
Juniper SRX IPSEC Part 2

June 8, 2013

Continuing on from my last post, this is the config on the second side of the VPN connection (my head office).

First we need to set up the st0 interface (the VPN tunnel endpoint interface) on this box. I am using multipoint because I am terminating a number of VPNs on this one interface.


set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.3.43.1/24

Then we need a zone for this interface. Be aware that “system-services all” and “protocols all” let the remote sites reach every management service (SSH, the web UI and so on) and every routing protocol on the SRX through the tunnel. If the sites only need to ping the tunnel endpoint, list just ping instead of all.


set security zones security-zone IPSECVPN host-inbound-traffic system-services all
set security zones security-zone IPSECVPN host-inbound-traffic protocols all
set security zones security-zone IPSECVPN interfaces st0.0

Then we need security policies between trust and the new zone. These are any/any permits in both directions, which is fine for a lab or a fully trusted branch; in production, narrow the match to the subnets and applications the sites actually need.

set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match source-address any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match destination-address any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit match application any
set security policies from-zone trust to-zone IPSECVPN policy defaultPermit then permit
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit match source-address any
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit match destination-address any
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit match application any
set security policies from-zone IPSECVPN to-zone trust policy defaultPermit then permit

We also need to allow IKE inbound on our external (Internet-facing) zone so the remote sites can negotiate the tunnel with us.


set security zones security-zone publicip host-inbound-traffic system-services ike

Now for the VPN part. First we need IKE set up correctly, starting with the proposal. The traceoptions line is an IKE debugging knob, not part of the proposal; it is useful while bringing the tunnel up but should be removed afterwards. Note also that this proposal uses DES-CBC, SHA-1 and DH group 2 (1024-bit MODP), all of which are weak by current standards; if both ends support it, use aes-256-cbc, sha-256 and group14 instead.


set security ike traceoptions flag routing-socket
set security ike proposal MTLGateway-PSK authentication-method pre-shared-keys
set security ike proposal MTLGateway-PSK dh-group group2
set security ike proposal MTLGateway-PSK authentication-algorithm sha1
set security ike proposal MTLGateway-PSK encryption-algorithm des-cbc
set security ike proposal MTLGateway-PSK lifetime-seconds 86400

Then the IKE policy, which ties the proposal to the pre-shared key. Aggressive mode is what Junos needs for an IKEv1 peer on a dynamic IP that authenticates with a pre-shared key, but it sends the peer identity and a hash derived from the PSK in the clear, where it can be captured and brute-forced offline. So the key needs to be long and random, not a dictionary word.


set security ike policy MTL-Gateway-PSK mode aggressive
set security ike policy MTL-Gateway-PSK proposals MTLGateway-PSK
set security ike policy MTL-Gateway-PSK pre-shared-key ascii-text mysecretkey

(The pre-shared key must be the same as on the other side.)

Then the gateway. Note that we use “dynamic hostname” here: this sets it up for a peer on a dynamic IP using pre-shared keys, identified by hostname rather than by address. The other side must present that same hostname as its IKE identity; more on this in another post.


set security ike gateway MTL-Gateway-PSK ike-policy MTL-Gateway-PSK
set security ike gateway MTL-Gateway-PSK dynamic hostname mtlgateway
set security ike gateway MTL-Gateway-PSK dead-peer-detection interval 60
set security ike gateway MTL-Gateway-PSK dead-peer-detection threshold 2
set security ike gateway MTL-Gateway-PSK external-interface vlan.0

Now for the IPsec guts. First the IPsec policy; I reused this one for all my IPsec tunnels. The “standard” proposal set is the built-in pair of ESP proposals using 3DES or AES-128 with SHA-1, and PFS here is again group 2. Defining an explicit IPsec proposal with aes-256-cbc and hmac-sha-256-128, and PFS with group14, is the stronger choice if the far end supports it.


set security ipsec policy MTLGateway-VPN perfect-forward-secrecy keys group2
set security ipsec policy MTLGateway-VPN proposal-set standard

And now the VPN object itself, which binds everything to st0.0. vpn-monitor pings the far end of the tunnel (10.3.43.2) so the SA is marked down and renegotiated if the peer goes silent. The proxy identities must mirror the other side's (our local is their remote and vice versa), otherwise phase 2 will not come up.


set security ipsec vpn MTLGateway-VPN bind-interface st0.0
set security ipsec vpn MTLGateway-VPN vpn-monitor optimized
set security ipsec vpn MTLGateway-VPN vpn-monitor source-interface st0
set security ipsec vpn MTLGateway-VPN vpn-monitor destination-ip 10.3.43.2
set security ipsec vpn MTLGateway-VPN ike gateway MTL-Gateway-PSK
set security ipsec vpn MTLGateway-VPN ike proxy-identity local 10.3.45.0/24
set security ipsec vpn MTLGateway-VPN ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn MTLGateway-VPN ike proxy-identity service any
set security ipsec vpn MTLGateway-VPN ike ipsec-policy MTLGateway-VPN
set security ipsec vpn MTLGateway-VPN establish-tunnels immediately

Finally, routing: for the 192.168.1.0/24 subnet the next hop is the remote box's tunnel endpoint address, 10.3.43.2. Easy.


set routing-options static route 192.168.1.0/24 next-hop 10.3.43.2
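The weak-setting caveats above (DES-CBC, SHA-1 and group 2 in the IKE proposal, the stray traceoptions line, aggressive mode, group 2 PFS with the “standard” proposal set, and system-services all on the tunnel zone) are the kind of thing worth checking mechanically before a config is committed. The linter below is an added example written for this post; it is not the author's tooling and not a Juniper tool. It parses plain “set” lines, flags those settings, and where the fix is a one-for-one keyword swap it emits the corrected line; the replacement keywords (aes-256-cbc, sha-256, group14) are valid Junos values, and the sample input is constructed from this post's own config lines.

```python
"""Lint Junos 'set'-style IKE/IPsec configuration for weak or risky settings.

Added example, not the post author's or Juniper's code. Findings with a
suggested line can be applied mechanically; the rest need a design decision.
"""
from collections import namedtuple

# Constructed sample: the head-office config lines from this post.
SAMPLE_CONFIG = """\
set security ike traceoptions flag routing-socket
set security ike proposal MTLGateway-PSK authentication-method pre-shared-keys
set security ike proposal MTLGateway-PSK dh-group group2
set security ike proposal MTLGateway-PSK authentication-algorithm sha1
set security ike proposal MTLGateway-PSK encryption-algorithm des-cbc
set security ike proposal MTLGateway-PSK lifetime-seconds 86400
set security ike policy MTL-Gateway-PSK mode aggressive
set security ipsec policy MTLGateway-VPN perfect-forward-secrecy keys group2
set security ipsec policy MTLGateway-VPN proposal-set standard
set security zones security-zone IPSECVPN host-inbound-traffic system-services all
"""

# line number, original line, why it was flagged, corrected line (None = fix by hand)
Finding = namedtuple("Finding", "line original reason suggested")

# keyword -> {weak value: (reason, Junos replacement keyword)}
WEAK = {
    "encryption-algorithm": {
        "des-cbc": ("single DES, 56-bit key", "aes-256-cbc"),
        "3des-cbc": ("3DES, 64-bit block cipher, deprecated", "aes-256-cbc"),
    },
    "authentication-algorithm": {
        "md5": ("MD5", "sha-256"),
        "sha1": ("SHA-1", "sha-256"),
    },
    "dh-group": {
        "group1": ("768-bit MODP", "group14"),
        "group2": ("1024-bit MODP", "group14"),
        "group5": ("1536-bit MODP", "group14"),
    },
}


def lint_line(line_no, line):
    """Return a Finding for one 'set ...' line, or None if nothing is flagged."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "set":
        return None
    # A leaf 'set' statement ends in a keyword/value pair; everything between is the path.
    path, key, value = tokens[1:-2], tokens[-2], tokens[-1]

    def swap(new_value):
        return " ".join(tokens[:-1] + [new_value])

    if path[:3] == ["security", "ike", "traceoptions"]:
        return Finding(line_no, line, "IKE tracing is a debug setting; remove it from the running config", None)
    if path[:3] == ["security", "ike", "proposal"] and value in WEAK.get(key, {}):
        reason, new = WEAK[key][value]
        return Finding(line_no, line, f"{key} {value}: {reason}", swap(new))
    if path[:3] == ["security", "ike", "policy"] and key == "mode" and value == "aggressive":
        return Finding(line_no, line,
                       "aggressive mode sends the identity and a PSK-derived hash in the clear "
                       "(offline PSK guessing); IKEv1 dynamic PSK peers need it, so use a long "
                       "random PSK or move to certificates", None)
    if path[:3] == ["security", "ipsec", "policy"]:
        if key == "keys" and "perfect-forward-secrecy" in path and value in WEAK["dh-group"]:
            reason, new = WEAK["dh-group"][value]
            return Finding(line_no, line, f"PFS {value}: {reason}", swap(new))
        if key == "proposal-set" and value in ("basic", "compatible", "standard"):
            return Finding(line_no, line,
                           f"built-in proposal-set {value} offers only DES/3DES/AES-128 with "
                           "MD5/SHA-1; define an explicit ESP proposal (aes-256-cbc, "
                           "hmac-sha-256-128) instead", None)
    if "host-inbound-traffic" in path and key == "system-services" and value == "all":
        return Finding(line_no, line,
                       "zone accepts every management service from the tunnel; list only what "
                       "the remote sites need (e.g. ping)", None)
    return None


def lint(config_text):
    """Lint a whole config; returns findings in line order."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        found = lint_line(n, line.strip())
        if found:
            findings.append(found)
    return findings


def harden(config_text):
    """Apply the mechanical fixes: swap weak keywords and drop traceoptions lines.
    Lines that need a design decision are kept unchanged for manual review."""
    out = []
    for n, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        found = lint_line(n, line)
        if found is None:
            out.append(line)
        elif found.suggested is not None:
            out.append(found.suggested)
        elif "traceoptions" in line:
            continue  # debug tracing is dropped entirely
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for found in lint(SAMPLE_CONFIG):
        print(f"line {found.line}: {found.reason}")
        if found.suggested:
            print(f"  -> {found.suggested}")
    print("\n# hardened config:\n" + harden(SAMPLE_CONFIG))
```

Run it against a “show configuration | display set” dump saved to a file (or paste the lines into SAMPLE_CONFIG). Only the three algorithm swaps and the traceoptions removal are applied automatically; aggressive mode, the proposal set and the zone services are reported but left alone, because changing them has to be coordinated with the other end of the tunnel.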
