
Re: IPsec scheduling or on-demand


Hello,

Firstly, I would like to inform you that I have never tried or tested the solutions I am going to propose below, so I am not sure of their success, but I still wanted to share them with you to see if either of them can work for you.

 

The solutions are as follows:

 

1. If you have policy-based VPNs on SRX, then I think you need to make the below two tweaks in the configuration for the VPN, and then you should be able to have a time-based IPsec VPN. The tweaks are as follows:

 

  • Change the lifetime values for IKE (Phase 1) and IPsec (Phase 2) accordingly so that they do not remain up for the default lifetimes of 24 hours and 1 hour respectively. You can also set an IPsec VPN idle timeout so that inactive IPsec SAs (Phase 2) are timed out even before the above default values, or whatever values you set. For more details on the timeouts please refer to the below discussion thread.

https://forums.juniper.net/t5/SRX-Services-Gateway/IKE-life-time-VS-IPSEC-life-time/td-p/140937

 

  • The other tweak you will need is to configure time schedulers on the SRX and call them on the policy which invokes the IPsec VPN. The schedulers will make the policy active during the specified time, and it will become inactive after that. You can refer to the below document for configuring schedulers.

https://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/policy-scheduler-configuring-cli.html

 

2. If you have a route-based VPN on SRX, then the above solution would not work. In this case you can use the groups configuration on SRX so that the particular IKE and IPsec VPN configuration becomes active only during a certain time of day. The following configuration example can help you to achieve this:

 

set groups test when time 09:20 to 09:25
set groups test security ike policy test-policy mode main
set groups test security ike policy test-policy proposal-set standard
set groups test security ike policy test-policy pre-shared-key ascii-text "$9$l71v8xbs4Di.Ndi.P56/lKMW8xNdbY4a7N"
set groups test security ike gateway test-gw ike-policy test-policy
set groups test security ike gateway test-gw address 2.2.2.2
set groups test security ike gateway test-gw external-interface fe-0/0/6
set groups test security ipsec policy test-policy perfect-forward-secrecy keys group2
set groups test security ipsec policy test-policy proposal-set standard
set groups test security ipsec vpn test-vpn bind-interface st0.0
set groups test security ipsec vpn test-vpn ike gateway test-gw
set groups test security ipsec vpn test-vpn ike ipsec-policy test-policy
set groups test security ipsec vpn test-vpn establish-tunnels on-traffic
set security ike apply-groups test
set security ipsec apply-groups test


The only drawback with the above 2nd solution is that you cannot specify the days of the week when this configuration should be active; you can only specify the time. Hence the IKE and IPsec configuration will remain active for 14 hours on all 7 days.

 

Please let me know if you have any queries.

 

Hope this helps.

 

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps. Kudos are appreciated too.
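As an added example (not part of the post above), here is what the first solution looks like in set-style Junos configuration: shortened Phase 1 and Phase 2 lifetimes plus a weekday-only scheduler attached to the policy that invokes the tunnel. The zone, proposal, policy and scheduler names are assumptions; only the tunnel name test-vpn is reused from the post.

```junos
# Added example, not from the original post. Names below are assumed.

# Tweak 1: shorten the negotiated lifetimes so SAs do not outlive the window
# (defaults are 86400 s for IKE and 3600 s for IPsec).
set security ike proposal ike-prop lifetime-seconds 3600
set security ipsec proposal ipsec-prop lifetime-seconds 1800

# Tweak 2: a scheduler that is active 09:00-17:00 on weekdays only.
set schedulers scheduler vpn-hours daily start-time 09:00:00 stop-time 17:00:00
set schedulers scheduler vpn-hours saturday exclude
set schedulers scheduler vpn-hours sunday exclude

# Attach the scheduler to the tunnel policy; outside the window the policy
# is inactive, so no new sessions enter the tunnel.
set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-policy match application any
set security policies from-zone trust to-zone untrust policy vpn-policy then permit tunnel ipsec-vpn test-vpn
set security policies from-zone trust to-zone untrust policy vpn-policy scheduler-name vpn-hours
```

Unlike the groups approach in the second solution, the scheduler can exclude specific days, which avoids the 7-days-a-week limitation noted above.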