1. Create Gateway (for new IPSec tunnel to Branch-B)
The gateway defines the remote (far-end) device. Note in the screenshot below that the existing Phase 1 policy "PHASE1-POL" is reused rather than a new one being created.
2. Create VPN (for new IPSec tunnel to Branch-B)
In this step the VPN is created. Note in the screenshot below that the existing Phase 2 policy "PHASE2-POL" is reused, and that the VPN is bound to the same st0.0 interface as the tunnel to BRANCH-A.
3. Configure Secure Tunnel (ST) Interface as Multipoint
This step configures the Secure Tunnel interface as a multipoint interface, which allows multiple IPSec security associations to be bound to a single secure tunnel interface. This is the most important configuration step of this post. See the screenshot below for details. Keep in mind that the st0.0 interface was configured in the previous post; this command is added on top of that configuration rather than replacing it.
The configuration steps for BRANCH-B are almost identical to those for BRANCH-A in the previous post, SRX IPSec VPN - Route Based. The following steps and screenshots outline the configuration completed on the BRANCH-B SRX.
1. Create Phase 1 Policy
2. Create Gateway
3. Create Phase 2 Policy
4. Create VPN
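The HUB steps 1 to 3 above and the BRANCH-B steps 1 to 4, written out as Junos set commands. This is an added example and not the configuration from the screenshots in the original post. The policy names PHASE1-POL and PHASE2-POL, the interface st0.0 and the zone VPN come from the post; the gateway and VPN names (GW-BRANCH-B, VPN-BRANCH-A, VPN-BRANCH-B, GW-HUB, VPN-HUB), the proposal names, the tunnel network 10.0.0.0/24, the public addresses in 203.0.113.0/24, the LAN prefixes 192.168.10.0/24 and 192.168.20.0/24, the external interface ge-0/0/0.0 and the pre-shared key are all assumed placeholders.

```junos
# ---------------- HUB (steps 1-3) ----------------
# Assumes PHASE1-POL, PHASE2-POL, st0.0, zone VPN and the BRANCH-A tunnel
# (VPN-BRANCH-A, assumed name) already exist from the previous post.

# 1. Gateway for the new tunnel to BRANCH-B, reusing the existing Phase 1 policy
set security ike gateway GW-BRANCH-B ike-policy PHASE1-POL
set security ike gateway GW-BRANCH-B address 203.0.113.30
set security ike gateway GW-BRANCH-B external-interface ge-0/0/0.0

# 2. VPN for BRANCH-B, reusing the existing Phase 2 policy and the same st0.0
set security ipsec vpn VPN-BRANCH-B bind-interface st0.0
set security ipsec vpn VPN-BRANCH-B ike gateway GW-BRANCH-B
set security ipsec vpn VPN-BRANCH-B ike ipsec-policy PHASE2-POL
set security ipsec vpn VPN-BRANCH-B establish-tunnels immediately

# 3. Make st0.0 multipoint so both security associations bind to it, then map
#    each spoke's tunnel address to its VPN so a static route via that address
#    selects the correct SA (a multipoint st0 cannot infer this on its own).
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set interfaces st0 unit 0 family inet next-hop-tunnel 10.0.0.2 ipsec-vpn VPN-BRANCH-A
set interfaces st0 unit 0 family inet next-hop-tunnel 10.0.0.3 ipsec-vpn VPN-BRANCH-B
set routing-options static route 192.168.10.0/24 next-hop 10.0.0.2
set routing-options static route 192.168.20.0/24 next-hop 10.0.0.3

# ---------------- BRANCH-B (steps 1-4, spoke side) ----------------
# 1. Phase 1 policy (IKE): PSK, DH group 14, AES-256, SHA-256, main mode
set security ike proposal P1-PROP authentication-method pre-shared-keys
set security ike proposal P1-PROP dh-group group14
set security ike proposal P1-PROP authentication-algorithm sha-256
set security ike proposal P1-PROP encryption-algorithm aes-256-cbc
set security ike policy PHASE1-POL mode main
set security ike policy PHASE1-POL proposals P1-PROP
set security ike policy PHASE1-POL pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"

# 2. Gateway pointing at the HUB's public address; IKE must be allowed inbound on the
#    external interface's zone (untrust assumed) or Phase 1 never completes
set security ike gateway GW-HUB ike-policy PHASE1-POL
set security ike gateway GW-HUB address 203.0.113.10
set security ike gateway GW-HUB external-interface ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# 3. Phase 2 policy (IPsec): ESP, AES-256, HMAC-SHA-256, PFS group 14
set security ipsec proposal P2-PROP protocol esp
set security ipsec proposal P2-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal P2-PROP encryption-algorithm aes-256-cbc
set security ipsec policy PHASE2-POL perfect-forward-secrecy keys group14
set security ipsec policy PHASE2-POL proposals P2-PROP

# 4. VPN bound to a point-to-point st0.0 (only the hub needs multipoint);
#    routes to the other spoke's LAN simply point at the tunnel interface
set security ipsec vpn VPN-HUB bind-interface st0.0
set security ipsec vpn VPN-HUB ike gateway GW-HUB
set security ipsec vpn VPN-HUB ike ipsec-policy PHASE2-POL
set security ipsec vpn VPN-HUB establish-tunnels immediately
set interfaces st0 unit 0 family inet address 10.0.0.3/24
set security zones security-zone VPN interfaces st0.0
set routing-options static route 192.168.10.0/24 next-hop st0.0
```

The hub-side `next-hop-tunnel` lines are what make the multipoint interface usable: with a single st0.0 carrying two SAs, a route whose next hop is the interface alone would be ambiguous, so the static routes use the spokes' tunnel addresses and the bindings resolve each address to its VPN. On the spokes nothing changes from the previous post's point-to-point design, so only the hub needs to be reconfigured when a further spoke is added.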
Configure Intra-Zone Policy
1. Permit Access between BRANCH-A and BRANCH-B
Traffic between BRANCH-A and BRANCH-B will need to traverse the HUB device, so firewall policies are needed on the hub to permit it. In this case st0.0 is in the zone VPN, so the traffic enters and leaves through the same zone and the from-zone and to-zone of the policy will both be VPN.
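The intra-zone policy on the hub as Junos set commands, as an added example rather than the policy from the original screenshot. The zone name VPN is from the post; the address names BRANCH-A-LAN and BRANCH-B-LAN, the prefixes 192.168.10.0/24 and 192.168.20.0/24 and the policy name SPOKE-TO-SPOKE are assumed.

```junos
# Address objects for the two spoke LANs (assumed prefixes)
set security address-book global address BRANCH-A-LAN 192.168.10.0/24
set security address-book global address BRANCH-B-LAN 192.168.20.0/24

# Intra-zone policy: st0.0 is in zone VPN on the hub, so spoke-to-spoke traffic
# arrives in and leaves from the same zone. Matching on the two LAN prefixes
# rather than "any" limits what one spoke can reach through the hub; anything
# not matched falls through to the default deny. Logging both ends of the
# session gives the hub a record of spoke-to-spoke flows for later review.
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match source-address [ BRANCH-A-LAN BRANCH-B-LAN ]
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match destination-address [ BRANCH-A-LAN BRANCH-B-LAN ]
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match application any
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE then permit
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE then log session-init
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE then log session-close
```

If the spokes should reach only specific services at each other (for example, a backup server), replace `application any` with the relevant junos-* or custom applications so that the hub enforces the same narrow rule in both directions.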
Verify IPSec Status
1. Verify Phase 1 & Phase 2 Security Associations on device BRANCH-A
2. Verify Phase 1 & Phase 2 Security Associations on device BRANCH-B
3. Verify Phase 1 & Phase 2 Security Associations on device HUB
4. Verify Next Hop Tunnel Bindings
The screenshot below confirms that both IPSec tunnels terminate on interface st0.0 on the hub device.
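The operational commands behind verification steps 1 to 4, with what to check in each, as an added example and not output from the original screenshots. The interface st0.0 is from the post; the VPN names, tunnel addresses and LAN prefix in the comments are the same assumed values used for the configuration example above.

```junos
# Run from operational mode on BRANCH-A, BRANCH-B and HUB (steps 1-3).
# Phase 1: expect one entry per remote gateway with State UP; on the HUB
# that means two entries, one for each spoke's public address.
show security ike security-associations
show security ike security-associations detail

# Phase 2: expect an inbound (<) and outbound (>) SA per tunnel, each with a
# remaining lifetime. The detail view shows the bound interface, which on the
# HUB must read st0.0 for both tunnels.
show security ipsec security-associations
show security ipsec security-associations detail

# Step 4, HUB only: the next-hop tunnel bindings. Each spoke tunnel address
# (10.0.0.2 and 10.0.0.3, assumed) must map to its VPN on interface st0.0;
# a missing row here means routes via that address will not be encrypted.
show security ipsec next-hop-tunnels

# After a ping from BRANCH-A's LAN to BRANCH-B's LAN, confirm the counters
# increase on both tunnels and that the hub created a session whose
# in and out interfaces are both st0.0 (the intra-zone hairpin).
show security ipsec statistics
show security flow session destination-prefix 192.168.20.0/24
```

If Phase 1 is UP but no Phase 2 SA appears, check that the Phase 2 proposals and PFS group match on both ends; if both phases are up but the bindings are missing on the hub, the multipoint and next-hop-tunnel configuration from step 3 is the place to look.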
Multipoint IPSec VPNs are well suited to hub-and-spoke topologies, since a single secure tunnel interface on the hub can carry all of the spoke tunnels and adding a spoke only requires a new gateway, VPN and next-hop binding on the hub.