Wednesday, 22 May 2013

SRX IPSec VPN - Multipoint

In this post a route-based multipoint IPSec VPN will be configured. This exercise builds on the configuration steps completed in the previous post, SRX IPSec VPN - Route Based, so make sure to review that post first. In essence, IPSec configuration is added to support the new SRX "Branch-B", and the st0.0 interface on SRX "Hub" is reconfigured as a multipoint interface. The diagram below outlines the lab topology.

Configure HUB
1. Create Gateway (for new IPSec tunnel to Branch-B)
The gateway defines the remote (far-end) device. Note that, as the screenshot below shows, the existing Phase 1 policy "PHASE1-POL" is reused.

2. Create VPN (for new IPSec tunnel to Branch-B)
In this step the VPN is created. Note that, as the screenshot below shows, the existing Phase 2 policy "PHASE2-POL" is reused.

3. Configure Secure Tunnel (ST) Interface as Multipoint
This step configures the Secure Tunnel interface st0.0 as a multipoint interface. This allows multiple IPSec security associations to be bound to a single secure tunnel interface, and it is the most important configuration step of this post. See the screenshot below for details. Keep in mind that st0.0 was already configured in the previous post; this command is in addition to that configuration.

Configure BRANCH-B
The configuration steps for BRANCH-B are almost identical to those for BRANCH-A in the previous post, SRX IPSec VPN - Route Based. The following steps and screenshots outline the configuration completed on the BRANCH-B SRX.
1. Create Phase 1 Policy

2. Create Gateway

3. Create Phase 2 Policy

4. Create VPN

Configure Intra-Zone Policy
1. Permit Access between BRANCH-A and BRANCH-B
Traffic between BRANCH-A and BRANCH-B must traverse the HUB device, so firewall policies are needed on the hub to permit it. In this case st0.0 is in the zone VPN, so both the from-zone and the to-zone will be VPN.

Verify IPSec Status
1. Verify Phase 1 & Phase 2 Security Associations on device BRANCH-A

2. Verify Phase 1 & Phase 2 Security Associations on device BRANCH-B

3. Verify Phase 1 & Phase 2 Security Associations on device HUB

4. Verify Next Hop Tunnel Bindings
The screenshot below confirms that both IPSec tunnels terminate on interface st0.0 on the hub device.
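The hub-side configuration behind the screenshots above (the Branch-B gateway and VPN reusing PHASE1-POL and PHASE2-POL, st0.0 as multipoint, the intra-zone VPN policy, and the verification commands), written out in Junos set syntax as an added example that is not from the original post. Gateway and VPN names, the 203.0.113.x peer addresses, the 10.0.0.0/24 tunnel addressing, ge-0/0/0.0 as the external interface and the 192.168.x.0/24 LAN prefixes are constructed for illustration; the next-hop-tunnel entries are shown for the case where static routing is used across the multipoint interface.

```junos
## Hub configuration (configuration mode). Constructed names/addresses are
## assumptions; PHASE1-POL, PHASE2-POL, st0.0 and zone VPN are from the post.

## Phase 1 gateway for Branch-B, reusing the existing Phase 1 policy
set security ike gateway GW-BRANCH-B ike-policy PHASE1-POL
set security ike gateway GW-BRANCH-B address 203.0.113.3
set security ike gateway GW-BRANCH-B external-interface ge-0/0/0.0

## Phase 2 VPN for Branch-B, reusing PHASE2-POL and bound to the same st0.0
set security ipsec vpn VPN-BRANCH-B bind-interface st0.0
set security ipsec vpn VPN-BRANCH-B ike gateway GW-BRANCH-B
set security ipsec vpn VPN-BRANCH-B ike ipsec-policy PHASE2-POL
set security ipsec vpn VPN-BRANCH-B establish-tunnels immediately

## st0.0 becomes multipoint so more than one SA can bind to it
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.0.0.1/24

## Static routes to each spoke LAN via its tunnel address, plus the
## next-hop tunnel binding (NHTB) that maps each next hop to its VPN
set routing-options static route 192.168.1.0/24 next-hop 10.0.0.2
set routing-options static route 192.168.2.0/24 next-hop 10.0.0.3
set interfaces st0 unit 0 family inet next-hop-tunnel 10.0.0.2 ipsec-vpn VPN-BRANCH-A
set interfaces st0 unit 0 family inet next-hop-tunnel 10.0.0.3 ipsec-vpn VPN-BRANCH-B

## st0.0 sits in zone VPN, so spoke-to-spoke traffic needs an intra-zone
## policy. Scoped to the two spoke LANs rather than "any" so only the
## intended subnets can transit the hub.
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN address-book address BRANCH-A-LAN 192.168.1.0/24
set security zones security-zone VPN address-book address BRANCH-B-LAN 192.168.2.0/24
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match source-address [ BRANCH-A-LAN BRANCH-B-LAN ]
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match destination-address [ BRANCH-A-LAN BRANCH-B-LAN ]
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match application any
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE then permit
commit

## Verification (operational mode): Phase 1 SAs, Phase 2 SAs, and the
## next-hop tunnel table showing both VPNs bound to st0.0
show security ike security-associations
show security ipsec security-associations
show security ipsec next-hop-tunnels
```

When both spokes are also SRX devices the NHTB entries can be learned automatically during tunnel establishment; the explicit next-hop-tunnel lines are the safe choice when that exchange is not available.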

Multipoint IPSec VPNs are well suited to hub-and-spoke topologies, since a single interface on the hub can carry multiple IPSec tunnels.