@dijeesh
Last active September 29, 2022 10:22
SRX Rules for creating IPSec Tunnel between Amazon VPC and Juniper SRX
Tunnel 1
===================================
set security ike proposal ike-prop-vpn-to-aws-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-to-aws-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-to-aws-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-to-aws-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-to-aws-1 dh-group group2
set security ike policy ike-pol-vpn-to-aws-1 mode main
set security ike policy ike-pol-vpn-to-aws-1 proposals ike-prop-vpn-to-aws-1
set security ike policy ike-pol-vpn-to-aws-1 pre-shared-key ascii-text xxxxx
set security ike gateway gw-vpn-to-aws-1 ike-policy ike-pol-vpn-to-aws-1
set security ike gateway gw-vpn-to-aws-1 external-interface reth2.0
set security ike gateway gw-vpn-to-aws-1 address x.x.x.x
set security ipsec proposal ipsec-prop-vpn-to-aws-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-to-aws-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-to-aws-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-to-aws-1 lifetime-seconds 3600
set security ipsec policy ipsec-pol-vpn-to-aws-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-to-aws-1 proposals ipsec-prop-vpn-to-aws-1
set security ipsec vpn vpn-to-aws-1 bind-interface st0.1
set security ipsec vpn vpn-to-aws-1 ike gateway gw-vpn-to-aws-1
set security ipsec vpn vpn-to-aws-1 ike ipsec-policy ipsec-pol-vpn-to-aws-1
set security ipsec vpn vpn-to-aws-1 df-bit clear
set security ike gateway gw-vpn-to-aws-1 dead-peer-detection
set interfaces st0.1 family inet address 169.254.45.226/30
set interfaces st0.1 family inet mtu 1436
# st0.1 must sit in the same zone (AWS_VPC) that the address book and policies below reference
set security zones security-zone AWS_VPC interfaces st0.1
set security ipsec vpn vpn-to-aws-1 vpn-monitor source-interface st0.1
set security ipsec vpn vpn-to-aws-1 vpn-monitor destination-ip 169.254.45.225
Tunnel 2
===================================
set security ike proposal ike-prop-vpn-to-aws-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-to-aws-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-to-aws-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-to-aws-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-to-aws-2 dh-group group2
set security ike policy ike-pol-vpn-to-aws-2 mode main
set security ike policy ike-pol-vpn-to-aws-2 proposals ike-prop-vpn-to-aws-2
set security ike policy ike-pol-vpn-to-aws-2 pre-shared-key ascii-text xxxxxx
set security ike gateway gw-vpn-to-aws-2 ike-policy ike-pol-vpn-to-aws-2
set security ike gateway gw-vpn-to-aws-2 external-interface reth2.0
set security ike gateway gw-vpn-to-aws-2 address x.x.x.x
set security ipsec proposal ipsec-prop-vpn-to-aws-2 protocol esp
set security ipsec proposal ipsec-prop-vpn-to-aws-2 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-to-aws-2 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-to-aws-2 lifetime-seconds 3600
set security ipsec policy ipsec-pol-vpn-to-aws-2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-to-aws-2 proposals ipsec-prop-vpn-to-aws-2
set security ipsec vpn vpn-to-aws-2 bind-interface st0.2
set security ipsec vpn vpn-to-aws-2 ike gateway gw-vpn-to-aws-2
set security ipsec vpn vpn-to-aws-2 ike ipsec-policy ipsec-pol-vpn-to-aws-2
set security ipsec vpn vpn-to-aws-2 df-bit clear
set security ike gateway gw-vpn-to-aws-2 dead-peer-detection
set interfaces st0.2 family inet address 169.254.44.162/30
set interfaces st0.2 family inet mtu 1436
set security zones security-zone AWS_VPC interfaces st0.2
set security zones security-zone Public host-inbound-traffic system-services ike
set security flow tcp-mss ipsec-vpn mss 1387
set security ipsec vpn vpn-to-aws-2 vpn-monitor source-interface st0.2
set security ipsec vpn vpn-to-aws-2 vpn-monitor destination-ip 169.254.44.161
# Static Routes
===================================
set routing-options static route 172.31.0.0/16 next-hop st0.1
set routing-options static route 172.31.0.0/16 next-hop st0.2 preference 10
# Address book entries
===================================
set security zones security-zone AWS_VPC address-book address 172_31_0_0_16 172.31.0.0/16
# Security Policies
===================================
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC match source-address x.x.x.x
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC match destination-address 172_31_0_0_16
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC match application any
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC then permit
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ match source-address 172_31_0_0_16
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ match destination-address x.x.x.x
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ match application any
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ then permit
# Logging
===================================
set security ike traceoptions file kmd
set security ike traceoptions file size 1024768
set security ike traceoptions file files 10
set security ike traceoptions flag all
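The set lines above are easy to paste with a small drift that only shows up as a tunnel that comes up but passes no traffic: the st0 unit placed in a zone that no policy references, a vpn-monitor destination outside the st0 /30, or a gateway without dead-peer-detection. The following is an added example (not part of the gist) of a small checker for Junos set-style output; the `SAMPLE_CONFIG` it carries is a constructed subset of this page's configuration, with a deliberate `AWC_VPC` zone typo, a missing DPD line on the second gateway and a duplicated tcp-mss line so that each check has something to report. Function names (`parse_set_config`, `check_config`) are the example's own.

```python
"""Consistency checks for a Junos set-style IPsec-to-AWS configuration.

Added example, not code from the original gist. It parses 'set ...' lines
into a small model and then checks the things that most often break an AWS
VPN after a copy/paste:
  * the st0 unit bound to each VPN sits in a zone that security policies use
  * each VPN's vpn-monitor destination lies inside its own st0.x subnet
  * every IKE gateway referenced by a VPN has dead-peer-detection
  * duplicated set lines (harmless on commit, but a sign of drift)
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample mirroring the gist: note the AWC_VPC typo on the zone
# lines, no dead-peer-detection on gw-vpn-to-aws-2, and a duplicated mss line.
SAMPLE_CONFIG = """\
set security ike gateway gw-vpn-to-aws-1 external-interface reth2.0
set security ike gateway gw-vpn-to-aws-1 dead-peer-detection
set security ipsec vpn vpn-to-aws-1 bind-interface st0.1
set security ipsec vpn vpn-to-aws-1 ike gateway gw-vpn-to-aws-1
set interfaces st0.1 family inet address 169.254.45.226/30
set security zones security-zone AWC_VPC interfaces st0.1
set security ipsec vpn vpn-to-aws-1 vpn-monitor destination-ip 169.254.45.225
set security ike gateway gw-vpn-to-aws-2 external-interface reth2.0
set security ipsec vpn vpn-to-aws-2 bind-interface st0.2
set security ipsec vpn vpn-to-aws-2 ike gateway gw-vpn-to-aws-2
set interfaces st0.2 family inet address 169.254.44.162/30
set security zones security-zone AWC_VPC interfaces st0.2
set security ipsec vpn vpn-to-aws-2 vpn-monitor destination-ip 169.254.44.161
set security flow tcp-mss ipsec-vpn mss 1387
set security flow tcp-mss ipsec-vpn mss 1387
set security policies from-zone internal-1 to-zone AWS_VPC policy DMZ_TO_AWS_VPC then permit
set security policies from-zone AWS_VPC to-zone internal-1 policy AWS_VPC_TO_DMZ then permit
"""


def parse_set_config(text):
    """Build a model of the parts of the config the checks need."""
    model = {
        "vpn": defaultdict(dict),      # vpn name -> {bind, gateway, monitor}
        "gateway": defaultdict(dict),  # gateway name -> {dpd: True}
        "iface_addr": {},              # 'st0.1' -> '169.254.45.226/30'
        "iface_zone": {},              # 'st0.1' -> zone name
        "policy_zones": set(),         # zones referenced by any security policy
        "lines": Counter(),            # every set line, for duplicate detection
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        model["lines"][line] += 1
        t = line.split()
        if t[1:4] == ["security", "ipsec", "vpn"] and len(t) > 6:
            v = model["vpn"][t[4]]
            if t[5] == "bind-interface":
                v["bind"] = t[6]
            elif t[5:7] == ["ike", "gateway"] and len(t) > 7:
                v["gateway"] = t[7]
            elif t[5:7] == ["vpn-monitor", "destination-ip"] and len(t) > 7:
                v["monitor"] = t[7]
        elif t[1:4] == ["security", "ike", "gateway"] and len(t) > 5:
            gw = model["gateway"][t[4]]
            if t[5] == "dead-peer-detection":
                gw["dpd"] = True
        elif t[1] == "interfaces" and t[3:6] == ["family", "inet", "address"]:
            model["iface_addr"][t[2]] = t[6]
        elif (t[1:4] == ["security", "zones", "security-zone"]
              and len(t) > 6 and t[5] == "interfaces"):
            model["iface_zone"][t[6]] = t[4]
        elif t[1:3] == ["security", "policies"] and len(t) > 6 and t[3] == "from-zone":
            model["policy_zones"].update({t[4], t[6]})
    return model


def check_config(model):
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings = []
    for vpn, v in sorted(model["vpn"].items()):
        st = v.get("bind")
        if st is None:
            findings.append(("error", f"{vpn}: no bind-interface"))
            continue
        zone = model["iface_zone"].get(st)
        if zone is None:
            findings.append(("error", f"{vpn}: {st} is not placed in any security zone"))
        elif zone not in model["policy_zones"]:
            findings.append(("error", f"{vpn}: {st} is in zone {zone!r} but no "
                                      f"security policy references that zone (typo?)"))
        addr, mon = model["iface_addr"].get(st), v.get("monitor")
        if addr and mon:
            net = ipaddress.ip_interface(addr).network
            if ipaddress.ip_address(mon) not in net:
                findings.append(("error", f"{vpn}: vpn-monitor destination {mon} "
                                          f"is outside {st}'s subnet {net}"))
        elif not mon:
            findings.append(("warning", f"{vpn}: no vpn-monitor destination-ip"))
        gw = v.get("gateway")
        if gw and not model["gateway"].get(gw, {}).get("dpd"):
            findings.append(("warning", f"{vpn}: IKE gateway {gw} has no dead-peer-detection"))
    for line, n in model["lines"].items():
        if n > 1:
            findings.append(("info", f"duplicated {n}x: {line}"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_config(parse_set_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {msg}")
```

Run it against `show configuration | display set` output saved to a file (swap `SAMPLE_CONFIG` for the file contents) before committing; the zone check in particular catches the case where a VPN's st0 unit lands in a zone whose name differs by one letter from the zone the policies and address book use.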
AWS Side preparation
===================================
1: Create a Customer Gateway
2: Create a Virtual Private Gateway
3: Enable Route Propagation / Add static routes in Your Route Table
4: Update Your Security Group to Enable Inbound Access from on-premise network
5: Create a VPN Connection and Configure the Customer Gateway
6: Launch an Instance Into Your VPC