Policy Based IPSec VPN in Juniper SRX to SRX
Policy-based IPsec VPN is configured a little differently from route-based IPsec VPN. Here I explain and show how to configure a policy-based IPsec VPN between two Juniper SRX devices, as a worked example of a policy-based IPsec VPN.
Policy-based IPsec VPN can be implemented similarly on products from different vendors such as Juniper, Cisco, FortiGate and SonicWall. It is easy to implement, but it is considered less flexible than route-based IPsec VPN. Click on the link to find the differences between policy-based and route-based IPsec VPN.

Here I have tabulated the IPsec VPN parameters for both sides. They must be identical on both devices, except for the locally significant parameters. They can be changed to suit the network scenario and requirements, but remember that any changed parameter must still match on both sides.
IPsec (Phase-I and Phase-II) VPN parameters
The following VPN parameters are needed to establish a policy-based IPsec VPN between two Juniper SRX devices.
| VPN Parameters | SIDE A SRX | SIDE B SRX |
|---|---|---|
| Phase-I (IKE) | | |
| Authentication method | Preshared key | Preshared key |
| Authentication algorithm | sha1 | sha1 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| DH group | 5 | 5 |
| Lifetime (sec) | 28800 | 28800 |
| Mode | Main | Main |
| Remote gateway address | 10.10.20.2 | 10.10.10.2 |
| NAT keepalive | 10 | 10 |
| Phase-II (IPsec) | | |
| Protocol | esp | esp |
| Authentication algorithm | sha1-96 | sha1-96 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| PFS keys group | 5 | 5 |
| Lifetime (sec) | 86400 | 86400 |
| Proxy-identity local | 192.168.100.0/24 | 192.168.200.0/24 |
| Proxy-identity remote | 192.168.200.0/24 | 192.168.100.0/24 |
| Service | any | any |
| Locally significant | | |
| Outgoing interface | ge-0/0/0 | ge-0/0/0 |
Now I will configure the policy-based IPsec VPN on the Side A SRX device below. The Side B SRX device can be configured in the same way using the VPN parameters tabulated above.
Configuring VPN in Juniper SRX [side A]
I have configured this template on an SRX210 running Junos 11.4.
Configure the WAN-side interface and assign its IP address
user@SRX# set interfaces ge-0/0/0 unit 0 description "WAN INTERFACE"
user@SRX# set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/30
Configure the LAN-side interface and assign its IP address
user@SRX# set interfaces ge-0/0/1 unit 0 description "LAN INTERFACE"
user@SRX# set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24
Configure the default route, which also carries the VPN tunnel traffic
The VPN tunnel traffic uses the same next-hop as the internet traffic, so the default route covers it.
user@SRX# set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1
Configure the security zones, assign the interfaces to them and add host-inbound system services
IKE must be allowed as a host-inbound system service in the internet-facing zone (WAN) so that the IKE negotiation with the VPN peer can take place.
user@SRX# set security zones security-zone WAN host-inbound-traffic system-services ike
user@SRX# set security zones security-zone WAN interfaces ge-0/0/0.0
user@SRX# set security zones security-zone LAN host-inbound-traffic system-services all
user@SRX# set security zones security-zone LAN interfaces ge-0/0/1.0
Configure the local network in the LAN zone address book and the remote network in the WAN zone address book
user@SRX# set security zones security-zone LAN address-book address LOCAL_IP 192.168.100.0/24
user@SRX# set security zones security-zone WAN address-book address REMOTE_IP 192.168.200.0/24
Configure the Phase-I IKE proposal and policy for main mode, as listed in the table above
Here I have defined the Phase-I VPN parameters manually instead of using the defaults.
user@SRX# set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
user@SRX# set security ike proposal IKE-PROPOSAL dh-group group5
user@SRX# set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
user@SRX# set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
user@SRX# set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
user@SRX# set security ike policy IKE-POLICY mode main
user@SRX# set security ike policy IKE-POLICY proposals IKE-PROPOSAL
user@SRX# set security ike policy IKE-POLICY pre-shared-key ascii-text <preshared-key>
Configure the IKE gateway (Phase-I) with the IKE policy, peer address and outgoing interface
To identify the remote IKE peer, I use the IP address of the peer device and the outgoing interface ge-0/0/0 of the SRX. Dead peer detection and NAT keepalive are enabled on the same gateway.
user@SRX# set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
user@SRX# set security ike gateway VPN-GATEWAY address 10.10.20.2
user@SRX# set security ike gateway VPN-GATEWAY dead-peer-detection interval 10
user@SRX# set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1
user@SRX# set security ike gateway VPN-GATEWAY nat-keepalive 10
user@SRX# set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0
Configure the Phase-II IPsec proposal and policy as listed in the table above
Here I have defined the Phase-II VPN parameters manually instead of using the defaults.
user@SRX# set security ipsec proposal IPSEC-PROPOSAL protocol esp
user@SRX# set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
user@SRX# set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
user@SRX# set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
user@SRX# set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
user@SRX# set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
Configure the IPsec VPN (Phase-II) with the IKE gateway, proxy identities and IPsec policy
user@SRX# set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
user@SRX# set security ipsec vpn IPSEC-VPN ike proxy-identity local 192.168.100.0/24
user@SRX# set security ipsec vpn IPSEC-VPN ike proxy-identity remote 192.168.200.0/24
user@SRX# set security ipsec vpn IPSEC-VPN ike proxy-identity service any
user@SRX# set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
user@SRX# set security ipsec vpn IPSEC-VPN establish-tunnels immediately
Configure the security policy for VPN traffic from the LAN zone to the WAN zone. Note that the VPN policy must be at the top of the policy list. Here a single policy is configured, but multiple policies with different services can be configured. Each additional policy adds another IPsec tunnel, because a policy-based VPN creates one tunnel per policy, which is one of the disadvantages of policy-based VPN.
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN match source-address LOCAL_IP
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN match destination-address REMOTE_IP
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN match application any
user@SRX# set security policies from-zone LAN to-zone WAN policy LAN_WAN then permit tunnel ipsec-vpn IPSEC-VPN
Configure the security policy for VPN traffic from the WAN zone to the LAN zone. Again, this policy must be at the top of the policy list.
user@SRX# set security policies from-zone WAN to-zone LAN policy WAN_LAN match source-address REMOTE_IP
user@SRX# set security policies from-zone WAN to-zone LAN policy WAN_LAN match destination-address LOCAL_IP
user@SRX# set security policies from-zone WAN to-zone LAN policy WAN_LAN match application any
user@SRX# set security policies from-zone WAN to-zone LAN policy WAN_LAN then permit tunnel ipsec-vpn IPSEC-VPN
Configure source NAT for internet traffic from the LAN zone to the WAN zone
NAT is required for internet traffic from the LAN zone to the WAN zone: the LAN source addresses are translated to the egress interface IP of the SRX on the way to the internet. A NAT-off rule for the VPN traffic must sit above this rule.
user@SRX# set security nat source rule-set LAN-TO_WAN from zone LAN
user@SRX# set security nat source rule-set LAN-TO_WAN to zone WAN
user@SRX# set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match source-address 0.0.0.0/0
user@SRX# set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match destination-address 0.0.0.0/0
user@SRX# set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT then source-nat interface
Configure NAT off for VPN traffic: it is very important to add a source NAT rule with NAT off for the VPN traffic, and it must sit above the NAT rule for internet traffic. Junos evaluates the rules of a rule-set in the order they appear, so when the SOURCE-NAT rule already exists, move NAT-OFF above it with the insert command shown last.
user@SRX# set security nat source rule-set LAN-TO_WAN from zone LAN
user@SRX# set security nat source rule-set LAN-TO_WAN to zone WAN
user@SRX# set security nat source rule-set LAN-TO_WAN rule NAT-OFF match source-address 192.168.100.0/24
user@SRX# set security nat source rule-set LAN-TO_WAN rule NAT-OFF match destination-address 192.168.200.0/24
user@SRX# set security nat source rule-set LAN-TO_WAN rule NAT-OFF then source-nat off
user@SRX# insert security nat source rule-set LAN-TO_WAN rule NAT-OFF before rule SOURCE-NAT
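To make the ordering point concrete, here is an added Python model (not the post's own code) of how the SRX walks this rule-set first-match: with NAT-OFF above SOURCE-NAT the VPN traffic keeps its 192.168.100.0/24 source, while with the order reversed it is rewritten to the WAN address and no longer fits the local proxy-identity. The rules and networks are the ones from the configuration above; the sample host addresses are constructed.

```python
# Added example, not from the original post: a first-match model of the
# source NAT rule-set above, showing why NAT-OFF must sit above SOURCE-NAT.
# Rules, networks and the egress IP (the WAN address 10.10.10.2) are taken
# from the post's configuration; the sample hosts are constructed.
import ipaddress

# (rule name, match source, match destination, action)
SOURCE_NAT = ("SOURCE-NAT", "0.0.0.0/0", "0.0.0.0/0", "interface")
NAT_OFF = ("NAT-OFF", "192.168.100.0/24", "192.168.200.0/24", "off")
EGRESS_IP = "10.10.10.2"
PROXY_LOCAL = ipaddress.ip_network("192.168.100.0/24")  # proxy-identity local

def translate(rule_set, src, dst):
    """Apply the first matching rule, as the SRX does, and return the source
    address the packet leaves with (None when no rule matches)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _name, m_src, m_dst, action in rule_set:
        if s in ipaddress.ip_network(m_src) and d in ipaddress.ip_network(m_dst):
            return EGRESS_IP if action == "interface" else src
    return None

def vpn_traffic_ok(rule_set, src="192.168.100.10", dst="192.168.200.10"):
    """True only if LAN-to-remote-LAN traffic still carries a source inside the
    local proxy-identity after NAT, i.e. it can still be sent into the tunnel."""
    out = translate(rule_set, src, dst)
    return out is not None and ipaddress.ip_address(out) in PROXY_LOCAL
```

Internet-bound traffic (for example 192.168.100.10 to 8.8.8.8) still hits SOURCE-NAT and leaves as 10.10.10.2 in both orders; only the VPN traffic depends on the rule order.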
Configure tcp-mss to avoid fragmentation of TCP traffic across the tunnel
The tcp-mss for IPsec traffic is set to eliminate the possibility of fragmented TCP traffic; it caps the maximum segment size of TCP sessions that traverse the tunnel.
user@SRX# set security flow tcp-mss ipsec-vpn mss 1350
The Juniper SRX [Side B] device can be configured in the same way, using the Side B column of the parameter table above and following the same steps.
The following commands verify the VPN tunnel and its status.
- user@SRX> show security ike security-associations
- user@SRX> show security ipsec security-associations
- user@SRX> show security ike security-associations detail
- user@SRX> show security ipsec security-associations detail
- user@SRX> show security flow session tunnel