
Juniper SRX IPSEC

May 12, 2013

I have set up a couple of my Juniper SRX units with VPNs. I spent a day or two getting it to work, so I thought I would post my config to help others trying to make it work.

Once you get your head around it, it's very easy and awesome. The power of the Junos CLI makes it easy to reuse config and adapt it for a new environment. I love Junos.

My first setup was a test between two SRX210 boxes. One machine at our head office was set up with a public static IP; the other, at my house, has a dynamic IP via a PPP (ADSL) connection.

I used pre-shared keys because these are site-to-site VPNs and I don't have a certificate server set up.

Box 1 setup
1. First I set up my VPN interface (st0, the secure tunnel interface) with a private IP for the VPN network. The VPN endpoints all need their own IPs, so I gave that network the 10.3.43.0/24 subnet; this box is .2 and the head office end is .1.

set interfaces st0 unit 0 family inet address 10.3.43.2/24

2. Then I put the VPN interface in a new zone so that I can regulate traffic to and from it via the powerful Junos security policies. Note that host-inbound-traffic "all" for both system-services and protocols exposes every management service and routing protocol on the SRX itself to anything reachable through the tunnel; vpn-monitor (step 7) only needs the peer to answer ICMP, so allowing just ping is the tighter choice if you do not need SSH or routing protocols across the tunnel.

set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0

3. I then set up my IKE proposal. A caveat if you copy this: des-cbc is single DES with a 56-bit key, and sha1 with dh-group group2 (1024-bit MODP) are both weak by today's standards. The SRX also accepts aes-256-cbc, sha-256 and group14, and there is no good reason to pick DES for a new tunnel.

set security ike proposal HeadOffice-PSK authentication-method pre-shared-keys
set security ike proposal HeadOffice-PSK dh-group group2
set security ike proposal HeadOffice-PSK authentication-algorithm sha1
set security ike proposal HeadOffice-PSK encryption-algorithm des-cbc
set security ike proposal HeadOffice-PSK lifetime-seconds 86400

4. I then set up my IKE policy, which references the proposal above. Aggressive mode is used because this end has a dynamic IP and identifies itself by hostname rather than by address (see step 5). Be aware that IKEv1 aggressive mode with pre-shared keys sends the identity in the clear and lets anyone who captures the exchange attempt offline guessing of the PSK, so use a long random key. The "$9$..." string the CLI displays is Junos's reversible obfuscation of the key, not encryption: anyone who can read the config can recover the PSK.

set security ike policy HeadOffice-PSK mode aggressive
set security ike policy HeadOffice-PSK proposals HeadOffice-PSK
set security ike policy HeadOffice-PSK pre-shared-key ascii-text "$9$8Sz7b2ZGi.mTZUqf5QCA"

5. I then set up my IKE gateway, which references the IKE policy above. It has dead peer detection active to pick up dead IKE connections. The local-identity cannot be more than 20 characters (a limitation); I initially had it set to a fully qualified domain name, but this was too long. The local-identity is needed because this is a dynamic connection: the address is the head office's static public IP, and the external interface is the PPP interface that carries my dynamic address. If this endpoint were static we would configure it a little differently (which I will demonstrate in a later post).

set security ike gateway HeadOffice-VPNGW ike-policy HeadOffice-PSK
set security ike gateway HeadOffice-VPNGW address xx.xx.xx.xx
set security ike gateway HeadOffice-VPNGW dead-peer-detection interval 60
set security ike gateway HeadOffice-VPNGW dead-peer-detection threshold 2
set security ike gateway HeadOffice-VPNGW local-identity hostname myhostname
set security ike gateway HeadOffice-VPNGW external-interface pp0

6. Next I set up my IPsec policy. proposal-set standard is a built-in Junos set (3DES and AES-128 with SHA-1). Perfect forward secrecy with group2 means each phase 2 SA does its own Diffie-Hellman exchange, so compromising one session key does not expose earlier traffic.

set security ipsec policy HeadOffice-VPN perfect-forward-secrecy keys group2
set security ipsec policy HeadOffice-VPN proposal-set standard

7. Then the actual IPsec connection. There are a couple of things going on here. First I bind the VPN to st0.0. Then I turn on vpn-monitor, which pings the other side's st0 address through the tunnel and re-initiates the connection if it drops out; "optimized" means the SRX only sends those ICMP probes when there is outgoing traffic but no incoming traffic from the peer, instead of pinging constantly. Then I set up the proxy identity (the local and remote subnets, which must mirror what the other side configures) and tell it to establish the VPN immediately rather than waiting for interesting traffic.

set security ipsec vpn HeadOffice-VPN bind-interface st0.0
set security ipsec vpn HeadOffice-VPN vpn-monitor optimized
set security ipsec vpn HeadOffice-VPN vpn-monitor source-interface st0
set security ipsec vpn HeadOffice-VPN vpn-monitor destination-ip 10.3.43.1
set security ipsec vpn HeadOffice-VPN ike gateway HeadOffice-VPNGW
set security ipsec vpn HeadOffice-VPN ike proxy-identity local 192.168.x.x/24
set security ipsec vpn HeadOffice-VPN ike proxy-identity remote 10.3.x.x/24
set security ipsec vpn HeadOffice-VPN ike proxy-identity service any
set security ipsec vpn HeadOffice-VPN ike ipsec-policy HeadOffice-VPN
set security ipsec vpn HeadOffice-VPN establish-tunnels immediately

8. The only thing left to do is set up the routing: we need to tell the router to send the remote subnet to the other side's VPN interface address (10.3.43.1), which is reached through st0.0.

set routing-options static route 10.3.x.0/24 next-hop 10.3.43.1
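Pulling the steps above together, here is an added hardening and verification pass over the same box 1 config. This is example config written for this page, not the author's, and it assumes three things: the LAN sits in a zone called "trust"; the local and head office LANs are 192.168.1.0/24 and 10.3.1.0/24 (placeholders standing in for the post's 192.168.x.x and 10.3.x.x); and the Junos release supports aes-256-cbc, sha-256, group14 and the global address book. Lines starting with ## are annotations for the reader, not CLI input.

```junos
## 1. Stronger phase 1 than des-cbc/sha1/group2. Re-setting a single-valued
##    knob replaces the old value. Aggressive mode stays, because this end has
##    a dynamic address and identifies by hostname.
set security ike proposal HeadOffice-PSK dh-group group14
set security ike proposal HeadOffice-PSK authentication-algorithm sha-256
set security ike proposal HeadOffice-PSK encryption-algorithm aes-256-cbc
set security ike proposal HeadOffice-PSK lifetime-seconds 28800
## Long random PSK (placeholder); Junos stores it as a reversible $9$ string,
## so treat the saved config as a secret.
set security ike policy HeadOffice-PSK pre-shared-key ascii-text "<long-random-key>"

## 2. Stronger phase 2: a named proposal instead of proposal-set standard
##    (the two are mutually exclusive, so the set is removed first).
delete security ipsec policy HeadOffice-VPN proposal-set
set security ipsec proposal HeadOffice-ESP protocol esp
set security ipsec proposal HeadOffice-ESP encryption-algorithm aes-256-cbc
set security ipsec proposal HeadOffice-ESP authentication-algorithm hmac-sha-256-128
set security ipsec proposal HeadOffice-ESP lifetime-seconds 3600
set security ipsec policy HeadOffice-VPN perfect-forward-secrecy keys group14
set security ipsec policy HeadOffice-VPN proposals HeadOffice-ESP

## 3. Least privilege on the VPN zone: vpn-monitor only needs the peer to
##    answer ICMP, so allow ping rather than every service and protocol.
delete security zones security-zone VPN host-inbound-traffic
set security zones security-zone VPN host-inbound-traffic system-services ping

## 4. Security policies. Without these the SRX drops traffic between the
##    trust zone and the tunnel by default, even though IKE/IPsec come up.
set security address-book global address LAN-Home 192.168.1.0/24
set security address-book global address LAN-HeadOffice 10.3.1.0/24
set security policies from-zone trust to-zone VPN policy Home-to-HeadOffice match source-address LAN-Home
set security policies from-zone trust to-zone VPN policy Home-to-HeadOffice match destination-address LAN-HeadOffice
set security policies from-zone trust to-zone VPN policy Home-to-HeadOffice match application any
set security policies from-zone trust to-zone VPN policy Home-to-HeadOffice then permit
set security policies from-zone VPN to-zone trust policy HeadOffice-to-Home match source-address LAN-HeadOffice
set security policies from-zone VPN to-zone trust policy HeadOffice-to-Home match destination-address LAN-Home
set security policies from-zone VPN to-zone trust policy HeadOffice-to-Home match application any
set security policies from-zone VPN to-zone trust policy HeadOffice-to-Home then permit

## 5. Commit with automatic rollback, so a bad change on a remote box does
##    not lock you out; the plain commit within 5 minutes makes it permanent.
commit confirmed 5
commit

## 6. Checks, run from configuration mode: phase 1 SA, phase 2 SA, traffic
##    counters (encrypted/decrypted should both climb), and the route via st0.0.
run show security ike security-associations
run show security ipsec security-associations
run show security ipsec statistics
run show route 10.3.1.0/24
```

The other side must be changed to the same proposals at the same time, since IKE will not negotiate if the two ends disagree on algorithms or DH group; the proxy identities in step 7 likewise have to be mirror images of each other. If the phase 1 SA never appears, "show security ike security-associations" on the static end together with "show log messages | match kmd" is the first place to look.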

Next post I will be setting up the other side (box 2).
