IPSEC

From Juniper JSRX Wiki

Overview

IPSEC gives us the ability to transfer data between two networks separated by one or more public networks securely and privately: traffic is encrypted, integrity-protected and exchanged only between gateways that have authenticated each other.

Site to Site

Phase 1 (ike)

VPNs have two phases. Phase 1 (IKE) authenticates the two gateways and builds an encrypted channel over which the phase 2 (IPSEC) keys are negotiated; no user traffic crosses phase 1 itself. We can either use the predefined proposals, which include the following settings, or define our own.

Basic

Proposal #1: preshared key, DH g1, DES, and SHA1
Proposal #2: preshared key, DH g1, DES, and MD5

Compatible

Proposal #1: preshared key, DH g2, 3DES, and SHA1
Proposal #2: preshared key, DH g2, 3DES, and MD5
Proposal #3: preshared key, DH g2, DES, and SHA1
Proposal #4: preshared key, DH g2, DES, and MD5

Standard

Proposal #1: preshared key, DH g2, 3DES, and SHA1
Proposal #2: preshared key, DH g2, AES128, and SHA1

or we can use custom proposals. Note that every predefined set includes algorithms that are now considered weak (DES, MD5, 768-bit DH group 1 and 1024-bit group 2; Standard still uses 3DES and SHA1), so for a new tunnel a custom proposal with AES, SHA-256 and DH group 14 or higher is preferable whenever the peer supports it.

security {
    ike {
        proposal Netherspite_Proposal {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
    }
}
set security ike proposal Netherspite_Proposal authentication-method pre-shared-keys
set security ike proposal Netherspite_Proposal dh-group group5
set security ike proposal Netherspite_Proposal authentication-algorithm sha-256
set security ike proposal Netherspite_Proposal encryption-algorithm aes-256-cbc


After the proposals are set up, we need to set up the phase 1 policy. It selects the negotiation mode, the proposals the gateway will accept, and the pre-shared key. The key is typed in clear text in the set command; the $9$ string shown in the configuration is Junos's reversible obfuscation of it, not a hash, so the configuration file itself must be treated as a secret. Use a long random key, and keep mode main: aggressive mode sends a hash derived from the key in the clear, which allows offline guessing of the key.

security {
    ike {
        proposal Netherspite_Proposal {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            mode main;
            proposals Netherspite_Proposal;
            pre-shared-key ascii-text "$9$Tz6COBRyeM8X-b2aDjCApuRcKv8LNV"; ## SECRET-DATA
        }           
    }
}
set security ike policy Netherspite_Policy mode main
set security ike policy Netherspite_Policy proposals Netherspite_Proposal
set security ike policy Netherspite_Policy pre-shared-key ascii-text METACORTEX
  • NOTE: Instead of a custom proposal, the policy can reference one of the predefined sets basic, compatible or standard with proposal-set in place of proposals (for example set security ike policy Netherspite_Policy proposal-set standard)

The last step of phase 1 is to configure the gateway: the peer's address, the policy to use, the external interface that IKE packets leave from, and dead peer detection so that a dead peer is detected and the tunnel re-established rather than blackholing traffic.

security {
    ike {
        proposal Netherspite_Proposal {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            mode main;
            proposals Netherspite_Proposal;
            pre-shared-key ascii-text "$9$Tz6COBRyeM8X-b2aDjCApuRcKv8LNV"; ## SECRET-DATA
        }           
        gateway Netherspite {
            ike-policy Netherspite_Policy;
            address 1.1.1.2;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/1;
        }
    }
}
set security ike gateway Netherspite ike-policy Netherspite_Policy
set security ike gateway Netherspite address 1.1.1.2
set security ike gateway Netherspite dead-peer-detection interval 10
set security ike gateway Netherspite dead-peer-detection threshold 3
set security ike gateway Netherspite external-interface ge-0/0/1

Phase 2 (IPSEC)

Once we have phase 1 set up, we need to set up phase 2. Phase 2 negotiates the IPSEC security associations (the keys and algorithms that actually protect the data) inside the phase 1 channel. The first step of phase 2 is to set up the phase 2 proposals. You can use the predefined proposals listed below

Basic

Proposal #1: no PFS, ESP, DES, and SHA1
Proposal #2: no PFS, ESP, DES, and MD5

Compatible

Proposal #1: no PFS, ESP, 3DES, and SHA1
Proposal #2: no PFS, ESP, 3DES, and MD5
Proposal #3: no PFS, ESP, DES, and SHA1
Proposal #4: no PFS, ESP, DES, and MD5

Standard

Proposal #1: ESP, DH g2, 3DES, and SHA1
Proposal #2: ESP, DH g2, AES128, and SHA1

or we can define our own custom proposals. hmac-sha1-96 is shown here because every peer supports it; if the peer allows it, hmac-sha-256-128 is the better choice.

security {
    ipsec {
        proposal Netherspite_Proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
    }
}
set security ipsec proposal Netherspite_Proposal protocol esp
set security ipsec proposal Netherspite_Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Netherspite_Proposal encryption-algorithm aes-256-cbc

As with phase 1, we need to set up the policy for phase 2. Perfect forward secrecy (PFS) runs a fresh Diffie-Hellman exchange for each phase 2 SA, so a later compromise of the phase 1 keys does not expose the data keys; leave it enabled unless the peer cannot support it.

security {
    ipsec {
        proposal Netherspite_Proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Netherspite_Proposal;
        }
    }
}
set security ipsec policy Netherspite_Policy perfect-forward-secrecy keys group5
set security ipsec policy Netherspite_Policy proposals Netherspite_Proposal
  • NOTE: Instead of a custom proposal, the policy can reference one of the predefined sets basic, compatible or standard with proposal-set in place of proposals (for example set security ipsec policy Netherspite_Policy proposal-set standard)

Finally, we set up the VPN object itself, which binds the IKE gateway to the IPSEC policy. establish-tunnels immediately brings the tunnel up at commit instead of waiting for the first matching packet.

security {
    ipsec {
        proposal Netherspite_Proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Netherspite_Proposal;
        }
        vpn Netherspite {
            ike {
                gateway Netherspite;
                ipsec-policy Netherspite_Policy;
            }
            establish-tunnels immediately;
        }
    }
}
set security ipsec vpn Netherspite ike gateway Netherspite
set security ipsec vpn Netherspite ike ipsec-policy Netherspite_Policy
set security ipsec vpn Netherspite establish-tunnels immediately
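As an added example, not part of the original page, the following Python script audits Junos set-command text for the weak choices called out above: DES/3DES, MD5/SHA1, DH groups 1, 2 and 5, the predefined proposal sets, aggressive mode, and custom IPsec policies without PFS. The sample configuration is constructed from this page's commands plus a made-up Legacy_Policy; the severities, the function names and the completeness of the tables at the top are this example's own.

```python
import re
from dataclasses import dataclass

# Junos algorithm and Diffie-Hellman group names that should not appear in a
# new tunnel, with the severity this example assigns to each.
WEAK_ENCRYPTION = {"des-cbc": "high", "3des-cbc": "medium"}
WEAK_AUTH = {"md5": "high", "hmac-md5-96": "high",
             "sha1": "medium", "hmac-sha1-96": "medium"}
WEAK_DH = {"group1": "high", "group2": "high", "group5": "medium"}  # 768/1024/1536-bit MODP
WEAK_PROPOSAL_SET = {"basic": "high", "compatible": "high", "standard": "medium"}

# One set command under [security ike|ipsec proposal|policy <name>].
SET_RE = re.compile(
    r"^set security (?P<stanza>ike|ipsec) (?P<kind>proposal|policy) (?P<name>\S+) "
    r"(?P<key>\S+)(?: (?P<value>.+))?$"
)

# Constructed sample: this page's phase 1 / phase 2 commands plus a made-up
# legacy policy pair that exercises every check.
SAMPLE_CONFIG = """\
set security ike proposal Netherspite_Proposal authentication-method pre-shared-keys
set security ike proposal Netherspite_Proposal dh-group group5
set security ike proposal Netherspite_Proposal authentication-algorithm sha-256
set security ike proposal Netherspite_Proposal encryption-algorithm aes-256-cbc
set security ike policy Netherspite_Policy mode main
set security ike policy Netherspite_Policy proposals Netherspite_Proposal
set security ike policy Legacy_Policy mode aggressive
set security ike policy Legacy_Policy proposal-set basic
set security ipsec proposal Netherspite_Proposal protocol esp
set security ipsec proposal Netherspite_Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Netherspite_Proposal encryption-algorithm aes-256-cbc
set security ipsec policy Netherspite_Policy perfect-forward-secrecy keys group5
set security ipsec policy Netherspite_Policy proposals Netherspite_Proposal
set security ipsec proposal Legacy_Proposal protocol esp
set security ipsec proposal Legacy_Proposal authentication-algorithm hmac-md5-96
set security ipsec proposal Legacy_Proposal encryption-algorithm 3des-cbc
set security ipsec policy Legacy_Policy proposals Legacy_Proposal
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    path: str
    message: str


def audit(config_text):
    """Return a Finding for every weak IKE/IPsec setting in Junos set-command text."""
    findings = []
    custom_ipsec_policies = set()  # ipsec policies built from custom proposals
    pfs_policies = set()           # ...of which these also configure PFS
    for raw in config_text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        stanza, kind, name, key = m["stanza"], m["kind"], m["name"], m["key"]
        value = (m["value"] or "").strip()
        path = f"security {stanza} {kind} {name}"
        if kind == "proposal":
            if key == "encryption-algorithm" and value in WEAK_ENCRYPTION:
                findings.append(Finding(WEAK_ENCRYPTION[value], path,
                    f"encryption-algorithm {value}; use aes-256-cbc"))
            elif key == "authentication-algorithm" and value in WEAK_AUTH:
                findings.append(Finding(WEAK_AUTH[value], path,
                    f"authentication-algorithm {value}; use sha-256 (ike) or hmac-sha-256-128 (ipsec)"))
            elif key == "dh-group" and value in WEAK_DH:
                findings.append(Finding(WEAK_DH[value], path,
                    f"dh-group {value}; use group14 or higher"))
        elif key == "proposal-set" and value in WEAK_PROPOSAL_SET:
            findings.append(Finding(WEAK_PROPOSAL_SET[value], path,
                f"predefined proposal-set {value} contains legacy algorithms; define a custom proposal"))
        elif stanza == "ike" and key == "mode" and value == "aggressive":
            findings.append(Finding("high", path,
                "aggressive mode sends the PSK-derived hash in the clear; use mode main"))
        elif stanza == "ipsec" and key == "proposals":
            custom_ipsec_policies.add(name)
        elif stanza == "ipsec" and key == "perfect-forward-secrecy":
            pfs_policies.add(name)
            group = value.split()[-1]          # "keys group5" -> "group5"
            if group in WEAK_DH:
                findings.append(Finding(WEAK_DH[group], path,
                    f"perfect-forward-secrecy keys {group}; use group14 or higher"))
    # A custom IPsec policy without PFS derives every SA from the phase 1 secret.
    for name in sorted(custom_ipsec_policies - pfs_policies):
        findings.append(Finding("medium", f"security ipsec policy {name}",
            "no perfect-forward-secrecy; add 'perfect-forward-secrecy keys group14'"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.path}: {f.message}")
```

Feed it the output of show configuration | display set on a box; the same page's own Netherspite configuration produces two medium findings (group5 for phase 1 and for PFS, plus hmac-sha1-96), which is the cost of interoperating with older peers rather than a misconfiguration.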

Applying the VPN

Policy Based

There are two different ways of applying site to site IPSEC VPNs from this point on. The first one we will cover is policy based VPNs. These use the security policy match criteria to select traffic for the tunnel; each policy that references the VPN negotiates its own SA pair with the peer, so several tunnel policies mean several tunnels. From here we only need the policy that tells the device to tunnel specific traffic. Policy match terms reference address-book entries rather than raw prefixes, so the local and remote networks are defined first (Local_Net and Remote_Net are arbitrary names).

security {
    policies {
        from-zone trust to-zone untrust {
            policy tunnel {
                match {
                    source-address Local_Net;
                    destination-address Remote_Net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Netherspite;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address Local_Net 10.10.0.0/16;
            }
        }
        security-zone untrust {
            address-book {
                address Remote_Net 192.168.50.0/24;
            }
        }
    }
}
set security zones security-zone trust address-book address Local_Net 10.10.0.0/16
set security zones security-zone untrust address-book address Remote_Net 192.168.50.0/24
set security policies from-zone trust to-zone untrust policy tunnel match source-address Local_Net
set security policies from-zone trust to-zone untrust policy tunnel match destination-address Remote_Net
set security policies from-zone trust to-zone untrust policy tunnel match application any
set security policies from-zone trust to-zone untrust policy tunnel then permit tunnel ipsec-vpn Netherspite

Now, any traffic from the trust zone matching the match criteria will be tunneled through the VPN specified, and the replies follow the session back. Connections initiated from the remote site need a matching from-zone untrust to-zone trust policy with the addresses reversed and the same tunnel ipsec-vpn; link the two with pair-policy so both directions share one SA pair. That completes a policy based VPN and traffic should pass through it.

Route Based

The second way of applying VPNs is route based. This method creates a single tunnel (one SA pair) for the VPN and uses the routing table to decide which traffic enters it, so it also works with dynamic routing and many subnets without extra SAs. The first step of a route based VPN is to create a secure tunnel interface, st0.

interfaces {                
    st0 {           
        unit 0 {    
            family inet;
        }           
    }               
} 
set interfaces st0 unit 0 family inet

Next, we need to place the tunnel interface in a zone. The zone decides which security policies apply to traffic entering and leaving the tunnel. Here it goes into untrust; a dedicated zone (for example vpn) makes it easier to write policies that apply only to tunneled traffic.

security {
    zones {
        security-zone untrust {
            interfaces {
                st0.0;
            }
        }
    }
}
set security zones security-zone untrust interfaces st0.0

After placing the interface in a zone, we also need to bind the VPN to it.

security {
    ipsec {
        vpn Netherspite {
            bind-interface st0.0;
            ike {
                gateway Netherspite;
                ipsec-policy Netherspite_Policy;
            }
            establish-tunnels immediately;
        }
    }
}
set security ipsec vpn Netherspite bind-interface st0.0

The last step to get this VPN up is to create a route for the destination network with the tunnel interface as the next hop. The route only chooses the egress interface; security policy still decides whether the traffic is permitted. Because st0.0 is in the untrust zone, the existing trust-to-untrust policies (and untrust-to-trust for connections from the remote site) must permit the traffic, otherwise it is dropped even though the tunnel is up.

routing-options {   
    static {        
        route 192.168.50.0/24 next-hop st0.0;
    }               
}
set routing-options static route 192.168.50.0/24 next-hop st0.0

Your VPN should now be up and passing traffic (pending the commit, of course).

Sample Configs

Site to Site

Policy Based

security {
    ike {
        proposal Netherspite_Proposal {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            mode main;
            proposals Netherspite_Proposal;
            pre-shared-key ascii-text "$9$Tz6COBRyeM8X-b2aDjCApuRcKv8LNV"; ## SECRET-DATA
        }           
        gateway Netherspite {
            ike-policy Netherspite_Policy;
            address 1.1.1.2;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/1;
        }
    }
    ipsec {
        proposal Netherspite_Proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Netherspite_Proposal;
        }
        vpn Netherspite {
            ike {
                gateway Netherspite;
                ipsec-policy Netherspite_Policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy tunnel {
                match {
                    source-address Local_Net;
                    destination-address Remote_Net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Netherspite;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address Local_Net 10.10.0.0/16;
            }
        }
        security-zone untrust {
            address-book {
                address Remote_Net 192.168.50.0/24;
            }
        }
    }
}
set security ike proposal Netherspite_Proposal authentication-method pre-shared-keys
set security ike proposal Netherspite_Proposal dh-group group5
set security ike proposal Netherspite_Proposal authentication-algorithm sha-256
set security ike proposal Netherspite_Proposal encryption-algorithm aes-256-cbc
set security ike policy Netherspite_Policy mode main
set security ike policy Netherspite_Policy proposals Netherspite_Proposal
set security ike policy Netherspite_Policy pre-shared-key ascii-text METACORTEX
set security ike gateway Netherspite ike-policy Netherspite_Policy
set security ike gateway Netherspite address 1.1.1.2
set security ike gateway Netherspite dead-peer-detection interval 10
set security ike gateway Netherspite dead-peer-detection threshold 3
set security ike gateway Netherspite external-interface ge-0/0/1
set security ipsec proposal Netherspite_Proposal protocol esp
set security ipsec proposal Netherspite_Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Netherspite_Proposal encryption-algorithm aes-256-cbc
set security ipsec policy Netherspite_Policy perfect-forward-secrecy keys group5
set security ipsec policy Netherspite_Policy proposals Netherspite_Proposal
set security ipsec vpn Netherspite ike gateway Netherspite
set security ipsec vpn Netherspite ike ipsec-policy Netherspite_Policy
set security ipsec vpn Netherspite establish-tunnels immediately
set security zones security-zone trust address-book address Local_Net 10.10.0.0/16
set security zones security-zone untrust address-book address Remote_Net 192.168.50.0/24
set security policies from-zone trust to-zone untrust policy tunnel match source-address Local_Net
set security policies from-zone trust to-zone untrust policy tunnel match destination-address Remote_Net
set security policies from-zone trust to-zone untrust policy tunnel match application any
set security policies from-zone trust to-zone untrust policy tunnel then permit tunnel ipsec-vpn Netherspite

Route Based

interfaces {                
    st0 {           
        unit 0 {    
            family inet;
        }           
    }               
} 
routing-options {   
    static {        
        route 192.168.50.0/24 next-hop st0.0;
    }               
}
security {
    ike {
        proposal Netherspite_Proposal {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            mode main;
            proposals Netherspite_Proposal;
            pre-shared-key ascii-text "$9$ZTUH.QznAuBIEyeWxVb.mf5n90OIRSl"; ## SECRET-DATA
        }
        gateway Netherspite {
            ike-policy Netherspite_Policy;
            address 1.1.1.2;            
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/1;
        }
    }
    ipsec {
        proposal Netherspite_Proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy Netherspite_Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Netherspite_Proposal;
        }
        vpn Netherspite {
            bind-interface st0.0;
            ike {
                gateway Netherspite;
                ipsec-policy Netherspite_Policy;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                st0.0;
            }
        }
    }
}
set interfaces st0 unit 0 family inet
set routing-options static route 192.168.50.0/24 next-hop st0.0
set security ike proposal Netherspite_Proposal authentication-method pre-shared-keys
set security ike proposal Netherspite_Proposal dh-group group5
set security ike proposal Netherspite_Proposal authentication-algorithm sha-256
set security ike proposal Netherspite_Proposal encryption-algorithm aes-256-cbc
set security ike policy Netherspite_Policy mode main
set security ike policy Netherspite_Policy proposals Netherspite_Proposal
set security ike policy Netherspite_Policy pre-shared-key ascii-text "$9$ZTUH.QznAuBIEyeWxVb.mf5n90OIRSl"
set security ike gateway Netherspite ike-policy Netherspite_Policy
set security ike gateway Netherspite address 1.1.1.2
set security ike gateway Netherspite dead-peer-detection interval 10
set security ike gateway Netherspite dead-peer-detection threshold 3
set security ike gateway Netherspite external-interface ge-0/0/1
set security zones security-zone untrust interfaces st0.0

Manual IPSec

  • NOTE: Phase 1 is not used here: there is no key exchange at all. The SPI, algorithms and keys are configured statically and the peer must mirror them exactly. Static keys are never rekeyed, so rotate them by hand, and treat the configuration as a secret. The hmac-md5-96 and 3des-cbc choices in this sample are legacy; the keys in the set commands below are placeholders.
security {
    ipsec {
        vpn first_vpn {
            bind-interface st0.0;
            manual {
                gateway 4.4.4.2;
                external-interface reth0.0;
                protocol esp;
                spi 16639;
                authentication {
                    algorithm hmac-md5-96;
                    key ascii-text "$9$7v-s24aZUiksYP5Qz6/reKMxNdbs2oJx7Dikqf51REcevWLx"; ## SECRET-DATA
                }
                encryption {
                    algorithm 3des-cbc;
                    key ascii-text "$9$9rb9AO1RhSrKMOBX7-dsYP5Tz/CtuO1Ec/9lKMWx7DiHq5QFn/Cp05TIEcSeKgoaZik.P5Q36"; ## SECRET-DATA
                }
            }
        }
    }
}
set security ipsec vpn first_vpn bind-interface st0.0
set security ipsec vpn first_vpn manual gateway 4.4.4.2
set security ipsec vpn first_vpn manual external-interface reth0.0
set security ipsec vpn first_vpn manual protocol esp
set security ipsec vpn first_vpn manual spi 16639
set security ipsec vpn first_vpn manual authentication algorithm hmac-md5-96
set security ipsec vpn first_vpn manual authentication key ascii-text 1111111111111111
set security ipsec vpn first_vpn manual encryption algorithm 3des-cbc
set security ipsec vpn first_vpn manual encryption key ascii-text 111111111111111111111111

Multipoint

If you are looking to make a hub and spoke VPN, you only need additional configuration on the hub device. Make the st0.0 interface multipoint and, if a spoke is not Junos or ScreenOS (which exchange next-hop tunnel bindings automatically), manually define the next-hop tunnel bindings that map each spoke's tunnel-interface address to its VPN.

interfaces {
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 192.168.1.2 ipsec-vpn first_vpn;
                next-hop-tunnel 192.168.1.3 ipsec-vpn second_vpn;
                next-hop-tunnel 192.168.1.4 ipsec-vpn third_vpn;
                address 192.168.1.1/24;
            }           
        }
    }
}
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet next-hop-tunnel 192.168.1.2 ipsec-vpn first_vpn
set interfaces st0 unit 0 family inet next-hop-tunnel 192.168.1.3 ipsec-vpn second_vpn
set interfaces st0 unit 0 family inet next-hop-tunnel 192.168.1.4 ipsec-vpn third_vpn
set interfaces st0 unit 0 family inet address 192.168.1.1/24

Troubleshooting

Phase 1 (IKE)

[edit]
metacortex@Netherspite# run show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
6       172.18.68.45    UP     82144d59fcd362f9  97b1df85d4867565  Main
3       172.18.68.43    UP     a969ae45c01deeba  418d302d2f6417ad  Main

State UP means phase 1 completed with that peer. A missing entry, or one that keeps disappearing and reappearing, points at a proposal, pre-shared key or identity mismatch, which the IKE trace described below will show.

Phase 2 (IPSEC)

[edit]
metacortex@Netherspite# run show security ipsec security-associations
  Total active tunnels: 2
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131074 172.18.68.45   500   ESP:3des/sha1   b68bea32 1825/ unlim   U   0
  >131074 172.18.68.45   500   ESP:3des/sha1   6b3ab29  1825/ unlim   U   0
  <131073 172.18.68.43   500   ESP:3des/sha1   5a533174 1455/ unlim   U   0
  >131073 172.18.68.43   500   ESP:3des/sha1   220def72 1455/ unlim   U   0
metacortex@Netherspite# run show security ipsec inactive-tunnels
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 0
  ID         Gateway      Port    Nego#   Nego Fail  Def-Del#   Flag
  131073    192.168.1.1   500    29       0         0        600a29   
  • NOTE: show security ipsec inactive-tunnels is a hidden command (it is not offered by CLI completion). A tunnel listed here is configured but has no active SA.

Traceoptions

There is a hidden command that turns on IKE tracing without configuring traceoptions and committing, but it traces only one peer at a time

metacortex@Netherspite> request security ike debug-enable local 1.1.1.1 remote 2.2.2.2 level 15

This writes the trace to the kmd log, which you can read with show log kmd

To turn this trace off run

metacortex@Netherspite> request security ike debug-disable

Performance

Each packet crossing the tunnel gains an outer IP header plus the ESP (or AH) header, IV, padding and integrity check value, so a full-size 1500-byte packet from the LAN no longer fits in a 1500-byte path MTU and is fragmented (or dropped, when DF is set). To avoid this for TCP, the SRX can rewrite the MSS in SYN packets that will traverse a VPN so that the endpoints send smaller segments.

security {
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
set security flow tcp-mss ipsec-vpn mss 1350

1350 leaves headroom for ESP overhead (including NAT-T) on paths with a 1500-byte MTU; lower it where the path MTU is smaller, for example over PPPoE. The setting is global to all IPSEC VPNs on the box, so pick a value that fits the SA with the largest overhead.
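As an added example, not part of the original page, the following Python derives the largest MSS that still avoids fragmentation for an ESP tunnel-mode SA from the path MTU and the Junos algorithm names used on this page, and checks the page's 1350 against it. The packet layout follows RFC 4303 (ESP) and the MSS convention of RFC 6691; the function names and the algorithm tables are this example's own, and AEAD suites such as AES-GCM are not covered.

```python
# ESP tunnel-mode layout (RFC 4303):
#   outer IPv4 | [UDP/4500 if NAT-T] | SPI+Seq | IV | inner IPv4 | TCP | data | pad | padlen+next | ICV
# Everything from the inner IPv4 header through padlen+next is encrypted and
# must be a whole number of cipher blocks.

IPV4_HEADER = 20     # no IP options
TCP_HEADER = 20      # MSS is defined against a 20-byte TCP header (RFC 6691)
UDP_HEADER = 8       # NAT-T (UDP/4500) encapsulation
ESP_SPI_SEQ = 8
ESP_TRAILER = 2      # pad length + next header

# Junos cipher names -> (IV bytes, cipher block bytes)
CIPHERS = {
    "aes-256-cbc": (16, 16), "aes-192-cbc": (16, 16), "aes-128-cbc": (16, 16),
    "3des-cbc": (8, 8), "des-cbc": (8, 8),
}
# Junos integrity algorithm names -> ICV bytes
ICVS = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha-256-128": 16}


def fixed_overhead(encryption, authentication, nat_t=False):
    """Bytes added outside the encrypted region: outer IP, NAT-T, SPI/Seq, IV, ICV."""
    iv, _ = CIPHERS[encryption]
    return (IPV4_HEADER + (UDP_HEADER if nat_t else 0)
            + ESP_SPI_SEQ + iv + ICVS[authentication])


def esp_packet_size(mss, encryption, authentication, nat_t=False):
    """Outer packet size carrying one full-MSS TCP segment, padding included."""
    _, block = CIPHERS[encryption]
    plaintext = IPV4_HEADER + TCP_HEADER + mss + ESP_TRAILER
    padded = -(-plaintext // block) * block          # round up to a block boundary
    return fixed_overhead(encryption, authentication, nat_t) + padded


def max_mss(mtu, encryption, authentication, nat_t=False):
    """Largest MSS whose ESP packet still fits in mtu without fragmentation."""
    _, block = CIPHERS[encryption]
    budget = mtu - fixed_overhead(encryption, authentication, nat_t)
    budget -= budget % block                         # round down to a block boundary
    return budget - ESP_TRAILER - IPV4_HEADER - TCP_HEADER


def mss_for_all(mtu, sa_specs):
    """tcp-mss ipsec-vpn is global: use the smallest value over every SA in use."""
    return min(max_mss(mtu, enc, auth, nat_t) for enc, auth, nat_t in sa_specs)


if __name__ == "__main__":
    # This page's phase 2 proposal: aes-256-cbc with hmac-sha1-96, 1500-byte path.
    print("max MSS, no NAT-T:", max_mss(1500, "aes-256-cbc", "hmac-sha1-96"))
    print("max MSS, NAT-T:   ", max_mss(1500, "aes-256-cbc", "hmac-sha1-96", nat_t=True))
    print("page value 1350 ->", esp_packet_size(1350, "aes-256-cbc", "hmac-sha1-96", nat_t=True),
          "bytes on the wire with NAT-T")
```

For the page's proposal the exact limit is 1398 without NAT-T and 1382 with it, so 1350 fits both with a small margin; switching to hmac-sha-256-128 costs another 4 bytes of ICV, which is why the global value should be computed over the most expensive SA rather than the one you happen to be looking at.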
