[j-nsp] Help needed with IPSEC VPN on J-Series

Mike Devlin juniper at meeksnet.ca
Thu Mar 21 10:49:54 EDT 2013


Bill,

Maybe I missed it, but I haven't seen your full IPsec VPN config; would you
mind sending it through?

Our company is switching from NetScreen SSGs to Junos SRXs, so I'm going
to apologize that these are generic and in the full set-command syntax, but
this is what I sent to my colleagues as a guideline.


set interfaces fe-0/0/0 description Outside
set interfaces fe-0/0/0 unit 0 family inet address X.X.X.X/XX

set interfaces fe-0/0/1 description Inside
set interfaces fe-0/0/1 vlan-tagging

set interfaces fe-0/0/1 unit 215 description VLAN-Name_215
set interfaces fe-0/0/1 unit 215 vlan-id 215
set interfaces fe-0/0/1 unit 215 family inet address 172.31.215.5/24

set interfaces fe-0/0/1 unit 219 description VLAN-Name_219
set interfaces fe-0/0/1 unit 219 vlan-id 219
set interfaces fe-0/0/1 unit 219 family inet address 172.31.219.5/24

set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet

set routing-options static route 0/0 next-hop X.X.X.X
set routing-options static route 172.31.215.0/24 next-hop 172.31.215.1
set routing-options static route 172.31.219.0/24 next-hop 172.31.219.1

set routing-options static route 10.8.0.0/16 next-hop st0.0
set routing-options static route 10.25.0.0/16 next-hop st0.1

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group5
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc

set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text some_psk_text_here

set security ike gateway DSG_Wloo ike-policy ike-phase1-policy
set security ike gateway DSG_Wloo address X.X.X.X
set security ike gateway DSG_Wloo external-interface fe-0/0/0

set security ike gateway DSG_Q9 ike-policy ike-phase1-policy
set security ike gateway DSG_Q9 address X.X.X.X
set security ike gateway DSG_Q9 external-interface fe-0/0/0

set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-phase2-proposal lifetime-seconds 3600
set security ipsec proposal ipsec-phase2-proposal lifetime-kilobytes 2147483647

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group5
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec vpn DSG_Wloo_P2-0 bind-interface st0.0
set security ipsec vpn DSG_Wloo_P2-0 ike gateway DSG_Wloo
set security ipsec vpn DSG_Wloo_P2-0 ike proxy-identity local 172.31.0.0/16
set security ipsec vpn DSG_Wloo_P2-0 ike proxy-identity remote 10.8.0.0/16
set security ipsec vpn DSG_Wloo_P2-0 ike ipsec-policy ipsec-phase2-policy

set security ipsec vpn DSG_Q9_P2-0 bind-interface st0.1
set security ipsec vpn DSG_Q9_P2-0 ike gateway DSG_Q9
set security ipsec vpn DSG_Q9_P2-0 ike proxy-identity local 172.31.0.0/16
set security ipsec vpn DSG_Q9_P2-0 ike proxy-identity remote 10.25.0.0/16
set security ipsec vpn DSG_Q9_P2-0 ike ipsec-policy ipsec-phase2-policy

set security zones security-zone outside host-inbound-traffic system-services ike
set security zones security-zone outside host-inbound-traffic system-services ping
set security zones security-zone outside interfaces fe-0/0/0.0


set security zones security-zone ipsec-dsg-wloo address-book address DSG_WLOO-01 10.8.0.0/16
set security zones security-zone ipsec-dsg-wloo address-book address-set DSG_WLOO_Net address DSG_WLOO-01
set security zones security-zone ipsec-dsg-wloo interfaces st0.0


set security zones security-zone ipsec-dsg-q9 address-book address DSG_Q9-01 10.25.0.0/16
set security zones security-zone ipsec-dsg-q9 address-book address-set DSG_Q9_Net address DSG_Q9-01
set security zones security-zone ipsec-dsg-q9 interfaces st0.1


set security zones security-zone inside address-book address Office-Name-01 172.31.215.0/24
set security zones security-zone inside address-book address Office-Name-02 172.31.219.0/24
set security zones security-zone inside address-book address-set Office_Net address Office-Name-01
set security zones security-zone inside address-book address-set Office_Net address Office-Name-02
set security zones security-zone inside interfaces fe-0/0/1.215
set security zones security-zone inside interfaces fe-0/0/1.219
set security zones security-zone inside host-inbound-traffic system-services all



set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match source-address Office_Net
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match destination-address DSG_WLOO_Net
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo match application any
set security policies from-zone inside to-zone ipsec-dsg-wloo policy inside-dsg_wloo then permit


set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside match source-address DSG_WLOO_Net
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside match destination-address Office_Net
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside match application any
set security policies from-zone ipsec-dsg-wloo to-zone inside policy dsg_wloo-inside then permit


set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 match source-address Office_Net
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 match destination-address DSG_Q9_Net
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 match application any
set security policies from-zone inside to-zone ipsec-dsg-q9 policy inside-dsg_q9 then permit


set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside match source-address DSG_Q9_Net
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside match destination-address Office_Net
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside match application any
set security policies from-zone ipsec-dsg-q9 to-zone inside policy dsg_q9-inside then permit
On Thu, Mar 21, 2013 at 2:34 AM, ashish verma <ashish.scit at gmail.com> wrote:

> Commit full?
>
> Also do you have a static route for the peer gateway IP?
> I tried the deactivate, commit, reactivate, commit method…no such luck :(
>
>
>
>
>
>
>
> On 2013-03-20 2:12 PM, "Gabriel Blanchard" <gabe at teksavvy.ca> wrote:
>
> >Same thing here, that or I had to
> >
> >deactivate security vpn <name>
> >commit
> >and reactivate.
> >commit
> >
> >On 13-03-20 02:03 PM, Bjørn Tore wrote:
> >> As I mentioned offline - I once had to reboot an SRX 240 after changing
> >>IPSEC config, to make things come up. Might not be the case here, but
> >>with the code quality these days - who knows..
> >>
> >> Bjørn Tore @ mobil
> >>
> >> Den 20. mars 2013 kl. 18:57 skrev Patrick Dickey
> >><dickeypjeep at yahoo.com>:
> >>
> >>> I'd start to suspect the other side of the tunnel. What is your peer
> >>>device?
> >>>
> >>>
> >>>
> >>> On Mar 20, 2013, at 11:55 AM, Bill Sandiford
> >>><bill at telnetcommunications.com> wrote:
> >>>
> >>>> So I added the following configuration in.  The syntax was a little
> >>>> different than what you sent, but basically the same thing (I think).
> >>>>
> >>>>> show configuration security policies
> >>>> from-zone trust to-zone trust {
> >>>>   policy policy1 {
> >>>>       match {
> >>>>           source-address any;
> >>>>           destination-address any;
> >>>>           application any;
> >>>>       }
> >>>>       then {
> >>>>           permit;
> >>>>       }
> >>>>   }
> >>>> }
> >>>> default-policy {
> >>>>   permit-all;
> >>>> }
> >>>>
> >>>>
> >>>>
> >>>> ...but still not working :(
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On 2013-03-20 12:29 PM, "Aaron Dewell" <aaron.dewell at gmail.com>
> wrote:
> >>>>
> >>>>>
> >>>>> You'll also need a policy which allows traffic from trust to trust,
> >>>>>i.e.:
> >>>>>
> >>>>> set security policies from-zone trust to-zone trust policy <name> match source-address any
> >>>>> set security policies from-zone trust to-zone trust policy <name> match destination-address any
> >>>>> set security policies from-zone trust to-zone trust policy <name> match application any
> >>>>> set security policies from-zone trust to-zone trust policy <name> then permit
> >>>>>
> >>>>> Cross-interface traffic is not allowed by default even within the same
> >>>>> zone.
> >>>>>
> >>>>> On Mar 20, 2013, at 10:16 AM, Bill Sandiford wrote:
> >>>>>> For the most part this J-series has always just acted as a router
> >>>>>> without
> >>>>>> any tunnels per se.  As such, I have always had all interfaces in
> >>>>>>the
> >>>>>> trust zone, as follows
> >>>>>>
> >>>>>> zones {
> >>>>>>  security-zone trust {
> >>>>>>      tcp-rst;
> >>>>>>      host-inbound-traffic {
> >>>>>>          system-services {
> >>>>>>              any-service;
> >>>>>>          }
> >>>>>>          protocols {
> >>>>>>              all;
> >>>>>>          }
> >>>>>>      }
> >>>>>>      interfaces {
> >>>>>>          all;
> >>>>>>      }
> >>>>>>  }
> >>>>>> }
> >>>>>>
> >>>>>> Will this accomplish what you are suggesting?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 2013-03-20 11:52 AM, "Patrick Dickey" <dickeypjeep at yahoo.com>
> >>>>>>wrote:
> >>>>>>
> >>>>>>> I don't remember if the J series behaves exactly like the SRXs when it
> >>>>>>> comes to IPSec, but if it is make sure to put the st0.x interface into
> >>>>>>> a security zone and have a security policy allowing the traffic.
> >>>>>>>
> >>>>>>> I believe that's only a requirement if you're running the enhanced
> >>>>>>> services/security code on the J, but I think you have to be to get
> >>>>>>> IPSec.
> >>>>>>>
> >>>>>>> HTH
> >>>>>>>
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: juniper-nsp-bounces at puck.nether.net
> >>>>>>> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill
> >>>>>>> Sandiford
> >>>>>>> Sent: Wednesday, March 20, 2013 8:47 AM
> >>>>>>> To: juniper-nsp at puck.nether.net
> >>>>>>> Subject: [j-nsp] Help needed with IPSEC VPN on J-Series
> >>>>>>>
> >>>>>>> Hi All,
> >>>>>>>
> >>>>>>> I need some help with an IPSEC tunnel that I just can't seem to get
> >>>>>>> working on a J-6350.  I have been able to get the tunnels to come up,
> >>>>>>> but can't seem to pass traffic over the tunnels.
> >>>>>>>
> >>>>>>> I've done the usual things.  I've created an st0.0 interface and bound
> >>>>>>> it to the tunnel using the bind-interface command.  I've created a
> >>>>>>> static route and pointed it at the st0.0 interface.  I just can't seem
> >>>>>>> to get traffic to pass over the tunnel.
> >>>>>>>
> >>>>>>> Any help or suggestions would be appreciated.  I'm also willing to put
> >>>>>>> a $$$ bounty on this for anyone that is willing to help me get it
> >>>>>>> working via teamviewer.
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>> Bill
> >>>>>>>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>>>>
> >>>>>>
> >>>
> >>
> >>
>
>
>
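The thread never gets past "tunnel up, no traffic", so here is the checklist the replies above walk through (a static route into st0, family inet on the unit, st0 in a zone, a permit policy in both directions including the intra-zone case, a route to the peer) turned into a small static checker for set-command output. This is an added example, not code from the thread or from Juniper: the finding codes, the sample configs and the 198.51.100.x / 203.0.113.x addresses are all constructed for it, it only understands `set` syntax and only sees static routes, and it also flags the 3des-cbc / hmac-md5-96 / group5 choices in the guideline, which were already weak in 2013.

```python
"""Static checks for a Junos route-based IPsec VPN written as 'set' commands.

Added example, not code from the thread or from Juniper.  It mechanises the
"tunnel up, no traffic" walk-through in the replies above: static route ->
st0 unit -> 'family inet' -> zone ('interfaces all' honoured) -> permit policy
(intra-zone when st0 shares the LAN's zone), plus a route to the IKE peer,
prefix lengths wrongly put on next-hops or gateway addresses, and weak
algorithms.  Only static routes are modelled; samples are constructed (RFC 5737).
"""
import ipaddress

KNOBS = {"encryption-algorithm", "authentication-algorithm", "dh-group", "keys"}
WEAK = {"des-cbc", "3des-cbc", "md5", "sha1", "hmac-md5-96", "hmac-sha1-96",
        "group1", "group2", "group5"}


def _net(prefix):  # Junos spells the default route '0/0' or 'default'
    return ipaddress.ip_network("0.0.0.0/0" if prefix in ("0/0", "default") else prefix, strict=False)


def check(text):
    """Return sorted 'CODE detail' findings for the config text."""
    inet_units, zone_of, routes, gw_addr, bind = set(), {}, {}, {}, {}
    permit_from, permit_to, findings = set(), set(), set()
    permit_all, any_zone = False, None  # 'default-policy permit-all' / 'interfaces all'
    for t in (ln.split()[1:] for ln in text.splitlines() if ln.split()[:1] == ["set"]):
        if len(t) < 4:
            continue
        if t[0] == "interfaces" and t[2:3] == ["unit"] and t[4:6] == ["family", "inet"]:
            inet_units.add(f"{t[1]}.{t[3]}")
        elif t[:3] == ["routing-options", "static", "route"] and t[4:5] == ["next-hop"] and len(t) > 5:
            routes[t[3]] = t[5]
            if "/" in t[5]:
                findings.add(f"PREFIX-ON-NEXT-HOP {t[3]} {t[5]}")
        elif t[:3] == ["security", "zones", "security-zone"] and t[4:5] == ["interfaces"] and len(t) > 5:
            if t[5] == "all":
                any_zone = t[3]
            else:
                zone_of[t[5]] = t[3]
        elif t[:4] == ["security", "policies", "default-policy", "permit-all"]:
            permit_all = True
        elif t[:3] == ["security", "policies", "from-zone"] and t[-2:] == ["then", "permit"] and len(t) > 7:
            permit_from.add(t[3])
            permit_to.add(t[5])
        elif t[:3] == ["security", "ike", "gateway"] and t[4:5] == ["address"] and len(t) > 5:
            gw_addr[t[3]] = t[5]
            if "/" in t[5]:
                findings.add(f"PREFIX-ON-GATEWAY {t[3]} {t[5]}")
        elif t[:3] == ["security", "ipsec", "vpn"] and t[4:5] == ["bind-interface"] and len(t) > 5:
            bind.setdefault(t[3], {})["st"] = t[5]
        elif t[:3] == ["security", "ipsec", "vpn"] and t[4:6] == ["ike", "gateway"] and len(t) > 6:
            bind.setdefault(t[3], {})["gw"] = t[6]
        elif t[:2] in (["security", "ike"], ["security", "ipsec"]) and len(t) > 5 \
                and t[-2] in KNOBS and t[-1] in WEAK:
            findings.add(f"WEAK-ALGO {t[3]} {t[-2]}={t[-1]}")

    zone = lambda ifc: zone_of.get(ifc, any_zone)
    # A route into st0.N goes nowhere unless the unit has family inet and sits in a zone.
    for nh in {nh for nh in routes.values() if nh.startswith("st")}:
        if nh not in inet_units:
            findings.add(f"NO-FAMILY-INET {nh}")
        if zone(nh) is None:
            findings.add(f"ST-NOT-IN-ZONE {nh}")
    for vpn, v in bind.items():
        peer = gw_addr.get(v.get("gw"), "").split("/")[0]
        if peer and not any(ipaddress.ip_address(peer) in _net(p) for p in routes):
            findings.add(f"NO-ROUTE-TO-PEER {vpn} {peer}")
        z = zone(v["st"]) if "st" in v else None
        for direction, seen in (("TO", permit_to), ("FROM", permit_from)):
            if z and not permit_all and z not in seen:
                findings.add(f"NO-POLICY-{direction}-ZONE {z}")
    return sorted(findings)

# Constructed sample modelled on the guideline above, with defects this thread is
# about: no 'family inet' on st0.0, a prefix on the gateway address, no policy back.
SAMPLE = """
set interfaces st0 unit 0
set routing-options static route 0/0 next-hop 203.0.113.1
set routing-options static route 10.8.0.0/16 next-hop st0.0
set security ike proposal p1 dh-group group5
set security ike gateway DSG_Wloo address 198.51.100.10/32
set security ipsec proposal p2 authentication-algorithm hmac-md5-96
set security ipsec vpn wloo bind-interface st0.0
set security ipsec vpn wloo ike gateway DSG_Wloo
set security zones security-zone vpn-wloo interfaces st0.0
set security policies from-zone inside to-zone vpn-wloo policy a then permit
"""

# Constructed sample in the original post's layout: everything in zone 'trust'.
TRUST_ALL = """
set interfaces st0 unit 0 family inet
set routing-options static route 0/0 next-hop 203.0.113.1
set routing-options static route 10.8.0.0/16 next-hop st0.0
set security ike gateway peer address 198.51.100.10
set security ipsec vpn wloo bind-interface st0.0
set security ipsec vpn wloo ike gateway peer
set security zones security-zone trust interfaces all
set security policies from-zone trust to-zone trust policy policy1 then permit
"""
```

Feed check() the text of `show configuration | display set` from the box; an empty list means the static plumbing is at least consistent, and TRUST_ALL shows that the "everything in trust" layout from the original post passes only because of the trust-to-trust permit policy (or a `default-policy permit-all`). Whatever the checker says, confirm on the device with `show security ike security-associations` and `show security ipsec security-associations` for phase 1 and phase 2, and `show security flow session` to see whether sessions are actually being created towards st0.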


More information about the juniper-nsp mailing list