The following scenario covers an IPSec tunnel between GCP Cloud VPN and a Juniper SRX.
On the GCP side, create the VPN connection: VPN Connections -> Classic VPN.
There is no need to configure phase 1 and phase 2 parameters on the GCP side, because Cloud VPN auto-negotiates the connection as long as the peer uses a supported IKE cipher setting. Check the Cloud VPN documentation for the supported ciphers.
The Juniper SRX configuration follows.
Create interface:
set interfaces st0 unit 0 family inet mtu 1460
Configure security zone:
set security zones security-zone VPN-GCP interfaces st0.0
Configure security policy:
set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST match source-address any
set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST match destination-address any
set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST match application any
set security policies from-zone VPN-GCP to-zone TRUST policy VPNGCP-TRUST then permit
set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP match source-address any
set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP match destination-address any
set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP match application any
set security policies from-zone TRUST to-zone VPN-GCP policy TRUST-VPNGCP then permit
Configure IKE:
set security ike proposal IKE_PROPOSAL_GCP_TRIAL authentication-method pre-shared-keys
set security ike proposal IKE_PROPOSAL_GCP_TRIAL dh-group group2
set security ike proposal IKE_PROPOSAL_GCP_TRIAL authentication-algorithm sha1
set security ike proposal IKE_PROPOSAL_GCP_TRIAL encryption-algorithm aes-128-cbc
set security ike proposal IKE_PROPOSAL_GCP_TRIAL lifetime-seconds 3600
set security ike policy GCP-TRIAL-IPSEC-IKE mode main
set security ike policy GCP-TRIAL-IPSEC-IKE proposals IKE_PROPOSAL_GCP_TRIAL
set security ike policy GCP-TRIAL-IPSEC-IKE pre-shared-key ascii-text $9$t4OL0OIylMX7VCtyKMW-dik.Pfz0ORcyeAp87Vw4oJGDHmTn6AIEytu
set security ike gateway GCP_TRIAL_IPSEC ike-policy GCP-TRIAL-IPSEC-IKE
set security ike gateway GCP_TRIAL_IPSEC address 35.234.42.X
set security ike gateway GCP_TRIAL_IPSEC local-identity inet 103.75.X.X
set security ike gateway GCP_TRIAL_IPSEC external-interface ge-0/0/0
set security ike gateway GCP_TRIAL_IPSEC local-address 103.75.X.X
set security ike gateway GCP_TRIAL_IPSEC version v2-only
Configure IPSec:
set security ipsec proposal IPSEC_GCP_TRIAL protocol esp
set security ipsec proposal IPSEC_GCP_TRIAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_GCP_TRIAL encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_GCP_TRIAL lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY_GCP_TRIAL proposals IPSEC_GCP_TRIAL
set security ipsec vpn VPN_GCP_TRIAL_IPSEC bind-interface st0.0
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike gateway GCP_TRIAL_IPSEC
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike proxy-identity local 192.168.38.0/24
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike proxy-identity remote 10.140.0.0/20
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike ipsec-policy IPSEC_POLICY_GCP_TRIAL
set security ipsec vpn VPN_GCP_TRIAL_IPSEC establish-tunnels immediately
Configure static route:
set routing-options static route 10.140.0.0/20 next-hop st0.0
We can then verify the site-to-site connection between GCP and on-prem (Juniper SRX).
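As an added example (not from the original post, and not Juniper's or Google's tooling), the following Python script checks a set-format SRX configuration for the consistency problems that most often keep a tunnel from coming up: a reference to an object that was never defined (for example an ike ipsec-policy name with no matching set security ipsec policy statement), a proxy-identity remote prefix with no static route over the interface the VPN binds to, and an IKEv1 exchange-mode setting on a policy used by a version v2-only gateway. The sample configuration embedded in it is constructed from the commands above, with the ipsec policy statement deliberately left out so there is something to find; the object names are the page's own.

```python
"""Consistency check for a Junos set-format IPsec configuration.

Added example (not part of the original post): before committing the SRX
side of a Cloud VPN tunnel, walk the 'set' commands and confirm that every
object the VPN references (IKE proposal -> IKE policy -> IKE gateway,
IPsec proposal -> IPsec policy -> VPN, st0 unit, zone, static route) is
actually defined, that each proxy-identity remote prefix is routed over
the interface the VPN binds to, and that IKEv1-only knobs are not relied
on under 'version v2-only'.  SAMPLE_CONFIG is constructed from the page's
commands with the 'set security ipsec policy' statement left out, so the
checker has a dangling reference to report.
"""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """\
set interfaces st0 unit 0 family inet mtu 1460
set security zones security-zone VPN-GCP interfaces st0.0
set security ike proposal IKE_PROPOSAL_GCP_TRIAL authentication-method pre-shared-keys
set security ike policy GCP-TRIAL-IPSEC-IKE mode main
set security ike policy GCP-TRIAL-IPSEC-IKE proposals IKE_PROPOSAL_GCP_TRIAL
set security ike gateway GCP_TRIAL_IPSEC ike-policy GCP-TRIAL-IPSEC-IKE
set security ike gateway GCP_TRIAL_IPSEC version v2-only
set security ipsec proposal IPSEC_GCP_TRIAL protocol esp
set security ipsec vpn VPN_GCP_TRIAL_IPSEC bind-interface st0.0
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike gateway GCP_TRIAL_IPSEC
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike proxy-identity remote 10.140.0.0/20
set security ipsec vpn VPN_GCP_TRIAL_IPSEC ike ipsec-policy IPSEC_POLICY_GCP_TRIAL
set routing-options static route 10.140.0.0/20 next-hop st0.0
"""
# The statement the sample is missing; appending it makes the model consistent.
MISSING_POLICY = "set security ipsec policy IPSEC_POLICY_GCP_TRIAL proposals IPSEC_GCP_TRIAL\n"

# Hierarchy prefix -> object kind; the token after the prefix is the object name.
DEFINES = {
    ("security", "ike", "proposal"): "ike-proposal",
    ("security", "ike", "policy"): "ike-policy",
    ("security", "ike", "gateway"): "ike-gateway",
    ("security", "ipsec", "proposal"): "ipsec-proposal",
    ("security", "ipsec", "policy"): "ipsec-policy",
    ("security", "ipsec", "vpn"): "ipsec-vpn",
    ("security", "zones", "security-zone"): "zone",
}
# (kind of the statement, keyword inside it) -> kind of the object it names.
REFERENCES = {
    ("ike-policy", "proposals"): "ike-proposal",
    ("ike-gateway", "ike-policy"): "ike-policy",
    ("ipsec-policy", "proposals"): "ipsec-proposal",
    ("ipsec-vpn", "gateway"): "ike-gateway",
    ("ipsec-vpn", "ipsec-policy"): "ipsec-policy",
    ("ipsec-vpn", "bind-interface"): "interface",
    ("zone", "interfaces"): "interface",
}


def _values_after(rest, keyword):
    """Value(s) following keyword; Junos lists may be bracketed: proposals [ A B ]."""
    i = rest.index(keyword) + 1
    if i < len(rest) and rest[i] == "[":
        return rest[i + 1:rest.index("]", i)]
    return rest[i:i + 1]


def _value_after(rest, keyword):
    vals = _values_after(rest, keyword) if keyword in rest else []
    return vals[0] if vals else None


def parse_set_config(text):
    """Build a small model: definitions, references, routes and per-object attributes."""
    defined = {kind: set() for kind in list(DEFINES.values()) + ["interface"]}
    refs, routes = [], {}
    vpns, gateways, policy_mode = defaultdict(dict), defaultdict(dict), {}
    for raw in text.splitlines():
        words = raw.split()
        if len(words) < 5 or words[0] != "set":
            continue
        words = words[1:]
        if words[0] == "interfaces" and words[2] == "unit":
            defined["interface"].add(f"{words[1]}.{words[3]}")  # st0 unit 0 -> st0.0
            continue
        if words[:3] == ["routing-options", "static", "route"]:
            nexthop = _value_after(words, "next-hop")
            if nexthop:
                routes[ipaddress.ip_network(words[3], strict=False)] = nexthop
                try:
                    ipaddress.ip_address(nexthop)
                except ValueError:  # not an address, so the next hop is an interface
                    refs.append(("interface", nexthop, raw))
            continue
        kind = DEFINES.get(tuple(words[:3]))
        if kind is None:
            continue
        name, rest = words[3], words[4:]
        defined[kind].add(name)
        for (stmt_kind, keyword), target in REFERENCES.items():
            if stmt_kind == kind and keyword in rest:
                for value in _values_after(rest, keyword):
                    refs.append((target, value, raw))
        if kind == "ipsec-vpn":
            if "bind-interface" in rest:
                vpns[name]["bind"] = _value_after(rest, "bind-interface")
            if rest[:3] == ["ike", "proxy-identity", "remote"] and len(rest) > 3:
                vpns[name].setdefault("remote", []).append(
                    ipaddress.ip_network(rest[3], strict=False))
        elif kind == "ike-gateway":
            if "ike-policy" in rest:
                gateways[name]["policy"] = _value_after(rest, "ike-policy")
            if rest[:2] == ["version", "v2-only"]:
                gateways[name]["v2only"] = True
        elif kind == "ike-policy" and rest[:1] == ["mode"] and len(rest) > 1:
            policy_mode[name] = rest[1]
    return {"defined": defined, "refs": refs, "routes": routes,
            "vpns": vpns, "gateways": gateways, "policy_mode": policy_mode}


def check_config(text):
    """Return human-readable findings; an empty list means the model is consistent."""
    m = parse_set_config(text)
    findings = []
    for kind, name, line in m["refs"]:
        if name not in m["defined"][kind]:
            findings.append(f"undefined {kind} '{name}' referenced by: {line.strip()}")
    for vpn, attrs in m["vpns"].items():
        bind = attrs.get("bind")
        for remote in attrs.get("remote", []):
            routed = any(remote.subnet_of(net) and hop == bind
                         for net, hop in m["routes"].items())
            if not routed:
                findings.append(f"vpn '{vpn}': proxy-identity remote {remote} "
                                f"has no static route via {bind}")
    for gw, attrs in m["gateways"].items():
        mode = m["policy_mode"].get(attrs.get("policy"))
        if attrs.get("v2only") and mode:
            findings.append(f"gateway '{gw}' is v2-only but ike policy '{attrs['policy']}' "
                            f"sets mode {mode}, an IKEv1 exchange-mode setting IKEv2 does not use")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the candidate configuration before committing; an empty result means the objects reference each other consistently and the remote prefix is routed into the tunnel. It says nothing about the negotiation itself, which is confirmed on the SRX with show security ike security-associations and show security ipsec security-associations once the peer is reachable.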