Wednesday, February 15, 2012

Building Route Based VPN’s on Juniper SRX


Building Route Based VPN’s on Juniper SRX

One of the best features of the SRX is how easily one can create new VPN’s.  There’s a ton of other features, but doing VPN’s from CLI is a matter of a few simple commands.  After the first VPN is built, some of the configuration can even be re-used, provided the security settings (namely encryption) is the same on subsequent VPN’s.
To create a route based vpn, just follow the steps below.  The example below assumes that you are terminating the VPN on the “trust” interface of your firewall.  If you decide to terminate on another zone, remember that you will need POLICY in place, to allow zone-to-zone communications.
Step 1:  Build the secure tunnel interface
set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces st0.0
Step 2: Create the route(s) for the remote networks going across the tunnel
set routing-options static route 172.16.0.0/16 next-hop st0.0
set routing-options static route 10.10.200.0/24 next-hop st0.0
Step 3: Set up the IKE Proposal
set security ike proposal P1-AES authentication-method pre-shared-keys
set security ike proposal P1-AES dh-group group2
set security ike proposal P1-AES authentication-algorithm sha1
set security ike proposal P1-AES encryption-algorithm aes-128-cbc
Step 4: Set up IKE Policy and define the remove VPN Gateway
set security ike policy ike-pol-MyVPN mode main
set security ike policy ike-pol-MyVPN proposals P1-AES
set security ike policy ike-pol-MyVPN pre-shared-key ascii-text abc1234567
set security ike gateway gw-TheirGateway address 1.2.3.4
set security ike gateway gw-TheirGateway external-interface fe-0/0/1.0
set security ike gateway gw-TheirGateway ike-policy ike-pol-MyVPN
Step 5:  Set up IPSEC Policy

set security ipsec proposal P2-AES protocol esp
set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol-1 proposals P2-AES
set security ipsec policy ipsec-pol-1 perfect-forward-secrecy keys group2

Step 6: Build the VPN and Join Everything Together
set security ipsec vpn vpn-ToThem ike gateway gw-TheirGateway
set security ipsec vpn vpn-ToThem ike ipsec-policy ipsec-pol-1
set security ipsec vpn vpn-ToThem establish-tunnels immediately
set security ipsec vpn vpn-ToThem bind-interface st0.0
So basically, the method for doing SRX route based VPN is to build the parts, link them together, and commit. The VPN is built using “st0″ interfaces. By simply adding “family inet” only, with no IP, we essentially make the interface an ip unnumbered interface. Then, that interface is placed into the zone desired, resulting in an end point that will take on whatever rule set the zone allows.  Routes are then added, pointing the remote networks down the corresponging logical unit of the st0 interface – in this example st0.0 (the .0 being the logical unit). 
The names of the IKE Policy, IPSec profiles, etc, are free-form, and can be whatever you want them to be.  I like to create them using words like “IKE-POL” for Ike Policy, and “vpn-ToWhatever” to indicate roughly where things are going and what they are for.

No comments:

YouTube Channel