Today we will configure a dynamic site-to-site VPN between a Juniper SRX and an SSG gateway. There are many protocols for building a VPN; here we will use IPsec, which is considered a secure protocol. In our configuration the SSG has a static public IP address, while the SRX gets a dynamic IP address from its ISP (which may be a public or a private address). The diagram below shows the devices and their IP addresses.
Dynamic site to site VPN in Juniper SRX and SSG
SRX 210
Set the IP addresses on the SRX device for the private and tunnel networks. The public interface ge-0/0/0 gets a dynamic IP from the ISP, typically via a PPPoE or ADSL connection.
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family inet address 192.168.4.1/24
set interfaces st0 unit 0 family inet address 192.168.10.1/24
The first command sets ge-0/0/0 to obtain its dynamic IP from the ISP. After configuring the interface addresses, configure the routing options on the SRX device.
set routing-options static route 192.168.100.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop ge-0/0/0
Then configure the security zones, their interfaces and the allowed inbound traffic.
Let’s now configure the phase 1 IKE settings.
set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal authentication-algorithm sha1
set security ike proposal P1proposal lifetime-seconds 86400
set security ike policy P1policy mode aggressive
set security ike policy P1policy proposals P1proposal
set security ike policy P1policy pre-shared-key ascii-text "p@ssword"
set security ike gateway P1gateway ike-policy P1policy
set security ike gateway P1gateway address 2.2.2.2
set security ike gateway P1gateway dead-peer-detection interval 10
set security ike gateway P1gateway dead-peer-detection threshold 3
set security ike gateway P1gateway local-identity user-at-hostname "bipin@mustbegeek.com"
set security ike gateway P1gateway external-interface ge-0/0/0
After configuring phase 1 IKE, now configure the phase 2 (IPsec) settings.
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
set security ipsec policy P2policy perfect-forward-secrecy keys group2
set security ipsec policy P2policy proposals P2proposal
set security ipsec vpn site1-to-site2-vpn bind-interface st0.0
set security ipsec vpn site1-to-site2-vpn ike gateway P1gateway
set security ipsec vpn site1-to-site2-vpn ike ipsec-policy P2policy
set security ipsec vpn site1-to-site2-vpn establish-tunnels immediately
Now create security policies to allow traffic from site1 to site2 and vice versa.
set security policies from-zone trust to-zone untrust policy allowALL match source-address any
set security policies from-zone trust to-zone untrust policy allowALL match destination-address any
set security policies from-zone trust to-zone untrust policy allowALL match application any
set security policies from-zone trust to-zone untrust policy allowALL then permit
set security policies from-zone untrust to-zone trust policy fromInternet match source-address any
set security policies from-zone untrust to-zone trust policy fromInternet match destination-address any
set security policies from-zone untrust to-zone trust policy fromInternet match application any
set security policies from-zone untrust to-zone trust policy fromInternet then permit
Note: make sure that you have allowed both the remote network 192.168.100.1/24 and the 192.168.10.0/24 tunnel network for incoming traffic on the home network.
SSG 20
First of all, log in to the SSG web management via a web browser. Configure the IP addresses on the corresponding interfaces as we did on the SRX. After logging in to the SSG20, expand Network, then expand Interfaces and select List. In this figure you can click the Edit button on the right and configure the IP addresses.
In the same window, at the top right, select Tunnel IP in the drop-down menu and click New. This creates a new tunnel interface for the VPN connection, similar to the st0.0 tunnel interface on the SRX. After clicking New, the following page appears.
Now make the above changes, leave the other settings at their defaults and click OK. The interface setup is now complete.
We now begin the VPN configuration by defining the phase 1 and phase 2 options. Expand the VPNs tab, then expand AutoKey Advanced. Select P1 Proposal. In the main window, click the New button at the top right of the page. This is similar to creating the phase 1 proposal on the SRX. The following page appears after clicking New.
Make the above changes and click OK. Make sure that the phase 1 proposal here and the proposal we configured on the SRX are the same.
Similarly, select P2 Proposal in the left navigation pane and click the New button in the main window. The following page appears. This is similar to the phase 2 proposal we configured on the SRX; remember that the configuration must be the same on both sides.
After making the above changes, click OK. Now select Gateway in the left pane and click the New button in the main window. The following page appears.
We are configuring a dynamic VPN, so select the Dynamic IP Address option and enter the Peer ID of the remote gateway, i.e. bipin@mustbegeek.com. Now, instead of clicking OK, click the Advanced button. You will see the following options.
Since we are configuring IKEv1, leave the IKEv2 Auth Method at the top of the page as it is. Type the preshared key, p@ssword (it must be the same as on the SRX). Under Security Level, click Custom and select P1proposal from the drop-down. Select the DPD button under Peer Status Detection and enter the values for Interval and Retry. After setting all the parameters, click Return and then OK. Our gateway is now configured. Next, click the AutoKey IKE tab under VPNs and click the New button in the main window. The following page appears.
Type the name of the VPN as site-to-site-VPN. Then select the Predefined button and select P1gateway from the drop-down. Now click the Advanced button below. This brings up the following page.
Here select the phase 2 proposal from the drop-down. Similarly, select Bind to Tunnel Interface, choose tunnel.1 and click Return. Now click OK.
Now configure the security policy options to allow the remote network into the local network and vice versa. When creating the policy, make sure that you allow both the remote internal network (192.168.4.0/24) and the tunnel network (192.168.10.0/24) into the current home network.
Finally, configure the routing options on the SSG. The following figure shows just that.
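Both the SRX and SSG sections stress that the phase 1 and phase 2 proposals must match on the two peers. As an added example (not part of the original article and not Juniper code), the Python script below parses the SRX "set security ... proposal" lines shown above, compares them with the values typed into the SSG pages (constructed here as a dict, with one deliberate mismatch) and lists the parameters that differ or that are weak by current standards. The SSG values and the weak-algorithm list are assumptions.

```python
import re
# SRX side: the 'set security ... proposal' lines from the article's configuration.
SRX_CONFIG = """
set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal authentication-algorithm sha1
set security ike proposal P1proposal lifetime-seconds 86400
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
"""
# SSG side as typed into the WebUI (constructed, keyed by the Junos parameter
# names); the ipsec encryption value is deliberately wrong to show a mismatch.
SSG_PROPOSALS = {
    "ike": {"authentication-method": "pre-shared-keys", "dh-group": "group2",
            "encryption-algorithm": "des-cbc", "authentication-algorithm": "sha1",
            "lifetime-seconds": "86400"},
    "ipsec": {"protocol": "esp", "authentication-algorithm": "hmac-sha1-96",
              "encryption-algorithm": "3des-cbc", "lifetime-seconds": "36000"},
}
# Values a reviewer would flag on a new tunnel (assumption, not from the article).
WEAK = {"des-cbc", "3des-cbc", "md5", "sha1", "hmac-md5-96", "hmac-sha1-96",
        "group1", "group2"}
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")

def parse_proposals(config):
    """Return {'ike': {name: {param: value}}, 'ipsec': {...}} from set lines."""
    out = {"ike": {}, "ipsec": {}}
    for line in config.strip().splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:
            phase, name, param, value = m.groups()
            out[phase].setdefault(name, {})[param] = value
    return out

def compare(srx, ssg):
    """Parameters whose values differ between the peers; any entry means that phase fails."""
    return [f"{p}: SRX={srx.get(p)} SSG={v}" for p, v in ssg.items() if srx.get(p) != v]

def weak_parameters(proposal):
    """Sorted list of a proposal's values that are on the weak list."""
    return sorted(v for v in proposal.values() if v in WEAK)

if __name__ == "__main__":
    srx = parse_proposals(SRX_CONFIG)
    for ph, nm in (("ike", "P1proposal"), ("ipsec", "P2proposal")):
        print(ph, compare(srx[ph][nm], SSG_PROPOSALS[ph]), weak_parameters(srx[ph][nm]))
```

Running it reports no phase 1 mismatch, one phase 2 mismatch on encryption-algorithm, and flags des-cbc, group2 and sha1 (phase 1) and des-cbc and hmac-sha1-96 (phase 2) as weak.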