Hi
I have an SRX in the branch. The SRX is behind a NAT device, so the public IP is on the NAT device and the SRX external interface has a private IP address.
We need to setup site to site VPN with a Cisco ASA in HQ.
I configured the Juniper SRX with the commands below, but neither phase 1 nor phase 2 comes up.
set security ike proposal HQ-VPN authentication-method pre-shared-keys
set security ike proposal HQ-VPN dh-group group2
set security ike proposal HQ-VPN authentication-algorithm sha1
set security ike proposal HQ-VPN encryption-algorithm aes-128-cbc
set security ike proposal HQ-VPN lifetime-seconds 86400
set security ike policy HQ-VPN mode main
set security ike policy HQ-VPN proposals HQ-VPN
set security ike policy HQ-VPN pre-shared-key ascii-text "$9$dDVgaJZD.PQHqT369OBvWLN-bwYgGDkqm0BREyr24o"
set security ike gateway HQ-VPN ike-policy HQ-VPN
set security ike gateway HQ-VPN address "Peer public IP"
set security ike gateway HQ-VPN local-identity inet "NAT device Public IP"
set security ike gateway HQ-VPN external-interface ge-0/0/0.0
set security ipsec proposal HQ-VPN protocol esp
set security ipsec proposal HQ-VPN authentication-algorithm hmac-sha1-96
set security ipsec proposal HQ-VPN encryption-algorithm aes-128-cbc
set security ipsec proposal HQ-VPN lifetime-seconds 28800
set security ipsec policy HQ-VPN proposals HQ-VPN
set security ipsec vpn HQ-VPN ike gateway HQ-VPN
set security ipsec vpn HQ-VPN ike proxy-identity local x.x.x.x
set security ipsec vpn HQ-VPN ike proxy-identity remote y.y.y.y
set security ipsec vpn HQ-VPN ike ipsec-policy HQ-VPN
set security ipsec vpn HQ-VPN establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match source-address x.x.x.x
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match destination-address y.y.y.y
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match application any
set security policies from-zone trust to-zone untrust policy Branch-To-HQ then permit tunnel ipsec-vpn HQ-VPN
set security policies from-zone untrust to-zone trust policy HQ-To-Branch match source-address y.y.y.y
set security policies from-zone untrust to-zone trust policy HQ-To-Branch match destination-address x.x.x.x
set security policies from-zone untrust to-zone trust policy HQ-To-Branch match application any
set security policies from-zone untrust to-zone trust policy HQ-To-Branch then permit tunnel ipsec-vpn HQ-VPN
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
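A quick sanity check for set-style configurations like the one above, added here as an example and not part of the original post: it parses the `set` commands and reports every IKE proposal, IKE policy, gateway, IPsec proposal, IPsec policy, VPN or zone that is referenced but never defined, and it verifies that the zone holding each gateway's external-interface allows host-inbound `ike`. The embedded sample is the configuration from the post (the pre-shared key replaced by a placeholder), plus one constructed line assigning `ge-0/0/1.0` to the `trust` zone, which the post omits; the `untrustt` spelling in the HQ-To-Branch policy is deliberately kept so the check has something to report.

```python
"""Cross-reference checker for Junos set-style SRX VPN configuration (added example)."""
import shlex
from collections import defaultdict

# Constructed sample input: the configuration from the post, with a placeholder
# pre-shared key and an assumed 'trust' zone line (not in the original post).
SAMPLE_CONFIG = """
set security ike proposal HQ-VPN authentication-method pre-shared-keys
set security ike proposal HQ-VPN dh-group group2
set security ike proposal HQ-VPN authentication-algorithm sha1
set security ike proposal HQ-VPN encryption-algorithm aes-128-cbc
set security ike proposal HQ-VPN lifetime-seconds 86400
set security ike policy HQ-VPN mode main
set security ike policy HQ-VPN proposals HQ-VPN
set security ike policy HQ-VPN pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway HQ-VPN ike-policy HQ-VPN
set security ike gateway HQ-VPN address "Peer public IP"
set security ike gateway HQ-VPN local-identity inet "NAT device Public IP"
set security ike gateway HQ-VPN external-interface ge-0/0/0.0
set security ipsec proposal HQ-VPN protocol esp
set security ipsec proposal HQ-VPN authentication-algorithm hmac-sha1-96
set security ipsec proposal HQ-VPN encryption-algorithm aes-128-cbc
set security ipsec proposal HQ-VPN lifetime-seconds 28800
set security ipsec policy HQ-VPN proposals HQ-VPN
set security ipsec vpn HQ-VPN ike gateway HQ-VPN
set security ipsec vpn HQ-VPN ike proxy-identity local x.x.x.x
set security ipsec vpn HQ-VPN ike proxy-identity remote y.y.y.y
set security ipsec vpn HQ-VPN ike ipsec-policy HQ-VPN
set security ipsec vpn HQ-VPN establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match source-address x.x.x.x
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match destination-address y.y.y.y
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match application any
set security policies from-zone trust to-zone untrust policy Branch-To-HQ then permit tunnel ipsec-vpn HQ-VPN
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch match source-address y.y.y.y
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch match destination-address x.x.x.x
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch match application any
set security policies from-zone untrustt to-zone trust policy HQ-To-Branch then permit tunnel ipsec-vpn HQ-VPN
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
"""

# Statement prefixes that define an object; the object name is the next token.
DEFINITIONS = {
    ("security", "ike", "proposal"): "ike proposal",
    ("security", "ike", "policy"): "ike policy",
    ("security", "ike", "gateway"): "ike gateway",
    ("security", "ipsec", "proposal"): "ipsec proposal",
    ("security", "ipsec", "policy"): "ipsec policy",
    ("security", "ipsec", "vpn"): "ipsec vpn",
    ("security", "zones", "security-zone"): "zone",
}


def parse_set_lines(text):
    """Return each 'set ...' line as a token list, with the leading 'set' dropped."""
    return [shlex.split(l.strip())[1:] for l in text.splitlines() if l.strip().startswith("set ")]


def _values_after(s, keyword):
    """Value(s) following a keyword; Junos writes multi-value lists as [ a b ]."""
    if keyword not in s:
        return []
    i = s.index(keyword) + 1
    if i < len(s) and s[i] == "[":
        return s[i + 1:s.index("]", i)]
    return s[i:i + 1]


def references(s):
    """Yield (kind, name) for every object a statement refers to."""
    if s[:3] == ["security", "ike", "policy"]:
        yield from (("ike proposal", n) for n in _values_after(s, "proposals"))
    if s[:3] == ["security", "ike", "gateway"]:
        yield from (("ike policy", n) for n in _values_after(s, "ike-policy"))
    if s[:3] == ["security", "ipsec", "policy"]:
        yield from (("ipsec proposal", n) for n in _values_after(s, "proposals"))
    if s[:3] == ["security", "ipsec", "vpn"] and s[4:5] == ["ike"]:
        yield from (("ike gateway", n) for n in _values_after(s, "gateway"))
        yield from (("ipsec policy", n) for n in _values_after(s, "ipsec-policy"))
    if s[:2] == ["security", "policies"]:
        yield from (("zone", n) for kw in ("from-zone", "to-zone") for n in _values_after(s, kw))
        yield from (("ipsec vpn", n) for n in _values_after(s, "ipsec-vpn"))


def check(text):
    """Return a list of human-readable problems; an empty list means the config is consistent."""
    stmts = parse_set_lines(text)
    defined, zone_of_iface, ike_zones, gw_iface = defaultdict(set), {}, set(), {}
    for s in stmts:
        kind = DEFINITIONS.get(tuple(s[:3]))
        if kind and len(s) > 3:
            defined[kind].add(s[3])
        if s[:3] == ["security", "zones", "security-zone"]:
            if s[4:5] == ["interfaces"] and len(s) > 5:
                zone_of_iface[s[5]] = s[3]
            if s[4:6] == ["host-inbound-traffic", "system-services"] and s[6:7] and s[6] in ("ike", "all"):
                ike_zones.add(s[3])
        if s[:3] == ["security", "ike", "gateway"] and s[4:5] == ["external-interface"]:
            gw_iface[s[3]] = s[5]
    problems = []
    for s in stmts:
        for kind, name in references(s):
            if name not in defined[kind]:
                problems.append(f"{kind} '{name}' referenced but never defined: set {' '.join(s)}")
    for gw, iface in gw_iface.items():  # IKE must be reachable on the gateway's interface
        zone = zone_of_iface.get(iface)
        if zone is None:
            problems.append(f"ike gateway '{gw}': external-interface {iface} is in no security zone")
        elif zone not in ike_zones:
            problems.append(f"ike gateway '{gw}': zone '{zone}' does not allow host-inbound system-services ike")
    return problems


if __name__ == "__main__":
    for p in check(SAMPLE_CONFIG) or ["no dangling references"]:
        print(p)
```

Run against the sample, the only findings are the four HQ-To-Branch statements that name the non-existent zone `untrustt`; with that spelling corrected the check comes back clean. The script only catches dangling names and the host-inbound `ike` requirement, so a clean run says nothing about whether the proposals, identities or proxy-IDs actually match the ASA side.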