SRX Services Gateway

Multiple VPN on multiples VR

03-09-2015 07:59 AM

Hello,

 

First of all, please note that I'm quite new to Juniper, so I will be grateful if you could give as many details as possible in your answers.

 

So here is my test environment:

 

I have an SRX100 connected to an SRX210. I have 2 VRs on each SRX; you have to think of it as 2 separate services that are sharing the SRX but don't want to know each other. The goal is to set up 2 IPsec tunnels:

- a tunnel between TEST20 and DMZ120

- a tunnel between TEST30 and DMZ130

 

Diagram: diagram.jpg (attached image)

I'm facing an issue where only one IKE session is UP and one tunnel is active.

The current status of my investigations:

I'm using 2 different IKE configs in order to use different pre-shared keys for my different services.

I get only one IKE security association and one active IPsec tunnel.

root@SRX210> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3013755 UP     2640d457487fa293  17ca18ec091d99c8  IKEv2          57.0.2.1

root@SRX210> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:3des/sha1 a62a18c5 3592/ unlim   -   root 500   57.0.2.1
  >131074 ESP:3des/sha1 345f8c81 3592/ unlim   -   root 500   57.0.2.1

 

I tried to use the same IKE and gateway config, just to isolate the problem, but I don't like this because both tunnels use the same IKE pre-shared key and I suppose that I should avoid that, right?

Now, both tunnels are active:

[edit]
root@SRX110# set security ipsec vpn VPN-3 ike gateway GW-2

[edit]
root@SRX110# commit
commit complete

[edit]
root@SRX110#

root@SRX210> edit
Entering configuration mode

[edit]
root@SRX210# set security ipsec vpn VPN-3 ike gateway GW-2

[edit]
root@SRX210# commit
commit complete

[edit]
root@SRX210# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3013774 UP     691da38942a2cd84  095525e2ab82edb7  IKEv2          57.0.2.1

[edit]
root@SRX210# run show security ipsec security-associations
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 1d4c0e9  3538/ unlim   -   root 500   57.0.2.1
  >131073 ESP:3des/sha1 b1f5bce  3538/ unlim   -   root 500   57.0.2.1
  <131074 ESP:3des/sha1 dc763626 3578/ unlim   -   root 500   57.0.2.1
  >131074 ESP:3des/sha1 f1a71168 3578/ unlim   -   root 500   57.0.2.1

 

Could you please advise me:

Am I missing something in the configs in the attachment?

Is it possible to create 2 IKE sessions between the same peers?

Does it seem right to you that I want to use different pre-shared keys, or is it nonsense?

Any remarks and recommendations would be greatly appreciated!

Regards,

Narus.

 


Re: Multiple VPN on multiples VR

03-10-2015 07:33 AM

You should be able to use a single gateway, then define separate VPNs that both use the same gateway.  The best way to enforce different zones would be to use interface-based VPNs, and assign those interfaces to the different zones.

 

Something like:

set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set security zones security-zone left-zone interfaces st0.1
set security zones security-zone right-zone interfaces st0.2
set security ike gateway remote-gateway address $WHATEVER
set security ipsec vpn left-vpn ike gateway remote-gateway
set security ipsec vpn left-vpn bind-interface st0.1
set security ipsec vpn right-vpn ike gateway remote-gateway
set security ipsec vpn right-vpn bind-interface st0.2
set security zones security-zone left-zone address-book address left-network $LEFTNETWORK
set security zones security-zone right-zone address-book address right-network $RIGHTNETWORK
set routing-options static route $LEFTNETWORK next-hop st0.1
set routing-options static route $RIGHTNETWORK next-hop st0.2

...etc


Re: Multiple VPN on multiples VR

03-11-2015 02:01 AM

Hello mackdav,

 

Thank you for your input.

 

If I use the same gateway "remote-gateway", it's working: both tunnels are UP. But remote-gateway refers to an ike-policy where I define the pre-shared key. So both tunnels will use the same pre-shared key, right?

Is it secure?

 


Re: Multiple VPN on multiples VR

12-29-2015 10:56 AM

Hi,

Did anyone configure IPsec VPN between SRX and MX?

 

Regards

Habib