
How to configure IPSec VPN on SRX

Interface Configuration

1. First define the tunnel interface st0. In our case (Karachi) st0 is unnumbered and borrows its address from the untrust interface.
2. Second, define a sub-interface and assign it an IP address from the customer's pool of live (public) IP addresses. In Karachi this sub-interface is defined on the trust interface (reth1). This interface is used as the external interface of the phase 1 gateway.

Sample interface configuration on live equipment:

set interfaces st0 unit 0 family inet
set interfaces reth1 unit 101 vlan-id 101
set interfaces reth1 unit 101 family inet address 202.125.133.46/32

Defining Phase 1 configuration


Define a custom proposal for the customer:

SRX-01# edit security ike
set proposal "test customer" dh-group group2
set proposal "test customer" authentication-algorithm md5
set proposal "test customer" encryption-algorithm 3des-cbc

Define the phase 1 policy (the proposal name must match the proposal defined above):

SRX-01# edit security ike
set policy customerpl1 mode main
set policy customerpl1 proposals "test customer"
set policy customerpl1 pre-shared-key ascii-text "define key"

Define the gateway:

SRX-01# edit security ike
set gateway customer ike-policy customerpl1
set gateway customer address "remote IP address of the device with which you want to establish the VPN"
set gateway customer external-interface "your outgoing interface"

Phase 1 sample configuration on live equipment:

set security ike proposal test authentication-method pre-shared-keys
set security ike proposal test dh-group group2
set security ike proposal test authentication-algorithm md5
set security ike proposal test encryption-algorithm 3des-cbc
set security ike policy psl mode main
set security ike policy psl proposals test
set security ike policy psl pre-shared-key ascii-text "$9$Oo2F1IceK8-VYhS-wY2aJ36/tBI"
set security ike gateway psl ike-policy psl
set security ike gateway psl address 58.65.194.242
set security ike gateway psl external-interface reth1.101

Define IPSEC phase 2


First we define a custom proposal as per the customer's needs:

SRX-01# edit security ipsec
set proposal vpn authentication-algorithm hmac-md5-96
set proposal vpn encryption-algorithm 3des-cbc
set proposal vpn lifetime-seconds 3600

Define the phase 2 policy:

set policy cust-vpn proposals vpn

Bind the VPN to the tunnel interface:

set vpn test-cust bind-interface st0.0
set vpn test-cust ike gateway customer (here we reference the phase 1 gateway name)
set vpn test-cust ike ipsec-policy cust-vpn
set vpn test-cust establish-tunnels on-traffic

Sample configuration for phase 2 on live equipment:

set security ipsec proposal vpn authentication-algorithm hmac-md5-96
set security ipsec proposal vpn encryption-algorithm 3des-cbc
set security ipsec proposal vpn lifetime-seconds 3600
set security ipsec policy psl proposal-set basic
set security ipsec vpn psl bind-interface st0.0
set security ipsec vpn psl ike gateway psl
set security ipsec vpn psl ike ipsec-policy psl
set security ipsec vpn psl establish-tunnels on-traffic

Note that the live sample references the predefined proposal-set basic rather than the custom proposal vpn defined just above it, so that proposal is never used; to apply the custom proposal, reference it with "proposals vpn" in the IPsec policy, as in the template.

Define a customer-specific (self-defined) zone for security purposes


SRX-01# edit security zones
set security-zone test-customer interfaces "name of the interface you defined as the sub-interface" host-inbound-traffic system-services all
set security-zone test-customer interfaces "name of the interface you defined as the sub-interface" host-inbound-traffic protocols all

SRX-01# edit security zones security-zone trust

Define the tunnel interface (st0.0) in the trust zone in the same way as above and allow system services and protocols on it; without a zone, traffic arriving on the tunnel interface is dropped.

Sample Configuration for Zone on live Equipment


set security zones security-zone test-cust interfaces reth1.101 host-inbound-traffic system-services all
set security zones security-zone test-cust interfaces reth1.101 host-inbound-traffic protocols all

Define Policies for traffic flow


First define policies from the self-defined zone test-customer to untrust, and from untrust to the self-defined zone.

Policy from test-customer to untrust:

SRX-01# edit security policies
set from-zone test-customer to-zone untrust policy "name" match source-address any
set from-zone test-customer to-zone untrust policy "name" match destination-address any
set from-zone test-customer to-zone untrust policy "name" match application any
set from-zone test-customer to-zone untrust policy "name" then permit

Policy from untrust to the self-defined zone test-customer:

set from-zone untrust to-zone test-customer policy "name" match source-address any
set from-zone untrust to-zone test-customer policy "name" match destination-address any
set from-zone untrust to-zone test-customer policy "name" match application any
set from-zone untrust to-zone test-customer policy "name" then permit

More policies are needed if the customer's servers are in the trust zone: we must allow traffic from trust to the self-defined zone and vice versa.

Policy from trust to the self-defined zone:

set from-zone trust to-zone test-customer policy "name" match source-address any
set from-zone trust to-zone test-customer policy "name" match destination-address any
set from-zone trust to-zone test-customer policy "name" match application any
set from-zone trust to-zone test-customer policy "name" then permit

Policy from the self-defined zone to trust:

set from-zone test-customer to-zone trust policy "name" match source-address any
set from-zone test-customer to-zone trust policy "name" match destination-address any
set from-zone test-customer to-zone trust policy "name" match application any
set from-zone test-customer to-zone trust policy "name" then permit

Sample Configuration on live Equipment


Policies from the self-defined zone to untrust and vice versa:

set security policies from-zone untrust to-zone test-cust policy testvpn1 match source-address any
set security policies from-zone untrust to-zone test-cust policy testvpn1 match destination-address any
set security policies from-zone untrust to-zone test-cust policy testvpn1 match application any
set security policies from-zone untrust to-zone test-cust policy testvpn1 then permit
set security policies from-zone test-cust to-zone untrust policy testvpn1 match source-address any
set security policies from-zone test-cust to-zone untrust policy testvpn1 match destination-address any
set security policies from-zone test-cust to-zone untrust policy testvpn1 match application any
set security policies from-zone test-cust to-zone untrust policy testvpn1 then permit

Policies from trust to the self-defined zone and vice versa:

set security policies from-zone test-cust to-zone trust policy testvpn match source-address any
set security policies from-zone test-cust to-zone trust policy testvpn match destination-address any
set security policies from-zone test-cust to-zone trust policy testvpn match application any
set security policies from-zone test-cust to-zone trust policy testvpn then permit
set security policies from-zone trust to-zone test-cust policy testvpn match source-address any
set security policies from-zone trust to-zone test-cust policy testvpn match destination-address any
set security policies from-zone trust to-zone test-cust policy testvpn match application any
set security policies from-zone trust to-zone test-cust policy testvpn then permit

Define a static route for the remote LAN over the VPN

SRX-01# edit routing-options
set static route 192.168.0.0/16 next-hop st0.0

Considerations for the above configuration

If we have pools of live IP addresses, we are using a live IP address on the sub-interface, and the servers in the trust zone also have live IP addresses, we need a source NAT rule that turns NAT off for the particular server IP addresses.

Configuration for turning source NAT off

SRX-01# edit security nat source rule-set test
set from zone test-customer
set to zone untrust
set rule "name" match source-address (the server's live IP address)
set rule "name" match destination-address 0.0.0.0/0
set rule "name" then source-nat off

Configuration for source NAT on live equipment


set security nat source rule-set test-customer from zone test-cust
set security nat source rule-set test-customer to zone untrust
set security nat source rule-set test-customer rule noo-nat match source-address 202.125.133.46/32
set security nat source rule-set test-customer rule noo-nat match destination-address 0.0.0.0/0
set security nat source rule-set test-customer rule noo-nat then source-nat off
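As an added example (not part of the original document or any Juniper tool), the following Python checker parses Junos "set" commands like the ones in this guide and reports what a practitioner checks before committing: references that point at undefined objects (policy, proposal, gateway), a bind-interface that exists but sits in no security zone, proposals that are defined but never referenced, and the algorithms this configuration relies on (md5, 3des-cbc, group2, proposal-set basic) that are not adequate for a new tunnel. The embedded sample is constructed from this page's live-equipment lines; WEAK and REFS are the checker's own assumptions.

```python
# Constructed sample (assumed): this page's "live equipment" set commands, condensed.
SAMPLE = """\
set interfaces st0 unit 0 family inet
set security ike proposal test dh-group group2
set security ike proposal test authentication-algorithm md5
set security ike proposal test encryption-algorithm 3des-cbc
set security ike policy psl proposals test
set security ike gateway psl ike-policy psl
set security ipsec proposal vpn encryption-algorithm 3des-cbc
set security ipsec policy psl proposal-set basic
set security ipsec vpn psl bind-interface st0.0
set security ipsec vpn psl ike gateway psl
set security ipsec vpn psl ike ipsec-policy psl
set security zones security-zone test-cust interfaces reth1.101 host-inbound-traffic protocols all
"""
# Algorithms, DH groups and the predefined set that are not adequate for a new tunnel.
WEAK = {"md5", "hmac-md5-96", "des-cbc", "3des-cbc", "group1", "group2", "basic"}
# Which attribute of each object kind must name an existing object of another kind.
REFS = {"ike gateway": [("ike-policy", "ike policy")], "ike policy": [("proposals", "ike proposal")],
        "ipsec vpn": [("ike gateway", "ike gateway"), ("ike ipsec-policy", "ipsec policy")],
        "ipsec policy": [("proposals", "ipsec proposal")]}

def parse(cfg):
    """Index set commands as objs[(kind, name)] -> {attribute: value}, plus interface sets."""
    objs, ifaces, zoned = {}, set(), set()
    for t in (l.split() for l in cfg.splitlines() if l.startswith("set ")):
        if t[1] == "interfaces" and len(t) > 4 and t[3] == "unit":
            ifaces.add(f"{t[2]}.{t[4]}")                  # e.g. st0.0, reth1.101
        elif t[1:3] == ["security", "zones"] and len(t) > 6 and t[5] == "interfaces":
            zoned.add(t[6])                                # interface placed in a zone
        elif t[1] == "security" and t[2] in ("ike", "ipsec") and len(t) >= 7:
            objs.setdefault((f"{t[2]} {t[3]}", t[4]), {})[" ".join(t[5:-1])] = t[-1]
    return objs, ifaces, zoned

def audit(cfg):
    """Return findings: dangling references, unzoned tunnel interface, weak or unused proposals."""
    objs, ifaces, zoned = parse(cfg)
    out = []
    for (kind, name), attrs in objs.items():
        for attr, target in REFS.get(kind, []):
            if attr in attrs and (target, attrs[attr]) not in objs:
                out.append(f"{kind} {name}: {attr} '{attrs[attr]}' is not defined as {target}")
        if kind == "ipsec vpn":                            # st0 must exist and sit in a zone
            st = attrs.get("bind-interface")
            if st not in ifaces: out.append(f"bind-interface {st} is not configured")
            elif st not in zoned: out.append(f"{st} is in no security zone")
        out += [f"{kind} {name}: weak {a} {v}" for a, v in attrs.items() if v in WEAK]
    used = {a.get("proposals") for (k, _), a in objs.items() if k == "ipsec policy"}
    out += [f"ipsec proposal {n} is unused" for k, n in objs if k == "ipsec proposal" and n not in used]
    return out
```

Run audit(SAMPLE) on the page's configuration and it reports the unzoned st0.0, the unused proposal vpn, and the weak algorithm choices; a configuration with stronger proposals and st0.0 placed in the trust zone returns an empty list.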
