This example uses the following hardware:
- SRX240 device
- SSG140 device
Figure 1 shows an example of
a route-based VPN topology. In this topology, the SRX Series device
is located in Sunnyvale, and an SSG Series device (or a third-party
device) is located in Chicago.
In this example, you configure interfaces, an IPv4 default route,
security zones, and address books. Then you configure IKE Phase 1,
IPsec Phase 2, security policy, and TCP-MSS parameters. See
Table 1 through
Table 5 for specific configuration
parameters used in this example.
Table 1: Interface, Static
Route, Security Zone, and Address Book Information
Feature
|
Name
|
Configuration Parameters
|
|---|
Interfaces
|
ge-0/0/0.0
|
10.10.10.1/24
|
| |
ge-0/0/3.0
|
1.1.1.2/30
|
| |
st0.0 (tunnel interface)
|
10.11.11.10/24
|
Static routes
|
0.0.0.0/0 (default route)
|
The next hop is 1.1.1.1.
|
| |
192.168.168.0/24
|
The next hop is st0.0.
|
Security zones
|
trust
|
- All system services are allowed.
- The ge-0/0/0.0 interface is bound to this zone.
|
| |
untrust
|
- IKE is the only allowed system service.
- The ge-0/0/3.0 interface is bound to this zone.
|
| |
vpn-chicago
|
The st0.0 interface is bound to this zone.
|
Address book entries
|
sunnyvale
|
- This address is an entry in the address book book1, which is attached to a zone called trust.
- The address for this address book entry is 10.10.10.0/24.
|
| |
chicago
|
- This address is an entry in the address book book2, which is attached to a zone called vpn-chicago.
- The address for this address book entry is 192.168.168.0/24.
|
Table 2: IKE Phase 1 Configuration
Parameters
Feature
|
Name
|
Configuration Parameters
|
|---|
Proposal
|
ike-phase1-proposal
|
- Authentication method: pre-shared-keys
- Diffie-Hellman group: group2
- Authentication algorithm: sha1
- Encryption algorithm: aes-128-cbc
|
Policy
|
ike-phase1-policy
|
- Mode: main
- Proposal reference: ike-phase1-proposal
- IKE Phase 1 policy authentication method: pre-shared-key
ascii-text
|
Gateway
|
gw-chicago
|
- IKE policy reference: ike-phase1-policy
- External interface: ge-0/0/3.0
- Gateway address: 2.2.2.2
|
Table 3: IPsec Phase 2 Configuration
Parameters
Feature
|
Name
|
Configuration Parameters
|
|---|
Proposal
|
ipsec-phase2-proposal
|
- Protocol: esp
- Authentication algorithm: hmac-sha1-96
- Encryption algorithm: aes-128-cbc
|
Policy
|
ipsec-phase2-policy
|
- Proposal reference: ipsec-phase2-proposal
- PFS: Diffie-Hellman group2
|
VPN
|
ike-vpn-chicago
|
- IKE gateway reference: gw-chicago
- IPsec policy reference: ipsec-phase2-policy
- Bind to interface: st0.0
|
Table 4: Security Policy
Configuration Parameters
Purpose
|
Name
|
Configuration Parameters
|
|---|
The security policy permits traffic from the trust zone
to the vpn-chicago zone.
|
vpn-tr-chi
|
- Match criteria:
- source-address sunnyvale
- destination-address chicago
- application any
- Action: permit
|
The security policy permits traffic from the vpn-chicago
zone to the trust zone.
|
vpn-chi-tr
|
- Match criteria:
- source-address chicago
- destination-address sunnyvale
- application any
|
Table 5: TCP-MSS
Configuration Parameters
Purpose
|
Configuration Parameters
|
|---|
TCP-MSS is negotiated as part of the TCP three-way handshake
and limits the maximum size of a TCP segment to better fit the MTU
limits on a network. For VPN traffic, the IPsec encapsulation overhead,
along with the IP and frame overhead, can cause the resulting ESP
packet to exceed the MTU of the physical interface, which causes fragmentation.
Fragmentation increases bandwidth and device resources.
Note:
We recommend a value of 1350 as the starting point for
most Ethernet-based networks with an MTU of 1500 or greater. You might
need to experiment with different TCP-MSS values to obtain optimal
performance. For example, you might need to change the value if any
device in the path has a lower MTU, or if there is any additional
overhead such as PPP or Frame Relay.
|
MSS value: 1350
|
Configuration
Configuring Interface, Static Route, Security Zone, and Address
Book Information
CLI Quick Configuration
To quickly configure this section of the example,
copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set interfaces ge-0/0/0 unit 0 family inet
address 10.10.10.1/24set interfaces ge-0/0/3 unit 0 family inet
address 1.1.1.2/30set interfaces st0 unit 0 family inet address
10.11.11.10/24 set routing-options static route 0.0.0.0/0
next-hop 1.1.1.1set routing-options static route 192.168.168.0/24
next-hop st0.0set security zones security-zone untrust interfaces
ge-0/0/3.0set security zones security-zone untrust host-inbound-traffic
system-services ike set security zones security-zone trust interfaces
ge-0/0/0.0set security zones security-zone trust host-inbound-traffic
system-services all set security zones security-zone vpn-chicago
interfaces st0.0set security address-book book1 address sunnyvale
10.10.10.0/24 set security address-book book1 attach zone
trust set security address-book book2 address chicago
192.168.168.0/24 set security address-book book2 attach zone
untrust
Step-by-Step Procedure
To configure interface, static route, security zone, and address
book information:
- Configure Ethernet interface information.
[edit]user@host# set interfaces ge-0/0/0 unit 0
family inet address 10.10.10.1/24user@host# set interfaces ge-0/0/3 unit 0
family inet address 1.1.1.2/30user@host# set interfaces st0 unit 0 family
inet address 10.11.11.10/24
- Configure static route information.
[edit]user@host# set routing-options static route
0.0.0.0/0 next-hop 1.1.1.1user@host# set routing-options static route
192.168.168.0/24 next-hop st0.0
- Configure the untrust security zone.
[edit ]user@host# edit security zones security-zone
untrust
- Assign an interface to the security zone.
[edit security zones security-zone untrust]user@host# set interfaces ge-0/0/3.0
- Specify allowed system services for the security zone.
[edit security zones security-zone untrust]user@host# set host-inbound-traffic system-services
ike
- Configure the trust security zone.
[edit]user@host# edit security zones security-zone
trust
- Assign an interface to the trust security zone.
[edit security zones security-zone trust]user@host# set interfaces ge-0/0/0.0
- Specify allowed system services for the trust security
zone.
[edit security zones security-zone trust]user@host# set host-inbound-traffic system-services
all
- Configure an address book and attach a zone to it.
[edit security address-book book1]user@host# set address sunnyvale 10.10.10.0/24 user@host# set attach zone trust
- Configure the vpn-chicago security zone.
[edit]user@host# edit security zones security-zone
vpn-chicago
- Assign an interface to the security zone.
[edit security zones security-zone vpn-chicago]user@host# set interfaces st0.0
- Configure another address book and attach a zone to it.
[edit security address-book book2]user@host# set address chicago 192.168.168.0/24user@host# set attach zone vpn-chicago
Results
From configuration mode, confirm your configuration
by entering the show interfaces, show routing-options, show security zones, and show security address-book commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]user@host# show interfaces
ge-0/0/0 {unit 0 {family inet {address 10.10.10.1/24;}}}
ge-0/0/3 {unit 0 {family inet {address 1.1.1.2/30 }}}
st0{unit 0 {family inet {address 10.11.11.10/24}}}
[edit]user@host# show routing-options
static {route 0.0.0.0/0 next-hop 1.1.1.1;route 192.168.168.0/24 next-hop st0.0;}
[edit]user@host# show security zones
security-zone untrust {host-inbound-traffic {system-services {ike;}}interfaces {ge-0/0/3.0;}}
security-zone trust {host-inbound-traffic {system-services {all;}}interfaces {ge-0/0/0.0;}}
security-zone vpn-chicago {host-inbound-traffic {}interfaces {st0.0;}}
[edit]user@host# show security address-book
book1 {address sunnyvale 10.10.10.0/24;attach {zone trust;}}book2 {address chicago 192.168.168.0/24;attach {zone untrust;}}
If you are done configuring the device, enter commit from configuration mode.
Configuring IKE
CLI Quick Configuration
To quickly configure this section of the example,
copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set security ike proposal ike-phase1-proposal
authentication-method pre-shared-keysset security ike proposal ike-phase1-proposal
dh-group group2 set security ike proposal ike-phase1-proposal
authentication-algorithm sha1 set security ike proposal ike-phase1-proposal
encryption-algorithm aes-128-cbc set security ike policy ike-phase1-policy
mode main set security ike policy ike-phase1-policy
proposals ike-phase1-proposal set security ike policy ike-phase1-policy
pre-shared-key ascii-text 395psksecr3t set security ike gateway gw-chicago external-interface
ge-0/0/3.0 set security ike gateway gw-chicago ike-policy
ike-phase1-policy set security ike gateway gw-chicago address
2.2.2.2
Step-by-Step Procedure
- Create the IKE Phase 1 proposal.
[edit security ike]user@host# set proposal ike-phase1-proposal
- Define the IKE proposal authentication method.
[edit security ike proposal ike-phase1-proposal]user@host# set authentication-method pre-shared-keys
- Define the IKE proposal Diffie-Hellman group.
[edit security ike proposal ike-phase1-proposal]user@host# set dh-group group2
- Define the IKE proposal authentication algorithm.
[edit security ike proposal ike-phase1-proposal]user@host# set authentication-algorithm sha1
- Define the IKE proposal encryption algorithm.
[edit security ike proposal ike-phase1-proposal]user@host# set encryption-algorithm aes-128-cbc
- Create an IKE Phase 1 policy.
[edit security ike]user@host# set policy ike-phase1-policy
- Set the IKE Phase 1 policy mode.
[edit security ike policy ike-phase1-policy]user@host# set mode main
- Specify a reference to the IKE proposal.
[edit security ike policy ike-phase1-policy]user@host# set proposals ike-phase1-proposal
- Define the IKE Phase 1 policy authentication method.
[edit security ike policy ike-phase1-policy]user@host# set pre-shared-key ascii-text 395psksecr3t
- Create an IKE Phase 1 gateway and define its external
interface.
[edit security ike]user@host# set gateway gw-chicago external-interface
ge-0/0/3.0
- Define the IKE Phase 1 policy reference.
[edit security ike gateway gw-chicago]user@host# set ike-policy ike-phase1-policy
- Define the IKE Phase 1 gateway address.
[edit security ike gateway gw-chicago]user@host# set address 2.2.2.2
Results
From configuration mode, confirm your configuration
by entering the show security ike command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]user@host# show security ike
proposal ike-phase1-proposal {authentication-method pre-shared-keys;dh-group group2;authentication-algorithm sha1;encryption-algorithm aes-128-cbc;}
policy ike-phase1-policy {mode main;proposals ike-phase1-proposal;pre-shared-key ascii-text "$9$9VMTp1RvWLdwYKMJDkmF3ylKM87Vb2oZjws5F";
## SECRET-DATA}
gateway gw-chicago {ike-policy ike-phase1-policy;address 2.2.2.2;external-interface ge-0/0/3.0;}
If you are done configuring the device, enter commit from configuration mode.
Configuring IPsec
CLI Quick Configuration
To quickly configure this section of the example,
copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set security ipsec proposal ipsec-phase2-proposal
protocol espset security ipsec proposal ipsec-phase2-proposal
authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-phase2-proposal
encryption-algorithm aes-128-cbc set security ipsec policy ipsec-phase2-policy
proposals ipsec-phase2-proposalset security ipsec policy ipsec-phase2-policy
perfect-forward-secrecy keys group2set security ipsec vpn ike-vpn-chicago ike
gateway gw-chicagoset security ipsec vpn ike-vpn-chicago ike
ipsec-policy ipsec-phase2-policyset security ipsec vpn ike-vpn-chicago bind-interface
st0.0
Step-by-Step Procedure
- Create an IPsec Phase 2 proposal.
[edit]user@host# set security ipsec proposal ipsec-phase2-proposal
- Specify the IPsec Phase 2 proposal protocol.
[edit security ipsec proposal ipsec-phase2-proposal]user@host# set protocol esp
- Specify the IPsec Phase 2 proposal authentication algorithm.
[edit security ipsec proposal ipsec-phase2-proposal]user@host# set authentication-algorithm hmac-sha1-96
- Specify the IPsec Phase 2 proposal encryption algorithm.
[edit security ipsec proposal ipsec-phase2-proposal]user@host# set encryption-algorithm aes-128-cbc
- Create the IPsec Phase 2 policy.
[edit security ipsec]user@host# set policy ipsec-phase2-policy
- Specify the IPsec Phase 2 proposal reference.
[edit security ipsec policy ipsec-phase2-policy]user@host# set proposals ipsec-phase2-proposal
- Specify IPsec Phase 2 PFS to use Diffie-Hellman group
2.
[edit security ipsec policy ipsec-phase2-policy]user@host# set perfect-forward-secrecy keys
group2
- Specify the IKE gateway.
[edit security ipsec]user@host# set vpn ike-vpn-chicago ike gateway
gw-chicago
- Specify the IPsec Phase 2 policy.
[edit security ipsec]user@host# set vpn ike-vpn-chicago ike ipsec-policy
ipsec-phase2-policy
- Specify the interface to bind.
[edit security ipsec]user@host# set vpn ike-vpn-chicago bind-interface
st0.0
Results
From configuration mode, confirm your configuration
by entering the show security ipsec command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]user@host# show security ipsec
proposal ipsec-phase2-proposal {protocol esp;authentication-algorithm hmac-sha1-96;encryption-algorithm aes-128-cbc;}
policy ipsec-phase2-policy {perfect-forward-secrecy {keys group2;}proposals ipsec-phase2-proposal;}
vpn ike-vpn-chicago {bind-interface st0.0;ike {gateway gw-chicago;ipsec-policy ipsec-phase2-policy;}}
If you are done configuring the device, enter commit from configuration mode.
Configuring Security Policies
CLI Quick Configuration
To quickly configure this section of the example,
copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set security policies from-zone trust to-zone
vpn-chicago policy vpn-tr-chi match source-address sunnyvaleset security policies from-zone trust to-zone
vpn-chicago policy vpn-tr-chi match destination-address chicago set security policies from-zone trust to-zone
vpn-chicago policy vpn-tr-chi match application any set security policies from-zone trust to-zone
vpn-chicago policy vpn-tr-chi then permit set security policies from-zone vpn-chicago
to-zone trust policy vpn-chi-tr match source-address chicagoset security policies from-zone vpn-chicago
to-zone trust policy vpn-chi-tr match destination-address sunnyvale set security policies from-zone vpn-chicago
to-zone trust policy vpn-chi-tr match application any set security policies from-zone vpn-chicago
to-zone trust policy vpn-chi-tr then permit
Step-by-Step Procedure
To configure security policies:
- Create the security policy to permit traffic from the
trust zone to the vpn-chicago zone.
[edit security policies from-zone trust to-zone vpn-chicago]user@host# set policy vpn-tr-chi match source-address
sunnyvaleuser@host# set policy vpn-tr-chi match destination-address
chicagouser@host# set policy vpn-tr-chi match application
anyuser@host# set policy vpn-tr-chi then permit
- Create the security policy to permit traffic from the
vpn-chicago zone to the trust zone.
[edit security policies from-zone vpn-chicago to-zone trust]user@host# set policy vpn-chi-tr match source-address
sunnyvaleuser@host# set policy vpn-chi-tr match destination-address
chicagouser@host# set policy vpn-chi-tr match application
anyuser@host# set policy vpn-chi-tr then permit
Results
From configuration mode, confirm your configuration
by entering the show security policies command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]user@host# show security policies
from-zone trust to-zone vpn-chicago {policy vpn-tr-vpn {match {source-address sunnyvale; destination-address chicago;application any;}then {permit;}}}
from-zone vpn-chicago to-zone trust {policy vpn-tr-vpn {match {source-address chicago;destination-address sunnyvale;application any;}then {permit;}}}
If you are done configuring the device, enter commit from configuration mode.
Configuring TCP-MSS
CLI Quick Configuration
To quickly configure this section of the example,
copy the following command, paste it into a text file, remove any
line breaks, change any details necessary to match your network configuration,
and then copy and paste the command into the CLI at the [edit] hierarchy level.
set security flow tcp-mss ipsec-vpn mss 1350
Step-by-Step Procedure
To configure TCP-MSS information:
- Configure TCP-MSS information.
[edit]user@host# set security flow tcp-mss ipsec-vpn
mss 1350
Results
From configuration mode, confirm your configuration
by entering the show security flow command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]user@host# show security flow
tcp-mss {ipsec-vpn {mss 1350;}}
If you are done configuring the device, enter commit from configuration mode.
Configuring the SSG Series Device
CLI Quick Configuration
To quickly configure this section of the example, copy the following
commands, paste them into a text file, remove any line breaks, change
any details necessary to match your network configuration, and then
copy and paste the commands into the CLI.
set zone name vpn-chicagoset interface ethernet0/6 zone Trustset interface ethernet0/0 zone Untrustset interface tunnel.1 zone vpn-chicagoset interface ethernet0/6 ip 192.168.168.1/24set interface ethernet0/6 routeset interface ethernet0/0 ip 2.2.2.2/30set interface ethernet0/0 routeset interface tunnel.1 ip 10.11.11.11/24set flow tcp-mss 1350set address Trust “192.168.168-net”
192.168.168.0 255.255.255.0set address vpn-chicago "10.10.10-net" 10.10.10.0
255.255.255.0set ike gateway corp-ike address 1.1.1.2 Main
outgoing-interface ethernet0/0 preshare 395psksecr3t sec-level standardset vpn corp-vpn gateway corp-ike replay tunnel
idletime 0 sec-level standardset vpn corp-vpn monitor optimized rekeyset vpn corp-vpn bind interface tunnel.1set policy from Trust to Untrust “ANY”
“ANY” “ANY” nat src permitset policy from Trust to vpn-chicago “192.168.168-net”
“10.10.10-net” “ANY” permitset policy from vpn-chicago to Trust “10.10.10-net”
“192.168.168-net” “ANY” permitset route 10.10.10.0/24 interface tunnel.1set route 0.0.0.0/0 interface ethernet0/0
gateway 2.2.2.1
