# IPSec VPN (Route-based VPN)
## Hub Firewall
### Step-1: Configuring hostname, root authentication, syslog and interfaces
set system host-name vSRX-1-HUB-FW
set system root-authentication encrypted-password "$1$Ck/1H8ol$.wgjY7Q54JDYLt.8uJcKX0"
set system syslog user * any emergency
set system syslog file messages any any
set interfaces ge-0/0/3 unit 0 family inet address 2.2.2.1/30
set interfaces ge-0/0/2 unit 0 family inet address 10.1.2.1/24
### Step-2: Create security zones, assign interfaces, and create address-book entries for the Spoke and Hub LAN subnets
set security zones security-zone LAN interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone WAN interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security address-book global address WAN-1 10.1.0.0/23
set security address-book global address LAN-1 10.1.2.0/23
set security address-book global address-set SPOKE-LAN address WAN-1
set security address-book global address-set HUB-LAN address LAN-1
### Step-3: Configuring IKE Phase-1 Parameters
set security ike proposal IKE-PHASE-1-PROPOSAL description HUB-IKE-P1-PROPOSAL
set security ike proposal IKE-PHASE-1-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PHASE-1-PROPOSAL dh-group group5
set security ike proposal IKE-PHASE-1-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PHASE-1-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-PHASE-1-PROPOSAL lifetime-seconds 86400
set security ike policy IKE-P1-POLICY mode main
set security ike policy IKE-P1-POLICY proposals IKE-PHASE-1-PROPOSAL
set security ike policy IKE-P1-POLICY pre-shared-key ascii-text cisco12345
set security ike gateway IKE-P1-GW ike-policy IKE-P1-POLICY
set security ike gateway IKE-P1-GW address 1.1.1.2
set security ike gateway IKE-P1-GW dead-peer-detection interval 10
set security ike gateway IKE-P1-GW dead-peer-detection threshold 3
set security ike gateway IKE-P1-GW external-interface ge-0/0/3
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.2
set routing-options static route 10.1.3.0/24 next-hop 10.1.2.2
### Step-4: Configuring IKE Phase-2 Parameters
set security ipsec proposal IKE-P2-PROPOSAL description IKE-P2-PROPOSAL
set security ipsec proposal IKE-P2-PROPOSAL protocol esp
set security ipsec proposal IKE-P2-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IKE-P2-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IKE-P2-PROPOSAL lifetime-seconds 3600
set security ipsec policy IKE-P2-POLICY description IKE-P2-IPSEC-POLICY
set security ipsec policy IKE-P2-POLICY perfect-forward-secrecy keys group5
set security ipsec policy IKE-P2-POLICY proposals IKE-P2-PROPOSAL
set security ipsec vpn IPSEC-VPN ike gateway IKE-P1-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IKE-P2-POLICY
### Step-5: Configuring Policy-based VPN
set security policies from-zone LAN to-zone WAN policy H2S-VPN-POLICY match source-address HUB-LAN
set security policies from-zone LAN to-zone WAN policy H2S-VPN-POLICY match destination-address SPOKE-LAN
set security policies from-zone LAN to-zone WAN policy H2S-VPN-POLICY match application any
set security policies from-zone LAN to-zone WAN policy H2S-VPN-POLICY then permit tunnel ipsec-vpn IPSEC-VPN
set security policies from-zone LAN to-zone WAN policy H2S-VPN-POLICY then permit tunnel pair-policy S2H-VPN-POLICY
set security policies from-zone LAN to-zone WAN policy H2S-VPN-POLICY then log session-init
set security policies from-zone LAN to-zone WAN policy H2S-VPN-POLICY then log session-close
set security policies from-zone WAN to-zone LAN policy S2H-VPN-POLICY match source-address SPOKE-LAN
set security policies from-zone WAN to-zone LAN policy S2H-VPN-POLICY match destination-address HUB-LAN
set security policies from-zone WAN to-zone LAN policy S2H-VPN-POLICY match application any
set security policies from-zone WAN to-zone LAN policy S2H-VPN-POLICY then permit tunnel ipsec-vpn IPSEC-VPN
set security policies from-zone WAN to-zone LAN policy S2H-VPN-POLICY then permit tunnel pair-policy H2S-VPN-POLICY
set security policies from-zone WAN to-zone LAN policy S2H-VPN-POLICY then log session-init
set security policies from-zone WAN to-zone LAN policy S2H-VPN-POLICY then log session-close
### Step-6: Configuring Route-based VPN (st0 tunnel interface)
Binding the VPN to st0.0 lets the routing table select the tunnel, so the Step-5 `permit tunnel` policies are replaced by ordinary permit policies between the LAN and VPN zones.
set interfaces st0 unit 0 family inet address 3.3.3.2/30
set security zones security-zone VPN interfaces st0.0
set security ipsec vpn IPSEC-VPN ike proxy-identity local 10.1.2.0/23
set security ipsec vpn IPSEC-VPN ike proxy-identity remote 10.1.0.0/23
set security ipsec vpn IPSEC-VPN ike proxy-identity service any
set routing-options static route 10.1.0.0/23 next-hop st0.0
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY match source-address HUB-LAN
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY match destination-address SPOKE-LAN
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY match application any
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY then permit
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY then log session-init
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY then log session-close
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY match source-address SPOKE-LAN
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY match destination-address HUB-LAN
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY match application any
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY then permit
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY then log session-init
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY then log session-close
## Spoke Firewall
### Step-1: Configuring hostname, root authentication, syslog and interfaces
set system host-name SPOKE-FW
set system root-authentication encrypted-password "$1$J3wcxg8E$lQg42BgTl/9sEO8KybJ550"
set system syslog user * any emergency
set system syslog file messages any any
set interfaces ge-0/0/2 unit 0 family inet address 10.1.0.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
### Step-2: Create security zones, assign interfaces, and create address-book entries for the Spoke and Hub LAN subnets
set security zones security-zone LAN interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone WAN interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security address-book global address LAN-1 10.1.0.0/23
set security address-book global address WAN-1 10.1.2.0/23
set security address-book global address-set SPOKE-LAN address LAN-1
set security address-book global address-set HUB-LAN address WAN-1
### Step-3: Configuring IKE Phase-1 Parameters
set security ike proposal IKE-PHASE-1-PROPOSAL description SPOKE-IKE-P1-PROPOSAL
set security ike proposal IKE-PHASE-1-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PHASE-1-PROPOSAL dh-group group5
set security ike proposal IKE-PHASE-1-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PHASE-1-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-PHASE-1-PROPOSAL lifetime-seconds 86400
set security ike policy IKE-P1-POLICY mode main
set security ike policy IKE-P1-POLICY proposals IKE-PHASE-1-PROPOSAL
set security ike policy IKE-P1-POLICY pre-shared-key ascii-text cisco12345
set security ike gateway IKE-P1-GW ike-policy IKE-P1-POLICY
set security ike gateway IKE-P1-GW address 2.2.2.1
set security ike gateway IKE-P1-GW dead-peer-detection interval 10
set security ike gateway IKE-P1-GW dead-peer-detection threshold 3
set security ike gateway IKE-P1-GW external-interface ge-0/0/3
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 10.1.1.0/24 next-hop 10.1.0.2
### Step-4: Configuring IKE Phase-2 Parameters
set security ipsec proposal IKE-P2-PROPOSAL description IKE-P2-PROPOSAL
set security ipsec proposal IKE-P2-PROPOSAL protocol esp
set security ipsec proposal IKE-P2-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IKE-P2-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal IKE-P2-PROPOSAL lifetime-seconds 3600
set security ipsec policy IKE-P2-POLICY description IKE-P2-IPSEC-POLICY
set security ipsec policy IKE-P2-POLICY perfect-forward-secrecy keys group5
set security ipsec policy IKE-P2-POLICY proposals IKE-P2-PROPOSAL
set security ipsec vpn IPSEC-VPN ike gateway IKE-P1-GW
set security ipsec vpn IPSEC-VPN ike ipsec-policy IKE-P2-POLICY
### Step-5: Configuring Policy-based VPN
set security policies from-zone LAN to-zone WAN policy S2H-VPN-POLICY match source-address SPOKE-LAN
set security policies from-zone LAN to-zone WAN policy S2H-VPN-POLICY match destination-address HUB-LAN
set security policies from-zone LAN to-zone WAN policy S2H-VPN-POLICY match application any
set security policies from-zone LAN to-zone WAN policy S2H-VPN-POLICY then permit tunnel ipsec-vpn IPSEC-VPN
set security policies from-zone LAN to-zone WAN policy S2H-VPN-POLICY then permit tunnel pair-policy H2S-VPN-POLICY
set security policies from-zone LAN to-zone WAN policy S2H-VPN-POLICY then log session-init
set security policies from-zone LAN to-zone WAN policy S2H-VPN-POLICY then log session-close
set security policies from-zone WAN to-zone LAN policy H2S-VPN-POLICY match source-address HUB-LAN
set security policies from-zone WAN to-zone LAN policy H2S-VPN-POLICY match destination-address SPOKE-LAN
set security policies from-zone WAN to-zone LAN policy H2S-VPN-POLICY match application any
set security policies from-zone WAN to-zone LAN policy H2S-VPN-POLICY then permit tunnel ipsec-vpn IPSEC-VPN
set security policies from-zone WAN to-zone LAN policy H2S-VPN-POLICY then permit tunnel pair-policy S2H-VPN-POLICY
set security policies from-zone WAN to-zone LAN policy H2S-VPN-POLICY then log session-init
set security policies from-zone WAN to-zone LAN policy H2S-VPN-POLICY then log session-close
### Step-6: Configuring Route-based VPN (st0 tunnel interface)
As on the hub, binding the VPN to st0.0 replaces the Step-5 `permit tunnel` policies with ordinary permit policies between the LAN and VPN zones.
set interfaces st0 unit 0 family inet address 3.3.3.1/30
set security zones security-zone VPN interfaces st0.0
set security ipsec vpn IPSEC-VPN ike proxy-identity local 10.1.0.0/23
set security ipsec vpn IPSEC-VPN ike proxy-identity remote 10.1.2.0/23
set security ipsec vpn IPSEC-VPN ike proxy-identity service any
set routing-options static route 10.1.2.0/23 next-hop st0.0
set security ipsec vpn IPSEC-VPN bind-interface st0.0
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY match source-address SPOKE-LAN
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY match destination-address HUB-LAN
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY match application any
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY then permit
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY then log session-init
set security policies from-zone LAN to-zone VPN policy LAN-TO-VPN-POLICY then log session-close
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY match source-address HUB-LAN
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY match destination-address SPOKE-LAN
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY match application any
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY then permit
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY then log session-init
set security policies from-zone VPN to-zone LAN policy VPN-TO-LAN-POLICY then log session-close
### Verification
show security ipsec security-associations
show security ike security-associations
show security ike security-associations detail
show security ipsec statistics
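The show commands above confirm whether the SAs came up. The script below is an added example, not part of the original page or of Junos: it parses constructed excerpts of the hub and spoke configurations shown above and checks offline that the two sides mirror each other (gateway address versus the peer's external-interface address, pre-shared key, IKE and IPsec proposals, PFS group, and the Phase-2 proxy identities), then flags the legacy algorithms this lab uses. The `LEGACY` set and the narrowed `/24` proxy identity used to demonstrate a Phase-2 mismatch are my own assumptions, not values from the page.

```python
"""Offline consistency check for a Junos SRX hub/spoke IPsec VPN pair.

Parses 'set ...' lines from both peers and reports the mismatches that most
often stop Phase 1 or Phase 2 from establishing, plus legacy algorithms.
"""

# Constructed excerpts of the hub and spoke configs (only the lines the
# checker reads); the spoke is the hub with its addresses mirrored.
HUB_CFG = """
set interfaces ge-0/0/3 unit 0 family inet address 2.2.2.1/30
set security ike proposal IKE-PHASE-1-PROPOSAL dh-group group5
set security ike proposal IKE-PHASE-1-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PHASE-1-PROPOSAL encryption-algorithm 3des-cbc
set security ike policy IKE-P1-POLICY pre-shared-key ascii-text cisco12345
set security ike gateway IKE-P1-GW address 1.1.1.2
set security ike gateway IKE-P1-GW external-interface ge-0/0/3
set security ipsec proposal IKE-P2-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IKE-P2-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec policy IKE-P2-POLICY perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN ike proxy-identity local 10.1.2.0/23
set security ipsec vpn IPSEC-VPN ike proxy-identity remote 10.1.0.0/23
set security ipsec vpn IPSEC-VPN bind-interface st0.0
"""
SPOKE_CFG = (HUB_CFG
             .replace("IKE-P1-GW address 1.1.1.2", "IKE-P1-GW address 2.2.2.1")
             .replace("inet address 2.2.2.1/30", "inet address 1.1.1.2/30")
             .replace("local 10.1.2.0/23", "local 10.1.0.0/23")
             .replace("remote 10.1.0.0/23", "remote 10.1.2.0/23"))

# Assumed review baseline: algorithms flagged as legacy (usual replacements
# are AES-256 or AES-GCM, SHA-256, DH group14 or higher, and IKEv2).
LEGACY = {"des-cbc", "3des-cbc", "md5", "sha1", "hmac-md5-96",
          "hmac-sha1-96", "group1", "group2", "group5"}


def parse_peer(text):
    """Collect one peer's IKE/IPsec settings from its 'set' lines."""
    p = {"ike": {}, "ipsec": {}, "if_addr": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "set":
            continue
        if t[1] == "interfaces" and "address" in t:
            p["if_addr"][t[2]] = t[t.index("address") + 1].split("/")[0]
        elif t[1:4] == ["security", "ike", "proposal"] and t[5] in (
                "dh-group", "authentication-algorithm", "encryption-algorithm"):
            p["ike"][t[5]] = t[6]
        elif t[1:4] == ["security", "ike", "policy"] and t[5] == "pre-shared-key":
            p["psk"] = t[7]
        elif t[1:4] == ["security", "ike", "gateway"] and t[5] in ("address", "external-interface"):
            p[t[5]] = t[6]
        elif t[1:4] == ["security", "ipsec", "proposal"] and t[5] in (
                "authentication-algorithm", "encryption-algorithm"):
            p["ipsec"][t[5]] = t[6]
        elif t[1:4] == ["security", "ipsec", "policy"] and t[5] == "perfect-forward-secrecy":
            p["ipsec"]["pfs"] = t[7]
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5:7] == ["ike", "proxy-identity"] and len(t) > 8:
            p["proxy_" + t[7]] = t[8]
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5] == "bind-interface":
            p["bind"] = t[6]
    # IKE is sourced from the external interface, so resolve its address.
    p["ext_addr"] = p["if_addr"].get(p.get("external-interface"))
    return p


def check_pair(a, b, an="hub", bn="spoke"):
    """Return (errors, warnings): errors break the tunnel, warnings are hygiene."""
    errors, warnings = [], []
    # Phase 1: each gateway address must be the peer's external-interface address.
    for x, y, xn, yn in ((a, b, an, bn), (b, a, bn, an)):
        if x.get("address") != y.get("ext_addr"):
            errors.append(f"{xn} gateway {x.get('address')} != {yn} external {y.get('ext_addr')}")
    if a.get("psk") != b.get("psk"):
        errors.append("pre-shared keys differ")
    for phase in ("ike", "ipsec"):
        for k in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(k) != b[phase].get(k):
                errors.append(f"{phase} {k}: {an}={a[phase].get(k)} {bn}={b[phase].get(k)}")
    # Phase 2: proxy IDs must be exact mirrors; a mismatch shows up as
    # Phase 1 established but no IPsec SA.
    if (a.get("proxy_local"), a.get("proxy_remote")) != (b.get("proxy_remote"), b.get("proxy_local")):
        errors.append(f"proxy-identity mismatch: {an} {a.get('proxy_local')}/{a.get('proxy_remote')} "
                      f"vs {bn} {b.get('proxy_local')}/{b.get('proxy_remote')}")
    if bool(a.get("bind")) != bool(b.get("bind")):
        warnings.append("only one side binds the VPN to an st0 interface")
    for name, p in ((an, a), (bn, b)):
        weak = sorted(LEGACY & (set(p["ike"].values()) | set(p["ipsec"].values())))
        if weak:
            warnings.append(f"{name}: legacy algorithms {', '.join(weak)}")
    return errors, warnings


if __name__ == "__main__":
    hub, spoke = parse_peer(HUB_CFG), parse_peer(SPOKE_CFG)
    for kind, items in zip(("ERROR", "WARN"), check_pair(hub, spoke)):
        for msg in items:
            print(f"{kind}: {msg}")
    # Constructed fault: the spoke narrows its local proxy ID to /24.
    bad = parse_peer(SPOKE_CFG.replace("local 10.1.0.0/23", "local 10.1.0.0/24"))
    print("with /24 proxy-id:", check_pair(hub, bad)[0])
```

Run against the page's values the checker reports no errors and two warnings (one legacy-algorithm line per peer); the constructed `/24` variant produces a single proxy-identity error, which is the case the `show security ike security-associations` output alone would not explain.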