[POC] Juniper SRX IPSec tunnel (Aggressive mode) SOP configuration

To prepare for the future migration from Juniper SSG to SRX, I tried the SRX GUI to see how easy it would be for the operations team to maintain it.

This is the first time I have used a GUI to manage a router, and if you are not familiar with Juniper SRX features and functions, I have to say the web interface is a quick way to get an overview of the SRX.

Many junior engineers will pick up a new technology quickly if they have a what-you-see-is-what-you-get interface; without one, they may refuse to try or learn it unless there is time pressure or a direct instruction from senior management.

We still use the CLI to control most routing and switching devices today, but I believe that may change once network virtualization becomes reality. (I think nobody really wants to manage a firewall by CLI, do they?)


The Juniper SRX provides wizards for common, configuration-heavy features such as PPPoE, firewall, VPN and NAT. It is important for new Juniper customers to be able to do these jobs quickly without JUNOS knowledge, and that is why I want to find out whether the SRX can be managed as a VPN device by GUI alone.

Another benefit of the GUI is QoS visibility. If you are a JUNOS user, you will know that Juniper QoS is a little difficult to understand, and that it takes some effort to inspect class of service from the command line.

If you want to see whether JUNOS CoS is running correctly on your SRX, log in to the SRX by web and you may be surprised by the Class of Service dashboard in the GUI. (I spent a lot of time finding the interface CoS MIB for each class; now here it is: you can check class of service per interface, CoS values, RED profiles...). It's great!

Another advantage: many Juniper users would like something similar to Cisco IP SLA. Juniper has a comparable feature called RPM (Real-time Performance Monitoring), but many people never used it because there was no good network management tool to collect the data and present graphical statistics. Now you can use the embedded J-Web to see long-term status monitoring, as below. You can configure RPM directly without any JUNOS knowledge and see the results later.



Today I will use the site-to-site IPSec VPN wizard to walk through the steps and the mandatory fields of the related configuration.

1. Below is the first screenshot of the VPN wizard; it is very clear and simple. Just select which VPN type you would like to set up.



2. In this step, fill in the VPN name, zone, tunnel interface (st0.X) and the outbound physical interface. (In my case, I place all tunnel interfaces in the trust zone and the Internet-facing interface in the untrust zone.)

3. In this step, fill in the remote side's public Internet IP for the VPN. (In my case this is a lab, so I still use private IPs for the SRX interconnection.)

For the Local/Remote Network, the wizard adds static routes so that your VPN sites can reach each other once the wizard completes. If you run your own dynamic routing protocol, I suggest removing those static routes manually after finishing the wizard.

4. In the IPSec VPN configuration, you need to keep the same security level and policy for the IKE and IPSec negotiation phases. In this wizard you can simply select a pre-defined policy if you have no special requirements. Of course, if you want a specific DH group, encryption algorithm or integrity check method, you can modify these parameters after the wizard has finished and committed.

5. In my case I allow all services between the VPN sites across this tunnel, so I keep the default setting of permit all.

6. The final step lists everything configured in the previous steps. If it looks okay, just press the Commit button and the configuration will be uploaded and committed immediately.



As you can see, only six steps are needed to set up your site-to-site IPSec VPN. It's quite easy, isn't it?

Don't forget that you need to log in to the other SRX and repeat the same procedure with the matching parameters to complete the site-to-site VPN.


Finally, I reviewed the wizard's configuration, removed what we don't need in our routine work, and produced a simple CLI version of the SOP for setting up a site-to-site IPSec VPN on the SRX, as below.
You can reuse my sample config and turn it into an SOP for your network operators.

PS1: I chose aggressive mode to cope with the frequent network changes at the branch office.
PS2: I removed all static routes and the source/destination-prefix security policies.


SJDC Site:
set system host-name SJDC-VPN
set interfaces st0.0 family inet address X.X.X.X/30 => SJDC side tunnel IP
set security zones security-zone trust interfaces st0.0
set security ike policy ike_pol_SJDC-ADC mode aggressive
set security ike policy ike_pol_SJDC-ADC proposal-set compatible
set security ike policy ike_pol_SJDC-ADC pre-shared-key ascii-text trend
set security ike gateway gw_SJDC-ADC ike-policy ike_pol_SJDC-ADC
set security ike gateway gw_SJDC-ADC dynamic hostname ADC-VPN => ADC VPN hostname
set security ike gateway gw_SJDC-ADC dead-peer-detection
set security ike gateway gw_SJDC-ADC external-interface fe-0/0/0.0 => Internet facing interface
set security ipsec policy ipsec_pol_SJDC-ADC perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_SJDC-ADC proposal-set compatible
set security ipsec vpn SJDC-ADC bind-interface st0.0
set security ipsec vpn SJDC-ADC vpn-monitor
set security ipsec vpn SJDC-ADC ike gateway gw_SJDC-ADC
set security ipsec vpn SJDC-ADC ike ipsec-policy ipsec_pol_SJDC-ADC
set security ipsec vpn SJDC-ADC establish-tunnels immediately
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services traceroute

ADC Site:
set system host-name ADC-VPN
set interfaces st0.0 family inet address X.X.X.X/30 => ADC side tunnel IP
set security zones security-zone trust interfaces st0.0
set security ike policy ike_pol_ADC-SJDC mode aggressive
set security ike policy ike_pol_ADC-SJDC proposal-set compatible
set security ike policy ike_pol_ADC-SJDC pre-shared-key ascii-text trend
set security ike gateway gw_ADC-SJDC ike-policy ike_pol_ADC-SJDC
set security ike gateway gw_ADC-SJDC address X.X.X.X => SJDC side IP
set security ike gateway gw_ADC-SJDC local-identity hostname ADC-VPN => ADC VPN hostname
set security ike gateway gw_ADC-SJDC dead-peer-detection
set security ike gateway gw_ADC-SJDC external-interface fe-0/0/0.0 => Internet facing interface
set security ipsec policy ipsec_pol_ADC-SJDC perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_ADC-SJDC proposal-set compatible
set security ipsec vpn ADC-SJDC bind-interface st0.0
set security ipsec vpn ADC-SJDC vpn-monitor
set security ipsec vpn ADC-SJDC ike gateway gw_ADC-SJDC
set security ipsec vpn ADC-SJDC ike ipsec-policy ipsec_pol_ADC-SJDC
set security ipsec vpn ADC-SJDC establish-tunnels immediately
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services traceroute
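The two SOP blocks have to agree on every parameter the peers negotiate, and in aggressive mode the "dynamic hostname" on the SJDC side must match the "local-identity hostname" on the ADC side. The following Python script is an added example (not part of the original SOP or any Juniper tool) that parses set-command blocks in the format above and reports mismatches plus a weak pre-shared key; the excerpts it checks are constructed from the SOP, and the 20-character key threshold is an assumed local policy.

```python
import re
# Constructed excerpts of the two SOP blocks above; the "=> note" annotations are the
# author's, not JUNOS syntax, and are stripped before matching.
SJDC = """\
set security ike policy ike_pol_SJDC-ADC mode aggressive
set security ike policy ike_pol_SJDC-ADC proposal-set compatible
set security ike policy ike_pol_SJDC-ADC pre-shared-key ascii-text trend
set security ike gateway gw_SJDC-ADC dynamic hostname ADC-VPN => ADC VPN hostname
set security ipsec policy ipsec_pol_SJDC-ADC perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_SJDC-ADC proposal-set compatible
"""
ADC = """\
set security ike policy ike_pol_ADC-SJDC mode aggressive
set security ike policy ike_pol_ADC-SJDC proposal-set compatible
set security ike policy ike_pol_ADC-SJDC pre-shared-key ascii-text trend
set security ike gateway gw_ADC-SJDC address X.X.X.X => SJDC side IP
set security ike gateway gw_ADC-SJDC local-identity hostname ADC-VPN => ADC VPN hostname
set security ipsec policy ipsec_pol_ADC-SJDC perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_ADC-SJDC proposal-set compatible
"""

def value(conf, pattern):
    """First capture of `pattern` over the set commands (annotations removed), or None."""
    cleaned = "\n".join(line.split("=>")[0].strip() for line in conf.splitlines())
    m = re.search(pattern, cleaned, re.MULTILINE)
    return m.group(1) if m else None

def check_pair(static_side, dynamic_side):
    """Compare what both tunnel ends must agree on; return a list of findings."""
    findings = []
    def both(label, pattern):
        a, b = value(static_side, pattern), value(dynamic_side, pattern)
        if a != b:
            findings.append(f"{label} mismatch: {a!r} vs {b!r}")
        return a
    mode = both("IKE mode", r"^set security ike policy \S+ mode (\S+)$")
    both("IKE proposal-set", r"^set security ike policy \S+ proposal-set (\S+)$")
    both("IPsec proposal-set", r"^set security ipsec policy \S+ proposal-set (\S+)$")
    both("PFS group", r"^set security ipsec policy \S+ perfect-forward-secrecy keys (\S+)$")
    psk = both("pre-shared key", r"^set security ike policy \S+ pre-shared-key ascii-text (\S+)$")
    # Aggressive mode, dynamic peer: 'dynamic hostname' here must equal the peer's local-identity.
    expected = value(static_side, r"^set security ike gateway \S+ dynamic hostname (\S+)$")
    sent = value(dynamic_side, r"^set security ike gateway \S+ local-identity hostname (\S+)$")
    if expected != sent:
        findings.append(f"IKE identity mismatch: expects {expected!r}, peer sends {sent!r}")
    # Aggressive mode sends the PSK-derived auth hash before encryption starts; 20 chars is an assumed minimum.
    if mode == "aggressive" and psk and len(psk) < 20:
        findings.append(f"weak pre-shared key for aggressive mode ({len(psk)} chars)")
    return findings
```

Run it against the full SJDC and ADC blocks before pasting them into the boxes; an empty list means the two sides agree.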

To make sure these configuration samples really work, I reset the SRX configuration (# load factory-default), pasted in the samples and updated all the interface IPs.

[edit]
root@ADC-VPN# run show interfaces st0.0 terse        
Interface               Admin Link Proto    Local                 Remote
st0.0                   up    up   inet     172.1.1.2/30  

[edit]

root@ADC-VPN# run show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4663556 UP     3be2bd0d72642302  12df6d0b8a84f2a3  Aggressive     10.1.1.1      

[edit]

root@ADC-VPN# run show security ipsec security-associations 
  Total active tunnels: 1
  ID       Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  < 131073 ESP:3des/sha1 4c82c912 1964/ unlim   U   root 500   10.1.1.1        
  > 131073 ESP:3des/sha1 77f4b2d0 1964/ unlim   U   root 500   10.1.1.1  

[edit]

root@ADC-VPN# run show security ipsec security-associations index 131073 
  Virtual-system: root
  Local Gateway: 10.1.1.2, Remote Gateway: 10.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Direction: inbound, SPI: 4c82c912, AUX-SPI: 0
                              , VPN Monitoring: UP
    Hard lifetime: Expires in 1240 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 606 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 77f4b2d0, AUX-SPI: 0
                              , VPN Monitoring: UP
    Hard lifetime: Expires in 1240 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 606 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

[edit]

root@ADC-VPN# run show security ipsec statistics index 131073   
ESP Statistics:
  Encrypted bytes:           147344
  Decrypted bytes:            90836
  Encrypted packets:           1084
  Decrypted packets:           1084
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

The State field shows the status of the phase 1 SA. The State can be either UP or DOWN.
The Mon field displays the link status as seen through the VPN Monitor feature.
Here are the possible values of the Mon field:
  • - : Hyphen means VPN Monitor is not configured
  • U : the VPN tunnel is active, and the link (detected through VPN Monitor) is UP
  • D : the VPN tunnel is active, but the link (detected through VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings. This could happen because the device being pinged is down or has ping disabled. It could also happen if the other side of the VPN is not a Juniper firewall.
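As an added example (not from the original post or from Juniper), this Python parser reads the "show security ipsec security-associations" table and turns the Mon column into operator alerts; the sample output is constructed in the format shown above and adds a second, hypothetical tunnel whose monitored link is down.

```python
# Constructed sample in the format of "show security ipsec security-associations"
# above: the page's 3des/sha1 tunnel plus a hypothetical tunnel with its link down.
SAMPLE = """\
  Total active tunnels: 2
  ID       Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  < 131073 ESP:3des/sha1 4c82c912 1964/ unlim   U   root 500   10.1.1.1
  > 131073 ESP:3des/sha1 77f4b2d0 1964/ unlim   U   root 500   10.1.1.1
  < 131074 ESP:aes-cbc-256/sha256 0a1b2c3d 3400/ unlim   D   root 500   10.1.1.9
  > 131074 ESP:aes-cbc-256/sha256 4e5f6071 3400/ unlim   D   root 500   10.1.1.9
"""

# Meaning of the Mon column, as explained above.
MON_MEANING = {
    "-": "VPN Monitor not configured",
    "U": "tunnel active, monitored link UP",
    "D": "tunnel active, monitored link DOWN (no reply to VPN Monitor pings)",
}

def parse_sas(output):
    """Return one dict per SA row ('<' inbound, '>' outbound); skip header lines."""
    sas = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] not in ("<", ">"):
            continue
        # Life:sec/kb may print as "1964/ unlim" (two tokens), so index the
        # fixed trailing columns from the right.
        sas.append({
            "direction": "inbound" if parts[0] == "<" else "outbound",
            "id": int(parts[1]),
            "algorithm": parts[2],
            "mon": parts[-4],
            "gateway": parts[-1],
        })
    return sas

def tunnel_alerts(output):
    """One line per tunnel (inbound row) that needs attention from the operator."""
    alerts = []
    for sa in parse_sas(output):
        if sa["direction"] != "inbound":
            continue
        where = f"tunnel {sa['id']} to {sa['gateway']}"
        if sa["mon"] in ("D", "-"):
            alerts.append(f"{where}: {MON_MEANING[sa['mon']]}")
        # proposal-set compatible negotiated 3DES above; flag it as legacy crypto.
        if sa["algorithm"].startswith("ESP:3des"):
            alerts.append(f"{where}: legacy 3DES negotiated, review the proposal-set")
    return alerts
```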
