Scheme: How it works.
For detailed description of the tunnel parameters please refer to a separate article.
Data center side settings:
1. To configure the VPN connection on the Edge Gateway, right-click the Edge Gateway and select "Edge Gateway Services" from the menu.
2. In the VPN tab, enable the "Enable VPN" option (for an advanced gateway, the IPsec VPN service status).
3. Press "Add" to add a tunnel, or use the "+" sign on the IPsec VPN Sites tab for an advanced gateway.
4. Choose a name for the tunnel in the "Establish VPN To" field. Select the remote network in the "Remote Network" field, and specify the internal networks of your remote data center in "Peer Networks". Enter the Edge address in the "Local ID" field and the remote router address in "Peer ID/Peer IP". Finally, choose the encryption algorithm; it must match the one configured in the SRX proposals below.
Settings on the Juniper SRX side:
- Creating a tunnel interface, security zone, and static route to the VDC network:
# set interfaces st0 unit 1 description CLOUD
# set security zones security-zone VPN interfaces st0.1
# set routing-options static route 192.168.3.0/24 next-hop st0.1
- IKE settings, phase 1:
# set security ike proposal PRP-IKE-EDGE authentication-method pre-shared-keys
# set security ike proposal PRP-IKE-EDGE dh-group group14
# set security ike proposal PRP-IKE-EDGE authentication-algorithm sha1
# set security ike proposal PRP-IKE-EDGE encryption-algorithm aes-128-cbc
# set security ike proposal PRP-IKE-EDGE lifetime-seconds 28800
# set security ike policy POL-IKE-EDGE mode main
# set security ike policy POL-IKE-EDGE proposals PRP-IKE-EDGE
# set security ike policy POL-IKE-EDGE pre-shared-key ascii-text <pre-shared-key>
# set security ike gateway GWY-EDGE ike-policy POL-IKE-EDGE
# set security ike gateway GWY-EDGE address 178.170.172.165
# set security ike gateway GWY-EDGE external-interface ge0/0.1
# set security ike gateway GWY-EDGE local-address 212.232.58.14
- IKE settings, phase 2:
# set security ipsec proposal PRP-IPS-EDGE protocol esp
# set security ipsec proposal PRP-IPS-EDGE authentication-algorithm hmac-sha1-96
# set security ipsec proposal PRP-IPS-EDGE encryption-algorithm aes-128-cbc
# set security ipsec proposal PRP-IPS-EDGE lifetime-seconds 3600
# set security ipsec policy POL-IPS-EDGE perfect-forward-secrecy keys group14
# set security ipsec policy POL-IPS-EDGE proposals PRP-IPS-EDGE
# set security ipsec vpn VPN-EDGE bind-interface st0.1
# set security ipsec vpn VPN-EDGE ike gateway GWY-EDGE
# set security ipsec vpn VPN-EDGE ike proxy-identity local 192.168.1.0/24 remote 192.168.3.0/24 service any
# set security ipsec vpn VPN-EDGE ike ipsec-policy POL-IPS-EDGE
# set security ipsec vpn VPN-EDGE establish-tunnels immediately
- Configuration of the permitting security policies (both directions between the zones, plus IKE to the device itself), and applying the changes:
# set security policies from-zone VPN to-zone LAN policy Allow_ANY match source-address any
# set security policies from-zone VPN to-zone LAN policy Allow_ANY match destination-address any
# set security policies from-zone VPN to-zone LAN policy Allow_ANY match application any
# set security policies from-zone VPN to-zone LAN policy Allow_ANY then permit
# set security policies from-zone LAN to-zone VPN policy Allow_ANY match source-address any
# set security policies from-zone LAN to-zone VPN policy Allow_ANY match destination-address any
# set security policies from-zone LAN to-zone VPN policy Allow_ANY match application any
# set security policies from-zone LAN to-zone VPN policy Allow_ANY then permit
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match source-address 178.170.172.165/32
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match destination-address any
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match application junos-ike
# set security policies from-zone WAN to-zone junos-host policy EDGE_IKE then permit
# commit
- Checking the configured tunnel:
> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2889938 UP cd87ba170d9fd401 978fbcb18f5feb82 Main 178.170.172.165
> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/sha1 b81ee807 258/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c0bc14ab 258/ unlim - root 500 178.170.172.165
<131074 ESP:aes-cbc-128/sha1 5c13c32b 3124/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c5d7bd1c 3124/ unlim - root 500 178.170.172.165
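The check above only confirms that SAs exist; what matters operationally is that the negotiated SAs actually match the intended policy (the aes-128-cbc/sha1 proposal, the 3600 s phase 2 lifetime, the expected peer) and that both directions are installed. The following script is an added example, not part of the original article or of Junos; it parses the "show security ipsec security-associations" output shown above (copied in as the sample input) and reports any deviation from the configuration on this page. The parameter names, the regular expression and the finding texts are the example's own assumptions.

```python
import re

# Expected values taken from the SRX configuration on this page (PRP-IPS-EDGE, GWY-EDGE).
EXPECTED_ALG = "ESP:aes-cbc-128/sha1"
EXPECTED_PEER = "178.170.172.165"
PHASE2_LIFETIME = 3600

# Sample input copied from the output above; two pairs share ID 131074 because a rekey is in progress.
SAMPLE = """Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/sha1 b81ee807 258/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c0bc14ab 258/ unlim - root 500 178.170.172.165
<131074 ESP:aes-cbc-128/sha1 5c13c32b 3124/ unlim - root 500 178.170.172.165
>131074 ESP:aes-cbc-128/sha1 c5d7bd1c 3124/ unlim - root 500 178.170.172.165
"""

SA_LINE = re.compile(r"^(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+[0-9a-f]+\s+"
                     r"(?P<life>\d+)/\s*\S+\s+\S+\s+\S+\s+\d+\s+(?P<gw>\S+)$")

def parse_ipsec_sas(text):
    """Return a list of dicts, one per SA line; header and summary lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sas.append({"dir": m["dir"], "id": int(m["id"]), "alg": m["alg"],
                        "life": int(m["life"]), "gw": m["gw"]})
    return sas

def check_tunnel(sas, alg=EXPECTED_ALG, peer=EXPECTED_PEER, lifetime=PHASE2_LIFETIME):
    """Return findings; an empty list means every SA matches the intended policy."""
    if not sas:
        return ["no IPsec SAs: phase 2 never completed (check proposals and proxy-identity)"]
    findings = []
    for sa in sas:
        tag = f"SA {sa['id']}{sa['dir']}"
        if sa["alg"] != alg:  # a different suite means the two sides' proposals disagree
            findings.append(f"{tag}: negotiated {sa['alg']}, expected {alg}")
        if sa["gw"] != peer:
            findings.append(f"{tag}: peer {sa['gw']}, expected {peer}")
        if sa["life"] > lifetime:
            findings.append(f"{tag}: remaining life {sa['life']}s exceeds configured {lifetime}s")
    directions = {}
    for sa in sas:
        directions.setdefault(sa["id"], set()).add(sa["dir"])
    for sa_id, dirs in directions.items():
        if dirs != {"<", ">"}:  # traffic only flows when both directions are installed
            findings.append(f"SA {sa_id}: only direction(s) {''.join(sorted(dirs))} present")
    return findings
```

Run it against live output captured from the SRX (for example via `show security ipsec security-associations | no-more`) on a schedule, and alert on any non-empty result.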
Note:
If security associations are required between more than two networks, use ipsec vpn traffic-selector entries (one per required SA) instead of the ipsec vpn ike proxy-identity directive; the two are mutually exclusive, so the proxy-identity must be deactivated first. Example: adding the subnet 192.168.4.0/24 on the virtual data center side (a static route for the new subnet via st0.1 is also needed, as for 192.168.3.0/24 above):
deactivate security ipsec vpn VPN-EDGE ike proxy-identity
set security ipsec vpn VPN-EDGE traffic-selector ts1 local-ip 192.168.1.0/24 remote-ip 192.168.3.0/24
set security ipsec vpn VPN-EDGE traffic-selector ts2 local-ip 192.168.1.0/24 remote-ip 192.168.4.0/24