
Example: Configuring a Policy-Based VPN

This example shows how to configure a policy-based IPsec VPN to allow data to be securely transferred between a branch office and the corporate office.

  Requirements
  Overview
  Configuration
  Verification

Requirements

This example uses the following hardware:
  SRX240 device
  SSG140 device

Before you begin, read VPN Overview.

Overview

In this example, you configure a policy-based VPN for a branch office in Chicago, Illinois, because you do not need to conserve tunnel resources or configure many security policies to filter traffic through the tunnel. Users in the Chicago office will use the VPN to connect to their corporate headquarters in Sunnyvale, California.

Figure 1 shows an example of a policy-based VPN topology. In this topology, the SRX Series device is located in Sunnyvale, and an SSG Series device (or it can be another third-party device) is located in Chicago.

Figure 1: Policy-Based VPN Topology

IKE IPsec tunnel negotiation occurs in two phases. In Phase 1, participants establish a secure channel in which to negotiate the IPsec security association (SA). In Phase 2, participants negotiate the IPsec SA that encrypts and authenticates the traffic that will flow through the tunnel. Just as there are two phases in tunnel negotiation, there are two phases in tunnel configuration.

In this example, you configure interfaces, an IPv4 default route, security zones, and address books. Then you configure IKE Phase 1, IPsec Phase 2, security policy, and TCP-MSS parameters. See Table 1 through Table 5.

Table 1: Interface, Security Zone, and Address Book Information

  Interfaces
    ge-0/0/0.0: 10.10.10.1/24
    ge-0/0/3.0: 1.1.1.2/30
  Security zones
    trust: All system services are allowed. The ge-0/0/0.0 interface is bound to this zone.
    untrust: IKE is the only allowed system service. The ge-0/0/3.0 interface is bound to this zone.
  Address book entries
    sunnyvale: This address is for the trust zone's address book. The address for this address book entry is 10.10.10.0/24.
    chicago: This address is for the untrust zone's address book. The address for this address book entry is 192.168.168.0/24.

Table 2: IKE Phase 1 Configuration Parameters

  Proposal: ike-phase1-proposal
    Authentication method: pre-shared-keys
    Diffie-Hellman group: group2
    Authentication algorithm: sha1
    Encryption algorithm: aes-128-cbc
  Policy: ike-phase1-policy
    Mode: main
    Proposal reference: ike-phase1-proposal
    IKE Phase 1 policy authentication method: pre-shared-key ascii-text
  Gateway: gw-chicago
    IKE policy reference: ike-phase1-policy
    External interface: ge-0/0/3.0
    Gateway address: 2.2.2.2

Table 3: IPsec Phase 2 Configuration Parameters

  Proposal: ipsec-phase2-proposal
    Protocol: esp
    Authentication algorithm: hmac-sha1-96
    Encryption algorithm: aes-128-cbc
  Policy: ipsec-phase2-policy
    Proposal reference: ipsec-phase2-proposal
    PFS: Diffie-Hellman group2
  VPN: ike-vpn-chicago
    IKE gateway reference: gw-chicago
    IPsec policy reference: ipsec-phase2-policy

  Note: group2 (1024-bit MODP Diffie-Hellman), sha1, and hmac-sha1-96 are legacy choices kept in this example for interoperability with the SSG's sec-level standard proposals. Where both peers support them, prefer a larger Diffie-Hellman group and SHA-2 based algorithms. Whatever you choose, the Phase 1 and Phase 2 proposals must match on both peers.

Table 4: Security Policy Configuration Parameters

  vpn-tr-untr
    Purpose: This security policy permits traffic from the trust zone to the untrust zone.
    Match criteria: source-address sunnyvale; destination-address chicago; application any
    Permit action: tunnel ipsec-vpn ike-vpn-chicago
    Permit action: tunnel pair-policy vpn-untr-tr
  vpn-untr-tr
    Purpose: This security policy permits traffic from the untrust zone to the trust zone.
    Match criteria: source-address chicago; destination-address sunnyvale; application any
    Permit action: tunnel ipsec-vpn ike-vpn-chicago
    Permit action: tunnel pair-policy vpn-tr-untr
  permit-any
    Purpose: This security policy permits all traffic from the trust zone to the untrust zone.
    Match criteria: source-address any; destination-address any; application any
    Action: permit

  Note: You must put the vpn-tr-untr policy before the permit-any security policy. Junos OS performs a security policy lookup starting at the top of the list. If the permit-any policy comes before the vpn-tr-untr policy, all traffic from the trust zone will match the permit-any policy and be permitted. Thus, no traffic will ever match the vpn-tr-untr policy. Because permit-any has no tunnel action, traffic for 192.168.168.0/24 would then be forwarded unencrypted along the default route instead of through the VPN.

Table 5: TCP-MSS Configuration Parameters

  MSS value: 1350

  Purpose: TCP-MSS is negotiated as part of the TCP three-way handshake and limits the maximum size of a TCP segment to better fit the maximum transmission unit (MTU) limits on a network. This is especially important for VPN traffic, as the IPsec encapsulation overhead, along with the IP and frame overhead, can cause the resulting Encapsulating Security Payload (ESP) packet to exceed the MTU of the physical interface, thus causing fragmentation. Fragmentation results in increased use of bandwidth and device resources.

  Note: We recommend a value of 1350 as the starting point for most Ethernet-based networks with an MTU of 1500 or greater. You might need to experiment with different TCP-MSS values to obtain optimal performance. For example, you might need to change the value if any device in the path has a lower MTU, or if there is any additional overhead such as PPP or Frame Relay.
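The arithmetic behind the 1350 recommendation, as an added example that is not part of the original Juniper page. It assumes the Phase 2 suite configured in this example (ESP tunnel mode with aes-128-cbc and hmac-sha1-96), IPv4 headers without options, and a 20-byte TCP header; the NAT-T case adds the 8-byte UDP header. The constant and function names are mine.

```python
"""ESP tunnel-mode overhead for the Phase 2 suite used in this example.

Added example, not Juniper's code. Assumes ESP tunnel mode with aes-128-cbc
and hmac-sha1-96, IPv4 headers without options, a 20-byte TCP header, and
optional NAT-T (UDP) encapsulation.
"""

OUTER_IP = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_CBC_IV = 16    # explicit IV, one AES block
AES_BLOCK = 16     # plaintext + trailer is padded to this boundary
ESP_TRAILER = 2    # pad-length + next-header bytes (inside the ciphertext)
SHA1_96_ICV = 12   # truncated HMAC-SHA1 integrity check value
UDP_NAT_T = 8      # UDP header when ESP is NAT-T encapsulated
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20) carrying the MSS bytes


def esp_padding(plaintext_len: int) -> int:
    """Padding bytes so that plaintext + trailer is a multiple of the AES block."""
    return (AES_BLOCK - (plaintext_len + ESP_TRAILER) % AES_BLOCK) % AES_BLOCK


def esp_tunnel_size(mss: int, nat_t: bool = False) -> int:
    """On-the-wire size of one full-MSS TCP segment after ESP tunnel encapsulation."""
    inner = INNER_IP_TCP + mss
    size = (OUTER_IP + ESP_HDR + AES_CBC_IV + inner + esp_padding(inner)
            + ESP_TRAILER + SHA1_96_ICV)
    if nat_t:
        size += UDP_NAT_T
    return size


def fits(mss: int, mtu: int = 1500, nat_t: bool = False) -> bool:
    """True when the encapsulated packet needs no fragmentation at this MTU."""
    return esp_tunnel_size(mss, nat_t) <= mtu


def max_mss(mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest MSS whose encapsulated packet still fits the given MTU."""
    mss = mtu
    while mss > 0 and not fits(mss, mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1398, 1350):
        print(f"MSS {mss}: ESP packet {esp_tunnel_size(mss)} bytes, fits 1500? {fits(mss)}")
    print("max MSS, plain ESP       :", max_mss())
    print("max MSS, NAT-T           :", max_mss(nat_t=True))
    print("max MSS, PPPoE (1492)+NAT-T:", max_mss(1492, nat_t=True))
```

With the default MSS of 1460 the encapsulated packet is 1560 bytes and fragments on a 1500-byte link; the largest MSS that fits is 1398 for plain ESP and 1382 with NAT-T, so 1350 leaves headroom for the PPP or PPPoE cases the note mentions.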

Configuration

Configuring Basic Network, Security Zone, and Address Book Information

CLI Quick Configuration

To quickly configure basic network, security zone, and address book information, copy the following commands and paste them into the CLI:

    [edit]
    set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
    set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
    set security zones security-zone untrust interfaces ge-0/0/3.0
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust address-book address chicago 192.168.168.0/24
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust address-book address sunnyvale 10.10.10.0/24

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure basic network, security zone, and address book information:

1. Configure Ethernet interface information.
    [edit]
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
    user@host# set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30

2. Configure static route information.
    [edit]
    user@host# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

3. Configure the untrust security zone.
    [edit]
    user@host# edit security zones security-zone untrust

4. Assign an interface to the security zone.
    [edit security zones security-zone untrust]
    user@host# set interfaces ge-0/0/3.0

5. Specify allowed system services for the security zone.
    [edit security zones security-zone untrust]
    user@host# set host-inbound-traffic system-services ike

6. Configure the address book entry for the untrust zone.
    [edit security zones security-zone untrust]
    user@host# set address-book address chicago 192.168.168.0/24

7. Configure the trust security zone.
    [edit]
    user@host# edit security zones security-zone trust

8. Assign an interface to the security zone.
    [edit security zones security-zone trust]
    user@host# set interfaces ge-0/0/0.0

9. Specify allowed system services for the security zone.
    [edit security zones security-zone trust]
    user@host# set host-inbound-traffic system-services all

10. Configure the address book entry for the trust zone.
    [edit security zones security-zone trust]
    user@host# set address-book address sunnyvale 10.10.10.0/24

Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show interfaces
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }

    [edit]
    user@host# show routing-options
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }

    [edit]
    user@host# show security zones
    security-zone untrust {
        address-book {
            address chicago 192.168.168.0/24;
        }
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/3.0;
        }
    }
    security-zone trust {
        address-book {
            address sunnyvale 10.10.10.0/24;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }

If you are done configuring the device, enter commit from configuration mode.

Configuring IKE

CLI Quick Configuration

To quickly configure IKE, copy the following commands and paste them into the CLI:

    [edit]
    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm sha1
    set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
    set security ike gateway gw-chicago external-interface ge-0/0/3.0
    set security ike gateway gw-chicago ike-policy ike-phase1-policy
    set security ike gateway gw-chicago address 2.2.2.2

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure IKE:

1. Create the IKE Phase 1 proposal.
    [edit security ike]
    user@host# set proposal ike-phase1-proposal

2. Define the IKE proposal authentication method.
    [edit security ike proposal ike-phase1-proposal]
    user@host# set authentication-method pre-shared-keys

3. Define the IKE proposal Diffie-Hellman group.
    [edit security ike proposal ike-phase1-proposal]
    user@host# set dh-group group2

4. Define the IKE proposal authentication algorithm.
    [edit security ike proposal ike-phase1-proposal]
    user@host# set authentication-algorithm sha1

5. Define the IKE proposal encryption algorithm.
    [edit security ike proposal ike-phase1-proposal]
    user@host# set encryption-algorithm aes-128-cbc

6. Create an IKE Phase 1 policy.
    [edit security ike]
    user@host# set policy ike-phase1-policy

7. Set the IKE Phase 1 policy mode.
    [edit security ike policy ike-phase1-policy]
    user@host# set mode main

8. Specify a reference to the IKE proposal.
    [edit security ike policy ike-phase1-policy]
    user@host# set proposals ike-phase1-proposal

9. Define the IKE Phase 1 policy authentication method.
    [edit security ike policy ike-phase1-policy]
    user@host# set pre-shared-key ascii-text 395psksecr3t

10. Create an IKE Phase 1 gateway and define its external interface.
    [edit security ike]
    user@host# set gateway gw-chicago external-interface ge-0/0/3.0

11. Define the IKE Phase 1 policy reference.
    [edit security ike gateway gw-chicago]
    user@host# set ike-policy ike-phase1-policy

12. Define the IKE Phase 1 gateway address.
    [edit security ike gateway gw-chicago]
    user@host# set address 2.2.2.2

Results

From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$9VMTp1RvWLdwYKMJDkmF3ylKM87Vb2oZjws5F"; ## SECRET-DATA
    }
    gateway gw-chicago {
        ike-policy ike-phase1-policy;
        address 2.2.2.2;
        external-interface ge-0/0/3.0;
    }

Note: The pre-shared key is shown in the Junos $9$ obfuscated form and tagged ## SECRET-DATA. The $9$ encoding is reversible, not a hash, so any configuration backup or show output that contains it must be handled as a secret.

If you are done configuring the device, enter commit from configuration mode.

Configuring IPsec

CLI Quick Configuration

To quickly configure IPsec, copy the following commands and paste them into the CLI:

    [edit]
    set security ipsec proposal ipsec-phase2-proposal protocol esp
    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec vpn ike-vpn-chicago ike gateway gw-chicago
    set security ipsec vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure IPsec:

1. Create an IPsec Phase 2 proposal.
    [edit]
    user@host# set security ipsec proposal ipsec-phase2-proposal

2. Specify the IPsec Phase 2 proposal protocol.
    [edit security ipsec proposal ipsec-phase2-proposal]
    user@host# set protocol esp

3. Specify the IPsec Phase 2 proposal authentication algorithm.
    [edit security ipsec proposal ipsec-phase2-proposal]
    user@host# set authentication-algorithm hmac-sha1-96

4. Specify the IPsec Phase 2 proposal encryption algorithm.
    [edit security ipsec proposal ipsec-phase2-proposal]
    user@host# set encryption-algorithm aes-128-cbc

5. Create the IPsec Phase 2 policy.
    [edit security ipsec]
    user@host# set policy ipsec-phase2-policy

6. Specify the IPsec Phase 2 proposal reference.
    [edit security ipsec policy ipsec-phase2-policy]
    user@host# set proposals ipsec-phase2-proposal

7. Specify IPsec Phase 2 PFS to use Diffie-Hellman group 2.
    [edit security ipsec policy ipsec-phase2-policy]
    user@host# set perfect-forward-secrecy keys group2

8. Specify the IKE gateway.
    [edit security ipsec]
    user@host# set vpn ike-vpn-chicago ike gateway gw-chicago

9. Specify the IPsec Phase 2 policy.
    [edit security ipsec]
    user@host# set vpn ike-vpn-chicago ike ipsec-policy ipsec-phase2-policy

Results

From configuration mode, confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security ipsec
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy ipsec-phase2-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-phase2-proposal;
    }
    vpn ike-vpn-chicago {
        ike {
            gateway gw-chicago;
            ipsec-policy ipsec-phase2-policy;
        }
    }

If you are done configuring the device, enter commit from configuration mode.

Configuring Security Policies

CLI Quick Configuration

To quickly configure security policies, copy the following commands and paste them into the CLI:

    [edit]
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address sunnyvale
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address chicago
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
    set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
    set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address chicago
    set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address sunnyvale
    set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
    set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
    set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
    set security policies from-zone trust to-zone untrust policy permit-any match source-address any
    set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
    set security policies from-zone trust to-zone untrust policy permit-any match application any
    set security policies from-zone trust to-zone untrust policy permit-any then permit
    insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure security policies:

1. Create the security policy to permit traffic from the trust zone to the untrust zone.
    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy vpn-tr-untr match source-address sunnyvale
    user@host# set policy vpn-tr-untr match destination-address chicago
    user@host# set policy vpn-tr-untr match application any
    user@host# set policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-chicago
    user@host# set policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr

2. Create the security policy to permit traffic from the untrust zone to the trust zone.
    [edit security policies from-zone untrust to-zone trust]
    user@host# set policy vpn-untr-tr match source-address chicago
    user@host# set policy vpn-untr-tr match destination-address sunnyvale
    user@host# set policy vpn-untr-tr match application any
    user@host# set policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-chicago
    user@host# set policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr

3. Create the security policy to permit all other traffic from the trust zone to the untrust zone.
    [edit security policies from-zone trust to-zone untrust]
    user@host# set policy permit-any match source-address any
    user@host# set policy permit-any match destination-address any
    user@host# set policy permit-any match application any
    user@host# set policy permit-any then permit

4. Reorder the security policies so that the vpn-tr-untr security policy is placed above the permit-any security policy.
    [edit security policies from-zone trust to-zone untrust]
    user@host# insert policy vpn-tr-untr before policy permit-any

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security policies
    from-zone trust to-zone untrust {
        policy vpn-tr-untr {
            match {
                source-address sunnyvale;
                destination-address chicago;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn ike-vpn-chicago;
                        pair-policy vpn-untr-tr;
                    }
                }
            }
        }
        policy permit-any {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy vpn-untr-tr {
            match {
                source-address chicago;
                destination-address sunnyvale;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn ike-vpn-chicago;
                        pair-policy vpn-tr-untr;
                    }
                }
            }
        }
    }

If you are done configuring the device, enter commit from configuration mode.
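The ordering rule from Table 4 and step 4 above, modeled as an added example in plain Python (not Junos code) so the consequence of the wrong order is visible: the same packet from 10.10.10.10 to 192.168.168.10 reaches the tunnel action only when vpn-tr-untr is listed first; with permit-any first it is permitted without the tunnel action and would leave along the default route in the clear. The address book, policy names and actions are taken from this page; the Policy class, the shadowed_policies check and the other helper names are mine.

```python
"""First-match lookup for the trust->untrust policy context, plus a check for
policies that an earlier policy shadows. Added example, not Junos code.
Address book and policies are the page's; class and function names are mine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Address book from Table 1; "any" is the Junos wildcard.
ADDRESS_BOOK = {
    "sunnyvale": ipaddress.ip_network("10.10.10.0/24"),
    "chicago": ipaddress.ip_network("192.168.168.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Policy:
    name: str
    source_address: str
    destination_address: str
    application: str   # "any" or an application name
    action: str        # "permit" or "tunnel <ipsec-vpn name>"


VPN_TR_UNTR = Policy("vpn-tr-untr", "sunnyvale", "chicago", "any", "tunnel ike-vpn-chicago")
PERMIT_ANY = Policy("permit-any", "any", "any", "any", "permit")

CORRECT_ORDER = [VPN_TR_UNTR, PERMIT_ANY]  # after 'insert policy vpn-tr-untr before policy permit-any'
WRONG_ORDER = [PERMIT_ANY, VPN_TR_UNTR]    # the order you get without that insert


def policy_matches(policy: Policy, src: str, dst: str, app: str) -> bool:
    """Junos match semantics: source, destination and application must all match."""
    return (ipaddress.ip_address(src) in ADDRESS_BOOK[policy.source_address]
            and ipaddress.ip_address(dst) in ADDRESS_BOOK[policy.destination_address]
            and policy.application in ("any", app))


def lookup(policies: List[Policy], src: str, dst: str, app: str = "junos-ping") -> Optional[str]:
    """Action of the first matching policy, top down, as Junos evaluates a context.
    None means nothing matched (Junos then applies its default deny)."""
    for policy in policies:
        if policy_matches(policy, src, dst, app):
            return policy.action
    return None


def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Policies that can never match because an earlier policy in the same context
    covers every source, destination and application they would match."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            src_covered = ADDRESS_BOOK[later.source_address].subnet_of(
                ADDRESS_BOOK[earlier.source_address])
            dst_covered = ADDRESS_BOOK[later.destination_address].subnet_of(
                ADDRESS_BOOK[earlier.destination_address])
            app_covered = earlier.application in ("any", later.application)
            if src_covered and dst_covered and app_covered:
                hidden.append(later.name)
                break
    return hidden


if __name__ == "__main__":
    pkt = ("10.10.10.10", "192.168.168.10")
    print("correct order:", lookup(CORRECT_ORDER, *pkt))  # tunnel ike-vpn-chicago
    print("wrong order  :", lookup(WRONG_ORDER, *pkt))    # permit, i.e. cleartext via the default route
    print("shadowed     :", shadowed_policies(WRONG_ORDER))
```

Running shadowed_policies over each from-zone/to-zone context after a change is a cheap way to catch this class of mistake before commit; the check flags only exact coverage, so a partially overlapping earlier policy still needs a manual look.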

Configuring TCP-MSS

CLI Quick Configuration

To quickly configure TCP-MSS information, copy the following commands and paste them into the CLI:

    [edit]
    set security flow tcp-mss ipsec-vpn mss 1350

Step-by-Step Procedure

To configure TCP-MSS information:

1. Configure TCP-MSS information.
    [edit]
    user@host# set security flow tcp-mss ipsec-vpn mss 1350

Results

From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security flow
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }

If you are done configuring the device, enter commit from configuration mode.

Configuring the SSG Series Device

CLI Quick Configuration

For reference, the configuration for the SSG Series device is provided. For information about configuring SSG Series devices, see the Concepts and Examples ScreenOS Reference Guide, which is located at http://www.juniper.net/techpubs.

To quickly configure the SSG Series device, copy the following commands and paste them into the CLI:

    set interface ethernet0/6 zone Trust
    set interface ethernet0/0 zone Untrust
    set interface ethernet0/6 ip 192.168.168.1/24
    set interface ethernet0/6 route
    set interface ethernet0/0 ip 2.2.2.2/30
    set interface ethernet0/0 route
    set flow tcp-mss 1350
    set address Trust localnet 192.168.168.0 255.255.255.0
    set address Untrust "corpnet" 10.10.10.0 255.255.255.0
    set ike gateway corp-ike address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standard
    set vpn corp-vpn gateway corp-ike replay tunnel idletime 0 sec-level standard
    set policy id 11 from Trust to Untrust localnet corpnet ANY tunnel vpn corp-vpn pair-policy 10
    set policy id 10 from Untrust to Trust corpnet localnet ANY tunnel vpn corp-vpn pair-policy 11
    set policy id 1 from Trust to Untrust ANY ANY ANY nat src permit
    set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1

Verification

To confirm that the configuration is working properly, perform these tasks:
  Verifying the IKE Phase 1 Status
  Verifying the IPsec Phase 2 Status
  Reviewing Statistics and Errors for an IPsec Security Association

Verifying the IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status.

Action

Note: Before starting the verification process, you need to send traffic from a host in the 10.10.10/24 network to a host in the 192.168.168/24 network. For policy-based VPNs, a separate host must generate the traffic; traffic initiated from the SRX Series device will not match the VPN policy. We recommend that the test traffic be from a separate device on one side of the VPN to a second device on the other side of the VPN. For example, initiate ping from 10.10.10.10 to 192.168.168.10.

From operational mode, enter the show security ike security-associations command. After obtaining an index number from the command, use the show security ike security-associations index index_number detail command.

    user@host> show security ike security-associations
    Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
    4       2.2.2.2         UP     5e1db3f9d50b0de6  e50865d9ebf134f8  Main

    user@host> show security ike security-associations index 4 detail
    IKE peer 2.2.2.2, Index 4,
      Role: Responder, State: UP
      Initiator cookie: 5e1db3f9d50b0de6, Responder cookie: e50865d9ebf134f8
      Exchange type: Main, Authentication method: Pre-shared-keys
      Local: 1.1.1.2:500, Remote: 2.2.2.2:500
      Lifetime: Expires in 28770 seconds
      Algorithms:
        Authentication        : sha1
        Encryption            : aes-128-cbc
        Pseudo random function: hmac-sha1
      Traffic statistics:
        Input  bytes  :                  852
        Output bytes  :                  856
        Input  packets:                    5
        Output packets:                    4
      Flags: Caller notification sent
      IPSec security associations: 1 created, 0 deleted
      Phase 2 negotiations in progress: 0

Meaning

The show security ike security-associations command lists all active IKE Phase 1 security associations (SAs). If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration.

If SAs are listed, review the following information:
  Index: This value is unique for each IKE SA. Use it in the show security ike security-associations index detail command to get more information about the SA.
  Remote Address: Verify that the remote IP address is correct.
  State:
    UP: The Phase 1 SA has been established.
    DOWN: There was a problem establishing the Phase 1 SA.
  Mode: Verify that the correct mode is being used.

Verify that the following are correct in your configuration:
  External interfaces (the interface must be the one that receives IKE packets)
  IKE policy parameters
  Pre-shared key information
  Phase 1 proposal parameters (must match on both peers)

The show security ike security-associations index 4 detail command lists additional information about the security association with an index number of 4:
  Authentication and encryption algorithms used
  Phase 1 lifetime
  Traffic statistics (can be used to verify that traffic is flowing properly in both directions)
  Initiator and responder role information
  Number of IPsec SAs created
  Number of Phase 2 negotiations in progress

Note: Troubleshooting is best performed on the peer using the responder role.

Verifying the IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status.

Action

From operational mode, enter the show security ipsec security-associations command. After obtaining an index number from the command, use the show security ipsec security-associations index index_number detail command.

    user@host> show security ipsec security-associations
      total configured sa: 2
      ID    Gateway          Port  Algorithm        SPI       Life:sec/kb   Mon  vsys
      <2    2.2.2.2          500   ESP:aes128/sha1  a63eb26f  3565/ unlim   -    0
      >2    2.2.2.2          500   ESP:aes128/sha1  a1024ed9  3565/ unlim   -    0

    user@host> show security ipsec security-associations index 2 detail
      Virtual-system: Root
      Local Gateway: 1.1.1.2, Remote Gateway: 2.2.2.2
      Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
      Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.168.0/24)
      DF-bit: clear
      Policy-name: vpn-policy-unt-tr

      Direction: inbound, SPI: 2789126767, AUX-SPI: 0
        Hard lifetime: Expires in 3558 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2986 seconds
        Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: -
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: enabled, Replay window size: 32

      Direction: outbound, SPI: 2701283033, AUX-SPI: 0
        Hard lifetime: Expires in 3558 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2986 seconds
        Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: -
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: enabled, Replay window size: 32

Meaning
The output from the show security ipsec security-associations command lists the following information:
- The ID number is 2. Use this value with the show security ipsec security-associations index command to get more information about this particular SA.
- There is one IPsec SA pair using port 500, which indicates that no NAT traversal is implemented. (NAT traversal uses port 4500 or another random high-number port.)
- The SPIs, lifetime (in seconds), and usage limits (or lifesize in KB) are shown for both directions. The 3565/unlim value indicates that the Phase 2 lifetime expires in 3565 seconds, and that no lifesize has been specified, which indicates that it is unlimited. Phase 2 lifetime can differ from Phase 1 lifetime, as Phase 2 is not dependent on Phase 1 after the VPN is up.
- VPN monitoring is not enabled for this SA, as indicated by a hyphen in the Mon column. If VPN monitoring is enabled, U (up) or D (down) is listed.
- The virtual system (vsys) is the root system, and it always lists 0.

The output from the show security ipsec security-associations index 2 detail command lists the following information:
- The local identity and remote identity make up the proxy ID for the SA.
- The SPIs are the same values as in the summary table, shown in decimal rather than hexadecimal (a63eb26f is 2789126767 for the inbound SA, a1024ed9 is 2701283033 for the outbound SA).
- A proxy ID mismatch is one of the most common reasons for a Phase 2 failure. For policy-based VPNs, the proxy ID is derived from the security policy. The local address and remote address are derived from the address book entries, and the service is derived from the application configured for the policy. If Phase 2 fails because of a proxy ID mismatch, you can use the policy to confirm which address book entries are configured. Verify that the addresses match the information being sent. Check the service to ensure that the ports match the information being sent.

Note: For some third-party vendors, the proxy ID must be manually entered to match.
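The checks described above (both directions installed, port 500 rather than 4500, VPN monitoring not down, proxy ID matching the policy's address-book subnets) are easy to automate when the CLI output is collected from many devices. The following is an added example, not code from the Juniper documentation or from Junos itself. The sample output is constructed to match the page's example topology; the exact column spacing of the real CLI and the name `vpn-policy-unt-tr` are assumptions, and the parser is written against the fields shown on this page only.

```python
"""Added example (not part of the Juniper documentation): parse the two
'show security ipsec security-associations' outputs and flag the conditions
the Meaning text describes: a missing direction, NAT traversal (port 4500),
VPN monitoring down, and a proxy-ID mismatch against the subnets the
security policy should have produced.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of the summary table (one entry per direction).
SUMMARY = """\
total configured sa: 2
ID    Gateway          Port  Algorithm         SPI       Life:sec/kb  Mon vsys
<2    2.2.2.2          500   ESP:aes-128/sha1  a63eb26f  3565/ unlim  -   0
>2    2.2.2.2          500   ESP:aes-128/sha1  a1024ed9  3565/ unlim  -   0
"""

# Constructed sample of the identity lines from 'index 2 detail'.
DETAIL = """\
Virtual-system: Root
Local Gateway: 1.1.1.2, Remote Gateway: 2.2.2.2
Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.168.0/24)
DF-bit: clear
"""

@dataclass
class SaEntry:
    direction: str   # '<' inbound, '>' outbound
    sa_id: int
    gateway: str
    port: int        # 500 = plain IKE/ESP, 4500 = NAT traversal
    algorithm: str
    spi: str         # hexadecimal, as printed in the summary table
    life_sec: int
    life_kb: str     # 'unlim' when no lifesize is configured
    monitor: str     # '-' not enabled, 'U' up, 'D' down

SA_LINE = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+(?P<alg>\S+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<sec>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+\d+\s*$"
)
IDENTITY = re.compile(
    r"^(Local|Remote) Identity:\s*ipv4_subnet\((\w+):(\d+),\[0\.\.7\]=([^)]+)\)"
)

def parse_summary(text):
    """Return one SaEntry per SA line; the header and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            entries.append(SaEntry(m["dir"], int(m["id"]), m["gw"], int(m["port"]),
                                   m["alg"], m["spi"], int(m["sec"]), m["kb"], m["mon"]))
    return entries

def parse_proxy_id(detail_text):
    """Return {'local': (proto, port, subnet), 'remote': (...)} from the detail output."""
    ids = {}
    for line in detail_text.splitlines():
        m = IDENTITY.match(line.strip())
        if m:
            side, proto, port, subnet = m.groups()
            ids[side.lower()] = (proto, int(port), subnet)
    return ids

def check_summary(entries, sa_id):
    """Findings for one SA ID: both directions present, no NAT-T, monitor not down."""
    findings = []
    pair = [e for e in entries if e.sa_id == sa_id]
    if {e.direction for e in pair} != {"<", ">"}:
        findings.append(f"SA {sa_id}: expected an inbound and an outbound SA, found {len(pair)}")
    for e in pair:
        if e.port == 4500:
            findings.append(f"SA {sa_id} {e.direction}: port 4500, NAT traversal is in use")
        if e.monitor == "D":
            findings.append(f"SA {sa_id} {e.direction}: VPN monitoring reports the tunnel down")
    return findings

def check_proxy_id(ids, expected_local, expected_remote, expected_service=("any", 0)):
    """Compare the negotiated proxy ID with the subnets and application that the
    security policy (via its address-book entries) should have produced."""
    findings = []
    for side, expected in (("local", expected_local), ("remote", expected_remote)):
        if side not in ids:
            findings.append(f"{side} identity missing from detail output")
            continue
        proto, port, subnet = ids[side]
        if ipaddress.ip_network(subnet, strict=False) != ipaddress.ip_network(expected, strict=False):
            findings.append(f"{side} proxy ID {subnet} does not match policy address {expected}")
        if (proto, port) != expected_service:
            findings.append(f"{side} service {proto}:{port} does not match policy application {expected_service}")
    return findings

if __name__ == "__main__":
    sas = parse_summary(SUMMARY)
    problems = check_summary(sas, 2) + check_proxy_id(parse_proxy_id(DETAIL),
                                                      "10.10.10.0/24", "192.168.168.0/24")
    print("\n".join(problems) if problems else "SA 2: both directions installed, proxy IDs match the policy")
```

Feed `check_proxy_id` the address-book prefixes from the policy that should have brought the tunnel up; when a third-party peer needs its proxy ID entered by hand, the mismatch this reports is exactly the value that has to be typed on the other side.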

Reviewing Statistics and Errors for an IPsec Security Association

Purpose
Review ESP and authentication header counters and errors for an IPsec security association.

Action
From operational mode, enter the show security ipsec statistics index index_number command, using the index number of the VPN for which you want to see statistics.

  user@host> show security ipsec statistics index 2
  ESP Statistics:
    Encrypted bytes:              920
    Decrypted bytes:             6208
    Encrypted packets:              5
    Decrypted packets:             87
  AH Statistics:
    Input bytes:                    0
    Output bytes:                   0
    Input packets:                  0
    Output packets:                 0
  Errors:
    AH authentication failures: 0, Replay errors: 0
    ESP authentication failures: 0, ESP decryption failures: 0
    Bad headers: 0, Bad trailers: 0

You can also use the show security ipsec statistics command to review statistics and errors for all SAs.
To clear all IPsec statistics, use the clear security ipsec statistics command.

Meaning
If you see packet loss issues across a VPN, you can run the show security ipsec statistics or show security ipsec statistics detail command several times to confirm that the encrypted and decrypted packet counters are incrementing in both directions. You should also check whether any of the error counters (authentication failures, decryption failures, replay errors, bad headers, bad trailers) are incrementing between runs; a rising error counter with flat traffic counters points at the tunnel itself rather than at the path around it.
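Running the command "several times" and comparing by eye does not scale, so the following added example (not from the Juniper documentation or Junos) parses two snapshots of the statistics output and reports which counters moved. Both snapshots are constructed: the first reproduces the output shown above, the second is an assumed later sample in which traffic has flowed and three ESP decryption failures have been recorded.

```python
"""Added example (not part of the Juniper documentation): parse two samples of
'show security ipsec statistics index N' taken some seconds apart and report
whether the encrypted/decrypted packet counters advanced and whether any error
counter moved, which is the check the Meaning text describes.
"""
import re

# Constructed sample: the page's own output at time T0.
SAMPLE_T0 = """\
ESP Statistics:
  Encrypted bytes:              920
  Decrypted bytes:             6208
  Encrypted packets:              5
  Decrypted packets:             87
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# Constructed sample: an assumed later snapshot with traffic and some decryption failures.
SAMPLE_T1 = """\
ESP Statistics:
  Encrypted bytes:             2300
  Decrypted bytes:             9800
  Encrypted packets:             12
  Decrypted packets:            140
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 3
  Bad headers: 0, Bad trailers: 0
"""

# 'Name: 123' pairs; the Errors section prints two per line, so use findall per line.
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")

ERROR_COUNTERS = (
    "AH authentication failures", "Replay errors",
    "ESP authentication failures", "ESP decryption failures",
    "Bad headers", "Bad trailers",
)

def parse_stats(text):
    """Return {counter name: int} for every counter in one command output."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER.findall(line):
            counters[name.strip()] = int(value)
    return counters

def diff_stats(before, after):
    """Per-counter delta between two samples taken for the same SA index."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in set(before) | set(after)}

def assess(before, after):
    """Findings from two samples, in the order a troubleshooter would act on them."""
    d = diff_stats(before, after)
    findings = []
    if any(v < 0 for v in d.values()):
        # Counters only go down after 'clear security ipsec statistics' or when
        # the SA was torn down and re-created, so the deltas are meaningless.
        findings.append("counters decreased: statistics were cleared or the SA was re-established between samples")
        return findings
    if d.get("Encrypted packets", 0) == 0:
        findings.append("no packets encrypted: traffic is not entering the tunnel (check the policy match and the route to the remote subnet)")
    if d.get("Decrypted packets", 0) == 0:
        findings.append("no packets decrypted: nothing is arriving from the peer (check the peer side and any NAT in the path)")
    for name in ERROR_COUNTERS:
        if d.get(name, 0) > 0:
            findings.append(f"{name} increased by {d[name]}")
    return findings

if __name__ == "__main__":
    for line in assess(parse_stats(SAMPLE_T0), parse_stats(SAMPLE_T1)) or ["traffic flowing both ways, no errors"]:
        print(line)
```

Rising ESP authentication or decryption failures with the Phase 2 SA still installed usually means the peers disagree on the SA (a stale SPI after a re-key on one side, or a misconfigured transform on a third-party peer) rather than a network path problem; replay errors with otherwise healthy traffic are more often packet reordering in the path than an attack.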

RelatedDocumentation
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- VPN Overview
- Example: Configuring a Route-Based VPN
- Example: Configuring a Hub-and-Spoke VPN

Published: 2010-11-18
Copyright 1999-2013 Juniper Networks, Inc. All rights reserved.
