A static site-to-site VPN differs from a dynamic site-to-site VPN. The basic requirement for a static site-to-site VPN is a static public IP address at both ends. A VPN between two different platforms can be difficult to set up. Here, I will show a static site-to-site VPN between a Juniper SRX and a Juniper SSG.
Static Site to Site VPN in Juniper SRX and SSG
The diagram below shows two sites, site 1 and site 2, each with a static IP address configured.
Configure VPN in Juniper SRX
Let's configure the SRX device first. Set the IP addresses on the SRX for the public, private and tunnel interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1
set interfaces ge-0/0/1 unit 0 family inet address 192.168.4.1/24
set interfaces st0 unit 0 family inet address 192.168.10.1/24

Note that the public address above is given without a prefix length; Junos then treats it as a /32, so add the prefix length of your public subnet, otherwise the next-hop 1.1.1.2 used below is not on a connected network and the default route will not resolve. Configure the routing options:

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2 [Gateway IP Address]
set routing-options static route 192.168.100.0/24 next-hop st0.0

Then configure the security zones, their interfaces and the permitted inbound traffic:

set security zones security-zone untrust tcp-rst
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0

For a production deployment, replace "all" on the untrust zone with just "ike" (plus any management services you actually need), since "all" exposes every system service on the public interface. Let's now configure the phase 1 IKE settings.
set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal lifetime-seconds 86400
set security ike policy P1policy mode main
set security ike policy P1policy proposals P1proposal
set security ike policy P1policy pre-shared-key ascii-text "p@ssword"
set security ike gateway P1gateway ike-policy P1policy
set security ike gateway P1gateway address 2.2.2.2
set security ike gateway P1gateway dead-peer-detection interval 10
set security ike gateway P1gateway dead-peer-detection threshold 3
set security ike gateway P1gateway external-interface ge-0/0/0

After configuring phase 1 IKE, configure the phase 2 IPsec settings.

set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec proposal P2proposal lifetime-seconds 36000
set security ipsec policy P2policy perfect-forward-secrecy keys group2
set security ipsec policy P2policy proposals P2proposal
set security ipsec vpn site1-to-site2 bind-interface st0.0
set security ipsec vpn site1-to-site2 ike gateway P1gateway
set security ipsec vpn site1-to-site2 ike ipsec-policy P2policy
set security ipsec vpn site1-to-site2 establish-tunnels immediately

The des-cbc, hmac-sha1-96 and group2 choices are kept here because they are what is configured on both ends in this post; on current code, prefer aes-256-cbc with dh-group group14 in the IKE proposal and aes-256-cbc with hmac-sha-256-128 in the IPsec proposal, and change the SSG proposals to match. Now create security policies to allow traffic from site 1 to site 2 and vice versa.
set security policies from-zone trust to-zone untrust policy allowALL match source-address any
set security policies from-zone trust to-zone untrust policy allowALL match destination-address any
set security policies from-zone trust to-zone untrust policy allowALL match application any
set security policies from-zone trust to-zone untrust policy allowALL then permit
set security policies from-zone untrust to-zone trust policy fromInternet match source-address any
set security policies from-zone untrust to-zone trust policy fromInternet match destination-address any
set security policies from-zone untrust to-zone trust policy fromInternet match application any
set security policies from-zone untrust to-zone trust policy fromInternet then permit

Note: make sure that you have allowed both the remote network 192.168.100.0/24 and the tunnel network 192.168.10.0/24 for incoming traffic on the home network. Because st0.0 and ge-0/0/0.0 are both in the untrust zone, the fromInternet policy as written also permits arbitrary Internet sources into trust, not only tunnel traffic; restrict its source-address to those two remote networks (via address-book entries) or place st0.0 in a dedicated zone with its own policies.
Configure VPN in Juniper SSG 20
The configuration for the SRX 210 is finished. Now, let's move on to the SSG20.
First of all, log in to the SSG web management interface via a web browser. Configure the IP addresses on the corresponding interfaces as we did on the SRX. After logging in to the SSG20, expand Network, then Interfaces, and select List. In this list you can click the Edit button on the right and configure the IP addresses.
In the same window, at the top right, select Tunnel IP in the drop-down menu and click New. This creates a new tunnel interface for the VPN connection, the counterpart of the st0.0 tunnel interface on the SRX. After clicking New, the following page appears.
Now make the above changes, leave the others at their defaults and click OK. We have now finished setting up the interfaces.
We now begin the VPN configuration by defining the phase 1 and phase 2 options. Expand the VPNs tab, then expand AutoKey Advanced and select P1 Proposal. In the main window, click the New button at the top right of the page. This is the counterpart of creating the phase 1 proposal on the SRX. The following page appears after clicking New.
Make the above changes and click OK. Make sure that the phase 1 proposal here and the proposal we configured on the SRX are the same.
Similarly, select P2 Proposal in the left navigation pane and click New in the main window. The following page appears. This is the counterpart of the phase 2 proposal we configured on the SRX; remember that the settings must be the same on both sides.
After making the above changes, click OK. Now select Gateway in the left pane and click New in the main window. The following page appears.
Since we are configuring a static VPN, select the Static option and enter the IP address of the remote gateway, i.e. the public IP address of the site 1 SRX. Now, instead of clicking OK, click the Advanced button. You will see the following options.
We are configuring IKEv1, so leave the IKE2 Auth Method at the top of the page as it is. Type the pre-shared key, which is p@ssword (the same as on the SRX). Under Security Level, click Custom and select P1proposal from the drop-down. Select the DPD option under Peer Status Detection and enter the values for Interval and Retry (matching the interval 10 and threshold 3 set on the SRX). After setting all the parameters, click Return and then OK. Our gateway is now configured. Next, click AutoKey IKE under the VPNs tab and click New in the main window. The following page appears.
Type the name of the VPN as site-to-site-VPN. Then select the Predefined option and choose P1gateway from the drop-down. Now click the Advanced button below, which opens the following page.
Here, select the phase 2 proposal from the drop-down. Likewise, tick Bind to Tunnel Interface, select tunnel.1 and click Return. Now click OK.
Now configure the security policy options to allow the remote network into the local network and vice versa. When creating the policy, make sure you allow both the remote internal network (192.168.4.0/24) and the tunnel network (192.168.10.0/24) into the current home network.
Configure Route
Lastly, let's configure the route: a static route for the SRX side's internal network (192.168.4.0/24) through tunnel.1, mirroring the st0.0 route we set on the SRX.
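The SSG side expressed as ScreenOS CLI, added here as an example of the same settings the GUI steps above produce; it is not from the original post. It assumes ethernet0/0 is the Untrust interface holding 2.2.2.2 (with 2.2.2.1 as its upstream gateway), bgroup0 is the Trust interface holding 192.168.100.1/24, and the SSG end of the tunnel is 192.168.10.2/24; the policies use address objects for the two remote networks rather than Any.

```text
# Added example (not from the original post): ScreenOS CLI equivalent of the SSG20 GUI steps.
# Assumed: ethernet0/0 = Untrust/public (2.2.2.2, gateway 2.2.2.1), bgroup0 = Trust/private
# (192.168.100.1/24), tunnel.1 = SSG end of the tunnel network (192.168.10.2/24).
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 2.2.2.2/24
set interface bgroup0 zone Trust
set interface bgroup0 ip 192.168.100.1/24
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip 192.168.10.2/24
# Default route out the public interface, and the SRX side's LAN via the tunnel (mirror of the st0.0 route).
set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1
set route 192.168.4.0/24 interface tunnel.1

# Phase 1: must match the SRX P1proposal (pre-shared key, DH group 2, DES, SHA-1, 86400 s).
set ike p1-proposal "P1proposal" preshare group2 esp des sha-1 second 86400
# Static peer = the SRX public address; main mode; same pre-shared key as on the SRX.
set ike gateway "P1gateway" address 1.1.1.1 Main outgoing-interface "ethernet0/0" preshare "p@ssword" proposal "P1proposal"
# DPD values matching the SRX (interval 10, threshold 3).
set ike gateway "P1gateway" dpd interval 10
set ike gateway "P1gateway" dpd retry 3

# Phase 2: must match the SRX P2proposal (ESP, DES, HMAC-SHA1, PFS group 2, 36000 s).
set ike p2-proposal "P2proposal" group2 esp des sha-1 second 36000
set vpn "site-to-site-VPN" gateway "P1gateway" no-replay tunnel idletime 0 proposal "P2proposal"
# Route-based VPN: bind to tunnel.1, the counterpart of bind-interface st0.0 on the SRX.
set vpn "site-to-site-VPN" bind interface tunnel.1
# Keep the tunnel up, roughly the SSG counterpart of establish-tunnels immediately on the SRX.
set vpn "site-to-site-VPN" monitor

# Policies: permit only the SRX side's LAN and the tunnel network, not Any/Any.
set address "Trust" "site2-lan" 192.168.100.0 255.255.255.0
set address "Untrust" "site1-lan" 192.168.4.0 255.255.255.0
set address "Untrust" "site1-tunnel" 192.168.10.0 255.255.255.0
set policy id 1 from "Trust" to "Untrust" "site2-lan" "site1-lan" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "site1-lan" "site2-lan" "ANY" permit
set policy id 3 from "Untrust" to "Trust" "site1-tunnel" "site2-lan" "ANY" permit
save
```

Once both sides are committed, "show security ike security-associations" and "show security ipsec security-associations" on the SRX, and "get ike cookie" and "get sa" on the SSG, confirm that phase 1 and phase 2 are up.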