vEOS Routers and vSRX

An IPsec VTI tunnel can be established between a vEOS router and a vSRX router. A GRE-over-IPsec tunnel cannot be established between vEOS and vSRX.

Below is a sample vEOS configuration. The IKE version, integrity algorithm, and pre-shared key shown are lab values chosen to match the vSRX sample that follows; if you change any of them, change them on both peers together.

switchport default mode routed
!
transceiver qsfp default-mode 4x10G
!
! IPsec settings for the VTI tunnel (Tunnel1 below). The IKE policy, SA policy
! and profile here must agree with the vSRX proposals on the far end:
! IKEv1 main mode, SHA-1, AES-128-CBC, DH group 14 with PFS.
ip security
 ike policy ike1
! SHA-1 integrity and IKE version 1 are legacy choices kept because the vSRX
! sample peers with them. Moving to IKEv2 / SHA-256 requires changing both
! peers at the same time.
integrity sha1
version 1
 !
 sa policy sa1
! No "esp integrity" is set here, so the EOS default applies. The vSRX side
! proposes hmac-sha-256-128 -- presumably the default agrees; confirm with
! the EOS "show ip security connection" output once the tunnel is up.
esp encryption aes128
pfs dh-group 14
 !
 profile p1
ike-policy ike1 
sa-policy sa1 
connection start
! "arista" is a placeholder pre-shared key for this sample. It is stored in
! clear text in the running configuration; use a long random value and
! restrict who can view the configuration outside a lab.
shared-key arista
!
hostname veos10
!
spanning-tree mode mstp
!
aaa authentication policy on-success log
aaa authentication policy on-failure log
!
! Root login is disabled; ec2-user (below) is the only account defined.
no aaa root
!
! ec2-user has no password and authenticates only with the SSH public key
! that follows. The key is public material, not a secret. It is a single
! line in the real configuration; the page layout wraps it here.
username ec2-user nopassword
username ec2-user sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtj+
lRa3E5tP/RtuUx7vq24IeRdoOxUsn7VwHqiUuMXe67Cx5SRrQmdRh0uLX6LNJlcmLUQ
kT5A+vpAFtV4Fn9P58qlBjHzi9Dw5rLtn56fzPGZszsSHRNnYEHUBZKlhz6Y/W6VeQz
CvEP+b8yy2nqaJj4fr3r3+RDnFTlu+Cxx4t3alhlFRtfyixEaF6XuiOuVWr1FFkrbQS
Jmd4yy3h/DG0OVBDKGc2cH/a0dSSuZ6y0aEcRRAdKakoYI+a6HGGN4V5kmjlsJXDDFl
+840FLH6zd6ZzJDqA/EpNzdA1YVbRotXc2PNwM9pPE796L2hMgN0Vw3VwcJMJDQJS8j
LNR Sreedhar
!
! Ethernet1 is the DHCP-managed management/uplink interface; Ethernet2 faces
! the vSRX on the 10.1.2.0/24 segment.
interface Ethernet1
 no switchport
 ip address dhcp
 dhcp client accept default-route
!
interface Ethernet2
 no switchport
 ip address 10.1.2.65/24
!
interface Tunnel1
 ip address 50.1.1.1/24
 tunnel mode ipsec
! tunnel source must equal the "gateway ike-gw address" on the vSRX
! (10.1.2.65); tunnel destination is the vSRX lo0.0 address (60.1.1.2).
 tunnel source 10.1.2.65
 tunnel destination 60.1.1.2
 tunnel ipsec profile p1
!
! Host route to the vSRX loopback via its ge-0/0/0 address (10.1.2.188),
! so IKE/ESP to the tunnel endpoint leaves through Ethernet2.
ip route 60.1.1.2/32 10.1.2.188
!
ip routing
!
end

The output below shows the corresponding vSRX configuration as returned by `show configuration`.
root>show configuration 
## Last commit: 2018-01-18 22:33:41 UTC by root
version 15.1X49-D110.4;
groups {
aws-default {
system {
root-authentication {
# Public key for root SSH login. Junos tags it SECRET-DATA, but this is the
# public half of the key pair. It is one line in the real configuration;
# the page layout wraps it here.
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtj
+lRa3E5tP/RtuUx7vq24IeRdoOxUsn7VwHqiUuMXe67Cx5SRrQmdRh0uLX6LNJlcmL
UQkT5A+vpAFtV4Fn9P58qlBjHzi9Dw5rLtn56fzPGZszsSHRNnYEHUBZKlhz6Y/W6V
eQzCvEP+b8yy2nqaJj4fr3r3+RDnFTlu+Cxx4t3alhlFRtfyixEaF6XuiOuVWr1FFk
rbQSJmd4yy3h/DG0OVBDKGc2cH/a0dSSuZ6y0aEcRRAdKakoYI+a6HGGN4V5kmjlsJ
XDDFl+840FLH6zd6ZzJDqA/EpNzdA1YVbRotXc2PNwM9pPE796L2hMgN0Vw3VwcJMJ
DQJS8jLNR Sreedhar"; ## SECRET-DATA
}
services {
ssh {
# Password SSH logins are disabled; only the key above can open a session.
no-passwords;
}
netconf {
ssh;
}
web-management {
https {
# Self-signed certificate: clients cannot validate it against a CA, so
# J-Web over HTTPS is exposed to interception unless a CA-issued
# certificate is loaded. Acceptable for a lab only.
system-generated-certificate;
}
}
}
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.1.1.214/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.1.1.1;
}
}
}
}
apply-groups aws-default;
system {
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
ike {
# Phase 1 proposal. Must match the vEOS "ike policy ike1": SHA-1 integrity,
# AES-128-CBC, DH group 14, pre-shared key. The gateway below sets no
# "version v2-only", so IKEv1 is used (the vEOS side sets "version 1").
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
mode main;
proposals ike-phase1-proposal;
# "$9$" is reversible obfuscation, not encryption: anyone who can read this
# configuration can recover the pre-shared key. It must equal the vEOS
# "shared-key" ("arista" in the vEOS sample, a placeholder value).
pre-shared-key ascii-text "$9$tQm9u0IhSevWxcy2aZGq."; ## SECRET-DATA
}
gateway ike-gw {
ike-policy ike-phase1-policy;
# Peer address is the vEOS "tunnel source"; external-interface lo0.0
# (60.1.1.2) is the vEOS "tunnel destination".
address 10.1.2.65;
external-interface lo0.0;
}
}
ipsec {
# Phase 2 proposal. Must match the vEOS "sa policy sa1" (AES-128, PFS with
# DH group 14). The vEOS sample sets no explicit esp integrity, so its
# default has to agree with hmac-sha-256-128 here -- verify on the vEOS side.
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-128-cbc;
}
policy vpn-policy1 {
perfect-forward-secrecy {
keys group14;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn {
# Route-based VPN: st0.1 is the VTI that pairs with Tunnel1 on the vEOS.
bind-interface st0.1;
ike {
gateway ike-gw;
ipsec-policy vpn-policy1;
}
}
}
flow {
# Flow tracing is deactivated. "flag all" with 100m files is verbose;
# activate it only while troubleshooting the tunnel.
inactive: traceoptions {
file flow_trace size 100m;
flag all;
inactive: packet-filter p1 {
protocol esp;
}
packet-filter p2 {
protocol icmp;
}
trace-level {
detail;
}
}
}
screen {
# NOTE(review): untrust-screen is bound to the untrust zone below, but that
# zone has no interfaces assigned in this sample, so these screens are not
# applied to any traffic here.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
policies {
# Only trust->trust and trust->untrust are permitted (any/any). No
# untrust->trust policy is defined, so that direction falls to the
# default policy, which denies unless it has been changed.
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
# "all" opens every system service (ssh, https, ...) and routing protocol
# on ge-0/0/0.0 and lo0.0, which are the interfaces facing the vEOS peer.
# Lab convenience only; outside a lab restrict this to what the tunnel
# needs, e.g. system-services { ike; ping; }.
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
} 
# ge-0/0/0.0 carries the IKE/ESP packets, lo0.0 is the IKE endpoint,
# st0.1 is the tunnel interface -- all in one zone in this sample.
interfaces {
st0.1;
ge-0/0/0.0;
lo0.0;
}
}
security-zone untrust {
screen untrust-screen;
# Same "all" as the trust zone; see the note there. No interfaces are
# assigned to untrust in this sample.
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
interfaces {
# ge-0/0/0 is the next hop the vEOS uses for its 60.1.1.2/32 static route.
ge-0/0/0 {
unit 0 {
family inet {
address 10.1.2.188/24;
}
}
}
# lo0.0 holds the IKE/IPsec endpoint address (the vEOS tunnel destination).
lo0 {
unit 0 {
family inet {
address 60.1.1.2/24;
}
}
}
# st0.1 is the VTI; 50.1.1.0/24 is the tunnel subnet shared with vEOS Tunnel1.
st0 {
unit 1 {
family inet {
address 50.1.1.2/24;
}
}
}
}