PKI IPSec VPN – SRX to SRX – Multi SA

In this video, I configure a route-based IPSec VPN between two Juniper SRXs, this time using PKI certificates (IKEv2 with RSA signatures) for authentication. I also demonstrate configuring IKE Dead Peer Detection (DPD) and multiple child IPSec SAs sharing a single IKE SA by using IKE proxy identities: both vpn objects point at the same IKE gateway, and each is given its own dummy proxy-identity pair (1.1.1.1/32 and 2.2.2.2/32, mirrored on the peer) so that the SRX can tell the two child SAs apart. On a route-based VPN the proxy identity only labels the SA; it does not filter the traffic routed over st0, which is why OSPF across 172.16.21.0/31 and 172.16.121.0/31 works with those proxy identities. DPD is set to probe-idle-tunnel, so probes go out only when no traffic has crossed the tunnel within the 5-second interval, and the peer is declared dead after 2 unanswered probes. The peer is identified by the subject DN of the certificate it presents (remote-identity distinguished-name container CN=...), so the CN in each CSR must be exactly what the other side is configured to expect; when more than one CA profile is configured, also pin the peer certificate to the intended CA with set security ike policy IKE_POLI certificate trusted-ca CA_PROF.

Topology & Final Configs
Topology, as reflected in the configs below: SRX0 and SRX1 each have one WAN interface in zone WWW (ge-0/0/0, 107.22.138.98/29 on SRX0 and 43.164.20.254/30 on SRX1) with a static default route, a loopback in zone CORP (10.0.0.20/32 and 10.0.0.21/32), and two st0 tunnel interfaces between them (172.16.21.0/31 and 172.16.121.0/31) running OSPF area 0.0.0.0.

PKI Steps

  • At the configuration prompt (#), do the following:
  • If certificate revocation checking is left enabled (the Junos default) and the CRL distribution point in the certificates is a hostname, configure a DNS server so the SRX can fetch the CRL: set system name-server X.X.X.X. If the CRL cannot be retrieved, certificate validation, and therefore IKE authentication, fails; to skip the check deliberately, use set security pki ca-profile CA_PROF revocation-check disable.
  • Configure a CA profile: set security pki ca-profile CA_PROF ca-identity CA_CERT
  • Commit.
  • At the operational prompt (>), do the following:
  • Verify the date and time are accurate: show system uptime. Certificate validity periods are checked against the system clock, so a wrong clock makes an otherwise valid certificate fail. If not accurate: set date X
  • Make a PKI directory: file make-directory /var/tmp/PKI/
  • Copy the CA certificate to the PKI directory: file copy http://X.X.X.X/ca.crt /var/tmp/PKI/
  • Load the CA certificate into the CA profile: request security pki ca-certificate load ca-profile CA_PROF filename /var/tmp/PKI/ca.crt
  • Verify the CA certificate: show security pki ca-certificate detail
  • Verify the CRL, if applicable: show security pki crl detail
  • Generate a keypair: request security pki generate-key-pair certificate-id SRX0_CERT size 2048 type rsa
  • Generate a CSR: request security pki generate-certificate-request certificate-id SRX0_CERT digest sha-256 subject "CN=SRX0.node9.lab,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US" domain-name SRX0.node9.lab filename /var/tmp/PKI/SRX0.csr
  • Have the CA sign the CSR; the signed certificate is this SRX's local certificate. The subject CN is what the peer matches with remote-identity distinguished-name container CN=..., so it must be exactly the CN the peer is configured for (SRX0.node9.lab here).
  • Copy the local certificate to the PKI directory: file copy http://X.X.X.X/SRX0.crt /var/tmp/PKI/
  • Load the local certificate: request security pki local-certificate load certificate-id SRX0_CERT filename /var/tmp/PKI/SRX0.crt
  • Verify the local certificate (issuer, validity dates, key size): show security pki local-certificate detail
  • Repeat on SRX1 with certificate-id SRX1_CERT and subject CN=SRX1.node9.lab, which is the CN SRX0's remote-identity expects.
SRX0
#
set system host-name SRX0
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX0_CERT
set security ike gateway SRX1 ike-policy IKE_POLI
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ike gateway SRX1 version v2-only
set security ike gateway SRX1 local-identity distinguished-name
set security ike gateway SRX1 remote-identity distinguished-name container CN=SRX1.node9.lab
set security ike gateway SRX1 dead-peer-detection probe-idle-tunnel
set security ike gateway SRX1 dead-peer-detection interval 5
set security ike gateway SRX1 dead-peer-detection threshold 2
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX1_21 bind-interface st0.21
set security ipsec vpn SRX1_21 df-bit copy
set security ipsec vpn SRX1_21 ike gateway SRX1
set security ipsec vpn SRX1_21 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX1_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX1_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX1_121 bind-interface st0.121
set security ipsec vpn SRX1_121 df-bit copy
set security ipsec vpn SRX1_121 ike gateway SRX1
set security ipsec vpn SRX1_121 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX1_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX1_121 ike proxy-identity remote 2.2.2.2/32
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set security zones security-zone CORP interfaces st0.121
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.20/32
set interfaces st0 unit 21 description SRX1
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.0/31
set interfaces st0 unit 121 description SRX1
set interfaces st0 unit 121 family inet mtu 1400
set interfaces st0 unit 121 family inet address 172.16.121.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set protocols ospf area 0.0.0.0 interface st0.121
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.20
#
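The st0 units above are set to an MTU of 1400 with df-bit copy. The following added example (my own, not code from the video or from the configs above) works out why 1400 is a safe inner MTU for this page's transform, ESP tunnel mode with aes-256-cbc and hmac-sha-256-128 over a 1500-byte WAN, by computing the ESP header, IV, CBC padding and ICV overhead, with and without NAT-T UDP encapsulation. It assumes an IPv4 outer header without options; the byte sizes are the RFC values named in the comments.

```python
"""Added example (not from the video or the page's configs): ESP overhead arithmetic
showing why 'family inet mtu 1400' on st0 is safe for this page's transform.

Transform on the page: ESP tunnel mode, aes-256-cbc, hmac-sha-256-128.
Sizes: ESP header 8 (RFC 4303), AES-CBC IV/block 16 (RFC 3602), trailer 2
(pad length + next header), ICV 16 (RFC 4868 truncation), IPv4 outer header 20
(assumed: no options), NAT-T UDP header 8 (RFC 3948) when NAT is detected.
"""

ESP_HEADER = 8      # SPI + sequence number
AES_BLOCK = 16      # CBC block size; the IV is one block
ESP_TRAILER = 2     # pad-length + next-header bytes, inside the encrypted part
ICV = 16            # hmac-sha-256-128 authenticates with a 128-bit tag
OUTER_IPV4 = 20
NAT_T_UDP = 8


def esp_packet_size(inner_len, nat_t=False):
    """Size of the outer IPv4 packet after tunnel-mode ESP encapsulation."""
    encrypted = inner_len + ESP_TRAILER
    pad = (-encrypted) % AES_BLOCK          # CBC needs whole blocks
    udp = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + udp + ESP_HEADER + AES_BLOCK + encrypted + pad + ICV


def max_inner_mtu(outer_mtu=1500, nat_t=False):
    """Largest inner packet whose encapsulation still fits the outer MTU."""
    inner = outer_mtu
    while esp_packet_size(inner, nat_t) > outer_mtu:
        inner -= 1
    return inner


def st0_mtu_is_safe(st0_mtu, outer_mtu=1500):
    """True if packets up to st0_mtu never need outer fragmentation, NAT-T or not.

    NAT-T is the worst case because it adds the UDP header, so checking it
    covers the plain-ESP case as well.
    """
    return esp_packet_size(st0_mtu, nat_t=True) <= outer_mtu


if __name__ == "__main__":
    print("max inner MTU, no NAT-T:", max_inner_mtu())
    print("max inner MTU, NAT-T:   ", max_inner_mtu(nat_t=True))
    print("st0 mtu 1400 safe:", st0_mtu_is_safe(1400))
```

The largest inner packet that fits a 1500-byte outer packet is 1438 bytes without NAT-T and 1422 bytes with it, so 1400 leaves headroom in both cases. A packet larger than the st0 MTU that carries DF is not fragmented; the SRX returns an ICMP fragmentation-needed message, so hosts doing path MTU discovery settle on 1400 before encryption, and df-bit copy then carries the inner DF bit into the outer ESP packet rather than clearing it.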
SRX1
#
set system host-name SRX1
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX1_CERT
set security ike gateway SRX0 ike-policy IKE_POLI
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ike gateway SRX0 version v2-only
set security ike gateway SRX0 local-identity distinguished-name
set security ike gateway SRX0 remote-identity distinguished-name container CN=SRX0.node9.lab
set security ike gateway SRX0 dead-peer-detection probe-idle-tunnel
set security ike gateway SRX0 dead-peer-detection interval 5
set security ike gateway SRX0 dead-peer-detection threshold 2
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn SRX0_21 bind-interface st0.21
set security ipsec vpn SRX0_21 df-bit copy
set security ipsec vpn SRX0_21 ike gateway SRX0
set security ipsec vpn SRX0_21 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX0_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX0_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX0_121 bind-interface st0.121
set security ipsec vpn SRX0_121 df-bit copy
set security ipsec vpn SRX0_121 ike gateway SRX0
set security ipsec vpn SRX0_121 ike ipsec-policy IPSEC_POLI
set security ipsec vpn SRX0_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX0_121 ike proxy-identity remote 2.2.2.2/32
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.21
set security zones security-zone CORP interfaces st0.121
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 43.164.20.254/30
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.21/32
set interfaces st0 unit 21 description SRX0
set interfaces st0 unit 21 family inet mtu 1400
set interfaces st0 unit 21 family inet address 172.16.21.1/31
set interfaces st0 unit 121 description SRX0
set interfaces st0 unit 121 family inet mtu 1400
set interfaces st0 unit 121 family inet address 172.16.121.1/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.21
set protocols ospf area 0.0.0.0 interface st0.121
set routing-options static route 0.0.0.0/0 next-hop 43.164.20.253
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.21
#
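What lets the two child SAs share one IKE SA is that each vpn on the same gateway carries a different proxy-identity pair, mirrored on the peer. As an added example, not code from the video, here is a small Python checker that parses Junos set lines like the ones above and flags duplicate proxy-identity pairs on one gateway, pairs that do not mirror across the two SRXs, and gateway addresses that do not match the peer's external-interface address. The SRX0 and SRX1 samples are the relevant subset of the set lines above; BROKEN is a constructed variant with the proxy-identity lines omitted, and the 0.0.0.0/0 fallback is the value Junos uses when no proxy identity is configured.

```python
"""Added example (not from the video): consistency checks for a pair of SRX
'set' configurations sharing one IKE gateway between several IPsec VPNs.

Checks: (1) no two VPNs on the same gateway use the same local/remote
proxy-identity pair; (2) each pair on one SRX is mirrored (remote/local)
on the other; (3) each gateway address is the peer's external address.
"""
from collections import defaultdict

DEFAULT_PROXY_ID = "0.0.0.0/0"   # Junos default when no proxy-identity is set

# Subset of the set lines shown on the page for SRX0 and SRX1.
SRX0 = """\
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ipsec vpn SRX1_21 ike gateway SRX1
set security ipsec vpn SRX1_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX1_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX1_121 ike gateway SRX1
set security ipsec vpn SRX1_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX1_121 ike proxy-identity remote 2.2.2.2/32
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
"""

SRX1 = """\
set security ike gateway SRX0 address 107.22.138.98
set security ike gateway SRX0 external-interface ge-0/0/0.0
set security ipsec vpn SRX0_21 ike gateway SRX0
set security ipsec vpn SRX0_21 ike proxy-identity local 1.1.1.1/32
set security ipsec vpn SRX0_21 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn SRX0_121 ike gateway SRX0
set security ipsec vpn SRX0_121 ike proxy-identity local 2.2.2.2/32
set security ipsec vpn SRX0_121 ike proxy-identity remote 2.2.2.2/32
set interfaces ge-0/0/0 unit 0 family inet address 43.164.20.254/30
"""

# Constructed failure case: same two VPNs on one gateway, no proxy-identity lines.
BROKEN = """\
set security ike gateway SRX1 address 43.164.20.254
set security ike gateway SRX1 external-interface ge-0/0/0.0
set security ipsec vpn SRX1_21 ike gateway SRX1
set security ipsec vpn SRX1_121 ike gateway SRX1
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
"""


def parse(cfg):
    """Extract IKE gateways, IPsec VPNs and interface addresses from set lines."""
    gateways, vpns, ifaddrs = {}, {}, {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:4] == ["set", "security", "ike", "gateway"] and len(t) > 6:
            if t[5] in ("address", "external-interface"):
                gateways.setdefault(t[4], {})[t[5]] = t[6]
        elif t[:4] == ["set", "security", "ipsec", "vpn"] and len(t) > 7:
            vpn = vpns.setdefault(t[4], {"local": DEFAULT_PROXY_ID, "remote": DEFAULT_PROXY_ID})
            if t[5:7] == ["ike", "gateway"]:
                vpn["gateway"] = t[7]
            elif t[5:7] == ["ike", "proxy-identity"] and len(t) > 8:
                vpn[t[7]] = t[8]                       # t[7] is "local" or "remote"
        elif t[:2] == ["set", "interfaces"] and t[5:8] == ["family", "inet", "address"]:
            ifaddrs[f"{t[2]}.{t[4]}"] = t[8].split("/")[0]   # "ge-0/0/0.0" -> address
    return gateways, vpns, ifaddrs


def duplicate_proxy_ids(vpns):
    """Groups of VPNs that share a gateway AND a local/remote proxy-identity pair."""
    groups = defaultdict(list)
    for name, v in vpns.items():
        groups[(v.get("gateway"), v["local"], v["remote"])].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def unmirrored(vpns_a, vpns_b):
    """VPNs on A with no VPN on B whose remote/local equals A's local/remote."""
    mirrors = {(v["remote"], v["local"]) for v in vpns_b.values()}
    return sorted(n for n, v in vpns_a.items() if (v["local"], v["remote"]) not in mirrors)


def bad_gateway_addresses(gws_a, gws_b, ifaddrs_b):
    """Gateways on A whose address is not an external-interface address used by B."""
    b_external = {ifaddrs_b.get(g.get("external-interface")) for g in gws_b.values()}
    return sorted(n for n, g in gws_a.items() if g.get("address") not in b_external)


def check_pair(cfg_a, cfg_b):
    """Run every check in both directions; all-empty lists mean the pair is consistent."""
    gws_a, vpns_a, if_a = parse(cfg_a)
    gws_b, vpns_b, if_b = parse(cfg_b)
    return {
        "duplicate_proxy_ids": duplicate_proxy_ids(vpns_a) + duplicate_proxy_ids(vpns_b),
        "unmirrored": unmirrored(vpns_a, vpns_b) + unmirrored(vpns_b, vpns_a),
        "bad_gateway_addresses": bad_gateway_addresses(gws_a, gws_b, if_b)
        + bad_gateway_addresses(gws_b, gws_a, if_a),
    }


if __name__ == "__main__":
    print("page configs:", check_pair(SRX0, SRX1))
    print("broken SRX0: ", check_pair(BROKEN, SRX1))
```

Run it against the two configs on this page and every list comes back empty; run it with BROKEN in place of SRX0 and both VPNs are reported as sharing the default 0.0.0.0/0 pair on gateway SRX1, which is the collision the dummy proxy identities exist to avoid.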
