When we need a secure connection between multiple fixed locations, a site-to-site VPN is one of the most popular options for network engineers. In this lesson we will learn how to configure a site-to-site policy-based IPsec VPN on a Juniper SRX firewall.

We will be using the diagram below for our IPsec lab. We assume that the CTG end is already configured; here we will configure the DHK end firewall only.

How to configure Site-to-Site Policy based IPSec VPN on Juniper SRX

VPN Gateway Details:

                     DHK            CTG
  VPN Gateway IP     1.1.1.2        2.2.2.2
  LAN IP             10.1.1.0/24    172.16.0.0/24

VPN Negotiation Parameters:

Phase 1
  Authentication Method                  Pre-Shared Key
  Authentication Algorithm               sha-256
  Diffie-Hellman Group                   Group 5
  Encryption Algorithm                   3des-cbc
  Lifetime (seconds, for renegotiation)  86400
  Main or Aggressive Mode                Main
  Pre-Shared Key                         letsconfig
Phase 2
  Encapsulation (ESP or AH)              ESP
  Encryption Algorithm                   3des-cbc
  Authentication Algorithm               hmac-sha1-96
  Perfect Forward Secrecy                No PFS
  Lifetime (seconds, for renegotiation)  28800

These values are what the CTG end of the lab expects, so the DHK side must match them exactly. They are also legacy choices: 3des-cbc, hmac-sha1-96 and DH group 5 are no longer recommended, a dictionary-word pre-shared key is a weak secret, and running Phase 2 without PFS means a compromised Phase 1 key exposes every Phase 2 key derived from it. In production prefer AES, SHA-256, DH group 14 or stronger, PFS, and a long random pre-shared key.

Configuration:

First of all, let's verify ping reachability from the DHK end to the CTG peer IP.

root@DHK> ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=63 time=11.684 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=63 time=10.274 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=63 time=10.190 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=63 time=10.640 ms
^C
--- 2.2.2.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.190/10.697/11.684/0.594 ms

root@DHK>

The ping result shows full reachability to the IPsec peer IP.

We also need to check whether IKE is allowed as host-inbound traffic in our untrust (outside) zone. If it is not allowed, we have to allow it, otherwise the SRX will drop the peer's IKE packets before negotiation even starts.

root@DHK# show | display set | match security-zone
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0

Here, in our lab, everything is allowed. In a production network you should allow only the specific services you need on the untrust zone; if you do so, make sure IKE (UDP 500, and UDP 4500 when NAT traversal is in play) is allowed, as it is required to form the IPsec peer. Use the command below to allow it.

set security zones security-zone untrust host-inbound-traffic system-services ike

Now, move on to the main part of the IPsec configuration. Here we will configure Phase 1 and Phase 2.

IKE_Proposal: We will configure the IKE proposal according to our IPsec parameter table.

set security ike proposal our-ike-proposal authentication-method pre-shared-keys
set security ike proposal our-ike-proposal dh-group group5
set security ike proposal our-ike-proposal authentication-algorithm sha-256
set security ike proposal our-ike-proposal encryption-algorithm 3des-cbc
set security ike proposal our-ike-proposal lifetime-seconds 86400

IKE_Policy: Our pre-shared key is "letsconfig"; it is added here and combined with the proposal. Junos only obfuscates the key ($9$ format) in the saved configuration, so treat the configuration file, and any ticket or chat where the set command is pasted, as sensitive.

set security ike policy our-ike-policy mode main
set security ike policy our-ike-policy proposals our-ike-proposal
set security ike policy our-ike-policy pre-shared-key ascii-text letsconfig

IKE_Gateway: Here we assign our external interface, the peer address and the IKE policy.

set security ike gateway our-ike-gateway ike-policy our-ike-policy
set security ike gateway our-ike-gateway address 2.2.2.2
set security ike gateway our-ike-gateway external-interface ge-0/0/0.0

Now move on to the Phase 2 configuration.

IPSec_Proposal: The IPsec proposal parameters are given in the table above.

set security ipsec proposal our-ipsec-proposal protocol esp
set security ipsec proposal our-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal our-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal our-ipsec-proposal lifetime-seconds 28800

IPSec_Policy: In the IPsec policy section, we reference our IPsec proposal from the policy.

set security ipsec policy our-ipsec-policy proposals our-ipsec-proposal

IPSec_VPN: This is the section where Phase 1 and Phase 2 are joined together.

set security ipsec vpn our-ipsec-vpn-1 ike gateway our-ike-gateway
set security ipsec vpn our-ipsec-vpn-1 ike ipsec-policy our-ipsec-policy
set security ipsec vpn our-ipsec-vpn-1 establish-tunnels immediately

Let's define address-book entries for our inside and remote subnets as below. This uses the zone-level address book; Junos also offers a global address book (set security address-book global address ...), but the two styles cannot be mixed on the same device, so pick the one your existing configuration already uses.

set security zones security-zone untrust address-book address out-ip 172.16.0.0/24
set security zones security-zone trust address-book address in-ip 10.1.1.0/24

Now we need to configure the security policies for our policy-based IPsec VPN. The "permit tunnel" action is what sends matching traffic into the VPN, and the pair-policy statement links the two directions so they share one tunnel. Security policies are evaluated top-down, so these policies must sit above any broader trust-to-untrust permit policy; otherwise matching traffic hits the broad policy first and leaves in the clear.

Inside to Outside policy:
edit security policies from-zone trust to-zone untrust policy in-to-out 
          set match source-address in-ip
          set match destination-address out-ip
          set match application any
          set then permit tunnel ipsec-vpn our-ipsec-vpn-1
          set then permit tunnel pair-policy out-to-in

Outside to inside policy:
edit security policies from-zone untrust to-zone trust policy out-to-in
          set match source-address out-ip
          set match destination-address in-ip
          set match application any
          set then permit tunnel ipsec-vpn our-ipsec-vpn-1
          set then permit tunnel pair-policy in-to-out
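The whole DHK-side configuration in one place, as an added example that is not from the original post: the lab's legacy parameters are replaced with settings a production deployment would use (IKEv2 only, AES-256, SHA-256, DH group 14, PFS, a tight host-inbound list and dead-peer detection). The peer addresses, subnets, zone and interface names are taken from the lab tables; the object names, the pre-shared-key placeholder, the lifetimes, the DPD values and the name of the pre-existing broad policy ("default-permit") are assumptions. The CTG end must be changed to match these proposals, or Phase 1 will fail with a proposal mismatch. Lines starting with "#" are commentary for the reader; strip them before pasting the block with "load set terminal".

```junos
# Added example (not the post's own configuration): hardened DHK side.

# Allow only IKE inbound on the untrust zone instead of "system-services all".
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0

# Phase 1: AES-256, SHA-256, DH group 14 (2048-bit MODP), 8-hour IKE SA.
set security ike proposal dhk-ctg-ike-prop authentication-method pre-shared-keys
set security ike proposal dhk-ctg-ike-prop dh-group group14
set security ike proposal dhk-ctg-ike-prop authentication-algorithm sha-256
set security ike proposal dhk-ctg-ike-prop encryption-algorithm aes-256-cbc
set security ike proposal dhk-ctg-ike-prop lifetime-seconds 28800

# The key below is a placeholder (assumption): generate a long random secret
# and configure the identical value on CTG. No "mode" is set because IKEv2
# has no main/aggressive distinction.
set security ike policy dhk-ctg-ike-pol proposals dhk-ctg-ike-prop
set security ike policy dhk-ctg-ike-pol pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET"

# Gateway: IKEv2 only, plus DPD so a dead peer tears the SAs down (values assumed).
set security ike gateway dhk-ctg-gw ike-policy dhk-ctg-ike-pol
set security ike gateway dhk-ctg-gw address 2.2.2.2
set security ike gateway dhk-ctg-gw external-interface ge-0/0/0.0
set security ike gateway dhk-ctg-gw version v2-only
set security ike gateway dhk-ctg-gw dead-peer-detection interval 10
set security ike gateway dhk-ctg-gw dead-peer-detection threshold 3

# Phase 2: ESP with AES-256 and HMAC-SHA-256, PFS on group 14, 1-hour child SA.
set security ipsec proposal dhk-ctg-ipsec-prop protocol esp
set security ipsec proposal dhk-ctg-ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec proposal dhk-ctg-ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal dhk-ctg-ipsec-prop lifetime-seconds 3600
set security ipsec policy dhk-ctg-ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy dhk-ctg-ipsec-pol proposals dhk-ctg-ipsec-prop
set security ipsec vpn dhk-ctg-vpn ike gateway dhk-ctg-gw
set security ipsec vpn dhk-ctg-vpn ike ipsec-policy dhk-ctg-ipsec-pol

# Address-book entries and the paired tunnel policies, as in the post.
set security zones security-zone trust address-book address in-ip 10.1.1.0/24
set security zones security-zone untrust address-book address out-ip 172.16.0.0/24
set security policies from-zone trust to-zone untrust policy in-to-out match source-address in-ip
set security policies from-zone trust to-zone untrust policy in-to-out match destination-address out-ip
set security policies from-zone trust to-zone untrust policy in-to-out match application any
set security policies from-zone trust to-zone untrust policy in-to-out then permit tunnel ipsec-vpn dhk-ctg-vpn
set security policies from-zone trust to-zone untrust policy in-to-out then permit tunnel pair-policy out-to-in
set security policies from-zone untrust to-zone trust policy out-to-in match source-address out-ip
set security policies from-zone untrust to-zone trust policy out-to-in match destination-address in-ip
set security policies from-zone untrust to-zone trust policy out-to-in match application any
set security policies from-zone untrust to-zone trust policy out-to-in then permit tunnel ipsec-vpn dhk-ctg-vpn
set security policies from-zone untrust to-zone trust policy out-to-in then permit tunnel pair-policy in-to-out

# Policies are matched top-down. If a broader trust-to-untrust permit policy
# already exists (assumed to be named "default-permit"), move the tunnel
# policy above it, or the LAN-to-LAN traffic will leave unencrypted.
insert security policies from-zone trust to-zone untrust policy in-to-out before policy default-permit
```

Run "show security policies from-zone trust to-zone untrust" after the commit to confirm in-to-out is listed before the broad policy, and "show security ike security-associations" to confirm the gateway now negotiates IKEv2; if CTG still runs the original 3des/sha1 proposals, Phase 1 will not come up until it is updated to match.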

Verification:

The first command shows our Phase 1 status and the second shows our Phase 2 status.

  • run show security ike security-associations
  • run show security ipsec security-associations
root@DHK# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3042402 UP     e0537e4ce947e7f6  1c1ce74c43f4c092  Main           2.2.2.2

The output shows our Phase 1 is UP. Now let's check the Phase 2 status.

root@DHK# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <2    ESP:3des/sha1   2ad8a287 17791/unlim   -   root 500   2.2.2.2
  >2    ESP:3des/sha1   c6671bf7 17791/unlim   -   root 500   2.2.2.2

This confirms that our tunnel is up: one inbound (<) and one outbound (>) SA, each with its own SPI and remaining lifetime.

"run show security ipsec statistics" is another useful command; it shows the encrypted and decrypted byte and packet counts. On a healthy tunnel the Errors block should stay at zero: rising authentication failures, decryption failures or replay errors point to a mismatched peer, a rekey problem or packets being replayed or tampered with in transit.

root@DHK# run show security ipsec statistics
ESP Statistics:
  Encrypted bytes:          1296304
  Decrypted bytes:           834828
  Encrypted packets:           9532
  Decrypted packets:           9947
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

[edit]
root@DHK#

Now, ping from the 10.1.1.10 PC to 172.16.0.10 and then re-check the statistics counters; the encrypted and decrypted packet counts should increase.

C:\>ping 172.16.0.10

Pinging 172.16.0.10 with 32 bytes of data:
Reply from 172.16.0.10: bytes=32 time=5ms TTL=115
Reply from 172.16.0.10: bytes=32 time=4ms TTL=115
Reply from 172.16.0.10: bytes=32 time=6ms TTL=115
Reply from 172.16.0.10: bytes=32 time=5ms TTL=115

Ping statistics for 172.16.0.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 6ms, Average = 5ms

C:\>

So, it’s working 🙂

Juniper provides a handy tool to generate site-to-site VPN configurations for SRX and J Series devices. Please have a look: https://www.juniper.net/support/tools/vpnconfig/

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 7+ years of experience in multi-vendor environments. In my current company, I am responsible for taking care of critical projects and their support cases. I do have several vendor certificates and have plans to go further.
