Dynamic site to site VPN in Juniper SRX and SSG


Today we will configure a dynamic site-to-site VPN between a Juniper SRX and a Juniper SSG gateway. There are many protocols for building a VPN; here we use IPsec, which is considered secure. In our setup the SSG has a static public IP address, while the SRX receives a dynamic address from its ISP (which may be a public or a private IP). The diagram below shows the devices and their IP addresses.

Dynamic site to site VPN in Juniper SRX and SSG


SRX 210

Set the IP addresses on the SRX for the private and tunnel networks. The public interface ge-0/0/0 obtains a dynamic IP from the ISP (here via DHCP; the ISP may also hand out the address over a PPPoE or ADSL connection).

set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family inet address 192.168.4.1/24
set interfaces st0 unit 0 family inet address 192.168.10.1/24

After configuring the interface addresses, configure the routing options on the SRX: a static route to the remote private network through the tunnel interface, and a default route out of the public interface.

set routing-options static route 192.168.100.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop ge-0/0/0

Then configure the security zones, assign the interfaces to them, and allow the host-inbound traffic the VPN needs. Note that "system-services all" on the untrust zone is broader than required: from the Internet side the SRX only needs IKE (and DHCP, for the dynamic address) to reach the device itself.

set security zones security-zone untrust tcp-rst
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0

Let's now configure phase 1 (IKE). The proposal defined here must match exactly what is later configured on the SSG. DES and SHA-1, as used below, are weak by current standards; prefer AES and SHA-2 where both devices support them.

set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal authentication-algorithm sha1
set security ike proposal P1proposal lifetime-seconds 86400
 
set security ike policy P1policy mode aggressive
set security ike policy P1policy proposals P1proposal
set security ike policy P1policy pre-shared-key ascii-text "p@ssword"
 
set security ike gateway P1gateway ike-policy P1policy
set security ike gateway P1gateway address 2.2.2.2
set security ike gateway P1gateway dead-peer-detection interval 10
set security ike gateway P1gateway dead-peer-detection threshold 3
set security ike gateway P1gateway local-identity user-at-hostname "bipin@mustbegeek.com"
set security ike gateway P1gateway external-interface ge-0/0/0

After phase 1, configure phase 2 (IPsec): the proposal, the policy, and the VPN itself bound to the st0.0 tunnel interface.

set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
 
set security ipsec policy P2policy perfect-forward-secrecy keys group2
set security ipsec policy P2policy proposals P2proposal
 
set security ipsec vpn site1-to-site2-vpn bind-interface st0.0
set security ipsec vpn site1-to-site2-vpn ike gateway P1gateway
set security ipsec vpn site1-to-site2-vpn ike ipsec-policy P2policy
set security ipsec vpn site1-to-site2-vpn establish-tunnels immediately

Now create security policies to allow traffic from site1 to site2 and vice versa. Because st0.0 shares the untrust zone with ge-0/0/0, the fromInternet policy as written permits any untrust-to-trust traffic, not only traffic arriving through the tunnel; restrict its source-address to the remote networks, or place st0.0 in a dedicated zone, to limit it to the VPN.

set security policies from-zone trust to-zone untrust policy allowALL match source-address any
set security policies from-zone trust to-zone untrust policy allowALL match destination-address any
set security policies from-zone trust to-zone untrust policy allowALL match application any
set security policies from-zone trust to-zone untrust policy allowALL then permit
 
set security policies from-zone untrust to-zone trust policy fromInternet match source-address any
set security policies from-zone untrust to-zone trust policy fromInternet match destination-address any
set security policies from-zone untrust to-zone trust policy fromInternet match application any
set security policies from-zone untrust to-zone trust policy fromInternet then permit

Note: make sure the policy on the home network permits incoming traffic from both the remote network 192.168.100.1/24 and the tunnel network 192.168.10.0/24.

SSG 20

First, log in to the SSG web management interface in a browser and configure the IP addresses on the corresponding interfaces, as we did on the SRX. After logging in to the SSG20, expand Network, then expand Interfaces and select List. In the figure below you can click the Edit button on the right and configure the IP addresses.

Configuring SSG Interfaces

In the same window, select Tunnel IP in the drop-down menu at the top right and click New. This creates a new tunnel interface for the VPN connection, the counterpart of the st0.0 tunnel interface on the SRX. After clicking New, the following page appears.

Creating VPN Tunnel interface in SSG

Make the changes shown above, leave the other settings at their defaults, and click OK. This completes the interface setup.

We now begin the VPN configuration by defining the phase 1 and phase 2 options. Expand the VPNs tab, then expand AutoKey Advanced and select P1 Proposal. In the main window, click the New button at the top right of the page. This corresponds to creating the phase 1 proposal on the SRX. The following page appears after clicking New.

Configuring IPSec Phase 1 Proposal in SSG

Make the changes shown above and click OK. The phase 1 proposal here must be identical to the one we configured on the SRX.

Similarly, select P2 Proposal in the left navigation pane and click the New button in the main window. The following page appears. This corresponds to the phase 2 proposal we configured on the SRX; remember that the settings must be the same on both sides.

Configuring IPSec Phase 2 Proposal in SSG

After making the changes shown above, click OK. Now select Gateway in the left pane and click the New button in the main window. The following page appears.

Configuring IPSec Phase 1 Gateway in SSG

Since we are configuring a dynamic VPN, select the Dynamic IP Address option and enter the Peer ID of the remote gateway, i.e. bipin@mustbegeek.com. Instead of clicking OK, click the Advanced button. You will now see the following options.

Configuring IPSec Phase 1 Gateway Advanced Options in SSG

We are configuring IKEv1, so leave the IKE2 Auth Method at the top of the page as it is. Type the preshared key, which is p@ssword (it must be the same as on the SRX). Under Security Level, click Custom and select P1proposal from the drop-down. Select the DPD option under Peer Status Detection and enter the values for Interval and Retry. After setting all the parameters, click Return and then OK. The gateway is now configured. Next, click the AutoKey IKE tab under VPNs and click the New button in the main window. The following page appears.

IPSec AutoKey IKE configuration in SSG

Enter the VPN name as site-to-site-VPN. Select the Predefined option and choose P1gateway from the drop-down. Now click the Advanced button below. This brings up the following page.

IPSec AutoKey IKE Advanced Options configuration in SSG

Here select the Phase 2 Proposal from the drop-down. Then select Bind to Tunnel Interface, choose tunnel.1, and click Return. Now click OK.

Now configure the security policy options to allow the remote network into the local network and vice versa. When creating the policy, make sure you allow both the remote internal network (192.168.4.0/24) and the tunnel network (192.168.10.0/24) to enter the home network.

Finally, configure the routing options on the SSG. The following figure shows just that.

Setting Routing Table in SSG
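The article stresses several times that the SRX and SSG phase 1 and phase 2 proposals must be identical. The following Python script is an added example, not part of the original article: it parses the SRX "set" lines shown above, compares the proposal parameters with the values typed into the SSG pages (the SSG_P1 and SSG_P2 dictionaries are constructed here to mirror the article), and lists the weak algorithm choices a reviewer would want to upgrade.

```python
"""Check that the SRX IKE/IPsec proposal lines match the values entered on
the SSG side and flag weak choices. Added example, not from the article;
the SSG-side dictionaries below are constructed to mirror its screenshots."""
import re

# Constructed: the article's SRX phase 1 and phase 2 'set' lines, verbatim
SRX_CONFIG = """
set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal authentication-algorithm sha1
set security ike proposal P1proposal lifetime-seconds 86400
set security ike policy P1policy mode aggressive
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
set security ipsec policy P2policy perfect-forward-secrecy keys group2
"""

# Constructed: what the article says to type on the SSG P1/P2 proposal pages
SSG_P1 = {"dh-group": "group2", "encryption-algorithm": "des-cbc",
          "authentication-algorithm": "sha1", "lifetime-seconds": "86400"}
SSG_P2 = {"protocol": "esp", "encryption-algorithm": "des-cbc",
          "authentication-algorithm": "hmac-sha1-96", "lifetime-seconds": "36000"}

# Tokens that are weak by current standards (kept here only to warn about them)
WEAK = {"des-cbc": "single DES", "sha1": "SHA-1", "hmac-sha1-96": "SHA-1",
        "group2": "1024-bit DH group 2", "aggressive": "IKEv1 aggressive mode"}
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")

def parse_proposals(text):
    """Return {(family, name): {parameter: value}} from Junos 'set' lines."""
    proposals = {}
    for line in text.strip().splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:  # policy, gateway and vpn lines do not match and are skipped
            family, name, key, value = m.groups()
            proposals.setdefault((family, name), {})[key] = value
    return proposals

def mismatches(srx_params, ssg_params):
    """Parameters whose value differs (or is missing) between the two sides."""
    return sorted(k for k in ssg_params if srx_params.get(k) != ssg_params[k])

def weak_settings(text):
    """Human-readable names of every weak algorithm or mode used in the config."""
    tokens = set(text.split())
    return sorted({WEAK[t] for t in tokens if t in WEAK})
```

Run mismatches() against each proposal pair before bringing the tunnel up; an empty list means the two sides agree, and any name it returns is the parameter to correct on one side.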


Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork . Follow Bipin Giri on Google+. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.