IPsec Site-to-Site Tunnel between SRX100 and PfSense (Policy-Based VPN)

pfs-jsrx100-ipsec-pbvpn

Today (with the help of my friend and skillful netadmin Malte) we finally figured out how to bring up an IPsec Site-to-Site Policy-based VPN with multiple phase2-entries behind the PfSense and a single subnet behind the SRX100.

For this to work with a Policy-Based VPN (since PfSense can’t do route-based VPN) you need to create a policy for each combination of the subnets so that juniper can generate the correct proxy-id’s. If you miss one, you end up with an error like:

 

Here’s the config from the J-Point of view:

Took us some time to figure out why we still had some problems but in the end we found the culprit:

Seems to me, that PfSense and Juniper don’t play very nice when PFS is enabled.
After deleting the PFS-Group all 3 subnets went up and traffic was able to flow.

Hopefully this short article can save you some pain in the ass 😉

2 thoughts on “IPsec Site-to-Site Tunnel between SRX100 and PfSense (Policy-Based VPN)

  1. Gary

    Christian, do you happen to have the PFSense config still (I see the post is old so no worries if not)?

    Reply
    1. christianscholz Post author

      Hi Gary,

      I might indeed be able to fetch it from my Archives – I will see what I can find
      But remember: this is still an old Version of PFSense and an SRX100 that we are talking about.
      Nowadays, there are many secure ways to connect PFSense and the SRX300, for example.

      –Christian

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha * Time limit is exhausted. Please reload CAPTCHA.