11.2.6.1. Connections using the IPSec (inter-site tunnel) function

Operation confirmed version:
 vSRX version 15.1X49-D105.1
vSRX supports IPsec. This section describes how to set up an IPsec tunnel for inter-site connections.
Building an IPsec tunnel allows the intra-site networks on both sides to connect and communicate with each other through the tunnel.

Note

  • It has been identified that the control-plane CPU usage tends to become high in specific scenarios when ver.15.1X49D105.1 is used. For the conditions under which this occurs and the points to note, refer to Points to note when using ver.15.1X49D105.1.

IPsec (site-to-site mode) connections

Presumed case for sample setting

  • To make VPN connections (tunnel connections) between the Firewalls and enable communications between the virtual routers under each Firewall

  • To use the IPsec function (site-to-site) as the VPN connection method

  • To set the IPsec authentication parameters in accordance with the table below

Note

  • Before making the IPsec settings, make sure that the two vSRXs (here vSRX-01 and vSRX-03) can reach each other over IP.

  • For vSRX, two kinds of VPN connection methods are available: route-based VPN and policy-based VPN. This tutorial describes the route-based method. A route-based VPN forwards the target traffic through the IPsec tunnel according to the routing configuration.

  • For policy-based VPN, refer to the Juniper Networks official website: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-application-advanced-policy-based-routing.html#jd0e49

  • Route-based VPN and policy-based VPN cannot be used together.

IPsec parameter information

Set the parameters that the Firewall needs for IPsec negotiation and encryption as follows:

Parameter                        Value
-------------------------------  ----------------
Phase 1
  Authentication Method          Pre-shared key
  Pre-shared key password        IPSEC_KEY_1
  DH group                       group14
  Encryption Algorithm           AES256-GCM
  ISAKMP SA lifetime             28800 seconds
  IKE version                    v2only
Phase 2
  Security protocol              ESP
  Encryption Algorithm           AES256-GCM
  IPSEC SA lifetime              3600 seconds
  perfect-forward-secrecy keys   group14
  Establish-tunnels              immediately

Setting flow in a presumed case

1. Set an IKE proposal (proposal name: IKE_PROP1).
  • Set “Authentication Method”, “DH group”, “Encryption Algorithm”, and “lifetime-seconds” as shown in the parameter table above.

2. Set an IKE policy (policy name: IKE_POL1).
  • Set “Pre-shared key” as shown in the parameter table above.

  • Set the IKE mode to main mode.

  • Set the proposal (IKE_PROP1) to be applied to the policy.

3. Set an IKE gateway (gateway name: GW1).
  • Set “IKE version” as shown in the parameter table above.

  • Set the policy (IKE_POL1) to be applied to the gateway.

  • Set the IPsec peer (destination) IP address (192.168.3.103).

  • Set the source (external) interface.

4. Set an IPsec proposal (proposal name: IPSEC_PROP1).
  • Set “Security Protocol”, “Encryption Algorithm”, and “IPSEC SA lifetime” as shown in the parameter table above.

5. Set an IPsec policy (policy name: IPSEC_POL1).
  • Set “perfect-forward-secrecy keys” as shown in the parameter table above.

  • Set the IPsec proposal (IPSEC_PROP1) to be applied to the policy.

6. Set the IPsec VPN (VPN name: VPN1).
  • Set “Establish-tunnels” as shown in the parameter table above.

  • Set the IKE gateway configured above (here GW1).

  • Set the IPsec policy (IPSEC_POL1).

7. Set the route-based VPN.
  • Create the tunnel interface (st0.0) and set its IP address.

  • Assign the created st0.0 to a zone (here untrust).

  • Bind st0.0 to the IPsec VPN (setting under VPN1).

  • Set a static route that forwards the IPsec traffic to the tunnel interface.

8. Zone-based Firewall setting
  • Set the local network and remote network.

[vSRX-01] LOCAL_LAN: 192.168.11.0/24, REMOTE_LAN: 192.168.33.0/24

[vSRX-03] LOCAL_LAN: 192.168.33.0/24, REMOTE_LAN: 192.168.11.0/24

  • Set the policy allowing communications from LOCAL_LAN (trust zone) to REMOTE_LAN (untrust zone), for IPsec communications.

Note

  • For settings such as the zone-based Firewall policy and the network settings, configure them in accordance with the environment in use.

  • It is assumed that the configuration allows all communications initiated from the trust zone of the device.

Command to be entered with CLI

  • Commands entered on the vSRX-01 side

(Setting flow steps 1 to 3)
user01@vSRX-01# set security ike proposal IKE_PROP1 authentication-method pre-shared-keys
user01@vSRX-01# set security ike proposal IKE_PROP1 dh-group group14
user01@vSRX-01# set security ike proposal IKE_PROP1 encryption-algorithm aes-256-gcm
user01@vSRX-01# set security ike proposal IKE_PROP1 lifetime-seconds 28800
user01@vSRX-01# set security ike policy IKE_POL1 pre-shared ascii-text IPSEC_KEY_1
user01@vSRX-01# set security ike policy IKE_POL1 mode main
user01@vSRX-01# set security ike policy IKE_POL1 proposals IKE_PROP1
user01@vSRX-01# set security ike gateway GW1 version v2-only
user01@vSRX-01# set security ike gateway GW1 ike-policy IKE_POL1
user01@vSRX-01# set security ike gateway GW1 address 192.168.3.103
user01@vSRX-01# set security ike gateway GW1 external-interface ge-0/0/2.0

(Setting flow steps 4 to 6)
user01@vSRX-01# set security ipsec proposal IPSEC_PROP1 protocol esp
user01@vSRX-01# set security ipsec proposal IPSEC_PROP1 encryption-algorithm aes-256-gcm
user01@vSRX-01# set security ipsec proposal IPSEC_PROP1 lifetime-seconds 3600
user01@vSRX-01# set security ipsec policy IPSEC_POL1 perfect-forward-secrecy keys group14
user01@vSRX-01# set security ipsec policy IPSEC_POL1 proposals IPSEC_PROP1
user01@vSRX-01# set security ipsec vpn VPN1 establish-tunnels immediately
user01@vSRX-01# set security ipsec vpn VPN1 ike gateway GW1
user01@vSRX-01# set security ipsec vpn VPN1 ike ipsec-policy IPSEC_POL1

(Setting flow step 7)
user01@vSRX-01# set interfaces st0 unit 0 family inet address 172.16.13.1/24
user01@vSRX-01# set security zones security-zone untrust interfaces st0.0
user01@vSRX-01# set security ipsec vpn VPN1 bind-interface st0.0
user01@vSRX-01# set routing-options static route 192.168.33.0/24 next-hop st0.0

(Setting flow step 8)
user01@vSRX-01# set security address-book global address LOCAL_LAN 192.168.11.0/24
user01@vSRX-01# set security address-book global address REMOTE_LAN 192.168.33.0/24
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy fromIPSEC match source-address REMOTE_LAN
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy fromIPSEC match destination-address LOCAL_LAN
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy fromIPSEC match application any
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy fromIPSEC then permit
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy DENY-ALL match source-address any
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy DENY-ALL match destination-address any
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy DENY-ALL match application any
user01@vSRX-01# set security policies from-zone untrust to-zone trust policy DENY-ALL then deny

  • Commands entered on the vSRX-03 side

(Setting flow steps 1 to 3)
user01@vSRX-03# set security ike proposal IKE_PROP1 authentication-method pre-shared-keys
user01@vSRX-03# set security ike proposal IKE_PROP1 dh-group group14
user01@vSRX-03# set security ike proposal IKE_PROP1 encryption-algorithm aes-256-gcm
user01@vSRX-03# set security ike proposal IKE_PROP1 lifetime-seconds 28800
user01@vSRX-03# set security ike policy IKE_POL1 pre-shared ascii-text IPSEC_KEY_1
user01@vSRX-03# set security ike policy IKE_POL1 mode main
user01@vSRX-03# set security ike policy IKE_POL1 proposals IKE_PROP1
user01@vSRX-03# set security ike gateway GW1 version v2-only
user01@vSRX-03# set security ike gateway GW1 ike-policy IKE_POL1
user01@vSRX-03# set security ike gateway GW1 address 192.168.1.101
user01@vSRX-03# set security ike gateway GW1 external-interface ge-0/0/1.0

(Setting flow steps 4 to 6)
user01@vSRX-03# set security ipsec proposal IPSEC_PROP1 protocol esp
user01@vSRX-03# set security ipsec proposal IPSEC_PROP1 encryption-algorithm aes-256-gcm
user01@vSRX-03# set security ipsec proposal IPSEC_PROP1 lifetime-seconds 3600
user01@vSRX-03# set security ipsec policy IPSEC_POL1 perfect-forward-secrecy keys group14
user01@vSRX-03# set security ipsec policy IPSEC_POL1 proposals IPSEC_PROP1
user01@vSRX-03# set security ipsec vpn VPN1 establish-tunnels immediately
user01@vSRX-03# set security ipsec vpn VPN1 ike gateway GW1
user01@vSRX-03# set security ipsec vpn VPN1 ike ipsec-policy IPSEC_POL1

(Setting flow step 7)
user01@vSRX-03# set interfaces st0 unit 0 family inet address 172.16.13.3/24
user01@vSRX-03# set security zones security-zone untrust interfaces st0.0
user01@vSRX-03# set security ipsec vpn VPN1 bind-interface st0.0
user01@vSRX-03# set routing-options static route 192.168.11.0/24 next-hop st0.0

(Setting flow step 8)
user01@vSRX-03# set security address-book global address LOCAL_LAN 192.168.33.0/24
user01@vSRX-03# set security address-book global address REMOTE_LAN 192.168.11.0/24
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy fromIPSEC match source-address REMOTE_LAN
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy fromIPSEC match destination-address LOCAL_LAN
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy fromIPSEC match application any
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy fromIPSEC then permit
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy DENY-ALL match source-address any
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy DENY-ALL match destination-address any
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy DENY-ALL match application any
user01@vSRX-03# set security policies from-zone untrust to-zone trust policy DENY-ALL then deny
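As an added pre-commit check (example code, not part of this tutorial or of Junos), the following script parses the tunnel-relevant set commands of both sides and verifies what most often stops a route-based tunnel from coming up: the IKE and IPsec proposal values, the PFS group and the IKE version must agree on both ends, and each side's gateway address must be the address of the interface the other side uses as its external-interface. The command lists are constructed from the commands above, with the interface addresses taken from the configurations shown below; the pre-shared key is deliberately not compared, since the committed configuration only shows it encrypted.

```python
# Constructed from the page: the tunnel-relevant set commands of each vSRX
# (prompts removed) plus each external interface address from its configuration.
VSRX01 = """
set security ike proposal IKE_PROP1 authentication-method pre-shared-keys
set security ike proposal IKE_PROP1 dh-group group14
set security ike proposal IKE_PROP1 encryption-algorithm aes-256-gcm
set security ike gateway GW1 version v2-only
set security ike gateway GW1 address 192.168.3.103
set security ike gateway GW1 external-interface ge-0/0/2.0
set security ipsec proposal IPSEC_PROP1 protocol esp
set security ipsec proposal IPSEC_PROP1 encryption-algorithm aes-256-gcm
set security ipsec policy IPSEC_POL1 perfect-forward-secrecy keys group14
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24
"""
VSRX03 = """
set security ike proposal IKE_PROP1 authentication-method pre-shared-keys
set security ike proposal IKE_PROP1 dh-group group14
set security ike proposal IKE_PROP1 encryption-algorithm aes-256-gcm
set security ike gateway GW1 version v2-only
set security ike gateway GW1 address 192.168.1.101
set security ike gateway GW1 external-interface ge-0/0/1.0
set security ipsec proposal IPSEC_PROP1 protocol esp
set security ipsec proposal IPSEC_PROP1 encryption-algorithm aes-256-gcm
set security ipsec policy IPSEC_POL1 perfect-forward-secrecy keys group14
set interfaces ge-0/0/1 unit 0 family inet address 192.168.3.103/24
"""

def parse_side(text):
    """Collect the tunnel-relevant parameters from one side's set commands."""
    cfg = {"ike": {}, "gw": {}, "ipsec": {}, "ifaces": {}}
    for line in text.split("\n"):
        w = line.split()
        if w[:4] == ["set", "security", "ike", "proposal"]:
            cfg["ike"][w[5]] = w[6]            # proposal names need not match
        elif w[:4] == ["set", "security", "ike", "gateway"]:
            cfg["gw"][w[5]] = w[6]
        elif w[:4] == ["set", "security", "ipsec", "proposal"]:
            cfg["ipsec"][w[5]] = w[6]
        elif w[:4] == ["set", "security", "ipsec", "policy"] and "keys" in w:
            cfg["ipsec"]["pfs-group"] = w[w.index("keys") + 1]
        elif w[:2] == ["set", "interfaces"] and "address" in w:
            cfg["ifaces"][f"{w[2]}.{w[4]}"] = w[-1].split("/")[0]
    return cfg

def check_pair(a, b):
    """Return the mismatches between two ends; an empty list means they agree."""
    problems = []
    for section in ("ike", "ipsec", "gw"):
        for key in sorted(set(a[section]) | set(b[section])):
            if key in ("address", "external-interface"):
                continue                        # these legitimately differ per side
            if a[section].get(key) != b[section].get(key):
                problems.append(f"{section} {key}: {a[section].get(key)} vs {b[section].get(key)}")
    # Each side's gateway address must be the IP its peer uses as external-interface.
    for me, peer, name in ((a, b, "side A"), (b, a, "side B")):
        peer_ip = peer["ifaces"].get(peer["gw"].get("external-interface"))
        if me["gw"].get("address") != peer_ip:
            problems.append(f"{name} gateway address {me['gw'].get('address')} != peer external IP {peer_ip}")
    return problems
```

Running `check_pair(parse_side(VSRX01), parse_side(VSRX03))` on the page's values returns an empty list; changing one side's DH group or gateway address makes the corresponding mismatch show up.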

The resulting configuration after the above settings are completed is as follows.

  • vSRX-01 configuration

security {
    ike {
        proposal IKE_PROP1 {
            authentication-method pre-shared-keys;
            dh-group group14;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 28800;
        }
        policy IKE_POL1 {
            mode main;
            proposals IKE_PROP1;
            pre-shared-key ascii-text "$9$Lf4x-bwY4ZDHfT3/tOhcXxNdbYDiqz6Cq."; ## SECRET-DATA
        }
        gateway GW1 {
            ike-policy IKE_POL1;
            address 192.168.3.103;
            external-interface ge-0/0/2.0;
            version v2-only;
        }
    }
    ipsec {
        proposal IPSEC_PROP1 {
            protocol esp;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        policy IPSEC_POL1 {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC_PROP1;
        }
        vpn VPN1 {
            bind-interface st0.0;
            ike {
                gateway GW1;
                ipsec-policy IPSEC_POL1;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address REMOTE_LAN 192.168.33.0/24;
            address LOCAL_LAN 192.168.11.0/24;
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy fromIPSEC {
                match {
                    source-address REMOTE_LAN;
                    destination-address LOCAL_LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.11.101/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.1.101/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 172.16.13.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.33.0/24 next-hop st0.0;
    }
}

  • vSRX-03 configuration

security {
    ike {
        proposal IKE_PROP1 {
            authentication-method pre-shared-keys;
            dh-group group14;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 28800;
        }
        policy IKE_POL1 {
            mode main;
            proposals IKE_PROP1;
            pre-shared-key ascii-text "$9$Lf4x-bwY4ZDHfT3/tOhcXxNdbYDiqz6Cq."; ## SECRET-DATA
        }
        gateway GW1 {
            ike-policy IKE_POL1;
            address 192.168.1.101;
            external-interface ge-0/0/1.0;
            version v2-only;
        }
    }
    ipsec {
        proposal IPSEC_PROP1 {
            protocol esp;
            encryption-algorithm aes-256-gcm;
            lifetime-seconds 3600;
        }
        policy IPSEC_POL1 {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC_PROP1;
        }
        vpn VPN1 {
            bind-interface st0.0;
            ike {
                gateway GW1;
                ipsec-policy IPSEC_POL1;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address REMOTE_LAN 192.168.11.0/24;
            address LOCAL_LAN 192.168.33.0/24;
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy fromIPSEC {
                match {
                    source-address REMOTE_LAN;
                    destination-address LOCAL_LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.3.103/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.33.103/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 172.16.13.3/24;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.11.0/24 next-hop st0.0;
    }
}

Operation check result

The logs below confirm that an IPsec tunnel was established between vSRX-01 and vSRX-03 and that communication through the tunnel between the virtual routers on each side was possible.

Result of communications from the virtual router (192.168.11.201) to the virtual router (192.168.33.203)

user01@vRouter-01:~$ ping 192.168.33.203 count 10
PING 192.168.33.203 (192.168.33.203) 56(84) bytes of data.
64 bytes from 192.168.33.203: icmp_seq=1 ttl=62 time=9.46 ms
64 bytes from 192.168.33.203: icmp_seq=2 ttl=62 time=2.87 ms
64 bytes from 192.168.33.203: icmp_seq=3 ttl=62 time=3.04 ms
64 bytes from 192.168.33.203: icmp_seq=4 ttl=62 time=3.57 ms
64 bytes from 192.168.33.203: icmp_seq=5 ttl=62 time=2.70 ms
64 bytes from 192.168.33.203: icmp_seq=6 ttl=62 time=3.25 ms
64 bytes from 192.168.33.203: icmp_seq=7 ttl=62 time=3.10 ms
64 bytes from 192.168.33.203: icmp_seq=8 ttl=62 time=2.55 ms
64 bytes from 192.168.33.203: icmp_seq=9 ttl=62 time=3.29 ms
64 bytes from 192.168.33.203: icmp_seq=10 ttl=62 time=2.93 ms

--- 192.168.33.203 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9013ms
rtt min/avg/max/mdev = 2.552/3.680/9.468/1.950 ms
user01@vRouter-01:~$

Result of communications from the virtual router (192.168.33.203) to the virtual router (192.168.11.201)

user01@vRouter-03:~$ ping 192.168.11.201 count 10
PING 192.168.11.201 (192.168.11.201) 56(84) bytes of data.
64 bytes from 192.168.11.201: icmp_seq=1 ttl=62 time=13.3 ms
64 bytes from 192.168.11.201: icmp_seq=2 ttl=62 time=3.61 ms
64 bytes from 192.168.11.201: icmp_seq=3 ttl=62 time=3.22 ms
64 bytes from 192.168.11.201: icmp_seq=4 ttl=62 time=3.14 ms
64 bytes from 192.168.11.201: icmp_seq=5 ttl=62 time=2.90 ms
64 bytes from 192.168.11.201: icmp_seq=6 ttl=62 time=3.24 ms
64 bytes from 192.168.11.201: icmp_seq=7 ttl=62 time=3.60 ms
64 bytes from 192.168.11.201: icmp_seq=8 ttl=62 time=3.17 ms
64 bytes from 192.168.11.201: icmp_seq=9 ttl=62 time=2.91 ms
64 bytes from 192.168.11.201: icmp_seq=10 ttl=62 time=3.31 ms

--- 192.168.11.201 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9014ms
rtt min/avg/max/mdev = 2.905/4.253/13.387/3.053 ms
user01@vRouter-03:~$

  • IPsec connection status check on vSRX-01

user01@vSRX-01> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
137031  UP     4994f91cc5a7afd7  5e2c4c8cf061daa5  IKEv2          192.168.3.103

user01@vSRX-01> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None 8e61521c 1799/ unlim - root 500 192.168.3.103
  >131073 ESP:aes-gcm-256/None fa047078 1799/ unlim - root 500 192.168.3.103

  • IPsec connection status check on vSRX-03

user01@vSRX-03> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7856221 UP     4994f91cc5a7afd7  5e2c4c8cf061daa5  IKEv2          192.168.1.101

user01@vSRX-03> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None fa047078 1633/ unlim - root 500 192.168.1.101
  >131073 ESP:aes-gcm-256/None 8e61521c 1633/ unlim - root 500 192.168.1.101
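To verify the tunnel state from outputs like the ones above, here is an added example (not from the tutorial) that parses the `show security ipsec security-associations` output of both vSRXs and checks that each side has an inbound (`<`) and an outbound (`>`) ESP SA with the expected cipher, and that the SPIs cross-match (one side's inbound SPI is the other's outbound SPI), which shows that the two devices really share one tunnel. The sample outputs are constructed from the ones shown on this page.

```python
import re

# Constructed from the page's `show security ipsec security-associations`
# output on each vSRX (header lines kept so the parser has to skip them).
VSRX01_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None 8e61521c 1799/ unlim - root 500 192.168.3.103
  >131073 ESP:aes-gcm-256/None fa047078 1799/ unlim - root 500 192.168.3.103
"""
VSRX03_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None fa047078 1633/ unlim - root 500 192.168.1.101
  >131073 ESP:aes-gcm-256/None 8e61521c 1633/ unlim - root 500 192.168.1.101
"""

# One SA line: direction, ID, ESP:cipher/auth, SPI, life sec/kb, Mon, lsys, Port, Gateway
SA_LINE = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+?)/(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)"
    r"\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

def parse_sas(text):
    """Map 'in' (<) and 'out' (>) to the fields of each IPsec SA line."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue                     # banner and column-header lines
        direction, sa_id, cipher, auth, spi, life, _kb, _mon, _lsys, port, gw = m.groups()
        sas["in" if direction == "<" else "out"] = {
            "id": int(sa_id), "cipher": cipher, "auth": auth, "spi": spi,
            "life": int(life), "port": int(port), "gateway": gw,
        }
    return sas

def check_tunnel(local, remote, expected_cipher="ESP:aes-gcm-256"):
    """Return problems found when comparing both ends' SAs; empty list = healthy."""
    problems = []
    for side, sas in (("local", local), ("remote", remote)):
        for d in ("in", "out"):
            if d not in sas:
                problems.append(f"{side}: no {d}bound SA")
            elif sas[d]["cipher"] != expected_cipher:
                problems.append(f"{side} {d}: cipher {sas[d]['cipher']} != {expected_cipher}")
    if problems:
        return problems
    # An ESP SA is one-directional: my inbound SPI must be the peer's outbound SPI.
    if local["in"]["spi"] != remote["out"]["spi"] or local["out"]["spi"] != remote["in"]["spi"]:
        problems.append("SPIs do not cross-match; the two sides are not on the same tunnel")
    return problems
```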