SRX Policy based VPN

From Network Security Wiki
Jump to navigation Jump to search


Srx vpn topology.png

Source: Juniper.net

SRX Config

Configuring Basic Network, Security Zone, and Address Book Information

set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike 
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all 
set security address-book book1 address sunnyvale 10.10.10.0/24 
set security address-book book1 attach zone trust 
set security address-book book2 address chicago 192.168.168.0/24 
set security address-book book2 attach zone untrust

Configuring IKE

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2 
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy 
set security ike gateway gw-chicago address 2.2.2.2 

Configuring IPsec

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy

Configuring Security Policies

set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address sunnyvale
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address sunnyvale
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any 

Configuring TCP-MSS

set security flow tcp-mss ipsec-vpn mss 1350

SSG Config

Configuring the SSG Series Device

set interface ethernet0/6 zone Trust
set interface ethernet0/0 zone Untrust
set interface ethernet0/6 ip 192.168.168.1/24
set interface ethernet0/6 route
set interface ethernet0/0 ip 2.2.2.2/30
set interface ethernet0/0 route
set flow tcp-mss 1350
set address Trust “local-net” 192.168.168.0 255.255.255.0
set address Untrust "corp-net" 10.10.10.0 255.255.255.0
set ike gateway corp-ike address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
set vpn corp-vpn gateway corp-ike replay tunnel idletime 0 sec-level standard
set policy id 11 from Trust to Untrust “local-net” “corp-net” “ANY” tunnel vpn “corp-vpn” pair-policy 10
set policy id 10 from Untrust to Trust “corp-net” “local-net” “ANY” tunnel vpn “corp-vpn” pair-policy 11
set policy id 1 from Trust to Untrust “ANY” “ANY” “ANY” nat src permit
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1




blog comments powered by Disqus