[POC] Juniper SRX IPSec tunnel (Aggressive mode) SOP configuration
Note: to make sure these configuration samples really work, I cleared the SRX configuration (load factory-default), then copied and pasted the samples and updated all the interface IPs; the status output at the end of this post is the result.
This is the first time I have tried to use a GUI to manage a router, and if you are not familiar with Juniper SRX features and functions, I have to say the web interface is a quick way to get an overview of the SRX.
For many junior engineers, a what-you-see-is-what-you-get interface lets them pick up new technology as fast as they can; without it, they may refuse to try or learn it unless there is time pressure or a direct instruction from senior management.
We still use the CLI to control most routing and switching devices today, but I believe that may change someday if network virtualization comes true. (I think nobody wants to control a firewall by CLI, right?)
Juniper SRX provides wizards for the common but tedious configuration features such as PPPoE, firewall, VPN and NAT. It is important for new Juniper customers to get these jobs done quickly without JUNOS knowledge, and that is why I am trying to find out whether an SRX can be managed as a VPN device by GUI only.
Another benefit of the GUI is QoS visibility. If you are a JUNOS user, you will have found that Juniper QoS is a little difficult to understand, and it is not obvious how to inspect class of service from the command line.
If you want to see whether JUNOS CoS is running correctly on your SRX, log in to the SRX by web and you may be surprised by the Class of Service dashboard in the GUI. (I spent a lot of time finding the per-class CoS MIB for each interface; here it is, where you can check the class of service on each interface, CoS values, RED profiles and so on.) It is great!
Another advantage: many Juniper users would like a feature similar to Cisco IP SLA. Juniper has one, called RPM (Real-time Performance Monitoring), but many people do not use it because there is no good network management tool to collect the data and present graphical statistics. Now you can leverage the embedded J-Web to see long-term status monitoring, as below. You can configure RPM directly without any JUNOS knowledge and see the results later.
Today I will use the site-to-site IPSec VPN wizard to walk through the steps and each mandatory field of the related configuration.
1. Below is the first screenshot of the VPN wizard; it is very clear and simple. Just select which VPN type you would like to set up.
2. In this step, fill in the VPN name, zone, tunnel interface (st0.X) and the outbound physical interface. (In my case, I trust all tunnel interfaces but untrust the Internet-facing interface.)
3. In this step, fill in the remote side's public Internet IP. (In my case this is a lab, so I still use private IPs for the SRX interconnection.)
For the Local/Remote Network fields, the wizard adds a static route so that your VPN sites can reach each other after the wizard finishes. If you run your own dynamic routing protocol, I suggest you clear that static route manually after the wizard completes.
4. In the IPSec VPN configuration, you need to keep the same security level and policy for the IKE and IPSec negotiation phases. In this wizard you can just select a pre-defined policy if you have no special requirements. Of course, if you want a particular DH group, encryption or integrity-check method, you can modify these parameters after the wizard has finished and committed.
5. In my case, I allow all services between the VPN sites across this tunnel, so I keep the default setting to permit all.
6. This is the final step. It lists all the configuration from the previous steps; if it is okay, just press the commit button and the wizard uploads the configuration and commits it immediately.
As you see, it takes only 6 steps to set up your site-to-site IPSec VPN! It's quite easy, isn't it?
Don't forget that you need to log in to the other SRX and repeat the procedure with the matching parameters to complete the site-to-site VPN.
Finally, I reviewed the wizard-generated configuration, cleaned up what we don't need in our routine job, and produced a simple CLI version of the SOP for setting up a site-to-site IPSec VPN on SRX, as below.
You can re-use my sample config and turn it into an SOP for your network operators.
PS1: I chose aggressive mode to cope with the frequent network changes at the branch office.
PS2: I removed all static routing and source/destination-prefix security policies.
SJDC Site:
set system host-name SJDC-VPN
set interfaces st0.0 family inet address X.X.X.X/30 => SJDC side tunnel IP
set security zones security-zone trust interfaces st0.0
set security ike policy ike_pol_SJDC-ADC mode aggressive
set security ike policy ike_pol_SJDC-ADC proposal-set compatible
set security ike policy ike_pol_SJDC-ADC pre-shared-key ascii-text trend
set security ike gateway gw_SJDC-ADC ike-policy ike_pol_SJDC-ADC
set security ike gateway gw_SJDC-ADC dynamic hostname ADC-VPN => ADC VPN hostname
set security ike gateway gw_SJDC-ADC dead-peer-detection
set security ike gateway gw_SJDC-ADC external-interface fe-0/0/0.0 => Internet facing interface
set security ipsec policy ipsec_pol_SJDC-ADC perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_SJDC-ADC proposal-set compatible
set security ipsec vpn SJDC-ADC bind-interface st0.0
set security ipsec vpn SJDC-ADC vpn-monitor
set security ipsec vpn SJDC-ADC ike gateway gw_SJDC-ADC
set security ipsec vpn SJDC-ADC ike ipsec-policy ipsec_pol_SJDC-ADC
set security ipsec vpn SJDC-ADC establish-tunnels immediately
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services traceroute
ADC Site:
set system host-name ADC-VPN
set interfaces st0.0 family inet address X.X.X.X/30 => ADC side tunnel IP
set security zones security-zone trust interfaces st0.0
set security ike policy ike_pol_ADC-SJDC mode aggressive
set security ike policy ike_pol_ADC-SJDC proposal-set compatible
set security ike policy ike_pol_ADC-SJDC pre-shared-key ascii-text trend
set security ike gateway gw_ADC-SJDC ike-policy ike_pol_ADC-SJDC
set security ike gateway gw_ADC-SJDC address X.X.X.X => SJDC side IP
set security ike gateway gw_ADC-SJDC local-identity hostname ADC-VPN => ADC VPN hostname
set security ike gateway gw_ADC-SJDC dead-peer-detection
set security ike gateway gw_ADC-SJDC external-interface fe-0/0/0.0 => Internet facing interface
set security ipsec policy ipsec_pol_ADC-SJDC perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_ADC-SJDC proposal-set compatible
set security ipsec vpn ADC-SJDC bind-interface st0.0
set security ipsec vpn ADC-SJDC vpn-monitor
set security ipsec vpn ADC-SJDC ike gateway gw_ADC-SJDC
set security ipsec vpn ADC-SJDC ike ipsec-policy ipsec_pol_ADC-SJDC
set security ipsec vpn ADC-SJDC establish-tunnels immediately
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services traceroute
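To keep both ends of the SOP above in sync, here is an added example (not from the original post) that renders the set commands for either SRX from a few parameters: a static peer address produces the ADC-style initiator lines, a peer hostname produces the SJDC-style responder lines. It assumes the naming scheme used above (ike_pol_, ipsec_pol_ and gw_ prefixes, st0.0); the IPs and PSK in the usage are constructed lab values. Unlike the SOP above it opens only the services you list on the Internet-facing interface (ike by default, since ssh, https, snmp, tftp and dhcp on an untrust interface should be trimmed to what is really needed) and it rejects a short pre-shared key like the sample one.

```python
# Added example (not from the original post): render the CLI SOP above for one SRX
# from a few parameters. Names, IPs and the PSK used by callers are constructed lab values.
def render_site(local, peer, tunnel_ip, ext_if, psk,
                peer_address=None, peer_hostname=None, inbound=("ike",)):
    """Return the 'set' commands for one end of the tunnel.
    peer_address  -> this side is the initiator with a static peer (ADC in the post)
    peer_hostname -> this side accepts a dynamic peer by hostname (SJDC in the post)
    inbound       -> system-services opened on the Internet-facing interface"""
    if len(psk) < 16:
        raise ValueError("pre-shared key too short; use a long random value")
    if bool(peer_address) == bool(peer_hostname):
        raise ValueError("give exactly one of peer_address or peer_hostname")
    ike_pol, ips_pol = f"ike_pol_{local}-{peer}", f"ipsec_pol_{local}-{peer}"
    gw, vpn = f"gw_{local}-{peer}", f"{local}-{peer}"
    lines = [
        f"set system host-name {local}-VPN",
        f"set interfaces st0.0 family inet address {tunnel_ip}",
        "set security zones security-zone trust interfaces st0.0",
        f"set security ike policy {ike_pol} mode aggressive",
        f"set security ike policy {ike_pol} proposal-set compatible",
        f'set security ike policy {ike_pol} pre-shared-key ascii-text "{psk}"',
        f"set security ike gateway {gw} ike-policy {ike_pol}",
    ]
    if peer_address:   # initiator: static remote address, identify ourselves by hostname
        lines += [f"set security ike gateway {gw} address {peer_address}",
                  f"set security ike gateway {gw} local-identity hostname {local}-VPN"]
    else:              # responder: the dynamic peer is matched on its hostname identity
        lines.append(f"set security ike gateway {gw} dynamic hostname {peer_hostname}")
    lines += [
        f"set security ike gateway {gw} dead-peer-detection",
        f"set security ike gateway {gw} external-interface {ext_if}",
        f"set security ipsec policy {ips_pol} perfect-forward-secrecy keys group2",
        f"set security ipsec policy {ips_pol} proposal-set compatible",
        f"set security ipsec vpn {vpn} bind-interface st0.0",
        f"set security ipsec vpn {vpn} vpn-monitor",
        f"set security ipsec vpn {vpn} ike gateway {gw}",
        f"set security ipsec vpn {vpn} ike ipsec-policy {ips_pol}",
        f"set security ipsec vpn {vpn} establish-tunnels immediately",
    ]
    pol = "set security policies from-zone trust to-zone trust policy trust-to-trust"
    lines += [f"{pol} match source-address any", f"{pol} match destination-address any",
              f"{pol} match application any", f"{pol} then permit"]
    # Only the listed services are opened on the untrust interface (the post's SOP
    # also opens dhcp, tftp, https, snmp, ssh, ping and traceroute there).
    lines += [f"set security zones security-zone untrust interfaces {ext_if} "
              f"host-inbound-traffic system-services {svc}" for svc in inbound]
    return "\n".join(lines)
```

Call it once per site, e.g. render_site("ADC", "SJDC", "172.1.1.2/30", "fe-0/0/0.0", psk, peer_address="10.1.1.1") and render_site("SJDC", "ADC", "172.1.1.1/30", "fe-0/0/0.0", psk, peer_hostname="ADC-VPN"), and paste each result into the respective SRX in configuration mode.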
[edit]
root@ADC-VPN# run show interfaces st0.0 terse
Interface Admin Link Proto Local Remote
st0.0 up up inet 172.1.1.2/30
[edit]
root@ADC-VPN# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
4663556 UP 3be2bd0d72642302 12df6d0b8a84f2a3 Aggressive 10.1.1.1
[edit]
root@ADC-VPN# run show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
< 131073 ESP:3des/sha1 4c82c912 1964/ unlim U root 500 10.1.1.1
> 131073 ESP:3des/sha1 77f4b2d0 1964/ unlim U root 500 10.1.1.1
[edit]
root@ADC-VPN# run show security ipsec security-associations index 131073
Virtual-system: root
Local Gateway: 10.1.1.2, Remote Gateway: 10.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Direction: inbound, SPI: 4c82c912, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 1240 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 606 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 77f4b2d0, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 1240 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 606 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
[edit]
root@ADC-VPN# run show security ipsec statistics index 131073
ESP Statistics:
Encrypted bytes: 147344
Decrypted bytes: 90836
Encrypted packets: 1084
Decrypted packets: 1084
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
The State field shows the status of the phase 1 SA. The State can be either UP or DOWN.
The Mon field displays the link status as seen through the VPN Monitor feature.
Here are the possible values of the Mon field:
- -: a hyphen means VPN Monitor is not configured
- U: the VPN tunnel is active, and the link (as detected through VPN Monitor) is UP
- D: the VPN tunnel is active, but the link (as detected through VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings. This can happen because the device being pinged is down or has ping disabled. It can also happen if the other side of the VPN is not a Juniper firewall.
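As an added example (not from the original post), the following parses the two SA tables above and applies the State and Mon meanings just described, so the same check can be scripted against saved show output from both sites. It also flags the 3DES/SHA1 negotiated by proposal-set compatible in the output above, which a practitioner should replace with an explicit AES proposal; the sample text is copied from the post's lab output.

```python
# Added example (not from the original post): turn the two SA tables above into a
# pass/fail tunnel check. The sample text is copied from the post's lab output.
IKE_SAMPLE = """\
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
4663556 UP     3be2bd0d72642302  12df6d0b8a84f2a3  Aggressive  10.1.1.1
"""
IPSEC_SAMPLE = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:3des/sha1 4c82c912 1964/ unlim   U   root 500   10.1.1.1
  >131073 ESP:3des/sha1 77f4b2d0 1964/ unlim   U   root 500   10.1.1.1
"""
MON_MEANING = {"-": "vpn-monitor not configured", "U": "link up",
               "D": "peer not answering vpn-monitor pings"}
LEGACY = ("3des", "md5")   # negotiated by proposal-set compatible; flag for replacement

def parse_ike(text):
    """Rows of 'show security ike security-associations' as dicts."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 6 and t[0].isdigit() and t[1] in ("UP", "DOWN"):
            rows.append(dict(index=int(t[0]), state=t[1], mode=t[4], peer=t[5]))
    return rows

def parse_ipsec(text):
    """Rows of 'show security ipsec security-associations'; '<' is inbound."""
    rows = []
    for line in text.splitlines():
        t = line.replace("<", "< ").replace(">", "> ").split()   # "<131073" or "< 131073"
        if len(t) >= 8 and t[0] in ("<", ">") and t[1].isdigit() and t[-4] in MON_MEANING:
            rows.append(dict(dir="in" if t[0] == "<" else "out", id=int(t[1]), alg=t[2],
                             spi=t[3], mon=t[-4], gateway=t[-1]))
    return rows

def check_tunnel(ike_text, ipsec_text, peer):
    """Return findings for the tunnel to `peer`; an empty list means healthy."""
    findings = []
    ike = [s for s in parse_ike(ike_text) if s["peer"] == peer]
    if not ike or ike[0]["state"] != "UP":
        findings.append(f"phase 1 SA to {peer} missing or DOWN")
    sas = [s for s in parse_ipsec(ipsec_text) if s["gateway"] == peer]
    if {s["dir"] for s in sas} != {"in", "out"}:
        findings.append(f"phase 2 SA pair to {peer} incomplete")
    for s in sas:
        if s["mon"] != "U":
            findings.append(f"SA {s['id']} {s['dir']}: {MON_MEANING[s['mon']]}")
        if any(a in s["alg"].lower() for a in LEGACY):
            findings.append(f"SA {s['id']} {s['dir']}: legacy algorithm {s['alg']}")
    return findings
```

Against the post's own output, check_tunnel(IKE_SAMPLE, IPSEC_SAMPLE, "10.1.1.1") reports the tunnel up on both directions and returns only the two legacy-algorithm findings.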