SRX Route-Based IPSec VPN

Configuring VPN in Juniper SRX [side C]

I have configured this template in SRX210 with Junos 11.4.

Configure the WAN side interface and assigning the IP address

user@SRX-C#set interfaces ge-0/0/0 unit 0 description ” WAN INTERFACE “ user@SRX-C#set interfaces ge-0/0/0 unit 0 family inet address 10.10.30.1/30 Configure the LAN side interfaces and assigning the IP address user@SRX-C#set interfaces ge-0/0/1 unit 0 description ” LAN INTERFACE “ user@SRX-C#set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 Configure the VPN tunnel interfaces: Tunnel interface is assigned IP 172.16.1.1/30 for this site to make Point to Point tunnel. There should be same subnet Ip in SRX B side. user@SRX-C#set interfaces st0 unit 0 description ” VPN SECURE TUNNEL “ user@SRX-C#set interfaces st0 unit 0 family inet 172.16.1.1/30 Configure default route and route for VPN tunnel traffic

For route of VPN tunnel traffic, secure tunnel interface is configured as next-hop tunnel. Another site tunnel IP can also be assigned for net-hop tunnel. Dynamic routing can also be implemented to the secure tunnel interface.

user@SRX-C#set routing-options static route 0.0.0.0/0 next-hop 10.10.30.2 user@SRX-C#set routing-options static route 192.168.200.0/24 next-hop st0.0 Configure security zones and assign interfaces to the zone and adding host-inbound system services in these zones

IKE must be defined as host-inbound system services in internet facing zone (WAN) to establish the IKE negotiations between VPN peer devices. To make separate the security policies for non-VPN and VPN traffic, the secure tunnel is assigned in different zone named VPN than the WAN and LAN zone. user@SRX-C#set security zones security-zone WAN host-inbound-traffic system-services ike user@SRX-C#set security zones security-zone WAN interfaces ge-0/0/0.0 user@SRX-C#set security zones security-zone LAN host-inbound-traffic system-services all user@SRX-C#set security zones security-zone LAN interfaces ge-0/0/1.0 user@SRX-C#set security zones security-zone VPN interfaces st0.0 Configure the Local IP address in LAN Zone and Remote IP address in WAN zone

user@SRX-C#set security zones security-zone LAN address-book address LOCAL_IP 192.168.1.0/24 user@SRX-C#set 192.168.200.0/24 Configure Phase-I IKE proposal and Policy for main mode as listed above in Table Here I have defined the VPN parameters manually instead of using the default for Phase-I. user@SRX-C#set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys user@SRX-C#set security ike proposal IKE-PROPOSAL dh-group group5 user@SRX-C#set security ike proposal IKE-PROPOSAL authentication-algorithm sha1 user@SRX-C#set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc user@SRX-C#set security ike proposal IKE-PROPOSAL lifetime-seconds 28800 user@SRX-C#set security ike policy IKE-POLICY mode main user@SRX-C#set security ike policy IKE-POLICY proposals IKE-PROPOSAL user@SRX-C#set security ike policy IKE-POLICY pre-shared-key ascii-text Configure the VPN gateway (Phase-I) with policy, peer address and outgoing interface

To identify the remote IKE peer, I have used IP address of peer device and outgoing interface ge-0/0/0 of SRX device. user@SRX-C#set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY security zones security-zone VPN address-book address REMOTE_IP user@SRX-C#set security ike gateway VPN-GATEWAY address 10.10.20.1 user@SRX-C#set security ike gateway VPN-GATEWAY dead-peer-detection interval 10 user@SRX-C#set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1 user@SRX-C#set security ike gateway VPN-GATEWAY nat-keepalive 10 user@SRX-C#set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0 Configure Phase-II Proposal and Policy as listed in above Table

Here I have defined the VPN parameters manually instead of using the default for Phase-II. user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL protocol esp user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96 user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 800 user@SRX-C#set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5 user@SRX-C#set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL Configure IPSEC VPN (Phase-II) with IKE gateway and IPSEC policy user@SRX-C#set security ipsec IPSEC-VPN bind-interface st0.0 user@SRX-C#set security ipsec IPSEC-VPN ike gateway VPN-GATEWAY user@SRX-C#set security ipsec IPSEC-VPN ike proxy-identity local 192.168.1.0/24 user@SRX-C#set security ipsec IPSEC-VPN ike proxy-identity remote 192.168.200.0/24 user@SRX-C#set security ipsec IPSEC-VPN ike proxy-identity service any user@SRX-C#set security ipsec IPSEC-VPN ike ipsec-policy IPSEC-POLICY user@SRX-C#set security ipsec IPSEC-VPN establish-tunnels immediately Configure the security policy for VPN Traffic from and to LAN to VPN zone:

user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN match source-address LOCAL_IP user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN match destination-address REMOTE_IP user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN match application any user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN then permit user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN match source-address REMOTE_IP user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN match destination-address LOCAL_IP user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN match application any user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN then permit Configure the security policy for internet Traffic from LAN to WAN zone

user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN match source-address any user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN match destination-address any user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN match application any user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN then permit Configure the security NAT for internet Traffic from LAN to WAN zone

It is important to configure NAT for passing internet traffic from LAN to WAN zone. LAN zone IP address

will be translated to the egress interface IP of SRX as source IP when it goes to internet. And there should be NAT OFF policy above this policy for passing the VPN traffic. user@SRX-C#set security nat source rule-set LAN-TO_WAN from zone LAN user@SRX-C#set security nat source rule-set LAN-TO_WAN to zone WAN user@SRX-C#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match source-address 0.0.0.0/0 user@SRX-C#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match destination-address 0.0.0.0/0 user@SRX-C#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT then source-nat interface Configure tcp-mss to eliminate fragmentation of TCP traffic across tunnel

The tcp-mss for IPSec traffic is defined to eliminate the possibility of fragmented TCP traffic. It limits the maximum size of a TCP Segment

user@SRX-C#set security flow tcp-mss ipsec- mss 1350

The Juniper SRX [Side B] device can be configured similarly using the VPN parameters tabulated in above and following the steps to configure VPN in above.

Following command verifies the tunnel and status.

user@SRX-C>show security ike security-associations user@SRX-C>show security ipsec security-associations user@SRX-C>show security ike security-associations detail user@SRX-C>show security ipsec security-associations detail user@SRX-C>show security flow session tunnel