Configure an IPsec VPN
IPSec VPN Design Goals
Your IPsec VPN must meet these criteria:
- Configure a dynamic IPsec VPN to support DHCP address assignment to the WAN interface by the Internet service provider.
- Ensure that only traffic originating in the trust zone is able to use the IPsec tunnel.
- Ensure that only traffic destined to the 172.168.200.0/24 subnet uses the IPsec tunnel.
Parameter | Value |
---|---|
Tunnel interface | st0 |
Branch Tunnel IP | 10.0.0.1/24 |
Corporate Tunnel IP | 10.0.0.2/24 |
IKE Proposal | standard |
IKE mode | aggressive |
Pre-shared key | "srx_branch" |
Tunnel establishment | immediately |
Branch identity | branch |
Corporate identity | hq |
Tunnel security zone | vpn |
Configure a Route-Based IPsec VPN
Let's get going and configure an IPsec VPN!
- Log in as root on the device console. Start the CLI, and enter configuration
mode.
login: branch_srx (ttyu0) root@branch_srx% cli root@branch_srx> configure Entering configuration mode [edit] root@branch_srx#
- Configure the st0 tunnel interface. An unnumbered tunnel is supported in
this scenario. Here, we opt to number the tunnel end points. One benefit of
numbering the tunnel is to permit ping testing of the tunnel end points to
help debug any connectivity
issues.
[edit] root@branch_srx# set interfaces st0 unit 0 family inet address 10.0.0.1/24
- Define a static route to direct traffic destined to 172.16.200.0/24 into the
IPsec
tunnel.
[edit] root@branch_srx# set routing-options static route 172.16.200.0/24 next-hop st0.0
- Configure the IKE parameters. The local-identity and remote-identity
parameters are important for supporting a dynamic IPsec VPN. When static IP
addresses are used, you define a local and remote IKE gateway specifying
those static IP addresses.
By the way, we'll be configuring security stuff for a bit so you park yourself at the
[edit security]
hierarchy:[edit security] root@branch_srx# set ike proposal standard authentication-method pre-shared-keys root@branch_srx# set ike policy ike-pol mode aggressive root@branch_srx# set ike policy ike-pol proposals standard root@branch_srx# set ike policy ike-pol pre-shared-key ascii-text branch_srx root@branch_srx# set ike gateway ike-gw ike-policy ike-pol root@branch_srx# set ike gateway ike-gw address 172.16.1.1 root@branch_srx# set ike gateway ike-gw local-identity hostname branch root@branch_srx# set ike gateway ike-gw remote-identity hostname hq root@branch_srx# set ike gateway ike-gw external-interface ge-0/0/0
Note:To support a dynamic IPsec VPN, the remote end must have the
set security ike gateway ike-gw dynamic hostname <name>
statement configured in the IKE proposal. When the remote end initiates a connection, the name is used to match the IKE proposal rather than an IP. This method is used when IP addresses can change due to dynamic assignment. - Configure the IPsec tunnel
parameters.
[edit security] root@branch_srx# set ipsec proposal standard root@branch_srx# set ipsec policy ipsec-pol proposals standard root@branch_srx# set ipsec vpn to_hq bind-interface st0.0 root@branch_srx# set ipsec vpn to_hq ike gateway ike-gw root@branch_srx# set ipsec vpn to_hq ike ipsec-policy ipsec-pol root@branch_srx# set ipsec vpn to_hq establish-tunnels immediately
- Adjust the security policies to create a vpn zone, and to
permit traffic to flow from the trust zone to the
vpn zone. We configure the vpn
zone to allow host-bound ping for use in debugging, given we opted to number
our IPsec tunnel. In this step, you also place the IPsec tunnel interface in
the vpn zone.
[edit security] root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn match application any root@branch_srx# set policies from-zone trust to-zone vpn policy trust-to-vpn then permit root@branch_srx# set security zones security-zone vpn host-inbound-traffic system-services ping root@branch_srx# set zones security-zone vpn interfaces st0.0
Note:In this example, we keep it simple and match on any source or destination IP address. We rely on the static route to only direct traffic destined to the remote site into the tunnel. For better security, consider defining address book entries for the local branch 192.168.2.0/24 and the remote 172.16.200.0/24 subnets. With address book entries defined for the two subnets, you match on
source-address <source_name>
anddestination-address <dest_name>
in your security policy. Including the source and destination subnets in your policy makes it that much more explicit as to the traffic that is able to use the tunnel. - Hang in there, you're almost done. Recall that IKE is used to negotiate the
shared keys for securing the IPsec tunnel. IKE messages must be sent and
received over the WAN interface to establish the tunnel on the st0
interface.
You'll need to modify the local host services that are accessible over the untrust WAN interface to include IKE.
[edit security] root@branch_srx# set zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
That's it. You've configured the IPsec route-based VPN at the branch location. Be sure to commit your changes.
Results
Let's display the result of your IPsec route-based VPN configuration. We omit parts of the default configuration for brevity.
[edit] root@branch-srx# show interfaces st0 unit 0 { family inet { address 10.0.0.1/24; } } [edit] root@branch-srx# show routing-options static { route 172.16.200.0/24 next-hop st0.0; } ike { proposal standard { authentication-method pre-shared-keys; } policy ike-pol { mode aggressive; proposals standard; pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39"; ## SECRET-DATA } gateway ike-gw { ike-policy ike-pol; address 172.16.1.1; local-identity hostname branch; remote-identity hostname hq; external-interface ge-0/0/0; } } ipsec { proposal standard; policy ipsec-pol { proposals standard; } vpn to_hq { bind-interface st0.0; ike { gateway ike-gw; ipsec-policy ipsec-pol; } establish-tunnels immediately; } } . . . policies { . . . from-zone trust to-zone vpn { policy trust-to-vpn { match { source-address any; destination-address any; application any; } then { permit; } } } } zones { .. security-zone untrust { screen untrust-screen; interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { . . . ike; . . . } } } } } . . . security-zone vpn { host-inbound-traffic { system-services { ping; } } interfaces { st0.0; } } }
Be sure to commit your configuration to activate the changes on the branch SRX.
Quick Configurations
Quick Configuration: Branch Office
To quickly configure an IPsec VPN, use the following set
statements. Simply edit the configuration statements as needed for your
environment, and paste them into your SRX.
Here's the IPsec VPN configuration for the branch SRX:
set security ike proposal standard authentication-method pre-shared-keys set security ike policy ike-pol mode aggressive set security ike policy ike-pol proposals standard set security ike policy ike-pol pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39" set security ike gateway ike-gw ike-policy ike-pol set security ike gateway ike-gw address 172.16.1.1 set security ike gateway ike-gw local-identity hostname branch set security ike gateway ike-gw remote-identity hostname hq set security ike gateway ike-gw external-interface ge-0/0/0 set security ipsec proposal standard set security ipsec policy ipsec-pol proposals standard set security ipsec vpn to_hq bind-interface st0.0 set security ipsec vpn to_hq ike gateway ike-gw set security ipsec vpn to_hq ike ipsec-policy ipsec-pol set security ipsec vpn to_hq establish-tunnels immediately set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike set security zones security-zone vpn interfaces st0.0 set security zones security-zone vpn host-inbound-traffic system-services ping set interfaces st0 unit 0 family inet address 10.0.0.1/24 set routing-options static route 172.16.200.0/24 next-hop st0.0
Quick Configuration: Remote Location
For completeness, here's the matching IPsec VPN Quick Configuration for the
remote site. It's similar to the one we detailed for the branch. The key
differences are that we use the dynamic hostname
statement, and
a different destination for the static route used to steer traffic into the
tunnel. We allow ping in the vpn zone at the remote site. As
a result, you ping both the tunnel endpoints (we numbered our tunnel), as well
as the loopback interface. The loopback interface at the remote site represents
the 172.16.200.0/24 subnet. The remote site's lo0 interface is placed in the
vpn zone.
set security ike proposal standard authentication-method pre-shared-keys set security ike policy ike-pol mode aggressive set security ike policy ike-pol proposals standard set security ike policy ike-pol pre-shared-key ascii-text "$9$1POEhrKMX7NbSrvLXNY2puORyKWLN-wg" set security ike gateway ike-gw ike-policy ike-pol set security ike gateway ike-gw dynamic hostname branch set security ike gateway ike-gw local-identity hostname hq set security ike gateway ike-gw external-interface ge-0/0/6 set security ipsec proposal standard set security ipsec policy ipsec-pol proposals standard set security ipsec vpn to_hq bind-interface st0.0 set security ipsec vpn to_hq ike gateway ike-gw set security ipsec vpn to_hq ike ipsec-policy ipsec-pol set security ipsec vpn to_hq establish-tunnels immediately set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/6.0 host-inbound-traffic system-services ping set security zones security-zone vpn interfaces st0.0 set security zones security-zone vpn interfaces lo0.0 set security zones security-zone vpn host-inbound-traffic system-services ping set interfaces lo0 unit 0 family inet address 172.16.200.1/32 set interfaces st0 unit 0 family inet address 10.0.0.2/24 set routing-options static route 192.168.2.0/24 next-hop st0.0
Be sure to commit the changes. In the next section, we'll show you how to verify that your IPsec tunnel works correctly.