
Juniper SRX - How to configure a policy based VPN

Below are the steps and commands needed to create a policy based VPN on a Juniper SRX series gateway.
The main difference with a policy based VPN is that the tunnel action is defined within each security policy (the `then permit tunnel ipsec-vpn` action shown later), rather than the VPN being configured separately from the policy.

Note : For troubleshooting steps please see here

This VPN is configured with the following:

Remote Endpoint : 172.16.200.0/24
Local Endpoint  : 172.16.100.0/24
Phase 1         : AES-256, SHA1, DH2
Phase 2         : ESP, SHA1, AES-256

Configure Proposals

set security ike proposal IKE-DH2-AES256-SHA1 authentication-method pre-shared-keys
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike proposal IKE-DH2-AES256-SHA1 authentication-algorithm sha1
set security ike proposal IKE-DH2-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ike proposal IKE-DH2-AES256-SHA1 lifetime-seconds 86400

set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec proposal IPSEC-ESP-AES256-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-ESP-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-ESP-AES256-SHA1 lifetime-seconds 3600

Phase 1

set security ike policy IKE-POLICY-SITEA mode main
set security ike policy IKE-POLICY-SITEA proposals IKE-DH2-AES256-SHA1
set security ike policy IKE-POLICY-SITEA pre-shared-key ascii-text <PRESHARED KEY>

set security ike gateway IKE-PEER-SITEA ike-policy IKE-POLICY-SITEA
set security ike gateway IKE-PEER-SITEA address <PEER IP>
set security ike gateway IKE-PEER-SITEA external-interface fe-0/0/0.0

Phase 2

set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1

set security ipsec vpn VPN-SITEA ike gateway IKE-PEER-SITEA
set security ipsec vpn VPN-SITEA ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-SITEA establish-tunnels immediately

Security Policy

set security zones security-zone untrust address-book address 172.16.200.0/24 172.16.200.0/24
set security zones security-zone trust address-book address 172.16.100.0/24 172.16.100.0/24

set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match source-address 172.16.100.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match destination-address 172.16.200.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match application any
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn then permit tunnel ipsec-vpn VPN-SITEA
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match source-address 172.16.200.0/24
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match destination-address 172.16.100.0/24
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then permit tunnel ipsec-vpn VPN-SITEA

NAT Exempt

To ensure that traffic is not NATed before it enters the VPN, a NAT exempt rule is configured. Source NAT rules are evaluated in order and the first match wins, so depending on what NAT you already have configured you may need to position this rule at the top of your source NAT rule base.

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nonat match source-address 172.16.100.0/24
set security nat source rule-set trust-to-untrust rule nonat match destination-address 172.16.200.0/24
set security nat source rule-set trust-to-untrust rule nonat then source-nat off
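As an added example that is not part of the original article, the following Python checker (hypothetical, not Junos tooling) reads the Security Policy and NAT Exempt stanzas in `set` form and confirms two things a policy based VPN depends on: every address a tunnel policy matches on is a name that exists in an address book, and a `source-nat off` rule covers the same prefixes for that zone pair. It assumes one address per policy match field and zone-based source NAT rule-sets; its sample configuration is constructed.

```python
# Hypothetical cross-reference checker (not Junos tooling) for a policy-based VPN in 'set' form;
# assumes one address per policy match field. Constructed sample with one slip to catch: the
# untrust address-book entry is named "/16" while the security policy references "/24".
SAMPLE_CONFIG = """
set security zones security-zone untrust address-book address 172.16.200.0/16 172.16.200.0/24
set security zones security-zone trust address-book address 172.16.100.0/24 172.16.100.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match source-address 172.16.100.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match destination-address 172.16.200.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn then permit tunnel ipsec-vpn VPN-SITEA
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nonat match source-address 172.16.100.0/24
set security nat source rule-set trust-to-untrust rule nonat match destination-address 172.16.200.0/24
set security nat source rule-set trust-to-untrust rule nonat then source-nat off
"""
KEYS = ("source-address", "destination-address")

def _index(text):
    """Bucket 'set security ...' lines into per-stanza lookup tables keyed by object name."""
    cfg = {"addr": {}, "policy": {}, "nat": {}}
    for t in (line.split() for line in text.splitlines() if line.startswith("set security")):
        if t[2:3] == ["zones"] and t[5:7] == ["address-book", "address"]:
            cfg["addr"][t[7]] = t[8]                               # book name -> prefix
        elif t[2:4] == ["policies", "from-zone"]:
            p = cfg["policy"].setdefault(t[8], {"zones": (t[4], t[6])})
            if t[9:10] == ["match"]: p[t[10]] = t[11]              # source/destination-address, application
            elif "ipsec-vpn" in t: p["vpn"] = t[-1]                # then permit tunnel ipsec-vpn X
        elif t[2:5] == ["nat", "source", "rule-set"]:
            rs = cfg["nat"].setdefault(t[5], {"rules": {}})
            if len(t) > 8 and t[6] in ("from", "to"): rs[t[6]] = t[8]   # zone pair the rule-set applies to
            elif len(t) > 10 and t[6] == "rule": rs["rules"].setdefault(t[7], {})[t[9]] = t[10]
    return cfg

def check_vpn_config(text):
    """Return findings; an empty list means addresses resolve and tunnelled traffic is NAT-exempt."""
    cfg, out = _index(text), []
    for name, p in cfg["policy"].items():
        if "vpn" not in p:
            continue                                               # only tunnel policies matter here
        for k in KEYS:                                             # policy match fields are book NAMES
            if p.get(k, "any") != "any" and p[k] not in cfg["addr"]:
                out.append(f"policy {name}: {k} '{p[k]}' is not an address-book name")
        want = tuple(cfg["addr"].get(p.get(k)) for k in KEYS)      # prefixes the policy tunnels
        sets = [rs for rs in cfg["nat"].values() if (rs.get("from"), rs.get("to")) == p["zones"]]
        exempt = any(r.get("source-nat") == "off" and tuple(r.get(k) for k in KEYS) == want
                     for rs in sets for r in rs["rules"].values())
        if sets and None not in want and not exempt:               # NAT rule match fields are PREFIXES
            out.append(f"policy {name}: source NAT applies to {p['zones']} but no 'source-nat off' rule for {want}")
    return out
```

Run `check_vpn_config` over your own `show configuration | display set` output; an empty list means the policy names resolve and the exemption covers the tunnelled prefixes.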

MSS Clamping

To ensure that packets do not exceed the MTU of the SRX interfaces once the additional IPsec headers are added, MSS clamping is configured for TCP sessions that traverse the VPN.

set security flow tcp-mss ipsec-vpn mss 1350

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001