Policy Based IPSec VPN Junos
Hello! I’m going to dedicate this post to talk about Policy Based IPSec VPN in Juniper Networks device. For the purpose of setting up IPSec VPN, I’ve prepared a lab in GNS3 using three vSRX machines, one Cisco 2691 router and three Cirros machines. However, for now, I’ll be using only two vSRX devices for policy based VPN because I plan to use other one for configuring Route based VPN. Here’s how my lab topology looked like:
Lab Overview
For this particular post, let’s just look at the vSRX named as KTM on the left, Cisco router named as ISP in middle and vSRX named as PKR on the top right. Here, I’m going to setup policy based IPSec VPN between the sites KTM and PKR. For my lab topology, I’m using KTM as a head-office site, and PKR and BRT as the branches. Since I need to allow access between local area network of one site and that of other site, I’m using IPSec VPN between these two sites. Now, let’s get started with the configuration:
Basic Configuration
Assuming that I’ve got fresh installation of vSRX devices, let’s start this setup from the beginning itself i.e. definition of root authentication, system hostname, interfaces and security zones. In real scenario, you might also want to configure DNS, DHCP, NAT, and so on.
root# set system root-authentication plain-password root# set system host-name KTM root# commit
Here, KTM vSRX has two interfaces: ge-0/0/0 connecting to ISP router and ge-0/0/1 connecting LAN.
root@KTM# set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/30 root@KTM# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
Junos, by default comes with two security zones named trust and untrust, and their corresponding interfaces assignment. I usually like to delete the default config and set my own custom configuration. I’m defining a security zone called DC-Net containing LAN and interface ge-0/0/1. All system services will be allowed from this zone to the device.
root@KTM# delete security zones security-zone trust interfaces ge-0/0/0.0 root@KTM# set security zones security-zone DC-Net interfaces ge-0/0/1 root@KTM# set security zones security-zone DC-Net host-inbound-traffic system-services all
Similary, I’m creating another security zone named as Public-Net containing interface ge-0/0/0, which is facing the ISP. Only Ping and IKE traffic will be allowed from this zone to the device.
root@KTM# set security zones security-zone Public-Net host-inbound-traffic system-services ike root@KTM# set security zones security-zone Public-Net host-inbound-traffic system-services ping root@KTM# set security zones security-zone Public-Net interfaces ge-0/0/0
I also define the address books for the networks and hosts in the zones I created. This helps in easier identification, categorization and use of networks and hosts during the configuration process. It also makes things extremely quick and effective when we need to make modifications in addresses or associated configurations.
root@KTM# set security zones security-zone DC-Net address-book address DC-Network 172.16.1.0/24 root@KTM# set security zones security-zone DC-Net address-book address DC-Server-1 172.16.1.2/32 root@KTM# set security zones security-zone DC-Net address-book address-set DC-Servers address DC-Server-1
root@KTM# set security zones security-zone Public-Net address-book address PKR-Network 172.16.2.0/24 root@KTM# set security zones security-zone Public-Net address-book address PKR-Server-1 172.16.2.2/32
Before completing our basic configuration, let’s also add a default route using next hop address as the ISP router’s IP address.
root@KTM# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
IPSec Phase I Configuration
Now, begins the section where we actually configure our IPSec VPN. IPSec contains two phases: Phase 1 – IKE Association and Phase 2 – IPSec VPN. So, let’s first setup our IKE configuration. Defining the IKE proposal is the next thing we need to do. This proposal creation process can be skipped if we would like to use the available proposal sets (basic, compatible or standard).
root@KTM# edit security ike root@KTM# set proposal KTM-PKR-IKE-Phase1-Proposal authentication-method pre-shared-keys root@KTM# set proposal KTM-PKR-IKE-Phase1-Proposal dh-group group2 root@KTM# set proposal KTM-PKR-IKE-Phase1-Proposal authentication-algorithm sha1 root@KTM# set proposal KTM-PKR-IKE-Phase1-Proposal encryption-algorithm aes-128-cbc
Then, we need to configure the IKE phase 1 policy. Here, we mainly choose the mode, proposal and pre-shared key for the VPN. For now, I’m using main mode as I’ve got static IP addresses at both of my peers. However, we would need to set aggressive mode if we’ve dynamic IP address at one of the peers and then, the peer with dynamic IP should be the one to begin the IKE negotiation. We then call the proposal we defined above and set the pre-shared key for authentication between the peers.
root@KTM# set policy KTM-PKR-IKE-Phase1-Policy mode main root@KTM# set policy KTM-PKR-IKE-Phase1-Policy proposals KTM-PKR-IKE-Phase1-Proposal root@KTM# set policy KTM-PKR-IKE-Phase1-Policy pre-shared-key ascii-text Secret@123
The last step in Phase I is to configure IKE gateway. Here, we call the policy we created above, set the peer’s IP address and external interface participating in VPN.
root@KTM# set gateway GW-PKR ike-policy KTM-PKR-IKE-Phase1-Policy root@KTM# set gateway GW-PKR address 2.2.2.2 root@KTM# set gateway GW-PKR external-interface ge-0/0/0
IPSec Phase II Configuration
Now that we’ve got our IPSec Phase I configuration completed, we can proceed to the Phase II of the VPN. Basically, our Phase I will create a tunnel between the two participating peers and Phase II will control the traffic flowing through this tunnel. In phase II, we define proposal, policy and VPN to complete our IPSec setup.
root@KTM# top edit security ipsec root@KTM# set proposal KTM-PKR-IPSec-Phase2-Proposal protocol esp root@KTM# set proposal KTM-PKR-IPSec-Phase2-Proposal authentication-algorithm hmac-sha1-96 root@KTM# set proposal KTM-PKR-IPSec-Phase2-Proposal encryption-algorithm aes-128-cbc
Then, let’s define the IPSec phase II policy with the appropriate PFS option and proposal.
root@KTM# set policy KTM-PKR-IPSec-Phase2-Policy perfect-forward-secrecy keys group2 root@KTM# set policy KTM-PKR-IPSec-Phase2-Policy proposals KTM-PKR-IPSec-Phase2-Proposal
To complete our IPSec Phase II config, let’s define a VPN which will later be referenced by the security policies to pass traffic between remote sites. To set it, we need to provide the IKE gateway that we created in the phase I gateway configuration and the IPSec policy. We can also provide additional option like “establish-tunnels immediately” to start VPN as soon as the necessary conditions are met.
root@KTM# set vpn KTM-PKR-VPN ike gateway GW-PKR root@KTM# set vpn KTM-PKR-VPN ike ipsec-policy KTM-PKR-IPSec-Phase2-Policy root@KTM# set vpn KTM-PKR-VPN establish-tunnels immediately
This completes our IPSec VPN configuration in Juniper Networks device.
Security Policies
Well, as the title of this post suggested, this is an example of a Policy based IPSec VPN. So, the security policies play a very important role in this setup as they’re the ones which control the IPSec traffic. Let’s just begin the configuration of security policies with the outbound connections i.e from zone DC-Net to zone Public-Net. These policies will match all the traffic originating from DC-Network to PKR-Network and pass them through the IPSec VPN tunnel called KTM-PKR-VPN that we created above. We also define a pair-policy for the traffic matching the reverse connections.
root@KTM# top delete security policies root@KTM# edit security policies root@KTM# set from-zone DC-Net to-zone Public-Net policy KTM-PKR-VPN match source-address DC-Network root@KTM# set from-zone DC-Net to-zone Public-Net policy KTM-PKR-VPN match destination-address PKR-Network root@KTM# set from-zone DC-Net to-zone Public-Net policy KTM-PKR-VPN match application any root@KTM# set from-zone DC-Net to-zone Public-Net policy KTM-PKR-VPN then permit tunnel ipsec-vpn KTM-PKR-VPN root@KTM# set from-zone DC-Net to-zone Public-Net policy KTM-PKR-VPN then permit tunnel pair-policy PKR-KTM-VPN
This policy is for all the normal traffic that originate from the internal network and are destined to the external network or Internet. Make sure this policy is placed after the policy for IPSec traffic, otherwise it’ll match everything and take its actions even for the IPSec traffic. If you’ve got your IPSec related security policy after this type of policy, use insert to place it before other policies.
root@KTM# set from-zone DC-Net to-zone Public-Net policy Permit-Any match source-address any root@KTM# set from-zone DC-Net to-zone Public-Net policy Permit-Any match destination-address any root@KTM# set from-zone DC-Net to-zone Public-Net policy Permit-Any match application any root@KTM# set from-zone DC-Net to-zone Public-Net policy Permit-Any then permit
Conversely, let’s also define security policies for the inbound traffic i.e. from Public-Net zone to DC-Net zone. It’s much like the security policy for outbound connections except that it matches opposite source and destination addresses. The tunnel pair-policy is the policy we created above for inbound traffic.
root@KTM# set from-zone Public-Net to-zone DC-Net policy PKR-KTM-VPN match source-address PKR-Network root@KTM# set from-zone Public-Net to-zone DC-Net policy PKR-KTM-VPN match destination-address DC-Network root@KTM# set from-zone Public-Net to-zone DC-Net policy PKR-KTM-VPN match application any root@KTM# set from-zone Public-Net to-zone DC-Net policy PKR-KTM-VPN then permit tunnel ipsec-vpn KTM-PKR-VPN root@KTM# set from-zone Public-Net to-zone DC-Net policy PKR-KTM-VPN then permit tunnel pair-policy KTM-PKR-VPN root@KTM# commit check root@KTM# commit and-quit
This completes our entire configuration in KTM device for the proposed Policy based IPSec VPN. Now, we need to configure our next peer i.e. PKR device according to the IPSec parameters that we defined in KTM device. Otherwise, the IPSec VPN won’t work. But before we setup PKR device, let’s first prepare our ISP router. In real scenario, we don’t have access to ISP router. However, since this is my internal lab, I need to configure it to make this lab work. In ISP router, all I need to do is to assign the IP addresses to its interfaces as shown in the topology above.
ISP# conf t ISP# int f0/0 ISP# ip address 1.1.1.1 255.255.255.252 ISP# exit ISP# int f0/1 ISP# ip address 2.2.2.1 255.255.255.252 ISP# end
Configuration of PKR
Actually, all of the configuration required in PKR is almost similar to that of KTM device. So, I’m just putting the entire config statements without any explanation.
root# set system host-name PKR root# set system root-authentication plain-password root# delete security zones root# set security zones security-zone PKR-Net interfaces ge-0/0/1 root# set security zones security-zone PKR-Net host-inbound-traffic system-services all root# set security zones security-zone Public-Net host-inbound-traffic system-services ike root# set security zones security-zone Public-Net host-inbound-traffic system-services ping root# set security zones security-zone Public-Net interfaces ge-0/0/0 root# set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/30 root# set interfaces ge-0/0/1 unit 0 family inet address 172.16.2.1/24 root# show | compare root# commit
root@PKR# set security zones security-zone PKR-Net address-book address PKR-Network 172.16.2.0/24 root@PKR# set security zones security-zone PKR-Net address-book address PKR-Server-1 172.16.2.2/32 root@PKR# set security zones security-zone PKR-Net address-book address-set PKR-Servers address PKR-Server-1 root@PKR# set security zones security-zone Public-Net address-book address KTM-Network 172.16.1.0/24 root@PKR# set security zones security-zone Public-Net address-book address KTM-Server-1 172.16.1.2/32 root@PKR# set security zones security-zone Public-Net address-book address-set KTM-Servers address KTM-Server-1 root@PKR# set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1
root@PKR# edit security ike root@PKR# set proposal PKR-KTM-IKE-Phase1-Proposal authentication-method pre-shared-keys root@PKR# set proposal PKR-KTM-IKE-Phase1-Proposal dh-group group2 root@PKR# set proposal PKR-KTM-IKE-Phase1-Proposal authentication-algorithm sha1 root@PKR# set proposal PKR-KTM-IKE-Phase1-Proposal encryption-algorithm aes-128-cbc root@PKR# set policy PKR-KTM-IKE-Phase1-Policy mode main root@PKR# set policy PKR-KTM-IKE-Phase1-Policy proposals PKR-KTM-IKE-Phase1-Proposal root@PKR# set policy PKR-KTM-IKE-Phase1-Policy pre-shared-key ascii-text Secret@123 root@PKR# set gateway GW-KTM ike-policy PKR-KTM-IKE-Phase1-Policy root@PKR# set gateway GW-KTM address 1.1.1.2 root@PKR# set gateway GW-KTM external-interface ge-0/0/0
root@PKR# top edit security ipsec root@PKR# set proposal PKR-KTM-IPSec-Phase2-Proposal protocol esp root@PKR# set proposal PKR-KTM-IPSec-Phase2-Proposal authentication-algorithm hmac-sha1-96 root@PKR# set proposal PKR-KTM-IPSec-Phase2-Proposal encryption-algorithm aes-128-cbc root@PKR# set policy PKR-KTM-IPSec-Phase2-Policy perfect-forward-secrecy keys group2 root@PKR# set policy PKR-KTM-IPSec-Phase2-Policy proposals PKR-KTM-IPSec-Phase2-Proposal root@PKR# set vpn PKR-KTM-VPN ike gateway GW-KTM root@PKR# set vpn PKR-KTM-VPN ike ipsec-policy PKR-KTM-IPSec-Phase2-Policy root@PKR# set vpn PKR-KTM-VPN establish-tunnels immediately
root@PKR# top edit security policies root@PKR# set from-zone PKR-Net to-zone Public-Net policy PKR-KTM-VPN match source-address PKR-Network root@PKR# set from-zone PKR-Net to-zone Public-Net policy PKR-KTM-VPN match destination-address KTM-Network root@PKR# set from-zone PKR-Net to-zone Public-Net policy PKR-KTM-VPN match application any root@PKR# set from-zone PKR-Net to-zone Public-Net policy PKR-KTM-VPN then permit tunnel ipsec-vpn PKR-KTM-VPN root@PKR# set from-zone PKR-Net to-zone Public-Net policy PKR-KTM-VPN then permit tunnel pair-policy KTM-PKR-VPN root@PKR# set from-zone PKR-Net to-zone Public-Net policy Permit-Any match source-address any root@PKR# set from-zone PKR-Net to-zone Public-Net policy Permit-Any match destination-address any root@PKR# set from-zone PKR-Net to-zone Public-Net policy Permit-Any match application any root@PKR# set from-zone PKR-Net to-zone Public-Net policy Permit-Any then permit
root@PKR# set from-zone Public-Net to-zone PKR-Net policy KTM-PKR-VPN match source-address KTM-Network root@PKR# set from-zone Public-Net to-zone PKR-Net policy KTM-PKR-VPN match destination-address PKR-Network root@PKR# set from-zone Public-Net to-zone PKR-Net policy KTM-PKR-VPN match application any root@PKR# set from-zone Public-Net to-zone PKR-Net policy KTM-PKR-VPN then permit tunnel ipsec-vpn PKR-KTM-VPN root@PKR# set from-zone Public-Net to-zone PKR-Net policy KTM-PKR-VPN then permit tunnel pair-policy PKR-KTM-VPN root@PKR# commit check root@PKR# commit and-quit
Verification and Troubleshooting
As of now, we’ve completed the IPSec VPN configuration in both of our vSRX devices. So, let’s verify if our configuration is working properly or not. Since we trying to setup an IPSec VPN in this lab, let’s first check its status.
root@KTM> show security ike sa Index State Initiator cookie Responder cookie Mode Remote Address 3251960 UP e2a8e7ae826c18dc 22eec17362ab46a4 Main 2.2.2.2
Well, our Phase 1 or IKE security association is up and running. This is good and expected. Let’s also view its details.
root@KTM> show security ike sa detail Role: Responder, State: UP Initiator cookie: e2a8e7ae826c18dc, Responder cookie: 22eec17362ab46a4 Exchange type: Main, Authentication method: Pre-shared-keys Local: 1.1.1.2:500, Remote: 2.2.2.2:500 Lifetime: Expires in 28673 seconds Peer ike-id: 2.2.2.2 Xauth assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes128-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-2 Traffic statistics: Input bytes : 968 Output bytes : 884 Input packets: 5 Output packets: 4 Flags: IKE SA is created IPSec security associations: 1 created, 0 deleted Phase 2 negotiations in progress: 0 Negotiation type: Quick mode, Role: Responder, Message ID: 0 Local: 1.1.1.2:500, Remote: 2.2.2.2:500 ---(more)---
From the information provided, it’s evident that the KTM device is acting as a responder for IKE negotiation and most of the other information include parameters defined during proposal creation. It also displays the traffic statistics and status of IKE SA.
Next, let’s check the status of IPSec Phase II or IPSec Security Association.
root@KTM> show security ipsec sa Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <2 ESP:aes-128/sha1 f91310cc 3398/ unlim - root 500 2.2.2.2 >2 ESP:aes-128/sha1 264612fd 3398/ unlim - root 500 2.2.2.2
Similarly, we can use other monitoring commands like:
root@KTM> show security ipsec statistics root@KTM> show security flow session
To test the traffic flow through the IPSec tunnel, we can just ping some host in one LAN from a host in another remote LAN. Since our security policy is configured to allow ICMP traffic, the hosts should be pingable from each other. On pinging hosts over IPSec tunnel, we can also monitor the traffic flow in the vSRX device.
root@KTM> show security flow session Session ID: 198, Policy name: PKR-KTM-VPN/9, Timeout: 2, Valid In: 172.16.2.2/1 --> 172.16.1.2/30209;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 Out: 172.16.1.2/30209 --> 172.16.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84 Session ID: 199, Policy name: KTM-PKR-VPN/7, Timeout: 2, Valid In: 172.16.1.2/3 --> 172.16.2.2/30977;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84 Out: 172.16.2.2/30977 --> 172.16.1.2/3;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 Session ID: 200, Policy name: PKR-KTM-VPN/9, Timeout: 2, Valid In: 172.16.2.2/2 --> 172.16.1.2/30209;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84 Out: 172.16.1.2/30209 --> 172.16.2.2/2;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
Another tool we can use is traceroute from the host itself. Let’s try to trace the packet from a host belonging to KTM to a host belonging to PKR. The result looks like this:
$ traceroute 172.16.2.2 traceroute to 172.16.2.2 (172.16.2.2), 30 hops max, 46 byte packets 1 172.16.1.1 (172.16.1.1) 44.700 ms 3.276 ms 4.544 ms 2 2.2.2.2 (2.2.2.2) 49.048 ms 15.659 ms 19.628 ms 3 172.16.2.2 (172.16.2.2) 19.543 ms 39.007 ms 24.301 ms
This completes this blog post on how to setup Policy Based IPSec VPN between Juniper Networks devices. I hope you’ve found it useful. Please let me know of your feedback and suggestion in the Comments section below. Thank you for reading! 🙂
