Example: Configuring Group VPN with Server-Member Colocation (CLI)
When colocation mode is configured, group server and group member functions can coexist in the same device. In colocation mode, the server and member must have different IP addresses so that packets are delivered properly.
This example shows you how to configure a device for colocation mode. In Figure 54, a group VPN (group identifier is 1) consists of two members (member1 and member2) and a group server (the IP address of the loopback interface is 20.0.0.1). Note that member1 coexists in the same device as the group server. In this example, the interface that member1 uses to connect to the MPLS network (ge-0/1/0) is assigned the IP address 10.1.0.1/32.
Figure 54: Server-Member Colocation Example
Note: The configuration instructions in this topic describe how to configure the group server/member1 device for colocation mode. Configuration of member2 is the same as shown in the previous example.
Before you begin:
- Configure the Juniper Networks security devices for network communication.
- Configure network interfaces on server and member devices. See the JUNOS Software Interfaces Configuration Guide for Security Devices.
On the group server/member1 device, configure the following:
- Configure the loopback address on the device.

  ```
  [edit interfaces]
  user@host# set lo0 unit 0 family inet address 20.0.0.1/32
  ```

- Configure the interface that member1 uses to connect to the MPLS network.

  ```
  [edit interfaces]
  user@host# set ge-0/1/0 unit 0 family inet address 10.1.0.1/32
  ```
Note: To prevent packet fragmentation issues, we recommend that the interface used by the group member to connect to the MPLS network be configured for a maximum transmission unit (MTU) size no larger than 1400 bytes. Use the set interface mtu configuration statement to set the MTU size.
- Configure group VPN colocation on the device.

  ```
  [edit security group-vpn]
  user@host# set co-location
  ```
- Configure the IKE Phase 1 SA for the server (this configuration must match the Phase 1 SA configured on group members).

  ```
  [edit security group-vpn server ike]
  user@host# set proposal srv-prop authentication-method pre-shared-keys dh-group group2 authentication-algorithm sha1 encryption-algorithm 3des-cbc
  user@host# set policy srv-pol proposals srv-prop mode main pre-shared-key ascii-text "$9$c1grK8-VYZUHX7UHqmF3Sre"
  user@host# set gateway gw1 ike-policy srv-pol address 10.1.0.1
  user@host# set gateway gw2 ike-policy srv-pol address 10.2.0.1
  ```
- Configure the Phase 2 SA exchange for the server.

  ```
  [edit security group-vpn server ipsec]
  user@host# set proposal group-prop authentication-algorithm hmac-sha1-96 encryption-algorithm 3des-cbc lifetime-seconds 3600
  ```
- Configure the group identifier, IKE gateway, antireplay time window, and server address on the server.

  ```
  [edit security group-vpn server group grp1]
  user@host# set group-id 1 ike-gateway srv-gw anti-replay-time-window 120 server-address 20.0.0.1
  ```

- Configure server-to-member communications.

  ```
  [edit security group-vpn server group grp1]
  user@host# set server-member-communication communication-type unicast encryption-algorithm aes-128-cbc sig-hash-algorithm md5 certificate "srv-cert"
  ```
- Configure the group policies to be downloaded to group members.

  ```
  [edit security group-vpn server group grp1 ipsec-sa group-sa proposal group-prop]
  user@host# set match-policy p1 source 10.1.0.0/16 destination 10.2.0.0/16 source-port 0 destination-port 0 protocol 0
  user@host# set match-policy p2 source 10.2.0.0/16 destination 10.1.0.0/16 source-port 0 destination-port 0 protocol 0
  user@host# set match-policy p3 source 10.1.1.1/16 destination 239.1.1.1/32 source-port 0 destination-port 0 protocol 0
  ```
- Configure the Phase 1 SA for member1 (this configuration must match the Phase 1 SA configured for the group server).

  ```
  [edit security group-vpn member ike]
  user@host# set proposal prop1 authentication-method pre-shared-keys dh-group group2 authentication-algorithm sha1 encryption-algorithm 3des-cbc
  user@host# set policy pol1 mode main proposals prop1 pre-shared-key ascii-text "$9$c1grK8-VYZUHX7UHqmF3Sre"
  user@host# set gateway g1 ike-policy pol1 address 20.0.0.1 local-address 10.1.0.1
  ```

- Configure the group identifier, IKE gateway, and interface for member1.

  ```
  [edit security group-vpn member ipsec]
  user@host# set vpn v1 group 1 ike-gateway g1 group-vpn-external-interface ge-0/1/0
  ```
- Configure address book entries for the 10.0.0.0/8 subnet.

  ```
  [edit security zones]
  user@member1# set security-zone trust address-book address 10_subnet 10.0.0.0/8
  user@member1# set security-zone untrust address-book address 10_subnet 10.0.0.0/8
  ```

- Configure a scope policy from the trust zone to the untrust zone that allows unicast traffic to and from the 10.0.0.0/8 subnetwork.

  ```
  [edit security policies from-zone trust to-zone untrust]
  user@member1# set policy scope1 match source-address 10_subnet destination-address 10_subnet application any
  user@member1# set policy scope1 then permit tunnel ipsec-group-vpn v1
  ```

- Configure a scope policy from the untrust zone to the trust zone that allows unicast traffic to and from the 10.0.0.0/8 subnetwork.

  ```
  [edit security policies from-zone untrust to-zone trust]
  user@member1# set policy scope1 match source-address 10_subnet destination-address 10_subnet application any
  user@member1# set policy scope1 then permit tunnel ipsec-group-vpn v1
  ```
- Confirm your configuration by entering the show security group-vpn and show security policies commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  Note: In the list of configured security policies, make sure that the scope policies are listed before the default policies.

  ```
  [edit]
  user@host# show security group-vpn
  member {
      ike {
          proposal prop1 {
              authentication-method pre-shared-keys;
              dh-group group2;
              authentication-algorithm sha1;
              encryption-algorithm 3des-cbc;
          }
          policy pol1 {
              mode main;
              proposals prop1;
              pre-shared-key ascii-text "$9$i.fz9CuORS"; ## SECRET-DATA
          }
          gateway g1 {
              ike-policy pol1;
              address 20.0.0.1;
              local-address 10.1.0.1;
          }
      }
      ipsec {
          vpn v1 {
              ike-gateway g1;
              group-vpn-external-interface ge-0/1/0;
              group 1;
          }
      }
  }
  server {
      ike {
          proposal srv-prop {
              authentication-method pre-shared-keys;
              dh-group group2;
              authentication-algorithm sha1;
              encryption-algorithm 3des-cbc;
          }
          policy srv-pol {
              mode main;
              proposals srv-prop;
              pre-shared-key ascii-text "$9$hucrK8-ds2aU"; ## SECRET-DATA
          }
          gateway gw1 {
              ike-policy srv-pol;
              address 10.1.0.1;
          }
          gateway gw2 {
              ike-policy srv-pol;
              address 10.2.0.1;
          }
      }
      ipsec {
          proposal group-prop {
              authentication-algorithm hmac-sha1-96;
              encryption-algorithm 3des-cbc;
              lifetime-seconds 3600;
          }
      }
      group grp1 {
          group-id 1;
          ike-gateway srv-gw;
          anti-replay-time-window 120;
          server-address 20.0.0.1;
          server-member-communication {
              communication-type unicast;
              encryption-algorithm aes-128-cbc;
              sig-hash-algorithm md5;
              certificate srv-cert;
          }
          ipsec-sa group-sa {
              proposal group-prop;
              match-policy p1 {
                  source 10.1.0.0/16;
                  destination 10.2.0.0/16;
                  source-port 0;
                  destination-port 0;
                  protocol 0;
              }
              match-policy p2 {
                  source 10.2.0.0/16;
                  destination 10.1.0.0/16;
                  source-port 0;
                  destination-port 0;
                  protocol 0;
              }
              match-policy p3 {
                  source 10.1.1.1/16;
                  destination 239.1.1.1/32;
                  source-port 0;
                  destination-port 0;
                  protocol 0;
              }
          }
      }
  }
  co-location;
  ```

  ```
  [edit]
  user@host# show security policies
  from-zone trust to-zone trust {
      policy default-permit {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              permit;
          }
      }
  }
  from-zone trust to-zone untrust {
      policy scope1 {
          match {
              source-address 10_subnet;
              destination-address 10_subnet;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v1;
                  }
              }
          }
      }
      policy default-permit {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              permit;
          }
      }
  }
  from-zone untrust to-zone trust {
      policy default-deny {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              deny;
          }
      }
      policy scope1 {
          match {
              source-address 10_subnet;
              destination-address 10_subnet;
              application any;
          }
          then {
              permit {
                  tunnel {
                      ipsec-group-vpn v1;
                  }
              }
          }
      }
  }
  ```

- If you are done configuring the device, enter commit from configuration mode.

  ```
  [edit]
  user@host# commit
  ```
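The ordering rule in the note above (scope policies before default policies) can be checked mechanically. The following script is an added example, not part of the Juniper documentation: it parses show security policies output in Junos brace format and reports every zone pair in which a default policy is listed ahead of a scope policy (one whose then clause permits into a group VPN). The sample text is constructed, modelled on the output shown above; the function and variable names are assumptions of this example.

```python
import re

def parse_junos(text):
    """Parse Junos brace-style config into ordered (statement, children) pairs; children is None for leaves."""
    tokens = iter(re.findall(r"[{};]|[^{};\s]+", re.sub(r"##[^\n]*", "", text)))  # drop '## SECRET-DATA'
    def block():
        items, words = [], []
        for tok in tokens:
            if tok == "}":
                break
            if tok in ";{":  # end of a leaf statement, or start of a nested block
                items.append((" ".join(words), block() if tok == "{" else None))
                words = []
            else:
                words.append(tok)
        return items
    return block()

def child(items, name):
    return next((c for s, c in items if s == name), None)  # children of the first statement named `name`

def is_scope_policy(policy_items):
    """A scope policy permits traffic into the group VPN: then { permit { tunnel { ipsec-group-vpn ...; } } }."""
    tunnel = child(child(child(policy_items, "then") or [], "permit") or [], "tunnel") or []
    return any(s.startswith("ipsec-group-vpn") for s, _ in tunnel)

def policy_order_issues(policies_text):
    """Return (from_zone, to_zone, scope_policy, default_policy) for every scope policy listed after a default one."""
    issues = []
    for stmt, zone_items in parse_junos(policies_text):
        m = re.fullmatch(r"from-zone (\S+) to-zone (\S+)", stmt)
        first_default = None
        for pstmt, items in (zone_items or []) if m else []:
            name = pstmt.split()[1]  # a zone pair holds only "policy NAME { ... }" blocks
            if is_scope_policy(items or []):
                if first_default:
                    issues.append((m[1], m[2], name, first_default))
            elif first_default is None:
                first_default = name
    return issues

SAMPLE_POLICIES = """
from-zone trust to-zone untrust {
    policy scope1 { match { source-address 10_subnet; destination-address 10_subnet; application any; } then { permit { tunnel { ipsec-group-vpn v1; } } } }
    policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } }
}
from-zone untrust to-zone trust {
    policy default-deny { match { source-address any; destination-address any; application any; } then { deny; } }
    policy scope1 { match { source-address 10_subnet; destination-address 10_subnet; application any; } then { permit { tunnel { ipsec-group-vpn v1; } } } }
}"""  # constructed sample modelled on the show output above; untrust-to-trust lists the default policy first
```

On the sample, policy_order_issues reports the untrust-to-trust pair, where default-deny precedes scope1. On the device, the standard Junos configuration-mode command insert security policies from-zone untrust to-zone trust policy scope1 before policy default-deny moves the scope policy ahead.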
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Group VPN Overview
- Group VPN Configuration Overview
- Example: Configuring Group VPN (CLI)