IPsec Site-to-Site Tunnel between SRX100 and PfSense (Policy-Based VPN)

pfs-jsrx100-ipsec-pbvpn

Today (with the help of my friend and skillful netadmin Malte) we finally figured out how to bring up an IPsec Site-to-Site Policy-based VPN with multiple phase2-entries behind the PfSense and a single subnet behind the SRX100.

For this to work with a Policy-Based VPN (since PfSense can’t do route-based VPN) you need to create a policy for each combination of the subnets so that juniper can generate the correct proxy-id’s. If you miss one, you end up with an error like:

 

Here’s the config from the J-Point of view:

Took us some time to figure out why we still had some problems but in the end we found the culprit:

Seems to me, that PfSense and Juniper don’t play very nice when PFS is enabled.
After deleting the PFS-Group all 3 subnets went up and traffic was able to flow.

Hopefully this short article can save you some pain in the ass 😉

Leave a Comment

Captcha * Time limit is exhausted. Please reload CAPTCHA.