ScreenOS Firewalls (NOT SRX)
Distinguished Expert
Raheel
Posts: 414
Registered: ‎06-18-2008

ScreenOS to JUNOS-Enhanced Services VPN configuration


Device NS-50, OS 5.4r4, VPN type: route-based

Device J4350, OS 8.5x, VPN type: L3 route-based IPsec VPN


JUNOS 8.5 Enhanced Services (hereafter referred to as JUNOS-ES) will use dynamic IKE to automatically generate keys and negotiate SAs. JUNOS-ES is very similar in configuration to ScreenOS. However, although the workflow is similar, the commands have changed.

ScreenOS Config

1) Start by creating a tunnel interface.

set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.0.2.2/24

2) Create a Phase 1 IKE gateway.

set ike gateway gw-to-voyager address 192.168.20.2 Main outgoing-interface ethernet3 preshare netscreen sec-level standard

For this example, the IP address is the remote gateway's IP and the outgoing-interface is that of the WAN port.

3) Create a Phase 2 VPN referencing your Phase 1 gateway.

set vpn vpn-to-voyager gateway gw-to-voyager proposal g2-esp-aes128-sha

4) Bind the tunnel interface to your Phase 2 VPN.

set vpn vpn-to-voyager bind interface tunnel.1

5) Set proxy-id on Phase 2 VPN (optional)

set vpn vpn-to-voyager proxy-id local-ip 10.2.0.0/24 remote-ip 10.1.0.0/24 any

Here you specify the local and remote networks involved in the VPN. At the end you can specify services as well; however, in this example we chose ANY service for simplicity.

6) Create address book entries for resources.

set address Trust 10.2.0.0/24 10.2.0.0 255.255.255.0
set address Untrust 10.1.0.0/24 10.1.0.0 255.255.255.0

7) Create outbound/inbound policies for connectivity.

set policy from untrust to trust 10.1.0.0/24 10.2.0.0/24 any permit
set policy from trust to untrust 10.2.0.0/24 10.1.0.0/24 any permit

Useful Information

No NAT is used in this example. IPSEC will tunnel the private IP address across publicly addressed space.

8) Finish by setting a static route for the destination network(s) pointing towards the tunnel interface.

set route 10.1.0.0/24 int tunnel.1

JUNOS-ES Config

1) Allow IKE traffic on inbound VPN physical interface.

set security zones security-zone untrust interfaces t1-1/0/0.0 host-inbound-traffic system-services ike

Warning

Unlike ScreenOS, JUNOS-ES requires you to allow IKE traffic on the physical inbound port of your VPN; otherwise the SA will not be established.

2) Next, create a secure-tunnel interface and associate it with a security zone. Best practice is to create a new security zone for the VPN.

set interfaces st0 description "Tunnel Int to Site A"
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0

Tunnel interfaces in JUNOS-ES are called Secure-Tunnel and have a default MTU of 9192. In this example, no IP address is given to the tunnel interface which makes it "unnumbered."

3) Create a Phase 1 IKE proposal list. (optional)

set security ike proposal to-NS-ike authentication-method pre-shared-keys
set security ike proposal to-NS-ike dh-group group2
set security ike proposal to-NS-ike authentication-algorithm sha1
set security ike proposal to-NS-ike encryption-algorithm aes-128-cbc

This example shows the creation of a single proposal list called "to-NS-ike" with specifics like pre-shared keys, Diffie-Hellman group, SHA-1 and AES 128-bit encryption. This proposal should match the one specified on the NetScreen platform.

Useful Information

In JUNOS-ES, VPN, zones and other "NetScreen-esque" features are all located under the [Edit Security] hierarchy.

4) Next, create a Phase 1 IKE policy referencing your proposal choice(s).

set security ike policy pre-share mode main
set security ike policy pre-share proposal-set standard
set security ike policy pre-share pre-shared-key ascii-text netscreen

Proposal-set options include: Basic, Compatible and Standard.

5) Create a Phase 1 IKE Gateway.

set security ike gateway to-NS-gw ike-policy pre-share
set security ike gateway to-NS-gw address 192.168.21.2
set security ike gateway to-NS-gw external-interface t1-1/0/0.0

This gateway references your pre-share ike-policy, the remote gateway address and the outbound physical interface. Since the secure-tunnel interface we created in the beginning was unnumbered, the local-interface set here will give the source IP to the VPN just as in ScreenOS.

Be Careful

By default, JUNOS-ES has NAT traversal enabled. If you want this turned off, use the command: set security ike gateway gw-name no-nat-traversal

6) Create a Phase 2 IPSEC proposal list. (optional)

set security ipsec proposal to-NS-proposal1 protocol esp
set security ipsec proposal to-NS-proposal1 authentication-algorithm hmac-sha1-96
set security ipsec proposal to-NS-proposal1 encryption-algorithm aes-128-cbc

One Phase 2 IPSEC proposal list was created here called "to-NS-proposal1." Multiple lists can be created here and referenced within your IPSEC policy.

7) Then create a Phase 2 IPSEC policy referencing your IPSEC proposal choice(s).

set security ipsec policy to-NS-pol1 proposal-set standard

8) Create a Phase 2 IPSEC VPN.

set security ipsec vpn vpn-to-NS ike gateway to-NS-gw
set security ipsec vpn vpn-to-NS ike proxy-identity local 10.1.0.0/24
set security ipsec vpn vpn-to-NS ike proxy-identity remote 10.2.0.0/24
set security ipsec vpn vpn-to-NS ike ipsec-policy to-NS-pol1
set security ipsec vpn vpn-to-NS establish-tunnels immediately

The two proxy-identity lines are optional.

VPN Monitoring can also be set up here if required. VPN monitor acts just as it does in ScreenOS.

9) Bind the secure-tunnel interface to the VPN.

set security ipsec vpn vpn-to-NS bind-interface st0.0

Be Careful

Make sure you specify the exact unit number for the interface. For example, specifying only st0 will not work; you need to specify st0.0.

10) Create address book entries in each zone for use in the security policies.

set security zones security-zone VPN address-book address net10-2-0-0--24 10.2.0.0/24
set security zones security-zone trust address-book address net10-1-0-0--24 10.1.0.0/24

Useful Information

Setting address book entries is different from ScreenOS. An address or address-set (aka group) name must be a string beginning with a letter and consisting of letters, numbers, dashes and underscores. Currently other symbols are not supported.

11) Create inbound/outbound policies for connectivity.

set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets match source-address net10-2-0-0--24
set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets match destination-address net10-1-0-0--24
set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets match application any
set security policies from-zone VPN to-zone trust policy Allow-from-WAN-pc-nets then permit
set security policies from-zone trust to-zone VPN policy Out-to-WAN match source-address net10-1-0-0--24
set security policies from-zone trust to-zone VPN policy Out-to-WAN match destination-address net10-2-0-0--24
set security policies from-zone trust to-zone VPN policy Out-to-WAN match application any
set security policies from-zone trust to-zone VPN policy Out-to-WAN then permit

Useful Information

Like JUNOS routing policies, JUNOS-ES has a default security policy that can be edited under the [Edit Security Policies] hierarchy. By default it is set to deny all traffic.

12) Set route for destination network with next-hop of secure-tunnel interface.

set routing-options static route 10.2.0.0/24 next-hop st0.0

thanks,

Raheel Anwar

Message Edited by Raheel on 09-06-2008 07:16 AM
Follow me on Twitter @anwar_raheel

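The post above lists both ends of the tunnel by hand, and most of the things that go wrong in a ScreenOS to JUNOS-ES migration are simple mismatches between the two lists. The script below is an added example (not code from the post or from Juniper) that reads the two sets of "set ..." commands and reports the inconsistencies that leave the SA un-negotiated or tunnel traffic silently dropped: Phase 1 parameters that differ between sides, Phase 2 proxy-IDs that are not mirror images, a static-route next-hop that is not the st0 unit bound to the VPN, and an st0 zone that no security policy references. It goes beyond the post by checking any pair of configs in this shape, not just the one shown. The embedded sample configs are constructed from the post's values with a placeholder pre-shared key; the SCREENOS_P1 table (ScreenOS proposal name to JUNOS parameters), the function names and the regexes are all my own assumptions.

```python
"""Consistency checks for a ScreenOS <-> JUNOS-ES route-based VPN pair.

Added example (not from the forum post or from Juniper). It reads the
"set ..." lines of both sides and flags mismatches that leave Phase 1 or
Phase 2 un-negotiated or tunnel traffic silently dropped. SCREENOS_P1 is
an assumption that decodes only the predefined proposal names used here.
"""
import re

# ScreenOS predefined Phase 1 proposal name -> (dh-group, auth, enc) in JUNOS spelling.
SCREENOS_P1 = {
    "pre-g2-aes128-sha": ("group2", "sha1", "aes-128-cbc"),
    "pre-g2-3des-sha": ("group2", "sha1", "3des-cbc"),
}

def parse_screenos(lines):
    """Pull the Phase 1 proposal and the Phase 2 proxy-id from ScreenOS set commands."""
    cfg = {"p1": None, "local": None, "remote": None}
    for line in lines:
        m = re.search(r"^set ike gateway \S+ .* proposal (\S+)", line)
        if m:
            cfg["p1"] = SCREENOS_P1.get(m.group(1))
        m = re.search(r"^set vpn \S+ proxy-id local-ip (\S+) remote-ip (\S+)", line)
        if m:
            cfg["local"], cfg["remote"] = m.groups()
    return cfg

def parse_junos(lines):
    """Pull the same facts, plus zone and route data, from JUNOS-ES set commands."""
    cfg = {"dh": None, "auth": None, "enc": None, "local": None, "remote": None,
           "bind": None, "nexthop": None, "zones": {}, "policy_zones": set()}
    scalar = {
        "dh": r"^set security ike proposal \S+ dh-group (\S+)",
        "auth": r"^set security ike proposal \S+ authentication-algorithm (\S+)",
        "enc": r"^set security ike proposal \S+ encryption-algorithm (\S+)",
        "local": r"^set security ipsec vpn \S+ ike proxy-identity local (\S+)",
        "remote": r"^set security ipsec vpn \S+ ike proxy-identity remote (\S+)",
        "bind": r"^set security ipsec vpn \S+ bind-interface (\S+)",
        "nexthop": r"^set routing-options static route \S+ next-hop (\S+)",
    }
    for line in lines:
        for key, pat in scalar.items():
            m = re.search(pat, line)
            if m:
                cfg[key] = m.group(1)
        m = re.search(r"^set security zones security-zone (\S+) interfaces (\S+)", line)
        if m:
            cfg["zones"][m.group(2)] = m.group(1)  # interface -> zone
        m = re.search(r"^set security policies from-zone (\S+) to-zone (\S+)", line)
        if m:
            cfg["policy_zones"].update(m.groups())
    return cfg

def check_pair(screenos_lines, junos_lines):
    """Return human-readable findings; an empty list means the pair is consistent."""
    ns, j = parse_screenos(screenos_lines), parse_junos(junos_lines)
    j_p1 = (j["dh"], j["auth"], j["enc"])
    findings = []
    if ns["p1"] != j_p1:
        findings.append(f"phase1 mismatch: ScreenOS {ns['p1']} vs JUNOS {j_p1}")
    if (ns["local"], ns["remote"]) != (j["remote"], j["local"]):
        findings.append("phase2 proxy-ids are not mirror images of each other")
    if j["bind"] != j["nexthop"]:
        findings.append(f"route next-hop {j['nexthop']} is not the bound interface {j['bind']}")
    zone = j["zones"].get(j["bind"])
    if zone and zone not in j["policy_zones"]:
        findings.append(f"no security policy references zone {zone} holding {j['bind']}")
    return findings

# Constructed sample configs modelled on the post; the pre-shared key is a placeholder.
SCREENOS = """
set interface tunnel.1 zone untrust
set ike gateway gw-to-voyager address 192.168.20.2 Main outgoing-interface ethernet3 preshare EXAMPLE-PSK proposal pre-g2-aes128-sha
set vpn vpn-to-voyager gateway gw-to-voyager proposal g2-esp-aes128-sha
set vpn vpn-to-voyager bind interface tunnel.1
set vpn vpn-to-voyager proxy-id local-ip 10.2.0.0/24 remote-ip 10.1.0.0/24 any
""".splitlines()

JUNOS_OK = """
set security zones security-zone VPN interfaces st0.0
set security ike proposal to-NS-ike dh-group group2
set security ike proposal to-NS-ike authentication-algorithm sha1
set security ike proposal to-NS-ike encryption-algorithm aes-128-cbc
set security ipsec vpn vpn-to-NS ike proxy-identity local 10.1.0.0/24
set security ipsec vpn vpn-to-NS ike proxy-identity remote 10.2.0.0/24
set security ipsec vpn vpn-to-NS bind-interface st0.0
set security policies from-zone VPN to-zone trust policy Allow-from-VPN match source-address net10-2-0-0--24
set security policies from-zone trust to-zone VPN policy Out-to-VPN match destination-address net10-2-0-0--24
set routing-options static route 10.2.0.0/24 next-hop st0.0
"""
# Same config with two slips: policies written against untrust although st0.0
# sits in zone VPN, and the static route pointing at st0 instead of st0.0.
JUNOS_BAD = (JUNOS_OK.replace("from-zone VPN", "from-zone untrust")
             .replace("to-zone VPN", "to-zone untrust")
             .replace("next-hop st0.0", "next-hop st0")).splitlines()
JUNOS_OK = JUNOS_OK.splitlines()
```

To use it on real devices, feed check_pair the output of "get config" from the NetScreen and "show configuration | display set" from the J-series, one line per list element; an empty result means the four checks passed, anything else is a finding to fix before chasing IKE debug output. The JUNOS_BAD sample reproduces two easy slips (policies in the wrong zone, route next-hop without the unit number) so you can see what a finding looks like.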
Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008

Re: ScreenOS to JUNOS-Enhanced Services VPN configuration

Good post Raheel, very useful.

If you Private Message AC admin then they can add it as a Sticky thread to keep it at the top.

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Contributor
JUNOS_damon
Posts: 18
Registered: ‎10-06-2008

Re: ScreenOS to JUNOS-Enhanced Services VPN configuration

Outstanding, easy to follow! I hope JUNOS + ES solves a lot of the problems with enterprise networking today!

-damon

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: ScreenOS to JUNOS-Enhanced Services VPN configuration

Incidentally, we have some application notes which show a similar scenario on the Juniper KB.

Check out these useful links.

Application Notes for JUNOS with Enhanced Services

JUNOS with Enhanced Services VPN Troubleshooting Resolution Guides

-Richard

Visitor
Intelligent
Posts: 5
Registered: ‎08-25-2008

Re: ScreenOS to JUNOS-Enhanced Services VPN configuration

gr8 help Raheel and Richard.

keep it up.

sapna

Contributor
nhnam
Posts: 10
Registered: ‎03-06-2008

GRE over IPSec Junos-ES

Anyone who knows how to configure GRE over IPSec on Junos-ES, please help me.

Thanks a lot

Contributor
haas
Posts: 110
Registered: ‎06-27-2008

Re: ScreenOS to JUNOS-Enhanced Services VPN configuration

Very nice! Thank you for sharing!

Jason J. Wald
Juniper Networks Certified
Internet Associate - FWV
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.