This article is a detailed guide to creating and verifying the configuration for a route-based site-to-site VPN on Juniper SRX firewalls. VPN troubleshooting will be covered in a separate article.
Concept
A route-based site-to-site VPN requires a secure tunnel interface (st0) to be created. The IPsec VPN is bound to that tunnel interface, while the IKE gateway is bound to the external interface where the VPN traffic is terminated. Interesting traffic (the traffic you want encrypted) is then routed through the secure tunnel interface. For simplicity, I am using static routing in this article. Using zone-based security policies, you can restrict (permit or deny) the traffic passing over the VPN.
Example
In this article, I am demonstrating the VPN configuration for the following requirements between two Juniper SRX firewalls. Refer to the above-mentioned diagram as well.
Local Network – 172.16.59.0/24
Remote Network – 172.16.112.0/24
Phase 1 parameters: pre-shared keys, DH group 2, SHA-1, AES-128, lifetime 86400 seconds, main mode.
Phase 2 parameters: ESP, HMAC-SHA1, AES-128, lifetime 3600 seconds
Configuration
Interface and Zone configuration
set interfaces st0 unit 0 family inet address 10.10.10.10/24
set security zones security-zone OUTSIDE host-inbound-traffic system-services ike
set security zones security-zone VPN-REMOTE_FW interfaces st0.0
Static Route configuration
set routing-options static route 172.16.112.0/24 next-hop st0.0
Address-book configuration
set security address-book global address 172.16.59.0/24 172.16.59.0/24
set security address-book global address 172.16.112.0/24 172.16.112.0/24
set security address-book global address-set VPN-REMOTE_FW address 172.16.112.0/24
IKE Phase 1 configuration
set security ike proposal PRE-GR2-SHA1-AES128 authentication-method pre-shared-keys
set security ike proposal PRE-GR2-SHA1-AES128 dh-group group2
set security ike proposal PRE-GR2-SHA1-AES128 authentication-algorithm sha1
set security ike proposal PRE-GR2-SHA1-AES128 encryption-algorithm aes-128-cbc
set security ike proposal PRE-GR2-SHA1-AES128 lifetime-seconds 86400
!
set security ike policy IKE-POL-VPN-REMOTE_FW mode main
set security ike policy IKE-POL-VPN-REMOTE_FW proposals PRE-GR2-SHA1-AES128
set security ike policy IKE-POL-VPN-REMOTE_FW pre-shared-key ascii-text <pre-share-key>
!
set security ike gateway GW-VPN-REMOTE_FW external-interface reth0.0
set security ike gateway GW-VPN-REMOTE_FW ike-policy IKE-POL-VPN-REMOTE_FW
set security ike gateway GW-VPN-REMOTE_FW address <Peer IP>
NOTE: There is an order of operation for this configuration: an IKE gateway requires an IKE policy, and an IKE policy requires an IKE proposal.
IKE Phase 2 configuration
set security ipsec proposal ESP-SHA-AES128 protocol esp
set security ipsec proposal ESP-SHA-AES128 authentication-algorithm hmac-sha1-96
set security ipsec proposal ESP-SHA-AES128 encryption-algorithm aes-128-cbc
set security ipsec proposal ESP-SHA-AES128 lifetime-seconds 3600
!
set security ipsec policy IPSEC-POL-VPN-REMOTE_FW proposals ESP-SHA-AES128
set security ipsec policy IPSEC-POL-VPN-REMOTE_FW perfect-forward-secrecy keys group2
!
set security ipsec vpn VPN-REMOTE_FW ike gateway GW-VPN-REMOTE_FW
set security ipsec vpn VPN-REMOTE_FW ike ipsec-policy IPSEC-POL-VPN-REMOTE_FW
set security ipsec vpn VPN-REMOTE_FW bind-interface st0.0
NOTE: There is an order of operation for this configuration: an IPsec VPN requires an IKE gateway and an IPsec policy, and an IPsec policy requires an IPsec proposal.
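The two order-of-operation notes above are really referential-integrity rules: every name one object points at must already be defined. The following Python script is an added example, not from the original article or from Juniper. It parses Junos "set" commands, builds the objects, and reports any dangling reference between IKE proposals, IKE policies, IKE gateways, IPsec proposals, IPsec policies, the IPsec VPN, the security zone holding st0.0 and the static route pointing at it. The embedded sample configuration is a constructed subset of the configuration on this page; the peer address 203.0.113.1 is a documentation-range placeholder standing in for <Peer IP>.

```python
"""Referential-integrity check for Junos SRX route-based VPN 'set' commands.

Added example, not from the original article or from Juniper. It encodes the
order-of-operations notes as checks: an IKE gateway needs an existing IKE
policy, which needs an existing IKE proposal; an IPsec VPN needs an existing
IKE gateway and IPsec policy, which needs an IPsec proposal; and the VPN's
bind-interface must sit in a security zone and carry the static route.
"""
from collections import defaultdict

# Configuration prefixes (tokens after 'set') that are followed by an object name.
OBJECT_PREFIXES = {
    ("security", "ike", "proposal"): "ike proposal",
    ("security", "ike", "policy"): "ike policy",
    ("security", "ike", "gateway"): "ike gateway",
    ("security", "ipsec", "proposal"): "ipsec proposal",
    ("security", "ipsec", "policy"): "ipsec policy",
    ("security", "ipsec", "vpn"): "ipsec vpn",
    ("security", "zones", "security-zone"): "zone",
    ("routing-options", "static", "route"): "static route",
}


def parse_set_config(text):
    """Map (kind, name) -> {attribute: [values]} from 'set ...' lines."""
    objs = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "set":
            continue
        tok = tok[1:]
        for prefix, kind in OBJECT_PREFIXES.items():
            n = len(prefix)
            if tuple(tok[:n]) == prefix and len(tok) > n:
                obj, rest = objs[(kind, tok[n])], tok[n + 1:]
                # Attribute is everything but the last token; the last token is its value.
                if len(rest) >= 2:
                    obj[" ".join(rest[:-1])].append(rest[-1])
                elif rest:
                    obj.setdefault(rest[0], [])  # flag-style knob, e.g. dead-peer-detection
                break
    return objs


def check_vpn_references(objs):
    """Return dangling references as strings; an empty list means the config is consistent."""
    problems = []

    def defined(kind):
        return {name for (k, name) in objs if k == kind}

    def require(kind, name, ref_kind, values):
        for v in values:
            if v not in defined(ref_kind):
                problems.append(f"{kind} {name}: {ref_kind} '{v}' is not defined")

    zone_ifaces = {i for (k, _), a in objs.items() if k == "zone" for i in a.get("interfaces", [])}
    bound_ifaces = set()
    for (kind, name), attrs in objs.items():
        if kind == "ike policy":
            require(kind, name, "ike proposal", attrs.get("proposals", []))
        elif kind == "ike gateway":
            require(kind, name, "ike policy", attrs.get("ike-policy", []))
        elif kind == "ipsec policy":
            require(kind, name, "ipsec proposal", attrs.get("proposals", []))
        elif kind == "ipsec vpn":
            require(kind, name, "ike gateway", attrs.get("ike gateway", []))
            require(kind, name, "ipsec policy", attrs.get("ike ipsec-policy", []))
            for iface in attrs.get("bind-interface", []):
                bound_ifaces.add(iface)
                if iface not in zone_ifaces:
                    problems.append(f"{kind} {name}: bind-interface {iface} is not in any security zone")
    for (kind, name), attrs in objs.items():
        if kind == "static route":
            for nh in attrs.get("next-hop", []):
                if nh.startswith("st0.") and nh not in bound_ifaces:
                    problems.append(f"static route {name}: next-hop {nh} is not bound to any ipsec vpn")
    return problems


def check_text(text):
    """Parse and check in one step."""
    return check_vpn_references(parse_set_config(text))


# Constructed sample: the article's objects, trimmed, with a documentation-range peer address.
SAMPLE_CONFIG = """\
set security zones security-zone OUTSIDE host-inbound-traffic system-services ike
set security zones security-zone VPN-REMOTE_FW interfaces st0.0
set routing-options static route 172.16.112.0/24 next-hop st0.0
set security ike proposal PRE-GR2-SHA1-AES128 authentication-method pre-shared-keys
set security ike policy IKE-POL-VPN-REMOTE_FW mode main
set security ike policy IKE-POL-VPN-REMOTE_FW proposals PRE-GR2-SHA1-AES128
set security ike gateway GW-VPN-REMOTE_FW external-interface reth0.0
set security ike gateway GW-VPN-REMOTE_FW ike-policy IKE-POL-VPN-REMOTE_FW
set security ike gateway GW-VPN-REMOTE_FW address 203.0.113.1
set security ipsec proposal ESP-SHA-AES128 protocol esp
set security ipsec policy IPSEC-POL-VPN-REMOTE_FW proposals ESP-SHA-AES128
set security ipsec vpn VPN-REMOTE_FW ike gateway GW-VPN-REMOTE_FW
set security ipsec vpn VPN-REMOTE_FW ike ipsec-policy IPSEC-POL-VPN-REMOTE_FW
set security ipsec vpn VPN-REMOTE_FW bind-interface st0.0
"""

if __name__ == "__main__":
    print(check_text(SAMPLE_CONFIG) or "OK: every IKE/IPsec reference resolves")
    # Drop the IPsec policy and the check reports what a commit would reject.
    without_policy = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if "ipsec policy IPSEC-POL" not in l)
    print(check_text(without_policy))
```

Run it against a config exported with "show configuration | display set" before pasting into the device: the device's commit check will catch the same dangling references, but the script tells you which note you skipped without locking the candidate configuration.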
Security Policies configuration
set security policies from-zone INSIDE to-zone VPN-REMOTE_FW policy VPN-INSIDE-REMOTE_FW match source-address 172.16.59.0/24
set security policies from-zone INSIDE to-zone VPN-REMOTE_FW policy VPN-INSIDE-REMOTE_FW match destination-address VPN-REMOTE_FW
set security policies from-zone INSIDE to-zone VPN-REMOTE_FW policy VPN-INSIDE-REMOTE_FW match application any
set security policies from-zone INSIDE to-zone VPN-REMOTE_FW policy VPN-INSIDE-REMOTE_FW then permit
!
set security policies from-zone VPN-REMOTE_FW to-zone INSIDE policy VPN-REMOTE_FW-INSIDE match source-address VPN-REMOTE_FW
set security policies from-zone VPN-REMOTE_FW to-zone INSIDE policy VPN-REMOTE_FW-INSIDE match destination-address 172.16.59.0/24
set security policies from-zone VPN-REMOTE_FW to-zone INSIDE policy VPN-REMOTE_FW-INSIDE match application any
set security policies from-zone VPN-REMOTE_FW to-zone INSIDE policy VPN-REMOTE_FW-INSIDE then permit
Optional configuration
# To limit the MTU size on a secure tunnel interface
set interfaces st0 unit 0 family inet mtu 1436
# To enable the DPD or dead peer detection on an IKE gateway
set security ike gateway GW-VPN-REMOTE_FW dead-peer-detection
# To clear the Don't Fragment (DF) bit on the outer packet
set security ipsec vpn VPN-REMOTE_FW df-bit clear
# To limit the TCP MSS for traffic entering the IPsec VPN
set security flow tcp-mss ipsec-vpn mss 1350
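The MTU and TCP MSS knobs above exist because ESP tunnel mode adds a fixed amount of overhead to every packet, and a packet that grows past the physical MTU is either fragmented or dropped. The following Python is an added example, not from the original article or from Juniper; it works out the encapsulated size for the phase 2 suite on this page (ESP, AES-128-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV) and assumes IPv4 without options, tunnel mode and, unless asked otherwise, no NAT traversal. It shows that the page's st0 MTU of 1436 and MSS of 1350 both fit inside a 1500-byte outer MTU.

```python
"""ESP tunnel-mode size arithmetic behind the st0 MTU and tcp-mss settings.

Added example, not from the original article or from Juniper. Constants follow
the ESP packet format (SPI, sequence number, IV, payload, padding, pad length,
next header, ICV) for the page's proposal: AES-128-CBC with HMAC-SHA1-96.
"""
OUTER_IP = 20      # new IPv4 header added in tunnel mode (no options assumed)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
AES_CBC_IV = 16    # explicit IV, one AES block
AES_BLOCK = 16     # CBC pads payload + trailer to a multiple of this
ESP_TRAILER = 2    # pad-length (1) + next-header (1)
SHA1_96_ICV = 12   # truncated HMAC-SHA1 integrity check value
NAT_T_UDP = 8      # UDP header added when the peers negotiate NAT traversal


def esp_tunnel_size(inner_len, nat_t=False):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after ESP encapsulation."""
    body = inner_len + ESP_TRAILER
    padding = (-body) % AES_BLOCK          # bytes needed to reach the next cipher block
    size = OUTER_IP + ESP_HEADER + AES_CBC_IV + body + padding + SHA1_96_ICV
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_mtu(outer_mtu=1500, nat_t=False):
    """Largest inner packet that still fits the physical MTU without fragmentation."""
    inner = outer_mtu
    while esp_tunnel_size(inner, nat_t) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """TCP MSS that fits an inner packet of inner_mtu bytes (inner IPv4 + TCP headers removed)."""
    return inner_mtu - 20 - 20


if __name__ == "__main__":
    print("st0 MTU 1436 -> on the wire:", esp_tunnel_size(1436))   # fits under 1500
    print("largest inner MTU on a 1500-byte link:", max_inner_mtu())
    print("same link behind NAT-T:", max_inner_mtu(nat_t=True))
    print("MSS 1350 -> TCP packet 1390 -> on the wire:", esp_tunnel_size(1350 + 40))
```

The padding term is why the largest fitting inner size is not simply 1500 minus a constant: the payload plus two trailer bytes is rounded up to the next 16-byte block, so sizes just past a block boundary cost a full extra block. An MSS of 1350 leaves headroom for that rounding and for the eight bytes NAT traversal adds.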
Output
Interface and Zone output
user@host# show interfaces st0
unit 0 {
    family inet {
        address 10.10.10.10/24;
    }
}
user@host# show security zones security-zone OUTSIDE
host-inbound-traffic {
    system-services {
        ping;
        ike;
    }
}
interfaces {
    reth0.0;
}
user@host# show security zones security-zone VPN-REMOTE_FW
interfaces {
    st0.0;
}
Static Route output
user@host# show routing-options
static {
    route 172.16.112.0/24 next-hop st0.0;
}
Address-book output
user@host# show security address-book global
address 172.16.59.0/24 172.16.59.0/24;
address 172.16.112.0/24 172.16.112.0/24;
address-set VPN-REMOTE_FW {
    address 172.16.112.0/24;
}
IKE Phase 1 output
user@host# show security ike
proposal PRE-GR2-SHA1-AES128 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy IKE-POL-VPN-REMOTE_FW {
    mode main;
    proposals PRE-GR2-SHA1-AES128;
    pre-shared-key ascii-text "<pre-share-key hash>"; ## SECRET-DATA
}
gateway GW-VPN-REMOTE_FW {
    ike-policy IKE-POL-VPN-REMOTE_FW;
    address <Peer IP>;
    external-interface reth0.0;
}
IKE Phase 2 output
user@host# show security ipsec
proposal ESP-SHA-AES128 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IPSEC-POL-VPN-REMOTE_FW {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ESP-SHA-AES128;
}
vpn VPN-REMOTE_FW {
    bind-interface st0.0;
    ike {
        gateway GW-VPN-REMOTE_FW;
        ipsec-policy IPSEC-POL-VPN-REMOTE_FW;
    }
}
Security Policies output
user@host# show security policies from-zone INSIDE to-zone VPN-REMOTE_FW
policy VPN-INSIDE-REMOTE_FW {
    match {
        source-address 172.16.59.0/24;
        destination-address VPN-REMOTE_FW;
        application any;
    }
    then {
        permit;
    }
}
user@host# show security policies from-zone VPN-REMOTE_FW to-zone INSIDE
policy VPN-REMOTE_FW-INSIDE {
    match {
        source-address VPN-REMOTE_FW;
        destination-address 172.16.59.0/24;
        application any;
    }
    then {
        permit;
    }
}
I hope you enjoyed this article. Please feel free to leave a comment or feedback.