Route Based IPSec VPN in JunOS

In this blog, I’m going to cover how to set up a route-based IPSec VPN in Juniper Networks’ JunOS. I hope you’ve read my previous blog, which was about configuring a policy-based IPSec VPN in JunOS. In case you haven’t, you can find it here: Policy Based IPSec VPN in JunOS. The reason I mention the previous post is that the route-based IPSec VPN is very similar to the policy-based one. Yes, there are some distinct differences between the two; however, the basic concepts of IPSec VPN in Junos hold for both. Here, I’ll point out those differences along with the configuration.

Lab Overview
GNS3 Lab Topology-IPSec VPN

In this lab, my objective is to set up a route-based IPSec VPN between the KTM device and the BRT device. As usual, I’ve got my ISP router between the two VPN endpoints. Now, without further ado, let’s get started with the configuration steps:

Basic Configuration

Since I’ve already performed the basic configuration on the KTM router in the previous blog post, I’m not going to repeat it here. Just for your reference, you can find it here. So, I’m just going to configure the BRT router.

root# set system host-name BRT
root# set system root-authentication plain-text-password
root# delete security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone BRT-Net interfaces ge-0/0/1
root# set security zones security-zone BRT-Net host-inbound-traffic system-services all
root# set security zones security-zone Public-Net host-inbound-traffic system-services ike
root# set security zones security-zone Public-Net host-inbound-traffic system-services ping
root# set security zones security-zone Public-Net interfaces ge-0/0/0
root# set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.2/30
root# set interfaces ge-0/0/1 unit 0 family inet address 172.16.3.1/24
root# set security zones security-zone BRT-Net address-book address BRT-Network 172.16.3.0/24
root# set security zones security-zone BRT-Net address-book address BRT-Server-1 172.16.3.2/32
root# set security zones security-zone BRT-Net address-book address-set BRT-Servers address BRT-Server-1
root# set security zones security-zone Public-Net address-book address KTM-Network 172.16.1.0/24
root@BRT# set routing-options static route 0.0.0.0/0 next-hop 3.3.3.1 
root@BRT# edit security ike
root@BRT# set proposal BRT-KTM-IKE-Phase1-Proposal authentication-method pre-shared-keys 
root@BRT# set proposal BRT-KTM-IKE-Phase1-Proposal dh-group group2
root@BRT# set proposal BRT-KTM-IKE-Phase1-Proposal authentication-algorithm sha1 
root@BRT# set proposal BRT-KTM-IKE-Phase1-Proposal encryption-algorithm aes-128-cbc

root@BRT# set policy BRT-KTM-IKE-Phase1-Policy mode main
root@BRT# set policy BRT-KTM-IKE-Phase1-Policy proposals BRT-KTM-IKE-Phase1-Proposal 
root@BRT# set policy BRT-KTM-IKE-Phase1-Policy pre-shared-key ascii-text Secret@1234

root@BRT# set gateway GW-KTM ike-policy BRT-KTM-IKE-Phase1-Policy
root@BRT# set gateway GW-KTM address 1.1.1.2
root@BRT# set gateway GW-KTM external-interface ge-0/0/0

root@BRT# top
root@BRT# set routing-options static route 172.16.1.0/24 next-hop 4.4.4.1
root@BRT# set interfaces st0 unit 0 family inet address 4.4.4.2/30 
root@BRT# set security zones security-zone Public-Net interfaces st0.0

root@BRT# edit security ipsec
root@BRT# set proposal BRT-KTM-IPSec-Phase2-Proposal protocol esp
root@BRT# set proposal BRT-KTM-IPSec-Phase2-Proposal authentication-algorithm hmac-sha1-96
root@BRT# set proposal BRT-KTM-IPSec-Phase2-Proposal encryption-algorithm aes-128-cbc 

root@BRT# set policy BRT-KTM-IPSec-Phase2-Policy perfect-forward-secrecy keys group2
root@BRT# set policy BRT-KTM-IPSec-Phase2-Policy proposals BRT-KTM-IPSec-Phase2-Proposal

root@BRT# set vpn BRT-KTM-VPN bind-interface st0.0
root@BRT# set vpn BRT-KTM-VPN ike gateway GW-KTM
root@BRT# set vpn BRT-KTM-VPN ike ipsec-policy BRT-KTM-IPSec-Phase2-Policy
root@BRT# set vpn BRT-KTM-VPN establish-tunnels immediately


root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy BRT-KTM match source-address BRT-Network
root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy BRT-KTM match destination-address KTM-Network
root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy BRT-KTM match application any
root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy BRT-KTM then permit

root@BRT# set security policies from-zone Public-Net to-zone BRT-Net policy KTM-BRT match source-address KTM-Network
root@BRT# set security policies from-zone Public-Net to-zone BRT-Net policy KTM-BRT match destination-address BRT-Network
root@BRT# set security policies from-zone Public-Net to-zone BRT-Net policy KTM-BRT match application any
root@BRT# set security policies from-zone Public-Net to-zone BRT-Net policy KTM-BRT then permit
root@BRT# show | compare
root@BRT# commit check
root@BRT# commit

root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy Permit-All match source-address any
root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy Permit-All match destination-address any
root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy Permit-All match application any
root@BRT# set security policies from-zone BRT-Net to-zone Public-Net policy Permit-All then permit
root@BRT# insert security policies from-zone BRT-Net to-zone Public-Net policy BRT-KTM before policy Permit-All

root@BRT# commit

Configuration in KTM vSRX:

root@KTM# set security zones security-zone Public-Net address-book address BRT-Network 172.16.3.0/24
root@KTM# set routing-options static route 172.16.3.0/24 next-hop 4.4.4.2
root@KTM# set interfaces st0.0 family inet address 4.4.4.1/30
root@KTM# set security zones security-zone Public-Net interfaces st0.0

root@KTM# edit security ike 
root@KTM# set proposal KTM-BRT-IKE-Phase1-Proposal authentication-method pre-shared-keys
root@KTM# set proposal KTM-BRT-IKE-Phase1-Proposal dh-group group2
root@KTM# set proposal KTM-BRT-IKE-Phase1-Proposal authentication-algorithm sha1
root@KTM# set proposal KTM-BRT-IKE-Phase1-Proposal encryption-algorithm aes-128-cbc

root@KTM# set policy KTM-BRT-IKE-Phase1-Policy mode main
root@KTM# set policy KTM-BRT-IKE-Phase1-Policy proposals KTM-BRT-IKE-Phase1-Proposal
root@KTM# set policy KTM-BRT-IKE-Phase1-Policy pre-shared-key ascii-text Secret@1234

root@KTM# set gateway GW-BRT ike-policy KTM-BRT-IKE-Phase1-Policy
root@KTM# set gateway GW-BRT address 3.3.3.2
root@KTM# set gateway GW-BRT external-interface ge-0/0/0 

root@KTM# top edit security ipsec
root@KTM# set proposal KTM-BRT-IPSec-Phase2-Proposal protocol esp
root@KTM# set proposal KTM-BRT-IPSec-Phase2-Proposal authentication-algorithm hmac-sha1-96
root@KTM# set proposal KTM-BRT-IPSec-Phase2-Proposal encryption-algorithm aes-128-cbc

root@KTM# set policy KTM-BRT-IPSec-Phase2-Policy perfect-forward-secrecy keys group2
root@KTM# set policy KTM-BRT-IPSec-Phase2-Policy proposals KTM-BRT-IPSec-Phase2-Proposal

root@KTM# set vpn KTM-BRT-VPN bind-interface st0.0
root@KTM# set vpn KTM-BRT-VPN ike gateway GW-BRT 
root@KTM# set vpn KTM-BRT-VPN ike ipsec-policy KTM-BRT-IPSec-Phase2-Policy
root@KTM# set vpn KTM-BRT-VPN establish-tunnels immediately

root@KTM# top
root@KTM# show | compare
root@KTM# commit check

root@KTM# set security policies from-zone Public-Net to-zone DC-Net policy BRT-KTM match source-address BRT-Network
root@KTM# set security policies from-zone Public-Net to-zone DC-Net policy BRT-KTM match destination-address DC-Network
root@KTM# set security policies from-zone Public-Net to-zone DC-Net policy BRT-KTM match application any
root@KTM# set security policies from-zone Public-Net to-zone DC-Net policy BRT-KTM then permit

root@KTM# commit check
root@KTM# commit
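
The proposals in this lab use DH group2, SHA-1 and AES-128-CBC with a short pre-shared key. As an added example (not part of the original post), the commands below raise those parameters on both peers using the object names from this page and then check the tunnel from BRT. It assumes a Junos release that supports group14, sha-256 and hmac-sha-256-128; <long-random-psk> is a placeholder.

```junos
# Added example, not from the original post. The lab uses:
#   IKE:   dh-group group2 / sha1 / aes-128-cbc
#   IPsec: hmac-sha1-96 / aes-128-cbc, PFS group2
# Change both peers together: a proposal mismatch stops Phase 1 or Phase 2.

# --- BRT (configuration mode) ---
root@BRT# top
root@BRT# set security ike proposal BRT-KTM-IKE-Phase1-Proposal dh-group group14
root@BRT# set security ike proposal BRT-KTM-IKE-Phase1-Proposal authentication-algorithm sha-256
root@BRT# set security ike proposal BRT-KTM-IKE-Phase1-Proposal encryption-algorithm aes-256-cbc
root@BRT# set security ipsec proposal BRT-KTM-IPSec-Phase2-Proposal authentication-algorithm hmac-sha-256-128
root@BRT# set security ipsec proposal BRT-KTM-IPSec-Phase2-Proposal encryption-algorithm aes-256-cbc
root@BRT# set security ipsec policy BRT-KTM-IPSec-Phase2-Policy perfect-forward-secrecy keys group14
# <long-random-psk> is a placeholder; the same value goes on both peers.
root@BRT# set security ike policy BRT-KTM-IKE-Phase1-Policy pre-shared-key ascii-text "<long-random-psk>"
root@BRT# commit check
root@BRT# commit

# --- KTM (configuration mode): same values under its own object names ---
root@KTM# top
root@KTM# set security ike proposal KTM-BRT-IKE-Phase1-Proposal dh-group group14
root@KTM# set security ike proposal KTM-BRT-IKE-Phase1-Proposal authentication-algorithm sha-256
root@KTM# set security ike proposal KTM-BRT-IKE-Phase1-Proposal encryption-algorithm aes-256-cbc
root@KTM# set security ipsec proposal KTM-BRT-IPSec-Phase2-Proposal authentication-algorithm hmac-sha-256-128
root@KTM# set security ipsec proposal KTM-BRT-IPSec-Phase2-Proposal encryption-algorithm aes-256-cbc
root@KTM# set security ipsec policy KTM-BRT-IPSec-Phase2-Policy perfect-forward-secrecy keys group14
root@KTM# set security ike policy KTM-BRT-IKE-Phase1-Policy pre-shared-key ascii-text "<long-random-psk>"
root@KTM# commit check
root@KTM# commit

# --- Verify from BRT ---
# Phase 1: an IKE SA toward 1.1.1.2 should be listed in state UP.
root@BRT# run show security ike security-associations
# Phase 2: an inbound/outbound SA pair should be listed for gateway 1.1.1.2.
root@BRT# run show security ipsec security-associations
# Route-based specifics: the tunnel interface is up and the KTM prefix
# resolves through it (static route with next-hop 4.4.4.1 on st0.0).
root@BRT# run show interfaces st0.0 terse
root@BRT# run show route 172.16.1.0/24
# Reach the far end of the tunnel (KTM st0.0 address from this page).
root@BRT# run ping 4.4.4.1 count 3
```

If the IKE SA never appears after the change, compare the two proposals line by line first; the values must match on both peers.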
