close
keyboard_arrow_left
Table of Contents
- play_arrow vSRX Virtual Firewall Deployment for KVM
- play_arrow Overview
- play_arrow Install vSRX Virtual Firewall in KVM
- Prepare Your Server for vSRX Virtual Firewall Installation
- Install vSRX Virtual Firewall with KVM
- Example: Install and Launch vSRX Virtual Firewall on Ubuntu
- Load an Initial Configuration on a vSRX Virtual Firewall with KVM
- Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Virtual Firewall Instances
- play_arrow vSRX Virtual Firewall VM Management with KVM
- Configure vSRX Virtual Firewall Using the CLI
- Connect to the vSRX Virtual Firewall Management Console on KVM
- Add a Virtual Network to a vSRX Virtual Firewall VM with KVM
- Add a Virtio Virtual Interface to a vSRX Virtual Firewall VM with KVM
- SR-IOV and PCI
- Upgrade a Multi-core vSRX Virtual Firewall
- Monitor the vSRX Virtual Firewall VM in KVM
- Manage the vSRX Virtual Firewall Instance on KVM
- Recover the Root Password for vSRX Virtual Firewall in a KVM Environment
- play_arrow Configure vSRX Virtual Firewall Chassis Clusters on KVM
-
- play_arrow vSRX Virtual Firewall Deployment for VMware
- play_arrow Overview
- play_arrow Install vSRX Virtual Firewall in VMware
- play_arrow vSRX Virtual Firewall VM Management with VMware
- play_arrow Configure vSRX Virtual Firewall Chassis Clusters in VMware
-
- play_arrow vSRX Virtual Firewall Deployment for Microsoft Hyper-V
- play_arrow Overview
- play_arrow Install vSRX Virtual Firewall in Microsoft Hyper-V
- play_arrow vSRX Virtual Firewall VM Management with Microsoft Hyper-V
- play_arrow Configure vSRX Virtual Firewall Chassis Clusters
-
- play_arrow vSRX Virtual Firewall Deployment for Contrail
- play_arrow Overview of vSRX Virtual Firewall Service Chains in Contrail
- play_arrow Install vSRX Virtual Firewall in Contrail
- play_arrow vSRX Virtual Firewall VM Management with Contrail
-
- play_arrow vSRX Virtual Firewall Deployment for Nutanix
- play_arrow Overview
- play_arrow Install vSRX Virtual Firewall in Nutanix
-
- play_arrow vSRX Virtual Firewall Deployment for AWS
- play_arrow Overview
- play_arrow Configure and Manage Virtual Firewall in AWS
- Configure an Amazon Virtual Private Cloud for vSRX Virtual Firewall
- Launch a vSRX Virtual Firewall Instance on an Amazon Virtual Private Cloud
- Enroll a vSRX Virtual Firewall on AWS with Juniper ATP Cloud
- Using Cloud-Init to Automate the Initialization of vSRX Virtual Firewall Instances in AWS
- AWS Elastic Load Balancing and Elastic Network Adapter
- Multi-Core Scaling Support on AWS with SWRSS and ENA
- Centralized Monitoring and Troubleshooting using AWS Features
- Deploying vSRX Virtual Firewall 3.0 for Securing Data using AWS KMS
- Configure vSRX Virtual Firewall Using the CLI
- Configure vSRX Virtual Firewall Using the J-Web Interface
- Upgrade Junos OS Software on a vSRX Virtual Firewall Instance
- Remove a vSRX Virtual Firewall Instance on AWS
- Geneve Flow Infrastructure on vSRX Virtual Firewall 3.0
- AWS Gateway Load Balancing with Geneve
- play_arrow Virtual Firewall in AWS Use Cases
-
- play_arrow vSRX Virtual Firewall Deployment for Google Cloud Platform
- play_arrow Overview
- play_arrow Install vSRX Virtual Firewall in Google Cloud
-
- play_arrow vSRX Virtual Firewall Deployment for IBM Cloud
- play_arrow Overview
- play_arrow Installing and Configuring vSRX Virtual Firewall in IBM
- Performing vSRX Virtual Firewall Basics in IBM Cloud
- vSRX Virtual Firewall Readiness Checks in IBM Cloud
- Managing VLANs with a gateway appliance
- Working with the vSRX Virtual Firewall Default Configurations
- Migrating Legacy Configurations to the Current vSRX Virtual Firewall Architecture
- Allowing SSH and Ping to a Public Subnet
- Performing vSRX Virtual Firewall Advanced Tasks in IBM Cloud
- Upgrading the vSRX Virtual Firewall in IBM Cloud
- play_arrow Managing vSRX Virtual Firewall in IBM Cloud
- play_arrow Monitoring and Troubleshooting
-
- play_arrow vSRX Virtual Firewall Deployment for OCI
- play_arrow Overview
- play_arrow Installing vSRX Virtual Firewall in OCI
- play_arrow vSRX Virtual Firewall Licensing
-
list Table of Contents
keyboard_arrow_right
Example: Configure an IPsec VPN Between Two vSRX Virtual Firewall Instances
date_range
27-May-23
This example shows how to configure an IPsec VPN between two instances of vSRX Virtual Firewall in Microsoft Azure.
Before You Begin
Ensure that you have installed and launched a vSRX Virtual Firewall instance in Microsoft Azure virtual network.
See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.
Overview
You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure using two vSRX Virtual Firewall instances.
vSRX Virtual Firewall IPsec VPN Configuration
vSRX1 VPN Configuration
Step-by-Step Procedure
To configure IPsec VPN on vSRX1:
Log in to the vSRX1 in configuration edit mode (see Configure vSRX Using the CLI).
Set the IP addresses for vSRX1 interfaces.
content_copy zoom_out_mapset interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
Set up the untrust security zone.
content_copy zoom_out_mapset security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Set up the trust security zone.
content_copy zoom_out_mapset security zone trust host-inbound-traffic system-services https set security zone trust host-inbound-traffic system-services ssh set security zone trust host-inbound-traffic system-services ping set security security-zone trust interfaces ge-0/0/1.0
Configure IKE.
content_copy zoom_out_mapset security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key> set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 198.51.100.10 set security ike gateway gw-siteB local-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note:Be sure to replace
198.51.100.10in this example with the correct public IP address.Configure IPsec.
content_copy zoom_out_mapset security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure routing.
content_copy zoom_out_mapset routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
vSRX2 VPN Configuration
Step-by-Step Procedure
To configure IPsec VPN on vSRX2:
Log in to the vSRX2 in configuration edit mode (See Configure vSRX Using the CLI.
Set the IP addresses for the vSRX2 interfaces.
content_copy zoom_out_mapset interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24 set interfaces st0 unit 1 family inet address 10.0.250.20/24
Set up the untrust security zone.
content_copy zoom_out_mapset security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Set up the trust security zone.
content_copy zoom_out_mapset security zones security-zone trust host-inbound-traffic system-services https set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
Configure IKE.
content_copy zoom_out_mapset security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text preshared-key set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 203.0.113.10 set security ike gateway gw-siteB local-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note:Be sure to replace
203.0.113.10in this example with the correct public IP address. Also note that the SiteB local-identity and remote-identity should be in contrast with the SiteA local-identity and remote-identity.Configure IPsec.
content_copy zoom_out_mapset security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure routing.
content_copy zoom_out_mapset routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
Verification
Verify Active VPN Tunnels
Purpose
Verify that the tunnel is up on both vSRX Virtual Firewall instances.
Action
content_copy zoom_out_map
root@> show security ipsec security-associations
content_copy zoom_out_map
Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131074 ESP:aes-‐cbc-‐256/sha1 de836105 1504/ unlim -‐ root 4500 52.200.89.XXX >131074 ESP:aes-‐cbc-‐256/sha1 b349bc84 1504/ unlim -‐ root 4500 52.200.89.XXX
