Site to Site VPN IPSec Between GCP and Juniper SRX

This scenario builds an IPsec tunnel between GCP Cloud VPN and a Juniper SRX.





Create VPN Connections -> Classic VPN




There is no need to configure Phase 1 and Phase 2 parameters on the GCP side: Cloud VPN auto-negotiates the connection as long as the peer uses a supported IKE cipher. Check the documentation for the list of supported ciphers.


The Juniper SRX configuration follows.

Create interface:

set interfaces st0 unit 0 family inet mtu 1460

Configure security zone:

set security zones security-zone VPN-GCP interfaces st0.0

Configure security policy:

set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST match source-address any
set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST match destination-address any
set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST match application any
set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST then permit

set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP match source-address any
set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP match destination-address any
set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP match application any
set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP then permit

Configure IKE:

set security ike proposal IKE_PROPOSAL_GCP_TRIAL authentication-method pre-shared-keys
set security ike proposal IKE_PROPOSAL_GCP_TRIAL dh-group group2
set security ike proposal IKE_PROPOSAL_GCP_TRIAL authentication-algorithm sha1
set security ike proposal IKE_PROPOSAL_GCP_TRIAL encryption-algorithm aes-128-cbc
set security ike proposal IKE_PROPOSAL_GCP_TRIAL lifetime-seconds 3600

set security ike policy GCP-TRIAL-IPSEC-IKE mode main
set security ike policy GCP-TRIAL-IPSEC-IKE proposals IKE_PROPOSAL_GCP_TRIAL
set security ike policy GCP-TRIAL-IPSEC-IKE pre-shared-key ascii-text $9$t4OL0OIylMX7VCtyKMW-dik.Pfz0ORcyeAp87Vw4oJGDHmTn6AIEytu

set security ike gateway GCP_TRIAL_IPSEC ike-policy GCP-TRIAL-IPSEC-IKE
set security ike gateway GCP_TRIAL_IPSEC address 35.234.42.X
set security ike gateway GCP_TRIAL_IPSEC local-identity inet 103.75.X.X
set security ike gateway GCP_TRIAL_IPSEC external-interface ge-0/0/0
set security ike gateway GCP_TRIAL_IPSEC local-address 103.75.X.X
set security ike gateway GCP_TRIAL_IPSEC version v2-only

Configure IPSec:

set security ipsec proposal IPSEC_GCP_TRIAL protocol esp
set security ipsec proposal IPSEC_GCP_TRIAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_GCP_TRIAL encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_GCP_TRIAL lifetime-seconds 3600

Bind the proposal to the IPsec policy that the VPN references below:

set security ipsec policy IPSEC_POLICY_GCP_TRIAL proposals IPSEC_GCP_TRIAL


set security ipsec vpn VPN_GCP_TRIAL_IPSEC bind-interface st0.0
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike gateway GCP_TRIAL_IPSEC
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike proxy-identity local 192.168.38.0/24
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike proxy-identity remote 10.140.0.0/20
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike ipsec-policy IPSEC_POLICY_GCP_TRIAL
set security ipsec vpn VPN_GCP_TRIAL_IPSEC establish-tunnels immediately

Configure static route:

set routing-options static route 10.140.0.0/20 next-hop st0.0
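A commit check on the SRX should flag a reference to an object that is not defined, but it is useful to catch dangling references and legacy cipher choices before touching the device. The following is an added example, not code from the post or from Juniper: a small Python linter over flat `set` lines. The sample configuration is a constructed subset of the lines above with the `set security ipsec policy` line left out on purpose, so that the `ike ipsec-policy` reference is reported; the LEGACY table (DH groups 1, 2 and 5, MD5 and SHA-1) reflects current strength expectations, not a Cloud VPN support list.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of this post's SRX "set" lines (secret and public
# addresses omitted); the ipsec policy it references is deliberately not defined.
SRX_CONFIG = """
set security ike proposal IKE_PROPOSAL_GCP_TRIAL dh-group group2
set security ike proposal IKE_PROPOSAL_GCP_TRIAL authentication-algorithm sha1
set security ike policy GCP-TRIAL-IPSEC-IKE proposals IKE_PROPOSAL_GCP_TRIAL
set security ike gateway GCP_TRIAL_IPSEC ike-policy GCP-TRIAL-IPSEC-IKE
set security ipsec proposal IPSEC_GCP_TRIAL protocol esp
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike gateway GCP_TRIAL_IPSEC
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike ipsec-policy IPSEC_POLICY_GCP_TRIAL
"""

# (referencing stanza, attribute, stanza in which the referenced name must exist)
REFS = [
    ("ike policy", "proposals", "ike proposal"),
    ("ike gateway", "ike-policy", "ike policy"),
    ("ipsec policy", "proposals", "ipsec proposal"),
    ("ipsec vpn", "ike gateway", "ike gateway"),
    ("ipsec vpn", "ike ipsec-policy", "ipsec policy"),
]
# Accepted by many peers but legacy strength: 1024/1536-bit MODP groups, MD5/SHA-1.
LEGACY = {"dh-group": {"group1", "group2", "group5"},
          "authentication-algorithm": {"md5", "sha1"}}
LINE_RE = re.compile(r"set security (ike|ipsec) (proposal|policy|gateway|vpn) (\S+) (.+)")


def lint(config):
    """Return DANGLING/LEGACY findings for a flat Junos 'set' configuration."""
    defined = defaultdict(set)  # stanza -> object names that appear on any line
    refs = []                   # (stanza, name, target stanza, referenced name)
    findings = []
    for line in config.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stanza, name, rest = f"{m[1]} {m[2]}", m[3], m[4]
        defined[stanza].add(name)
        for src, attr, target in REFS:
            if stanza == src and rest.startswith(attr + " "):
                refs.append((stanza, name, target, rest[len(attr) + 1:]))
        key, _, value = rest.partition(" ")
        if value in LEGACY.get(key, ()):
            findings.append(f"LEGACY {stanza} {name}: {key} {value}")
    for stanza, name, target, ref in refs:
        if ref not in defined[target]:
            findings.append(f"DANGLING {stanza} {name}: {target} {ref} is not defined")
    return findings
```

Adding `set security ipsec policy IPSEC_POLICY_GCP_TRIAL proposals IPSEC_GCP_TRIAL` to the input clears the DANGLING finding; the LEGACY findings remain until the proposal is moved to a stronger DH group and hash.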


We can then verify the site-to-site connection between GCP and on-prem (Juniper SRX).
