EdgeRouter - Site-to-Site IPsec VPN to Juniper SRX


Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Juniper SRX.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Configuring the Policy-Based VPN
  4. Related Articles

FAQ

1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Network Diagram

The network topology is shown below and the following interfaces are in use on the routers:

ER-4

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

Juniper SRX

  • ge-0/0/0 (WAN) - 192.0.2.1
  • ge-0/0/1 (LAN) - 172.16.1.1/24

[Figure: topology.png, network topology diagram of the ER-4 and Juniper SRX sites]


Configuring the Policy-Based VPN

CLI: Access the command line interface on the ER. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the remote peering address (replace <secret> with your desired passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

6. Link the SAs created above to the remote peer and define the local and remote subnets.

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24

7. Commit the changes and save the configuration.

commit ; save

CLI: Access the command line interface (CLI) on the Juniper SRX.

1. Enter configuration mode.

configure

2. Link the interfaces to the relevant zones and allow IKE on the WAN interface.

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

3. Define the local and remote subnets as address ranges in an address book.

set security address-book global address remote 192.168.1.0/24
set security address-book global address local 172.16.1.0/24

4. Allow the IPsec traffic between the untrust and trust zones and link the address books.

set security policies from-zone trust to-zone untrust policy trust-to-ipsec match source-address local
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match destination-address remote
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match application any
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel ipsec-vpn ipsec-tunnel
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel pair-policy ipsec-to-trust

set security policies from-zone untrust to-zone trust policy ipsec-to-trust match source-address remote
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match destination-address local
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match application any
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel ipsec-vpn ipsec-tunnel
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel pair-policy trust-to-ipsec

NOTE: The tunnel pair-policy statement links the untrust to the trust policy and vice versa. These policies link the address books to the IPsec tunnel and define the local and remote subnets.

5. Make sure that the IPsec traffic policies are matched before the existing policy rules.

insert security policies from-zone trust to-zone untrust policy trust-to-ipsec before policy default-permit
insert security policies from-zone untrust to-zone trust policy ipsec-to-trust before policy default-deny

6. Exclude IPsec traffic from being translated in NAT.

set security nat source rule-set sourcenat from zone trust
set security nat source rule-set sourcenat to zone untrust

set security nat source rule-set sourcenat rule nat match source-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat match destination-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat then source-nat interface

set security nat source rule-set sourcenat rule ipsec match source-address-name local
set security nat source rule-set sourcenat rule ipsec match destination-address-name remote
set security nat source rule-set sourcenat rule ipsec then source-nat off

7. Make sure that the IPsec NAT exclusion rule is matched before the existing Source-NAT rule.

insert security nat source rule-set sourcenat rule ipsec before rule nat

8. Create an IKE proposal that matches the defined SAs on the EdgeRouter.

set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike proposal ike-proposal dh-group group14
set security ike proposal ike-proposal authentication-algorithm sha1
set security ike proposal ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal ike-proposal lifetime-seconds 28800

9. Create an IKE policy and link it to the IKE proposal (replace <secret> with your desired passphrase).

set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-proposal
set security ike policy ike-policy pre-shared-key ascii-text <secret>

10. Create an IKE gateway and link it to the IKE policy.

set security ike gateway ike-gateway ike-policy ike-policy
set security ike gateway ike-gateway address 203.0.113.1
set security ike gateway ike-gateway external-interface ge-0/0/0
set security ike gateway ike-gateway local-address 192.0.2.1

11. Create an ESP proposal matching the defined SAs on the EdgeRouter.

set security ipsec proposal esp-proposal protocol esp
set security ipsec proposal esp-proposal authentication-algorithm sha1
set security ipsec proposal esp-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal esp-proposal lifetime-seconds 3600

12. Create the ESP policy and link it to the ESP proposal.

set security ipsec policy esp-policy proposals esp-proposal

13. Create the VPN connection and link it to the IKE gateway and ESP policy.

set security ipsec vpn ipsec-tunnel ike gateway ike-gateway
set security ipsec vpn ipsec-tunnel ike ipsec-policy esp-policy

14. Commit the changes.

commit
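As an added example (not part of the original article or either vendor's tooling), the following Python script checks that the EdgeRouter and SRX configurations from the two procedures above actually agree before you commit: the Phase 1 and Phase 2 algorithms must be identical once EdgeOS names are translated to their Junos spellings, and the traffic selectors must be mirrored (the ER's local prefix is the SRX's "remote" address and vice versa). The TO_JUNOS name table and the regular expressions are assumptions written for the "set" lines on this page, not an official mapping.

```python
import re

# EdgeOS algorithm names mapped onto their Junos spellings (mapping assumed from the procedures above).
TO_JUNOS = {"aes128": "aes-128-cbc", "aes256": "aes-256-cbc", "3des": "3des-cbc", "14": "group14"}

def parse(text, fields):
    """Run {field: regex} over a 'set' config; each regex captures one value (None if absent)."""
    found = {f: re.search(p, text, re.M) for f, p in fields.items()}
    return {f: (m.group(1) if m else None) for f, m in found.items()}

EDGEOS = {"ike_dh": r"ike-group \S+ proposal \d+ dh-group (\S+)",
          "ike_enc": r"ike-group \S+ proposal \d+ encryption (\S+)",
          "ike_hash": r"ike-group \S+ proposal \d+ hash (\S+)",
          "esp_enc": r"esp-group \S+ proposal \d+ encryption (\S+)",
          "esp_hash": r"esp-group \S+ proposal \d+ hash (\S+)",
          "local_net": r"tunnel \d+ local prefix (\S+)",
          "remote_net": r"tunnel \d+ remote prefix (\S+)"}
JUNOS = {"ike_dh": r"ike proposal \S+ dh-group (\S+)",
         "ike_enc": r"ike proposal \S+ encryption-algorithm (\S+)",
         "ike_hash": r"ike proposal \S+ authentication-algorithm (\S+)",
         "esp_enc": r"ipsec proposal \S+ encryption-algorithm (\S+)",
         "esp_hash": r"ipsec proposal \S+ authentication-algorithm (\S+)",
         "local_net": r"address-book global address local (\S+)",
         "remote_net": r"address-book global address remote (\S+)"}

def mismatches(edgeos_cfg, junos_cfg):
    """Return the fields on which the two tunnel ends disagree (empty list = proposals line up)."""
    er, srx = parse(edgeos_cfg, EDGEOS), parse(junos_cfg, JUNOS)
    # Phase 1/2 algorithms must be identical once EdgeOS names are translated to Junos names.
    bad = [f for f in ("ike_dh", "ike_enc", "ike_hash", "esp_enc", "esp_hash")
           if TO_JUNOS.get(er[f], er[f]) != srx[f]]
    # Traffic selectors are mirrored: the ER's local prefix is the SRX's "remote" address, and vice versa.
    bad += [f for f, g in (("local_net", "remote_net"), ("remote_net", "local_net")) if er[f] != srx[g]]
    return bad

# Constructed sample: the relevant 'set' lines from the two procedures above.
ER_CFG = """set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24"""
SRX_CFG = """set security address-book global address remote 192.168.1.0/24
set security address-book global address local 172.16.1.0/24
set security ike proposal ike-proposal dh-group group14
set security ike proposal ike-proposal authentication-algorithm sha1
set security ike proposal ike-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal esp-proposal authentication-algorithm sha1
set security ipsec proposal esp-proposal encryption-algorithm aes-128-cbc"""
```

mismatches(ER_CFG, SRX_CFG) returns [] for the configuration on this page; a differing algorithm or an un-mirrored subnet shows up as that field's name in the returned list, which is the usual reason a policy-based tunnel never reaches Phase 2.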

Related Articles

Intro to Networking - How to Establish a Connection Using SSH
