EdgeRouter - Site-to-Site IPsec VPN to Juniper SRX
Overview
Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Juniper SRX.
- EdgeRouter 4 (ER-4)
- Juniper SRX
FAQ
1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:
2. What are the available encryption and hashing options for IKE and ESP?
(Table of supported algorithms; columns: Encryption, Hashing)
Setting up a Policy-Based VPN
The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.
EdgeRouter
1. Enter configuration mode.
configure
2. Enable the auto-firewall-nat-exclude feature.
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs).
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address (replace <secret> with your desired passphrase).
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the remote peer and define the local and remote subnets.
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
7. Commit the changes and save the configuration.
commit ; save
Juniper SRX
1. Enter configuration mode.
configure
2. Link the interfaces to the relevant zones and allow IKE on the WAN interface.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
3. Define the local and remote subnets as address ranges in an address book.
set security address-book global address remote 192.168.1.0/24
set security address-book global address local 172.16.1.0/24
4. Allow the IPsec traffic between the untrust and trust zones, referencing the address-book entries, and pair the two policies.
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match source-address local
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match destination-address remote
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match application any
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel ipsec-vpn ipsec-tunnel
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel pair-policy ipsec-to-trust
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match source-address remote
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match destination-address local
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match application any
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel ipsec-vpn ipsec-tunnel
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel pair-policy trust-to-ipsec
5. Make sure that the IPsec traffic policies are matched before the existing policy rules.
insert security policies from-zone trust to-zone untrust policy trust-to-ipsec before policy default-permit
insert security policies from-zone untrust to-zone trust policy ipsec-to-trust before policy default-deny
6. Exclude the IPsec traffic from source NAT.
set security nat source rule-set sourcenat from zone trust
set security nat source rule-set sourcenat to zone untrust
set security nat source rule-set sourcenat rule nat match source-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat match destination-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat then source-nat interface
set security nat source rule-set sourcenat rule ipsec match source-address-name local
set security nat source rule-set sourcenat rule ipsec match destination-address-name remote
set security nat source rule-set sourcenat rule ipsec then source-nat off
7. Make sure that the IPsec NAT exclusion rule is matched before the existing Source-NAT rule.
insert security nat source rule-set sourcenat rule ipsec before rule nat
8. Create an IKE proposal that matches the defined SAs on the EdgeRouter.
set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike proposal ike-proposal dh-group group14
set security ike proposal ike-proposal authentication-algorithm sha1
set security ike proposal ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal ike-proposal lifetime-seconds 28800
9. Create an IKE policy and link it to the IKE proposal (replace <secret> with your desired passphrase).
set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-proposal
set security ike policy ike-policy pre-shared-key ascii-text <secret>
10. Create an IKE gateway and link it to the IKE policy.
set security ike gateway ike-gateway ike-policy ike-policy
set security ike gateway ike-gateway address 203.0.113.1
set security ike gateway ike-gateway external-interface ge-0/0/0
set security ike gateway ike-gateway local-address 192.0.2.1
11. Create an ESP proposal matching the defined SAs on the EdgeRouter.
set security ipsec proposal esp-proposal protocol esp
set security ipsec proposal esp-proposal authentication-algorithm sha1
set security ipsec proposal esp-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal esp-proposal lifetime-seconds 3600
12. Create the ESP policy and link it to the ESP proposal.
set security ipsec policy esp-policy proposals esp-proposal
13. Create the VPN connection and link it to the IKE gateway and ESP policy.
set security ipsec vpn ipsec-tunnel ike gateway ike-gateway
set security ipsec vpn ipsec-tunnel ike ipsec-policy esp-policy
14. Commit the changes.
commit
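As an added example that is not part of the original article, the check below parses the set-commands from both sides of this walkthrough and reports every IKE/ESP parameter, the PFS setting, or mirrored subnet that does not agree between EdgeOS and Junos, which is where a policy-based tunnel between these two platforms most often fails to negotiate. The two configurations are embedded as a constructed sample, and the names ALIASES, grab and mismatches are chosen here.

```python
import re
# Constructed sample: the "set" lines from both sides of this article, embedded so the check
# runs offline; in practice feed it each device's own set-command listing.
EDGEOS = """
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
"""
JUNOS = """
set security address-book global address remote 192.168.1.0/24
set security address-book global address local 172.16.1.0/24
set security ike proposal ike-proposal dh-group group14
set security ike proposal ike-proposal authentication-algorithm sha1
set security ike proposal ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal ike-proposal lifetime-seconds 28800
set security ipsec proposal esp-proposal authentication-algorithm sha1
set security ipsec proposal esp-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal esp-proposal lifetime-seconds 3600
"""
# Junos and EdgeOS spell the same algorithm differently; map both spellings to one form.
ALIASES = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "group14": "14", "dh-group14": "14"}

def grab(cfg, pattern):  # last word of the first line matching `pattern`, else None
    m = re.search(pattern + r"\s+(\S+)\s*$", cfg, re.M)
    return m.group(1) if m else None

def mismatches(edgeos, junos):  # {parameter: (edgeos_value, junos_value)} for each disagreement
    pairs = {  # EdgeOS line pattern, Junos line pattern
        "ike_dh":   (r"ike-group \S+ proposal \d+ dh-group",   r"ike proposal \S+ dh-group"),
        "ike_enc":  (r"ike-group \S+ proposal \d+ encryption", r"ike proposal \S+ encryption-algorithm"),
        "ike_hash": (r"ike-group \S+ proposal \d+ hash",       r"ike proposal \S+ authentication-algorithm"),
        "ike_life": (r"ike-group \S+ lifetime",                r"ike proposal \S+ lifetime-seconds"),
        "esp_enc":  (r"esp-group \S+ proposal \d+ encryption", r"ipsec proposal \S+ encryption-algorithm"),
        "esp_hash": (r"esp-group \S+ proposal \d+ hash",       r"ipsec proposal \S+ authentication-algorithm"),
        "esp_life": (r"esp-group \S+ lifetime",                r"ipsec proposal \S+ lifetime-seconds"),
        # Subnets are mirrored: the EdgeOS local prefix is the SRX "remote" address-book entry.
        "local_net":  (r"tunnel \d+ local prefix",  r"address-book global address remote"),
        "remote_net": (r"tunnel \d+ remote prefix", r"address-book global address local"),
    }
    found = {k: (grab(edgeos, e), grab(junos, j)) for k, (e, j) in pairs.items()}
    # Junos leaves PFS off unless perfect-forward-secrecy keys is set on the IPsec policy.
    found["pfs"] = (grab(edgeos, r"esp-group \S+ pfs"), grab(junos, r"ipsec policy \S+ perfect-forward-secrecy keys") or "disable")
    return {k: v for k, v in found.items() if ALIASES.get(v[0], v[0]) != ALIASES.get(v[1], v[1])}
```

An empty result means every compared parameter agrees; any key returned names the parameter to fix before retrying the tunnel.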
Related Articles
EdgeRouter - Policy-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH