
Site To Site IPSec VPN in Juniper SSG with one side dynamic IP Part 2
A VPN with a static IP address on one side and a dynamic IP address on the other is a variant of the site-to-site IPsec VPN. In this example I have designed and configured a site-to-site IPsec VPN between two Juniper SSG devices where one side has a dynamic IP. The same design applies to any scenario in which one side has a static and the other a dynamic IP address; only the VPN parameter values need to be replaced.
In an IPsec VPN with one static and one dynamic side, the VPN is always initiated by the side with the dynamic IP address. Here I have configured a local-id on the dynamic side and a matching peer-id on the static side so that the two sides can identify each other and establish the IPsec VPN.
Site to Site IPSec VPN in Juniper SSG with one side dynamic IP
The Phase-I and Phase-II proposal parameters used here are defined manually, so any parameter can be adjusted easily once the scenario is understood. The table below lists the Phase-I and Phase-II VPN parameters that must be identical on both VPN devices, plus the locally significant parameters, which only need to be unique among the values already present in the local SSG configuration.
The configuration assumes that a basic configuration is already in place on both devices. I have kept it to the minimum required to configure a site-to-site IPsec VPN between Juniper SSG series devices where one side has a static IP address and the other has a dynamic IP address (for example one assigned by DHCP).
I am going to show both ways of configuring the SSG, by CLI and by the WebUI, step by step. Configuring the SSG through the WebUI is far easier than the CLI procedure for users who are less familiar with the NetScreen ScreenOS CLI, though I prefer the CLI myself.
First, I configure both locations using the CLI procedure in Part 1; then I show the WebUI procedure in Part 2.
IPsec (Phase-I and Phase-II) VPN parameters

| | VPN Parameters | Side A SSG | Side B SSG |
|---|---|---|---|
| Phase-I (IKE) | Authentication method | Preshared key | Preshared key |
| | Authentication algorithm | SHA-1 | SHA-1 |
| | Encryption algorithm | DES-CBC | DES-CBC |
| | DH group | 2 | 2 |
| | Lifetime (sec) | 28800 | 28800 |
| | Mode | Aggressive | Aggressive |
| | Remote gateway address | 0.0.0.0 | 10.10.10.1 |
| | Peer-id | dynamic@vpn | |
| | Local-id | | dynamic@vpn |
| Phase-II (IPsec) | Protocol | ESP | ESP |
| | Authentication algorithm | sha1-96 | sha1-96 |
| | Encryption algorithm | DES-CBC | DES-CBC |
| | PFS key group | 2 | 2 |
| | Lifetime (sec) | 86400 | 86400 |
| | Proxy-identity: local | 192.168.100.0/24 | 192.168.200.0/24 |
| | Proxy-identity: remote | 192.168.200.0/24 | 192.168.100.0/24 |
| | Service | Any | Any |
| Locally significant | Outgoing interface | Eth0/0 | Eth0/0 |
| | Tunnel interface | Tunnel.1 | Tunnel.1 |
| | VPN ID | 0x1 | 0x1 |
| | Policy ID | xx | xx |
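As an added check that is not part of the original post: the table above encoded as two Python dictionaries, with a function that flags the cross-side mismatches that most often keep a static/dynamic pair from negotiating (mirrored proxy-IDs, peer-id versus local-id, remote gateway addressing, and the shared Phase-I/Phase-II values). The dictionary keys are my own naming; the values are those from the table.

```python
# Constructed example (not the original post's code): the two table columns
# above, checked against the rules the text states for a static/dynamic pair.

SIDE_A = {                             # static WAN address
    "wan_ip": "10.10.10.1",
    "ike": {"auth": "preshare", "hash": "sha1", "enc": "des-cbc",
            "dh": 2, "lifetime": 28800, "mode": "aggressive"},
    "ipsec": {"proto": "esp", "hash": "sha1-96", "enc": "des-cbc",
              "pfs": 2, "lifetime": 86400},
    "remote_gateway": "0.0.0.0",       # peer address unknown (dynamic)
    "peer_id": "dynamic@vpn",
    "local_id": None,
    "proxy_local": "192.168.100.0/24",
    "proxy_remote": "192.168.200.0/24",
}
SIDE_B = {                             # WAN address assigned by DHCP
    "wan_ip": None,
    "ike": dict(SIDE_A["ike"]),
    "ipsec": dict(SIDE_A["ipsec"]),
    "remote_gateway": "10.10.10.1",    # Side A's static address
    "peer_id": None,
    "local_id": "dynamic@vpn",
    "proxy_local": "192.168.200.0/24",
    "proxy_remote": "192.168.100.0/24",
}

def check_pair(static, dynamic):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    problems = []
    # Shared parameters: every Phase-I and Phase-II value must be identical.
    for phase in ("ike", "ipsec"):
        for key, value in static[phase].items():
            if dynamic[phase].get(key) != value:
                problems.append(f"{phase}.{key}: {value!r} vs {dynamic[phase].get(key)!r}")
    # A preshared-key peer identified by name rather than address needs aggressive mode.
    if static["ike"]["mode"] != "aggressive":
        problems.append("ike.mode: dynamic peer with preshared key needs aggressive mode")
    # Gateways: the static side accepts any address, the dynamic side dials the static IP.
    if static["remote_gateway"] != "0.0.0.0":
        problems.append("static side remote gateway must be 0.0.0.0")
    if dynamic["remote_gateway"] != static["wan_ip"]:
        problems.append("dynamic side remote gateway must be the static side's WAN IP")
    # Identities: the static side's peer-id is the dynamic side's local-id.
    if not static["peer_id"] or static["peer_id"] != dynamic["local_id"]:
        problems.append("peer-id (static side) must equal local-id (dynamic side)")
    # Proxy-IDs mirror each other: A's local is B's remote and vice versa.
    if (static["proxy_local"], static["proxy_remote"]) != (dynamic["proxy_remote"], dynamic["proxy_local"]):
        problems.append("proxy-ids must mirror each other")
    return problems
```

Running `check_pair(SIDE_A, SIDE_B)` on the table values returns an empty list; copying Side A's proxy-IDs to Side B without swapping them, or changing one DH group, is reported by name.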
Side A SSG configuration
Side A SSG has a static IP address on the interface facing the Internet/WAN. All configuration steps here are based on the VPN parameters listed in the table above. I have configured the tunnel.1 interface on the SSG device and bound it to the Trust zone; you can bind it to a zone other than Trust if you prefer. I chose Trust so that no additional policies are needed for users when the basic configuration already contains a policy. The destination network is routed via the tunnel.1 interface, which is bound to the Phase-II VPN, to reach the other side's SSG across the Internet. Traffic crossing the Internet is therefore encrypted, protecting the data from unauthorized access.
WEB Procedure: Steps 1 to 7 below are for the Side A SSG, which has a static IP address on its Internet-facing interface. The Side B SSG, which has a dynamic IP address on its Internet-facing interface, is configured the same way with its own locally significant values, except that Step 4 is replaced by Step 8; all other steps remain as described.
Step 1 Configure Tunnel Interface
- Go to Network > Interfaces
- Select Tunnel IF from the drop-down and click New
- Enter the tunnel interface number: 1
- Select the Zone: Trust (trust-vr). This will be the outgoing zone and the corresponding virtual router.
- Select Unnumbered, then select the interface ethernet0/1 (trust-vr) from the drop-down. This is the local interface on which the unencrypted traffic will arrive.
- Select OK
Step 2 Configure Phase-I Proposal
- Go to VPNs > AutoKey Advanced > P1 Proposal and select New
- Enter and select the Phase-I parameters from the table as required
Step 3 Configure Phase-II Proposal
- Go to VPNs > AutoKey Advanced > P2 Proposal and select New
- Enter and select the Phase-II parameters from the table as required
Step 4 Configure Phase-I VPN Parameters for SSG having static IP address
- Go to VPNs > AutoKey Advanced > Gateway and select New
- Enter the gateway name
- Select Dynamic IP Address and add the peer ID (dynamic@vpn in the table)
Configuring Advanced parameters
- Select Advanced
- Enter the preshared key
- Select the outgoing interface. It will be the Untrust interface.
- Select User Defined Custom and select your Phase 1 proposal.
- Select the mode Aggressive
- Select Return
- Select OK
Step 5 Configure Phase-II VPN Parameters
- Click VPNs > AutoKey IKE > New
- Add your VPN name
- Select the gateway created in Step 4
Configuring Advanced parameters
- Click Advanced
- Select User Defined Custom
- Select your Phase 2 proposal
- Select Bind to Tunnel Interface and select the tunnel interface created earlier from the drop-down.
- Select Return
- Select OK
Configuring Proxy IDs
- Click Proxy ID
- Enter the local IP, remote IP and service
- Select New.
Step 6 Configure security Policies
- Go to Policy > Policies and select the From zone and the To zone from the drop-downs
- Create a new policy from Trust to Trust
- Add your source address, destination address and service
- Check the Logging box, at session beginning, and Position at Top
- Select the action Permit.
- Click OK
Note: Similarly, create another policy with the zones and addresses reversed for traffic going the other way.
Step 7 Configure route for remote Network
- Go to Network > Routing > Destination and click New
- Enter the IP address/netmask. This is the remote network.
- Select Gateway as the next hop.
- Then select the tunnel interface from the drop-down.
- Click OK
Step 8 Configure Phase-I VPN Parameters for SSG having dynamic IP address
- Go to VPNs > AutoKey Advanced > Gateway and select New
- Enter the gateway name
- Select Static IP Address and add the IP address/hostname of the Side A SSG (10.10.10.1 in the table)
Configuring Advanced parameters
- Select Advanced
- Enter the preshared key
- Enter the local ID (dynamic@vpn in the table)
- Select the outgoing interface. It will be the Untrust interface.
- Select User Defined Custom and select your Phase 1 proposal.
- Select the mode Aggressive
- Select Return
- Select OK
