Operation | Command |
---|---|
Check ISAKMP SA (Phase 1) | > show security ike security-associations <br> > show security ike security-associations detail \| no-more |
Check IPsec SA (Phase 2) | > show security ipsec security-associations <br> > show security ipsec security-associations detail \| no-more |
Check statistics | > show security ipsec statistics |
Check flow sessions | > show security flow session <br> > show security flow session source-prefix x.x.x.x |
Check Proxy ID with policy-based VPN | > show security policies from-zone trust to-zone untrust policy-name internal-net detail |
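As an added example (not from the original page), a small Python checker that parses the output of the Phase 1 and Phase 2 check commands above and reports, per expected peer, whether IKE is down or missing or whether the inbound/outbound ESP SA pair is not installed. The sample output is constructed to approximate the Junos CLI layout; the column positions are an assumption.

```python
# Constructed samples approximate the Junos SRX CLI layout; column positions are an assumption.
# Constructed sample: 10.1.2.100 UP, 10.1.3.100 stuck DOWN, 10.1.5.100 UP.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1234567 UP     a1b2c3d4e5f60718  0918f6e5d4c3b2a1  Main           10.1.2.100
1234568 DOWN   1122334455667788  0000000000000000  Main           10.1.3.100
1234569 UP     99aabbccddeeff00  00ffeeddccbbaa99  Main           10.1.5.100
"""

# Constructed sample: only 10.1.2.100 has the inbound (<) and outbound (>) ESP pair.
IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 5d2e3f4a 3400/ unlim - root 500 10.1.2.100
  >131073 ESP:aes-cbc-128/sha1 7a8b9c0d 3400/ unlim - root 500 10.1.2.100
"""

def parse_ike(text):
    """Map remote address -> IKE SA state (UP/DOWN) from the brief table."""
    sas = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].isdigit() and f[1] in ("UP", "DOWN"):
            sas[f[-1]] = f[1]  # last column is the remote address
    return sas

def parse_ipsec(text):
    """Map gateway -> set of ESP SA directions ('<' inbound, '>' outbound)."""
    sas = {}
    for line in text.splitlines():
        f = line.split()
        if f and f[0][0] in "<>" and f[0][1:].isdigit():
            sas.setdefault(f[-1], set()).add(f[0][0])
    return sas

def check_tunnels(expected_peers, ike_text, ipsec_text):
    """ok | phase1-missing | phase1-down | phase2-incomplete (IKE UP, no ESP pair)."""
    ike, ipsec = parse_ike(ike_text), parse_ipsec(ipsec_text)
    report = {}
    for peer in expected_peers:
        if peer not in ike:
            report[peer] = "phase1-missing"
        elif ike[peer] != "UP":
            report[peer] = "phase1-down"
        elif ipsec.get(peer) != {"<", ">"}:
            report[peer] = "phase2-incomplete"
        else:
            report[peer] = "ok"
    return report
```

Feed it the real command output (for example captured via `show ... | no-more`) and the list of gateway addresses you expect; a peer reported as phase2-incomplete with IKE UP usually points at a proxy-ID or IPsec proposal mismatch, which the detail commands above confirm.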
> clear security ipsec security-associations
> clear security ike security-associations
> clear security ipsec security-associations 11.11.11.11
> clear security ike security-associations 11.11.11.11
> show security ike debug-status
> request security ike debug-enable local x.x.x.x remote x.x.x.x ← public IPs of the local and remote gateways
> show log kmd | no-more
> request security ike debug-disable
> show security ike debug-status
> clear log kmd
# set system syslog file kmd daemon info
# set system syslog file kmd match KMD
# set system syslog file kmd archive size 500k
# commit check
# commit confirmed 1
# run show log ← check the log file's name and size
# run show log kmd
or
# run start shell
# tail -f /var/log/kmd
# set security flow traceoptions file flow-trace
# set security flow traceoptions file size 10m
# set security flow traceoptions file files 2
# set security flow traceoptions flag all
# set security flow traceoptions packet-filter F1 source-prefix 11.11.11.11/32
# set security flow traceoptions packet-filter F1 destination-prefix 22.22.22.22/32
# set security flow traceoptions packet-filter F2 source-prefix 22.22.22.22/32
# set security flow traceoptions packet-filter F2 destination-prefix 11.11.11.11/32
# commit confirmed 1
# run show log flow-trace
# run clear log flow-trace
Route-Based IPsec VPNs - TechLibrary - Juniper Networks
# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.100/24
# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
Create the secure tunnel (st0) interface, which is bound to a specific VPN tunnel.
# set interfaces st0 unit 0 family inet address 10.10.10.1/24
# set routing-options static route 192.168.2.0/24 next-hop st0.0
### proposal ###
# set security ike proposal P1 authentication-method pre-shared-keys
# set security ike proposal P1 dh-group group2
# set security ike proposal P1 authentication-algorithm sha1
# set security ike proposal P1 encryption-algorithm aes-128-cbc
### policy ###
# set security ike policy IKE-Policy mode main
# set security ike policy IKE-Policy proposals P1
# set security ike policy IKE-Policy pre-shared-key ascii-text "Junos123"
### gateway ###
# set security ike gateway Gateway-A external-interface ge-0/0/0.0
# set security ike gateway Gateway-A ike-policy IKE-Policy
# set security ike gateway Gateway-A address 10.1.2.100
# set security ike gateway Gateway-A dead-peer-detection
Dead peer detection (DPD) options for IKE keepalive:
Default interval: 10 seconds
Default threshold: 5 (maximum number of DPD retransmissions)
always-send: send probes periodically regardless of incoming and outgoing data traffic.
optimized: send probes only when there is outgoing and no incoming data traffic, per RFC3706 (default mode).
Example
# set security ike gateway Gateway-A dead-peer-detection always-send
# set security ike gateway Gateway-A dead-peer-detection interval 20
# set security ike gateway Gateway-A dead-peer-detection threshold 5
bind-interface is required for route-based IPsec.
### proposal ###
# set security ipsec proposal P2 protocol esp
# set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2 encryption-algorithm aes-128-cbc
### policy ###
# set security ipsec policy IPsec-Policy proposals P2
# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2
### vpn ###
# set security ipsec vpn VPN-A ike gateway Gateway-A
# set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
# set security ipsec vpn VPN-A bind-interface st0.0
# set security ipsec vpn VPN-A ike proxy-identity local x.x.x.x/24
# set security ipsec vpn VPN-A ike proxy-identity remote x.x.x.x/24
You must create a VPN zone containing the tunnel interface (st0.x).
# set security zones security-zone Trust interface ge-0/0/2.0
# set security zones security-zone Trust address-book address 192.168.1.0 192.168.1.0/24
# set security zones security-zone VPN interface st0.0
# set security zones security-zone VPN address-book address 192.168.2.0 192.168.2.0/24
# set security zones security-zone Untrust interface ge-0/0/0.0 host-inbound-traffic system-services ike
# set security policies from-zone Trust to-zone VPN policy TtoV match source-address 192.168.1.0
# set security policies from-zone Trust to-zone VPN policy TtoV match destination-address 192.168.2.0
# set security policies from-zone Trust to-zone VPN policy TtoV match application any
# set security policies from-zone Trust to-zone VPN policy TtoV then permit
# set security policies from-zone VPN to-zone Trust policy VtoT match source-address 192.168.2.0
# set security policies from-zone VPN to-zone Trust policy VtoT match destination-address 192.168.1.0
# set security policies from-zone VPN to-zone Trust policy VtoT match application any
# set security policies from-zone VPN to-zone Trust policy VtoT then permit
# set security flow tcp-mss ipsec-vpn mss 1350
Policy-Based IPsec VPNs - TechLibrary - Juniper Networks
# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.100/24
# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
### proposal ###
# set security ike proposal P1 authentication-method pre-shared-keys
# set security ike proposal P1 dh-group group2
# set security ike proposal P1 authentication-algorithm sha1
# set security ike proposal P1 encryption-algorithm aes-128-cbc
### policy ###
# set security ike policy IKE-Policy mode main
# set security ike policy IKE-Policy proposals P1
# set security ike policy IKE-Policy pre-shared-key ascii-text "Junos123"
### gateway ###
# set security ike gateway Gateway-A external-interface ge-0/0/0.0
# set security ike gateway Gateway-A ike-policy IKE-Policy
# set security ike gateway Gateway-A address 10.1.2.100
# set security ike gateway Gateway-A dead-peer-detection ← DPD (dead peer detection) for IKE keepalive
### proposal ###
# set security ipsec proposal P2 protocol esp
# set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2 encryption-algorithm aes-128-cbc
# set security ipsec proposal P2 lifetime-seconds 3600
### policy ###
# set security ipsec policy IPsec-Policy proposals P2
# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2
### vpn ###
# set security ipsec vpn VPN-A ike gateway Gateway-A
# set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
# set security ipsec vpn VPN-A establish-tunnels immediately
# set security zones security-zone Trust interface ge-0/0/2.0
# set security zones security-zone Trust address-book address 192.168.1.0 192.168.1.0/24
# set security zones security-zone Untrust address-book address 192.168.2.0 192.168.2.0/24
# set security zones security-zone Untrust interface ge-0/0/0.0 host-inbound-traffic system-services ike
# set security policies from-zone Trust to-zone Untrust policy TtoU match source-address 192.168.1.0
# set security policies from-zone Trust to-zone Untrust policy TtoU match destination-address 192.168.2.0
# set security policies from-zone Trust to-zone Untrust policy TtoU match application any
# set security policies from-zone Trust to-zone Untrust policy TtoU then permit tunnel ipsec-vpn VPN-A
# set security policies from-zone Untrust to-zone Trust policy UtoT match source-address 192.168.2.0
# set security policies from-zone Untrust to-zone Trust policy UtoT match destination-address 192.168.1.0
# set security policies from-zone Untrust to-zone Trust policy UtoT match application any
# set security policies from-zone Untrust to-zone Trust policy UtoT then permit tunnel ipsec-vpn VPN-A
# set security flow tcp-mss ipsec-vpn mss 1350
Juniper Junos CLI Commands (SRX/QFX/EX)