Junos Cup 2014

Tournament 4: Australia Challenge & Solution: SRX IPSEC VPN #2

‎07-03-2014 07:15 AM

Country Flag: AUSTRALIA

 

Author: Xingxin Chen

 

Title: SRX IPSEC VPN #2

 

Type: Security

 

Difficulty: High (2 points)

 

Technical Description: Fix the following configuration so PC1 and PC2 can ping each other, making sure that the traffic goes through the IPSEC VPN tunnel.

 

Topology:

 

(Figure: Australia-Topology)

 

Challenge Instructions:

For this challenge, you need to start the topology called: “AUSTRALIA – IPSEC VPN #2”

 

For security reasons, PC1 and PC2 are required to communicate through an IPSEC VPN tunnel. The basic configuration is done, but the VPN tunnel still does not come up.

 

During this challenge, let the following command run from PC1:

User@PC1> ping 10.10.20.1

PING 10.10.20.1 (10.10.20.1): 56 data bytes

/* No reply */

 

Fix the tunnel by adding configurations only on the SRX-1, SRX-2, and SRX-3 devices under the following conditions:

- Traffic from PC1 to PC2 must go through the IPSEC VPN tunnel.

- You are not allowed to create more VPN tunnels.

- The only allowed commands in configuration mode are edit, set, commit and quit.

- You are not allowed to use the value “any” in security policies.

 

NOTE: If you see a license error upon commit (JNX_LICENSE_TMP), you can safely ignore it.

 

To solve this challenge, submit the set commands issued at SRX-1, SRX-2, and SRX-3.

 

NOTE: If you have issues connecting to the Junosphere topology, please check the Junosphere technical documentation or request assistance in the Junosphere forum.

 

This challenge already reached its deadline.

 

 

OFFICIAL SOLUTION:

SRX-1 delta config:

 

set security ike gateway ike-gw local-identity hostname SRX-1

set security ike gateway ike-gw remote-identity hostname SRX-3

 

SRX-2 delta config:

 

set security policies from-zone trust to-zone untrust policy permit-vpn match application junos-ike-nat

 

SRX-3 delta config:

 

set security ike gateway ike-gw local-identity hostname SRX-3

set security ike gateway ike-gw remote-identity hostname SRX-1
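As an added example (not part of the challenge or the official solution), the checker below verifies in Python the two conditions the solution corrects: the IKE identities on SRX-1 and SRX-3 must mirror each other and should be hostnames rather than addresses when translation sits on the path (which the need for junos-ike-nat suggests), and the transit policy on SRX-2 must permit junos-ike-nat (UDP 4500) alongside junos-ike (UDP 500). The SRX-2 baseline lines and the trust/untrust zone pair are assumptions, since the challenge's base configuration is not shown.

```python
REQUIRED_APPS = {"junos-ike", "junos-ike-nat"}  # IKE on UDP/500 and NAT-T on UDP/4500

def parse_set(text):
    """Turn Junos 'set ...' lines into token lists (the leading 'set' dropped)."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]

def ike_identities(tokens):
    """{gateway: {'local-identity': (type, value), 'remote-identity': (type, value)}}"""
    ids = {}
    for t in tokens:
        if t[:3] == ["security", "ike", "gateway"] and len(t) >= 7 and t[4] in ("local-identity", "remote-identity"):
            ids.setdefault(t[3], {})[t[4]] = (t[5], t[6])
    return ids

def check_peer_identities(cfg_a, cfg_b, gateway):
    """Findings if the two ends' identities are not mirror images, or are address-based."""
    a = ike_identities(parse_set(cfg_a)).get(gateway, {})
    b = ike_identities(parse_set(cfg_b)).get(gateway, {})
    findings = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        if me.get("local-identity") != peer.get("remote-identity"):
            findings.append(f"{tag}: local-identity does not mirror the peer's remote-identity")
        if me.get("local-identity", ("", ""))[0] == "inet":
            findings.append(f"{tag}: an address identity is rewritten by NAT on the path")
    return findings

def permitted_apps(tokens, from_zone, to_zone):
    """Applications permitted between a zone pair (match application + then permit)."""
    prefix = ["security", "policies", "from-zone", from_zone, "to-zone", to_zone, "policy"]
    match, permit = {}, set()
    for t in (x for x in tokens if x[:7] == prefix):
        if t[8:10] == ["match", "application"] and len(t) > 10:
            match.setdefault(t[7], set()).add(t[10])
        elif t[8:10] == ["then", "permit"]:
            permit.add(t[7])
    return set().union(*(apps for name, apps in match.items() if name in permit))

def missing_transit_apps(cfg, from_zone="trust", to_zone="untrust"):
    """IKE applications the transit firewall still blocks for the given zone pair."""
    return REQUIRED_APPS - permitted_apps(parse_set(cfg), from_zone, to_zone)

# Constructed sample input: the official delta lines plus hypothetical SRX-2 baseline lines.
SRX1 = """set security ike gateway ike-gw local-identity hostname SRX-1
set security ike gateway ike-gw remote-identity hostname SRX-3"""
SRX3 = """set security ike gateway ike-gw local-identity hostname SRX-3
set security ike gateway ike-gw remote-identity hostname SRX-1"""
SRX2_BEFORE = """set security policies from-zone trust to-zone untrust policy permit-vpn match application junos-ike
set security policies from-zone trust to-zone untrust policy permit-vpn then permit"""
SRX2_AFTER = SRX2_BEFORE + "\nset security policies from-zone trust to-zone untrust policy permit-vpn match application junos-ike-nat"
```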

 

 

Julie Wider
Advocacy Manager
Twitter: @JNetCommunity & @jawider