Hi,

I was exploring the possibilities of IPsec VPN on vSRX and wanted to check out whether that is even possible. Though a feature guide would have explained to me what vSRX supports versus what it does not, I am more of a DIY sort of guy who likes to verify things.

Anyone interested in what vSRX does can get an overview from the URL below.

http://www.juniper.net/techpubs/software/junosphere/junosphere2.0/help/Junosphere_VSRX_Feature_Support_Guide.pdf

Now moving on, I gave IPsec VPN a try. Coming from the service-provider world where MPLS rules, IPsec VPN was tough on me. Sure enough, I have done IPsec VPN previously as well, but when the goal is to dig down deep and see what is going on, you need some theory research in the first place.

I attempted a rough policy-based VPN quickly to see where I stand and what I should know better in order to study.

Below is the topology that I have used.

[Figure: IPSec topology]

In order to construct an IPsec VPN you need to have a basic idea of the steps involved, which I have summarized in a picture.

[Figure: IPSec VPN steps]

As with the SRX or Juniper in general, you need to identify which segments need a secure tunnel and which zones do not. Clearly from the picture below, zone UNTRUST would not need any IPsec tunnel as it faces the internet, while the INTERNALX zones would need to securely tunnel their traffic over the internet. Let's look at the diagram below to understand how it is split.

[Figure: Zones]

Let us quickly see the zone definitions.

[Figure: zone definitions (current_list_zones)]

Now, once we know the zones, we have to define the parameters for the IKE phase.

[Figure: IKE configuration (current_ike_policy)]

Next would be defining the IPsec VPN phase parameters.

[Figure: IPsec VPN configuration (current_ipsec_vpn_policy)]

The entire [vpn ipsec-vpn1] stanza is a reference to the IKE configuration itself, and it then calls on the set of IPsec parameters through the ipsec-policy keyword.

Now that we have configured the required parameters for IKE and IPsec, we need to know how to feed them to the system so that they take effect. Here is how we write a policy. One thing we need to make sure of: IPsec is unidirectional, hence you need to account for the flow that is coming in as well; don't be confused by how Junos treats the flows.

[Figure: security policy configuration (policy_ipsec)]

As we can see, there are policies for the forward and the return traffic; here itou and utoi mean internal-to-untrust and untrust-to-internal respectively.

Rest assured the other end of the SRX has also been configured along the same lines, and including it would bore you guys :)

Let's check if any association has formed.

[Figure: SRX1 outputs (outputs_srx1)]

Looks like there are not many flows. Do remember, I have a default route pointing to my internet. This is not a route-based VPN, and you have to remember that you need to at least have a route in the routing table so the box knows where to send the traffic in this case.
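As an added illustration of the steps above (this is not the configuration from the screenshots in the post), here is what the pieces look like together in Junos set syntax, including the route that a policy-based VPN still needs. The names ipsec-vpn1, itou and utoi are from the post; the zone INTERNAL1, the proposal/policy/gateway and address-book names, the prefixes 10.1.0.0/24, 10.2.0.0/24 and 198.51.100.x, and the interface ge-0/0/0.0 are assumed.

```junos
# Added example, not the post's own config. Zone, object names and prefixes are assumed.
# Address-book entries for the two protected segments (constructed prefixes)
set security address-book global address LOCAL-NET 10.1.0.0/24
set security address-book global address REMOTE-NET 10.2.0.0/24

# IKE phase: proposal, policy (pre-shared key is a placeholder) and gateway (peer's public address)
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group14
set security ike proposal ike-prop1 authentication-algorithm sha-256
set security ike proposal ike-prop1 encryption-algorithm aes-256-cbc
set security ike policy ike-pol1 mode main
set security ike policy ike-pol1 proposals ike-prop1
set security ike policy ike-pol1 pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway ike-gw1 ike-policy ike-pol1
set security ike gateway ike-gw1 address 198.51.100.2
set security ike gateway ike-gw1 external-interface ge-0/0/0.0

# IPsec phase: proposal, policy with PFS, and the vpn stanza that ties the IKE gateway to the IPsec policy
set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop1 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol1 perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol1 proposals ipsec-prop1
set security ipsec vpn ipsec-vpn1 ike gateway ike-gw1
set security ipsec vpn ipsec-vpn1 ike ipsec-policy ipsec-pol1

# Policy-based VPN: one policy per direction, each tunnelling into ipsec-vpn1 and paired with the other
set security policies from-zone INTERNAL1 to-zone UNTRUST policy itou match source-address LOCAL-NET
set security policies from-zone INTERNAL1 to-zone UNTRUST policy itou match destination-address REMOTE-NET
set security policies from-zone INTERNAL1 to-zone UNTRUST policy itou match application any
set security policies from-zone INTERNAL1 to-zone UNTRUST policy itou then permit tunnel ipsec-vpn ipsec-vpn1
set security policies from-zone INTERNAL1 to-zone UNTRUST policy itou then permit tunnel pair-policy utoi
set security policies from-zone UNTRUST to-zone INTERNAL1 policy utoi match source-address REMOTE-NET
set security policies from-zone UNTRUST to-zone INTERNAL1 policy utoi match destination-address LOCAL-NET
set security policies from-zone UNTRUST to-zone INTERNAL1 policy utoi match application any
set security policies from-zone UNTRUST to-zone INTERNAL1 policy utoi then permit tunnel ipsec-vpn ipsec-vpn1
set security policies from-zone UNTRUST to-zone INTERNAL1 policy utoi then permit tunnel pair-policy itou

# No tunnel interface exists in a policy-based VPN, so the remote prefix must still be routable
# toward the UNTRUST side (a default route toward the internet does the same job)
set routing-options static route 10.2.0.0/24 next-hop 198.51.100.1
```

After committing, `show security ike security-associations` and `show security ipsec security-associations` confirm that phase 1 and phase 2 came up, and `show security flow session` shows which of the two policies each direction of the traffic matched.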

Let us generate some flow to see if this is successful.

[Figure: security ping response (secutity_ping_response)]

[Figure: security flow session (security_flow_sesssion)]

This pretty much sums up my basic understanding of IPsec site-to-site policy-based VPN. Based on this understanding, I will be exploring a few more ways to build this more efficiently.

Thank You

Rakesh