
Example: Configuring a Single SRX Series Device in a Branch Office

02-Aug-23

This example provides a step-by-step procedure for configuring, and commands for verifying, a chassis cluster on a single SRX Series device in a branch office.

Requirements

This example uses the following hardware and software components:

  • SRX240 Services Gateways

  • Junos OS Release 12.1 or later

Note:

This configuration example has been tested using the software release listed and is assumed to work on all later releases.

Overview

To implement a link-level high availability deployment, each branch office requires two WAN connections and two IPsec virtual private network (VPN) tunnels to each data center. Traffic is load-balanced across each pair of tunnels: whenever traffic is directed to a given data center, sessions are distributed round-robin across the IPsec tunnels going to that data center. Each tunnel in turn uses a different egress link, so VPN traffic is balanced across the upstream links.

Topology

Figure 1 shows a link-level redundancy configuration with a connection to a data center. Even though multiple data centers might be used, the configuration is identical from the branch high-availability perspective; only the IPsec tunnel configurations and their route settings change. For simplicity, only the IPsec configuration to one of the data centers is shown, as a sample configuration for setting up redundant IPsec VPN tunnels on an SRX Series device.

Figure 1: Link-Level Redundant WAN Connectivity Architecture

Figure 2 shows the zone configuration. The VPN tunnels are placed in a separate zone named VPN. Keep this in mind when designing security policies: the tunnels must be in their own zone because traffic to the data centers (or other branches) exits through it.

Figure 2: Security Zones On An SRX Series Device

Configuration

Configuring Redundant IPsec VPN Tunnels on an SRX Series Device

Step-by-Step Procedure

To configure redundant IPsec VPN tunnels:

  1. Specify global VPN settings.

    [edit]
    user@host# set security ipsec vpn-monitor-options interval 5
    user@host# set security ipsec vpn-monitor-options threshold 5
    
  2. Configure the IKE policy for main mode, predefined standard proposal set, and preshared key.

    [edit]
    user@host# set security ike policy preShared mode main
    user@host# set security ike policy preShared proposal-set standard
    user@host# set security ike policy preShared pre-shared-key ascii-text "$9$5Q69tuORcypuxNVwg469CA1RvWL"
    user@host# set security ike policy preShared_2 mode main
    user@host# set security ike policy preShared_2 proposal-set standard
    user@host# set security ike policy preShared_2 pre-shared-key ascii-text "$9$-9V24JGDkmfZGCt0BEh24oaikFn/"
    
  3. Configure the IKE gateways with a peer IP address, an IKE policy, and an outgoing interface.

    [edit]
    user@host# set security ike gateway DCA_1 ike-policy preShared
    user@host# set security ike gateway DCA_1 address 4.4.4.2
    user@host# set security ike gateway DCA_1 external-interface ge-0/0/4.0
    user@host# set security ike gateway DCA_2 ike-policy preShared_2
    user@host# set security ike gateway DCA_2 address 5.5.5.2
    user@host# set security ike gateway DCA_2 external-interface ge-0/0/5.0
    
  4. Configure the IPsec policy and the binding for tunnel interface st0.0.

    In this example, use the standard proposal set. However, you can create a unique proposal and then specify it in the IPsec policy, if needed.

    [edit]
    user@host# set security ipsec policy std proposal-set standard
    user@host# set security ipsec vpn DCA_1 bind-interface st0.0
    user@host# set security ipsec vpn DCA_1 vpn-monitor optimized
    user@host# set security ipsec vpn DCA_1 ike gateway DCA_1
    user@host# set security ipsec vpn DCA_1 ike no-anti-replay
    user@host# set security ipsec vpn DCA_1 ike proxy-identity local 0.0.0.0/0
    user@host# set security ipsec vpn DCA_1 ike proxy-identity remote 0.0.0.0/0
    user@host# set security ipsec vpn DCA_1 ike proxy-identity service any
    user@host# set security ipsec vpn DCA_1 ike ipsec-policy std
    user@host# set security ipsec vpn DCA_1 establish-tunnels immediately
    
  5. Configure the binding for tunnel interface st0.1.

    [edit]
    user@host# set security ipsec vpn DCA_2 bind-interface st0.1
    user@host# set security ipsec vpn DCA_2 vpn-monitor optimized
    user@host# set security ipsec vpn DCA_2 ike gateway DCA_2
    user@host# set security ipsec vpn DCA_2 ike no-anti-replay
    user@host# set security ipsec vpn DCA_2 ike proxy-identity local 0.0.0.0/0
    user@host# set security ipsec vpn DCA_2 ike proxy-identity remote 0.0.0.0/0
    user@host# set security ipsec vpn DCA_2 ike proxy-identity service any
    user@host# set security ipsec vpn DCA_2 ike ipsec-policy std
    user@host# set security ipsec vpn DCA_2 establish-tunnels immediately
    
  6. Configure both st0.0 and st0.1 as multipoint interfaces.

    [edit]
    user@host# set interfaces st0 unit 0 multipoint
    user@host# set interfaces st0 unit 0 family inet mtu 1500
    user@host# set interfaces st0 unit 0 family inet address 10.255.1.5/24
    user@host# set interfaces st0 unit 1 multipoint
    user@host# set interfaces st0 unit 1 family inet mtu 1500
    user@host# set interfaces st0 unit 1 family inet address 10.255.2.5/24
    
  7. Configure the static routes through both tunnel interfaces and enable per-packet load balancing.

    [edit]
    user@host# set routing-options static route 0.0.0.0/0 next-hop 10.204.115.254
    user@host# set routing-options static route 172.16.0.0/24 next-hop 10.255.1.254
    user@host# set routing-options static route 172.16.0.0/24 next-hop 10.255.2.254
    user@host# set routing-options forwarding-table export load-balancing-policy
    user@host# set policy-options policy-statement load-balancing-policy then load-balance per-packet
    
  8. Configure the management zone.

    [edit]
    user@host# set security zones functional-zone management interfaces ge-0/0/2.0
    user@host# set security zones functional-zone management host-inbound-traffic system-services all
    user@host# set security zones functional-zone management host-inbound-traffic protocols all
    
  9. Configure the trust zone.

    [edit]
    user@host# set security zones security-zone trust address-book address 0.0.0.0/0 0.0.0.0/0
    user@host# set security zones security-zone trust host-inbound-traffic system-services any-service
    user@host# set security zones security-zone trust host-inbound-traffic protocols all
    
  10. Configure the untrust zone.

    [edit]
    user@host# set security zones security-zone untrust host-inbound-traffic system-services all
    user@host# set security zones security-zone untrust host-inbound-traffic protocols all
    user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services any-service
    user@host# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
    user@host# set security zones security-zone untrust interfaces lo0.0
    user@host# set security zones security-zone untrust interfaces ge-0/0/1.0
    user@host# set security zones security-zone untrust interfaces ge-0/0/4.0
    user@host# set security zones security-zone untrust interfaces ge-0/0/5.0
    
  11. Configure the VPN zone by assigning the tunnel interfaces and host-inbound services.

    [edit]
    user@host# set security zones security-zone VPN host-inbound-traffic system-services all
    user@host# set security zones security-zone VPN host-inbound-traffic protocols all
    user@host# set security zones security-zone VPN interfaces st0.0
    user@host# set security zones security-zone VPN interfaces st0.1
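
The procedure above is a list of set commands; the following added Python example (not part of the Juniper page) audits a set-style configuration for the property this design depends on, each tunnel on its own egress interface and its own st0 unit, and flags settings a reviewer should question, such as no-anti-replay and host-inbound-traffic system-services all. The sample configuration is a constructed subset of the commands in steps 3 to 11.

```python
from collections import defaultdict

# Constructed sample: the redundancy-relevant "set" commands from the procedure above.
SAMPLE_CONFIG = """
set security ike gateway DCA_1 address 4.4.4.2
set security ike gateway DCA_1 external-interface ge-0/0/4.0
set security ike gateway DCA_2 address 5.5.5.2
set security ike gateway DCA_2 external-interface ge-0/0/5.0
set security ipsec vpn DCA_1 bind-interface st0.0
set security ipsec vpn DCA_1 vpn-monitor optimized
set security ipsec vpn DCA_1 ike gateway DCA_1
set security ipsec vpn DCA_1 ike no-anti-replay
set security ipsec vpn DCA_2 bind-interface st0.1
set security ipsec vpn DCA_2 vpn-monitor optimized
set security ipsec vpn DCA_2 ike gateway DCA_2
set security ipsec vpn DCA_2 ike no-anti-replay
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic system-services all
"""

def parse_set_commands(text):
    """Reduce set-style config to gateways[name], vpns[name] and zones[name] leaf settings."""
    gateways, vpns, zones = defaultdict(dict), defaultdict(dict), defaultdict(set)
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:4] == ["set", "security", "ike", "gateway"] and len(tok) > 6:
            gateways[tok[4]][tok[5]] = tok[6]
        elif tok[:4] == ["set", "security", "ipsec", "vpn"]:
            leaf = tok[6:] if tok[5] == "ike" else tok[5:]   # drop the "ike" container
            if leaf:   # flag-style leaves (no-anti-replay) have no value, store True
                vpns[tok[4]][leaf[0]] = leaf[1] if len(leaf) > 1 else True
        elif tok[:4] == ["set", "security", "zones", "security-zone"] and "system-services" in tok:
            zones[tok[4]].add(tok[-1])
    return gateways, vpns, zones

def audit(gateways, vpns, zones):
    """Return findings: the redundancy property first, then settings to question."""
    findings = []
    egress = [gateways.get(v.get("gateway"), {}).get("external-interface") for v in vpns.values()]
    if len(set(egress)) != len(egress):
        findings.append("REDUNDANCY: tunnels do not each use a distinct egress interface")
    bound = [v.get("bind-interface") for v in vpns.values()]
    if len(set(bound)) != len(bound):
        findings.append("REDUNDANCY: tunnels do not each bind a distinct st0 unit")
    for name, v in vpns.items():
        if "vpn-monitor" not in v:
            findings.append(f"{name}: no vpn-monitor, tunnel liveness is not checked")
        if v.get("no-anti-replay"):
            findings.append(f"{name}: no-anti-replay disables IPsec replay protection")
    for zone, services in sorted(zones.items()):
        if services & {"all", "any-service"}:
            findings.append(f"zone {zone}: host-inbound-traffic system-services opens every service")
    return findings

if __name__ == "__main__":
    for finding in audit(*parse_set_commands(SAMPLE_CONFIG)):
        print(finding)
```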
    

Results

From operational mode, confirm your configuration by entering the show configuration | no-more command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host>show configuration | no-more

## Last commit: 2013-05-28 20:10:49 UTC by root
version 12.1R5.5;
system {
    root-authentication {
        encrypted-password "$1$ltXYoZky$Gg3OHOmBGCBKwPET6ijPw0"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    services {
        web-management {
            http;
        }
    }
    syslog {
        file default-message {
            any any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.204.115.166/24;
                address 30.30.30.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.99.1/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 20.20.20.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 4.4.4.1/30;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 5.5.5.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            multipoint;
            family inet {
                mtu 1500;
                address 10.255.1.5/24;
            }
        }
        unit 1 {
            multipoint;
            family inet {
                mtu 1500;
                address 10.255.2.5/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.204.115.254;
        route 172.16.0.0/24 next-hop [ 10.255.1.254 10.255.2.254 ];
    }
    forwarding-table {
        export load-balancing-policy;
    }
}
policy-options {
    policy-statement load-balancing-policy {
        then {
            load-balance per-packet;
        }
    }
}
security {
    ike {
        policy preShared {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$5Q69tuORcypuxNVwg469CA1RvWL"; ## SECRET-DATA
        }
        policy preShared_2 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$-9V24JGDkmfZGCt0BEh24oaikFn/"; ## SECRET-DATA
        }
        gateway DCA_1 {
            ike-policy preShared;
            address 4.4.4.2;
            external-interface ge-0/0/4.0;
        }
        gateway DCA_2 {
            ike-policy preShared_2;
            address 5.5.5.2;
            external-interface ge-0/0/5.0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 5;
            threshold 5;
        }
        policy std {
            proposal-set standard;
        }
        vpn DCA_1 {
            bind-interface st0.0;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway DCA_1;
                no-anti-replay;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy std;
            }
            establish-tunnels immediately;
        }
        vpn DCA_2 {
            bind-interface st0.1;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway DCA_2;
                no-anti-replay;
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy std;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/2.0;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                lo0.0;
                ge-0/0/1.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
            }
        }
        security-zone trust {
            address-book {
                address 0.0.0.0/0 0.0.0.0/0;
            }
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
        }
        security-zone VPN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
}

Verification

Confirm that the configuration is working properly.

Verifying the Tunnel Interfaces

Purpose

Verify that the tunnel interfaces configuration is working properly.

Action

From operational mode, enter the show interfaces terse | match st command.

user@host>show interfaces terse | match st

st0                     up    up
st0.0                   up    up   inet     10.255.1.5/24
st0.1                   up    up   inet     10.255.2.5/24

Meaning

The show interfaces terse | match st command displays the status of the tunnel interfaces.

Verifying the IKE Status

Purpose

Verify the IKE status.

Action

From operational mode, enter the show security ike sa command.

user@host>show security ike sa

Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1898257 UP     c3cc256b779db5ec  258300201eaba783  Main           5.5.5.2
1898255 UP     ca13acf3daceb369  0921e2e7abf91a05  Main           4.4.4.2

Meaning

The show security ike sa command lists all active IKE Phase 1 SAs. If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration.

If SAs are listed, review the following information:

  • Index—This value is unique for each IKE SA; use it with the show security ike security-associations index detail command to get more information about the SA.

  • Remote Address—Verify that the remote IP address is correct.

  • State

    • UP—The Phase 1 SA has been established.

    • DOWN—There was a problem establishing the Phase 1 SA.

  • Mode—Verify that the correct mode is being used.

Verifying IPsec Security Associations

Purpose

Verify IPsec security associations.

Action

From operational mode, enter the show security ipsec sa command.

user@host>show security ipsec sa

  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:3des/sha1 3ca3386b 2492/ unlim   U   root 500   4.4.4.2
  >131073 ESP:3des/sha1 be66b350 2492/ unlim   U   root 500   4.4.4.2
  <131074 ESP:3des/sha1 84080019 2491/ unlim   U   root 500   5.5.5.2
  >131074 ESP:3des/sha1 deabdb54 2491/ unlim   U   root 500   5.5.5.2

Meaning

The output indicates that:

  • There is a configured IPsec SA pair available. Port 500 indicates that the standard IKE port is used; otherwise, NAT traversal (NAT-T) is in use, on port 4500 or a random high port.

  • A security parameter index (SPI) is shown for each direction (< inbound, > outbound). The lifetime or usage limit of the SA is expressed in seconds or in kilobytes. In the output, 2492/ unlim indicates that the Phase 2 lifetime expires in 2492 seconds and that no lifetime size is specified.

  • The ID number shows the unique index value for each IPsec SA.
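
To make the checks in this Meaning section repeatable, here is an added Python example (not from the Juniper page) that parses show security ipsec sa output in the format shown above, pairs the inbound (<) and outbound (>) SAs per tunnel ID, and reports half-established tunnels, monitor state, the IKE port (500 versus NAT-T on 4500) and the legacy 3DES cipher that the standard proposal set negotiated here. The sample output and the expected gateway list are constructed from the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "show security ipsec sa" output above.
SAMPLE_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:3des/sha1 3ca3386b 2492/ unlim   U   root 500   4.4.4.2
  >131073 ESP:3des/sha1 be66b350 2492/ unlim   U   root 500   4.4.4.2
  <131074 ESP:3des/sha1 84080019 2491/ unlim   U   root 500   5.5.5.2
  >131074 ESP:3des/sha1 deabdb54 2491/ unlim   U   root 500   5.5.5.2
"""

# One SA row: direction marker, tunnel ID, ESP algorithms, SPI, lifetime, monitor flag, vsys, port, peer.
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<sec>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+"
    r"(?P<vsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)")
LEGACY_CIPHERS = {"3des", "des"}   # negotiated by proposal-set standard here; not acceptable for new designs

def parse_ipsec_sa(text):
    """Group SA rows by tunnel ID: '<' is the inbound SA, '>' the outbound SA."""
    tunnels = defaultdict(dict)
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            tunnels[int(m["id"])][m["dir"]] = m.groupdict()
    return dict(tunnels)

def check_tunnels(tunnels, expected_gateways):
    """Return findings; an empty list means every expected tunnel is fully up and uncontroversial."""
    findings = []
    seen = {sa["gw"] for sas in tunnels.values() for sa in sas.values()}
    for gw in sorted(set(expected_gateways) - seen):
        findings.append(f"{gw}: no IPsec SA, Phase 2 never completed")
    for tid, sas in sorted(tunnels.items()):
        gw = next(iter(sas.values()))["gw"]
        for direction, label in (("<", "inbound"), (">", "outbound")):
            if direction not in sas:
                findings.append(f"{tid} ({gw}): {label} SA missing, tunnel half-established")
        if {sa["mon"] for sa in sas.values()} & {"D", "-"}:
            findings.append(f"{tid} ({gw}): vpn-monitor reports down or is not enabled")
        if any(sa["port"] == "4500" for sa in sas.values()):
            findings.append(f"{tid} ({gw}): NAT-T in use on UDP 4500")
        if any(sa["enc"] in LEGACY_CIPHERS for sa in sas.values()):
            findings.append(f"{tid} ({gw}): legacy cipher negotiated, review the IPsec proposal")
    return findings

if __name__ == "__main__":
    for finding in check_tunnels(parse_ipsec_sa(SAMPLE_OUTPUT), {"4.4.4.2", "5.5.5.2"}):
        print(finding)
```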

Verifying the Route Entries

Purpose

Verify the route entries in the routing table.

Action

From operational mode, enter the show route command.

user@host>show route

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 10w5d 22:23:53
                    > to 10.204.115.254 via ge-0/0/0.0
4.4.4.0/30         *[Direct/0] 00:18:45
                    > via ge-0/0/4.0
4.4.4.1/32         *[Local/0] 00:18:45
                      Local via ge-0/0/4.0
5.5.5.0/30         *[Direct/0] 00:18:45
                    > via ge-0/0/5.0
5.5.5.1/32         *[Local/0] 00:18:45
                      Local via ge-0/0/5.0
10.10.99.1/32      *[Local/0] 10w5d 22:24:03
                      Reject
10.204.115.0/24    *[Direct/0] 10w5d 22:23:53
                    > via ge-0/0/0.0
10.204.115.166/32  *[Local/0] 10w5d 22:24:04
                      Local via ge-0/0/0.0
10.255.1.0/24      *[Direct/0] 00:18:40
                    > via st0.0
10.255.1.5/32      *[Local/0] 4d 02:50:20
                      Local via st0.0   
10.255.2.0/24      *[Direct/0] 00:18:40
                    > via st0.1
10.255.2.5/32      *[Local/0] 4d 02:50:20
                      Local via st0.1
20.20.20.0/24      *[Direct/0] 03:46:19
                    > via ge-0/0/2.0
20.20.20.1/32      *[Local/0] 03:46:19
                      Local via ge-0/0/2.0
30.30.30.0/24      *[Direct/0] 03:46:19
                    > via ge-0/0/0.0
30.30.30.1/32      *[Local/0] 03:46:19
                      Local via ge-0/0/0.0
172.16.0.0/24      *[Static/5] 00:18:40
                    > to 10.255.1.254 via st0.0
                      to 10.255.2.254 via st0.1
172.16.1.0/24      *[Direct/0] 00:15:55
                    > via lo0.0
172.16.1.1/32      *[Local/0] 00:15:55
                      Local via lo0.0

Meaning

The output indicates that there are 19 routes and all the routes are active.
