>.ipsec.cloudflare.com
Pre-shared key | Cloudflare-WAN-T2-PSK-1234!

Customer Premise Equipment - HPE Juniper Networking

WAN Interface | Tunnel 01 of 02 | Tunnel 02 of 02
WAN Interface | ge-0/0/0.0 | ge-0/0/0.0
IP Address | 203.0.113.100/24 | 203.0.113.100/24
Security Zone | untrust | untrust

Virtual Tunnel Interface (VTI) | Tunnel 01 of 02 | Tunnel 02 of 02
Tunnel interface | st0.1 | st0.2
IP Address | 169.254.250.1/31 | 169.254.250.3/31
Security Zone | cloudflare | cloudflare

LAN Interface | Tunnel 01 of 02 | Tunnel 02 of 02
LAN Interface | ge-0/0/1.0 | ge-0/0/1.0
IP Address | 192.168.125.1/24 | 192.168.125.1/24
Security Zone | trust | trust

HPE Juniper Networking SRX Object Names

Element | Object Hierarchy | Name
Security Zone - Trust | [ security zones security-zone ] | trust
Security Zone - Untrust | [ security zones security-zone ] | untrust
Security Zone - Cloudflare WAN | [ security zones security-zone ] | cloudflare
IKE Proposal (only one required) | [ security ike proposal ] | ike-aes256cbc-sha256-dh20
IKE Policy - Tunnel 1 | [ security ike policy ] | cf-wan-ike-pol-01
IKE Policy - Tunnel 2 | [ security ike policy ] | cf-wan-ike-pol-02
IKE Gateway - Tunnel 1 | [ security ike gateway ] | cf-wan-ike-gw-01
IKE Gateway - Tunnel 2 | [ security ike gateway ] | cf-wan-ike-gw-02
IPsec Proposal (only one required) | [ security ipsec proposal ] | esp-aes256cbc-sha256-128
IPsec Policy (only one required) | [ security ipsec policy ] | ipsec-aes256cbc-sha256-128-dh20
IPsec Tunnel - Tunnel 1 | [ security ipsec vpn ] | cf-wan-ipsec-vpn-01
IPsec Tunnel - Tunnel 2 | [ security ipsec vpn ] | cf-wan-ipsec-vpn-02

Assumptions

This guide assumes the following apply:

  • You have already configured IPsec tunnels and static routes in the Cloudflare dashboard
  • You have used the Cloudflare Dashboard to obtain the Local Identifier (FQDN/hostname) and generate a Pre-Shared Key for each of the IPsec tunnels
  • You understand the importance of MSS clamping and of adjusting it based on the traffic flows traversing the Cloudflare WAN IPsec Tunnels

High-Level Steps

  • Add Virtual Tunnel Interfaces
  • Create a Security Zone (Recommended)
  • Add VTIs to Security Zone
  • Define IKE Policy and Proposals (Phase 1)
  • Add IKE Gateways
  • IPsec Policy and Proposal (Phase 2)
  • IPsec Tunnel Configuration
  • Define Security policy to permit traffic to/from Cloudflare WAN
  • Define Policy-Based Forwarding rules to selectively route traffic across the IPsec tunnels

HPE Juniper Networking SRX - Configuration

All examples are provided via the Junos Command-Line Interface (CLI). J-Web examples are not provided.

Junos Modes

Junos OS operates with two main command-line interface (CLI) modes, Operational Mode and Configuration Mode, which serve distinct purposes in managing Juniper network devices.

Operational Mode (>)

Operational mode is the default state upon logging into a Junos device, used for monitoring, troubleshooting, and displaying device status.

  • Prompt: user@host>
  • Purpose: View real-time information, check interface status, view routing tables, test connectivity (ping/traceroute), and restart processes.
  • Key Commands: show, monitor, ping, traceroute, request.
  • Action: Changes made here do not affect the persistent device configuration.

Configuration Mode (#)

Configuration mode is used to make changes to the device's configuration, such as defining interfaces, routing protocols, and system properties.

  • Prompt: user@host#
  • Purpose: Edit, add, or remove configuration statements.
  • Key Commands: edit, set, delete, commit, rollback.
  • Action: Changes are made to a "candidate configuration" and are not active until explicitly committed, at which point they become part of the "running configuration".

Each section will indicate whether the commands are applicable to configuration mode or operational mode.

Virtual Tunnel Interfaces

Perform in Configuration Mode

set interfaces st0 unit 1 family inet address 169.254.250.1/31
set interfaces st0 unit 2 family inet address 169.254.250.3/31

Security Zone

Perform in Configuration Mode

Add st0.1 and st0.2 to the Security Zone cloudflare and permit system-services ping. This is required to ensure the Cloudflare WAN IPsec Tunnel Health Checks are able to verify reachability across the Virtual Tunnel Interfaces.

set security zones security-zone cloudflare interfaces st0.1 host-inbound-traffic system-services ping
set security zones security-zone cloudflare interfaces st0.2 host-inbound-traffic system-services ping

IKE - Phase 1

Perform in Configuration Mode

Configure the following:

  • IKE Proposal
  • IKE Policies (one required per Cloudflare WAN IPsec Tunnel)
  • IKE Gateways (one required per Cloudflare WAN IPsec Tunnel)

IKE Proposal

Define an IKE Proposal with the following settings:

Attribute | Value
authentication-method | pre-shared-keys
dh-group | group20
authentication-algorithm | sha-256
encryption-algorithm | aes-256-cbc
lifetime-seconds | 28800

set security ike proposal ike-aes256cbc-sha256-dh20 authentication-method pre-shared-keys
set security ike proposal ike-aes256cbc-sha256-dh20 dh-group group20
set security ike proposal ike-aes256cbc-sha256-dh20 authentication-algorithm sha-256
set security ike proposal ike-aes256cbc-sha256-dh20 encryption-algorithm aes-256-cbc
set security ike proposal ike-aes256cbc-sha256-dh20 lifetime-seconds 28800

IKE Policies

Configure one IKE policy per IPsec tunnel:

Attribute | Value
mode | main
proposals | ike-aes256cbc-sha256-dh20
pre-shared-key ascii-text | specify pre-shared-key

set security ike policy cf-wan-ike-pol-01 mode main
set security ike policy cf-wan-ike-pol-01 proposals ike-aes256cbc-sha256-dh20
set security ike policy cf-wan-ike-pol-01 pre-shared-key ascii-text "Cloudflare-WAN-T1-PSK-1234!"
set security ike policy cf-wan-ike-pol-02 mode main
set security ike policy cf-wan-ike-pol-02 proposals ike-aes256cbc-sha256-dh20
set security ike policy cf-wan-ike-pol-02 pre-shared-key ascii-text "Cloudflare-WAN-T2-PSK-1234!"

IKE Gateways

Configure one IKE Gateway per IPsec tunnel:

set security ike gateway cf-wan-ike-gw-01 ike-policy cf-wan-ike-pol-01
set security ike gateway cf-wan-ike-gw-01 address 162.159.135.1
set security ike gateway cf-wan-ike-gw-01 local-identity hostname bf6c493d03<REDACTED>.ipsec.cloudflare.com
set security ike gateway cf-wan-ike-gw-01 external-interface ge-0/0/0.0
set security ike gateway cf-wan-ike-gw-01 local-address 203.0.113.100
set security ike gateway cf-wan-ike-gw-01 version v2-only
set security ike gateway cf-wan-ike-gw-02 ike-policy cf-wan-ike-pol-02
set security ike gateway cf-wan-ike-gw-02 address 172.64.135.1
set security ike gateway cf-wan-ike-gw-02 local-identity hostname 0287844e9d<REDACTED>.ipsec.cloudflare.com
set security ike gateway cf-wan-ike-gw-02 external-interface ge-0/0/0.0
set security ike gateway cf-wan-ike-gw-02 local-address 203.0.113.100
set security ike gateway cf-wan-ike-gw-02 version v2-only

IPsec - Phase 2

Perform in Configuration Mode

Configure the following:

  • IPsec Proposal
  • IPsec Policy
  • IPsec Tunnels (one required per Cloudflare WAN IPsec Tunnel)

IPsec Proposal

Define an IPsec Proposal with the following settings:

Attribute | Value
protocol | esp
authentication-algorithm | hmac-sha-256-128
encryption-algorithm | aes-256-cbc
lifetime-seconds | 28800

set security ipsec proposal esp-aes256cbc-sha256-128 protocol esp
set security ipsec proposal esp-aes256cbc-sha256-128 authentication-algorithm hmac-sha-256-128
set security ipsec proposal esp-aes256cbc-sha256-128 encryption-algorithm aes-256-cbc
set security ipsec proposal esp-aes256cbc-sha256-128 lifetime-seconds 28800

IPsec Policy

set security ipsec policy ipsec-aes256cbc-sha256-128-dh20 perfect-forward-secrecy keys group20
set security ipsec policy ipsec-aes256cbc-sha256-128-dh20 proposals esp-aes256cbc-sha256-128

IPsec VPN Tunnels

Create two IPsec VPN tunnels - each corresponding to its respective IKE Gateway.

set security ipsec vpn cf-wan-ipsec-vpn-01 bind-interface st0.1
set security ipsec vpn cf-wan-ipsec-vpn-01 ike gateway cf-wan-ike-gw-01
set security ipsec vpn cf-wan-ipsec-vpn-01 ike no-anti-replay
set security ipsec vpn cf-wan-ipsec-vpn-01 ike ipsec-policy ipsec-aes256cbc-sha256-128-dh20
set security ipsec vpn cf-wan-ipsec-vpn-01 establish-tunnels immediately
set security ipsec vpn cf-wan-ipsec-vpn-02 bind-interface st0.2
set security ipsec vpn cf-wan-ipsec-vpn-02 ike gateway cf-wan-ike-gw-02
set security ipsec vpn cf-wan-ipsec-vpn-02 ike no-anti-replay
set security ipsec vpn cf-wan-ipsec-vpn-02 ike ipsec-policy ipsec-aes256cbc-sha256-128-dh20
set security ipsec vpn cf-wan-ipsec-vpn-02 establish-tunnels immediately

MSS Clamping

Perform in Configuration Mode

The SRX platform is unique in that it allows you to configure MSS Clamping that only applies to IPsec tunnels as opposed to per interface or globally.

This ensures the overhead associated with IKE/IPsec packet headers is factored in and will minimize opportunities for fragmentation as traffic ingresses and egresses the IPsec tunnels.

set security flow tcp-mss ipsec-vpn mss 1360

See How to change the MSS of TCP traffic passing through an IPsec VPN for more details.
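
How the ESP overhead of this guide's Phase 2 proposal (AES-256-CBC, HMAC-SHA-256-128, tunnel mode) relates to the 1360-byte MSS, as an added example that is not part of the original guide. It assumes IPv4 without options and a 1500-byte path MTU, goes beyond the tested setup by also modelling NAT-T, and its function names are hypothetical.

```python
# Added example: ESP tunnel-mode packet size for the proposal used in this guide.
OUTER_IPV4 = 20      # outer IPv4 header, no options (assumption)
NAT_T_UDP = 8        # UDP header added only when NAT-T encapsulation is in use
ESP_HEADER = 8       # SPI (4 bytes) + sequence number (4 bytes)
CBC_IV = 16          # AES-CBC initialization vector carried in every packet
CBC_BLOCK = 16       # AES block size; the encrypted part is padded to a multiple
ESP_TRAILER = 2      # pad-length byte + next-header byte
ICV = 16             # HMAC-SHA-256 truncated to 128 bits
INNER_HEADERS = 40   # inner IPv4 (20) + TCP (20), no options (assumption)


def esp_packet_size(mss, nat_t=False):
    """Bytes on the wire for one full-size TCP segment sent through the tunnel."""
    inner = mss + INNER_HEADERS
    # Inner packet plus ESP trailer is padded up to a whole number of AES blocks.
    blocks = -(-(inner + ESP_TRAILER) // CBC_BLOCK)  # ceiling division
    outer = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0)
    return outer + ESP_HEADER + CBC_IV + blocks * CBC_BLOCK + ICV


def largest_mss(path_mtu, nat_t=False):
    """Largest MSS whose encrypted packet still fits in path_mtu unfragmented."""
    mss = path_mtu
    while mss > 0 and esp_packet_size(mss, nat_t) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    print("MSS 1360 on the wire:", esp_packet_size(1360), "bytes")
    print("Largest MSS for a 1500-byte path:", largest_mss(1500))
```

Under these assumptions the configured value of 1360 leaves headroom below the arithmetic limit, which absorbs TCP options and any additional encapsulation on the path.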

Security Policies

Perform in Configuration Mode

  • Security policies are required to permit traffic between zones
  • The Ethernet interface ge-0/0/1.0 is in the trust security zone
  • The tunnel interfaces st0.1 and st0.2 are in the cloudflare security zone

The following example allows all source & destination IPs, ports, and protocols/services between cloudflare and trust as well as between trust and cloudflare.

Attribute | Value
source-address | any
destination-address | any
application | any
action | permit
log | session-close

set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit match source-address any
set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit match destination-address any
set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit match application any
set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit then permit
set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit then log session-close
set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit match source-address any
set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit match destination-address any
set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit match application any
set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit then permit
set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit then log session-close

Filter-Based Forwarding - Policy-Based Routing

Perform in Configuration Mode

HPE Juniper Networking provides multiple methods for performing Policy-Based Routing. Filter-Based Forwarding is the preferred method as it permits selectively routing traffic based on source, destination, protocol (and a wide variety of other matching criteria) through Cloudflare WAN or local Internet breakout with ease.

This example assumes traffic originating from 192.168.125.0/24 (ingress interface ge-0/0/1.0 zone trust) to any destination will be routed via the Cloudflare WAN IPsec Tunnels.

Implementing Filter-Based Forwarding (FBF) requires four steps:

  1. Create a Forwarding Routing Instance
    • Think of the Routing Instance as a "bucket" containing an alternate routing table
    • The Routing Instance contains the destination prefix(es) and next hop addresses (VTI on Cloudflare side of the tunnels)
  2. Create a Firewall Filter
    • Think of a Firewall Filter as the "brain" that determines which packets to send to the "bucket"
    • The Firewall Filter acts as a "classifier" that identifies the traffic you want to divert to the Routing Instance
  3. Configure the RIB Group and Bind Routes
    • Think of this as the "bridge" that copies interface routes to the "bucket"
    • The Routing Instance is not part of the default routing table.
    • This step instructs the SRX how to reach directly connected networks and resolve next-hops found in the main table (inet.0) and the Cloudflare WAN Routing Instance's routing table CF_WAN_RI.inet.0
  4. Apply the Firewall Filter to the ingress traffic interface(s)
    • Think of this as the "trigger" that starts processing packets as they enter the ingress interface
    • As traffic ingresses the interface(s) to which it is applied, traffic is processed in a top-down fashion

Define a Routing Instance

The Routing Instance defines the destination for your steered traffic. Unlike a standard VRF, FBF typically uses an instance type of forwarding.

This example effectively sets the default gateway (0.0.0.0/0) for any traffic landing on this Routing Instance to get routed to the IP address of the VTIs on the Cloudflare side of the IPsec tunnels:

set routing-instances CF_WAN_RI instance-type forwarding
set routing-instances CF_WAN_RI routing-options static route 0.0.0.0/0 next-hop 169.254.250.0
set routing-instances CF_WAN_RI routing-options static route 0.0.0.0/0 next-hop 169.254.250.2

Create a Firewall Filter

Add a firewall filter called CF_WAN_FBF_ALL with two terms (rules):

The first term CF_WAN_FWD_RI ensures any traffic originating from the LAN subnet (192.168.125.0/24) to any destination address (0.0.0.0/0) is processed against the CF_WAN_RI routing instance.

The second term EVERYTHING_ELSE effectively instructs the SRX to continue processing any traffic not matching the term CF_WAN_FWD_RI via the default routing table (inet.0).

Note the addition of the action count in both statements. This option defines a counter you can view to determine how many packets are processed on each term.

set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI from source-address 192.168.125.0/24
set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI from destination-address 0.0.0.0/0
set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI then count CF_WAN_FWD_RI_count
set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI then routing-instance CF_WAN_RI
set firewall family inet filter CF_WAN_FBF_ALL term EVERYTHING_ELSE then count EVERYTHING_ELSE_count
set firewall family inet filter CF_WAN_FBF_ALL term EVERYTHING_ELSE then accept

Configure the RIB Group and Bind Interface Routes

Create a RIB Group and import both the default route table (inet.0) and the route table associated with the newly created Forwarding Routing Instance:

set routing-options rib-groups CF_WAN_RG import-rib inet.0
set routing-options rib-groups CF_WAN_RG import-rib CF_WAN_RI.inet.0

Bind the RIB Group to the Interface Routes:

set routing-options interface-routes rib-group inet CF_WAN_RG

Apply the Firewall Filter to the Ingress Interface

  • Traffic originating on the LAN subnet will ingress interface ge-0/0/1.0
  • Apply the Firewall Filter CF_WAN_FBF_ALL as an input filter

set interfaces ge-0/0/1 unit 0 family inet filter input CF_WAN_FBF_ALL

Commit changes, then test traffic from a host on the 192.168.125.0/24 subnet to ensure it is forwarded through the Cloudflare WAN IPsec Tunnels.
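
A consistency check for the configuration built in the steps above, as an added example that is not part of the original guide or of any Juniper or Cloudflare tooling. It parses set commands and verifies that each VPN is bound to an addressed, zoned st0 unit, that its gateway is pinned to IKEv2, and that the CF_WAN_RI next-hops are the far-end addresses of the /31 VTIs; the function names and the embedded sample (a subset of this guide's commands) are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: a subset of the set commands shown in this guide.
SAMPLE_CONFIG = """\
set interfaces st0 unit 1 family inet address 169.254.250.1/31
set interfaces st0 unit 2 family inet address 169.254.250.3/31
set security zones security-zone cloudflare interfaces st0.1 host-inbound-traffic system-services ping
set security zones security-zone cloudflare interfaces st0.2 host-inbound-traffic system-services ping
set security ike gateway cf-wan-ike-gw-01 address 162.159.135.1
set security ike gateway cf-wan-ike-gw-01 version v2-only
set security ike gateway cf-wan-ike-gw-02 address 172.64.135.1
set security ike gateway cf-wan-ike-gw-02 version v2-only
set security ipsec vpn cf-wan-ipsec-vpn-01 bind-interface st0.1
set security ipsec vpn cf-wan-ipsec-vpn-01 ike gateway cf-wan-ike-gw-01
set security ipsec vpn cf-wan-ipsec-vpn-02 bind-interface st0.2
set security ipsec vpn cf-wan-ipsec-vpn-02 ike gateway cf-wan-ike-gw-02
set routing-instances CF_WAN_RI routing-options static route 0.0.0.0/0 next-hop 169.254.250.0
set routing-instances CF_WAN_RI routing-options static route 0.0.0.0/0 next-hop 169.254.250.2
"""

# One pattern per statement the audit needs; everything else is ignored.
PATTERNS = {
    "vti": r"set interfaces st0 unit (\d+) family inet address (\S+)",
    "zone": r"set security zones security-zone \S+ interfaces (st0\.\d+)",
    "bind": r"set security ipsec vpn (\S+) bind-interface (\S+)",
    "vpn_gw": r"set security ipsec vpn (\S+) ike gateway (\S+)",
    "gw_ver": r"set security ike gateway (\S+) version (\S+)",
    "hop": r"set routing-instances \S+ routing-options static route \S+ next-hop (\S+)",
}


def peer_of(cidr):
    """Return the other address of a /31 point-to-point network."""
    iface = ipaddress.ip_interface(cidr)
    if iface.network.prefixlen != 31:
        raise ValueError(f"{cidr} is not a /31")
    return next(a for a in iface.network if a != iface.ip)


def audit(config):
    """Return a list of findings; an empty list means the objects line up."""
    found = {key: [] for key in PATTERNS}
    for line in config.splitlines():
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m:
                found[key].append(m.groups())
    vti = {f"st0.{unit}": addr for unit, addr in found["vti"]}
    zoned = {name for (name,) in found["zone"]}
    gateways = dict(found["vpn_gw"])
    versions = dict(found["gw_ver"])
    hops = {ipaddress.ip_address(h) for (h,) in found["hop"]}
    findings = []
    for vpn, iface in found["bind"]:
        if iface not in vti:
            findings.append(f"{vpn}: {iface} has no address")
            continue
        if iface not in zoned:
            findings.append(f"{vpn}: {iface} is not in a security zone")
        if versions.get(gateways.get(vpn)) != "v2-only":
            findings.append(f"{vpn}: gateway is not pinned to IKEv2")
        if peer_of(vti[iface]) not in hops:
            findings.append(f"{vpn}: no next-hop {peer_of(vti[iface])} for {iface}")
    # A next-hop that is not a far-end VTI address points at the local side
    # or at an unrelated host, so steered traffic would not enter a tunnel.
    peers = {peer_of(addr) for addr in vti.values()}
    findings += [f"next-hop {h} is not the far end of any VTI" for h in sorted(hops - peers)]
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```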

Troubleshooting

Common issues

  • Always check that IKE Phase 1 and IPsec Phase 2 negotiated successfully - look for "no proposal chosen" in logs
  • Verify Pre-Shared-Key and/or Local-Identity values are accurate and assigned to the correct tunnel
  • Use ping to determine reachability between the CPE and Cloudflare sides of the VTI
    • Tunnel 1: CPE VTI to Cloudflare VTI: ping source 169.254.250.1 169.254.250.0
    • Tunnel 2: CPE VTI to Cloudflare VTI: ping source 169.254.250.3 169.254.250.2

View IKE Security Associations

Perform in Operational Mode

Use the CLI to verify that the IKE (Phase 1) and IPsec (Phase 2) security associations are established.

admin@srx> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
403838 UP a2d16e54c9d83ad5 873b1da714f0ca8f IKEv2 162.159.135.1
403839 UP 476288ac95d878e2 e72ef64e00b623e6 IKEv2 172.64.135.1

View IPsec Security Associations

Perform in Operational Mode

admin@srx> show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha256-96 9b429dd3 27739/unlim - root 500 162.159.135.1
>131073 ESP:aes-cbc-256/sha256-96 28931d57 27739/unlim - root 500 162.159.135.1
<131074 ESP:aes-cbc-256/sha256-96 eb2a275e 27739/unlim - root 500 172.64.135.1
>131074 ESP:aes-cbc-256/sha256-96 4134d7a8 27739/unlim - root 500 172.64.135.1

Enable Debug Logging (traceoptions) for IKE (Phase 1) and IPsec (Phase 2)

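In the event you encounter issues with IPsec tunnel negotiation, you can enable traceoptions for IKE and/or IPsec. The file world-readable statement in the examples below makes the trace file readable by any user logged in to the device.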

Enable IKE Traceoptions

Perform in Configuration Mode

set security ike traceoptions file ike-debug.log
set security ike traceoptions file size 1m
set security ike traceoptions file files 3
set security ike traceoptions file world-readable
set security ike traceoptions flag all

View IKE Debug Log

Perform in Operational Mode

View the log with the following command:

admin@srx> show log ike-debug.log

Press CTRL + C to stop viewing the log.

Disable IKE Traceoptions

Perform in Configuration Mode

delete security ike traceoptions
commit

Enable IPsec Traceoptions

Perform in Configuration Mode

set security ipsec traceoptions file ipsec-debug.log
set security ipsec traceoptions file size 1m
set security ipsec traceoptions file files 3
set security ipsec traceoptions file world-readable
set security ipsec traceoptions flag all

View IPsec Debug Logging

Perform in Operational Mode

View the log with the following command:

admin@srx> show log ipsec-debug.log

Press CTRL + C to stop viewing the log.

Disable IPsec Debug Logging

Perform in Configuration Mode

delete security ipsec traceoptions
commit

Disable/Enable IKE Gateways and/or IPsec VPN Tunnels

Perform in Configuration Mode

Junos provides the ability to administratively enable/disable IKE gateways and IPsec tunnels independently. This allows you to forcefully set up and tear down VPN tunnels which can be very useful during troubleshooting.

Deactivate IKE Gateway

deactivate security ike gateway cf-wan-ike-gw-01

Deactivate IPsec VPN

deactivate security ipsec vpn cf-wan-ipsec-vpn-01

Perform a commit to ensure the IKE Gateway and IPsec VPN objects are disabled.

Verify Inactive State

Note the presence of inactive: security ike gateway cf-wan-ike-gw-01 at the top of the IKE gateway stanza:

admin@srx# show security ike gateway cf-wan-ike-gw-01
##
## inactive: security ike gateway cf-wan-ike-gw-01
##
ike-policy cf-wan-ike-pol-01;
address 162.159.135.1;
local-identity hostname bf6c493d03<REDACTED>.ipsec.cloudflare.com;
external-interface ge-0/0/0.0;
local-address 203.0.113.100;
version v2-only;

Note the presence of inactive: security ipsec vpn cf-wan-ipsec-vpn-01 at the top of the IPsec VPN stanza:

[edit]
admin@srx# show security ipsec vpn cf-wan-ipsec-vpn-01
##
## inactive: security ipsec vpn cf-wan-ipsec-vpn-01
##
bind-interface st0.1;
ike {
    gateway cf-wan-ike-gw-01;
    no-anti-replay;
    ipsec-policy ipsec-aes256cbc-sha256-128-dh20;
}
establish-tunnels immediately;

Activate IKE Gateway and IPsec VPN Objects

Reverse the process with the activate command:

activate security ike gateway cf-wan-ike-gw-01
activate security ipsec vpn cf-wan-ipsec-vpn-01
commit

Restart IPsec Daemon

Perform in Operational Mode

The IKE and IPsec lifetimes are set to 28800 seconds (8 hours). You can force tunnel establishment by restarting the IPsec daemon (kmd). This will invalidate the IKE and IPsec security associations and forcefully reconnect the IPsec VPN tunnels.

This can be accomplished with the following command:

admin@srx> restart ipsec-key-management

Ensure Reachability Across IPsec Tunnels

Perform in Operational Mode

Use ping to verify connectivity to the Cloudflare side of the Virtual Tunnel Interface:

admin@srx> ping 169.254.250.0 source 169.254.250.1
admin@srx> ping 169.254.250.2 source 169.254.250.3

Show Tunnel Event Statistics

Perform in Operational Mode

admin@srx> show security ipsec tunnel-events-statistics

Resulting output:

External interface's zone received. Information updated : 2
Bind-interface's zone received. Information updated : 2
Bind-interface's address received. Information updated : 2
IKE SA negotiation successfully completed : 2
IPSec SA negotiation successfully completed : 2
Tunnel is ready. Waiting for trigger event or peer to trigger negotiation : 2

Display Route Tables

Perform in Operational Mode

Default Route Table - inet.0

admin@srx> show route table inet.0
inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
169.254.247.0/31 *[Direct/0] 00:02:10
> via st0.1
169.254.247.1/32 *[Local/0] 1d 05:35:54
Local via st0.1
169.254.247.2/31 *[Direct/0] 00:02:09
> via st0.2
169.254.247.3/32 *[Local/0] 1d 05:35:54
Local via st0.2
169.254.250.0/31 *[Direct/0] 00:02:09
> via st0.1
169.254.250.1/32 *[Local/0] 00:02:09
Local via st0.1
169.254.250.2/31 *[Direct/0] 00:02:09
> via st0.2
169.254.250.3/32 *[Local/0] 00:02:09
Local via st0.2
192.168.125.0/24 *[Direct/0] 00:02:10
> via ge-0/0/1.0
192.168.125.1/32 *[Local/0] 00:02:10
Local via ge-0/0/1.0
203.0.113.100/32 *[Local/0] 00:02:10
Reject

Routing Instance Route Table (CF_WAN_RI.inet.0)

admin@srx> show route table CF_WAN_RI.inet.0
CF_WAN_RI.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:01:04
> to 169.254.250.0 via st0.1
to 169.254.250.2 via st0.2
169.254.247.0/31 *[Direct/0] 00:02:58
> via st0.1
169.254.247.1/32 *[Local/0] 00:02:58
Local via st0.1
169.254.247.2/31 *[Direct/0] 00:02:57
> via st0.2
169.254.247.3/32 *[Local/0] 00:02:57
Local via st0.2
169.254.250.0/31 *[Direct/0] 00:02:57
> via st0.1
169.254.250.1/32 *[Local/0] 00:02:57
Local via st0.1
169.254.250.2/31 *[Direct/0] 00:02:57
> via st0.2
169.254.250.3/32 *[Local/0] 00:02:57
Local via st0.2
192.168.125.0/24 *[Direct/0] 00:02:58
> via ge-0/0/1.0
192.168.125.1/32 *[Local/0] 00:02:58
Local via ge-0/0/1.0
203.0.113.100/32 *[Local/0] 00:02:58
Reject

Display Firewall Filter Counters

admin@srx> show firewall counter filter CF_WAN_FBF_ALL CF_WAN_FWD_RI_count
Filter: CF_WAN_FBF_ALL
Counters:
Name Bytes Packets
CF_WAN_FWD_RI_count 14855935 189746
admin@srx> show firewall counter filter CF_WAN_FBF_ALL EVERYTHING_ELSE_count
Filter: CF_WAN_FBF_ALL
Counters:
Name Bytes Packets
EVERYTHING_ELSE_count 4371377 18732

Resources - Juniper Product Documentation

Refer to the CLI Reference Guide for further details on each command referenced within this document:

Resources - Juniper Knowledge Base

Valid support credentials may be required to view some/all of the following documents: