EdgeRouter – Site-to-Site IPsec VPN to Juniper SRX

Network Diagram

ER-X

1. eth0 (WAN) – 203.0.113.1
2. eth1 (LAN) – 192.168.1.1/24

Juniper SRX

1. ge-0/0/0 (WAN) – 192.0.2.1
2. ge-0/0/1 (LAN) – 172.16.1.1/24

Steps: Policy-Based VPN

For the purpose of this article it is assumed that the routing and interface configuration is already in place and that reachability has been tested.

The UDP ports and protocols relevant to IPsec are:

1. UDP 500 (IKE)
2. ESP (Protocol 50)
3. UDP 4500 (NAT-T)

The type of VPN that will be created is called a Policy-Based VPN which uses remote and local subnets, otherwise known as proxy IDs. These values need to match exactly between the two peers and need to be mirrored images of each other. Only the prefixes defined in the proxy IDs will be carried over the tunnel. In the example ER has the 192.168.1.0/24 present on the LAN side, whereas the Juniper side uses 172.16.1.0/24.

The first part of the configuration focuses on the ER, afterwards the VPN will be set up on the SRX.

1. Enter configuration mode.

configure

2. Exclude IPsec traffic from NAT and allow the automatic creation of the firewall rules.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE proposal (P1) and Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256

4. Create the ESP proposal (P2) and Security Associations (SAs).

set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5

5. Define the peer address and the pre-shared-key (replace <secret> with your desired passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description IPsec

6. Define the local source address (public IP) of the Site-to-Site VPN connection.

set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

7. Link the IKE proposal to the Site-to-Site connection.

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0

8. Create a tunnel that defines the remote and local subnets (proxy IDs) and link the ESP proposal.

set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24

9. (Optional) Enable the IPsec offloading feature to increase ESP (not IKE) performance.

set system offload ipsec enable (this requires a reboot to become active)

10. Commit the changes.

commit

11. Save the configuration.

save

Steps: Juniper SRX VPN

Please make sure that the latest stable version of Junos is being used and that the device is capable of reaching the internet. The Juniper side of the Site-to-Site VPN connection is based on the following IPsec article: Configuring a Policy-Based VPN

1. Enter configuration mode.

configure

2. Link the interfaces to the relevant zones and allow IKE (UDP500) on the WAN interface.

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

3. Define the local and remote subnets as address ranges in an address book.

set security address-book global address remote 192.168.1.0/24
set security address-book global address local 172.16.1.0/24

4. Allow the IPsec traffic between the ‘untrust’ and ‘trust’ zones and link the address books.

set security policies from-zone trust to-zone untrust policy trust-to-ipsec match source-address local
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match destination-address remote
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match application any
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel ipsec-vpn IPsec
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel pair-policy ipsec-to-trust
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match source-address remote
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match destination-address local
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match application any
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel ipsec-vpn IPsec
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel pair-policy trust-to-ipsec

5. Make sure that the IPsec traffic policies are matched before the existing policy rules.

insert security policies from-zone trust to-zone untrust policy trust-to-ipsec before policy default-permit
insert security policies from-zone untrust to-zone trust policy ipsec-to-trust before policy default-deny

6. Exclude IPsec traffic from being translated in NAT.

set security nat source rule-set sourcenat from zone trust
set security nat source rule-set sourcenat to zone untrust

set security nat source rule-set sourcenat rule nat match source-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat match destination-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat then source-nat interface

set security nat source rule-set sourcenat rule ipsec match source-address-name local
set security nat source rule-set sourcenat rule ipsec match destination-address-name remote
set security nat source rule-set sourcenat rule ipsec then source-nat off

7. Make sure that the IPsec NAT exclusion rule is matched before the existing Source-NAT rule.

insert security nat source rule-set sourcenat rule ipsec before rule nat

8. Create the IKE proposal (IKEProposal) matching the defined SAs on the EdgeRouter.

set security ike proposal IKEProposal authentication-method pre-shared-keys
set security ike proposal IKEProposal dh-group group14
set security ike proposal IKEProposal authentication-algorithm sha-256
set security ike proposal IKEProposal encryption-algorithm aes-256-cbc
set security ike proposal IKEProposal lifetime-seconds 86400

9. Create the IKE policy (IKEPolicy) and link it to the IKE proposal (replace <secret> with your desired passphrase).

set security ike policy IKEPolicy mode main
set security ike policy IKEPolicy proposals IKEProposal
set security ike policy IKEPolicy pre-shared-key ascii-text <secret>

10. Create the IKE gateway (IKEGateway) and link it to the IKE policy.

set security ike gateway IKEGateway ike-policy IKEPolicy
set security ike gateway IKEGateway address 203.0.113.1
set security ike gateway IKEGateway external-interface ge-0/0/0
set security ike gateway IKEGateway local-address 192.0.2.1

11. Create the ESP proposal (ESPProposal) matching the defined SAs on the EdgeRouter.

set security ipsec proposal ESPProposal protocol esp
set security ipsec proposal ESPProposal authentication-algorithm hmac-md5-96
set security ipsec proposal ESPProposal encryption-algorithm aes-128-cbc
set security ipsec proposal ESPProposal lifetime-seconds 43200

12. Create the ESP policy (ESPPolicy) and link it to the ESP proposal.

set security ipsec policy ESPPolicy proposals ESPProposal

13. Create the VPN IPsec connection and link it to the IKE gateway and ESP policy.

set security ipsec vpn IPsec ike gateway IKEGateway
set security ipsec vpn IPsec ike ipsec-policy ESPPolicy

14. (Optional) Activate traceoptions for IKE to log messages for troubleshooting purposes.

set security ike traceoptions flag all
set security ike traceoptions file ike.log

15. Commit the changes.

commit

Steps: Testing & Verification

After configuring the IPsec VPN, verify the connection/state using the following commands.

1. Verify the IPsec Security Associations (SAs) and status on the ER:

show vpn ipsec sa
peer-192.0.2.1-tunnel-1: #1, ESTABLISHED, IKEv1, 184447c009d51f80:14cc0f13aff401c0
 local  '203.0.113.1' @ 203.0.113.1
 remote '192.0.2.1' @ 192.0.2.1
 AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 established 237s ago, reauth in 85347s
 peer-192.0.2.1-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_MD5_96
   installed 237 ago, rekeying in 41939s, expires in 42964s
   in  cb321982,    180 bytes,     3 packets,   231s ago
   out 5d4174b1,    180 bytes,     3 packets,   231s ago
   local  192.168.1.0/24
   remote 172.16.1.0/24 
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.14-UBNT, mips):
 uptime: 10 minutes, since Mar 12 09:05:48 2017
 malloc: sbrk 376832, mmap 0, used 269320, free 107512
 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
 Listening IP addresses:
 203.0.113.1
 192.168.1.1
Connections:
peer-192.0.2.1-tunnel-1:  203.0.113.1...192.0.2.1  IKEv1
peer-192.0.2.1-tunnel-1:   local:  [203.0.113.1] uses pre-shared key authentication
peer-192.0.2.1-tunnel-1:   remote: [192.0.2.1] uses pre-shared key authentication
peer-192.0.2.1-tunnel-1:   child:  192.168.1.0/24 === 172.16.1.0/24 TUNNEL
Routed Connections:
peer-192.0.2.1-tunnel-1{1}:  ROUTED, TUNNEL
peer-192.0.2.1-tunnel-1{1}:   192.168.1.0/24 === 172.16.1.0/24
Security Associations (1 up, 0 connecting):
peer-192.0.2.1-tunnel-1[1]: ESTABLISHED 5 minutes ago, 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
peer-192.0.2.1-tunnel-1[1]: IKEv1 SPIs: 184447c009d51f80_i* 14cc0f13aff401c0_r, pre-shared key reauthentication in 23 hours
peer-192.0.2.1-tunnel-1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
peer-192.0.2.1-tunnel-1{1}:  INSTALLED, TUNNEL, ESP SPIs: cb321982_i 5d4174b1_o
peer-192.0.2.1-tunnel-1{1}:  AES_CBC_128/HMAC_MD5_96, 180 bytes_i (3 pkts, 324s ago), 180 bytes_o (3 pkts, 324s ago)
peer-192.0.2.1-tunnel-1{1}:   192.168.1.0/24 === 172.16.1.0/24

2. Verify the ER IPsec strongSwan configuration:

sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl
config setup
conn %default
       keyexchange=ikev1
conn peer-192.0.2.1-tunnel-1
       left=203.0.113.1
       right=192.0.2.1
       leftsubnet=192.168.1.0/24
       rightsubnet=172.16.1.0/24
       ike=aes256-sha256-modp2048!
       keyexchange=ikev1
       ikelifetime=86400s
       esp=aes128-md5!
       keylife=43200s
       rekeymargin=540s
       type=tunnel
       compress=no
       authby=secret
       auto=route
       keyingtries=%forever
#conn peer-192.0.2.1-tunnel-1

3. Capture the arrival of IKE traffic on the ER external WAN interface:

sudo tcpdump -i eth0 -n udp dst port 500   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others R oakley-quick[E]

4. Capture the ER IPsec VPN logs:

sudo swanctl --log
[KNL] creating acquire job for policy 192.168.1.10/32[icmp/8] === 172.16.1.10/32[icmp/8] with reqid {1}
[IKE] initiating Main Mode IKE_SA peer-192.0.2.1-tunnel-1[1] to 192.0.2.1
[ENC] generating ID_PROT request 0 [ SA V V V V ]
[NET] sending packet: from 203.0.113.1[500] to 192.0.2.1[500] (160 bytes)
[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (108 bytes)
[ENC] parsed ID_PROT response 0 [ SA V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA peer-192.0.2.1-tunnel-1[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
[ENC] generating QUICK_MODE request 561157166 [ HASH SA No ID ID ]
[ENC] parsed QUICK_MODE response 561157166 [ HASH SA No ID ID N((24576)) ]
[IKE] CHILD_SA peer-192.0.2.1-tunnel-1{1} established with SPIs cb321982_i 5d4174b1_o and TS 192.168.1.0/24 === 172.16.1.0/24

5. Verify the IPsec Security Associations (SAs) and statistics on the SRX:

show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
697909  UP     9e9c73d889be2378  abbed46436bd025b  Main           203.0.113.1     

show security ike sa detail
IKE peer 203.0.113.1, Index 2264724, Gateway Name: IKEGateway
 Role: Responder, State: UP
 Initiator cookie: 091c0d059ea7afbe, Responder cookie: baf3c7ea2c2f5016
 Exchange type: Main, Authentication method: Pre-shared-keys
 Local: 192.0.2.1:500, Remote: 203.0.113.1:500
 Lifetime: Expires in 86206 seconds
 Peer ike-id: 203.0.113.1
 Xauth assigned IP: 0.0.0.0
 Algorithms:
  Authentication        : hmac-sha256-128
  Encryption            : aes256-cbc
  Pseudo random function: hmac-sha256
  Diffie-Hellman group  : DH-group-14
 Traffic statistics:
  Input  bytes  :                  928
  Output bytes  :                  788
  Input  packets:                    5
  Output packets:                    4
 Flags: IKE SA is created
 IPSec security associations: 1 created, 0 deleted
 Phase 2 negotiations in progress: 0
   Negotiation type: Quick mode, Role: Responder, Message ID: 0
   Local: 192.0.2.1:500, Remote: 203.0.113.1:500
   Local identity: 192.0.2.1           
   Remote identity: 203.0.113.1
   Flags: IKE SA is created

show security ipsec sa
 Total active tunnels: 1
 ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
 <2    ESP:aes-cbc-128/md5 14ce38b 42981/unlim -  root 500   203.0.113.1     
 >2    ESP:aes-cbc-128/md5 cf29ade9 42981/unlim - root 500   203.0.113.1

show security ipsec sa detail
 ID: 2 Virtual-system: root, VPN Name: IPsec
 Local Gateway: 192.0.2.1, Remote Gateway: 203.0.113.1
 Local Identity: ipv4_subnet(any:0,[0..7]=172.16.1.0/24)
 Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
 Version: IKEv1
   DF-bit: clear
   Policy-name: trust-to-ipsec
 Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600829
 Last Tunnel Down Reason: SA not initiated
   Direction: inbound, SPI: 14ce38b, AUX-SPI: 0
                             , VPN Monitoring: -
   Hard lifetime: Expires in 42965 seconds
   Lifesize Remaining:  Unlimited
   Soft lifetime: Expires in 42376 seconds
   Mode: Tunnel(0 0), Type: dynamic, State: installed
   Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
   Anti-replay service: counter-based enabled, Replay window size: 64 
   Direction: outbound, SPI: cf29ade9, AUX-SPI: 0
                             , VPN Monitoring: -
   Hard lifetime: Expires in 42965 seconds
   Lifesize Remaining:  Unlimited
   Soft lifetime: Expires in 42376 seconds
   Mode: Tunnel(0 0), Type: dynamic, State: installed
   Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
   Anti-replay service: counter-based enabled, Replay window size: 64 
show security ipsec statistics   
ESP Statistics:
 Encrypted bytes:              360
 Decrypted bytes:              180
 Encrypted packets:              3
 Decrypted packets:              3
AH Statistics:
 Input bytes:                    0
 Output bytes:                   0
 Input packets:                  0
 Output packets:                 0
Errors:
 AH authentication failures: 0, Replay errors: 0
 ESP authentication failures: 0, ESP decryption failures: 0
 Bad headers: 0, Bad trailers: 0

6. Verify the security policies on the SRX:

show security policies detail                                    
Policy: trust-to-ipsec, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
 Policy Type: Configured
 Sequence number: 1
 From zone: trust, To zone: untrust
 Source addresses:                     
   local(global): 172.16.1.0/24
 Destination addresses:
   remote(global): 192.168.1.0/24
 Application: any
   IP protocol: 0, ALG: 0, Inactivity timeout: 0
     Source port range: [0-0]
     Destination port range: [0-0]
 Per policy TCP Options: SYN check: No, SEQ check: No
 Tunnel: IPsec, Type: IPSec, Index: 2
   Pair policy: ipsec-to-trust
Policy: ipsec-to-trust, action-type: permit, State: enabled, Index: 7, Scope Policy: 0
 Policy Type: Configured
 Sequence number: 1
 From zone: untrust, To zone: trust
 Source addresses:
   remote(global): 192.168.1.0/24
 Destination addresses:
   local(global): 172.16.1.0/24
 Application: any
   IP protocol: 0, ALG: 0, Inactivity timeout: 0
     Source port range: [0-0]
     Destination port range: [0-0]
 Per policy TCP Options: SYN check: No, SEQ check: No
 Tunnel: IPsec, Type: IPSec, Index: 2
   Pair policy: trust-to-ipsec

7. Analyze the IKE logs (if captured with traceoptions) on the SRX:

file show /var/log/ike.log
Successfully added SA Config
iked_pm_ike_spd_notify_request: Sending Initial contact
ssh_ike_connect: Start, remote_name = 203.0.113.1:500, xchg = 2, flags = 00090000
ike_init_isakmp_sa: Start, remote = 203.0.113.1:500, initiator = 1
ike_find_pre_shared_key: Find pre shared key key for 192.0.2.1:500, id = No Id -> 203.0.113.1:500, id = No Id
ikev2_fb_qm_local_id: Using ipv4_subnet(any:0,[0..7]=172.16.1.0/24) as local QM identity
ikev2_fb_qm_remote_id: Using ipv4_subnet(any:0,[0..7]=192.168.1.0/24) as remote QM identity
ike_send_notify: Connected, SA = { 9e9c73d8 89be2378 - abbed464 36bd025b}, nego = -1
iked_pm_ike_sa_done: local:192.0.2.1, remote:203.0.113.1 IKEv1
IKE negotiation done for local:192.0.2.1, remote:203.0.113.1 IKEv1 with status: Error ok
Added (spi=0x86968a35, protocol=0) entry to the spi table
Added (spi=0x630753c, protocol=0) entry to the spi table
Added (spi=0x86968a35, protocol=ESP dst=192.0.2.1) entry to the peer hash table
Added (spi=0xcad56e88, protocol=ESP dst=203.0.113.1) entry to the peer hash table
Successfully added ipsec SA PAIR
IPSec  negotiation done successfully for SA-CFG IPsec for local:192.0.2.1, remote:203.0.113.1  IKEv1

8. Send traffic over the tunnel from Server1 to Host1 and vice versa:

ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=63 time=45.9 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=63 time=45.2 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=63 time=45.5 ms
ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.
64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=43.9 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=44.1 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=44.4 ms

Bài liên quan

Configure SYSLOG server for Juniper SRX

Configure Proxy ARP in Juniper SRX Gateway

Configure VRRP in Cisco IOS Router

Configure Private VLANs in Juniper Switch

Cấu hình EX8208 Virtual Chassis

Configure PAgP EtherChannel in Cisco IOS Switch

SRX HA Modes

Cấu hình Access-list (ACLs) trên thiết bị Cisco

Configure Policy Based Routing on Cisco Router

Understand Control plane vs Data Plane log differences on Juniper SRX

Configure Site to Site IPSec VPN Tunnel in Cisco IOS Router

Redistribute OSPF Route into BGP in Cisco IOS Router

Configure DHCP Server in Juniper SRX Device

Configure VRF in Cisco IOS Router

Configure Inter VLAN Routing in Cisco Router

Chassis Cluster Configuration on Juniper SRX-1500 firewalls

Configure Dynamic NAT in Cisco IOS Router

Juniper SRX High Availability Basics

Configure Dynamic Port Address Translations (PAT) in Cisco IOS Router

Kết nối EX8208 tới External Routing Engines XRE200

Understanding VLANs in Switching World

Configure LACP between Cisco and Juniper

Configure Link Aggregation Group in Junos

Run a packet capture on a Juniper SRX

Secure Spanning-tree on Cisco IOS switches

prev next