In this lab, we configure a simple route-based IPSec tunnel (bound to an st0 interface) in IKEv1 main mode between two firewalls: SRX1, which fronts the OAM network, and SRX2, which fronts the CORP network. Main mode with pre-shared keys requires a fixed IP address at both ends, because the peer is identified and its key selected by source address before any identity payload is exchanged.
Below are the parameters for the IPSec tunnel.
Phase 1 (IKE):
- Authentication method: pre-shared key
- DH group: group2 (1024-bit MODP)
- Authentication algorithm: md5
- Encryption algorithm: 3des-cbc
- Lifetime: 86400 seconds
Phase 2 (IPSec):
- Protocol: ESP
- Authentication algorithm: hmac-md5-96
- Encryption algorithm: 3des-cbc
- Lifetime: 3600 seconds
- Perfect forward secrecy: group2 (from the ipsec policy below)
These values reproduce a legacy lab baseline and should not be copied to production: 3DES is a 64-bit block cipher, MD5-based integrity and DH group 2 are both below current minimums, and IKEv1 main mode itself has been superseded. For a real deployment use IKEv2 with AES (AES-GCM, or AES-CBC with SHA-256) and DH group 14 or stronger; the configuration structure below stays the same, only the proposal contents change.
The firewall policy allows two CORP subnets (VLAN 200 and 201) to reach a predefined set of applications on VLAN 100 in the OAM network. The OAM network can reach the Internet, except for FTP.
Topology
Configuration
Base config (interface, routing)
interfaces {
    protect: ge-0/0/0 {
        description "MGMT Interface - DO NOT DELETE";
        unit 0 {
            family inet {
                address 10.210.14.135/27;
            }
        }
    }
    ge-0/0/3 {
        description "Link to Internet Router";
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                address 123.1.1.2/30;
            }
        }
    }
    ge-0/0/4 {
        description "Link to OAM Virtual Router";
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                /* Limitation of running Junos on VM.
                 * Reduce MTU to match the other end */
                mtu 1496;
                address 10.10.100.1/24;
            }
        }
    }
    lo0 {
        unit 1 {
            family inet {
                address 192.168.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            description "IPSec Tunnel to SRX2 CORP Firewall";
            family inet {
                address 10.10.1.1/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 123.1.1.1;
    }
}
protocols {
    ospf {
        traceoptions {
            file ospf;
            flag error;
            flag event;
            flag hello;
        }
        area 0.0.0.0 {
            interface st0.0;
            interface ge-0/0/4.100 {
                interface-type p2p;
            }
        }
    }
    lldp {
        interface all;
    }
}
IPSec configuration
[edit]
lab@SRX1# show security
ike {
    proposal phase1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy phase1-policy {
        mode main;
        proposals phase1;
        pre-shared-key ascii-text "$9$zyG8F9t0BEcyKCtLNbwJZF369Cu1RSeMX"; ## SECRET-DATA
    }
    gateway phase1-gateway {
        ike-policy phase1-policy;
        address 123.1.2.2;
        dead-peer-detection {
            interval 20;
            threshold 5;
        }
        external-interface ge-0/0/3.1;
    }
}
ipsec {
    proposal phase2 {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy phase2-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals phase2;
    }
    vpn to-remote-SRX {
        bind-interface st0.0;
        ike {
            gateway phase1-gateway;
            ipsec-policy phase2-policy;
        }
        establish-tunnels immediately;
    }
}
Two points to keep in mind with this stanza. The "$9$..." string is Junos' reversible obfuscation of the pre-shared key, not a hash: anyone who can read the configuration (or a backup of it) can recover the key, so the key must be unique per peer and configuration files must be handled as secrets. establish-tunnels immediately makes SRX1 negotiate at commit time instead of waiting for interesting traffic, and dead-peer-detection (a probe every 20 seconds, five misses before the SA is torn down) is what detects a silently failed peer on a route-based tunnel.
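Because the weak spots of this configuration are all in the proposals, it is worth having a check that flags them mechanically before a commit. The following script is an added example, not part of the lab or of Junos: it walks the ike and ipsec stanzas as printed by show security, collects each proposal's statements, and compares them against a baseline that is an assumption of this example (64-bit block ciphers, MD5/SHA-1 integrity and DH groups below 2048-bit MODP are flagged). The lab's own proposals are embedded as input, next to a constructed hardened pair (aes-256-cbc, sha-256, group14 and aes-256-gcm are the Junos algorithm names) that passes the same check.

```python
"""Audit Junos IKE/IPsec proposals against a modern algorithm baseline.

Added example (not part of the lab or of Junos): feed it the ike / ipsec
stanzas as printed by `show security`. The baseline below is an
assumption of this example, not a Juniper recommendation.
"""

# Constructed input: the two proposals from the lab configuration above.
LAB_CONFIG = """
ike {
    proposal phase1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
}
ipsec {
    proposal phase2 {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
}
"""

# Constructed input: the same two proposals rewritten to pass the audit.
HARDENED_CONFIG = """
ike {
    proposal phase1-aes {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
}
ipsec {
    proposal phase2-aes {
        protocol esp;
        encryption-algorithm aes-256-gcm;
        lifetime-seconds 3600;
    }
}
"""

# Baseline (assumed for this example).
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_DH = {"group1", "group2", "group5"}
MAX_LIFETIME = {"ike": 86400, "ipsec": 3600}


def parse_proposals(text):
    """Return {(stanza, proposal-name): {statement: value}} for every
    `proposal` under `ike` or `ipsec`. Brace depth is tracked with a
    stack, so several proposals per stanza are handled."""
    proposals = {}
    stack = []  # names of the currently open blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("/*", "*")):
            continue  # blank line or Junos comment
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            continue
        if len(stack) >= 2 and stack[-2] in ("ike", "ipsec") \
                and stack[-1].startswith("proposal "):
            # leaf statement "keyword value;" with any "## ..." annotation dropped
            stmt = line.split("#", 1)[0].strip().rstrip(";")
            key, _, value = stmt.partition(" ")
            name = stack[-1].split(None, 1)[1]
            proposals.setdefault((stack[-2], name), {})[key] = value
    return proposals


def audit(proposals):
    """Return a list of (stanza, proposal, finding); empty means all
    proposals meet the baseline."""
    findings = []
    for (stanza, name), stmts in sorted(proposals.items()):
        enc = stmts.get("encryption-algorithm", "")
        auth = stmts.get("authentication-algorithm", "")
        if enc in WEAK_ENCRYPTION:
            findings.append((stanza, name, f"{enc}: 64-bit block cipher"))
        if auth in WEAK_AUTH:
            findings.append((stanza, name, f"{auth}: integrity below SHA-256"))
        if stanza == "ike" and stmts.get("dh-group") in WEAK_DH:
            findings.append((stanza, name, f"{stmts['dh-group']}: below DH group14"))
        if int(stmts.get("lifetime-seconds", 0)) > MAX_LIFETIME[stanza]:
            findings.append((stanza, name, "lifetime-seconds above baseline"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(parse_proposals(cfg))
        print(f"{label}: {len(found)} finding(s)")
        for stanza, name, finding in found:
            print(f"  {stanza} proposal {name}: {finding}")
```

Run against the lab stanza it reports five findings (cipher, integrity and DH group for phase1; cipher and integrity for phase2) and none against the hardened pair; an AES-GCM proposal carries no authentication-algorithm statement, which the audit treats as acceptable.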
Security Policy configuration
[edit]
lab@SRX1# show applications
application Custom-Defined {
    protocol udp;
    source-port 50000;
    destination-port 50001;
}
application-set OAM-Apps {
    application Custom-Defined;
    application junos-telnet;
    application junos-ping;
}
[edit]
lab@SRX1# show security | find policies
policies {
    /* Sample policy to deny FTP from OAM to Internet */
    from-zone OAM to-zone Untrust {
        policy deny-ftp {
            match {
                source-address any;
                destination-address any;
                application junos-ftp;
            }
            then {
                reject;
            }
        }
        policy allow-all {
            match {
                source-address [ OAM_VL100 OAM_VL101 ];
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone CORP to-zone OAM {
        policy CORP-to-OAM {
            match {
                source-address [ CORP_VL200 CORP_VL201 ];
                /* This sample policy only allows CORP to access VLAN100 in OAM */
                destination-address OAM_VL100;
                application OAM-Apps;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
zones {
    protect: functional-zone management {
        interfaces {
            ge-0/0/0.0;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
    security-zone OAM {
        address-book {
            address OAM_VL101 10.10.101.0/24;
            address OAM_VL100 10.10.100.0/24;
        }
        interfaces {
            ge-0/0/4.100 {
                host-inbound-traffic {
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
    security-zone Untrust {
        address-book {
            address SRX2 123.1.2.0/30;
            address internet-host 88.88.88.88/32;
        }
        interfaces {
            ge-0/0/3.1;
        }
    }
    security-zone CORP {
        address-book {
            address CORP_VL200 10.10.200.0/24;
            address CORP_VL201 10.10.201.0/24;
        }
        interfaces {
            st0.0 {
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
}
Policies are evaluated per zone pair from the top, and the first match wins, so deny-ftp must stay above allow-all; the other way round, allow-all (application any) would match first and the FTP reject would never be hit. Anything without a matching policy, including all traffic from OAM to CORP and from CORP to OAM VLAN 101, falls to the implicit default deny. Placing st0.0 in zone CORP is what makes the tunnel traffic subject to the CORP-to-OAM policy: the SRX classifies decrypted packets by the zone of the tunnel interface they arrive on, not by the Untrust zone of the outer ESP packets.
One thing to check here: ike is enabled as a host-inbound service only on st0.0, while the IKE negotiation itself (UDP 500) terminates on ge-0/0/3.1 in zone Untrust, which allows no host-inbound services. This works as long as SRX1 is the initiator (establish-tunnels immediately), since SRX2's replies belong to the session SRX1 opened, but a negotiation initiated by SRX2 would be dropped; allowing ike under host-inbound-traffic on ge-0/0/3.1 makes the setup symmetric. The custom application also matches on the source port (50000 to 50001), so a client that picks an ephemeral source port will not match OAM-Apps.
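To see how these policies behave for a given flow without committing anything, the following script is an added example (not Junos code and not part of the lab) that models the SRX lookup: per zone pair, top down, first match wins, implicit deny otherwise, with source and destination names resolved against the from-zone and to-zone address books above. The port numbers behind the junos-* built-in applications (ftp tcp/21, telnet tcp/23, ping icmp) are assumed here. It also evaluates a copy of the policies with deny-ftp moved below allow-all, to show the shadowing described above.

```python
"""First-match simulation of the lab's security policies (added example)."""
import ipaddress

# Zone address books, copied from the configuration above.
ADDRESS_BOOK = {
    "OAM": {"OAM_VL100": "10.10.100.0/24", "OAM_VL101": "10.10.101.0/24"},
    "Untrust": {"SRX2": "123.1.2.0/30", "internet-host": "88.88.88.88/32"},
    "CORP": {"CORP_VL200": "10.10.200.0/24", "CORP_VL201": "10.10.201.0/24"},
}

# application -> (protocol, source-port range, destination-port range); None = any.
# The junos-* definitions are assumed (standard ports), Custom-Defined is the lab's.
APPLICATIONS = {
    "junos-ftp": ("tcp", None, (21, 21)),
    "junos-telnet": ("tcp", None, (23, 23)),
    "junos-ping": ("icmp", None, None),
    "Custom-Defined": ("udp", (50000, 50000), (50001, 50001)),
    "any": (None, None, None),
}
APPLICATION_SETS = {"OAM-Apps": ["Custom-Defined", "junos-telnet", "junos-ping"]}

# (name, source-addresses, destination-addresses, applications, action),
# in the order they appear in the configuration.
POLICIES = {
    ("OAM", "Untrust"): [
        ("deny-ftp", ["any"], ["any"], ["junos-ftp"], "reject"),
        ("allow-all", ["OAM_VL100", "OAM_VL101"], ["any"], ["any"], "permit"),
    ],
    ("CORP", "OAM"): [
        ("CORP-to-OAM", ["CORP_VL200", "CORP_VL201"], ["OAM_VL100"],
         ["OAM-Apps"], "permit"),
    ],
}

# The same policies with deny-ftp placed after allow-all: the deny is shadowed.
SHADOWED = dict(POLICIES)
SHADOWED[("OAM", "Untrust")] = list(reversed(POLICIES[("OAM", "Untrust")]))


def _addr_match(zone, names, ip):
    """True if ip is covered by one of the named entries in zone's address book."""
    for name in names:
        if name == "any":
            return True
        if ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_BOOK[zone][name]):
            return True
    return False


def _app_match(names, proto, sport, dport):
    """True if the flow fits any application (or application-set member) in names."""
    for name in names:
        for member in APPLICATION_SETS.get(name, [name]):
            p, srange, drange = APPLICATIONS[member]
            if p is not None and p != proto:
                continue
            if srange and not srange[0] <= sport <= srange[1]:
                continue
            if drange and not drange[0] <= dport <= drange[1]:
                continue
            return True
    return False


def lookup(from_zone, to_zone, src, dst, proto, sport=0, dport=0, policies=None):
    """Return (policy-name, action) of the first matching policy for this
    zone pair, or (None, "deny") when nothing matches (the SRX default)."""
    policies = POLICIES if policies is None else policies
    for name, srcs, dsts, apps, action in policies.get((from_zone, to_zone), []):
        if (_addr_match(from_zone, srcs, src)
                and _addr_match(to_zone, dsts, dst)
                and _app_match(apps, proto, sport, dport)):
            return name, action
    return None, "deny"


if __name__ == "__main__":
    cases = [
        ("CORP", "OAM", "10.10.200.10", "10.10.100.10", "tcp", 56606, 23),    # the lab's telnet test
        ("CORP", "OAM", "10.10.200.10", "10.10.101.10", "tcp", 56606, 23),    # VLAN 101 not allowed
        ("CORP", "OAM", "10.10.201.5", "10.10.100.10", "tcp", 40000, 22),     # ssh not in OAM-Apps
        ("OAM", "Untrust", "10.10.100.10", "88.88.88.88", "tcp", 40000, 21),  # ftp rejected
        ("OAM", "Untrust", "10.10.100.10", "88.88.88.88", "tcp", 40000, 443),
    ]
    for case in cases:
        print(case, "->", lookup(*case), "| shadowed:", lookup(*case, policies=SHADOWED))
```

The Telnet flow from the verification section (10.10.200.10:56606 to 10.10.100.10:23) resolves to CORP-to-OAM/permit, the same host reaching VLAN 101 or SSH on VLAN 100 falls to the default deny, and FTP from OAM is rejected only while deny-ftp is listed first.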
Verification
lab@SRX1> show interfaces st0 terse
Interface               Admin Link Proto    Local                 Remote
st0                     up    up
st0.0                   up    up   inet     10.10.1.1/30

lab@SRX1> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3501187 UP     b1dc0e544d88f7bb  d1a0f576f6215442  Main           123.1.2.2

lab@SRX1> show security ipsec security-associations
  Total active tunnels: 1
  ID     Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  131073 ESP:3des/md5    a88a5f9e 3184/ unlim  -   root 500   123.1.2.2

lab@SRX1> show security ipsec security-associations index 131073
  ID: 131073 Virtual-system: root, VPN Name: to-remote-SRX
  Local Gateway: 123.1.1.2, Remote Gateway: 123.1.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.0

  Port: 500, Nego#: 4, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: cb8e80ee, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3162 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2524 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a88a5f9e, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3162 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2524 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
What to read from this output: Phase 1 is UP in main mode against 123.1.2.2, and Phase 2 has one inbound and one outbound ESP SA installed with the negotiated 3des-cbc/hmac-md5-96 and anti-replay enabled. The proxy IDs (Local and Remote Identity 0.0.0.0/0) are what a route-based VPN uses by default: the tunnel carries whatever is routed into st0.0, so which subnets can talk is decided by the OSPF routes learned over st0.0 and by the security policies, not by the tunnel definition. "Tunnel Down Reason: Lifetime expired" is the reason recorded for the previous SA's teardown, i.e. a normal rekey (consistent with Nego#: 4 and Fail#: 0), not a current fault; the soft lifetime shows when the next rekey will start.
Try accessing Telnet from CORP to VLAN100
lab@SRX1> clear security ipsec statistics

lab@VR> telnet 10.10.100.10 routing-instance CORP
Trying 10.10.100.10...
Connected to 10.10.100.10.
Escape character is '^]'.

VR (ttyp1)

login: lab
Password:

lab@SRX1> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:              584
  Decrypted bytes:              344
  Encrypted packets:              5
  Decrypted packets:              6
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

lab@SRX1> show security flow session
Session ID: 14, Policy name: N/A, Timeout: N/A, Valid
  In: 123.1.2.2/52110 --> 123.1.1.2/33006;esp, If: ge-0/0/3.1, Pkts: 0, Bytes: 0

Session ID: 15, Policy name: N/A, Timeout: N/A, Valid
  In: 123.1.2.2/0 --> 123.1.1.2/0;esp, If: ge-0/0/3.1, Pkts: 0, Bytes: 0

Session ID: 17, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.10.1.2/1 --> 224.0.0.5/1;ospf, If: st0.0, Pkts: 933, Bytes: 75116
  Out: 224.0.0.5/1 --> 10.10.1.2/1;ospf, If: .local..0, Pkts: 0, Bytes: 0

Session ID: 32, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.210.14.130/49727 --> 10.210.14.135/23;tcp, If: ge-0/0/0.0, Pkts: 4432, Bytes: 233490
  Out: 10.210.14.135/23 --> 10.210.14.130/49727;tcp, If: .local..0, Pkts: 2400, Bytes: 294899

Session ID: 127, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.10.100.10/1 --> 224.0.0.5/1;ospf, If: ge-0/0/4.100, Pkts: 359, Bytes: 24536
  Out: 224.0.0.5/1 --> 10.10.100.10/1;ospf, If: .local..0, Pkts: 0, Bytes: 0

Session ID: 150, Policy name: CORP-to-OAM/6, Timeout: 1764, Valid
  In: 10.10.200.10/56606 --> 10.10.100.10/23;tcp, If: st0.0, Pkts: 50, Bytes: 2779
  Out: 10.10.100.10/23 --> 10.10.200.10/56606;tcp, If: ge-0/0/4.100, Pkts: 36, Bytes: 2191

Session ID: 152, Policy name: self-traffic-policy/1, Timeout: 52, Valid
  In: 123.1.1.2/500 --> 123.1.2.2/500;udp, If: .local..0, Pkts: 3, Bytes: 336
  Out: 123.1.2.2/500 --> 123.1.1.2/500;udp, If: ge-0/0/3.1, Pkts: 3, Bytes: 336
Total sessions: 7
The statistics were cleared right before the test, so the ESP counters (5 packets encrypted, 6 decrypted, no authentication, decryption or replay errors) belong to the Telnet session alone and confirm it was carried inside the tunnel. Session 150 shows the same flow from the policy side: it entered on st0.0 (zone CORP), was permitted by policy CORP-to-OAM (policy id 6), and left on ge-0/0/4.100 towards VLAN 100, with packets in both directions. Sessions 14 and 15 are the ESP flows of the tunnel itself, 152 is the IKE exchange on UDP 500 (initiated from .local..0, i.e. by SRX1), and the remaining self-traffic sessions are OSPF over st0.0 and ge-0/0/4.100 plus the management Telnet session on ge-0/0/0.0.
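The same checks can be made mechanically, which is useful when the test is repeated after every change to the policies or proposals. The following script is an added example, not part of the lab: it parses show security flow session and show security ipsec statistics output into dictionaries and verifies that the Telnet session exists, was permitted by the expected policy, entered on the tunnel interface and has return traffic. The two samples are constructed copies of the output above (with the sessions that do not matter for the check left out); in practice the text would come from the CLI or NETCONF.

```python
"""Check the Telnet test against flow-session and ipsec-statistics output (added example)."""
import re

# Constructed sample: a subset of the `show security flow session` output above.
SAMPLE_SESSIONS = """\
Session ID: 14, Policy name: N/A, Timeout: N/A, Valid
  In: 123.1.2.2/52110 --> 123.1.1.2/33006;esp, If: ge-0/0/3.1, Pkts: 0, Bytes: 0

Session ID: 150, Policy name: CORP-to-OAM/6, Timeout: 1764, Valid
  In: 10.10.200.10/56606 --> 10.10.100.10/23;tcp, If: st0.0, Pkts: 50, Bytes: 2779
  Out: 10.10.100.10/23 --> 10.10.200.10/56606;tcp, If: ge-0/0/4.100, Pkts: 36, Bytes: 2191

Session ID: 152, Policy name: self-traffic-policy/1, Timeout: 52, Valid
  In: 123.1.1.2/500 --> 123.1.2.2/500;udp, If: .local..0, Pkts: 3, Bytes: 336
  Out: 123.1.2.2/500 --> 123.1.1.2/500;udp, If: ge-0/0/3.1, Pkts: 3, Bytes: 336
Total sessions: 3
"""

# Constructed sample: the ESP part of `show security ipsec statistics` above.
SAMPLE_STATS = """\
ESP Statistics:
  Encrypted bytes:              584
  Decrypted bytes:              344
  Encrypted packets:              5
  Decrypted packets:              6
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\S+), (\w+)")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Return a list of sessions: {id, policy, timeout, state, wings: {In, Out}}.
    The trailing "/N" on a policy name is the policy id and is stripped;
    "N/A" (tunnel and self traffic) is kept as is."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            name, sep, idx = m.group(2).rpartition("/")
            current = {"id": int(m.group(1)),
                       "policy": name if sep and idx.isdigit() else m.group(2),
                       "timeout": m.group(3), "state": m.group(4), "wings": {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current["wings"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "intf": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9))}
    return sessions


def esp_counters(text):
    """Return {'encrypted packets': n, ...} from `show security ipsec statistics`."""
    return {m.group(1).lower(): int(m.group(2)) for m in re.finditer(
        r"((?:Encrypted|Decrypted) (?:bytes|packets)):\s+(\d+)", text)}


def verify_telnet(sessions, src, dst, policy="CORP-to-OAM", tunnel_if="st0.0"):
    """Return (ok, reason). The Telnet session must exist, have been permitted
    by the expected policy, entered on the tunnel interface and carry packets
    in both directions."""
    for s in sessions:
        i, o = s["wings"].get("In"), s["wings"].get("Out")
        if not i or (i["src"], i["dst"], i["dport"], i["proto"]) != (src, dst, 23, "tcp"):
            continue
        if s["policy"] != policy:
            return False, f"session {s['id']} matched {s['policy']}, expected {policy}"
        if i["intf"] != tunnel_if:
            return False, f"session {s['id']} entered on {i['intf']}, not {tunnel_if}"
        if not o or o["pkts"] == 0:
            return False, f"session {s['id']} has no return traffic"
        return True, f"session {s['id']} ok: {i['intf']} -> {o['intf']}"
    return False, f"no telnet session from {src} to {dst}"


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    print(verify_telnet(sessions, "10.10.200.10", "10.10.100.10"))
    counters = esp_counters(SAMPLE_STATS)
    print("ESP packets decrypted/encrypted:",
          counters["decrypted packets"], "/", counters["encrypted packets"])
```

A session that matched a different policy, arrived on the wrong interface or never saw a reply is reported with the reason, which is the first thing to look at when the tunnel is up but the application test fails.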