Example: Configuring Group VPN (CLI)
The configuration instructions in this topic describe how to configure a group VPN on server and member devices.
Overview
In Figure 53, a group VPN consists of two member devices (member1 and member2) and a group server (the IP address of the loopback interface on the server is 20.0.0.1). The group identifier is 1.
Figure 53: Server-Member Configuration Example
The Phase 2 group VPN SAs must be protected by a Phase 1 SA. Therefore, group VPN configuration must include configuring IKE Phase 1 negotiations on both the group server and the group members. In addition, the same group identifier must be configured on both the group server and the group member.
Group policies are configured on the group server. All group policies configured for a group are downloaded to group members. Scope policies configured on a group member determine which group policies are actually installed on the member. In this example, the following group policies are configured on the group server for downloading to all group members:
- p1—Allows all traffic from 10.1.0.0/16 to 10.2.0.0/16
- p2—Allows all traffic from 10.2.0.0/16 to 10.1.0.0/16
- p3—Allows multicast traffic from 10.1.1.1/32
The member1 device is configured with scope policies that allow all unicast traffic to and from the 10.0.0.0/8 subnetwork. There is no scope policy configured on member1 to allow multicast traffic; therefore, the SA policy p3 is not installed on member1.
The member2 device is configured with scope policies that drop traffic from 10.1.0.0/16 from the trust zone to the untrust zone and to 10.1.0.0/16 from the untrust zone to the trust zone. Therefore the SA policy p2 is not installed on member2.
Before you begin:
- Configure the Juniper Networks security devices for network communication.
- Configure network interfaces on server and member devices. See the JUNOS Software Interfaces Configuration Guide for Security Devices.
Configuring the Group Server
On the group server device, configure the following:
- Configure the loopback address on the device.
  [edit]
  user@host# edit interfaces
  [edit interfaces]
  user@host# set lo0 unit 0 family inet address 20.0.0.1/32
- Configure the IKE Phase 1 SA (this configuration must match the Phase 1 SA configured on the group members).
  [edit security group-vpn server ike]
  user@host# set proposal srv-prop authentication-method pre-shared-keys dh-group group2 authentication-algorithm sha1 encryption-algorithm 3des-cbc
  user@host# set policy srv-pol mode main proposals srv-prop pre-shared-key ascii-text "$9$c1grK8-VYZUHX7UHqmF3Sre"
  user@host# set gateway gw1 ike-policy srv-pol address 10.1.0.1
  user@host# set gateway gw2 ike-policy srv-pol address 10.2.0.1
- Configure the Phase 2 SA exchange.
  [edit security group-vpn server ipsec]
  user@host# set proposal group-prop authentication-algorithm hmac-sha1-96 encryption-algorithm 3des-cbc lifetime-seconds 3600
- Configure the group identifier, IKE gateway, antireplay time window, and server address.
  [edit security group-vpn server group grp1]
  user@host# set group-id 1 ike-gateway srv-gw anti-replay-time-window 120 server-address 20.0.0.1
- Configure server-to-member communications.
  [edit security group-vpn server group grp1]
  user@host# set server-member-communication communication-type unicast encryption-algorithm aes-128-cbc sig-hash-algorithm md5 certificate "srv-cert"
- Configure the group policies to be downloaded to group members.
  [edit security group-vpn server group grp1 ipsec-sa group-sa proposal group-prop]
  user@host# set match-policy p1 source 10.1.0.0/16 destination 10.2.0.0/16 source-port 0 destination-port 0 protocol 0
  user@host# set match-policy p2 source 10.2.0.0/16 destination 10.1.0.0/16 source-port 0 destination-port 0 protocol 0
  user@host# set match-policy p3 source 10.1.1.1/32 destination 239.1.1.1/32 source-port 0 destination-port 0 protocol 0
- Confirm your configuration by entering the show security group-vpn server command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
  [edit]
  user@host# show security group-vpn server
  ike {
      proposal srv-prop {
          authentication-method pre-shared-keys;
          dh-group group2;
          authentication-algorithm sha1;
          encryption-algorithm 3des-cbc;
      }
      policy srv-pol {
          mode main;
          proposals srv-prop;
          pre-shared-key ascii-text "$9$gfJUHf5FnCu"; ## SECRET-DATA
      }
      gateway gw1 {
          ike-policy srv-pol;
          address 10.1.0.1;
      }
      gateway gw2 {
          ike-policy srv-pol;
          address 10.2.0.1;
      }
  }
  ipsec {
      proposal group-prop {
          authentication-algorithm hmac-sha1-96;
          encryption-algorithm 3des-cbc;
          lifetime-seconds 3600;
      }
  }
  group grp1 {
      group-id 1;
      anti-replay-time-window 120;
      ike-gateway srv-gw;
      server-address 20.0.0.1;
      server-member-communication {
          communication-type unicast;
          encryption-algorithm aes-128-cbc;
          sig-hash-algorithm md5;
          certificate srv-cert;
      }
      ipsec-sa group-sa {
          proposal group-prop;
          match-policy p1 {
              source 10.1.0.0/16;
              destination 10.2.0.0/16;
              source-port 0;
              destination-port 0;
              protocol 0;
          }
          match-policy p2 {
              source 10.2.0.0/16;
              destination 10.1.0.0/16;
              source-port 0;
              destination-port 0;
              protocol 0;
          }
          match-policy p3 {
              source 10.1.1.1/32;
              destination 239.1.1.1/32;
              source-port 0;
              destination-port 0;
              protocol 0;
          }
      }
  }
- If you are done configuring the device, enter commit from configuration mode.
  [edit]
  user@host# commit
Configuring Member1
On member1, configure the following:
- Configure the Phase 1 SA (this configuration must match the Phase 1 SA configured on the group server).
  [edit security group-vpn member ike]
  user@member1# set proposal prop1 authentication-method pre-shared-keys dh-group group2 authentication-algorithm sha1 encryption-algorithm 3des-cbc
  user@member1# set policy pol1 mode main proposals prop1 pre-shared-key ascii-text "$9$c1grK8-VYZUHX7UHqmF3Sre"
  user@member1# set gateway g1 ike-policy pol1 address 20.0.0.1 local-address 10.1.0.1
- Configure the group identifier, IKE gateway, and interface for member1.
  [edit security group-vpn member ipsec]
  user@member1# set vpn v1 group 1 ike-gateway g1 group-vpn-external-interface ge-0/1/0
Note: To prevent packet fragmentation issues, we recommend that the interface used by the group member to connect to the MPLS network be configured for a maximum transmission unit (MTU) size no larger than 1400 bytes. Use the set interface mtu configuration statement to set the MTU size.
- Configure address book entries for the 10.0.0.0/8 subnet.
  [edit security zones]
  user@member1# set security-zone trust address-book address 10_subnet 10.0.0.0/8
  user@member1# set security-zone untrust address-book address 10_subnet 10.0.0.0/8
- Configure a scope policy from the trust zone to the untrust zone that allows unicast traffic to and from the 10.0.0.0/8 subnetwork.
  [edit security policies from-zone trust to-zone untrust]
  user@member1# set policy scope1 match source-address 10_subnet destination-address 10_subnet application any
  user@member1# set policy scope1 then permit tunnel ipsec-group-vpn v1
- Configure a scope policy from the untrust zone to the trust zone that allows unicast traffic to and from the 10.0.0.0/8 subnetwork.
  [edit security policies from-zone untrust to-zone trust]
  user@member1# set policy scope1 match source-address 10_subnet destination-address 10_subnet application any
  user@member1# set policy scope1 then permit tunnel ipsec-group-vpn v1
- Confirm your configuration by entering the show security group-vpn member and show security policies commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
Note: In the list of configured security policies, make sure that the scope policies are listed before the default policies.
  [edit]
  user@member1# show security group-vpn member
  ike {
      proposal prop1 {
          authentication-method pre-shared-keys;
          dh-group group2;
          authentication-algorithm sha1;
          encryption-algorithm 3des-cbc;
      }
      policy pol1 {
          mode main;
          proposals prop1;
          pre-shared-key ascii-text "$9$CeS6uBEleWLNb"; ## SECRET-DATA
      }
      gateway g1 {
          ike-policy pol1;
          address 20.0.0.1;
          local-address 10.1.0.1;
      }
  }
  ipsec {
      vpn v1 {
          ike-gateway g1;
          group-vpn-external-interface ge-0/1/0;
          group 1;
      }
  }
  [edit]
  user@member1# show security policies
  from-zone trust to-zone trust {
      policy default-permit {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              permit;
          }
      }
  }
  from-zone trust to-zone untrust {
      policy scope1 {
          match {
              source-address 10_subnet;
              destination-address 10_subnet;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v1;
                  }
              }
          }
      }
      policy default-permit {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              permit;
          }
      }
  }
  from-zone untrust to-zone trust {
      policy scope1 {
          match {
              source-address 10_subnet;
              destination-address 10_subnet;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v1;
                  }
              }
          }
      }
      policy default-deny {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              deny;
          }
      }
  }
- If you are done configuring the device, enter commit from configuration mode.
  [edit]
  user@host# commit
Configuring Member2
On member2, configure the following:
- Configure the Phase 1 SA (this configuration must match the Phase 1 SA configured on the group server).
  [edit security group-vpn member ike]
  user@member2# set proposal prop2 authentication-method pre-shared-keys dh-group group2 authentication-algorithm sha1 encryption-algorithm 3des-cbc
  user@member2# set policy pol2 mode main proposals prop2 pre-shared-key ascii-text "$9$c1grK8-VYZUHX7UHqmF3Sre"
  user@member2# set gateway g2 ike-policy pol2 address 20.0.0.1 local-address 10.2.0.1
- Configure the group identifier, IKE gateway, and interface for member2.
  [edit security group-vpn member ipsec]
  user@member2# set vpn v2 group 1 ike-gateway g2 group-vpn-external-interface ge-0/1/0
Note: To prevent packet fragmentation issues, we recommend that the interface used by the group member to connect to the MPLS network be configured for a maximum transmission unit (MTU) size no larger than 1400 bytes. Use the set interface mtu configuration statement to set the MTU size.
- Configure address book entries for the trust zone.
  [edit security zones security-zone trust]
  user@member2# set address-book address 10_subnet 10.0.0.0/8
  user@member2# set address-book address 10_1_0_0_16 10.1.0.0/16
  user@member2# set address-book address multicast_net 239.0.0.0/8
- Configure address book entries for the untrust zone.
  [edit security zones security-zone untrust]
  user@member2# set address-book address 10_subnet 10.0.0.0/8
  user@member2# set address-book address 10_1_0_0_16 10.1.0.0/16
  user@member2# set address-book address multicast_net 239.0.0.0/8
- Configure scope policies from the trust zone to the untrust zone that block traffic from 10.1.0.0/16 and tunnel the remaining unicast and multicast traffic from the 10.0.0.0/8 subnetwork.
  [edit security policies from-zone trust to-zone untrust]
  user@member2# set policy deny2 match source-address 10_1_0_0_16 destination-address any application any
  user@member2# set policy deny2 then reject
  user@member2# set policy scope2 match source-address 10_subnet destination-address 10_subnet application any
  user@member2# set policy scope2 then permit tunnel ipsec-group-vpn v2
  user@member2# set policy multicast-scope2 match source-address 10_subnet destination-address multicast_net application any
  user@member2# set policy multicast-scope2 then permit tunnel ipsec-group-vpn v2
- Configure scope policies from the untrust zone to the trust zone that block traffic to 10.1.0.0/16 and tunnel the remaining unicast and multicast traffic from the 10.0.0.0/8 subnetwork.
  [edit security policies from-zone untrust to-zone trust]
  user@member2# set policy deny2 match source-address any destination-address 10_1_0_0_16 application any
  user@member2# set policy deny2 then reject
  user@member2# set policy scope2 match source-address 10_subnet destination-address 10_subnet application any
  user@member2# set policy scope2 then permit tunnel ipsec-group-vpn v2
  user@member2# set policy multicast-scope2 match source-address 10_subnet destination-address multicast_net application any
  user@member2# set policy multicast-scope2 then permit tunnel ipsec-group-vpn v2
- Confirm your configuration by entering the show security group-vpn member and show security policies commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
Note: In the list of configured security policies, make sure that the scope policies are listed before the default policies.
  [edit]
  user@member2# show security group-vpn member
  ike {
      proposal prop2 {
          authentication-method pre-shared-keys;
          dh-group group2;
          authentication-algorithm sha1;
          encryption-algorithm 3des-cbc;
      }
      policy pol2 {
          mode main;
          proposals prop2;
          pre-shared-key ascii-text "$9$Hm5FCA0BEy"; ## SECRET-DATA
      }
      gateway g2 {
          ike-policy pol2;
          address 20.0.0.1;
          local-address 10.2.0.1;
      }
  }
  ipsec {
      vpn v2 {
          ike-gateway g2;
          group-vpn-external-interface ge-0/1/0;
          group 1;
      }
  }
  [edit]
  user@member2# show security policies
  from-zone trust to-zone trust {
      policy default-permit {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              permit;
          }
      }
  }
  from-zone trust to-zone untrust {
      policy deny2 {
          match {
              source-address 10_1_0_0_16;
              destination-address any;
              application any;
          }
          then {
              reject;
          }
      }
      policy scope2 {
          match {
              source-address 10_subnet;
              destination-address 10_subnet;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v2;
                  }
              }
          }
      }
      policy multicast-scope2 {
          match {
              source-address 10_subnet;
              destination-address multicast_net;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v2;
                  }
              }
          }
      }
      policy default-permit {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              permit;
          }
      }
  }
  from-zone untrust to-zone trust {
      policy deny2 {
          match {
              source-address any;
              destination-address 10_1_0_0_16;
              application any;
          }
          then {
              reject;
          }
      }
      policy scope2 {
          match {
              source-address 10_subnet;
              destination-address 10_subnet;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v2;
                  }
              }
          }
      }
      policy multicast-scope2 {
          match {
              source-address 10_subnet;
              destination-address multicast_net;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v2;
                  }
              }
          }
      }
      policy default-deny {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              deny;
          }
      }
  }
- If you are done configuring the device, enter commit from configuration mode.
  [edit]
  user@host# commit
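Several pieces of this configuration have to agree across devices before anything works: the IKE Phase 1 proposal on each member must match one on the server, the group identifier on the member's vpn must be a group the server defines, and every address name a scope policy uses must exist in the address book of the zone it is matched in (a typo there fails at commit time, or silently leaves a scope policy unmatched). The following Python script is an added example for this page; it is not Juniper code and not part of this example's configuration. It parses the brace-style text that the show commands above print into nested dicts and runs those three checks. The function names (parse_junos, check_phase1, check_group_id, check_addresses, run_checks) and the compacted sample configurations are all constructed here; the samples carry two deliberate faults (a dh-group mismatch and a misspelled address name) so that the checks have something to report.

```python
"""Pre-commit cross-check of a group VPN server and member configuration.

Added example, not Juniper code. parse_junos() turns the brace-style text that
`show` prints into nested dicts; the check_* functions test what this example
requires: a member's IKE Phase 1 proposal must equal one on the server, the
group identifier must agree, and addresses named by scope policies must exist.
"""
import re

# Constructed, compacted samples in the format `show security group-vpn server`,
# `show security group-vpn member`, `show security zones` and `show security
# policies` print. Deliberate faults: dh-group group5; multicast-net vs multicast_net.
SERVER = """
ike { proposal srv-prop { authentication-method pre-shared-keys; dh-group group2;
                          authentication-algorithm sha1; encryption-algorithm 3des-cbc; } }
group grp1 { group-id 1; server-address 20.0.0.1; }
"""
MEMBER = """
ike { proposal prop2 { authentication-method pre-shared-keys; dh-group group5;
                       authentication-algorithm sha1; encryption-algorithm 3des-cbc; } }
ipsec { vpn v2 { group 1; ike-gateway g2; } }
"""
ZONES = """
security-zone trust { address-book { address 10_subnet 10.0.0.0/8; } }
security-zone untrust { address-book { address multicast_net 239.0.0.0/8; } }
"""
POLICIES = """
from-zone trust to-zone untrust {
    policy multicast-scope2 {
        match { source-address 10_subnet; destination-address multicast-net; application any; }
        then { permit { tunnel { ipsec-group-vpn v2; } } }
    }
}
"""
PHASE1 = ("authentication-method", "dh-group", "authentication-algorithm",
          "encryption-algorithm")

def parse_junos(text):
    """Parse Junos display format ('key value;' leaves, '{ }' blocks) into dicts."""
    text = re.sub(r"##[^\n]*", "", text)  # drop "## SECRET-DATA" annotations
    root, stack = {}, []
    node = root
    for stmt in re.findall(r"[^{};]+[{;]|\}", text):
        if stmt == "}":
            node = stack.pop()
            continue
        toks = stmt[:-1].split()
        if stmt.endswith("{"):  # block header; "from-zone trust to-zone untrust {" nests 4 deep
            stack.append(node)
            for tok in toks:
                node = node.setdefault(tok, {})
        elif len(toks) == 2:  # "dh-group group2;"
            node[toks[0]] = toks[1]
        elif len(toks) > 2:  # "address 10_subnet 10.0.0.0/8;" -> address: {name: prefix}
            node.setdefault(toks[0], {})[toks[1]] = " ".join(toks[2:])
        elif toks:  # "permit;"
            node[toks[0]] = "true"
    return root

def phase1(tree):
    """{proposal name: Phase 1 attribute tuple} from an `ike { proposal ... }` subtree."""
    return {n: tuple(p.get(f) for f in PHASE1) for n, p in tree["ike"]["proposal"].items()}

def check_phase1(server, member):
    """A member proposal must equal some server proposal, field for field."""
    srv, findings = phase1(server), []
    for name, attrs in phase1(member).items():
        if attrs in srv.values():
            continue
        closest = max(srv, key=lambda s: sum(a == b for a, b in zip(srv[s], attrs)))
        diffs = [f"{f}: member {a} vs server {b}"
                 for f, a, b in zip(PHASE1, attrs, srv[closest]) if a != b]
        findings.append(f"proposal {name} vs {closest}: " + "; ".join(diffs))
    return findings

def check_group_id(server, member):
    """Each member vpn must join a group-id the server actually defines."""
    ids = {g["group-id"] for g in server["group"].values()}
    return [f"vpn {n} joins group {v['group']}, which the server does not define"
            for n, v in member["ipsec"]["vpn"].items() if v["group"] not in ids]

def check_addresses(zones, policies):
    """Source names must exist in the from-zone book, destinations in the to-zone book."""
    books = {z: set(c.get("address-book", {}).get("address", {}))
             for z, c in zones["security-zone"].items()}
    findings = []
    for fz, rest in policies["from-zone"].items():
        for tz, block in rest["to-zone"].items():
            for pol, body in block["policy"].items():
                for key, zone in (("source-address", fz), ("destination-address", tz)):
                    name = body["match"].get(key)
                    if name not in (None, "any") and name not in books.get(zone, set()):
                        findings.append(f"{fz}->{tz} {pol}: {key} {name} is not in the {zone} address book")
    return findings

def run_checks():
    """Run all three checks over the samples; returns the list of findings."""
    server, member = parse_junos(SERVER), parse_junos(MEMBER)
    return (check_phase1(server, member) + check_group_id(server, member)
            + check_addresses(parse_junos(ZONES), parse_junos(POLICIES)))
```

On the samples above, run_checks() reports the dh-group mismatch on prop2 and the unresolved multicast-net reference, and nothing for the group identifier. To use it on real devices, paste the output of the four show commands into the corresponding strings; the parser accepts the multi-line form the device prints, including the ## SECRET-DATA annotations.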
Viewing Dynamic Policies
After the group server downloads keys to member1, use the show security dynamic-policies command to view the dynamic policies installed on member1. Note that the multicast policy p3 from the server is not installed on member1, because there is no scope policy configured on member1 that allows multicast traffic.
Policy: scope1-0001, action-type: permit, State: enabled, Index: 1048580,
  AI: disabled, Scope Policy: 4
  Policy Type: Dynamic
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses: 10.1.0.0/16
  Destination addresses: 10.2.0.0/16
  Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Tunnel: INSTANCE-gvpn_133955586, Type: IPSec, Index: 133955586
Policy: scope1-0001, action-type: permit, State: enabled, Index: 1048581,
  AI: disabled, Scope Policy: 5
  Policy Type: Dynamic
  Sequence number: 2
  From zone: trust, To zone: untrust
  Source addresses: 10.1.0.0/16
  Destination addresses: 10.2.0.0/16
  Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Tunnel: INSTANCE-gvpn_133955586, Type: IPSec, Index: 133955586
After the group server downloads keys to member2, use the show security dynamic-policies command to view the dynamic policies installed on member2. Note that the policy p2 (for traffic from 10.1.0.0/16 to 10.2.0.0/16) from the server is not installed on member2, because it matches the deny2 security policy configured on member2.
Policy: scope2-0001, action-type: permit, State: enabled, Index: 1048580,
  AI: disabled, Scope Policy: 4
  Policy Type: Dynamic
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses: 10.1.0.0/16
  Destination addresses: 10.2.0.0/16
  Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Tunnel: INSTANCE-gvpn_133955586, Type: IPSec, Index: 133955586
Policy: scope2-0001, action-type: permit, State: enabled, Index: 1048580,
  AI: disabled, Scope Policy: 4
  Policy Type: Dynamic
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses: 10.1.1.1/32
  Destination addresses: 239.1.1.1/32
  Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Tunnel: INSTANCE-gvpn_133955586, Type: IPSec, Index: 133955586
Policy: scope2-0001, action-type: permit, State: enabled, Index: 1048581,
  AI: disabled, Scope Policy: 5
  Policy Type: Dynamic
  Sequence number: 2
  From zone: trust, To zone: untrust
  Source addresses: 10.2.0.0/16
  Destination addresses: 10.1.0.0/16
  Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Tunnel: INSTANCE-gvpn_133955586, Type: IPSec, Index: 133955586
Policy: scope2-0001, action-type: permit, State: enabled, Index: 1048581,
  AI: disabled, Scope Policy: 5
  Policy Type: Dynamic
  Sequence number: 2
  From zone: trust, To zone: untrust
  Source addresses: 10.1.1.1/32
  Destination addresses: 239.1.1.1/32
  Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Tunnel: INSTANCE-gvpn_133955586, Type: IPSec, Index: 133955586
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Group VPN Overview
- Group VPN Configuration Overview
- Example: Configuring Group VPN with Server-Member Colocation (CLI)