Juniper Routed IPSec VPN

October 8, 2013

In this post we will talk about setting up a routed site-to-site VPN on a Juniper SRX.

VPN-1

To begin with, we need to set the IKE proposal.

security {
    ike {
        proposal Site-To-Site {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
    }
}

For this proposal we used Diffie-Hellman group 2, SHA-1 as the hash and AES-256-CBC as the encryption algorithm. We have also set the SA lifetime and set the authentication method to pre-shared key.

Our next step is to set up the IKE policy for the VPN under “edit security ike”.

policy Site-To-Site-VPN {
    mode main;
    proposals Site-To-Site;
    pre-shared-key ascii-text "juniper";
}

We have selected main mode, referenced the proposal we created and added the pre-shared key. We now need to define a gateway.

gateway IKE-GW {
    ike-policy Site-To-Site-VPN;
    address 98.188.188.210;
    external-interface ge-0/0/0.0;
    version v2-only;
}

Now that we have set up the IKE part of the VPN, we need to set up the IPsec part. We begin with the IPsec proposal. This is set under “edit security ipsec”.

ipsec {
    proposal Site-To-Site {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
}

We now create an IPsec policy.

policy Site-to-Site-IPSec {
    proposals Site-To-Site;
}

We add the IPsec proposal to the policy. We now set up the VPN itself.

vpn Site-to-site-vpn {
    bind-interface st0.0;
    ike {
        gateway IKE-GW;
        ipsec-policy Site-to-Site-IPSec;
    }
}

The VPN configuration is now complete. We now need to do four more things: set up the interface, set the security zone and its policy, set the tcp-mss, and set the routing.

We set the interface first.

st0 {
    unit 0 {
        point-to-point;
        family inet {
            address 172.16.1.1/30;
        }
    }
}

Now we need to set up the security zone.

zones {
    security-zone VPN {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            st0.0;
        }
    }
}

We then set the security policy; this is done under “edit security policies”.

from-zone VPN to-zone trust {
    policy default {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
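The IKE proposal, IKE policy, zone and security-policy fragments above are the parts of the config most worth reviewing before the tunnel goes into production: group 2 is 1024-bit MODP, SHA-1 is a legacy hash, the pre-shared key is a dictionary word, the zone accepts all host-inbound services and protocols, and the policy permits any/any. The script below is an added example, not code from the post or from Juniper: it parses the curly-brace config format shown in the post into nested dictionaries and flags those settings. The parser (`parse_junos`), the `audit` function, the `WEAK_DH`/`WEAK_HASH` sets and the 20-character pre-shared-key threshold are my own assumptions, and the parser assumes a plain listing without comments, annotations or `inactive:` markers. The sample config is constructed from the post's fragments with the braces completed.

```python
import re

# Constructed sample: the IKE, zone and security-policy parts of the post's
# configuration with the braces completed. Not a dump from a real SRX.
SAMPLE_CONFIG = """
security {
    ike {
        proposal Site-To-Site {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
        }
        policy Site-To-Site-VPN {
            mode main;
            proposals Site-To-Site;
            pre-shared-key ascii-text "juniper";
        }
        gateway IKE-GW {
            ike-policy Site-To-Site-VPN;
            address 98.188.188.210;
            version v2-only;
        }
    }
    zones {
        security-zone VPN {
            host-inbound-traffic {
                system-services { all; }
                protocols { all; }
            }
            interfaces { st0.0; }
        }
    }
    policies {
        from-zone VPN to-zone trust {
            policy default {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then { permit; }
            }
        }
    }
}
"""

# Tokens are "name {", "}" or "statement;" (assumes no comments or annotations).
_TOKEN = re.compile(r"([^{};]+)\{|(\})|([^{};]+);")

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf values become lists."""
    root, stack = {}, []
    stack.append(root)
    for m in _TOKEN.finditer(text):
        opener, closer, stmt = m.groups()
        if opener is not None:                  # "proposal Site-To-Site {"
            stack.append(stack[-1].setdefault(opener.strip(), {}))
        elif closer:                            # "}"
            stack.pop()
        else:                                   # "dh-group group2;" or bare "all;"
            parts = stmt.split(None, 1)
            stack[-1].setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else True)
    return root

WEAK_DH = {"group1", "group2", "group5"}        # 768/1024/1536-bit MODP (assumed threshold)
WEAK_HASH = {"md5", "sha1"}
MIN_PSK_LEN = 20                                # assumed minimum for an ascii-text key

def audit(cfg):
    """Return (code, where) findings for settings a reviewer would push back on."""
    findings = []
    sec = cfg.get("security", {})
    for name, node in sec.get("ike", {}).items():
        if not isinstance(node, dict):
            continue
        if name.startswith("proposal "):
            findings += [("weak-dh-group", f"{name} {g}") for g in node.get("dh-group", []) if g in WEAK_DH]
            findings += [("weak-ike-hash", f"{name} {h}") for h in node.get("authentication-algorithm", []) if h in WEAK_HASH]
        elif name.startswith("policy "):
            for v in node.get("pre-shared-key", []):
                m = re.search(r'ascii-text\s+"?([^"]*)"?', v)
                if m and len(m.group(1)) < MIN_PSK_LEN:
                    findings.append(("short-psk", name))
        elif name.startswith("gateway ") and "v1-only" in node.get("version", []):
            findings.append(("ikev1-only", name))
    for zname, zone in sec.get("zones", {}).items():
        hit = zone.get("host-inbound-traffic", {})
        for section in ("system-services", "protocols"):
            if "all" in hit.get(section, {}):
                findings.append((f"host-inbound-all-{section}", zname))
    for ctx, rules in sec.get("policies", {}).items():
        for pname, pol in rules.items():
            match = pol.get("match", {})
            wide_open = all(match.get(k) == ["any"] for k in ("source-address", "destination-address", "application"))
            if wide_open and "permit" in pol.get("then", {}):
                findings.append(("permit-any-any", f"{ctx} {pname}"))
    return findings

if __name__ == "__main__":
    for code, where in audit(parse_junos(SAMPLE_CONFIG)):
        print(f"{code:32s} {where}")
```

Run against the sample it reports six findings; swapping in `dh-group group14`, `authentication-algorithm sha-256`, a long random key, explicit host-inbound services and a policy scoped to the two LAN prefixes clears them. Feed it `show configuration | display set`-style output and it will not work; it expects the brace format exactly as the post prints it.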

Once this is done we need to add a route that points over our VPN.

routing-options {
    static {
        route 172.16.10.0/24 next-hop st0.0;
    }
}

Finally we need to set the tcp-mss under “edit security flow”.

flow {
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }
}
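The tcp-mss value exists because ESP tunnel mode adds an outer IP header, the ESP header, an IV, padding and an ICV to every packet, so a full-size TCP segment from the LAN no longer fits in the WAN MTU and would be fragmented or dropped. The following is an added example, not code from the post or from Juniper, that computes the largest MSS that still fits for the post's proposal (ESP, AES-256-CBC, HMAC-SHA1-96). The overhead figures are my assumptions taken from the ESP packet format (RFC 4303) and the cipher and MAC sizes, for IPv4 without IP or TCP options; the function names `max_tcp_mss` and `mss_headroom` are mine.

```python
# Per-packet overhead of ESP in tunnel mode over IPv4, in bytes. Assumed values
# from the ESP packet layout, not numbers taken from the original post.
OUTER_IPV4 = 20          # outer IPv4 header added by tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
NAT_T_UDP = 8            # UDP header when ESP is encapsulated for NAT traversal
ESP_TRAILER = 2          # pad length (1) + next header (1), inside the ciphertext
INNER_HEADERS = 40       # inner IPv4 (20) + TCP (20), no options

# Junos algorithm names -> (IV length, cipher block size) and ICV length
CIPHER = {"aes-256-cbc": (16, 16), "aes-128-cbc": (16, 16), "3des-cbc": (8, 8)}
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha-256-128": 16}

def max_tcp_mss(mtu=1500, cipher="aes-256-cbc", auth="hmac-sha1-96", nat_t=False):
    """Largest TCP payload whose ESP-encapsulated packet still fits in `mtu`."""
    iv_len, block = CIPHER[cipher]
    fixed = OUTER_IPV4 + ESP_HEADER + iv_len + ICV[auth] + (NAT_T_UDP if nat_t else 0)
    room = mtu - fixed
    # The inner packet plus trailer is padded to a whole number of cipher blocks,
    # so only complete blocks can be used.
    room -= room % block
    return room - ESP_TRAILER - INNER_HEADERS

def mss_headroom(configured_mss, **kwargs):
    """Bytes to spare between a configured tcp-mss and the computed ceiling;
    negative means segments of that size will still not fit."""
    return max_tcp_mss(**kwargs) - configured_mss

if __name__ == "__main__":
    for nat in (False, True):
        label = "NAT-T" if nat else "plain ESP"
        print(f"{label:10s} ceiling {max_tcp_mss(nat_t=nat)}  headroom for 1350: {mss_headroom(1350, nat_t=nat)}")
```

With a 1500-byte WAN MTU and the post's algorithms the ceiling is 1398 bytes, or 1382 once NAT-T adds its UDP header, so 1350 is a safe, conservative choice for both cases. If the WAN MTU is smaller (PPPoE, for example) feed that value in instead of relying on the default.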

Once this is done we can test our VPN.

admin@srx> show security ike security-associations
Index  State  Initiator cookie  Responder cookie  Mode   Remote Address         
947309 UP     ae140fccdd2b724c  71654357c48047dc  IKEv2   98.188.188.210
admin@srx> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:aes-256/sha1 87098745 2892/ unlim -  root 500  98.188.188.210
  >131073 ESP:aes-256/sha1 cd0f0359 2892/ unlim -  root 500  98.188.188.210
admin@srx> ping 172.16.10.1 rapid
PING 172.16.10.1 (172.16.10.1): 56 data bytes
!!!!!
--- 172.16.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 7.170/11.228/17.923/4.087 ms

If you are using NAT you need to exempt the addresses that travel over the VPN from it.