Tuesday, January 24, 2012

Simple IPsec VPN in Junos

I figured I’d write something up quick about doing IPsec VPN on Junos. If you’re just looking for a simple route-based tunnel (one that terminates on an st0 interface), it really couldn’t be easier.
Starting on R1, create your IKE (phase 1) proposal. In our case we will use:
  • DH group 2
  • SHA-1
  • AES-128-CBC
  • 3600-second lifetime
(Group 2 is 1024-bit MODP and SHA-1 is no longer recommended; if both ends support a stronger group and SHA-2 use those instead. The configuration steps are identical.)
set security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE_PROPOSAL dh-group group2
set security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set security ike proposal IKE_PROPOSAL encryption-algorithm aes-128-cbc
set security ike proposal IKE_PROPOSAL lifetime-seconds 3600
Next we create our IKE policy and reference the IKE_PROPOSAL proposal. We also specify our pre-shared key here. Note that the key must be entered as either ascii-text or hexadecimal; the CLI will not accept a bare string. Main mode is the default, which is what you want for a peer with a static address:
set security ike policy IKE_POLICY proposals IKE_PROPOSAL
set security ike policy IKE_POLICY pre-shared-key ascii-text foobarpsk
Finally, we have to specify our IKE gateway information. In this example:
  • We’re going to use our IKE_POLICY policy
  • Our peer address is 2.2.2.2
  • The external interface, i.e. the logical interface whose address the IKE negotiation is sourced from and that the peer will connect to, is ge-0/0/0.0
set security ike gateway IKE_GW ike-policy IKE_POLICY
set security ike gateway IKE_GW address 2.2.2.2
set security ike gateway IKE_GW external-interface ge-0/0/0.0
Great! Next up is our IPsec (phase 2) proposal. We’ll be using:
  • ESP
  • HMAC-SHA1-96
  • AES-128-CBC
  • 3600-second lifetime
set security ipsec proposal IPSEC_PROPOSAL protocol esp
set security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
Following this is our IPSec policy, which specifies to use the IPSEC_PROPOSAL proposal:
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
Last but not least, we have to tie it all together. We’re going to use the following:
  • Secure Tunnel interface st0.0
  • IKE gateway IKE_GW
  • IPSec Policy IPSEC_POLICY
We will also use the “establish-tunnels immediately” configuration option that specifies that the tunnel should come up immediately.
set security ipsec vpn VPN bind-interface st0.0
set security ipsec vpn VPN ike gateway IKE_GW
set security ipsec vpn VPN ike ipsec-policy IPSEC_POLICY
set security ipsec vpn VPN establish-tunnels immediately
Now we can add an IP address to our st0.0 interface, and we can even run OSPF across the tunnel (note the keyword is interface, singular, and area 0 is stored as 0.0.0.0):
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set protocols ospf area 0.0.0.0 interface st0.0
Beyond this, we need to add st0.0 to a security zone and be sure there is a policy permitting traffic between that zone and your inside zone. Also keep in mind your Untrust zone is going to require host-inbound-traffic system-services ike on the external interface, or the peer’s IKE packets will be dropped before the tunnel can establish; likewise the zone holding st0.0 needs host-inbound-traffic protocols ospf if you are running OSPF over the tunnel. Be sure to commit!
Duplicate the configuration on the other side, changing IP addresses as necessary, and you’re done!
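Putting the whole procedure together, here is a complete pair of configurations with the zone, policy and host-inbound-traffic pieces filled in. This is an added example rather than the post’s own configuration; the R1 public address 1.1.1.1, the LAN prefixes 192.168.1.0/24 and 192.168.2.0/24 on ge-0/0/1.0, the zone names trust/untrust/vpn, the policy names and the default next-hops are assumptions chosen for illustration.

```junos
## R1: ge-0/0/0.0 = 1.1.1.1/24 (assumed), ge-0/0/1.0 = 192.168.1.1/24 (assumed), st0.0 = 10.0.0.1/30
## Phase 1: proposal, policy (main mode, PSK entered as ascii-text), gateway
set security ike proposal IKE_PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE_PROPOSAL dh-group group2
set security ike proposal IKE_PROPOSAL authentication-algorithm sha1
set security ike proposal IKE_PROPOSAL encryption-algorithm aes-128-cbc
set security ike proposal IKE_PROPOSAL lifetime-seconds 3600
set security ike policy IKE_POLICY mode main
set security ike policy IKE_POLICY proposals IKE_PROPOSAL
set security ike policy IKE_POLICY pre-shared-key ascii-text "foobarpsk"
set security ike gateway IKE_GW ike-policy IKE_POLICY
set security ike gateway IKE_GW address 2.2.2.2
set security ike gateway IKE_GW external-interface ge-0/0/0.0
## Phase 2: proposal, policy, and the VPN bound to st0.0
set security ipsec proposal IPSEC_PROPOSAL protocol esp
set security ipsec proposal IPSEC_PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROPOSAL encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PROPOSAL lifetime-seconds 3600
set security ipsec policy IPSEC_POLICY proposals IPSEC_PROPOSAL
set security ipsec vpn VPN bind-interface st0.0
set security ipsec vpn VPN ike gateway IKE_GW
set security ipsec vpn VPN ike ipsec-policy IPSEC_POLICY
set security ipsec vpn VPN establish-tunnels immediately
## Interfaces and routing (addresses and next-hop are assumed values)
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
set protocols ospf area 0.0.0.0 interface st0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
## Zones: IKE must be allowed in on the external interface, OSPF on the tunnel interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/1.0
## Policies: permit LAN traffic across the tunnel in both directions (tighten to real prefixes in production)
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
commit

## R2: identical IKE/IPsec, zone and policy configuration; only these lines differ
set security ike gateway IKE_GW address 1.1.1.1
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces st0 unit 0 family inet address 10.0.0.2/30
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.254
commit

## Verify from operational mode: phase 1 SA, phase 2 SA, then the OSPF adjacency over st0.0
show security ike security-associations
show security ipsec security-associations
show ospf neighbor
```

If show security ike security-associations is empty, check the host-inbound-traffic line on the external interface and that the pre-shared key and proposals match on both ends before looking anywhere else; if phase 1 is UP but there is no IPsec SA, the phase 2 proposals differ. Once both SAs show up, the OSPF neighbor on st0.0 should appear and each side learns the other’s LAN prefix through the tunnel.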
