5- Site-to-Site VPN IPsec Configuration between 2 firewall
- Jean-luc KRIKER
SRX & J Series Site-to-Site VPN Configuration Generator:Â Â https://www.juniper.net/support/tools/vpnconfig/#localSite
Configuring Route-Based Site-to-Site IPSec VPN on the SRX:Â Â https://www.youtube.com/watch?v=4fhLZIbJ-ls
1- IKE Phase 1:
1a- create ike proposal
1b- create ike policy
1c- create ike gateway
2- Allow IKE traffic inbound to untrusted zone
3- IKE Phase 2 / IPSEC :
3a- create ipsec proposal
3b- create ipsec policy
3c- create ipsec gateway
4- Configure security VPN Zone and security policy between zones
============================================================================
A-Site:
1- IKE Phase 1:
#1a- create ike proposalset security ike proposal IKE-PROP authentication-method pre-shared-keysset security ike proposal IKE-PROP dh-group group5set security ike proposal IKE-PROP authentication-algorithm sha1set security ike proposal IKE-PROP encryption-algorithm aes-128-cbcset security ike proposal IKE-PROP lifetime-seconds 3600
#1c- create ike gatewayset security ike policy IKE-POL mode mainset security ike policy IKE-POL proposals IKE-PROPset security ike policy IKE-POL pre-shared-key ascii-text juniper
#1c- create ike gatewayset security ike gateway IKE-GW ike-policy IKE-POLset security ike gateway IKE-GW address 1.2.3.22 # remote IP@!!!set security ike gateway IKE-GW external-interface ge-0/0/0
#2- allow IKE traffic inbound to untrusted zoneset security zones security-zone untrust host-inbound-traffic system-services ike
#3- IKE Phase 2 / IPSEC :
#3a- create ipsec proposalset security ipsec proposal IPSEC-PROP protocol espset security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbcset security ipsec proposal IPSEC-PROP lifetime-seconds 3600
#3b- create ipsec policyset security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5set security ipsec policy IPSEC-POL proposals IPSEC-PROP
#3c- create ipsec gatewayset security ipsec vpn IPSEC-VPN vpn-monitorset security ipsec vpn IPSEC-VPN ike gateway IKE-GWset security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLset security ipsec vpn IPSEC-VPN establish-tunnels immediatelyset security ipsec vpn IPSEC-VPN bind-interface st0.1
set interfaces st0 unit 1 family inetset security zones security-zone VPN interfaces st0.1set routing-options static route 11.11.11.0/24 next-hop st0.1
#4- Configure sec policy between zones
set security address-book global address Network-A 10.10.10.0/24set security address-book global address Network-B 11.11.11.0/24
set security zones security-zone VPN
#deactivate security policies from-zone trust to-zone untrust policy default-permit#deactivate security policies from-zone untrust to-zone trust policy default-deny
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address Network-Aset security policies from-zone trust to-zone VPN policy Trust-to-VPN match destination-address Network-Bset security policies from-zone trust to-zone VPN policy Trust-to-VPN match application anyset security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address Network-Bset security policies from-zone VPN to-zone trust policy VPN-to-Trust match destination-address Network-Aset security policies from-zone VPN to-zone trust policy VPN-to-Trust match application anyset security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit
==============================================================================================================
B Side:
#1- IKE Phase 1:
#1a- create ike proposalset security ike proposal IKE-PROP authentication-method pre-shared-keysset security ike proposal IKE-PROP dh-group group5set security ike proposal IKE-PROP authentication-algorithm sha1set security ike proposal IKE-PROP encryption-algorithm aes-128-cbcset security ike proposal IKE-PROP lifetime-seconds 3600
#1c- create ike gatewayset security ike policy IKE-POL mode mainset security ike policy IKE-POL proposals IKE-PROPset security ike policy IKE-POL pre-shared-key ascii-text juniper
#1c- create ike gatewayset security ike gateway IKE-GW ike-policy IKE-POLset security ike gateway IKE-GW address 1.2.3.21 # remote IP@!!!set security ike gateway IKE-GW external-interface ge-0/0/0
#2- allow IKE traffic inbound to untrusted zoneset security zones security-zone untrust host-inbound-traffic system-services ike
#3- IKE Phase 2 / IPSEC :
#3a- create ipsec proposalset security ipsec proposal IPSEC-PROP protocol espset security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbcset security ipsec proposal IPSEC-PROP lifetime-seconds 3600
#3b- create ipsec policyset security ipsec policy IPSEC-POL perfect-forward-secrecy keys group5set security ipsec policy IPSEC-POL proposals IPSEC-PROP
#3c- create ipsec gatewayset security ipsec vpn IPSEC-VPN vpn-monitorset security ipsec vpn IPSEC-VPN ike gateway IKE-GWset security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLset security ipsec vpn IPSEC-VPN establish-tunnels immediatelyset security ipsec vpn IPSEC-VPN bind-interface st0.1
set interfaces st0 unit 1 family inet#set security zones security-zone VPNset security zones security-zone VPN interfaces st0.1set routing-options static route 10.10.10.0/24 next-hop st0.1
#4- Configure sec policy between zones
set security address-book global address Network-A 10.10.10.0/24set security address-book global address Network-B 11.11.11.0/24
#deactivate security policies from-zone trust to-zone untrust policy default-permit#deactivate security policies from-zone untrust to-zone trust policy default-deny
set security policies from-zone trust to-zone VPN policy Trust-to-VPN match source-address Network-Bset security policies from-zone trust to-zone VPN policy Trust-to-VPN match destination-address Network-Aset security policies from-zone trust to-zone VPN policy Trust-to-VPN match application anyset security policies from-zone trust to-zone VPN policy Trust-to-VPN then permit
set security policies from-zone VPN to-zone trust policy VPN-to-Trust match source-address Network-Aset security policies from-zone VPN to-zone trust policy VPN-to-Trust match destination-address Network-Bset security policies from-zone VPN to-zone trust policy VPN-to-Trust match application anyset security policies from-zone VPN to-zone trust policy VPN-to-Trust then permit