Static Site to Site VPN in Juniper SRX and SSG


A static site-to-site VPN is different from a dynamic site-to-site VPN: the basic requirement for a static site-to-site VPN is a static public IP address at both ends. A VPN between two different platforms can be difficult to get right. Here, I will show a static site-to-site VPN between a Juniper SRX and a Juniper SSG.


The diagram below shows two sites, site 1 and site 2 with static IP addresses configured.

[Figure: network diagram of site 1 and site 2 with their static IP addresses]

Configure VPN in Juniper SRX

Let's configure the SRX device first. Set the IP addresses on the SRX for the public, private and tunnel interfaces.

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30 [prefix length not given in the original; /30 assumed so that the gateway 1.1.1.2 is directly connected]
set interfaces ge-0/0/1 unit 0 family inet address 192.168.4.1/24
set interfaces st0 unit 0 family inet address 192.168.10.1/24
 
Configure the routing options (a default route to the ISP gateway, and the remote site's network via the tunnel interface):
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2 [Gateway IP Address]
set routing-options static route 192.168.100.0/24 next-hop st0.0
 
Then configure the security zones, their interfaces and the host-inbound traffic:
set security zones security-zone untrust tcp-rst
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
 
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0

Let's now configure the phase 1 IKE settings.

set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal lifetime-seconds 86400
 
set security ike policy P1policy mode main
set security ike policy P1policy proposals P1proposal
set security ike policy P1policy pre-shared-key ascii-text "p@ssword"
 
set security ike gateway P1gateway ike-policy P1policy
set security ike gateway P1gateway address 2.2.2.2
set security ike gateway P1gateway dead-peer-detection interval 10
set security ike gateway P1gateway dead-peer-detection threshold 3
set security ike gateway P1gateway external-interface ge-0/0/0
 
After configuring phase 1 IKE, configure the phase 2 (IPsec) settings.
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
 
set security ipsec policy P2policy perfect-forward-secrecy keys group2
set security ipsec policy P2policy proposals P2proposal
 
set security ipsec vpn site1-to-site2 bind-interface st0.0
set security ipsec vpn site1-to-site2 ike gateway P1gateway
set security ipsec vpn site1-to-site2 ike ipsec-policy P2policy
set security ipsec vpn site1-to-site2 establish-tunnels immediately
 
Now create security policies to allow traffic from site 1 to site 2 and vice versa.
set security policies from-zone trust to-zone untrust policy allowALL match source-address any
set security policies from-zone trust to-zone untrust policy allowALL match destination-address any
set security policies from-zone trust to-zone untrust policy allowALL match application any
set security policies from-zone trust to-zone untrust policy allowALL then permit
 
set security policies from-zone untrust to-zone trust policy fromInternet match source-address any
set security policies from-zone untrust to-zone trust policy fromInternet match destination-address any
set security policies from-zone untrust to-zone trust policy fromInternet match application any
set security policies from-zone untrust to-zone trust policy fromInternet then permit

Note: Make sure that you have allowed both the remote network 192.168.100.0/24 and the tunnel network 192.168.10.0/24 as incoming traffic on the home network.

Configure VPN in Juniper SSG 20

The configuration for the SRX 210 is finished. Now let's move to the SSG20.

First of all, log in to the SSG web management interface in a browser. Configure the IP addresses on the corresponding interfaces as we did on the SRX. After logging in to the SSG20, expand Network, then expand Interfaces and select List. In this list you can click the Edit button on the right and configure the IP addresses.

In the same window, at the top right, select Tunnel IF in the drop-down menu and click New. This creates a new tunnel interface for the VPN connection, the equivalent of the st0.0 tunnel interface on the SRX. After clicking New the following page appears.

[Screenshot: tunnel interface settings]

Now make the changes shown above, leave the other settings at their defaults and click OK. By now we have finished setting up the interfaces.

We now begin the VPN configuration by defining the phase 1 and phase 2 options. Expand the VPNs tab and then expand the AutoKey Advanced tab. Select P1 Proposal. In the main window, click the New button at the top right of the page. This is the equivalent of creating the phase 1 proposal on the SRX. The following page appears after clicking New.

[Screenshot: phase 1 proposal settings]

Make the above changes and click OK. Make sure that the phase 1 proposal here and the proposal we configured on the SRX are the same.

Similarly, select P2 Proposal in the left navigation pane and click the New button in the main window. The following page appears. This is the equivalent of the phase 2 proposal we configured on the SRX. Remember that the configuration must be the same on both sides.

[Screenshot: phase 2 proposal settings]

After making the above changes, click OK. Now select Gateway in the left pane and click the New button in the main window. The following page appears:

Phase 1 Gateway

Since we are configuring a static VPN, select the Static option and enter the IP address of the remote gateway, i.e. the public IP address of the site 1 SRX. Now, instead of clicking OK, click the Advanced button. You will see the following options.

Configuring IPSec Phase 1 Gateway Advanced Options

We are configuring IKEv1, so leave the IKEv2 Auth Method at the top of the page as it is. Type the pre-shared key, which is p@ssword (the same as on the SRX). Under Security Level click Custom and select P1proposal from the drop-down. Select the DPD button under Peer Status Detection and enter the values for Interval and Retry. After setting all the parameters click Return and then click OK. Our gateway is now configured. Now click the AutoKey IKE tab under the VPNs tab and click the New button in the main window. The following page appears:

AutoKey IKE Options

Type the name of the VPN as site-to-site-VPN. Then select the Predefined button and select P1gateway from the drop-down. Now click the Advanced button below, which brings up the following page:

IPSec AutoKey IKE Advanced Options

Here select the phase 2 proposal from the drop-down. Similarly, select Bind to Tunnel Interface, choose tunnel.1 and click Return. Now click OK.
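Both phase 1 and phase 2 proposals must match on the two boxes, and the SSG side is typed into a GUI, so mismatches are easy to introduce. The following added check (not part of the original article) parses the SRX set commands shown above and compares them with the values entered on the SSG; the SSG values and the deliberate lifetime typo are constructed for the example, and the weak-algorithm list is my own.

```python
import re

# Junos set commands for the SRX proposals, copied from the configuration above.
SRX_CONFIG = """
set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal lifetime-seconds 86400
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
"""

# Values as entered in the SSG GUI (constructed; the phase 2 lifetime carries a typo).
SSG_SETTINGS = {
    "P1proposal": {"authentication-method": "pre-shared-keys", "dh-group": "group2",
                   "encryption-algorithm": "des-cbc", "lifetime-seconds": "86400"},
    "P2proposal": {"protocol": "esp", "authentication-algorithm": "hmac-sha1-96",
                   "encryption-algorithm": "des-cbc", "lifetime-seconds": "3600"},
}

# Algorithms that both platforms still negotiate but that no longer offer real protection.
WEAK = {"des-cbc", "3des-cbc", "md5", "hmac-md5-96", "group1", "group2"}

PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")

def parse_srx_proposals(config: str) -> dict:
    """Return {proposal_name: {attribute: value}} from Junos set commands."""
    proposals = {}
    for line in config.strip().splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:
            _, name, attr, value = m.groups()
            proposals.setdefault(name, {})[attr] = value
    return proposals

def compare_proposals(srx: dict, ssg: dict) -> list:
    """List findings: per-attribute mismatches between the peers and weak algorithm choices."""
    findings = []
    for name, attrs in srx.items():
        peer = ssg.get(name)
        if peer is None:
            findings.append(f"{name}: not configured on SSG")
            continue
        for attr, value in attrs.items():
            if peer.get(attr) != value:
                findings.append(f"{name}/{attr}: SRX={value} SSG={peer.get(attr)}")
            if value in WEAK:
                findings.append(f"{name}/{attr}: {value} is a weak algorithm")
    return findings

if __name__ == "__main__":
    for finding in compare_proposals(parse_srx_proposals(SRX_CONFIG), SSG_SETTINGS):
        print(finding)
```

Run against the article's own proposals, the check reports the phase 2 lifetime mismatch and flags des-cbc and DH group 2 on both proposals.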

Now configure the security policies to allow the remote network into the local network and vice versa. When creating the policies, make sure that you allow both the remote internal network (192.168.4.0/24) and the tunnel network (192.168.10.0/24) into the current home network.

Configure Route

Lastly, let's configure the route:

Configure Route in SSG


Bipin is a freelance Network and System Engineer with expertise in Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Follow Bipin Giri on Google+. Bipin enjoys writing articles and tutorials related to network technologies. Some of his certifications are MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.