09-06-2008 06:58 AM - edited 09-06-2008 07:16 AM
ScreenOS to JUNOS-Enhanced Services VPN configuration
Device NS-50, OS 5.4r4, VPN type: route-based
Device J4350, OS 8.5x, VPN type: L3 route-based IPsec VPN
JUNOS 8.5 Enhanced Services (hereafter referred to as JUNOS-ES) will use dynamic IKE to automatically generate keys and negotiate SAs. JUNOS-ES is very similar in configuration to ScreenOS. However, although the workflow is similar, the commands have changed.
ScreenOS side (NS-50):
1) Start by creating a tunnel interface.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.0.2.2/24
2) Create a Phase 1 IKE gateway.
set ike gateway gw-to-voyager address 192.168.20.2 Main outgoing-interface ethernet3 preshare netscreen sec-level standard
For this example, the IP address is the remote gateway's IP and the outgoing-interface is that of the WAN port.
3) Create a Phase 2 VPN referencing your Phase 1 gateway.
set vpn vpn-to-voyager gateway gw-to-voyager proposal g2-esp-aes128-sha
4) Bind the tunnel interface to your Phase 2 VPN
set vpn vpn-to-voyager bind interface tunnel.1
5) Set proxy-id on Phase 2 VPN (optional)
set vpn vpn-to-voyager proxy-id local-ip 10.2.0.0/24 remote-ip 10.1.0.0/24 any
Here you specify the local and remote networks involved in the VPN. At the end you can specify services as well; however, in this example we chose ANY service for simplicity.
6) Create address book entries for resources
set address Trust 10.2.0.0/24 10.2.0.0 255.255.255.0
set address Untrust 10.1.0.0/24 10.1.0.0 255.255.255.0
7) Create outbound/inbound policies for connectivity.
set policy from untrust to trust 10.1.0.0/24 10.2.0.0/24 any permit
set policy from trust to untrust 10.2.0.0/24 10.1.0.0/24 any permit
No NAT is used in this example. IPSEC will tunnel the private IP address across publicly addressed space.
8) Finish by setting a static route for the destination network(s) pointing towards the tunnel interface.
set route 10.1.0.0/24 interface tunnel.1
JUNOS-ES side (J4350):
1) Allow IKE traffic on the inbound VPN physical interface.
set security zones security-zone untrust interfaces t1-1/0/0.0 host-inbound-traffic system-services ike
Unlike ScreenOS, JUNOS-ES requires you to allow IKE traffic to the physical inbound port of your VPN; otherwise the SA will not be established.
2) Next, create a secure-tunnel interface and associate this with a Security zone. Best practice is to create a new security zone for the VPN.
set interfaces st0 description "Tunnel Int to Site A"
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0
Tunnel interfaces in JUNOS-ES are called Secure-Tunnel and have a default MTU of 9192. In this example, no IP address is given to the tunnel interface which makes it "unnumbered."
3) Create a Phase 1 IKE proposal list. (optional)
set security ike proposal to-NS-ike authentication-method pre-shared-keys
set security ike proposal to-NS-ike dh-group group2
set security ike proposal to-NS-ike authentication-algorithm sha1
set security ike proposal to-NS-ike encryption-algorithm aes-128-cbc
This example shows the creation of a single proposal list called "to-NS-ike" with specifics like pre-shared keys, Diffie-Hellman, SHA-1 and AES-128 encryption. This proposal should match the one specified on the NetScreen platform.
In JUNOS-ES, VPN, zones and other "NetScreen-esque" features are all located under the [Edit Security] hierarchy.
4) Next, create a Phase 1 IKE policy referencing your proposal choice(s).
set security ike policy pre-share mode main
set security ike policy pre-share proposal-set standard
set security ike policy pre-share pre-shared-key ascii-text netscreen
Proposal-set options include: Basic, Compatible and Standard.
5) Create a Phase 1 IKE Gateway.
set security ike gateway to-NS-gw ike-policy pre-share
set security ike gateway to-NS-gw address 192.168.21.2
set security ike gateway to-NS-gw external-interface t1-1/0/0.0
This gateway references your pre-share ike-policy, the remote gateway address and the outbound physical interface. Since the secure-tunnel interface we created in the beginning was unnumbered, the local-interface set here will give the source IP to the VPN just as in ScreenOS.
By default, JUNOS-ES has NAT traversal enabled. If you want this turned off, use the command: set security ike gateway gw-name no-nat-traversal
6) Create a Phase 2 IPSEC proposal list. (optional)
set security ipsec proposal to-NS-proposal1 protocol esp
set security ipsec proposal to-NS-proposal1 authentication-algorithm hmac-sha1-96
set security ipsec proposal to-NS-proposal1 encryption-algorithm aes-128-cbc
One Phase 2 IPSEC proposal list was created here called "to-NS-proposal1." Multiple lists can be created here and referenced within your IPSEC policy.
7) Then create a Phase 2 IPSEC policy referencing your IPSEC proposal choice(s).
set security ipsec policy to-NS-pol1 proposal-set standard
8) Create a Phase 2 IPSEC VPN.
set security ipsec vpn vpn-to-NS ike gateway to-NS-gw
set security ipsec vpn vpn-to-NS ike proxy-identity local 10.1.0.0/24
set security ipsec vpn vpn-to-NS ike proxy-identity remote 10.2.0.0/24
(the two proxy-identity lines are optional)
set security ipsec vpn vpn-to-NS ike ipsec-policy to-NS-pol1
set security ipsec vpn vpn-to-NS establish-tunnels immediately
VPN monitoring can also be set up here if required. VPN monitor acts just as it does in ScreenOS.
9) Bind the secure-tunnel interface to the VPN.
set security ipsec vpn vpn-to-NS bind-interface st0.0
Make sure you specify the exact unit number for the interface. For example, specifying only the interface st0 will not work; you need to specify st0.0.
10) Create address book entries in each zone for use in the security policies.
set security zones security-zone VPN address-book address net10-2-0-0--24 10.2.0.0/24
set security zones security-zone trust address-book address net10-1-0-0--24 10.1.0.0/24
Setting address book entries is different from ScreenOS. An address or address-set (aka group) name must be a string beginning with a letter and consisting of letters, numbers, dashes and underscores. Currently other symbols are not supported.
11) Create inbound/outbound policies for connectivity.
set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets match source-address net10-2-0-0--24
set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets match destination-address net10-1-0-0--24
set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets match application any
set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets then permit
set security policies from-zone trust to-zone VPN policy Out-to-WAN match source-address net10-1-0-0--24
set security policies from-zone trust to-zone VPN policy Out-to-WAN match destination-address net10-2-0-0--24
set security policies from-zone trust to-zone VPN policy Out-to-WAN match application any
set security policies from-zone trust to-zone VPN policy Out-to-WAN then permit
Like JUNOS routing policies, JUNOS-ES has a default security policy that can be edited under the [Edit Security Policies] hierarchy. By default it is set to deny all traffic.
12) Set route for destination network with next-hop of secure-tunnel interface.
set routing-options static route 10.2.0.0/24 next-hop st0.0
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
09-06-2008 02:10 PM
Good post Raheel, very useful.
If you Private Message AC admin then they can add it as a Sticky thread to keep it at the top.
10-06-2008 11:25 PM
Incidentally, we have some application notes which show a similar scenario on the Juniper KB.
Check out these useful links.