Juniper IPSec Site-to-Site VPN Tunnel Configuration
By David.K
Note:
Refer to the Juniper website on how to access the J-web interface for the first time and configure SSL Web Access.
Tunnel configuration can be confusing, and a good way to understand it is to keep in mind that just as there are two phases to tunnel negotiation, there are two phases to tunnel configuration. The following procedure lists the order in which you must configure an IPSec tunnel if you use J-Web. Although you need not follow this sequence when using the CLI configuration editor, I recommend that you do. If, for example, you go out of sequence and configure a Phase 1 policy before you have configured a proposal, you cannot easily reference the proposal in the policy because it will not appear in the interface.
Phase 1
A. Configure IKE Phase 1 proposals
B. Configure IKE policies (and reference the proposals)
C. Configure IKE gateway (and reference the policy)
Phase 2
A. Configure Phase 2 proposals
B. Configure policies (and reference proposals)
C. Configure IPSec Autokey IKE (and reference the policy and gateway).
Now Phase 1 configuration
Configure IKE Phase 1 proposals
In Phase 1 proposal configuration, you must set the authentication method and the authentication and encryption algorithms that will be used to open a secure channel between participants. In this example, you create an IKE proposal called ike_prop_1 and specify that peers use preshared keys as the authentication method, and that they use Diffie-Hellman group 2 to produce the shared secret for the keys. You specify md5 as the authentication algorithm and 3DES cipher block chaining (CBC) for encryption. And you specify that after 300 seconds the participants renegotiate a new security association (SA).
Note: When configuring a Phase 1 proposal for the dynamic VPN feature, note that you must set the authentication method to preshared keys.
To configure Phase 1 proposals you can use either the J-Web or CLI configuration editor.
IKE Phase 1 J-Web Configuration
To configure a Phase 1 proposal in J-Web:
1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ike, click Configure or Edit.
4. Next to Proposal, click Add new entry.
5. In the Name box, type Ike_prop_1.
6. From the Authentication algorithm list, select md5.
7. From the Authentication method list, select pre-shared-keys.
8. In the Description box, type new Ike proposal.
9. From the Dh-group list, select group2.
10. From the Encryption algorithm list, select 3des-cbc.
11. In the Lifetime seconds box, type 300 and click OK.
12. To save and commit the configuration, click Commit.
IKE Phase 1 CLI Configuration
To configure a Phase 1 proposal using the CLI editor:
user@host# set security ike proposal ike_prop_1 description "new ike proposal"
user@host# set security ike proposal ike_prop_1 authentication-method pre-shared-keys
user@host# set security ike proposal ike_prop_1 dh-group group2
user@host# set security ike proposal ike_prop_1 authentication-algorithm md5
user@host# set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
user@host# set security ike proposal ike_prop_1 lifetime-seconds 300
Use the following command to display information about IKE proposals:
user@host# show security ike
Configure IKE policies
During policy configuration, you must set the mode in which the Phase 1 channel will be negotiated, specify the type of key exchange to be used, and reference the Phase 1 proposal. In this example, you create a policy called ike_pol_1, specify that participants exchange proposals in aggressive mode, and reference the proposal called ike_prop_1. You specify that the preshared key be of type ASCII, and enter the key.
Note: When configuring an IKE policy for the dynamic VPN feature, note that you must set the mode to aggressive. Also note that you must use preshared keys rather than manual keys or certificates.
IKE policies J-Web Configuration
To configure an IKE policy in J-Web:
1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ike, click Configure or Edit.
4. Next to Policy, click Add new entry.
5. In the Name box, type Ike_pol_1.
6. In the Description box, type new Ike policy.
7. From the Mode box, select aggressive.
8. Next to Pre shared key, click Configure.
9. From the key choice list, select Ascii text.
10. In the Ascii textbox, type $9$UQiqf36A1RSTzRSreXxDik.Tzn/CuBI and click OK.
11. Next to Proposals, click Add new entry.
12. In the Value keyword box, type Ike_prop_1 and click OK.
13. To save and commit the configuration, click Commit.
IKE policies CLI Configuration
To configure an IKE policy using the CLI editor:
user@host# set security ike policy ike_pol_1 mode aggressive
user@host# set security ike policy ike_pol_1 description "new ike policy"
user@host# set security ike policy ike_pol_1 proposals ike_prop_1
user@host# set security ike policy ike_pol_1 pre-shared-key ascii-text "$9$UQiqf36A1RSTzRSreXxDik.Tzn/CuBI"
Use the following command to display information about this IKE policy:
user@host# show security ike policy ike_pol_1
Configure IKE gateway (and reference the policy)
When creating the gateway, you must reference the Phase 1 policy. In this example, you create an IKE gateway called ike_gateway_1, reference the policy ike_pol_1, and configure an IP address for the gateway. You configure dead peer detection (DPD) to send a DPD request packet when the device has not received traffic from a peer for 10 seconds, and to consider the peer unavailable after five sequences of waiting 10 seconds and sending a DPD request packet. You also specify ge-0/0/0 as the outgoing interface.
IKE gateway J-Web Configuration
To configure an IKE gateway in J-Web:
1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ike, click Configure or Edit.
4. Next to Gateway, click Add new entry.
5. In the Gateway name box, type Ike_gateway_1.
6. Next to Dead peer detection, select the check box and click Configure.
7. In the Interval box, type 10.
8. In the Threshold box, type 5 and click OK.
9. In the External interface box, type ge-0/0/0.
10. In the Ike policy box, type ike_pol_1.
11. From the Remote identifier list, select Address.
12. Next to Address, click Add new entry.
13. In the Value box, type 1.1.1.2.
14. To save and commit the configuration, click Commit.
IKE gateway CLI Configuration
To configure an IKE gateway using the CLI editor:
user@host# set security ike gateway ike_gateway_1 ike-policy ike_pol_1
user@host# set security ike gateway ike_gateway_1 address 1.1.1.2
user@host# set security ike gateway ike_gateway_1 dead-peer-detection interval 10
user@host# set security ike gateway ike_gateway_1 dead-peer-detection threshold 5
user@host# set security ike gateway ike_gateway_1 external-interface ge-0/0/0
Use the following command to display information about this IKE gateway:
user@host# show security ike gateway ike_gateway_1
Now Phase 2 Configuration
Configure Phase 2 proposals.
In Phase 2 proposal configuration, you must create a proposal, specify a security protocol, and select authentication and encryption algorithms for the traffic that will flow through the tunnel. In this example, you create a proposal called ipsec_prop_1, specify ESP as the security protocol, and set hmac-md5-96 as the authentication algorithm and 3des-cbc as the encryption algorithm. You also specify that the security association (SA) terminate after 1,800 seconds.
Phase 2 proposals using J-Web Configuration
To configure an IPsec Phase 2 proposal in J-Web:
1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ipsec, click Configure or Edit.
4. Next to Proposal, click Add new entry.
5. In the Name box, type Ipsec_prop_1.
6. From the Authentication algorithm, select hmac-md5-96.
7. In the Description box, type new ipsec proposal.
8. From the Encryption algorithm, select 3des-cbc.
9. In the Lifetime seconds box, type 1800 and click OK.
10. From the Protocol list, select esp.
11. To save and commit the configuration, click Commit.
Phase 2 proposals using CLI Configuration
To configure an IPsec Phase 2 proposal using the CLI editor:
user@host# set security ipsec proposal ipsec_prop_1 description "new ipsec proposal"
user@host# set security ipsec proposal ipsec_prop_1 protocol esp
user@host# set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
user@host# set security ipsec proposal ipsec_prop_1 lifetime-seconds 1800
Use the following command to display information about this IPsec proposal:
user@host# show security ipsec proposal ipsec_prop_1
Configure policies (and reference proposals).
In Phase 2 IPsec policy configuration, you must create a policy and reference a Phase 2 proposal. In this example, you create a policy called ipsec_pol_1 and reference the proposal ipsec_prop_1. You also configure Perfect Forward Secrecy to use Diffie-Hellman Group 2 as the method the device uses to generate the encryption key.
Phase 2 policies J-Web Configuration
To configure an IPsec policy in J-Web:
1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ipsec, click Configure or Edit.
4. Next to Policy, click Add new entry.
5. In the Name box, type Ipsec_pol_1.
6. In the Description box, type new Ipsec policy.
7. Next to Perfect forward secrecy, click Configure.
8. From the Keys list, select group2 and click OK.
9. Next to Proposals, click Add new entry.
10. In the Value keyword box, type Ipsec_prop_1 and click OK.
11. To save and commit the configuration, click Commit.
Phase 2 policies CLI Configuration
To configure an IPsec policy using the CLI editor:
user@host# set security ipsec policy ipsec_pol_1 description "new ipsec policy"
user@host# set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
user@host# set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
Use the following command to display information about this IPsec policy:
user@host# show security ipsec policy ipsec_pol_1
Configure IPsec Autokey IKE (and reference the policy and gateway).
In Phase 2 IPsec AutoKey configuration, you must create a VPN tunnel name, specify a gateway, and reference a Phase 2 policy. If you are using Route mode, you must bind the tunnel to an interface. In this example, you create a VPN tunnel named vpn_1 and bind it to interface st0.0, and you specify ike_gateway_1 as the gateway for the VPN tunnel and reference the IPsec policy ipsec_pol_1.
IPsec Autokey IKE J-Web Configuration
To configure an IPsec Autokey in J-Web:
1. Select Configure>CLI Tools>Point and Click CLI.
2. Next to Security, click Configure or Edit.
3. Next to Ipsec, click Configure or Edit.
4. Next to Vpn, click Add new entry.
5. In the Name box, type vpn_1.
6. In the Bind interface box, type st0.0.
7. From the Negotiation list, select Ike.
8. Next to Ike, click Configure.
9. In the Gateway box, type Ike_gateway_1.
10. In the Ipsec policy box, type Ipsec_pol_1 and click OK.
11. To save and commit the configuration, click Commit.
IPsec Autokey IKE using CLI Configuration
To configure an IPsec Autokey using the CLI editor:
user@host# set security ipsec vpn vpn_1 bind-interface st0.0
user@host# set security ipsec vpn vpn_1 ike gateway ike_gateway_1
user@host# set security ipsec vpn vpn_1 ike ipsec-policy ipsec_pol_1
Use the following command to display information about this VPN:
user@host# show security ipsec vpn vpn_1
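The whole procedure above hangs on one rule: every object must name one that already exists (IKE policy names its proposal, IKE gateway names its policy, IPsec policy names its proposal, IPsec VPN names its gateway and IPsec policy). The following Python script is an added example, not code from the original post or from Juniper. It collects the post's own CLI commands into a candidate configuration, checks those cross-references before commit, reports the DPD dead time implied by the gateway settings, and flags the md5, hmac-md5-96, 3des-cbc and group2 values used in the walkthrough as legacy choices a reviewer should question. It assumes single-valued proposals leaves as in the post (not the [ a b ] list form); the WEAK_VALUES set is reviewer judgement, not a Junos definition.

```python
"""Lint Junos SRX IKE/IPsec 'set' commands for dangling references and legacy algorithms.

Added example, not code from the original post or from Juniper. Encodes the
dependency order the post describes and flags legacy algorithm choices.
Assumes single-valued 'proposals' leaves (the post's form, not the [ a b ] list).
"""
import shlex

# Constructed sample: the post's CLI commands collected into one candidate config.
SAMPLE_CONFIG = """
set security ike proposal ike_prop_1 description "new ike proposal"
set security ike proposal ike_prop_1 authentication-method pre-shared-keys
set security ike proposal ike_prop_1 dh-group group2
set security ike proposal ike_prop_1 authentication-algorithm md5
set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
set security ike proposal ike_prop_1 lifetime-seconds 300
set security ike policy ike_pol_1 mode aggressive
set security ike policy ike_pol_1 proposals ike_prop_1
set security ike policy ike_pol_1 pre-shared-key ascii-text "$9$UQiqf36A1RSTzRSreXxDik.Tzn/CuBI"
set security ike gateway ike_gateway_1 ike-policy ike_pol_1
set security ike gateway ike_gateway_1 address 1.1.1.2
set security ike gateway ike_gateway_1 dead-peer-detection interval 10
set security ike gateway ike_gateway_1 dead-peer-detection threshold 5
set security ike gateway ike_gateway_1 external-interface ge-0/0/0
set security ipsec proposal ipsec_prop_1 protocol esp
set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_prop_1 lifetime-seconds 1800
set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1
set security ipsec vpn vpn_1 bind-interface st0.0
set security ipsec vpn vpn_1 ike gateway ike_gateway_1
set security ipsec vpn vpn_1 ike ipsec-policy ipsec_pol_1
"""

# Which leaf of which object type must name an existing object of which type
# (the Phase 1 / Phase 2 ordering from the post, written as a dependency table).
REFERENCES = {
    ("ike", "policy"): [("proposals", ("ike", "proposal"))],
    ("ike", "gateway"): [("ike-policy", ("ike", "policy"))],
    ("ipsec", "policy"): [("proposals", ("ipsec", "proposal"))],
    ("ipsec", "vpn"): [("ike gateway", ("ike", "gateway")),
                       ("ike ipsec-policy", ("ipsec", "policy"))],
}

# Values treated as legacy for review purposes (assumption: tune to local policy).
WEAK_VALUES = {"md5", "hmac-md5-96", "3des-cbc", "group2"}


def parse_set_commands(text):
    """Map (family, object_type, name) -> {leaf_path: value} from 'set security ...' lines."""
    objects = {}
    for raw in text.strip().splitlines():
        tokens = shlex.split(raw)  # honours the quoted description and key strings
        if tokens[:2] != ["set", "security"] or len(tokens) < 7:
            continue  # not a 'set security <family> <type> <name> <leaf...> <value>' line
        family, obj_type, name = tokens[2], tokens[3], tokens[4]
        leaf, value = " ".join(tokens[5:-1]), tokens[-1]
        objects.setdefault((family, obj_type, name), {})[leaf] = value
    return objects


def check_references(objects):
    """Return messages for references that are absent or name a non-existent object."""
    problems = []
    for (family, obj_type, name), leaves in objects.items():
        for leaf, (ref_family, ref_type) in REFERENCES.get((family, obj_type), []):
            target = leaves.get(leaf)
            if target is None:
                problems.append(f"{family} {obj_type} {name}: no '{leaf}' configured")
            elif (ref_family, ref_type, target) not in objects:
                problems.append(f"{family} {obj_type} {name}: '{leaf} {target}' "
                                f"names a {ref_family} {ref_type} that does not exist")
    return problems


def weak_algorithms(objects):
    """Return sorted findings for every leaf whose value is in WEAK_VALUES."""
    return sorted(f"{family} {obj_type} {name}: {leaf} {value}"
                  for (family, obj_type, name), leaves in objects.items()
                  for leaf, value in leaves.items() if value in WEAK_VALUES)


def dpd_dead_time(objects, gateway):
    """Seconds until a silent peer is declared dead: DPD interval * threshold."""
    leaves = objects[("ike", "gateway", gateway)]
    return (int(leaves["dead-peer-detection interval"])
            * int(leaves["dead-peer-detection threshold"]))


def lint(text):
    """Run both checks over a set-command configuration and return the findings."""
    objects = parse_set_commands(text)
    return {"references": check_references(objects), "weak": weak_algorithms(objects)}


if __name__ == "__main__":
    objs = parse_set_commands(SAMPLE_CONFIG)
    for section, items in lint(SAMPLE_CONFIG).items():
        print(f"{section}:")
        for item in items or ["(none)"]:
            print("  " + item)
    print("ike_gateway_1 DPD dead time:", dpd_dead_time(objs, "ike_gateway_1"), "s")
```

Run as-is, the reference check comes back clean for the post's configuration, the DPD check reports 50 seconds (interval 10 times threshold 5), and the weak-algorithm check lists six findings across the IKE proposal, the IPsec proposal and the PFS setting. Delete or misspell the ike_prop_1 proposal lines and the policy's dangling reference is reported before you reach commit, which is the failure the post warns about when steps are done out of order.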
Thanks,