Friday, 22 March 2013

SRX IPSec VPN - Route Based

In this post a route-based IPSec VPN will be configured. This exercise assumes all other device configuration, including routing, has already been completed. The diagram below outlines the lab topology.



Configure BRANCH-A SRX
1. Create Secure Tunnel Interface
The secure tunnel interface (st0.x) is used as the interface of the VPN tunnel. When traffic is routed to the secure tunnel interface it is encrypted and sent across the VPN tunnel. Secure tunnel interfaces are configured in the same way as physical interfaces. See the screenshot below for details.

2. Create Phase 1 Policy
The Phase 1 policy defines the VPN mode (which can be main or aggressive), the proposal (in this case pre-defined), and the authentication key (in this case a pre-shared password). See the screenshot below for configuration steps.

3. Create Gateway
The gateway defines the remote/far-end device. The external interface and remote side IP address are configured along with the phase 1 policy. See the screenshot below for details.

4. Create Phase 2 Policy
In this step the Phase 2 policy is defined by specifying the Phase 2 proposal (in this case pre-defined). Optionally, perfect forward secrecy can be enabled. This forces the VPN to perform a fresh Phase 1 key exchange again once the secure Phase 2 channel is set up, so the Phase 2 keys are not derived from the original Phase 1 keying material. In this example we configured perfect forward secrecy.

5. Create VPN
In this step the VPN is created by specifying the gateway and Phase 2 policy. See the screenshot below for details.
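Because the screenshots are not reproduced here, the same five steps in Junos set syntax, as an added example rather than the post's own configuration; the object names, the st0 address, the external interface ge-0/0/0.0, the remote address 203.0.113.2, the remote network 192.168.2.0/24, the zone name and the key are all assumed placeholders, and the # lines are annotations for the reader.

```junos
# Step 1: secure tunnel interface (tunnel-side address is an assumed value)
set interfaces st0 unit 0 family inet address 10.255.0.1/30

# Step 2: Phase 1 (IKE) policy: main mode, pre-defined proposal set, pre-shared key
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposal-set standard
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-STRONG-KEY"

# Step 3: gateway = the HUB SRX; external interface and remote address are assumed
set security ike gateway HUB-GW ike-policy IKE-POL
set security ike gateway HUB-GW address 203.0.113.2
set security ike gateway HUB-GW external-interface ge-0/0/0.0

# Step 4: Phase 2 (IPsec) policy, pre-defined proposal set, with perfect forward secrecy
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POL proposal-set standard

# Step 5: the VPN ties the gateway and Phase 2 policy to the st0 interface
set security ipsec vpn HUB-VPN bind-interface st0.0
set security ipsec vpn HUB-VPN ike gateway HUB-GW
set security ipsec vpn HUB-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn HUB-VPN establish-tunnels immediately

# Route-based: a route into st0.0 selects the tunnel; st0.0 must also sit in a
# zone so that a security policy can permit the traffic (assumed zone name)
set routing-options static route 192.168.2.0/24 next-hop st0.0
set security zones security-zone vpn interfaces st0.0

# Operational checks after commit (matching the Verify section below):
#   show security ike security-associations
#   show security ipsec security-associations
#   show security ipsec statistics
```

The HUB SRX side mirrors this with its own st0 address, external interface, gateway address and routes.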



Configure HUB SRX
The configuration steps for the second device (HUB SRX) are almost identical, except for device-specific information such as IP addresses and networks. The following steps outline the configuration that was completed on HUB SRX.
1. Create Secure Tunnel Interface

2. Create Phase 1 Policy


3. Create Gateway

4. Create Phase 2 Policy

5. Create VPN



Verify IPSec Status
1. Verify Phase 1 Security Associations


2. Verify Phase 2 Security Associations


3. Verify VPN Statistics




Conclusion
Security policies are not required as part of the VPN configuration. It is important to remember that they will be needed to permit traffic just as you would to/from any other interface. The next post will focus on hub and spoke (multi-point) VPN configuration.