Route-Based IPSec VPN in Juniper SRX to SRX
I explained how to configure a policy-based IPsec VPN in my previous article. Now I am going to explain the configuration and an implementation scenario for a route-based IPsec VPN between two Juniper SRX devices. A route-based IPsec VPN is more scalable than a policy-based VPN and is the recommended choice in most deployments. The basics of both VPN types are explained in Policy-based vs Route-Based IPsec VPN.
Network Scenario:

IPsec (Phase-I and Phase-II) VPN parameters
The following VPN parameters are required to establish the route-based IPsec VPN between the two Juniper SRX devices. Both peers must agree on every Phase-I and Phase-II value; only the proxy identities and the remote gateway address are mirrored.
| VPN Parameters | SRX C | SRX B |
|---|---|---|
| **Phase-I (IKE)** | | |
| Authentication method | Preshared key | Preshared key |
| Authentication algorithm | sha1 | sha1 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| DH group | 5 | 5 |
| Lifetime (sec) | 28800 | 28800 |
| Mode | Main | Main |
| Remote gateway address | 10.10.20.1 | 10.10.30.1 |
| NAT-keepalive | 10 | 10 |
| **Phase-II (IPsec)** | | |
| Protocol | ESP | ESP |
| Authentication algorithm | sha1-96 | sha1-96 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| PFS key group | 5 | 5 |
| Lifetime (sec) | 86400 | 86400 |
| Proxy-identity local | 192.168.1.0/24 | 192.168.200.0/24 |
| Proxy-identity remote | 192.168.200.0/24 | 192.168.1.0/24 |
| Proxy-identity service | any | any |
| **Locally significant** | | |
| Outgoing interface | ge-0/0/0 | ge-0/0/0 |
| Tunnel interface | st0.0 | st0.0 |
Now I am going to configure the route-based IPsec VPN on Juniper SRX C for the network scenario above. SRX B can be configured in the same way using the VPN parameters tabulated above.
Configuring VPN in Juniper SRX [side C]
I have tested this template on an SRX210 running Junos 11.4.
Configure the WAN-side interface and assign its IP address
user@SRX-C#set interfaces ge-0/0/0 unit 0 description "WAN INTERFACE"
user@SRX-C#set interfaces ge-0/0/0 unit 0 family inet address 10.10.30.1/30
Configure the LAN-side interface and assign its IP address
user@SRX-C#set interfaces ge-0/0/1 unit 0 description "LAN INTERFACE"
user@SRX-C#set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
Configure the VPN tunnel interface: the tunnel interface is assigned IP 172.16.1.1/30 on this site to form a point-to-point tunnel. SRX B must use an address from the same /30 subnet on its tunnel interface.
user@SRX-C#set interfaces st0 unit 0 description "VPN SECURE TUNNEL"
user@SRX-C#set interfaces st0 unit 0 family inet address 172.16.1.1/30
Configure the default route and the route for VPN tunnel traffic
For VPN tunnel traffic, the secure tunnel interface (st0.0) is configured as the next hop. The tunnel IP address of the other site can also be used as the next hop. Dynamic routing can also be run over the secure tunnel interface.
user@SRX-C#set routing-options static route 0.0.0.0/0 next-hop 10.10.30.2
user@SRX-C#set routing-options static route 192.168.200.0/24 next-hop st0.0
Configure security zones, assign interfaces to the zones and add host-inbound system services to these zones
IKE must be allowed as a host-inbound system service in the internet-facing zone (WAN) so that IKE negotiation can take place between the VPN peers. To keep the security policies for VPN and non-VPN traffic separate, the secure tunnel interface is placed in its own zone, named VPN, distinct from the WAN and LAN zones.
user@SRX-C#set security zones security-zone WAN host-inbound-traffic system-services ike
user@SRX-C#set security zones security-zone WAN interfaces ge-0/0/0.0
user@SRX-C#set security zones security-zone LAN host-inbound-traffic system-services all
user@SRX-C#set security zones security-zone LAN interfaces ge-0/0/1.0
user@SRX-C#set security zones security-zone VPN interfaces st0.0
Configure the local address in the LAN zone and the remote address in the VPN zone
user@SRX-C#set security zones security-zone LAN address-book address LOCAL_IP 192.168.1.0/24
user@SRX-C#set security zones security-zone VPN address-book address REMOTE_IP 192.168.200.0/24
Configure the Phase-I IKE proposal and policy for main mode as listed in the table above
Here I have defined the Phase-I VPN parameters manually instead of using the defaults.
user@SRX-C#set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
user@SRX-C#set security ike proposal IKE-PROPOSAL dh-group group5
user@SRX-C#set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
user@SRX-C#set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
user@SRX-C#set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
user@SRX-C#set security ike policy IKE-POLICY mode main
user@SRX-C#set security ike policy IKE-POLICY proposals IKE-PROPOSAL
user@SRX-C#set security ike policy IKE-POLICY pre-shared-key ascii-text <preshared-key>
Configure the IKE gateway (Phase-I) with the IKE policy, peer address and outgoing interface
To identify the remote IKE peer, I use the peer's IP address and the outgoing interface ge-0/0/0 of the SRX. Dead-peer detection is also enabled on the gateway.
user@SRX-C#set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
user@SRX-C#set security ike gateway VPN-GATEWAY address 10.10.20.1
user@SRX-C#set security ike gateway VPN-GATEWAY dead-peer-detection interval 10
user@SRX-C#set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1
user@SRX-C#set security ike gateway VPN-GATEWAY nat-keepalive 10
user@SRX-C#set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0
Configure the Phase-II proposal and policy as listed in the table above
Here I have defined the Phase-II VPN parameters manually instead of using the defaults.
user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL protocol esp
user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
user@SRX-C#set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
user@SRX-C#set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
user@SRX-C#set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
Configure the IPsec VPN (Phase-II) with the IKE gateway and IPsec policy, and bind it to the tunnel interface
user@SRX-C#set security ipsec vpn IPSEC-VPN bind-interface st0.0
user@SRX-C#set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
user@SRX-C#set security ipsec vpn IPSEC-VPN ike proxy-identity local 192.168.1.0/24
user@SRX-C#set security ipsec vpn IPSEC-VPN ike proxy-identity remote 192.168.200.0/24
user@SRX-C#set security ipsec vpn IPSEC-VPN ike proxy-identity service any
user@SRX-C#set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
user@SRX-C#set security ipsec vpn IPSEC-VPN establish-tunnels immediately
Configure the security policies for VPN traffic in both directions between the LAN and VPN zones:
user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN match source-address LOCAL_IP
user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN match destination-address REMOTE_IP
user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN match application any
user@SRX-C#set security policies from-zone LAN to-zone VPN policy LAN_VPN then permit
user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN match source-address REMOTE_IP
user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN match destination-address LOCAL_IP
user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN match application any
user@SRX-C#set security policies from-zone VPN to-zone LAN policy VPN_LAN then permit
Configure the security policy for internet traffic from the LAN to the WAN zone
user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN match source-address any
user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN match destination-address any
user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN match application any
user@SRX-C#set security policies from-zone LAN to-zone WAN policy LAN_WAN then permit
Configure source NAT for internet traffic from the LAN to the WAN zone
NAT is required to pass internet traffic from the LAN zone to the WAN zone. The LAN zone source address is translated to the egress interface IP of the SRX when traffic goes to the internet. A NAT-off rule for the VPN traffic should be placed above this rule so that VPN traffic is not translated.
user@SRX-C#set security nat source rule-set LAN-TO_WAN from zone LAN
user@SRX-C#set security nat source rule-set LAN-TO_WAN to zone WAN
user@SRX-C#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match source-address 0.0.0.0/0
user@SRX-C#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match destination-address 0.0.0.0/0
user@SRX-C#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT then source-nat interface
Configure tcp-mss to eliminate fragmentation of TCP traffic across the tunnel
The tcp-mss for IPsec traffic is set to eliminate the possibility of fragmented TCP traffic inside the tunnel; it limits the maximum size of a TCP segment.
user@SRX-C#set security flow tcp-mss ipsec-vpn mss 1350
The Juniper SRX [Side B] device can be configured in the same way, using the VPN parameters tabulated above and following the same steps.
The following commands verify the VPN tunnel and its status:
- user@SRX-C>show security ike security-associations
- user@SRX-C>show security ipsec security-associations
- user@SRX-C>show security ike security-associations detail
- user@SRX-C>show security ipsec security-associations detail
- user@SRX-C>show security flow session tunnel