OSPF over IPSec VPN in SRX to SRX

I came to set up dynamic routing over an IPsec VPN for a scenario, so here I am going to set up OSPF over an IPsec VPN between two SRX devices. Dynamic routing can only run over an IPsec tunnel in a route-based site-to-site VPN, because only there is the tunnel bound to an st0 interface that a routing protocol can run over. The Phase-I and Phase-II proposal parameters used here are defined manually; they can be adjusted as the scenario requires. The table below lists the Phase-I and Phase-II VPN parameters. The negotiated parameters must be the same on both VPN peers, while the locally significant parameters (outgoing interface, tunnel interface) need only be unique on the device where they are configured and must not clash with values already in use. The configuration assumes that basic configuration is already in place on both devices. The Junos version used is 11.4. The configuration here is kept simple, with the minimum required to configure a site-to-site IPsec VPN on the SRX series.

IPSec (Phase-I and Phase-II) VPN parameters
The following VPN parameters are significant for establishing a route-based IPsec VPN between two Juniper SRX devices.

| VPN Parameters | SRX A | SRX B |
|---|---|---|
| Phase-I (IKE) | | |
| Authentication method | Preshared key | Preshared key |
| Authentication algorithm | sha1 | sha1 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| DH group | 5 | 5 |
| Lifetime (sec) | 28800 | 28800 |
| Mode | Main | Main |
| Remote gateway address | 10.10.20.2 | 10.10.10.2 |
| NAT keepalive | 10 | 10 |
| Phase-II (IPsec) | | |
| Protocol | ESP | ESP |
| Authentication algorithm | sha1-96 | sha1-96 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| PFS keys group | 5 | 5 |
| Lifetime (sec) | 86400 | 86400 |
| Proxy-identity local | 192.168.100.0/24 | 192.168.200.0/24 |
| Proxy-identity remote | 192.168.200.0/24 | 192.168.100.0/24 |
| Service | any | any |
| Locally significant | | |
| Outgoing interface | ge-0/0/0 | ge-0/0/0 |
| Tunnel interface | st0.0 | st0.0 |
Now, the following configuration steps need to be added on the Juniper SRX A side.
Configuring VPN in SRX A
Configure the WAN side interface and assign its IP address
gsraut@SRXA#set interfaces ge-0/0/0 unit 0 description "WAN INTERFACE"
gsraut@SRXA#set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/30

Configure the LAN side interface and assign its IP address
gsraut@SRXA#set interfaces ge-0/0/1 unit 0 description "LAN INTERFACE"
gsraut@SRXA#set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24

Configure the VPN tunnel interface (the address keyword is required under family inet)
gsraut@SRXA#set interfaces st0 unit 0 description "VPN SECURE TUNNEL"
gsraut@SRXA#set interfaces st0 unit 0 family inet address 192.168.255.1/30

Configure the default route for internet traffic
gsraut@SRXA#set routing-options static route 0.0.0.0/0 next-hop 10.10.10

Configure a policy to export the directly connected network into OSPF
In the given scenario there is a directly connected interface and prefix that need to be exported into the OSPF instance running over the tunnel interface. This policy differs per scenario and is what makes the internal network reachable through OSPF. The prefix is matched with route-filter, and the term needs a terminating then accept: without it the term takes no action and OSPF's default export policy rejects the route.
gsraut@SRXA#set policy-options policy-statement direct-ospf term T1 from protocol direct
gsraut@SRXA#set policy-options policy-statement direct-ospf term T1 from interface ge-0/0/1.0
gsraut@SRXA#set policy-options policy-statement direct-ospf term T1 from route-filter 192.168.100.0/24 orlonger
gsraut@SRXA#set policy-options policy-statement direct-ospf term T1 then accept

Configure dynamic routing (OSPF) for tunnel traffic
Routing over the tunnel is configured on the tunnel interface as a point-to-point link, and the neighbor is the tunnel IP address of the other side.
gsraut@SRXA#set protocols ospf export direct-ospf
gsraut@SRXA#set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
gsraut@SRXA#set protocols ospf area 0.0.0.0 interface st0.0 neighbor 192.168.255.2

Configure security zones, assign interfaces to the zones and add host-inbound system services to these zones
To keep the security policies for non-VPN and VPN traffic separate, the st0.0 tunnel interface is placed in its own zone named VPN, distinct from the WAN and LAN zones. IKE must be allowed as a host-inbound system service in the internet-facing zone (WAN) so that the IKE negotiation between the VPN peers can take place. OSPF must be allowed as a host-inbound protocol in the VPN zone. Allowing all system services on the LAN zone is convenient for this lab; in production, limit it to the services actually needed.
gsraut@SRXA#set security zones security-zone WAN host-inbound-traffic system-services ike
gsraut@SRXA#set security zones security-zone WAN interfaces ge-0/0/0.0
gsraut@SRXA#set security zones security-zone LAN host-inbound-traffic system-services all
gsraut@SRXA#set security zones security-zone LAN interfaces ge-0/0/1.0
gsraut@SRXA#set security zones security-zone VPN interfaces st0.0
gsraut@SRXA#set security zones security-zone VPN host-inbound-traffic protocols ospf

Configure the Phase-I IKE proposal and policy for main mode as listed in the table above
Here I have defined the Phase-I VPN parameters manually instead of using the defaults.
gsraut@SRXA#set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
gsraut@SRXA#set security ike proposal IKE-PROPOSAL dh-group group5
gsraut@SRXA#set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
gsraut@SRXA#set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
gsraut@SRXA#set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
gsraut@SRXA#set security ike policy IKE-POLICY mode main
gsraut@SRXA#set security ike policy IKE-POLICY proposals IKE-PROPOSAL
gsraut@SRXA#set security ike policy IKE-POLICY pre-shared-key ascii-text <preshared-key>

Configure the VPN gateway (Phase-I) with the IKE policy, peer address and outgoing interface
To identify the remote IKE peer, I have used the IP address of the peer device and the outgoing interface ge-0/0/0 of the SRX. Dead peer detection is enabled so that a failed peer is detected and the tunnel torn down rather than left black-holing traffic.
gsraut@SRXA#set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
gsraut@SRXA#set security ike gateway VPN-GATEWAY address 10.10.20.2
gsraut@SRXA#set security ike gateway VPN-GATEWAY dead-peer-detection interval 10
gsraut@SRXA#set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1
gsraut@SRXA#set security ike gateway VPN-GATEWAY nat-keepalive 10
gsraut@SRXA#set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0

Configure the Phase-II proposal and policy as listed in the table above
Here I have defined the Phase-II VPN parameters manually instead of using the defaults.
gsraut@SRXA#set security ipsec proposal IPSEC-PROPOSAL protocol esp
gsraut@SRXA#set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
gsraut@SRXA#set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
gsraut@SRXA#set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
gsraut@SRXA#set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
gsraut@SRXA#set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

Configure the IPsec VPN (Phase-II) with the IKE gateway and IPsec policy, and bind it to the secure tunnel interface st0.0
gsraut@SRXA#set security ipsec vpn IPSEC-VPN bind-interface st0.0
gsraut@SRXA#set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
gsraut@SRXA#set security ipsec vpn IPSEC-VPN ike proxy-identity local 192.168.100.0/24
gsraut@SRXA#set security ipsec vpn IPSEC-VPN ike proxy-identity remote 192.168.200.0/24
gsraut@SRXA#set security ipsec vpn IPSEC-VPN ike proxy-identity service any
gsraut@SRXA#set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
gsraut@SRXA#set security ipsec vpn IPSEC-VPN establish-tunnels immediately

Configure the security policy for internet traffic from the LAN zone to the WAN zone
gsraut@SRXA#set security policies from-zone LAN to-zone WAN policy LAN_WAN match source-address any
gsraut@SRXA#set security policies from-zone LAN to-zone WAN policy LAN_WAN match destination-address any
gsraut@SRXA#set security policies from-zone LAN to-zone WAN policy LAN_WAN match application any
gsraut@SRXA#set security policies from-zone LAN to-zone WAN policy LAN_WAN then permit

Configure source NAT for internet traffic from the LAN zone to the WAN zone
NAT is required for internet traffic from the LAN zone to the WAN zone: the LAN source address is translated to the IP of the SRX egress interface as the traffic leaves for the internet. Because the rule set is scoped from zone LAN to zone WAN only, traffic from LAN to the VPN zone is not translated, which is what the tunnel needs.
gsraut@SRXA#set security nat source rule-set LAN-TO_WAN from zone LAN
gsraut@SRXA#set security nat source rule-set LAN-TO_WAN to zone WAN
gsraut@SRXA#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match source-address 0.0.0.0/0
gsraut@SRXA#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT match destination-address 0.0.0.0/0
gsraut@SRXA#set security nat source rule-set LAN-TO_WAN rule SOURCE-NAT then source-nat interface

Configure bi-directional security policies for tunnel traffic between the LAN zone and the VPN zone
Here a policy in each direction is configured so that VPN traffic can pass both from LAN to VPN and from VPN to LAN.
gsraut@SRXA#set security policies from-zone LAN to-zone VPN policy LAN_VPN match source-address any
gsraut@SRXA#set security policies from-zone LAN to-zone VPN policy LAN_VPN match destination-address any
gsraut@SRXA#set security policies from-zone LAN to-zone VPN policy LAN_VPN match application any
gsraut@SRXA#set security policies from-zone LAN to-zone VPN policy LAN_VPN then permit
gsraut@SRXA#set security policies from-zone VPN to-zone LAN policy VPN_LAN match source-address any
gsraut@SRXA#set security policies from-zone VPN to-zone LAN policy VPN_LAN match destination-address any
gsraut@SRXA#set security policies from-zone VPN to-zone LAN policy VPN_LAN match application any
gsraut@SRXA#set security policies from-zone VPN to-zone LAN policy VPN_LAN then permit

Configure tcp-mss to avoid fragmentation of TCP traffic across the tunnel
The tcp-mss for IPsec traffic is set to avoid fragmented TCP traffic: it caps the maximum size of a TCP segment so that the segment plus the ESP and outer IP overhead still fits the path MTU.
gsraut@SRXA#set security flow tcp-mss ipsec-vpn mss 1350

The following commands verify the IKE and IPsec security associations, the OSPF adjacency over the tunnel, and end-to-end reachability from the LAN interface:
- gsraut@SRXA>show security ike security-associations
- gsraut@SRXA>show security ipsec security-associations
- gsraut@SRXA>show ospf neighbor
- gsraut@SRXA>ping 192.168.200.1 interface ge-0/0/1

SRX B is configured in the same way with its own values from the table, and the IPsec tunnel and OSPF adjacency are verified with the same commands.
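Because the negotiated parameters must match on both peers while the gateway address and proxy identities must mirror each other, a pre-commit consistency check over the two `display set` configurations catches the usual Phase-I/Phase-II typos before they show up as a tunnel that never comes up. The script below is an added example, not part of the original post or a Juniper tool: it parses Junos `set` lines, follows the vpn → gateway → ike-policy → proposal and vpn → ipsec-policy → proposal references, and reports every mismatch. The two configurations are constructed here from the values in the table, with SRX B assumed to be the mirror of SRX A; `srx_config`, `vpn_profile` and `check_pair` are names chosen for this example.

```python
"""Added example: consistency check for a pair of route-based IPsec VPN configs on SRX.

Both configurations below are constructed from the post's table (SRX B is the
assumed mirror of SRX A); the function names are this example's own.
"""

# Proposal parameters that must be identical on both peers.
IKE_PARAMS = ("authentication-method", "dh-group", "authentication-algorithm",
              "encryption-algorithm", "lifetime-seconds")
IPSEC_PARAMS = ("protocol", "authentication-algorithm", "encryption-algorithm",
                "lifetime-seconds")


def srx_config(wan, peer, local_net, remote_net, pfs="group5", ike_lifetime="28800"):
    """Build the VPN-relevant 'set' lines for one peer (same layout as the post's config)."""
    return f"""
set interfaces ge-0/0/0 unit 0 family inet address {wan}/30
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group5
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds {ike_lifetime}
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
set security ike gateway VPN-GATEWAY address {peer}
set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys {pfs}
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
set security ipsec vpn IPSEC-VPN ike proxy-identity local {local_net}
set security ipsec vpn IPSEC-VPN ike proxy-identity remote {remote_net}
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
"""


def parse_set_lines(config):
    """Map each 'set' path (all tokens but the last) to its final token, the value."""
    kv = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "set":
            kv[" ".join(tokens[1:-1])] = tokens[-1]
    return kv


def vpn_profile(config):
    """Follow the name references and collect the negotiated and peer-specific values."""
    kv = parse_set_lines(config)
    vpn = next(k.split()[3] for k in kv
               if k.startswith("security ipsec vpn ") and k.endswith(" ike gateway"))
    gw = kv[f"security ipsec vpn {vpn} ike gateway"]
    ike_pol = kv[f"security ike gateway {gw} ike-policy"]
    ike_prop = kv[f"security ike policy {ike_pol} proposals"]
    ipsec_pol = kv[f"security ipsec vpn {vpn} ike ipsec-policy"]
    ipsec_prop = kv[f"security ipsec policy {ipsec_pol} proposals"]
    # The external interface tells us which address the peer must point at.
    ifname, unit = kv[f"security ike gateway {gw} external-interface"].rsplit(".", 1)
    wan = kv[f"interfaces {ifname} unit {unit} family inet address"].split("/")[0]
    return {
        "ike": {p: kv.get(f"security ike proposal {ike_prop} {p}") for p in IKE_PARAMS},
        "ike-mode": kv.get(f"security ike policy {ike_pol} mode"),
        "ipsec": {p: kv.get(f"security ipsec proposal {ipsec_prop} {p}") for p in IPSEC_PARAMS},
        "pfs": kv.get(f"security ipsec policy {ipsec_pol} perfect-forward-secrecy keys"),
        "wan": wan,
        "peer": kv.get(f"security ike gateway {gw} address"),
        "proxy-local": kv.get(f"security ipsec vpn {vpn} ike proxy-identity local"),
        "proxy-remote": kv.get(f"security ipsec vpn {vpn} ike proxy-identity remote"),
    }


def check_pair(cfg_a, cfg_b):
    """Return a list of mismatch descriptions; an empty list means the pair is consistent."""
    a, b = vpn_profile(cfg_a), vpn_profile(cfg_b)
    problems = []
    for section in ("ike", "ipsec"):
        for name in a[section]:
            if a[section][name] != b[section][name]:
                problems.append(f"{section} {name}: A={a[section][name]} B={b[section][name]}")
    for name in ("ike-mode", "pfs"):
        if a[name] != b[name]:
            problems.append(f"{name}: A={a[name]} B={b[name]}")
    # Peer-specific values must cross-reference: A's gateway address is B's WAN IP and vice versa.
    if a["peer"] != b["wan"] or b["peer"] != a["wan"]:
        problems.append(f"gateway address does not point at the peer WAN IP (A->{a['peer']}, B->{b['peer']})")
    if a["proxy-local"] != b["proxy-remote"] or a["proxy-remote"] != b["proxy-local"]:
        problems.append("proxy-identity local/remote are not mirrored")
    return problems


SRX_A = srx_config("10.10.10.2", "10.10.20.2", "192.168.100.0/24", "192.168.200.0/24")
SRX_B = srx_config("10.10.20.2", "10.10.10.2", "192.168.200.0/24", "192.168.100.0/24")
# Constructed fault: wrong PFS group and a remote proxy-id that is not the mirror of SRX A's local one.
SRX_B_BAD = srx_config("10.10.20.2", "10.10.10.2", "192.168.200.0/24", "192.168.101.0/24", pfs="group2")

if __name__ == "__main__":
    print("SRX A <-> SRX B:", check_pair(SRX_A, SRX_B) or "consistent")
    print("SRX A <-> SRX B (bad):", check_pair(SRX_A, SRX_B_BAD))
```

On a real pair of devices, paste the output of `show configuration | display set` from each SRX in place of the constructed strings; the parser only needs the `set` lines and ignores everything else. Note that the pre-shared key is deliberately not compared: it should never be copied out of the devices for a check like this, and a mismatch there shows up clearly enough as a failed Phase-I authentication.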