Wednesday 1 May 2013

Juniper SRX - Route Based VPN How To

Hi everyone,

I'm currently working on my JNCIE-SEC, and figured I'd start posting some of the labs I'm working on. This one is the basis for all of my route-based VPN configuration.

Basic topology (we'll build on this later for more interesting things like OSPF over GRE):


We'll do this for SRX210_A only; mirror the config to SRX210_B with slight adjustments (its own st0.0 address and the peer's gateway address) if you're following along:

Creating a route-based IPSEC VPN

Create the Secure Tunnel Interface (st0.0)

set interfaces st0 unit 0 family inet address 172.16.30.1/30
set security zones security-zone VPN interfaces st0.0

Create the IKE policy and proposal (phase one)

set security ike proposal ike_aes_128 dh-group group2
set security ike proposal ike_aes_128 authentication-method pre-shared-keys
set security ike proposal ike_aes_128 authentication-algorithm sha1
set security ike proposal ike_aes_128 encryption-algorithm aes-128-cbc

set security ike policy phase1_aes_128 mode main
set security ike policy phase1_aes_128 pre-shared-key ascii-text vpn123
set security ike policy phase1_aes_128 proposals ike_aes_128

Create the IKE Gateway (SRX210_B across ae1.0 - 172.19.1.2)

set security ike gateway SRX210_B ike-policy phase1_aes_128
set security ike gateway SRX210_B external-interface ae1.0
set security ike gateway SRX210_B address 172.19.1.2

Create the IPSEC policy and proposal (phase two)

set security ipsec proposal ipsec_aes_128 protocol esp
set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_aes_128 encryption-algorithm aes-128-cbc
set security ipsec policy phase2_aes_128 proposals ipsec_aes_128

Create the VPN and bind it to st0.0

set security ipsec vpn VPN_To_SRX210_B ike gateway SRX210_B
set security ipsec vpn VPN_To_SRX210_B ike ipsec-policy phase2_aes_128
set security ipsec vpn VPN_To_SRX210_B establish-tunnels immediately
set security ipsec vpn VPN_To_SRX210_B bind-interface st0.0

Verify the tunnel is up and working correctly (after configuring the peer):

show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2534013 UP     1e051d13d519794d  1d833a97c85cf299  Main           172.19.1.2    

show security ipsec security-associations
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
<131073 ESP:aes-128/sha1 c7570e07 3526/ unlim -  root 500   172.19.1.2  
>131073 ESP:aes-128/sha1 21a14b61 3526/ unlim -  root 500   172.19.1.2
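As an added check (my own example, not part of the original post or of Juniper's tooling), here is a small Python script that parses the two show outputs above, assuming you have captured them as plain text (pasted from a session or pulled over NETCONF), and reports a tunnel that is down, is missing one SA direction, negotiated a different ESP algorithm than the proposal, or is about to expire:

```python
import re

# Sample output shaped like the verification step above (values taken from it);
# in practice this text comes from running the two show commands on the SRX.
IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2534013 UP     1e051d13d519794d  1d833a97c85cf299  Main           172.19.1.2
"""
IPSEC_OUTPUT = """\
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
<131073 ESP:aes-128/sha1 c7570e07 3526/ unlim -  root 500   172.19.1.2
>131073 ESP:aes-128/sha1 21a14b61 3526/ unlim -  root 500   172.19.1.2
"""

IKE_RE = re.compile(r"^(\d+)\s+(\S+)\s+[0-9a-f]{16}\s+[0-9a-f]{16}\s+(\S+)\s+(\S+)\s*$")
# '<' marks the inbound SA and '>' the outbound one; Life:sec/kb prints as "3526/ unlim".
IPSEC_RE = re.compile(r"^([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)\s*$")

def parse_ike_sas(text):
    """One dict per IKE SA line: index, state, mode and remote address."""
    return [{"index": int(m[1]), "state": m[2], "mode": m[3], "peer": m[4]}
            for m in map(IKE_RE.match, text.splitlines()) if m]

def parse_ipsec_sas(text):
    """One dict per IPsec SA line: direction, id, algorithm, SPI, lifetime, port, gateway."""
    return [{"direction": "in" if m[1] == "<" else "out", "id": int(m[2]),
             "algorithm": m[3], "spi": m[4], "life_sec": int(m[5]), "life_kb": m[6],
             "port": int(m[7]), "gateway": m[8]}
            for m in map(IPSEC_RE.match, text.splitlines()) if m]

def tunnel_problems(ike_text, ipsec_text, peer, algorithm, min_life_sec=60):
    """Return a list of problems (empty when healthy): IKE SA to `peer` UP in main mode,
    both IPsec SA directions present, using `algorithm`, and not about to expire."""
    problems = []
    ike = [s for s in parse_ike_sas(ike_text) if s["peer"] == peer]
    if not ike:
        problems.append("no IKE SA for peer")
    elif ike[0]["state"] != "UP" or ike[0]["mode"] != "Main":
        problems.append(f"IKE SA is {ike[0]['state']} in {ike[0]['mode']} mode")
    ipsec = [s for s in parse_ipsec_sas(ipsec_text) if s["gateway"] == peer]
    if {s["direction"] for s in ipsec} != {"in", "out"}:
        problems.append("missing an IPsec SA direction")
    for s in ipsec:
        if s["algorithm"] != algorithm:
            problems.append(f"{s['direction']} SA uses {s['algorithm']}, not {algorithm}")
        if s["life_sec"] < min_life_sec:
            problems.append(f"{s['direction']} SA expires in {s['life_sec']}s")
    return problems
```

An empty list from tunnel_problems means the tunnel matches what you configured; anything else is worth chasing before you open the security policies.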

And we're done! (sort of...)
We still have to configure a security policy to allow traffic between our VPN zone and our internal resources, and create the routes for our peer's encryption domains. Since I'll be doing a tutorial on how to set up OSPF over GRE later on (to work with those pesky, lesser vendors), I'll leave this part blank for now. I'm sure you already know how to do this anyway :)

GitHub for the full configuration

Edit: Since someone has already asked how to turn this into a generic working config, this is basically how you do it:

Add a route for the remote encryption domain pointing to your secure tunnel interface:
set routing-options static route 10.200.200.0/24 next-hop st0.0

Add appropriate policies to permit traffic (the reverse-direction policy is optional):
set security policies from-zone VPN to-zone DMZ policy Allow_All match source-address any destination-address any application any
set security policies from-zone VPN to-zone DMZ policy Allow_All then permit
set security policies from-zone VPN to-zone DMZ policy Allow_All then log session-init

set security policies from-zone DMZ to-zone VPN policy Allow_All match source-address any destination-address any application any
set security policies from-zone DMZ to-zone VPN policy Allow_All then permit
set security policies from-zone DMZ to-zone VPN policy Allow_All then log session-init
