PSK IPSec VPN – SRX to ASA

Comment

In this video, we’re going to configure an IPSec VPN between Juniper SRX and Cisco ASA using pre-shared key for authentication. We’re going use IKEv2 for phase 1, and for phase 2, we’re going to use the ASA’s relatively new static virtual tunnel interface, or SVTI.

Video
https://youtu.be/OF6CuYOFQSM
Topology & Final Configs
TopologySRX0ASA0

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoASAlab
set security ike gateway ASA0 ike-policy IKE_POLI
set security ike gateway ASA0 address 208.105.102.30
set security ike gateway ASA0 local-identity hostname SRX0
set security ike gateway ASA0 remote-identity hostname ASA0
set security ike gateway ASA0 external-interface ge-0/0/0.0
set security ike gateway ASA0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn ASA0 bind-interface st0.0
set security ipsec vpn ASA0 ike gateway ASA0
set security ipsec vpn ASA0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.0
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 0 description ASA0
set interfaces st0 unit 0 family inet address 172.16.0.0/31
set protocols bgp group ASA0 export Export_to_ASA0
set protocols bgp group ASA0 peer-as 10
set protocols bgp group ASA0 local-as 10
set protocols bgp group ASA0 neighbor 172.16.0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
set policy-options policy-statement Export_to_ASA0 term Loopback from protocol direct
set policy-options policy-statement Export_to_ASA0 term Loopback from route-filter 10.0.0.0/32 exact
set policy-options policy-statement Export_to_ASA0 term Loopback then accept
set policy-options policy-statement Export_to_ASA0 term Reject then reject
#
!
hostname ASA0
!
interface GigabitEthernet0/0
nameif WWW
security-level 0
ip address 208.105.102.30 255.255.255.224
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 192.168.0.1 255.255.255.0
!
icmp permit any WWW
!
route WWW 0.0.0.0 0.0.0.0 208.105.102.1 1
!
crypto ikev2 enable WWW
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
!
tunnel-group SRX0 type ipsec-l2l
tunnel-group SRX0 ipsec-attributes
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key thisisanSRXtoASAlab
ikev2 local-authentication pre-shared-key thisisanSRXtoASAlab
!
crypto isakmp identity hostname
!
crypto ipsec ikev2 ipsec-proposal IPSEC_PROP
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto ipsec profile SRX0
set ikev2 ipsec-proposal IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
!
interface Tunnel0
nameif SRX0
ip address 172.16.0.1 255.255.255.254
tunnel source interface WWW
tunnel destination 107.22.138.98
tunnel mode ipsec ipv4
tunnel protection ipsec profile SRX0
!
router bgp 10
bgp log-neighbor-changes
bgp router-id 192.168.0.1
address-family ipv4 unicast
neighbor 172.16.0.0 remote-as 10
neighbor 172.16.0.0 activate
network 192.168.0.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
management-access LAN
!

PSK IPSec VPN – SRX to RouterOS

Comment

In this writeup, we’re going to set up an IPSec VPN between Juniper SRX and MikroTik RouterOS. To keep the Phase 1 tunnel simple, we’ll use IKE version 2 with pre-shared keys for authentication. RouterOS doesn’t yet support route-based Phase 2 tunnels, so we’ll configure policy-based on the RouterOS side, but keep the SRX side route-based so we can see how they interplay. If there’s enough interest in this content, I can turn this writeup into a video.

Continue reading »

PKI IPSec VPN – SRX to IOS

Comment

In this video, we’re going to update an existing IPSec VPN between Juniper SRX and Cisco IOS from pre-shared key to certificate authentication. We’re going to be looking at how IOS certificate configuration differs from SRX.

Video
https://youtu.be/JaZ7iBqK4bk
Topology & Final Configs
TopologySRX0 PKI StepsSRX0IOS1 PKI StepsIOS1

  • At the configuration prompt (#), do the following:
  • If using a CRL, configure a DNS server: “set system name-server X.X.X.X”.
  • Configure a CA profile: “set security pki ca-profile CA_PROF ca-identity CA_CERT”.
  • Commit both
  • At the operational prompt (>), do the following:
  • Verify accurate date/time: “show system uptime”. If not accurate: “set date X”.
  • Make PKI directory: “file make-directory /var/tmp/PKI/”
  • Copy CA cert to PKI directory: “file copy http://X.X.X.X/ca.crt /var/tmp/PKI/”
  • Load CA cert into CA profile: “request security pki ca-certificate load ca-profile CA_PROF filename /var/tmp/PKI/ca.crt”
  • Verify CA cert: “show security pki ca-certificate detail”
  • Verify CRL, if applicable: “show security pki crl detail”
  • Generate keypair: “request security pki generate-key-pair certificate-id SRX0_CERT size 2048 type rsa”
  • Generate CSR: “request security pki generate-certificate-request certificate-id SRX0_CERT digest sha-256 domain-name SRX0.node9.lab filename /var/tmp/PKI/SRX0.csr subject “CN=SRX0.node9.lab,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US” “
  • Have CA sign CSR which generates local cert.
  • Copy local cert to PKI directory: “file copy http://X.X.X.X/SRX0.crt /var/tmp/PKI/”
  • Load local cert: “request security pki local-certificate load certificate-id SRX0_CERT filename /var/tmp/PKI/SRX0.crt”
  • Verify local cert: “show security pki local-certificate detail”
#
set system host-name SRX0
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX0_CERT
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity distinguished-name
set security ike gateway IOS1 remote-identity distinguished-name container CN=IOS1.node9.tech
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
  • At the configuration prompt (config)#, do the following:
  • If using a CRL, configure a DNS server: “ip name-server X.X.X.X”.
  • Configure the trustpoint:
    crypto pki trustpoint CA
    enrollment terminal pem
    subject-name CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US
    revocation-check none
    rsakeypair IOS1 2048
    hash sha256
  • At the operational prompt (#), do the following:
  • Verify accurate date/time: “show clock”. If not accurate: “clock set X”.
  • Load CA cert into CA profile: “crypto pki authenticate CA”
  • Generate CSR: “crypto pki enroll CA”
  • Load local cert: “crypto pki import CA certificate”
  • Verify trustpoint: “show crypto pki trustpoints CA status”
  • Verify certificates: “show crypto pki certificates CA”
!
hostname IOS1
!
ip name-server 35.15.173.8
!
crypto pki trustpoint CA
enrollment terminal pem
subject-name CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US
revocation-check none
rsakeypair IOS1 2048
hash sha256
!
crypto pki certificate map SRX0 10
subject-name co cn = SRX0.node9.tech
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match certificate SRX0
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Tunnel1
tunnel mode ipsec ipv4
description SRX0
ip address 172.16.1.1 255.255.255.254
ip mtu 1400
tunnel source 208.105.102.30
tunnel destination 107.22.138.98
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!

PSK IPSec VPN – SRX to IOS

Comment

In this video, we’re going to set up an IPSec VPN between Juniper SRX and Cisco IOS. Our Phase 1 tunnel will be IKE version 2 with pre-shared keys for authentication. Our Phase 2 tunnel will be route-based with tunnel interfaces. We’re going to be looking at the IOS configuration and how it differs from the SRX, plus looking at how to do a dynamic peer on IOS.

Video
https://youtu.be/8ecRCktYZtU
Topology & Final Configs
TopologySRX0 Static PeerSRX0 Dynamic PeerIOS1 Static VTIIOS1 Dynamic VTI

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 remote-identity hostname IOS1
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisanSRXtoIOSlab
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 dynamic hostname IOS1
set security ike gateway IOS1 local-identity hostname SRX0
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match identity remote fqdn SRX0
identity local fqdn IOS1
authentication remote pre-share key thisisanSRXtoIOSlab
authentication local pre-share key thisisanSRXtoIOSlab
lifetime 86400
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Tunnel1
tunnel mode ipsec ipv4
description SRX0
ip address 172.16.1.1 255.255.255.254
ip mtu 1400
tunnel source 208.105.102.30
tunnel destination 107.22.138.98
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
!
hostname IOS1
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match identity remote fqdn SRX0
identity local fqdn IOS1
authentication remote pre-share key thisisanSRXtoIOSlab
authentication local pre-share key thisisanSRXtoIOSlab
lifetime 86400
virtual-template 1
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
description DVTI
ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
interface Virtual-Template1 type tunnel
description SRX0
ip unnumbered Loopback1
ip mtu 1400
tunnel source 208.105.102.30
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!

PSK IPSec VPN – SRX to SRX – Thru NAT

Comment

In this video, we’re going overcome the challenges in setting up an IPSec VPN thru a NAT. We’ll be using Juniper SRXs as our VPN peers, IKEv2 for the Phase 1 tunnel with pre-shared keys for authentication, and our Phase 2 tunnel with be route-based. We’re also going to look at what NAT Keepalive and NAT Traversal do for us.

Video
https://youtu.be/gUOKOUhJY1o
Static NAT - Topology & Final Configs
TopologySRX0SRX1SRX2

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 208.105.102.61
set security ike gateway SRX1 no-nat-traversal
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 address 208.105.102.62
set security ike gateway SRX2 no-nat-traversal
set security ike gateway SRX2 remote-identity hostname SRX2
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity inet 208.105.102.61
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
Dynamic NAT - Topology & Final Configs
TopologySRX0SRX1SRX2

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 dynamic hostname SRX1
set security ike gateway SRX1 no-nat-traversal
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 dynamic hostname SRX2
set security ike gateway SRX2 no-nat-traversal
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX1
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 no-nat-traversal
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#
NAT Overload - Topology & Final Configs
TopologySRX0SRX1SRX2

#
set system host-name SRX0
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 dynamic hostname SRX1
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX2 ike-policy IKE_POLI
set security ike gateway SRX2 dynamic hostname SRX2
set security ike gateway SRX2 external-interface ge-0/0/0.0
set security ike gateway SRX2 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.1
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX2 bind-interface st0.2
set security ipsec vpn SRX2 df-bit copy
set security ipsec vpn SRX2 ike gateway SRX2
set security ipsec vpn SRX2 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description SRX1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.0/31
set interfaces st0 unit 2 description SRX2
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
#
set system host-name SRX1
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 local-identity hostname SRX1
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.1
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.101/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces st0 unit 1 description SRX0
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.1.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.1
#
#
set system host-name SRX2
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text thisisaNATlab
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 local-identity hostname SRX2
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.2
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.2
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.102/24
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces st0 unit 2 description SRX0
set interfaces st0 unit 2 family inet mtu 1400
set interfaces st0 unit 2 family inet address 172.16.2.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.2
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.2
#

PKI IPSec VPN – SRX to SRX – Multi SA

Comment

In this video, I configure a route-based IPSec VPN between two Juniper SRXs, this time using PKI certificates for authentication. I also demonstrate configuring IKE Dead Peer Detection(DPD) and multiple child IPSec SAs sharing a single IKE SA by using IKE Proxy Identity.

Video
https://youtu.be/v5gjdJzQaL4
Topology & Final Configs
TopologyPKI StepsSRX0SRX1

  • At the configuration prompt (#), do the following:
  • If using a CRL, configure a DNS server: “set system name-server X.X.X.X”.
  • Configure a CA profile: “set security pki ca-profile CA_PROF ca-identity CA_CERT”.
  • Commit both
  • At the operational prompt (>), do the following:
  • Verify accurate date/time: “show system uptime”. If not accurate: “set date X”.
  • Make PKI directory: “file make-directory /var/tmp/PKI/”
  • Copy CA cert to PKI directory: “file copy http://X.X.X.X/ca.crt /var/tmp/PKI/”
  • Load CA cert into CA profile: “request security pki ca-certificate load ca-profile CA_PROF filename /var/tmp/PKI/ca.crt”
  • Verify CA cert: “show security pki ca-certificate detail”
  • Verify CRL, if applicable: “show security pki crl detail”
  • Generate keypair: “request security pki generate-key-pair certificate-id SRX0_CERT size 2048 type rsa”
  • Generate CSR: “request security pki generate-certificate-request certificate-id SRX0_CERT digest sha-256 subject “CN=SRX0.node9.lab,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US” domain-name SRX0.node9.lab filename /var/tmp/PKI/SRX0.csr”
  • Have CA sign CSR which generates local cert.
  • Copy local cert to PKI directory: “file copy http://X.X.X.X/SRX0.crt /var/tmp/PKI/”
  • Load local cert: “request security pki local-certificate load certificate-id SRX0_CERT filename /var/tmp/PKI/SRX0.crt”
  • Verify local cert: “show security pki local-certificate detail”
#
set system host-name SRX0
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX0_CERT
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX1 local-identity distinguished-name
set security ike gateway SRX1 remote-identity distinguished-name container CN=SRX1.node9.lab
set security ike gateway SRX1 dead-peer-detection probe-idle-tunnel
set security ike gateway SRX1 dead-peer-detection interval 5
set security ike gateway SRX1 dead-peer-detection threshold 2
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1_21 bind-interface st0.21
set security ipsec vpn SRX1_21 df-bit copy
set security ipsec vpn SRX1_21 ike gateway SRX1
set security ipsec vpn SRX1_21 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX1_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX1_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX1_121 bind-interface st0.121
set security ipsec vpn SRX1_121 df-bit copy
set security ipsec vpn SRX1_121 ike gateway SRX1
set security ipsec vpn SRX1_121 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX1_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX1_121 ike proxy-identity remote 2.2.2.2/32
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set security zones security-zone CORP interfaces st0.121
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.20/32
set interfaces st0 unit 21 description SRX1
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.0/31
set interfaces st0 unit 121 description SRX1
set interfaces st0 unit 121 family inet mtu 1400
set interfaces st0 unit 121 family inet address 172.16.121.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set protocols ospf area 0.0.0.0 interface st0.121
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.20
#
#
set system host-name SRX1
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX1_CERT
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ike gateway SRX0 local-identity distinguished-name
set security ike gateway SRX0 remote-identity distinguished-name container CN=SRX0.node9.lab
set security ike gateway SRX0 dead-peer-detection probe-idle-tunnel
set security ike gateway SRX0 dead-peer-detection interval 5
set security ike gateway SRX0 dead-peer-detection threshold 2
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0_21 bind-interface st0.21
set security ipsec vpn SRX0_21 df-bit copy
set security ipsec vpn SRX0_21 ike gateway SRX0
set security ipsec vpn SRX0_21 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX0_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX0_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX0_121 bind-interface st0.121
set security ipsec vpn SRX0_121 df-bit copy
set security ipsec vpn SRX0_121 ike gateway SRX0
set security ipsec vpn SRX0_121 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX0_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX0_121 ike proxy-identity remote 2.2.2.2/32
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set security zones security-zone CORP interfaces st0.121
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 43.164.20.254/30
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.21/32
set interfaces st0 unit 21 description SRX0
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.1/31
set interfaces st0 unit 121 description SRX0
set interfaces st0 unit 121 family inet mtu 1400
set interfaces st0 unit 121 family inet address 172.16.121.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set protocols ospf area 0.0.0.0 interface st0.121
set routing-options static route 0.0.0.0/0 next-hop 43.164.20.253
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.21
#

PSK IPSec VPN – SRX to SRX – Long & Short

Comment

In these videos, we configure an IPSec VPN between two Juniper SRXs using pre-shared key for authentication.

Long Video
https://youtu.be/pPEgFtgNJUs
Short Video
https://youtu.be/F-803rcKFYQ
Topology & Final Configs
TopologySRX0SRX1

#
set system host-name SRX0
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text $RX1k3y!
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1 bind-interface st0.21
set security ipsec vpn SRX1 df-bit copy
set security ipsec vpn SRX1 ike gateway SRX1
set security ipsec vpn SRX1 ike ipsec-policy IPSEC_POLI
set security policies default-policy permit-all
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.20/32
set interfaces st0 unit 21 description SRX1
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.20
#
#
set system host-name SRX1
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI pre-shared-key ascii-text $RX1k3y!
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0 bind-interface st0.21
set security ipsec vpn SRX0 df-bit copy
set security ipsec vpn SRX0 ike gateway SRX0
set security ipsec vpn SRX0 ike ipsec-policy IPSEC_POLI
set security policies default-policy permit-all
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 43.164.20.254/30
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.21/32
set interfaces st0 unit 21 description SRX0
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set routing-options static route 0.0.0.0/0 next-hop 43.164.20.253
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.21
#