
@GauntletWizard
Last active November 1, 2021 09:02
IPsec config
# ipsec.conf connection definition; the `ipsec status` output below uses keywords
# such as fake-strongswan and nic-offload, which suggests a libreswan daemon.
conn internal
# Pre-shared-key authentication (status below: "our auth:secret, their auth:secret",
# policy PSK).
authby=secret
# Load and bring the tunnel up when the daemon starts.
auto=start
# Phase 1 (IKE SA): AES-256 / SHA2-256 / MODP-2048, reported in the status below as
# AES_CBC_256-HMAC_SHA2_256-MODP2048.
ike=aes256-sha2-dh14
ikelifetime=14400s
# Phase 2 (IPsec SA): AES-256 / HMAC-SHA2-256-128, reported as AES_CBC_256-HMAC_SHA2_256_128.
esp=aes256-sha2_256
salifetime=3600s
# left/right are oriented by whichever address is local on the host that loads the conn,
# so "us"/"them" do not mean "this host"/"peer" on both ends: the status below was taken on
# 172.16.1.64 and reports "our id=@them; their id=@us".
leftid=@us
left=172.16.1.135
# RSA public-key authentication appears to have been tried and then commented out; with
# authby=secret these lines are ignored. The key material on these lines has been removed
# from this copy.
# rsakey AwEAAfCEk
# leftrsasigkey=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
rightid=@them
right=172.16.1.64
# rsakey AwEAAbAx0
# rightrsasigkey=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
# NOTE(review): the status below shows policy IKEV1_ALLOW+IKEV2_ALLOW, dpd delay:0 (no
# liveness checks) and 12 half-open IKEv1 main-mode states (STATE_MAIN_R0) with no open or
# authenticated SA, i.e. negotiations never progress past the initial responder state;
# check that PSK, IDs and proposals agree on both peers before looking elsewhere.
000 "internal": 172.16.1.64<172.16.1.64>[@them]...172.16.1.135<172.16.1.135>[@us]; unrouted; eroute owner: #0
000 "internal": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "internal": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "internal": our auth:secret, their auth:secret
000 "internal": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "internal": labeled_ipsec:no;
000 "internal": policy_label:unset;
000 "internal": ike_life: 14400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "internal": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "internal": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "internal": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "internal": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "internal": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "internal": our idtype: ID_FQDN; our id=@them; their idtype: ID_FQDN; their id=@us
000 "internal": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "internal": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "internal": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "internal": ESP algorithms: AES_CBC_256-HMAC_SHA2_256_128
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(12), half-open(12), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #2: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #3: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #5: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #7: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #8: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #10: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #12: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #13: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #15: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
000 #17: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set
# Junos operational-mode commands used while checking the tunnel (not configuration).
request dhcp client renew all
# Phase 1 (IKE) SAs, tunnels that are down, and phase 2 (IPsec) SAs.
show security ike security-associations
show security ipsec inactive-tunnels
show security ipsec security-associations
# IPs and aliases:
# Test1/Terraform
# Address-book entries for single hosts (/32), referenced by security policies.
set security address-book global address Host1-Net 172.16.1.238/32
# Test2/Manual:
set security address-book global address Host2-Net 172.16.1.245/32
#
# NOTE(review): both ge interfaces take addresses from the same 172.16.1.0/24; confirm the
# trust and untrust sides are really meant to share one subnet.
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.150/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.1/32
# NOTE(review): next-hop 172.16.13.2 is not within any subnet configured above
# (172.16.1.0/24, 10.100.100.1/32); the default route will not resolve unless an
# interface outside this snippet covers it.
set routing-options static route 0.0.0.0/0 next-hop 172.16.13.2
# Zones: trust (ge-0/0/0.0) admits every system service from inside; untrust (ge-0/0/1.0)
# admits only IKE and ping, which is what the IPsec peer needs.
# NOTE(review): "system-services all" on trust is broad; list only the services needed if
# the trust side can carry untrusted hosts.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
# Source NAT, following the Juniper overview linked below: trust -> untrust traffic from
# 172.16.0.0/12 (wider than the /24 on the interfaces) is translated to pool_1.
# NOTE(review): 192.0.2.250 lies in the RFC 5737 documentation range (TEST-NET-1) and is
# probably a placeholder from the Juniper example; replace it with the real egress address.
# https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-nat-configuration-overview.html
set security nat source pool pool_1 address 192.0.2.250/32
set security nat source rule-set SR_SET_1 from zone trust
set security nat source rule-set SR_SET_1 to zone untrust
# match sources from our local network
set security nat source rule-set SR_SET_1 rule rule1 match source-address 172.16.0.0/12
# External NAT: any destination
set security nat source rule-set SR_SET_1 rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set SR_SET_1 rule rule1 then source-nat pool pool_1
https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-policy-based-ipsec-vpns.html#id-understanding-policy-based-ipsec-vpns
https://www.juniper.net/documentation/en_US/vsrx/information-products/pathway-pages/security-vsrx-aws-guide-pwp.pdf
- Page 23 has interface mappings.
https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-nat-configuration-overview.html
https://www.juniper.net/documentation/en_US/day-one-books/AWS_vSRX_Cookbook22.pdf
Someone else's config:
https://gist.github.com/dijeesh/3e1f5526ca06846a715142b82fdf53c0
AWS guide to Juniper:
https://docs.aws.amazon.com/vpn/latest/s2svpn/Juniper_Troubleshooting.html
https://support.juniper.net/support/tools/vpnconfig/#ipTypes