Mar 6, 2017

How to configure route based site to site IPSec VPN on Juniper SRX Router

Route Based Site To Site IPSec VPN on Juniper:

In this article I will show you how to configure a route-based site-to-site IPsec VPN on Juniper SRX series routers. In our topology there are two SRX routers, and both have interface ge-0/0/3.0 connected to the internet. On SRX-A this interface is configured with 1.1.1.1/30 and on SRX-B with 2.2.2.2/30. Each router also connects a LAN: 10.1.1.0/24 behind SRX-A and 10.2.2.0/24 behind SRX-B.

site to site IPSec VPN on Juniper SRX series router

Lab Objectives:

Currently SRX-A and SRX-B provide internet access to their LAN networks; the two LANs are required to communicate securely over the internet.

Our task is to enable communication between host-A and host-B over the internet. For this we need to configure a VPN between the two routers. We will build a secure tunnel using a route-based IPsec VPN, which keeps the VPN configuration separate from the security policy configuration: the tunnel is a routable interface, and ordinary zone policies decide what may cross it. Configuring a route-based VPN requires the following:

  1. Configure the Internet Key Exchange (IKE) protocol to set up a dynamic tunnel between the SRX devices.
  2. IKE works in two phases:
    1. Phase 1 establishes a secure, authenticated channel between the two devices.
    2. Phase 2 negotiates the IPsec security associations for the actual VPN tunnel that carries user traffic.
  3. For a route-based VPN you configure a tunnel interface st0.x, where x is a unit number, and bind the VPN to that interface. Any traffic routed to st0.x goes into the tunnel, provided a security policy permits it.
  4. Configure the security policies on both routers.

Configuration of IKE on Site A:

We configure the tunnel interface, st0.x in our case, and place it in a VPN zone; the security policies are also defined against this zone. The encapsulated IPsec packets leave through ge-0/0/3 in the untrust zone, and no policy is needed between the VPN and untrust zones because those packets are generated by the SRX itself. You do, however, need to enable host-inbound-traffic for IKE on the untrust zone so the peer's IKE negotiation is accepted.

In the first step you define the IKE proposal: the SA lifetime, the authentication method, and the authentication, encryption and Diffie-Hellman algorithms. The values below (sha1, DH group 5) are what this lab uses; for a new deployment prefer sha-256 and group14 or higher when both peers support them, and keep the proposal identical on both sides.

set security ike proposal IKE-PROP lifetime-seconds 3600

set security ike proposal IKE-PROP authentication-method pre-shared-keys

set security ike proposal IKE-PROP authentication-algorithm sha1

set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc

set security ike proposal IKE-PROP dh-group group5

The second step is to configure the IKE policy, its mode, and the pre-shared key. The key "juniper" is a lab placeholder; in production use a long random key, and use the same key on both peers.

set security ike policy IKE-POL proposal IKE-PROP

set security ike policy IKE-POL mode main

set security ike policy IKE-POL pre-shared-key ascii-text juniper

Now configure the remote peer (the public address of SRX-B) and the external interface on SRX-A, and allow IKE inbound on the untrust zone.

set security ike gateway IKE-GW ike-policy IKE-POL

set security ike gateway IKE-GW address 2.2.2.2

set security ike gateway IKE-GW external-interface ge-0/0/3.0

set security zones security-zone untrust host-inbound-traffic system-services ike

Configuration of IKE on Site B:

The same configuration is required on SRX-B, with only the peer IP changed.

set security ike proposal IKE-PROP lifetime-seconds 3600

set security ike proposal IKE-PROP authentication-method pre-shared-keys

set security ike proposal IKE-PROP authentication-algorithm sha1

set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc

set security ike proposal IKE-PROP dh-group group5

The second step is again the IKE policy, its mode, and the pre-shared key, which must match the one on SRX-A.

set security ike policy IKE-POL proposal IKE-PROP

set security ike policy IKE-POL mode main

set security ike policy IKE-POL pre-shared-key ascii-text juniper

Now configure the remote peer (the public address of SRX-A) and the external interface on SRX-B, and allow IKE inbound on the untrust zone.

set security ike gateway IKE-GW ike-policy IKE-POL

set security ike gateway IKE-GW address 1.1.1.1

set security ike gateway IKE-GW external-interface ge-0/0/3.0

set security zones security-zone untrust host-inbound-traffic system-services ike

Phase-2: Configuring IPsec (configure both routers with the same configuration)

set security ipsec proposal IPSEC-PROP lifetime-seconds 3600

set security ipsec proposal IPSEC-PROP protocol esp

set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96

set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc

set security ipsec policy IPSEC-POL proposals IPSEC-PROP

set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5

set security ipsec vpn IPSEC-VPN ike gateway IKE-GW

set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL

set security ipsec vpn IPSEC-VPN vpn-monitor

set security ipsec vpn IPSEC-VPN establish-tunnels immediately

set security ipsec vpn IPSEC-VPN bind-interface st0.1

Configuring Tunnel interfaces:

Now we configure the tunnel interface: we create st0 unit 1 with family inet and place it in the VPN security zone. The following commands are required on both routers, SRX-A and SRX-B.

set interfaces st0 unit 1 family inet

set security zones security-zone VPN interface st0.1

Next we configure a static route on each router pointing the remote LAN at the tunnel interface: on SRX-A a route for 10.2.2.0/24 via st0.1, and on SRX-B a route for 10.1.1.0/24 via st0.1.

SRX-A

set routing-options static route 10.2.2.0/24 next-hop st0.1

SRX-B

set routing-options static route 10.1.1.0/24 next-hop st0.1

Configuring the security policy

For the final step we configure the security policies between the trust zone and the VPN zone. For simplicity we allow any application between the two LANs in both directions, but the match is still limited to those two prefixes rather than "any" source and destination. First we define the two networks in the address book on both devices.

Address Book (Both Routers)

set security address-book global address network-A 10.1.1.0/24

set security address-book global address network-B 10.2.2.0/24

Security policy on SRX-A

set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address network-A destination-address network-B application any

set security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit

set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address network-B destination-address network-A application any

set security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit

Security policy on SRX-B

set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address network-B destination-address network-A application any

set security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit

set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address network-A destination-address network-B application any

set security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit
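The whole procedure above is symmetric: each peer's gateway address is the other peer's WAN IP, each static route points at the other peer's LAN, and every proposal, the PFS group and the pre-shared key must be identical on both sides. The following is an added example, not code from the article or from Juniper, that generates the two mirrored command sets from a site description and cross-checks two peers' command lists for exactly those mismatches. Object names (IKE-PROP, IKE-POL, IKE-GW, IPSEC-PROP, IPSEC-POL, IPSEC-VPN, st0.1, zones trust/untrust/VPN) follow the article; the Site class and the helper functions are this example's own.

```python
"""Added example, not code from the original article: build the mirrored
Junos set commands for both SRX peers and cross-check them. The Site class
and helper functions are this example's own; object names follow the article.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Site:
    name: str       # e.g. "SRX-A"
    wan_ip: str     # address on the internet-facing interface
    lan: str        # local LAN prefix, e.g. "10.1.1.0/24"
    lan_name: str   # address-book entry name for the local LAN


# Phase-1 / Phase-2 parameters: both peers must use identical values.
IKE = {"lifetime": 3600, "auth": "sha1", "enc": "aes-128-cbc", "dh": "group5"}
IPSEC = {"lifetime": 3600, "auth": "hmac-sha1-96", "enc": "aes-128-cbc", "pfs": "group5"}
EXT_IF = "ge-0/0/3.0"
TUNNEL_IF = "st0.1"


def vpn_config(local: Site, remote: Site, psk: str) -> list[str]:
    """Set commands for `local`, with `remote` as the IKE peer."""
    unit = TUNNEL_IF.replace(".", " unit ")  # "st0.1" -> "st0 unit 1"
    return [
        # Phase 1: proposal, policy (PSK), gateway, IKE allowed inbound on untrust
        f"set security ike proposal IKE-PROP lifetime-seconds {IKE['lifetime']}",
        "set security ike proposal IKE-PROP authentication-method pre-shared-keys",
        f"set security ike proposal IKE-PROP authentication-algorithm {IKE['auth']}",
        f"set security ike proposal IKE-PROP encryption-algorithm {IKE['enc']}",
        f"set security ike proposal IKE-PROP dh-group {IKE['dh']}",
        "set security ike policy IKE-POL proposal IKE-PROP",
        "set security ike policy IKE-POL mode main",
        f"set security ike policy IKE-POL pre-shared-key ascii-text {psk}",
        "set security ike gateway IKE-GW ike-policy IKE-POL",
        f"set security ike gateway IKE-GW address {remote.wan_ip}",
        f"set security ike gateway IKE-GW external-interface {EXT_IF}",
        "set security zones security-zone untrust host-inbound-traffic system-services ike",
        # Phase 2: proposal, policy with PFS, VPN bound to the tunnel interface
        f"set security ipsec proposal IPSEC-PROP lifetime-seconds {IPSEC['lifetime']}",
        "set security ipsec proposal IPSEC-PROP protocol esp",
        f"set security ipsec proposal IPSEC-PROP authentication-algorithm {IPSEC['auth']}",
        f"set security ipsec proposal IPSEC-PROP encryption-algorithm {IPSEC['enc']}",
        "set security ipsec policy IPSEC-POL proposals IPSEC-PROP",
        f"set security ipsec policy IPSEC-POL perfect-forward-secrecy keys {IPSEC['pfs']}",
        "set security ipsec vpn IPSEC-VPN ike gateway IKE-GW",
        "set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POL",
        "set security ipsec vpn IPSEC-VPN vpn-monitor",
        "set security ipsec vpn IPSEC-VPN establish-tunnels immediately",
        f"set security ipsec vpn IPSEC-VPN bind-interface {TUNNEL_IF}",
        # Tunnel interface, VPN zone, and the static route that steers traffic into it
        f"set interfaces {unit} family inet",
        f"set security zones security-zone VPN interface {TUNNEL_IF}",
        f"set routing-options static route {remote.lan} next-hop {TUNNEL_IF}",
        # Address book and the two zone policies, scoped to the two LANs only
        f"set security address-book global address {local.lan_name} {local.lan}",
        f"set security address-book global address {remote.lan_name} {remote.lan}",
        "set security policies from-zone trust to-zone VPN policy Trust-to-VPN match "
        f"source-address {local.lan_name} destination-address {remote.lan_name} application any",
        "set security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit",
        "set security policies from-zone VPN to-zone trust policy VPN-to-Trust match "
        f"source-address {remote.lan_name} destination-address {local.lan_name} application any",
        "set security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit",
    ]


def _field(cmds: list[str], prefix: str) -> Optional[str]:
    """First token after `prefix` in the first command that starts with it."""
    for c in cmds:
        if c.startswith(prefix):
            return c[len(prefix):].split()[0]
    return None


def check_peers(a_cfg: list[str], b_cfg: list[str], a: Site, b: Site) -> list[str]:
    """Cross-check two peers' set commands; an empty list means they agree."""
    gw, rt = "set security ike gateway IKE-GW address ", "set routing-options static route "
    problems = []
    for local, remote, cfg in ((a, b, a_cfg), (b, a, b_cfg)):
        if _field(cfg, gw) != remote.wan_ip:
            problems.append(f"{local.name}: IKE gateway address is not {remote.name}'s WAN IP")
        if _field(cfg, rt) != remote.lan:
            problems.append(f"{local.name}: static route does not point at {remote.name}'s LAN")
    # Proposals, PFS group and PSK must be identical on both sides; a different
    # dh-group or PFS group is the classic reason a phase never completes.
    keys = ("proposal IKE-PROP", "proposal IPSEC-PROP", "perfect-forward-secrecy", "pre-shared-key")
    crypto = lambda cfg: {c for c in cfg if any(k in c for k in keys)}
    if crypto(a_cfg) != crypto(b_cfg):
        problems.append("IKE/IPsec proposal, PFS group or pre-shared key differs between peers")
    return problems
```

Usage: `vpn_config(A, B, psk)` gives SRX-A's commands and `vpn_config(B, A, psk)` SRX-B's, with A and B built as `Site("SRX-A", "1.1.1.1", "10.1.1.0/24", "network-A")` and `Site("SRX-B", "2.2.2.2", "10.2.2.0/24", "network-B")`. `check_peers` also works on command lists pasted from `show configuration | display set` on two real boxes, which is where a forgotten dh-group change on one side normally shows up.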

How to verify VPN configurations:

The following commands are useful for verifying the VPN. Check Phase 1 first: if no IKE SA appears, Phase 2 cannot succeed.

  • show security ike security-associations
  • show security ipsec security-associations
  • show route
  • show security ipsec statistics
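The IKE SA table should show an entry for the peer in state UP and Main mode, and the IPsec SA table should show one inbound (`<`) and one outbound (`>`) ESP SA towards the peer's gateway address. The following is an added example, not code from the article or from Juniper, that parses those two tables and turns them into a pass/fail decision with the reason. The sample outputs are constructed for this example to follow the column layout of the two commands named above; they were not captured from a device, and the `tunnel_up` helper and its diagnostic messages are this example's own.

```python
"""Added example, not from the original article: decide from the two
verification commands whether the tunnel to a given peer is up.
Sample outputs below are constructed to follow the commands' column layout.
"""

# Constructed sample of `show security ike security-associations`
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1234567 UP     2a4c9d6f3b1e8a7d  9f1e2d3c4b5a6978  Main           2.2.2.2
"""

# Constructed sample of `show security ipsec security-associations`
# (Mon column: '-' not monitored, 'U' monitor up, 'D' monitor down)
IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 8a3f6b2c 3412/ unlim   U   root 500   2.2.2.2
  >131073 ESP:aes-cbc-128/sha1 4d7e9a01 3412/ unlim   U   root 500   2.2.2.2
"""


def ike_sas(text: str) -> dict:
    """Map remote address -> (state, mode) for every IKE SA row."""
    sas = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].isdigit():   # data rows start with the index
            sas[parts[5]] = (parts[1], parts[4])
    return sas


def ipsec_sas(text: str) -> dict:
    """Map gateway -> {direction: (sa_id, algorithm, mon_flag)} for ESP SA rows."""
    sas = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] not in "<>":      # skip header/summary lines
            continue
        direction, sa_id = parts[0][0], parts[0][1:]
        # 'Life:sec/kb' prints as two tokens, so index the tail columns from the right
        sas.setdefault(parts[-1], {})[direction] = (sa_id, parts[1], parts[-4])
    return sas


def tunnel_up(peer: str, ike_text: str, ipsec_text: str, expect_mode: str = "Main"):
    """Return (ok, reasons): Phase 1 UP to `peer` and ESP SAs in both directions."""
    reasons = []
    ike = ike_sas(ike_text).get(peer)
    if ike is None:
        reasons.append(f"no IKE SA with {peer}: Phase 1 did not complete "
                       "(pre-shared key, proposal, or IKE not allowed inbound on untrust)")
    else:
        state, mode = ike
        if state != "UP":
            reasons.append(f"IKE SA with {peer} is {state}, not UP")
        if mode != expect_mode:
            reasons.append(f"IKE SA with {peer} negotiated {mode} mode, expected {expect_mode}")
    esp = ipsec_sas(ipsec_text).get(peer, {})
    for direction, label in (("<", "inbound"), (">", "outbound")):
        if direction not in esp:
            reasons.append(f"no {label} ESP SA with {peer}: Phase 2 did not complete "
                           "(IPsec proposal or PFS group mismatch)")
    if any(mon == "D" for _, _, mon in esp.values()):
        reasons.append(f"vpn-monitor reports the tunnel to {peer} down")
    return (not reasons, reasons)
```

On SRX-A the peer to pass is 2.2.2.2, on SRX-B it is 1.1.1.1. Feeding the real command output in place of the constructed samples is the only change needed; the column positions used are the ones the two commands print.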

 

Output of show security ipsec security-associations


A ping from host-A to host-B should now succeed. If it does not, confirm that show security ike security-associations shows the peer in state UP before looking at the IPsec SAs: a missing IKE SA usually means a pre-shared key or proposal mismatch, or IKE not permitted by host-inbound-traffic on the untrust zone, while an IKE SA without IPsec SAs points at the Phase 2 proposal or PFS group.
