SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security Zones for st0.x interfaces?

    Posted 10-25-2011 23:45

    Hello!

    I have a lot of SRX 240 and SRX 100 with Site-to-Site VPN between them, and I'd used the STS VPN Wizard at https://www.juniper.net/customers/support/configtools/vpnconfig.html

    Now, after updating to 11.2R2.4, I've found that the VPN wizard is now built in.

    So, I've tried to use it and got some misunderstanding with Security Zones for st0.x interfaces.

    The wizard on the support site makes a new security zone named %STS_Name% and binds the st0.x interface to it like this:

    ----

    Security zone: vpntoauto
    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Interfaces bound: 1
    Interfaces:
    st0.0 

    -----

    but the built-in wizard offers to add the st0.x interface only to the trust or untrust zone and makes this config:

    -----

    Security zone: trust
    Send reset for non-SYN session TCP packets: Off
    Policy configurable: Yes
    Interfaces bound: 2
    Interfaces:
    st0.1
    vlan.0

    ------- 

     

    Anyway, I have no paranoia and allow all traffic to pass between trust (internal network) and all other st0.x interfaces (branch sites).

     

    And I see three variants:

     

    1. make a new zone for each STS and bind the corresponding st0.x to it

    2. add all st0.x to trust

    3. make a new zone like STS_Zone and add all st0.x interfaces to it.

     

    what is the most correct way?

     

    thanks for advice!



  • 2.  RE: Security Zones for st0.x interfaces?

    Posted 10-26-2011 02:25

    You can add the Secure Tunnel interface directly to the zone which terminates the VPN, which in your case would be the Trust Zone, I think.

     

    The recommended best practice method, I think, is to create a new zone for the VPN. However, I don't see anything wrong with the first method.



  • 3.  RE: Security Zones for st0.x interfaces?

    Posted 10-26-2011 03:12

    MMcD @i-conX

    thanks for your post, but my question was about "most correct way".

    As you can see, all three variants are correct and any one of them can be made.



  • 4.  RE: Security Zones for st0.x interfaces?

    Posted 10-26-2011 04:13

     

    You can separate the VPN traffic into its own Security zone, which will allow you to create unique policies for VPN/Encrypted traffic. This is the recommended approach, but a new Zone for each STS is not incorrect; it just depends on what exactly you want to accomplish.

     

    I have used 2 in situations where I needed to allow simple FTP outbound to 3 remote VPN sites; I added the st0.x interfaces to the untrust interface, which was a very simple policy for a very simple configuration.



  • 5.  RE: Security Zones for st0.x interfaces?

    Posted 10-26-2011 04:20

    Well, as I understand it, there is no single piece of advice for all situations.

     

    thanks.

     

    I will use the third variant, I think.



  • 6.  RE: Security Zones for st0.x interfaces?

    Posted 10-26-2011 06:31

    The third is the method described in most of Juniper's documentation.



  • 7.  RE: Security Zones for st0.x interfaces?
    Best Answer

    Posted 10-29-2011 04:42

    As I see it:

     

    Option 1 may cause scaling issues down the track - the SRX240 only allows a total of 32 security zones, and the SRX100 only supports 10, so you would eventually run out of zones.

     

    Option 2 means you need to configure intra-zone (from trust to trust) policies in order to get traffic from the st0 interfaces to your LAN, which may allow spoke-to-spoke traffic if you're not careful.  It also means that you'll be stuck with the same screens and host-inbound-traffic settings for your LAN and remote offices which isn't always ideal.

     

    Option 3 is the best way in my opinion - you'll still need intra-zone policies for spoke-to-spoke traffic, but everything else is nice and clean (security policy, zone definitions etc.)

     

    As discussed though, there is no "proper" way, just different outcomes.
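
    Option 3 as the best answer lays it out, written as Junos set commands. This is an added example, not configuration from the thread or from Juniper: the zone name STS_Zone, the tunnel interfaces st0.1 and st0.2, the trust zone on vlan.0 and the 10.x.0.0/24 prefixes are all constructed, and it uses the zone-attached address-book syntax rather than the global address book.

```junos
## Added example for option 3 (not from the thread). Assumed names: STS_Zone, st0.1/st0.2,
## trust zone on vlan.0, and constructed RFC 1918 prefixes for the hub LAN and two spoke LANs.

## One zone for every tunnel interface: screens and host-inbound-traffic are configured once
## for all branches, independently of whatever the trust zone allows.
set security zones security-zone STS_Zone interfaces st0.1
set security zones security-zone STS_Zone interfaces st0.2
## Decrypted traffic arrives on st0.x; IKE terminates on the external interface, so ping for
## troubleshooting is the only service the tunnel zone needs to accept towards the SRX itself.
set security zones security-zone STS_Zone host-inbound-traffic system-services ping

## Zone-attached address books: source objects belong to the from-zone, destination objects
## to the to-zone of each policy.
set security zones security-zone trust address-book address HUB_LAN 10.0.0.0/24
set security zones security-zone STS_Zone address-book address SPOKE_A_LAN 10.1.0.0/24
set security zones security-zone STS_Zone address-book address SPOKE_B_LAN 10.2.0.0/24
set security zones security-zone STS_Zone address-book address-set SPOKE_LANS address SPOKE_A_LAN
set security zones security-zone STS_Zone address-book address-set SPOKE_LANS address SPOKE_B_LAN

## Hub LAN <-> branches: one policy pair covers every tunnel bound to STS_Zone, so a new spoke
## needs one st0.x binding and one address-set entry, not new policies (and no new zone).
set security policies from-zone trust to-zone STS_Zone policy hub-to-spokes match source-address HUB_LAN
set security policies from-zone trust to-zone STS_Zone policy hub-to-spokes match destination-address SPOKE_LANS
set security policies from-zone trust to-zone STS_Zone policy hub-to-spokes match application any
set security policies from-zone trust to-zone STS_Zone policy hub-to-spokes then permit
set security policies from-zone STS_Zone to-zone trust policy spokes-to-hub match source-address SPOKE_LANS
set security policies from-zone STS_Zone to-zone trust policy spokes-to-hub match destination-address HUB_LAN
set security policies from-zone STS_Zone to-zone trust policy spokes-to-hub match application any
set security policies from-zone STS_Zone to-zone trust policy spokes-to-hub then permit
set security policies from-zone STS_Zone to-zone trust policy spokes-to-hub then log session-close

## Spoke-to-spoke is intra-zone traffic. The SRX default policy denies it, so branches stay
## isolated from each other until a policy like this is added deliberately, per pair and per
## application; this is the spoke-to-spoke exposure the best answer warns about for option 2.
set security policies from-zone STS_Zone to-zone STS_Zone policy spoke-a-to-b match source-address SPOKE_A_LAN
set security policies from-zone STS_Zone to-zone STS_Zone policy spoke-a-to-b match destination-address SPOKE_B_LAN
set security policies from-zone STS_Zone to-zone STS_Zone policy spoke-a-to-b match application junos-ftp
set security policies from-zone STS_Zone to-zone STS_Zone policy spoke-a-to-b then permit
```

    After committing, `show security zones STS_Zone` should list both st0.x interfaces, and `show security policies from-zone STS_Zone to-zone STS_Zone` shows exactly which spoke pairs may talk to each other.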