Tuesday, 22 January 2013

SRX IPSec VPN - Policy Based

In this post a policy-based IPSec VPN will be configured between two SRX devices. This exercise assumes all other device configuration, including routing, has already been completed. The 192.168.1.0/24 subnet will simulate the internet. The diagram outlines the lab topology.


Configure BRANCH-A SRX
1. Create Phase 1 Proposal
The Phase 1 proposal defines the authentication method, encryption and hashing algorithms, and Diffie-Hellman group used to protect the IKE negotiation. Junos ships three predefined proposal sets (basic, compatible and standard) which can be used instead; they pair older algorithms such as DES and 3DES with DH groups 1 and 2, which is one reason to prefer a custom proposal. In this example a custom proposal was defined rather than one of the predefined options. See the screenshot below for details.

2. Create Phase 1 Policy
The Phase 1 policy defines the IKE mode (main or aggressive), the proposal to use (predefined or the custom Phase 1 proposal), and the authentication credential, in this case a pre-shared key. Main mode is the right choice when both peers have fixed addresses, as aggressive mode sends the identity and a hash derived from the pre-shared key in the clear, which leaves the key open to offline guessing. See the screenshot below for configuration steps.

3. Create Gateway
The gateway defines the remote/far-end device. The external interface and remote side IP address are configured along with the phase 1 policy. See the screenshot below for details.

4. Create Phase 2 Proposal
In step 1 we created a proposal for Phase 1 negotiations, in this step we are creating a proposal for Phase 2 negotiations. There are also predefined proposals that can be used for Phase 2 proposals, in this example we will create a custom Phase 2 proposal. See the screenshot below for details.

5. Create Phase 2 Policy
In this step the Phase 2 policy is defined by specifying the Phase 2 proposal. Optionally perfect forward secrecy (PFS) can be enabled. With PFS a fresh Diffie-Hellman exchange is performed for each Phase 2 SA, so the IPsec keys are not derived from the Phase 1 keying material and compromise of one key does not expose earlier or later tunnel keys. In this example PFS was configured.

6. Create VPN
In this step the VPN is created by specifying the gateway and Phase 2 policy. See the screenshot below for details.

7. Create Address Book Entries
Address book entries are created so that these objects can be referenced in the policy that will be created in the next step.

8. Create Security Policy
Because this is a policy-based VPN, a security policy is what steers traffic into the tunnel: the 'permit tunnel ipsec-vpn' action encrypts matching traffic into the named VPN instead of forwarding it in the clear. A second policy is created for the reverse direction so that either side can initiate a connection. The 'pair-policy' statement links the two rules so both directions use the same VPN and the same security association. Security policies are evaluated top-down, so the tunnel policy must sit above any broader permit rule between the same zones, otherwise the traffic matches the broader rule and leaves unencrypted.




Configure HUB SRX
The configuration steps for the second device (HUB SRX) are almost identical; only device-specific values such as the peer address, the external interface and the local/remote networks change, while the proposals and the pre-shared key must match BRANCH-A exactly. The following steps outline the configuration completed on HUB SRX.

1. Create Phase 1 Proposal

2. Create Phase 1 Policy

3. Create Gateway

4. Create Phase 2 Proposal

5. Create Phase 2 Policy

6. Create VPN

7. Create Address Book Entries

8. Create Security Policy
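The set commands below reproduce steps 1 to 8 for both BRANCH-A and HUB SRX in one place, since the screenshots only show the J-Web equivalent. This is an added example written for this page, not the configuration from the original screenshots. The interface names, the zone names trust and untrust, the LAN prefixes 10.1.1.0/24 and 10.2.2.0/24, the peer addresses 192.168.1.1 and 192.168.1.2 on the simulated internet, the object names, and the algorithm choices are all assumptions.

```junos
## ===== BRANCH-A SRX (assumed: ge-0/0/0.0 = 192.168.1.1 in zone untrust, LAN 10.1.1.0/24 in zone trust)
## Step 1: Phase 1 (IKE) proposal. Custom rather than the predefined basic/compatible/standard sets.
## Algorithm choices are assumptions; older Junos releases may need group5/sha1 instead of group14/sha-256.
set security ike proposal P1-PROP authentication-method pre-shared-keys
set security ike proposal P1-PROP dh-group group14
set security ike proposal P1-PROP authentication-algorithm sha-256
set security ike proposal P1-PROP encryption-algorithm aes-256-cbc
set security ike proposal P1-PROP lifetime-seconds 28800

## Step 2: Phase 1 policy: main mode, the custom proposal, and the pre-shared key.
## Use a long random secret; it must be identical on both peers.
set security ike policy P1-POL mode main
set security ike policy P1-POL proposals P1-PROP
set security ike policy P1-POL pre-shared-key ascii-text "replace-with-a-long-random-secret"

## Step 3: Gateway: the far-end peer address and the local interface IKE listens on.
set security ike gateway GW-HUB ike-policy P1-POL
set security ike gateway GW-HUB address 192.168.1.2
set security ike gateway GW-HUB external-interface ge-0/0/0.0

## Step 4: Phase 2 (IPsec) proposal.
set security ipsec proposal P2-PROP protocol esp
set security ipsec proposal P2-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal P2-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal P2-PROP lifetime-seconds 3600

## Step 5: Phase 2 policy with PFS: a fresh DH exchange for every Phase 2 SA.
set security ipsec policy P2-POL perfect-forward-secrecy keys group14
set security ipsec policy P2-POL proposals P2-PROP

## Step 6: VPN object binding the gateway and the Phase 2 policy (no bind-interface: this is policy-based).
set security ipsec vpn VPN-HUB ike gateway GW-HUB
set security ipsec vpn VPN-HUB ike ipsec-policy P2-POL

## Step 7: Address book entries referenced by the policies.
## (Global book shown; the older per-zone form works too, but the two styles cannot be mixed.)
set security address-book global address LAN-A 10.1.1.0/24
set security address-book global address LAN-HUB 10.2.2.0/24

## Step 8: Tunnel policies in both directions, linked with pair-policy.
set security policies from-zone trust to-zone untrust policy A-TO-HUB match source-address LAN-A
set security policies from-zone trust to-zone untrust policy A-TO-HUB match destination-address LAN-HUB
set security policies from-zone trust to-zone untrust policy A-TO-HUB match application any
set security policies from-zone trust to-zone untrust policy A-TO-HUB then permit tunnel ipsec-vpn VPN-HUB
set security policies from-zone trust to-zone untrust policy A-TO-HUB then permit tunnel pair-policy HUB-TO-A
set security policies from-zone untrust to-zone trust policy HUB-TO-A match source-address LAN-HUB
set security policies from-zone untrust to-zone trust policy HUB-TO-A match destination-address LAN-A
set security policies from-zone untrust to-zone trust policy HUB-TO-A match application any
set security policies from-zone untrust to-zone trust policy HUB-TO-A then permit tunnel ipsec-vpn VPN-HUB
set security policies from-zone untrust to-zone trust policy HUB-TO-A then permit tunnel pair-policy A-TO-HUB
## Policies match top-down: if a broader trust-to-untrust permit rule already exists, move the tunnel
## policy above it, e.g.  insert security policies from-zone trust to-zone untrust policy A-TO-HUB before policy <existing-policy>
## The untrust zone must also accept IKE on the external interface, or Phase 1 never starts.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

## ===== HUB SRX (assumed: ge-0/0/0.0 = 192.168.1.2 in zone untrust, LAN 10.2.2.0/24 in zone trust)
## Steps 1, 2, 4 and 5 are identical to BRANCH-A (same proposals, same mode, same pre-shared key, same PFS group).
## Only the device-specific objects differ:
set security ike gateway GW-A ike-policy P1-POL
set security ike gateway GW-A address 192.168.1.1
set security ike gateway GW-A external-interface ge-0/0/0.0
set security ipsec vpn VPN-A ike gateway GW-A
set security ipsec vpn VPN-A ike ipsec-policy P2-POL
set security address-book global address LAN-A 10.1.1.0/24
set security address-book global address LAN-HUB 10.2.2.0/24
set security policies from-zone trust to-zone untrust policy HUB-TO-A match source-address LAN-HUB
set security policies from-zone trust to-zone untrust policy HUB-TO-A match destination-address LAN-A
set security policies from-zone trust to-zone untrust policy HUB-TO-A match application any
set security policies from-zone trust to-zone untrust policy HUB-TO-A then permit tunnel ipsec-vpn VPN-A
set security policies from-zone trust to-zone untrust policy HUB-TO-A then permit tunnel pair-policy A-TO-HUB
set security policies from-zone untrust to-zone trust policy A-TO-HUB match source-address LAN-A
set security policies from-zone untrust to-zone trust policy A-TO-HUB match destination-address LAN-HUB
set security policies from-zone untrust to-zone trust policy A-TO-HUB match application any
set security policies from-zone untrust to-zone trust policy A-TO-HUB then permit tunnel ipsec-vpn VPN-A
set security policies from-zone untrust to-zone trust policy A-TO-HUB then permit tunnel pair-policy HUB-TO-A
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
commit check
```

Paste each half into configuration mode with 'load set terminal' (the '##' lines are comments and are ignored), run 'commit check', then 'commit'. The pre-shared key is stored encrypted after commit and shows as SECRET-DATA in 'show' output, so keep the plaintext out of pasted transcripts. Note that there is no bind-interface or st0 unit anywhere: that is what distinguishes this policy-based VPN from the route-based variant.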



Verify IPSec Status
1. Verify Phase 1 Security Associations
The command 'show security ike security-associations' shows the state of the Phase 1 (IKE) security associations; in this example Phase 1 is up.

2. Verify Phase 2 Security Associations
The command 'show security ipsec security-associations' shows the Phase 2 (IPsec) security associations, one inbound and one outbound per tunnel; in this example Phase 2 is up.

3. Verify VPN Statistics
The command 'show security ipsec statistics' outlines byte and packet counters and is a good indicator that actual traffic is passing through the VPN.

4. Verify Phase 1 Security Associations in Detail
The command 'show security ike security-associations detail' provides an expanded output of Phase 1 negotiations.

5. Verify Phase 2 Security Associations in Detail
The command 'show security ipsec security-associations detail' provides an expanded output of Phase 2 negotiations.
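The sequence below runs the checks from this section in the order a practitioner would use them, and adds two that the section does not cover: confirming that the session actually hit the tunnel policy, and tracing IKE when Phase 1 never comes up. This is an added example, not output or commands from the original post; the LAN addresses 10.1.1.1 and 10.2.2.1, the peer 192.168.1.2 and the zone names follow the assumptions used for the configuration above.

```junos
## Operational mode on BRANCH-A. A policy-based tunnel is negotiated on the first matching packet,
## so generate one from the LAN side (10.1.1.1 and 10.2.2.1 are assumed addresses):
ping 10.2.2.1 source 10.1.1.1 count 3

## Phase 1: expect State UP on the row whose Remote Address is 192.168.1.2
show security ike security-associations
show security ike security-associations 192.168.1.2 detail

## Phase 2: expect an inbound (<) and an outbound (>) ESP entry with lifetimes counting down
show security ipsec security-associations
show security ipsec security-associations detail

## Counters: clear first so the next ping gives a clean reading, then expect encrypted/decrypted counts to grow
clear security ipsec statistics
ping 10.2.2.1 source 10.1.1.1 count 3
show security ipsec statistics

## Confirm the session was matched by the tunnel policy (Policy name: A-TO-HUB) and not by a broader permit rule;
## a session that shows a different policy name is leaving the box in the clear.
show security flow session destination-prefix 10.2.2.0/24

## If Phase 1 never reaches UP: trace IKE to a file (configuration mode), then read the trace.
## Typical findings are a proposal mismatch, a pre-shared key mismatch, or IKE not allowed inbound on the untrust interface.
configure
set security ike traceoptions file ike-trace
set security ike traceoptions flag all
commit and-quit
show log ike-trace

## Remove the trace once finished; it is verbose and stays on disk.
configure
delete security ike traceoptions
commit and-quit
```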




Conclusion
The next post will focus on basic route-based IPSec VPNs. Also as part of this category I hope to complete point-to-multipoint IPSec VPNs and certificate-based IPSec VPNs.

