--- title: HPE Juniper Networking SRX Series Firewalls description: Connect HPE Juniper SRX to Cloudflare WAN. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ IPsec ](https://developers.cloudflare.com/search/?tags=IPsec) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-wan/configuration/third-party/juniper.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # HPE Juniper Networking SRX Series Firewalls ## Overview This guide provides step-by-step instructions for configuring HPE Juniper Networking SRX Series Firewalls to establish IPsec VPN tunnels to Cloudflare WAN. It is intended for network engineers who are familiar with HPE Juniper Networking SRX Series Firewalls administration and have an active Cloudflare WAN subscription. This guide is a companion to the Cloudflare WAN IPsec VPN Reference Architecture, which defines the common IP addressing scheme, tunnel parameters, and design decisions used across all vendor guides. Readers should review that document before proceeding. ## Test Environment | **Field** | **Value** | | ----------- | ---------------------- | | Vendor | HPE Juniper Networking | | Model | SRX 320 | | Release | JUNOS 23.4R2-S3.9 | | Date Tested | March 2026 | ## IKE/IPsec Crypto & Relevant Settings | **Field** | **Value** | | ---------------------------------- | --------------- | | Traffic Selection Criteria | Route-Based VPN | | Routing | Static | | Redundant Tunnels | Yes | | Tunnel Load Balancing | Active/Active | | IKE Version | IKEv2 | | Authentication | Pre-Shared Key | | Anti-Replay Protection | Disabled | | NAT Traversal (NAT-T) | Not Tested | | NAT-T Port | Not Applicable | | Phase 1 - DH-Group | Group 20 | | Phase 1 - Encryption | AES-256-CBC | | Phase 1 - Authentication/Integrity | SHA-256 | | Phase 2 - DH-Group | Group 20 | | Phase 2 - Transport | ESP | | Phase 2 - Encryption | AES-256-CBC | ## Cloudflare WAN and HPE Juniper Networking SRX Series Firewalls - Configuration Settings * While following these steps, ensure you update all object names and IP addresses to match your environment. * Aligning these elements with your actual naming conventions and network scheme ensures the configuration works correctly in your production setup. * Use Find and Replace to parse the examples below, update the names and addresses accordingly, and maintain consistency. ### Cloudflare WAN - Tunnel 01 of 02 | **Attribute** | **Value/Address** | | --------------------------------- | ----------------- | | Name (required) | CF\_WAN\_TUN\_01 | | Description | \--- | | IPv4 Interface Address (required) | 169.254.250.0/31 | | IPv6 Interface Address | \--- | | Customer Endpoint | 203.0.113.100 | | Cloudflare Endpoint | 162.159.135.1 | | Tunnel health checks | True | | Rate | Medium | | **Type** | **Request** | | **Direction** | **Bidirectional** | | Target | Default | | \--- | \--- | | Turn on replay protection | False | | **Automatic return routing** | **True** | * IKE Identity and Pre-shared Key (obtained after tunnel creation): | **Attribute** | **Value/Address** | | -------------- | ----------------------------------------- | | FQDN ID | bf6c493d03.ipsec.cloudflare.com | | Pre-shared key | Cloudflare-WAN-T1-PSK-1234! | ### Cloudflare WAN - Tunnel 02 of 02 | **Attribute** | **Value/Address** | | --------------------------------- | ----------------- | | Name (required) | CF\_WAN\_TUN\_02 | | Description | \--- | | IPv4 Interface Address (required) | 169.254.250.2/31 | | IPv6 Interface Address | \--- | | Customer Endpoint | 203.0.113.100 | | Cloudflare Endpoint | 172.64.135.1 | | Tunnel health checks | True | | Rate | Medium | | **Type** | **Request** | | **Direction** | **Bidirectional** | | Target | Default | | \--- | \--- | | Turn on replay protection | False | | **Automatic return routing** | **True** | * IKE Identity and Pre-shared Key (obtained after tunnel creation): | **Attribute** | **Value/Address** | | -------------- | ----------------------------------------- | | FQDN ID | 0287844e9d.ipsec.cloudflare.com | | Pre-shared key | Cloudflare-WAN-T2-PSK-1234! | ## Customer Premise Equipment - HPE Juniper Networking | **WAN Interface** | **Tunnel 01 of 02** | **Tunnel 02 of 02** | | ----------------- | ------------------- | ------------------- | | WAN Interface | ge-0/0/0.0 | ge-0/0/0.0 | | IP Address | 203.0.113.100/24 | 203.0.113.100/24 | | Security Zone | untrust | untrust | | **Virtual Tunnel Interface (VTI)** | **Tunnel 01 of 02** | **Tunnel 02 of 02** | | ---------------------------------- | ------------------- | ------------------- | | Tunnel interface | st0.1 | st0.2 | | IP Address | 169.254.250.1/31 | 169.254.250.3/31 | | Security Zone | cloudflare | cloudflare | | **LAN Interface** | **Tunnel 01 of 02** | **Tunnel 02 of 02** | | ----------------- | ------------------- | ------------------- | | LAN Interface | ge-0/0/1.0 | ge-0/0/1.0 | | IP Address | 192.168.125.1/24 | 192.168.125.1/24 | | Security Zone | trust | trust | ### HPE Juniper Networking SRX Object Names | **Element** | **Object Hierarchy** | **Name** | | ---------------------------------- | ---------------------------------- | ------------------------------- | | Security Zone - Trust | \[ security zones security-zone \] | trust | | Security Zone - Untrust | \[ security zones security-zone \] | untrust | | Security Zone - Cloudflare WAN | \[ security zones security-zone \] | cloudflare | | IKE Proposal (only one required) | \[ security ike proposal \] | ike-aes256cbc-sha256-dh20 | | IKE Policy - Tunnel 1 | \[ security ike policy \] | cf-wan-ike-pol-01 | | IKE Policy - Tunnel 2 | \[ security ike policy \] | cf-wan-ike-pol-02 | | IKE Gateway - Tunnel 1 | \[ security ike gateway \] | cf-wan-ike-gw-01 | | IKE Gateway - Tunnel 2 | \[ security ike gateway \] | cf-wan-ike-gw-02 | | IPsec Proposal (only one required) | \[ security ipsec proposal \] | esp-aes256cbc-sha256-128 | | IPsec Policy (only one required) | \[ security ipsec policy \] | ipsec-aes256cbc-sha256-128-dh20 | | IPsec Tunnel - Tunnel 1 | \[ security ipsec vpn \] | cf-wan-ipsec-vpn-01 | | IPsec Tunnel - Tunnel 2 | \[ security ipsec vpn \] | cf-wan-ipsec-vpn-02 | ## Assumptions This guide assumes the following apply: * Already configured [IPsec tunnels](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-tunnel-endpoints/) and [static routes](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-routes/) in the Cloudflare dashboard * Used the Cloudflare Dashboard to obtain the Local Identifier (FQDN/hostname) and generate a Pre-Shared Key for each of the IPsec tunnels * Understand the importance of [MSS clamping](https://developers.cloudflare.com/cloudflare-wan/reference/mtu-mss/#mss-clamping) and adjusting it based on the traffic flows traversing the Cloudflare WAN IPsec Tunnels ## High-Level Steps * Add Virtual Tunnel Interfaces * Create a Security Zone (Recommended) * Add VTIs to Security Zone * Define IKE Policy and Proposals (Phase 1) * Add IKE Gateways * IPsec Policy and Proposal (Phase 2) * IPsec Tunnel Configuration * Define Security policy to permit traffic to/from Cloudflare WAN * Define Policy-Based Forwarding rules to selectively route traffic across the IPsec tunnels ## HPE Juniper Networking SRX - Configuration All examples are provided via the Junos Command-Line Interface (CLI). J-Web examples are not provided. ### Junos Modes Junos OS operates with two main command-line interface (CLI) modes, Operational Mode and Configuration Mode, which serve distinct purposes in managing Juniper network devices. #### Operational Mode (>) [Operational mode ↗](https://www.juniper.net/documentation/us/en/software/junos/cli/topics/topic-map/junos-cli-operational-overview.html) is the default state upon logging into a Junos device, used for monitoring, troubleshooting, and displaying device status. * Prompt: `user@host>` * Purpose: View real-time information, check interface status, view routing tables, test connectivity (ping/traceroute), and restart processes. * Key Commands: show, monitor, ping, traceroute, request. * Action: Changes made here do not affect the persistent device configuration. #### Configuration Mode (#) [Configuration mode ↗](https://www.juniper.net/documentation/us/en/software/junos/cli/topics/topic-map/cli-configuration.html) is used to make changes to the device's configuration, such as defining interfaces, routing protocols, and system properties. * Prompt: `user@host#` * Purpose: Edit, add, or remove configuration statements. * Key Commands: edit, set, delete, commit, rollback. * Action: Changes are made to a "candidate configuration" and are not active until explicitly committed at which point they become part of the "running configuration". Each section will indicate whether the commands are applicable to configuration mode or operational mode. ### Virtual Tunnel Interfaces _Perform in Configuration Mode_ ``` set interfaces st0 unit 1 family inet address 169.254.250.1/31 set interfaces st0 unit 2 family inet address 169.254.250.3/31 ``` ### Security Zone _Perform in Configuration Mode_ Add `st0.1` and `st0.2` to the Security Zone `cloudflare` and permit `system-services ping`. This is required to ensure the Cloudflare WAN IPsec Tunnel Health Checks are able to verify reachability across the Virtual Tunnel Interfaces. ``` set security zones security-zone cloudflare interfaces st0.1 host-inbound-traffic system-services ping set security zones security-zone cloudflare interfaces st0.2 host-inbound-traffic system-services ping ``` ### IKE - Phase 1 _Perform in Configuration Mode_ Configure the following: * IKE Proposal * IKE Policies (one required per Cloudflare WAN IPsec Tunnel) * IKE Gateways (one required per Cloudflare WAN IPsec Tunnel) #### IKE Proposal Define an IKE Proposal with the following settings: | **Attribute** | **Value** | | ------------------------ | --------------- | | authentication-method | pre-shared-keys | | dh-group | group20 | | authentication-algorithm | sha256 | | encryption-algorithm | aes-256-cbc | | lifetime-seconds | 28800 | ``` set security ike proposal ike-aes256cbc-sha256-dh20 authentication-method pre-shared-keys set security ike proposal ike-aes256cbc-sha256-dh20 dh-group group20 set security ike proposal ike-aes256cbc-sha256-dh20 authentication-algorithm sha-256 set security ike proposal ike-aes256cbc-sha256-dh20 encryption-algorithm aes-256-cbc set security ike proposal ike-aes256cbc-sha256-dh20 lifetime-seconds 28800 ``` #### IKE Policies Configure one IKE policy per IPsec tunnel: | **Attribute** | **Value** | | ------------------------- | ------------------------- | | mode | main | | proposals | ike-aes256cbc-sha256-dh20 | | pre-shared-key ascii-text | _specify pre-shared-key_ | ``` set security ike policy cf-wan-ike-pol-01 mode main set security ike policy cf-wan-ike-pol-01 proposals ike-aes256cbc-sha256-dh20 set security ike policy cf-wan-ike-pol-01 pre-shared-key ascii-text "Cloudflare-WAN-T1-PSK-1234!" set security ike policy cf-wan-ike-pol-02 mode main set security ike policy cf-wan-ike-pol-02 proposals ike-aes256cbc-sha256-dh20 set security ike policy cf-wan-ike-pol-02 pre-shared-key ascii-text "Cloudflare-WAN-T2-PSK-1234!" ``` #### IKE Gateways Configure one IKE Gateway per IPsec tunnel: ``` set security ike gateway cf-wan-ike-gw-01 ike-policy cf-wan-ike-pol-01 set security ike gateway cf-wan-ike-gw-01 address 162.159.135.1 set security ike gateway cf-wan-ike-gw-01 local-identity hostname bf6c493d03.ipsec.cloudflare.com set security ike gateway cf-wan-ike-gw-01 external-interface ge-0/0/0.0 set security ike gateway cf-wan-ike-gw-01 local-address 203.0.113.100 set security ike gateway cf-wan-ike-gw-01 version v2-only set security ike gateway cf-wan-ike-gw-02 ike-policy cf-wan-ike-pol-02 set security ike gateway cf-wan-ike-gw-02 address 172.64.135.1 set security ike gateway cf-wan-ike-gw-02 local-identity hostname 0287844e9d.ipsec.cloudflare.com set security ike gateway cf-wan-ike-gw-02 external-interface ge-0/0/0.0 set security ike gateway cf-wan-ike-gw-02 local-address 203.0.113.100 set security ike gateway cf-wan-ike-gw-02 version v2-only ``` Explain Code ### IPsec - Phase 2 _Perform in Configuration Mode_ Configure the following: * IPsec Proposal * IPsec Policy * IPsec Tunnels (one required per Cloudflare WAN IPsec Tunnel) #### IPsec Proposal Define an IPsec Proposal with the following settings: | **Attribute** | **Value** | | ------------------------ | ---------------- | | protocol | esp | | authentication-algorithm | hmac-sha-256-128 | | encryption-algorithm | aes-256-cbc | | lifetime-seconds | 28800 | ``` set security ipsec proposal esp-aes256cbc-sha256-128 protocol esp set security ipsec proposal esp-aes256cbc-sha256-128 authentication-algorithm hmac-sha-256-128 set security ipsec proposal esp-aes256cbc-sha256-128 encryption-algorithm aes-256-cbc set security ipsec proposal esp-aes256cbc-sha256-128 lifetime-seconds 28800 ``` #### IPsec Policy ``` set security ipsec policy ipsec-aes256cbc-sha256-128-dh20 perfect-forward-secrecy keys group20 set security ipsec policy ipsec-aes256cbc-sha256-128-dh20 proposals esp-aes256cbc-sha256-128 ``` #### IPsec VPN Tunnels Create two IPsec VPN tunnels - each corresponding to its respective IKE Gateway. ``` set security ipsec vpn cf-wan-ipsec-vpn-01 bind-interface st0.1 set security ipsec vpn cf-wan-ipsec-vpn-01 ike gateway cf-wan-ike-gw-01 set security ipsec vpn cf-wan-ipsec-vpn-01 ike no-anti-replay set security ipsec vpn cf-wan-ipsec-vpn-01 ike ipsec-policy ipsec-aes256cbc-sha256-128-dh20 set security ipsec vpn cf-wan-ipsec-vpn-01 establish-tunnels immediately set security ipsec vpn cf-wan-ipsec-vpn-02 bind-interface st0.2 set security ipsec vpn cf-wan-ipsec-vpn-02 ike gateway cf-wan-ike-gw-02 set security ipsec vpn cf-wan-ipsec-vpn-02 ike no-anti-replay set security ipsec vpn cf-wan-ipsec-vpn-02 ike ipsec-policy ipsec-aes256cbc-sha256-128-dh20 set security ipsec vpn cf-wan-ipsec-vpn-02 establish-tunnels immediately ``` Explain Code Note Enabling `establish-tunnels-immediately` ensures the SRX is always the tunnel initiator. This is crucial as Cloudflare will never initiate the IPsec tunnel. If you do not enable this option, you will need to generate some traffic that will traverse the IPsec tunnels at which point the SRX will initiate the tunnel in an on-demand fashion. ### MSS Clamping _Perform in Configuration Mode_ The SRX platform is unique in that it allows you to configure MSS Clamping that only applies to IPsec tunnels as opposed to per interface or globally. This ensures the overhead associated with IKE/IPsec packet headers is factored in and will minimize opportunities for fragmentation as traffic ingresses and egresses the IPsec tunnels. Note The recommended MSS value 1360 may need to be adjusted based on the nature of the traffic traversing the Cloudflare WAN IPsec Tunnels. ``` set security flow tcp-mss ipsec-vpn mss 1360 ``` See [How to change the MSS of TCP traffic passing through an IPsec VPN ↗](https://supportportal.juniper.net/s/article/SRX-How-to-change-the-MSS-of-TCP-traffic-passing-through-an-IPsec-VPN) for more details. ### Security Policies _Perform in Configuration Mode_ * Security policies are required to permit traffic between zones * The Ethernet interface `ge-0/0/1.0` is in the `trust` security zone * The tunnel interfaces `st0.1` and `st0.2` are in the `cloudflare` security zone The following example allows all source & destination IPs, ports, and protocols/services between `cloudflare` and `trust` as well as between `trust` and `cloudflare`. | **Attribute** | **Value** | | ------------------- | ------------- | | source-address | any | | destination-address | any | | application | any | | action | permit | | log | session-close | ``` set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit match source-address any set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit match destination-address any set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit match application any set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit then permit set security policies from-zone cloudflare to-zone trust policy cloudflare-to-trust-permit then log session-close set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit match source-address any set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit match destination-address any set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit match application any set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit then permit set security policies from-zone trust to-zone cloudflare policy trust-to-cloudflare-permit then log session-close ``` Explain Code ### Filter-Based Forwarding - Policy-Based Routing _Perform in Configuration Mode_ HPE Juniper Networking provides multiple methods for performing Policy-Based Routing. [Filter-Based Forwarding ↗](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html) is the preferred method as it permits selectively routing traffic based on source, destination, protocol (and a wide variety of other matching criteria) through Cloudflare WAN or local Internet breakout with ease. This example assumes traffic originating from 192.168.125.0/24 (ingress interface `ge-0/0/1.0` zone `trust`) to any destination will be routed via the Cloudflare WAN IPsec Tunnels. Implementing Filter-Based Forwarding (FBF) requires four steps: 1. Create a Forwarding Routing Instance * Think of the Routing Instance as a "bucket" containing an alternate routing table * The Routing Instance contains the destination prefix(es) and next hop addresses (VTI on Cloudflare side of the tunnels) 2. Create a Firewall Filter * Think of a Firewall Filter as the "brain" that determines which packets to send to the "bucket" * The Firewall Filter acts as a "classifier" that identifies the traffic you want to divert to the Routing Instance 3. Configure the RIB Group and Bind Routes * Think of this as the "bridge" that copies interface routes to the "bucket" * The Routing Instance is not part of the default routing table. * This step instructs the SRX how to reach directly connected networks and resolve next-hops found in the main table (`inet.0`) and the Cloudflare WAN Routing Instance's routing table `CF_WAN_RI.inet.0` 4. Apply the Firewall Filter to the ingress traffic interface(s) * Think of this as the "trigger" that starts processing packets as they enter the ingress interface * As traffic ingresses the interface(s) to which it is applied, traffic is processed in a top-down fashion #### Define a Routing Instance The Routing Instance defines the destination for your steered traffic. Unlike a standard VRF, FBF typically uses an instance type of `forwarding`. This example effectively sets the default gateway (0.0.0.0/0) for any traffic landing on this Routing Instance to get routed to the IP address of the VTIs on the Cloudflare side of the IPsec tunnels: ``` set routing-instances CF_WAN_RI instance-type forwarding set routing-instances CF_WAN_RI routing-options static route 0.0.0.0/0 next-hop 169.254.250.0 set routing-instances CF_WAN_RI routing-options static route 0.0.0.0/0 next-hop 169.254.250.2 ``` #### Create a Firewall Filter Add a firewall filter called `CF_WAN_FBF_ALL` with two `terms` (rules): The first term `CF_WAN_FWD_RI` ensures any traffic originating from the LAN subnet (192.168.125.0/24) to any destination address (0.0.0.0/0) is processed against the `CF_WAN_RI` routing instance. The second term `EVERYTHING_ELSE` effectively instructs the SRX to continue processing any traffic not matching the term `CF_WAN_FWD_RI` via the default routing table (`inet.0`). Note the addition of the action `count` in both statements. This option defines a counter you can view to determine how many packets are processed on each `term`. ``` set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI from source-address 192.168.125.0/24 set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI from destination-address 0.0.0.0/0 set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI then count CF_WAN_FWD_RI_count set firewall family inet filter CF_WAN_FBF_ALL term CF_WAN_FWD_RI then routing-instance CF_WAN_RI set firewall family inet filter CF_WAN_FBF_ALL term EVERYTHING_ELSE then count EVERYTHING_ELSE_count set firewall family inet filter CF_WAN_FBF_ALL term EVERYTHING_ELSE then accept ``` #### Configure the RIB Group and Bind Interface Routes Create a RIB Group and import both the default route table (`inet.0`) and the route table associated with the newly created Forwarding Routing Instance: ``` set routing-options rib-groups CF_WAN_RG import-rib inet.0 set routing-options rib-groups CF_WAN_RG import-rib CF_WAN_RI.inet.0 ``` Bind the RIB Group to the Interface Routes: ``` set routing-options interface-routes rib-group inet CF_WAN_RG ``` #### Apply the Firewall Filter to the Ingress Interface * Traffic originating on the LAN subnet will ingress interface `ge-0/0/1.0` * Apply the Firewall Filter `CF_WAN_FBF_ALL` as an `input` filter ``` set interfaces ge-0/0/1 unit 0 family inet filter input CF_WAN_FBF_ALL ``` Commit changes, then test traffic from a host on the 192.168.125.0/24 subnet to ensure it is forwarded through the Cloudflare WAN IPsec Tunnels. Note If you have Cloudflare One configured to perform [HTTPS traffic inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/), ensure that you [install the Root CA certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) prior to testing connectivity to any HTTPS-based sites, otherwise you will receive untrusted certificate warning messages. ## Troubleshooting ### Common issues * Always check IKE Phase 1 & IPsec Phase 2 negotiated successfully - look for "no proposal chosen" in logs * Verify Pre-Shared-Key and/or Local-Identity values are accurate and assigned to the correct tunnel * Use ping to determine reachability between the CPE and Cloudflare sides of the VTI * Tunnel 1: CPE VTI to Cloudflare VTI: `ping source 169.254.250.1 169.254.250.0` * Tunnel 2: CPE VTI to Cloudflare VTI: `ping source 169.254.250.3 169.254.250.2` ### View IKE Security Associations _Perform in Operational Mode_ Use the CLI to verify IKE (Phase 1) and IPsec (Phase 2) security associations established. ``` admin@srx> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 403838 UP a2d16e54c9d83ad5 873b1da714f0ca8f IKEv2 162.159.135.1 403839 UP 476288ac95d878e2 e72ef64e00b623e6 IKEv2 172.64.135.1 ``` ### View IPsec Security Associations _Perform in Operational Mode_ ``` admin@srx> show ipsec security associations Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes-cbc-256/sha256-96 9b429dd3 27739/unlim - root 500 162.159.135.1 >131073 ESP:aes-cbc-256/sha256-96 28931d57 27739/unlim - root 500 162.159.135.1 <131074 ESP:aes-cbc-256/sha256-96 eb2a275e 27739/unlim - root 500 172.64.135.1 >131074 ESP:aes-cbc-256/sha256-96 4134d7a8 27739/unlim - root 500 172.64.135.1 ``` ### Enable Debug Logging (traceoptions) for IKE (Phase 1) and IPsec (Phase 2) In the event you encounter issues with IPsec tunnel negotiation, you can enable `traceoptions` for IKE and/or IPsec. Note Debug logging can create significant overhead on firewalls with high utilization. Ensure you monitor CPU and memory utilization closely and only enable debug logging when it is needed. #### Enable IKE Traceoptions _Perform in Configuration Mode_ ``` set security ike traceoptions file ike-debug.log set security ike traceoptions file size 1m set security ike traceoptions file files 3 set security ike traceoptions file world-readable set security ike traceoptions flag all ``` #### View IKE Debug Log _Perform in Operational Mode_ View the log with the following command: ``` admin@srx> show log ike-debug.log ``` Press `CTRL + C` to stop viewing the log. #### Disable IKE Traceoptions _Perform in Configuration Mode_ ``` delete security ike traceoptions commit ``` #### Enable IPsec Traceoptions _Perform in Configuration Mode_ ``` set security ipsec traceoptions file ipsec-debug.log set security ipsec traceoptions file size 1m set security ipsec traceoptions file files 3 set security ipsec traceoptions file world-readable set security ipsec traceoptions flag all ``` #### View IPsec Debug Logging _Perform in Operational Mode_ View the log with the following command: ``` admin@srx> show log ipsec-debug.log ``` Press `CTRL + C` to stop viewing the log. #### Disable IPsec Debug Logging _Perform in Configuration Mode_ ``` delete security ipsec traceoptions commit ``` ### Disable/Enable IKE Gateways and/or IPsec VPN Tunnels _Perform in Configuration Mode_ Junos provides the ability to administratively enable/disable IKE gateways and IPsec tunnels independently. This allows you to forcefully set up and tear down VPN tunnels which can be very useful during troubleshooting. #### Deactivate IKE Gateway ``` deactivate security ike gateway cf-wan-ike-gw-01 ``` #### Deactivate IPsec VPN ``` deactivate security ipsec vpn cf-wan-ipsec-vpn-01 ``` Perform a `commit` to ensure the IKE Gateway and IPSec VPN objects are disabled. #### Verify Inactive State Note the presence of `inactive: security ike gateway cf-wan-ike-gw-01` at the top of the IKE gateway stanza: ``` admin@srx# show security ike gateway cf-wan-ike-gw-01 ## ## inactive: security ike gateway cf-wan-ike-gw-01 ## ike-policy cf-wan-ike-pol-01; address 162.159.135.1; local-identity hostname bf6c493d03.ipsec.cloudflare.com; external-interface ge-0/0/0.0; local-address 203.0.113.100; version v2-only; ``` Explain Code Note the presence of `inactive: security ipsec vpn cf-wan-ike-gw-01` at the top of the IPsec VPN stanza: ``` [edit] admin@srx# show security ipsec vpn cf-wan-ipsec-vpn-01 ## ## inactive: security ipsec vpn cf-wan-ipsec-vpn-01 ## bind-interface st0.1; ike { gateway cf-wan-ike-gw-01; no-anti-replay; ipsec-policy ipsec-aes256cbc-sha256-128-dh20; } establish-tunnels immediately; ``` Explain Code #### Activate IKE Gateway and IPsec VPN Objects Reverse the process with the `activate` command: ``` activate security ike gateway cf-wan-ike-gw-01 activate security ipsec vpn cf-wan-ipsec-vpn-01 commit ``` ### Restart IPsec Daemon _Perform in Operational Mode_ The IKE and IPsec lifetimes are set to 28800 seconds (8 hours). You can force tunnel establishment by restarting the IPsec daemon (kmd). This will invalidate the IKE and IPsec security associations and forcefully reconnect the IPsec VPN tunnels. This can be accomplished with the following command: ``` admin@srx> restart ipsec-key-management ``` ### Ensure Reachability Across IPsec Tunnels _Perform in Operational Mode_ Use ping to verify connectivity to the Cloudflare side of the Virtual Tunnel Interface ``` admin@srx> ping 169.254.250.0 source 169.254.250.1 admin@srx> ping 169.254.250.2 source 169.254.250.3 ``` ### Show Tunnel Event Statistics _Perform in Operational Mode_ ``` admin@srx> show security ipsec tunnel-events-statistics ``` Resulting output: ``` External interface's zone received. Information updated : 2 Bind-interface's zone received. Information updated : 2 Bind-interface's address received. Information updated : 2 IKE SA negotiation successfully completed : 2 IPSec SA negotiation successfully completed : 2 Tunnel is ready. Waiting for trigger event or peer to trigger negotiation : 2 ``` ### Display Route Tables _Perform in Operational Mode_ #### Default Route Table - inet.0 ``` show route table inet.0 inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 169.254.247.0/31 *[Direct/0] 00:02:10 > via st0.1 169.254.247.1/32 *[Local/0] 1d 05:35:54 Local via st0.1 169.254.247.2/31 *[Direct/0] 00:02:09 > via st0.2 169.254.247.3/32 *[Local/0] 1d 05:35:54 Local via st0.2 169.254.250.0/31 *[Direct/0] 00:02:09 > via st0.1 169.254.250.1/32 *[Local/0] 00:02:09 Local via st0.1 169.254.250.2/31 *[Direct/0] 00:02:09 > via st0.2 169.254.250.3/32 *[Local/0] 00:02:09 Local via st0.2 192.168.125.0/24 *[Direct/0] 00:02:10 > via ge-0/0/1.0 192.168.125.1/32 *[Local/0] 00:02:10 Local via ge-0/0/1.0 203.0.113.100/32 *[Local/0] 00:02:10 Reject ``` Explain Code #### Routing Instance Route Table (CF\_WAN\_RI.inet.0) ``` show route table CF_WAN_RI.inet.0 CF_WAN_RI.inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:01:04 > to 169.254.250.0 via st0.1 to 169.254.250.2 via st0.2 169.254.247.0/31 *[Direct/0] 00:02:58 > via st0.1 169.254.247.1/32 *[Local/0] 00:02:58 Local via st0.1 169.254.247.2/31 *[Direct/0] 00:02:57 > via st0.2 169.254.247.3/32 *[Local/0] 00:02:57 Local via st0.2 169.254.250.0/31 *[Direct/0] 00:02:57 > via st0.1 169.254.250.1/32 *[Local/0] 00:02:57 Local via st0.1 169.254.250.2/31 *[Direct/0] 00:02:57 > via st0.2 169.254.250.3/32 *[Local/0] 00:02:57 Local via st0.2 192.168.125.0/24 *[Direct/0] 00:02:58 > via ge-0/0/1.0 192.168.125.1/32 *[Local/0] 00:02:58 Local via ge-0/0/1.0 203.0.113.100/32 *[Local/0] 00:02:58 Reject ``` Explain Code ### Display Firewall Filter Counters ``` admin@srx> show firewall counter filter CF_WAN_FBF_ALL CF_WAN_FWD_RI_count Filter: CF_WAN_FBF_ALL Counters: Name Bytes Packets CF_WAN_FWD_RI_count 14855935 189746 ``` ``` admin@srx> show firewall counter filter CF_WAN_FBF_ALL EVERYTHING_ELSE_count Filter: CF_WAN_FBF_ALL Counters: Name Bytes Packets EVERYTHING_ELSE_count 4371377 18732 ``` ## Resources - Juniper Product Documentation Refer to the CLI Reference Guide for further details on each command referenced within this document: * [CLI Reference Guide ↗](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/) * [Route-Based IPsec VPNs ↗](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-ipsec-vpns.html) * [Route-Based VPN with IKEv2 ↗](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-vpns-for-ikev2.html) * [Route-Based and Policy-Based VPNs with NAT-T ↗](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html) * [Configuring Filter-Based Forwarding ↗](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/filter-based-forwarding-example.html) ## Resources - Juniper Knowledge Base Valid support credentials may be required to view some/all of the following documents: * [\[SRX\] How do I tell if a VPN Tunnel SA (Security Association) is active - KB10090 ↗](https://supportportal.juniper.net/s/article/SRX-How-do-I-tell-if-a-VPN-Tunnel-SA-Security-Association-is-active) * [\[SRX\] How to configure syslog to display VPN status messages - KB10097 ↗](https://supportportal.juniper.net/s/article/SRX-How-to-configure-syslog-to-display-VPN-status-messages) * [\[SRX\] How to troubleshoot IKE Phase 2 VPN connection issues - KB10099 ↗](https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-2-VPN-connection-issues) * [\[SRX\] How to enable VPN (IKE/IPsec) traceoptions for specific SAs (Security Associations) - KB19943 ↗](https://supportportal.juniper.net/s/article/SRX-How-to-enable-VPN-IKE-IPsec-traceoptions-for-specific-SAs-Security-Associations) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-wan/configuration/","name":"Configuration"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-wan/configuration/third-party/","name":"Third-party integration"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-wan/configuration/third-party/juniper/","name":"HPE Juniper Networking SRX Series Firewalls"}}]} ```