Configuring Route-Based Site-to-Site IPSec VPN on the SRX

Hello everybody, my name is Peter Klimai. I am a Juniper Networks certified instructor and also a Juniper Ambassador, and today I'm going to tell you about configuring route-based site-to-site IPsec VPN on the Juniper SRX series.

We will consider the following topology with two SRX devices, SRX A and SRX B. Both devices have an interface ge-0/0/3 connected to the Internet. The address on SRX A is 1.1.1.1 and on SRX B is 2.2.2.2. Also, each SRX has a protected network behind it, network A or network B, with addresses 10.1.1.0/24 and 10.2.2.0/24 respectively. Currently SRX A and SRX B provide Internet access to networks A and B, but networks A and B cannot at this time communicate with each other. What we want to do is create a secure tunnel through the Internet between SRX A and SRX B and let networks A and B communicate through this tunnel. At this time we can check that host A, for example, cannot ping host B because there is no tunnel yet, so no communication between those networks is possible. From host A I can send the ping to 10.2.2.2 and you see it gets "destination unreachable".

What we will do now is create a secure tunnel between SRX A and SRX B, and we will go with the route-based IPsec VPN approach, which allows for separation of VPN configuration and security policy configuration. We will need to configure Internet Key Exchange, or IKE, to establish a dynamic tunnel between the SRX devices. IKE works in two phases: phase 1, which is a secure channel for communication between the devices and is configured in the edit security ike stanza of the configuration, and phase 2, which is the actual VPN tunnel for user traffic and is configured in the edit security ipsec stanza of the configuration. We can picture this as follows: two SRX devices set up a phase 1 channel between each other, and then, using the keys of phase 1, they set up a phase 2 tunnel. User traffic is encrypted and authenticated using the keys of phase 2, so we can say that it, so to speak, goes inside phase 2.

Now, how exactly do we configure route-based IPsec VPN? We first configure phase 1 and phase 2 of the IPsec VPN, and we also configure a tunnel interface, which is the st0.x interface, where x is a unit number which can be any number such as 0, 1, 2, etc., and we bind the IPsec VPN to the tunnel interface. Then any traffic that is routed to the tunnel interface through a static or dynamic route goes into this IPsec VPN, if of course the security policy allows it.

Now the configuration on SRX A is shown. We configure a tunnel interface, which is st0.1 in our case, and we place it into the VPN zone. It is not required to create a separate zone for tunnel interfaces, but it is convenient, so we do it. Because we placed the tunnel interface into a separate VPN zone, and because traffic will be going from the trust zone to the VPN zone from the perspective of the SRX device, the security policy must be configured between the trust zone and the VPN zone. The actual IPsec packets go out of the ge-0/0/3 interface in the untrust zone, but note that no policy is needed between the VPN and untrust zones in this case. However, host-inbound-traffic must be enabled on the untrust zone for Internet Key Exchange, or IKE.

Configuring IKE phase 1 requires several steps. The first step is configuring the IKE proposal, which is basically a set of algorithms and some other parameters of the tunnel. Here we choose the authentication and encryption algorithms, the Diffie-Hellman group and the lifetime, and also the authentication method for this tunnel. Then we configure the IKE policy, which references the proposal we configured before; we select the mode of IKE, which can be main or aggressive and is main in our case, and we enter the pre-shared key for this tunnel. The last step is to configure the IKE gateway, which references the IKE policy, and we configure the external interface under the IKE gateway; this is the interface in the untrust zone. Also, the address for the IKE gateway is the address of the remote SRX device. We also configure here host-inbound-traffic system-services ike on the untrust zone. This is the configuration on SRX A, and on SRX B the configuration is similar except for the IKE gateway address, which should be 1.1.1.1 on SRX B. So I will apply those commands on both SRX devices, and to keep it short I have those commands in my notepad now, so I will just paste those commands to SRX A and to SRX B; I just need to change the IKE gateway address.

Then I need to configure phase 2 on both devices. This is done under the security ipsec stanza of the configuration. We configure the IPsec proposal, which is again a set of parameters such as the authentication algorithm, encryption algorithm, protocol and lifetime. We configure the IPsec policy, which references the IPsec proposal, and optionally we can configure perfect forward secrecy. And we configure the IPsec VPN, which references the IKE gateway configured in the previous step and the IPsec policy. I also turn on VPN monitor; this feature will make the SRX device ping the other end of the tunnel to check if the tunnel is still alive. Also, the option establish-tunnels immediately makes the SRX device establish the tunnel right after it has been configured, rather than waiting for user traffic. And we bind the IPsec VPN to the tunnel interface, st0.1 in our case. Those commands are similar on both devices, and I apply those commands on SRX A and SRX B.

Now we need to configure the tunnel interface and routing on both devices. We configure the st0 interface with unit 1 and set family inet on it, we place this interface st0.1 in the VPN zone, and then we configure a static route. On SRX A we tell the device that network B, which is 10.2.2.0/24, is behind this tunnel interface, and on SRX B we configure the route to network A through this tunnel interface. So these are the commands for SRX A, and similar commands on SRX B with the route to network A.

The last thing is configuring security policies. We need to configure policies between the trust zone and the VPN zone to allow traffic, and for simplicity we configure them to allow all hosts in network A to communicate with all hosts in network B in both directions. We need to configure an address book, and for simplicity I use the global address book here; on both devices I have entries for network A and network B, and I apply this configuration on both devices. Then I have policies from trust to VPN and from VPN to trust for device A and for device B, and of course I need to do a commit on both devices.

So now I expect that the IPsec VPN will come up and I will be able to check it with the following commands: show security ike security-associations shows us the status of phase 1, and show security ipsec security-associations shows us the status of phase 2. I also expect that host A will now be able to ping host B. So let's check the status of the tunnel on SRX A, for example: show security ike security-associations, and you see that phase 1 is up; show security ipsec security-associations, and we see that phase 2 is up. And on host A we can send the ping which wasn't working initially, and now we see that the ping goes fine. On either device we can watch statistics: show security ipsec statistics shows that we actually have some encrypted and decrypted packets, and this number is increasing with time, which means that the traffic is actually being encrypted and decrypted. Another helpful command is show route, which is supposed to show us that traffic is actually routed to the tunnel interface, and here we see that on SRX A the traffic that goes to network B, to network 10.2.2.0/24, is indeed routed to the tunnel interface. So you see that now everything is fine, and traffic is able to go from network A to network B.

So that's all. Thanks for listening, and I hope this Learning Byte will help you in your future work. Good luck. Visit the Juniper Education Services website to learn more about our full range of classroom, online and e-learning courses, learning paths for industry segments and specific technologies, the Juniper Networks certification program, and the training community, from forums to social media. Join the discussion.