For this exercise, I'm setting up a routed site-to-site IPSec VPN from the R1 cluster to R2. I will use static routes to guide traffic between the two LANs through the st0.0 tunnel interface. I've created two loopbacks in the untrusted zones on each router with public addressing to provide the external interface for the tunnel. R1 lo0.0 will use 198.51.100.1 and R2 lo0.0 will use 203.0.113.1. These addresses are coming out of their respective /24 public pools that I'm using to otherwise NAT their private LANs to public networks.
R1 IKE Configuration
On the R1 cluster, you need to set up the IKE proposal, policy, and gateway configuration under the Security / IKE hierarchy.
For the proposal, I'm enabling pre-shared-keys as opposed to certificate based IKE. I'm also enabling Diffie Helman group2 so we can exchange the key over an insecure connection. I've chosen Sha1 for the authentication algorithm and set a lifetime of one day.
{primary:node0}[edit security ike]
myuser@R1-A# show proposal Remote-Office
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
lifetime-seconds 86400;
{primary:node0}[edit security ike]
myuser@R1-A# show policy Remote-Office-Policy
mode main;
proposals Remote-Office;
pre-shared-key ascii-text "$9$RF/crvxNboJDWLJDikTQEcy"; ## SECRET-DATA
Finally for IKE on R1, I setup the gateway configuration. I reference the policy. I set the destination address for R2's loopback and I set the source of R1 to be the local loopback. I disable nat-traversal, because the tunnel will be created using public addresses which are not behind a NAT policy.
{primary:node0}[edit security ike]
myuser@R1-A# show gateway R2
ike-policy Remote-Office-Policy;
address 203.0.113.1;
no-nat-traversal;
external-interface lo0.0;
R1 IPSec Configuration
For the IPSec portion of the configuration, we need to setup proposal, policy, and vpn settings. These go under the Security / IPSec hierarchy.
For the proposal, I'm going to use ESP to encrypt the traffic as opposed to AH. I will use aes-192-cbc for encryption and hmac-sha1-96 for the authentication hash. A lifetime of 1 hour is configured.
{primary:node0}[edit security ipsec]
myuser@R1-A# show proposal Remote-Office
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-192-cbc;
lifetime-seconds 3600;
I enable perfect-forward-secrecy on the policy so phase 1 is renegotiated securely before proceeding to IKE phase 2. Again, I use DH group2.
{primary:node0}[edit security ipsec]
myuser@R1-A# show policy Remote-Office-Policy
perfect-forward-secrecy {
keys group2;
}
proposals Remote-Office;
Finally for the IPSec portion on R1, I setup the vpn binding configuration. I also enable establishment immediately for the tunnel as opposed to waiting for traffic.
{primary:node0}[edit security ipsec]
myuser@R1-A# show vpn R2
bind-interface st0.0;
ike {
gateway R2;
ipsec-policy Remote-Office-Policy;
}
establish-tunnels immediately;
I create Lo0.0 and St0.0 with IPv4 addresses.
{primary:node0}[edit]
myuser@R1-A# show interfaces st0.0
family inet {
address 192.168.100.1/24;
}
{primary:node0}[edit]
myuser@R1-A# show interfaces lo0.0
family inet {
address 198.51.100.1/32;
}
I need a static route for the R2 LAN with a next-hop pointing to R2's st0.0 ip address.
myuser@R1-A# show routing-options
graceful-restart;
static {
route 198.51.100.0/24 discard;
route 192.168.2.0/24 next-hop 192.168.100.2;
}
autonomous-system 2 loops 2;
Don't forget to setup the security zone and policy configuration to allow this all to work!
myuser@R1-A# show security zones
functional-zone management {
host-inbound-traffic {
system-services {
ssh;
ping;
http;
https;
}
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
ssh;
ike;
}
protocols {
bgp;
}
}
interfaces {
ge-0/0/0.0;
ge-2/0/0.0;
lo0.0;
}
}
security-zone trust {
address-book {
address 192.168.1.0/24 192.168.1.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth0.0;
}
}
security-zone vpn {
address-book {
address 192.168.2.0/24 192.168.2.0/24;
}
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
interfaces {
st0.0;
}
}
The intrazone vpn traffic isn't needed, but I've added it incase I want to add another router and have a hub and spoke site-to-site vpn topology.
{primary:node0}[edit]
myuser@R1-A# show security policies
from-zone trust to-zone trust {
policy INTRAZONE-ALLOWED {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-untrust-allowed-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone vpn to-zone vpn {
policy INTRAZONE-ALLOWED {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-trust {
match {
source-address 192.168.2.0/24;
destination-address 192.168.1.0/24;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone trust to-zone vpn {
policy trust-vpn {
match {
source-address 192.168.1.0/24;
destination-address 192.168.2.0/24;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
R2 should look similar to what I have done on R1. Below is configuration for R2. I've bolded all of the configuration I created for this exercise.
R2's Complete Configuration
myuser@R2> show configuration
## Last commit: 2011-06-05 18:41:43 UTC by myuser
version 10.4R3.4;
system {
host-name R2;
root-authentication {
encrypted-password "REMOVED"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
message "Welcome To The SuperCore Netwurx";
user myuser {
uid 2000;
class super-user;
authentication {
encrypted-password "REMOVED"; ## SECRET-DATA
}
}
}
services {
ssh;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
name-server {
8.8.8.8;
}
router {
192.168.2.1;
}
pool 192.168.2.0/24 {
address-range low 192.168.2.200 high 192.168.2.250;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.0.2.202/30;
}
family inet6 {
address 2001:db8:aaaa:f::2/64 {
ndp 2001:db8:aaaa:f::1 mac 56:47:de:ad:01:f2;
}
address ::ffff:192.0.2.202/126 {
ndp ::ffff:192.0.2.201 mac 56:47:de:ad:01:f2;
}
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.0.2.206/30;
}
family inet6 {
address 2001:db8:aaaa:1f::2/64 {
ndp 2001:db8:aaaa:1f::1 mac 56:47:de:ad:01:f3;
}
address ::ffff:192.0.2.206/126 {
ndp ::ffff:192.0.2.205 mac 56:47:de:ad:01:f3;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching;
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching;
}
}
lo0 {
unit 0 {
family inet {
address 203.0.113.1/24;
}
}
}
st0 {
unit 0 {
family inet {
address 192.168.100.2/24;
}
}
}
vlan {
unit 0 {
description R2-LAN;
family inet {
address 192.168.2.1/24;
}
family inet6 {
address 2001:db8:beef:2::1/64;
}
}
}
}
routing-options {
static {
route 203.0.113.0/24 discard;
route 192.168.1.0/24 next-hop 192.168.100.1;
}
autonomous-system 2 loops 2;
}
protocols {
bgp {
group ebgp-peers {
type external;
family inet {
any;
}
family inet6 {
any;
}
peer-as 1;
neighbor 192.0.2.201 {
import PEER_192.0.2.201_IMPORT;
export PEER_192.0.2.201_EXPORT;
}
neighbor 192.0.2.205 {
import PEER_192.0.2.205_IMPORT;
export PEER_192.0.2.205_EXPORT;
}
}
}
}
policy-options {
policy-statement PEER_192.0.2.201_EXPORT {
term ALLOWED {
from {
family inet;
route-filter 203.0.113.0/24 exact;
}
then {
metric subtract 1000;
accept;
}
}
term ALLOWED_INET6 {
from {
family inet6;
route-filter 2001:db8:beef:2::/64 exact;
}
then {
metric add 1000;
accept;
}
}
term DENY {
then reject;
}
}
policy-statement PEER_192.0.2.201_IMPORT {
term TERM1 {
then {
local-preference 120;
accept;
}
}
}
policy-statement PEER_192.0.2.205_EXPORT {
term ALLOWED {
from {
family inet;
route-filter 203.0.113.0/24 exact;
}
then {
metric add 1000;
accept;
}
}
term ALLOWED_INET6 {
from {
family inet6;
route-filter 2001:db8:beef:2::/64 exact;
}
then {
metric subtract 1000;
accept;
}
}
term DENY {
then reject;
}
}
policy-statement PEER_192.0.2.205_IMPORT {
term TERM1 {
then {
local-preference 80;
accept;
}
}
}
}
security {
ike {
proposal Remote-HQ {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
lifetime-seconds 86400;
}
policy Remote-HQ-Policy {
mode main;
proposals Remote-HQ;
pre-shared-key ascii-text "$9$UYiqf36A1RSTzRSreXxDik"; ## SECRET-DATA
}
gateway R1 {
ike-policy Remote-HQ-Policy;
address 198.51.100.1;
no-nat-traversal;
external-interface lo0.0;
}
}
ipsec {
proposal Remote-HQ {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-192-cbc;
lifetime-seconds 3600;
}
policy Remote-HQ-Policy {
perfect-forward-secrecy {
keys group2;
}
proposals Remote-HQ;
}
vpn R1 {
bind-interface st0.0;
ike {
gateway R1;
ipsec-policy Remote-HQ-Policy;
}
establish-tunnels immediately;
}
}
nat {
source {
pool r2-lan {
address {
203.0.113.0/24;
}
}
rule-set untrust-trust {
from zone untrust;
to zone trust;
rule r2-lan {
match {
source-address 192.168.2.0/24;
}
then {
source-nat {
pool {
r2-lan;
}
}
}
}
}
}
}
zones {
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
ssh;
ike;
}
protocols {
bgp;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
lo0.0;
}
}
security-zone trust {
address-book {
address 192.168.2.0/24 192.168.2.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone vpn {
address-book {
address 192.168.1.0/24 192.168.1.0/24;
}
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
interfaces {
st0.0;
}
}
}
policies {
from-zone trust to-zone trust {
policy INTRAZONE {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone vpn {
policy INTRAZONE {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy ALLOWED {
match {
source-address 192.168.1.0/24;
destination-address 192.168.2.0/24;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone trust to-zone vpn {
policy ALLOWED {
match {
source-address 192.168.2.0/24;
destination-address 192.168.1.0/24;
application any;
}
then {
permit;
}
}
}
}
forwarding-options {
family {
inet6 {
mode flow-based;
}
}
}
}
vlans {
r2-lan {
vlan-id 3;
interface {
fe-0/0/2.0;
fe-0/0/3.0;
fe-0/0/4.0;
fe-0/0/5.0;
fe-0/0/6.0;
fe-0/0/7.0;
}
l3-interface vlan.0;
}
}
R1's Complete Configuration
myuser@R1-A> show configuration
## Last commit: 2011-06-05 18:43:30 UTC by myuser
version 10.4R3.4;
groups {
node1 {
system {
host-name R1-B;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.0.1.213/24;
}
}
}
}
}
node0 {
system {
host-name R1-A;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.0.1.212/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
root-authentication {
encrypted-password "REMOVED"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user myuser {
uid 2000;
class super-user;
authentication {
encrypted-password "REMOVED"; ## SECRET-DATA
}
}
}
static-host-mapping {
services.netscreen.com inet 207.17.137.227;
www.juniper.net inet 207.17.137.239;
}
services {
ssh;
xnm-clear-text;
web-management {
http {
interface fxp0.0;
}
https {
system-generated-certificate;
interface fxp0.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.200 high 192.168.1.250;
name-server {
8.8.8.8;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
cluster {
control-link-recovery;
reth-count 2;
heartbeat-interval 2000;
heartbeat-threshold 8;
redundancy-group 0 {
node 0 priority 254;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 254;
node 1 priority 1;
preempt;
hold-down-interval 5;
interface-monitor {
fe-0/0/3 weight 255;
fe-2/0/3 weight 255;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.0.2.194/30;
}
family inet6 {
address 2001:0db8:aaaa:d::2/64 {
ndp 2001:0db8:aaaa:d::1 mac 56:47:de:ad:01:db;
}
address ::ffff:192.0.2.194/126 {
ndp ::ffff:192.0.2.193 mac 56:47:de:ad:01:db;
}
}
}
}
fe-0/0/3 {
fastether-options {
redundant-parent reth0;
}
}
ge-2/0/0 {
unit 0 {
family inet {
address 192.0.2.198/30;
}
family inet6 {
address 2001:0db8:aaaa:e::2/64 {
ndp 2001:0db8:aaaa:e::1 mac 56:47:de:ad:01:fe;
}
address ::ffff:192.0.2.198/126 {
ndp ::ffff:192.0.2.197 mac 56:47:de:ad:01:fe;
}
}
}
}
fe-2/0/3 {
fastether-options {
redundant-parent reth0;
}
}
fab0 {
fabric-options {
member-interfaces {
fe-0/0/4;
fe-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
fe-2/0/4;
fe-2/0/5;
}
}
}
fxp0 {
description "Management Interface - fe-0/0/6";
unit 0 {
family inet {
address 10.0.1.211/24 {
master-only;
}
}
}
}
lo0 {
unit 0 {
family inet {
address 198.51.100.1/32;
}
}
}
reth0 {
description "R1 LAN";
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 192.168.1.1/24;
}
family inet6 {
address 2001:0db8:beef:1::1/64;
}
}
}
st0 {
unit 0 {
family inet {
address 192.168.100.1/24;
}
}
}
}
routing-options {
graceful-restart;
static {
route 198.51.100.0/24 discard;
route 192.168.2.0/24 next-hop 192.168.100.2;
}
autonomous-system 2 loops 2;
}
protocols {
bgp {
group bgp-external {
type external;
family inet {
any;
}
family inet6 {
any;
}
peer-as 1;
neighbor 192.0.2.193 {
import [ PEER_192.0.2.193_IMPORT PEER_2001:0DB8:AAAA:1::1_IMPORT ];
export [ PEER_192.0.2.193_EXPORT PEER_2001:0DB8:AAAA:1::1_EXPORT ];
}
neighbor 192.0.2.197 {
import [ PEER_192.0.2.197_IMPORT PEER_2001:0DB8:AAAA:2::1_IMPORT ];
export [ PEER_192.0.2.197_EXPORT PEER_2001:0DB8:AAAA:2::1_EXPORT ];
}
}
}
}
policy-options {
policy-statement PEER_192.0.2.193_EXPORT {
term TERM1 {
from {
family inet;
route-filter 198.51.100.0/24 exact;
}
then {
metric subtract 1000;
accept;
}
}
}
policy-statement PEER_192.0.2.193_IMPORT {
term TERM1 {
from family inet;
then {
local-preference 120;
accept;
}
}
}
policy-statement PEER_192.0.2.197_EXPORT {
term TERM1 {
from {
family inet;
route-filter 198.51.100.0/24 exact;
}
then {
metric add 1000;
accept;
}
}
}
policy-statement PEER_192.0.2.197_IMPORT {
term TERM1 {
from family inet;
then {
local-preference 80;
accept;
}
}
}
policy-statement PEER_2001:0DB8:AAAA:1::1_EXPORT {
term TERM1 {
from {
family inet6;
route-filter 2001:0DB8:BEEF:1::/64 exact;
}
then {
metric subtract 1000;
accept;
}
}
}
policy-statement PEER_2001:0DB8:AAAA:1::1_IMPORT {
term TERM1 {
from family inet6;
then {
local-preference 80;
accept;
}
}
}
policy-statement PEER_2001:0DB8:AAAA:2::1_EXPORT {
term TERM1 {
from {
family inet6;
route-filter 2001:0DB8:BEEF:1::/64 exact;
}
then {
metric add 1000;
accept;
}
}
}
policy-statement PEER_2001:0DB8:AAAA:2::1_IMPORT {
term TERM1 {
from family inet6;
then {
local-preference 120;
accept;
}
}
}
}
security {
ike {
proposal Remote-Office {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
lifetime-seconds 86400;
}
policy Remote-Office-Policy {
mode main;
proposals Remote-Office;
pre-shared-key ascii-text "$9$RF/crvxNboJDWLJDikTQEcy"; ## SECRET-DATA
}
gateway R2 {
ike-policy Remote-Office-Policy;
address 203.0.113.1;
no-nat-traversal;
external-interface lo0.0;
}
}
ipsec {
proposal Remote-Office {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-192-cbc;
lifetime-seconds 3600;
}
policy Remote-Office-Policy {
perfect-forward-secrecy {
keys group2;
}
proposals Remote-Office;
}
vpn R2 {
bind-interface st0.0;
ike {
gateway R2;
ipsec-policy Remote-Office-Policy;
}
establish-tunnels immediately;
}
}
nat {
source {
pool PUBLICPAT {
address {
198.51.100.1/32;
}
}
rule-set untrust-trust {
from zone untrust;
to zone trust;
rule pat {
match {
source-address 192.168.1.0/24;
}
then {
source-nat {
pool {
PUBLICPAT;
}
}
}
}
}
}
}
zones {
functional-zone management {
host-inbound-traffic {
system-services {
ssh;
ping;
http;
https;
}
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
ssh;
ike;
}
protocols {
bgp;
}
}
interfaces {
ge-0/0/0.0;
ge-2/0/0.0;
lo0.0;
}
}
security-zone trust {
address-book {
address 192.168.1.0/24 192.168.1.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth0.0;
}
}
security-zone vpn {
address-book {
address 192.168.2.0/24 192.168.2.0/24;
}
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
interfaces {
st0.0;
}
}
}
policies {
from-zone trust to-zone trust {
policy INTRAZONE-ALLOWED {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-untrust-allowed-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone vpn to-zone vpn {
policy INTRAZONE-ALLOWED {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-trust {
match {
source-address 192.168.2.0/24;
destination-address 192.168.1.0/24;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone trust to-zone vpn {
policy trust-vpn {
match {
source-address 192.168.1.0/24;
destination-address 192.168.2.0/24;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
}
forwarding-options {
family {
inet6 {
mode flow-based;
}
}
}
}
Useful Commands
There are a bunch of useful commands on the SRX. Here are a few:
You can check the IKE SA status
{primary:node0}
myuser@R1-A> show security ike ?
Possible completions:
active-peer Show IKE active peers
pre-shared-key Show IKE pre-shared key information for a particular group-ike-id user
security-associations Show IKE security association information
You can also check the IPSec SA Status and statistics
{primary:node0}
myuser@R1-A> show security ipsec ?
Possible completions:
next-hop-tunnels Show manual and auto next-hop-tunnel entries
security-associations Show IPSec security association information
statistics Show IPSec statistics
{primary:node0}
If you run into problems you can enable IKE and IPSec traceoptions. You can also check out the hidden command:
myuser@R1-A> request security ike debug-enable local 192.168.100.1 remote 192.168.100.2 level 15
myuser@R1-A> show log kmd
Disable debugging with:
myuser@R1-A> request security ike debug-disable
I found the above in the Junos Security book on Page 315. I imagine you want to be very careful with the above on production equipment!
No comments:
Post a Comment