Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

Here is an example configuration to set up a dynamic site-to-site VPN between a Juniper SRX and a Juniper SSG. The VPN uses IPsec, the standard protocol for this purpose. In this configuration the SSG has a static public IP address, while the SRX gets a dynamic IP address from its ISP (which may be a public or a private address). Because only the SSG is reachable at a fixed address, the SRX is always the side that initiates the tunnel. The diagram below shows the devices and their IP addresses: the SRX 210 is on the left and the SSG is on the right.

SRX 210 Configuration

Set the IP addresses on the SRX for the private network and the tunnel network. The public interface ge-0/0/0 obtains a dynamic IP address from the ISP; depending on the ISP this is done over DHCP, PPPoE or ADSL. The DHCP case is shown here.

set interfaces ge-0/0/0 unit 0 family inet dhcp

set interfaces ge-0/0/1 unit 0 family inet address 192.168.4.1/24

set interfaces st0 unit 0 family inet address 192.168.10.1/24

Next we configure routing on the SRX: the remote LAN 192.168.100.0/24 is reached through the tunnel interface st0.0, and everything else goes to the ISP. Note that the DHCP client normally installs the default route it receives from the ISP, so the static default route below is only needed if the ISP does not supply a gateway; if you do keep it, use the ISP gateway's IP address as the next hop rather than the interface name.

set routing-options static route 192.168.100.0/24 next-hop st0.0

set routing-options static route 0.0.0.0/0 next-hop ge-0/0/0

Then configure the security zones, assign the interfaces to them and define which inbound traffic each zone accepts. Be aware that host-inbound-traffic system-services all on the untrust zone exposes every management service of the SRX (SSH, web management, and so on) on the Internet-facing interface. For this VPN the untrust zone only needs ike (and dhcp, because ge-0/0/0 is a DHCP client); restrict it to those in production.

set security zones security-zone untrust tcp-rst

set security zones security-zone untrust host-inbound-traffic system-services all

set security zones security-zone untrust interfaces ge-0/0/0.0

set security zones security-zone untrust interfaces st0.0

set security zones security-zone trust tcp-rst

set security zones security-zone trust host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/1.0

Next we configure IKE phase 1. Aggressive mode is used because the SRX has a dynamic address and must identify itself by a user-at-hostname ID rather than by its IP address. Aggressive mode with a pre-shared key sends the identity in the clear and lets an eavesdropper attempt offline guessing of the key, so use a long random pre-shared key instead of the placeholder p@ssword shown here. des-cbc is kept to match the SSG configuration later on this page, but DES is a 56-bit cipher and should be replaced by aes-128-cbc or stronger on both ends.

set security ike proposal P1proposal authentication-method pre-shared-keys

set security ike proposal P1proposal dh-group group2

set security ike proposal P1proposal encryption-algorithm des-cbc

set security ike proposal P1proposal authentication-algorithm sha1

set security ike proposal P1proposal lifetime-seconds 86400

set security ike policy P1policy mode aggressive

set security ike policy P1policy proposals P1proposal

set security ike policy P1policy pre-shared-key ascii-text "p@ssword"

set security ike gateway P1gateway ike-policy P1policy

set security ike gateway P1gateway address 2.2.2.2

set security ike gateway P1gateway dead-peer-detection interval 10

set security ike gateway P1gateway dead-peer-detection threshold 3

set security ike gateway P1gateway local-identity user-at-hostname "sonny@sonnysinghbrar.com"

set security ike gateway P1gateway external-interface ge-0/0/0

With phase 1 in place, configure IKE phase 2: the IPsec proposal, the IPsec policy with perfect forward secrecy, and the VPN object bound to st0.0. establish-tunnels immediately makes the SRX bring the tunnel up on commit instead of waiting for interesting traffic; this matters here because the SSG cannot initiate a tunnel to a peer whose address it does not know.

set security ipsec proposal P2proposal protocol esp

set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96

set security ipsec proposal P2proposal encryption-algorithm des-cbc

set security ipsec proposal P2proposal lifetime-seconds 36000

set security ipsec policy P2policy perfect-forward-secrecy keys group2

set security ipsec policy P2policy proposals P2proposal

set security ipsec vpn site1-to-site2-vpn bind-interface st0.0

set security ipsec vpn site1-to-site2-vpn ike gateway P1gateway

set security ipsec vpn site1-to-site2-vpn ike ipsec-policy P2policy

set security ipsec vpn site1-to-site2-vpn establish-tunnels immediately

Now create the security policies to allow traffic between site1 and site2. Because st0.0 sits in the untrust zone together with ge-0/0/0, the untrust-to-trust policy below also permits any traffic arriving from the Internet into the trust zone. Before using this in production, restrict the policies to the remote networks, or place st0.0 in a dedicated zone so that VPN and Internet policies are kept apart.

set security policies from-zone trust to-zone untrust policy allowALL match source-address any

set security policies from-zone trust to-zone untrust policy allowALL match destination-address any

set security policies from-zone trust to-zone untrust policy allowALL match application any

set security policies from-zone trust to-zone untrust policy allowALL then permit

set security policies from-zone untrust to-zone trust policy fromInternet match source-address any

set security policies from-zone untrust to-zone trust policy fromInternet match destination-address any

set security policies from-zone untrust to-zone trust policy fromInternet match application any

set security policies from-zone untrust to-zone trust policy fromInternet then permit

Note: make sure that the policies allow both remote networks, 192.168.100.0/24 and the tunnel network 192.168.10.0/24, for incoming traffic on the home network.
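The same SRX configuration again as one consolidated, hardened example (added here, not part of the original page): the untrust zone accepts only IKE and DHCP, st0.0 is moved to its own zone named vpn, the policies are limited to the two LANs via address-book entries, and DES is replaced by AES-128 with DH group 14. The zone name vpn, the address-book names local-lan and remote-lan, the policy names and the pre-shared-key placeholder are this example's choices; the algorithm set must be configured identically on the SSG. Source NAT for Internet access from the LAN is not covered by the page and is not shown here either.

```junos
## Interfaces: public side by DHCP, LAN, and the tunnel interface (as on the page)
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family inet address 192.168.4.1/24
set interfaces st0 unit 0 family inet address 192.168.10.1/24

## Route the remote LAN into the tunnel. No static default route: the DHCP
## client installs the default route it receives from the ISP.
set routing-options static route 192.168.100.0/24 next-hop st0.0

## Zones: untrust accepts only IKE and the DHCP client traffic it needs;
## st0.0 gets its own zone so VPN policies stay separate from Internet policies.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh

## Address-book entries for the two LANs (names chosen for this example)
set security zones security-zone trust address-book address local-lan 192.168.4.0/24
set security zones security-zone vpn address-book address remote-lan 192.168.100.0/24

## Phase 1: aggressive mode is unavoidable for a dynamic-address peer with a PSK,
## so the key must be long and random. AES-128 and DH group 14 instead of DES/group2.
set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group14
set security ike proposal P1proposal encryption-algorithm aes-128-cbc
set security ike proposal P1proposal authentication-algorithm sha1
set security ike proposal P1proposal lifetime-seconds 86400
set security ike policy P1policy mode aggressive
set security ike policy P1policy proposals P1proposal
set security ike policy P1policy pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-KEY"
set security ike gateway P1gateway ike-policy P1policy
set security ike gateway P1gateway address 2.2.2.2
set security ike gateway P1gateway dead-peer-detection interval 10
set security ike gateway P1gateway dead-peer-detection threshold 3
set security ike gateway P1gateway local-identity user-at-hostname "sonny@sonnysinghbrar.com"
set security ike gateway P1gateway external-interface ge-0/0/0

## Phase 2: ESP with AES-128, PFS with group 14, VPN bound to st0.0
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal encryption-algorithm aes-128-cbc
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal lifetime-seconds 3600
set security ipsec policy P2policy perfect-forward-secrecy keys group14
set security ipsec policy P2policy proposals P2proposal
set security ipsec vpn site1-to-site2-vpn bind-interface st0.0
set security ipsec vpn site1-to-site2-vpn ike gateway P1gateway
set security ipsec vpn site1-to-site2-vpn ike ipsec-policy P2policy
set security ipsec vpn site1-to-site2-vpn establish-tunnels immediately

## Policies: local LAN <-> remote LAN through the tunnel only.
## There is deliberately no policy from untrust to trust.
set security policies from-zone trust to-zone vpn policy to-site2 match source-address local-lan
set security policies from-zone trust to-zone vpn policy to-site2 match destination-address remote-lan
set security policies from-zone trust to-zone vpn policy to-site2 match application any
set security policies from-zone trust to-zone vpn policy to-site2 then permit
set security policies from-zone vpn to-zone trust policy from-site2 match source-address remote-lan
set security policies from-zone vpn to-zone trust policy from-site2 match destination-address local-lan
set security policies from-zone vpn to-zone trust policy from-site2 match application any
set security policies from-zone vpn to-zone trust policy from-site2 then permit
```

After commit, check that phase 1 and phase 2 came up with show security ike security-associations and show security ipsec security-associations, and that the remote LAN resolves through the tunnel with show route 192.168.100.0. If phase 1 fails, the proposal parameters (DH group, cipher, hash, lifetime) or the pre-shared key differ from the SSG; if phase 1 is up but phase 2 is not, compare the phase 2 proposal and the PFS group.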

SSG 20 Configuration

Log in to the SSG web management interface with a web browser and configure the IP addresses on the corresponding interfaces as we did on the SRX. After logging in to the SSG20, expand Network, then Interfaces, and select List. In this figure, click the Edit button on the right and configure the IP addresses.

In the same window, select Tunnel IF from the drop-down menu at the top right and click New. This creates a new tunnel interface for the VPN connection, the equivalent of the st0.0 tunnel interface on the SRX. After clicking New, the following page appears.

Make the changes shown above, leave the other settings at their defaults and click OK. The interfaces are now configured.

We now begin the VPN configuration by defining the phase 1 and phase 2 options. Expand the VPNs tab, then AutoKey Advanced, and select P1 Proposal. In the main window, click the New button at the top right of the page. This corresponds to the phase 1 proposal on the SRX. The following page appears after clicking New.

Make the changes shown above and click OK. The phase 1 proposal here must match the proposal configured on the SRX exactly: authentication method, DH group, encryption algorithm, authentication algorithm and lifetime. A mismatch shows up as a phase 1 negotiation failure.

Similarly, select P2 Proposal in the left navigation pane and click the New button in the main window. The following page appears. This corresponds to the phase 2 proposal configured on the SRX, and again the parameters (ESP, encryption and authentication algorithms, PFS group and lifetime) must be identical on both sides.

After making the changes shown above, click OK. Now select Gateway in the left pane and click New in the main window. The following page appears.

We are configuring a dynamic VPN, so select the Dynamic IP Address option and enter the Peer ID of the remote gateway. This must be exactly the identity the SRX sends, i.e. the local-identity configured on the SRX above, sonny@sonnysinghbrar.com; bipin@mustbegeek.com can be used as the SSG's own Local ID instead. Now, instead of clicking OK, click the Advanced button. You will see the following options.

We are configuring IKEv1, so leave the IKEv2 Auth Method at the top of the page unchanged. Type the pre-shared key, which must be the same as on the SRX (p@ssword in this example; use a long random key in practice). Under Security Level click Custom and select P1proposal from the drop-down. Select DPD under Peer Status Detection and enter the Interval and Retry values (10 and 3 to match the SRX). After setting all parameters, click Return and then OK. The gateway is now configured. Next, click AutoKey IKE under the VPNs tab and click New in the main window. The following page appears.

Type the VPN name, site-to-site-VPN. Select Predefined and choose P1gateway from the drop-down. Now click the Advanced button below, which opens the following page.

Here select P2proposal from the Phase 2 Proposal drop-down. Likewise, select Bind to Tunnel Interface, choose tunnel.1, and click Return. Now click OK.

Now configure the security policies to allow the remote network into the local network and vice versa. When creating the policies, make sure you allow both the remote internal network (192.168.4.0/24) and the tunnel network (192.168.10.0/24) into the local network, and restrict the policies to those networks rather than permitting Any to Any.

The last step is to configure the routing options on the SSG: a route for the SRX's LAN, 192.168.4.0/24, via the tunnel.1 interface. The following figure shows how to do just that.
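The same SSG steps expressed as ScreenOS CLI commands, added here as an example rather than taken from the original page, which only shows the web interface. It assumes ethernet0/0 is the untrust interface carrying 2.2.2.2/24, bgroup0 is the trust LAN interface, tunnel.1 gets 192.168.10.2/24 on the tunnel network, and the address-object names local-lan and remote-lan are this example's choices. The proposals use AES-128, SHA-1 and DH group 14 instead of DES; whatever you pick must be configured identically on the SRX, and the pre-shared-key placeholder must be replaced by a long random key on both sides.

```screenos
## Interfaces (assumed names): ethernet0/0 faces the Internet with the static
## address, bgroup0 is the LAN, tunnel.1 is the tunnel interface for the VPN
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 2.2.2.2/24
set interface bgroup0 zone trust
set interface bgroup0 ip 192.168.100.1/24
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 192.168.10.2/24

## Address objects for the two LANs (names chosen for this example)
set address trust "local-lan" 192.168.100.0 255.255.255.0
set address untrust "remote-lan" 192.168.4.0 255.255.255.0

## Phase 1 and phase 2 proposals; both must be identical on the SRX
set ike p1-proposal "P1proposal" preshare group14 esp aes128 sha-1 second 86400
set ike p2-proposal "P2proposal" group14 esp aes128 sha-1 second 3600

## Gateway: the peer has a dynamic address, so it is identified by the
## user-at-hostname ID the SRX sends as its local-identity, in aggressive mode.
## local-id is the identity the SSG presents to the SRX.
set ike gateway "P1gateway" dynamic "sonny@sonnysinghbrar.com" Aggr local-id "bipin@mustbegeek.com" outgoing-interface "ethernet0/0" preshare "REPLACE-WITH-LONG-RANDOM-KEY" proposal "P1proposal"
set ike gateway "P1gateway" dpd-liveness interval 10
set ike gateway "P1gateway" dpd-liveness retry 3

## Route-based VPN bound to tunnel.1, with anti-replay enabled
set vpn "site-to-site-VPN" gateway "P1gateway" replay tunnel idletime 0 proposal "P2proposal"
set vpn "site-to-site-VPN" bind interface tunnel.1

## Route the SRX LAN into the tunnel
set route 192.168.4.0/24 interface tunnel.1

## Policies between the two LANs only, in both directions
set policy from trust to untrust "local-lan" "remote-lan" "ANY" permit
set policy from untrust to trust "remote-lan" "local-lan" "ANY" permit
```

Since the SRX initiates, nothing happens on the SSG until the SRX commits its configuration. Then get ike cookie shows the phase 1 SA for the peer ID and get sa shows the phase 2 SAs in the A/- (active) state; a gateway that never appears usually means the Peer ID does not match the SRX local-identity or the pre-shared keys differ.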

Voilà! You are done. Verify on the SRX with show security ike security-associations and show security ipsec security-associations, and on the SSG with get ike cookie and get sa, then ping a host on the remote LAN from each side.