SRX Route based VPN

From Network Security Wiki


Figure: SRX to SSG route-based VPN topology (image: Srx vpn topology.png)

Source: Juniper.net

SRX Config

Configuring Interface, Static Route, Security Zone, and Address Book Information

set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24 
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike 
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all 
set security zones security-zone vpn-chicago interfaces st0.0
set security address-book book1 address sunnyvale 10.10.10.0/24 
set security address-book book1 attach zone trust 
set security address-book book2 address chicago 192.168.168.0/24 
set security address-book book2 attach zone vpn-chicago

Configuring IKE

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2 
set security ike proposal ike-phase1-proposal authentication-algorithm sha1 
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc 
set security ike policy ike-phase1-policy mode main 
set security ike policy ike-phase1-policy proposals ike-phase1-proposal 
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t 
set security ike gateway gw-chicago external-interface ge-0/0/3.0 
set security ike gateway gw-chicago ike-policy ike-phase1-policy 
set security ike gateway gw-chicago address 2.2.2.2 

Configuring IPsec

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96 
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc 
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-chicago bind-interface st0.0

Configuring Security Policies

set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match source-address sunnyvale
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match destination-address chicago 
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi match application any 
set security policies from-zone trust to-zone vpn-chicago policy vpn-tr-chi then permit 
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match source-address chicago
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match destination-address sunnyvale 
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr match application any 
set security policies from-zone vpn-chicago to-zone trust policy vpn-chi-tr then permit 

Configuring TCP-MSS

set security flow tcp-mss ipsec-vpn mss 1350

Making the VPN always up, or bringing it up only on traffic

set security ipsec vpn ike-vpn-chicago establish-tunnels immediately

or

set security ipsec vpn ike-vpn-chicago establish-tunnels on-traffic

SSG Config

Configuring the SSG Series Device

set zone name vpn-chicago
set interface ethernet0/6 zone Trust
set interface ethernet0/0 zone Untrust
set interface tunnel.1 zone vpn-chicago
set interface ethernet0/6 ip 192.168.168.1/24
set interface ethernet0/6 route
set interface ethernet0/0 ip 2.2.2.2/30
set interface ethernet0/0 route
set interface tunnel.1 ip 10.11.11.11/24
set flow tcp-mss 1350
set address Trust "192.168.168-net" 192.168.168.0 255.255.255.0
set address vpn-chicago "10.10.10-net" 10.10.10.0 255.255.255.0
set ike gateway corp-ike address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
set vpn corp-vpn gateway corp-ike replay tunnel idletime 0 sec-level standard
set vpn corp-vpn monitor optimized rekey
set vpn corp-vpn bind interface tunnel.1
set policy from Trust to Untrust "ANY" "ANY" "ANY" nat src permit
set policy from Trust to vpn-chicago "192.168.168-net" "10.10.10-net" "ANY" permit
set policy from vpn-chicago to Trust "10.10.10-net" "192.168.168-net" "ANY" permit
set route 10.10.10.0/24 interface tunnel.1
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1
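The two configurations above only work as a pair when a handful of values agree across the SRX and the SSG: each side's IKE gateway address must be the other side's external interface, the pre-shared key must be identical, st0.0 and tunnel.1 must share a subnet so routes pointing at the tunnel interface resolve, each LAN routed into the tunnel must be owned by the far side, and both ends should clamp TCP MSS to the same value. The Python below is an added example, not Juniper's code and not part of the original page: it embeds the relevant lines from both configurations and reports any of those mismatches. It does not compare proposals, because the SSG side expresses its algorithms only through the predefined `sec-level standard`; the function and field names are this example's own.

```python
"""Cross-check the SRX (Junos set format) and SSG (ScreenOS) halves of the
route-based VPN on this page.  Added example, not Juniper's code: it embeds the
relevant lines of both configurations and reports the mismatches that most often
keep Phase 1 or Phase 2 from coming up (wrong peer address, pre-shared-key typo,
tunnel interfaces in different subnets, a LAN routed into the tunnel that the
far side does not own, unequal TCP MSS clamps)."""
import ipaddress

# Lines copied from the SRX configuration on this page (only those the check needs).
SRX_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet address 10.11.11.10/24
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-chicago external-interface ge-0/0/3.0
set security ike gateway gw-chicago address 2.2.2.2
set security ipsec vpn ike-vpn-chicago bind-interface st0.0
set security flow tcp-mss ipsec-vpn mss 1350
"""

# Lines copied from the SSG configuration on this page.
SSG_CONFIG = """
set interface ethernet0/6 ip 192.168.168.1/24
set interface ethernet0/0 ip 2.2.2.2/30
set interface tunnel.1 ip 10.11.11.11/24
set flow tcp-mss 1350
set ike gateway corp-ike address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
set vpn corp-vpn bind interface tunnel.1
set route 10.10.10.0/24 interface tunnel.1
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1
"""


def parse_srx(text):
    """Reduce Junos set commands to the few facts the cross-check needs."""
    cfg = {"ifaces": {}, "routes": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"]:
            # set interfaces <ifd> unit <n> family inet address <cidr>  ->  "<ifd>.<n>": cidr
            cfg["ifaces"][f"{w[2]}.{w[4]}"] = w[8]
        elif w[:4] == ["set", "routing-options", "static", "route"]:
            cfg["routes"][w[4]] = w[6]          # prefix -> next-hop (IP or interface)
        elif "pre-shared-key" in w:
            cfg["psk"] = w[-1]
        elif w[:4] == ["set", "security", "ike", "gateway"]:
            key = {"address": "peer", "external-interface": "ext_if"}.get(w[5])
            if key:
                cfg[key] = w[6]
        elif "bind-interface" in w:
            cfg["tunnel_if"] = w[-1]
        elif "tcp-mss" in w:
            cfg["mss"] = int(w[-1])
    return cfg


def parse_ssg(text):
    """Same reduction for ScreenOS commands."""
    cfg = {"ifaces": {}, "routes": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] == ["set", "interface"] and "ip" in w:
            cfg["ifaces"][w[2]] = w[4]          # set interface <name> ip <cidr>
        elif w[:3] == ["set", "ike", "gateway"]:
            cfg["peer"] = w[w.index("address") + 1]
            cfg["psk"] = w[w.index("preshare") + 1]
            cfg["ext_if"] = w[w.index("outgoing-interface") + 1]
        elif w[:2] == ["set", "vpn"] and "bind" in w:
            cfg["tunnel_if"] = w[-1]
        elif w[:2] == ["set", "route"]:
            cfg["routes"][w[2]] = w[w.index("interface") + 1]
        elif w[:3] == ["set", "flow", "tcp-mss"]:
            cfg["mss"] = int(w[-1])
    return cfg


def cross_check(srx, ssg):
    """Return a list of mismatch descriptions; an empty list means the two sides agree."""
    problems = []
    srx_ext_ip = srx["ifaces"][srx["ext_if"]].split("/")[0]
    ssg_ext_ip = ssg["ifaces"][ssg["ext_if"]].split("/")[0]
    # 1. Each side's configured IKE peer must be the other side's external address.
    if srx["peer"] != ssg_ext_ip:
        problems.append(f"SRX peer {srx['peer']} != SSG outgoing-interface IP {ssg_ext_ip}")
    if ssg["peer"] != srx_ext_ip:
        problems.append(f"SSG peer {ssg['peer']} != SRX external-interface IP {srx_ext_ip}")
    # 2. Identical pre-shared key: the classic cause of a Phase 1 that never reaches UP.
    if srx["psk"] != ssg["psk"]:
        problems.append("pre-shared keys differ")
    # 3. st0.0 and tunnel.1 must share a subnet for routes via the tunnel to resolve.
    srx_tun = ipaddress.ip_interface(srx["ifaces"][srx["tunnel_if"]])
    ssg_tun = ipaddress.ip_interface(ssg["ifaces"][ssg["tunnel_if"]])
    if srx_tun.network != ssg_tun.network:
        problems.append(f"tunnel interfaces in different subnets: {srx_tun} vs {ssg_tun}")
    # 4. A prefix routed into the tunnel must be a network the far side actually owns.
    srx_nets = {str(ipaddress.ip_interface(a).network) for a in srx["ifaces"].values()}
    ssg_nets = {str(ipaddress.ip_interface(a).network) for a in ssg["ifaces"].values()}
    for prefix, nh in srx["routes"].items():
        if nh == srx["tunnel_if"] and prefix not in ssg_nets:
            problems.append(f"SRX routes {prefix} via {nh} but SSG has no such network")
    for prefix, nh in ssg["routes"].items():
        if nh == ssg["tunnel_if"] and prefix not in srx_nets:
            problems.append(f"SSG routes {prefix} via {nh} but SRX has no such network")
    # 5. Both ends clamp TCP MSS to the same value so neither side fragments ESP.
    if srx.get("mss") != ssg.get("mss"):
        problems.append(f"TCP MSS differs: {srx.get('mss')} vs {ssg.get('mss')}")
    return problems


def check_pair(srx_text, ssg_text):
    return cross_check(parse_srx(srx_text), parse_ssg(ssg_text))


if __name__ == "__main__":
    for p in check_pair(SRX_CONFIG, SSG_CONFIG) or ["no mismatches found"]:
        print(p)
```

Run as-is it reports no mismatches; change the SSG `preshare` value by one character, or move st0.0 into another subnet, and the corresponding line appears, which is the same information you would otherwise have to dig out of `show security ike security-associations` showing nothing for the peer.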

Verifying

Verifying IKE Phase 1 Status

show security ike security-associations
show security ike security-associations index 1 detail

Verifying IPsec Phase 2 Status

show security ipsec security-associations
show security ipsec security-associations index 16384 detail
show security ipsec inactive-tunnels

Statistics and Errors for an IPsec Security Association

show security ipsec statistics index 16384
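A healthy route-based tunnel shows one IKE SA in state UP for the peer, and for Phase 2 both an inbound (`<`) and an outbound (`>`) IPsec SA under the same tunnel ID, negotiated with the algorithms configured in the Phase 2 proposal. The Python below is an added example, not part of this page or of Junos: it parses the summary output of the two `show` commands above and reports what is missing, then derives the `index <ID> detail` and `statistics index <ID>` follow-up commands from the IDs it found. The sample output is constructed to mirror the column layout of those commands (cookies and SPIs are made-up values), and the function names are this example's own.

```python
"""Read the Phase 1 and Phase 2 verification output above and decide whether the
tunnel to a given peer is healthy.  Added example: the sample output below is
constructed (cookies and SPIs are invented) to mirror the column layout of
`show security ike security-associations` and
`show security ipsec security-associations`; it is not taken from a device."""
import re

IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1       UP     744a594d957dd513  1e1307db82f58387  Main           2.2.2.2
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <16384 ESP:aes-cbc-128/sha1 76d64d1d 3363/ unlim - root 500 2.2.2.2
  >16384 ESP:aes-cbc-128/sha1 a1024ee2 3363/ unlim - root 500 2.2.2.2
"""

# direction, ID, algorithm, SPI, life seconds, life kb, (mon, lsys, port skipped), gateway
IPSEC_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+\S+\s+\S+\s+\d+\s+(\S+)\s*$")


def parse_ike_sas(text):
    """Map remote address -> (index, state, mode) for every Phase 1 SA row."""
    sas = {}
    for line in text.splitlines():
        w = line.split()
        if len(w) == 6 and w[0].isdigit():      # data rows start with the SA index
            sas[w[5]] = (int(w[0]), w[1], w[4])
    return sas


def parse_ipsec_sas(text):
    """Map gateway -> {direction: (id, algorithm, spi, life_sec)} for Phase 2 SAs.
    '<' is the inbound SA and '>' the outbound one; a working tunnel has both."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            direction, sa_id, alg, spi, life, _kb, gw = m.groups()
            sas.setdefault(gw, {})[direction] = (int(sa_id), alg, spi, int(life))
    return sas


def tunnel_status(peer, ike_text, ipsec_text, expected_alg="ESP:aes-cbc-128/sha1"):
    """Return findings for the tunnel to `peer`; an empty list means both phases are up.
    The default expected_alg is the aes-128-cbc / hmac-sha1-96 pair from the
    ipsec-phase2-proposal above as the summary output spells it."""
    findings = []
    ike = parse_ike_sas(ike_text).get(peer)
    if ike is None:
        findings.append(f"no IKE SA with {peer}: Phase 1 never completed")
    elif ike[1] != "UP":
        findings.append(f"IKE SA with {peer} is {ike[1]}, not UP")
    p2 = parse_ipsec_sas(ipsec_text).get(peer, {})
    for direction, label in (("<", "inbound"), (">", "outbound")):
        if direction not in p2:
            findings.append(f"no {label} IPsec SA with {peer}: Phase 2 not established")
        elif p2[direction][1] != expected_alg:
            findings.append(f"{label} SA negotiated {p2[direction][1]}, expected {expected_alg}")
    if "<" in p2 and ">" in p2 and p2["<"][0] != p2[">"][0]:
        findings.append("inbound and outbound SAs carry different tunnel IDs")
    return findings


def detail_commands(peer, ipsec_text):
    """Follow-up commands for each tunnel ID seen in the summary (16384 on this page)."""
    p2 = parse_ipsec_sas(ipsec_text).get(peer, {})
    ids = sorted({sa[0] for sa in p2.values()})
    return [cmd for i in ids for cmd in (
        f"show security ipsec security-associations index {i} detail",
        f"show security ipsec statistics index {i}")]


if __name__ == "__main__":
    for f in tunnel_status("2.2.2.2", IKE_SA_OUTPUT, IPSEC_SA_OUTPUT) or ["tunnel to 2.2.2.2 is up"]:
        print(f)
    print("\n".join(detail_commands("2.2.2.2", IPSEC_SA_OUTPUT)))
```

If Phase 1 is missing entirely, the first places to look are the items the SRX configuration above has to get right before IKE can even be answered: `host-inbound-traffic system-services ike` on the untrust zone, the gateway `address` and `external-interface`, and the pre-shared key. A Phase 1 that is UP with no Phase 2 SAs points at the IPsec proposal or perfect-forward-secrecy settings instead.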
