
EdgeRouter - Site-to-Site IPsec VPN to Juniper SRX

Overview

Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Juniper SRX.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
Devices used in this article:

Table of Contents

  1. Frequently Asked Questions (FAQ)
  2. Setting up a Policy-Based VPN
  3. Related Articles

FAQ

1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options for IKE and ESP?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Setting up a Policy-Based VPN

[Figure: topology.png (network topology diagram)]

The 192.168.1.0/24 and 172.16.1.0/24 networks will be allowed to communicate with each other over the VPN.

CLI: Access the Command Line Interface on the EdgeRouter.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS). The PFS setting must agree on both ends; the SRX ESP policy created in step 12 of the Juniper section does not enable it either.

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the remote peering address (replace <secret> with your desired passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

6. Link the SAs created above to the remote peer and define the local and remote subnets.

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24

7. Commit the changes and save the configuration.

commit ; save

CLI: Access the Command Line Interface on the Juniper SRX.

1. Enter configuration mode.

configure

2. Link the interfaces to the relevant zones and allow IKE on the WAN interface.

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

3. Define the local and remote subnets as address ranges in an address book.

set security address-book global address remote 192.168.1.0/24
set security address-book global address local 172.16.1.0/24

4. Allow the IPsec traffic between the untrust and trust zones, referencing the address-book entries created above.

set security policies from-zone trust to-zone untrust policy trust-to-ipsec match source-address local
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match destination-address remote
set security policies from-zone trust to-zone untrust policy trust-to-ipsec match application any
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel ipsec-vpn ipsec-tunnel
set security policies from-zone trust to-zone untrust policy trust-to-ipsec then permit tunnel pair-policy ipsec-to-trust

set security policies from-zone untrust to-zone trust policy ipsec-to-trust match source-address remote
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match destination-address local
set security policies from-zone untrust to-zone trust policy ipsec-to-trust match application any
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel ipsec-vpn ipsec-tunnel
set security policies from-zone untrust to-zone trust policy ipsec-to-trust then permit tunnel pair-policy trust-to-ipsec

5. Make sure that the IPsec traffic policies are matched before the existing policy rules.

insert security policies from-zone trust to-zone untrust policy trust-to-ipsec before policy default-permit
insert security policies from-zone untrust to-zone trust policy ipsec-to-trust before policy default-deny

6. Exclude the IPsec traffic from source NAT translation.

set security nat source rule-set sourcenat from zone trust
set security nat source rule-set sourcenat to zone untrust

set security nat source rule-set sourcenat rule nat match source-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat match destination-address 0.0.0.0/0
set security nat source rule-set sourcenat rule nat then source-nat interface

set security nat source rule-set sourcenat rule ipsec match source-address-name local
set security nat source rule-set sourcenat rule ipsec match destination-address-name remote
set security nat source rule-set sourcenat rule ipsec then source-nat off

7. Make sure that the IPsec NAT exclusion rule is matched before the existing Source-NAT rule.

insert security nat source rule-set sourcenat rule ipsec before rule nat

8. Create an IKE proposal that matches the defined SAs on the EdgeRouter.

set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike proposal ike-proposal dh-group group14
set security ike proposal ike-proposal authentication-algorithm sha1
set security ike proposal ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal ike-proposal lifetime-seconds 28800

9. Create an IKE policy and link it to the IKE proposal (replace <secret> with your desired passphrase).

set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-proposal
set security ike policy ike-policy pre-shared-key ascii-text <secret>

10. Create an IKE gateway and link it to the IKE policy.

set security ike gateway ike-gateway ike-policy ike-policy
set security ike gateway ike-gateway address 203.0.113.1
set security ike gateway ike-gateway external-interface ge-0/0/0
set security ike gateway ike-gateway local-address 192.0.2.1

11. Create an ESP proposal matching the defined SAs on the EdgeRouter.

set security ipsec proposal esp-proposal protocol esp
set security ipsec proposal esp-proposal authentication-algorithm sha1
set security ipsec proposal esp-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal esp-proposal lifetime-seconds 3600

12. Create the ESP policy and link it to the ESP proposal.

set security ipsec policy esp-policy proposals esp-proposal

13. Create the VPN connection and link it to the IKE gateway and ESP policy.

set security ipsec vpn ipsec-tunnel ike gateway ike-gateway
set security ipsec vpn ipsec-tunnel ike ipsec-policy esp-policy

14. Commit the changes.

commit
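Once both sides are configured, the usual reason a tunnel stays down is a Phase 1 or Phase 2 parameter that differs between the two devices, or local/remote selectors that were not mirrored. The script below is an added example, not part of this article or of either vendor's tooling: it pulls the fields that must agree out of the two "set" command listings above and reports every difference (the FIELDS table and the extract/mismatches functions are this example's own names). The sample listings are constructed from this article's commands, with one deliberate typo (dh-group group2) on the SRX side.

```python
import re
# One row per parameter that must agree for the tunnel to come up: name -> (EdgeOS pattern, Junos pattern).
# Algorithms simply match; endpoints and selectors are mirrored (the EdgeRouter's "local" is the SRX's "remote").
FIELDS = {
    "ike_dh":       (r"ike-group \S+ proposal \d+ dh-group (\d+)",   r"ike proposal \S+ dh-group group(\d+)"),
    "ike_enc":      (r"ike-group \S+ proposal \d+ encryption (\S+)", r"ike proposal \S+ encryption-algorithm (\S+)"),
    "ike_hash":     (r"ike-group \S+ proposal \d+ hash (\S+)",       r"ike proposal \S+ authentication-algorithm (\S+)"),
    "ike_lifetime": (r"ike-group \S+ lifetime (\d+)",                r"ike proposal \S+ lifetime-seconds (\d+)"),
    "esp_enc":      (r"esp-group \S+ proposal \d+ encryption (\S+)", r"ipsec proposal \S+ encryption-algorithm (\S+)"),
    "esp_hash":     (r"esp-group \S+ proposal \d+ hash (\S+)",       r"ipsec proposal \S+ authentication-algorithm (\S+)"),
    "remote_peer":  (r"site-to-site peer (\S+) local-address",       r"ike gateway \S+ local-address (\S+)"),
    "local_peer":   (r"site-to-site peer \S+ local-address (\S+)",   r"ike gateway \S+ address (\S+)"),
    "local_net":    (r"tunnel \d+ local prefix (\S+)",               r"address-book global address remote (\S+)"),
    "remote_net":   (r"tunnel \d+ remote prefix (\S+)",              r"address-book global address local (\S+)"),
}
# Junos spells the same ciphers differently from EdgeOS; normalise to the EdgeOS names.
ALIASES = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "3des-cbc": "3des"}

def extract(config, side):
    """Pull the checked fields out of one side's 'set' commands (side 0 = EdgeOS, 1 = Junos)."""
    found = {name: re.search(pats[side], config) for name, pats in FIELDS.items()}
    return {name: ALIASES.get(m.group(1), m.group(1)) for name, m in found.items() if m}

def mismatches(edgeos, junos):
    """Return {field: (edgeos_value, junos_value)} for every field the two sides disagree on."""
    a, b = extract(edgeos, 0), extract(junos, 1)
    return {k: (a.get(k), b.get(k)) for k in FIELDS if a.get(k) != b.get(k)}

# Constructed sample input: the article's EdgeRouter side, and an SRX side with one typo (group2 instead of group14).
EDGEOS = """set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24"""
JUNOS = """set security ike proposal ike-proposal dh-group group2
set security ike proposal ike-proposal authentication-algorithm sha1
set security ike proposal ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal ike-proposal lifetime-seconds 28800
set security ike gateway ike-gateway address 203.0.113.1
set security ike gateway ike-gateway local-address 192.0.2.1
set security ipsec proposal esp-proposal authentication-algorithm sha1
set security ipsec proposal esp-proposal encryption-algorithm aes-128-cbc
set security address-book global address remote 192.168.1.0/24
set security address-book global address local 172.16.1.0/24"""
REPORT = mismatches(EDGEOS, JUNOS)  # {'ike_dh': ('14', '2')}
```

Paste each device's "show configuration | display set" (Junos) or "show configuration commands" (EdgeOS) output in place of the samples to check a live pair; an empty result means every checked field agrees.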

Related Articles

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH
