SRX

  • 1.  Full mesh VPN on Internet

    Posted 01-03-2014 10:53

    Hi,

    I just need a suggestion on how to handle this case:

    • 6 SRXes
    • Each of them has a standalone Internet connection
    • Each of them has a static IP

    There are 3 zones (VLANs) behind them. I just want to make a full mesh VPN to connect each subnet of each SRX to each subnet of each SRX. How do I handle it?

    I just need to know what to look for. I looked at Group VPN, but is "Understanding Group VPN Limitations - Public Internet-based deployment" still valid?

    So do I need a lot of standalone tunnels, one for each subnet whose traffic I want to pass through the VPN? That would be (if I calculated correctly) 6*3*6=108 tunnels.

    Regards,



  • 2.  RE: Full mesh VPN on Internet

    Posted 01-03-2014 11:38

    Hi

    Group VPN limitations still apply, so unless all your networks behind SRXs have public IPs, you can safely forget about group VPN.

    To do full mesh, the simplest setup will be to just create tunnels from every SRX to every SRX. So 6 SRXs, 5 tunnels on each, 5*6=30 tunnels. You do not need a tunnel for every network behind an SRX if you are doing route-based VPN (recommended approach). You will need to create a unit on the secure tunnel (st0) interface for every VPN tunnel, for example st0.0, st0.1, .., st0.5 - on every SRX, and bind the configured VPNs to these interfaces. Don't forget routes (static, or you can use OSPF for example). Also don't forget to put st0.x into a zone and write an appropriate security policy.

    You can do a hub-and-spoke topology as well, if you like. Then there will be fewer tunnels and all traffic will go through one site (hub).



  • 3.  RE: Full mesh VPN on Internet

    Posted 01-03-2014 12:11

    Hi,

    First of all, thanks for the reply. But to understand correctly:

    Group VPN - all networks behind the SRX have a private address scope, only the SRX itself has a public IP and does some NATs; then Group VPN is still not available for that case?

    Referring to the "st": currently I'm using "st" with units, and on each unit I configured the proxy-id for each subnet for IPsec (each pair). As far as I understand you, in this case the proxy-id is not needed and will be generated as needed?

    My current setup is not between SRXes (it's SRX to Mikrotik), but:

     

            route 192.168.3.0/24 {
                next-hop st0.3;
                retain;
            }
            route 192.168.4.0/24 {
                next-hop st0.4;
                retain;
            }
    ...
            proposal IPsec-IKE-Proposal-arkom {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
    ...
            policy IPsec-IKE-Policy-arkom {
                mode main;
                proposals IPsec-IKE-Proposal-arkom;
                pre-shared-key ascii-text [CUTTED]
            }
    ...
            gateway IPsec-IKE-Gateway-arkom {
                ike-policy IPsec-IKE-Policy-arkom;
                address x.x.x.x;
                external-interface lo0;
            }
    ...
            proposal IPsec-Proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy IPsec-Policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals IPsec-Proposal;
            }
    ...
            vpn ARKOM_2 {
                bind-interface st0.3;
                ike {
                    gateway IPsec-IKE-Gateway-arkom;
                    proxy-identity {
                        local 172.22.165.0/24;
                        remote 192.168.3.0/24;
                    }
                    ipsec-policy IPsec-Policy;
                }
                establish-tunnels immediately;
            }
            vpn ARKOM_3 {
                bind-interface st0.4;
                ike {
                    gateway IPsec-IKE-Gateway-arkom;
                    proxy-identity {
                        local 172.22.165.0/24;
                        remote 192.168.4.0/24;
                    }
                    ipsec-policy IPsec-Policy;
                }
                establish-tunnels immediately;
            }

    Can this be done as one unit, without proxy-id? If so, how? Of course, only if the other side is also an SRX 🙂

    Thanks in advance.



  • 4.  RE: Full mesh VPN on Internet
    Best Answer

    Posted 01-03-2014 13:11

    Hi

    Group VPN and NAT are just incompatible. This feature was not designed for "public internet deployments", as Cisco says, and that is true.

    You WILL need several (5) units on the st0 interface for every SRX in a full mesh scenario. Multipoint is not going to work, I believe.

    You do NOT need to mess with proxy-ids. Leave the default setting (all zeros). You will need just 1 tunnel for every pair of SRXs, so there's no way to confuse the tunnels and no need for specifying a custom proxy-id.

    Your config in general looks good.
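    As an added example (not from any post in this thread): a small Python generator that lays out the route-based full mesh recommended in replies 2 and 4 for the six-site case, giving each SRX one st0 unit per peer, no proxy-identity, a static route per remote LAN via that unit, and the zone and policy lines. The site names, public IPs, LAN subnets, external interface, zone names and policy names are constructed, and the IKE/IPsec policies ike-pol and ipsec-pol (plus the pre-shared key) are assumed to exist already.

```python
# Constructed inventory: the public IPs (TEST-NET-2) and LAN subnets are made-up sample values.
SITES = {
    "srx1": {"gw": "198.51.100.1", "lans": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]},
    "srx2": {"gw": "198.51.100.2", "lans": ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"]},
    "srx3": {"gw": "198.51.100.3", "lans": ["10.3.1.0/24", "10.3.2.0/24", "10.3.3.0/24"]},
    "srx4": {"gw": "198.51.100.4", "lans": ["10.4.1.0/24", "10.4.2.0/24", "10.4.3.0/24"]},
    "srx5": {"gw": "198.51.100.5", "lans": ["10.5.1.0/24", "10.5.2.0/24", "10.5.3.0/24"]},
    "srx6": {"gw": "198.51.100.6", "lans": ["10.6.1.0/24", "10.6.2.0/24", "10.6.3.0/24"]},
}

def tunnel_counts(sites):
    """Route-based mesh: one tunnel per SRX pair, regardless of how many LANs sit behind each."""
    n = len(sites)
    pairs = n * (n - 1) // 2
    return {"per_srx": n - 1, "pairs": pairs, "total_endpoints": 2 * pairs}

def site_plan(sites, name):
    """Give the named SRX one st0 unit per peer and one static route per remote LAN via that unit."""
    peers = sorted(p for p in sites if p != name)
    units = {f"st0.{i}": peer for i, peer in enumerate(peers)}
    routes = [(lan, unit) for unit, peer in units.items() for lan in sites[peer]["lans"]]
    return units, routes

def render_junos(sites, name, ext_if="ge-0/0/0.0"):
    """Junos set commands for one SRX. ike-pol / ipsec-pol are assumed to exist; no proxy-identity
    is set, so the default all-zeros identities apply and one tunnel carries every LAN pair."""
    units, routes = site_plan(sites, name)
    cfg = []
    for unit, peer in units.items():
        vpn, gw = f"vpn-{peer}", f"gw-{peer}"
        cfg += [
            f"set interfaces st0 unit {unit.split('.')[1]} family inet",
            f"set security ike gateway {gw} ike-policy ike-pol",
            f"set security ike gateway {gw} address {sites[peer]['gw']}",
            f"set security ike gateway {gw} external-interface {ext_if}",
            f"set security ipsec vpn {vpn} bind-interface {unit}",
            f"set security ipsec vpn {vpn} ike gateway {gw}",
            f"set security ipsec vpn {vpn} ike ipsec-policy ipsec-pol",
            f"set security ipsec vpn {vpn} establish-tunnels immediately",
            f"set security zones security-zone vpn interfaces {unit}",
        ]
    cfg += [f"set routing-options static route {lan} next-hop {unit}" for lan, unit in routes]
    # Permit traffic between the LAN zone and the st0 zone in both directions (assumed zone names).
    for src, dst in (("trust", "vpn"), ("vpn", "trust")):
        pol = f"set security policies from-zone {src} to-zone {dst} policy allow-mesh"
        cfg += [f"{pol} match source-address any destination-address any application any",
                f"{pol} then permit"]
    return cfg
```

    Calling render_junos(SITES, "srx1") yields the command set for one site; tunnel_counts(SITES) confirms the 5-per-SRX, 30-endpoint figure from reply 2.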



  • 5.  RE: Full mesh VPN on Internet

    Posted 01-03-2014 13:13

    Hi,

    Thank you for your reply.

    I'll try it in my lab between two SRXes.

    Regards,