Table of Contents

How to configure IPSec VPN in Junos



Show Policy

Operation Command
Check ISAKMP SA(Phase 1) >show security ike security-associations
>show security ike security-associations detail | no-more
Check IPsec SA(Phase 2) >show security ipsec security-associations
>show security ipsec security-associations detail | no-more
check statistics >show security ipsec statistics
> show security flow sesion
> show security flow session source-prefix x.x.x.x
Check Proxy ID with Policy-base VPN > show security policies from-zone trust to-zone untrust policy-name internal-net detail


Reset Connection

clear security ipsec security-associations
clear security ike security-associations
clear security ipsec security-associations 11.11.11.11
clear security ike security-associations 11.11.11.11


Debug

Check Debug Log

> show security ike debug-status
> request security ike debug-enable local x.x.x.x remote x.x.x.x ← Public IP
> show log kmd |no-more
> request security ike debug-disable
> show security ike debug-status

> clear log kmd

Configuration of logging

# set system syslog file kmd daemon info
# set system syslog file kmd match KMD
# set system syslog file kmd archive size 500k
# commit check
# commit confirmed 1

# run show log ← check log file's name and size

# run show log kmd
or
# run start shell
# tail -f /var/log/kmd

Check Flow Trace

> set security flow traceoptions file flow-trace
> set security flow traceoptions file size 10m
> set security flow traceoptions file files 2
> set security flow traceoptions flag all
> set security flow traceoptions file packet-filter F1 source-prefix 11.11.11.11/32
> set security flow traceoptions file packet-filter F1 destination-prefix 22.22.22.22/32
> set security flow traceoptions file packet-filter F2 source-prefix 22.22.22.22/32
> set security flow traceoptions file packet-filter F2 destination-prefix 11.11.11.11/32

> commit confirmed 1

> run show log flow-trace
> run clear log flow-trace


How to Configure Route Base IPsec VPN

Route-Based IPsec VPNs - TechLibrary - Juniper Networks

# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.100/24
# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

Create Secure Tunnel (ST) interface

Crete secure tunnel (ST) interface, which is bound to a specific VPN tunnel.

# set interfaces st0 unit 0 family inet address 10.10.10.1/24

Static Route

# set routing-options static route 192.168.2.0/24 next-hop st0.0

Phase1 (ike)

### proposal ###
# set security ike proposal P1 authentication-method pre-shared-keys
# set security ike proposal P1 dh-group group2
# set security ike proposal P1 authentication-algorithm sha1
# set security ike proposal P1 encryption-algorithm aes-128-cbc

### policy ###
# set security ike policy IKE-Policy mode main
# set security ike policy IKE-Policy proposals P1
# set security ike policy IKE-Policy pre-shared-key ascii-text “Junos123”

### gateway ###
# set security ike gateway Gateway-A external-interface ge-0/0/0.0
# set security ike gateway Gateway-A ike-policy IKE-Policy
# set security ike gateway Gateway-A address 10.1.2.100
# set security ike gateway Gateway-A dead-peer-detection

dead peer detection(DPD) for ike keepalive Options
Default interval: 10 seconds
Default threshold : 5 (Maximum number of DPD retransmissions.)

always-send : Send probes periodically regardless of incoming and outgoing data traffic.
optimized : Send probes only when there is outgoing and no incoming data traffic - RFC3706 (Default mode).

Example
# set security ike gateway Gateway-A dead-peer-detection always-send
# set security ike gateway Gateway-A dead-peer-detection interval 20
# set security ike gateway Gateway-A dead-peer-detection threshold 5

Phase2 (ipsec)

bind-interface is need in Route Base IPSec.

### proposal ###
# set security ipsec proposal P2 protocol esp
# set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2 encryption-algorithm aes-128-cbc

### policy ###
# set security ipsec policy IPsec-Policy proposals P2
# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2

### vpn ###
# set security ipsec vpn VPN-A ike gateway Gateway-A
# set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
# set security ipsec vpn VPN-A bind-interface st0.0
# set security ipsec vpn VPN-A ike proxy-identity local x.x.x.x./24
# set security ipsec vpn VPN-A ike proxy-identity remote x.x.x.x./24

Security Policy

You must create VPN Zone with Virtual Interface like st0.x. .

# set security zones security-zone Trust interface ge-0/0/2.0
# set security zones security-zone Trust address-book address 192.168.1.0 192.168.1.0/24

# set security zones security-zone VPN interface st0.0
# set security zones security-zone VPN address-book address 192.168.2.0 192.168.2.0/24

# set security zones security-zone Untrust interface ge-0/0/0.0 host-inbound-traffic system-services ike

# set security policies from-zone Trust to-zone VPN policy TtoV match source-address 192.168.1.0
# set security policies from-zone Trust to-zone VPN policy TtoV match destination-address 192.168.2.0
# set security policies from-zone Trust to-zone VPN policy TtoV match application any
# set security policies from-zone Trust to-zone VPN policy TtoV then permit

# set security policies from-zone VPN to-zone Trust policy VtoT match source-address 192.168.2.0
# set security policies from-zone VPN to-zone Trust policy VtoT match destination-address 192.168.1.0
# set security policies from-zone VPN to-zone Trust policy VtoT match application any
# set security policies from-zone VPN to-zone Trust policy VtoT then permit

MSS

# set security flow tcp-mss ipsec-vpn mss 1350


How to Configure Policy Base IPsec VPN

Policy-Based IPsec VPNs - TechLibrary - Juniper Networks

# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.100/24
# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24

# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

Phase1 (ike)

### proposal ###
# set security ike proposal P1 authentication-method pre-shared-keys
# set security ike proposal P1 dh-group group2
# set security ike proposal P1 authentication-algorithm sha1
# set security ike proposal P1 encryption-algorithm aes-128-cbc

### policy ###
# set security ike policy IKE-Policy mode main
# set security ike policy IKE-Policy proposals P1
# set security ike policy IKE-Policy pre-shared-key ascii-text “Junos123”

### gateway ###
# set security ike gateway Gateway-A external-interface ge-0/0/0.0
# set security ike gateway Gateway-A ike-policy IKE-Policy
# set security ike gateway Gateway-A address 10.1.2.100
# set security ike gateway Gateway-A dead-peer-detection #DPD(dead peer detection) for ike keepalive

Phase2 (ipsec)

### proposal ###
# set security ipsec proposal P2 protocol esp
# set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2 encryption-algorithm aes-128-cbc
# set security ipsec proposal P2 lifetime-seconds 3600

### policy ###
# set security ipsec policy IPsec-Policy proposals P2
# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2

### vpn ###
# set security ipsec vpn VPN-A ike gateway Gateway-A
# set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
# set security ipsec vpn VPN-A establish-tunnels immediately

Security Policy

# set security zones security-zone Trust interface ge-0/0/2.0
# set security zones security-zone Trust address-book address 192.168.1.0 192.168.1.0/24
# set security zones security-zone Untrust address-book address 192.168.2.0 192.168.2.0/24
# set security zones security-zone Untrust interface ge-0/0/0.0 host-inbound-traffic system-services ike

# set security policies from-zone Trust to-zone Untrust policy TtoU match source-address 192.168.1.0
# set security policies from-zone Trust to-zone Untrust policy TtoU match destination-address 192.168.2.0
# set security policies from-zone Trust to-zone Untrust policy TtoU match application any
# set security policies from-zone Trust to-zone Untrust policy TtoU then permit tunnel ipsec-vpn VPN-A

# set security policies from-zone Untrust to-zone Trust policy UtoT match source-address 192.168.2.0
# set security policies from-zone Untrust to-zone Trust policy UtoT match destination-address 192.168.1.0
# set security policies from-zone Untrust to-zone Trust policy UtoT match application any
# set security policies from-zone Untrust to-zone Trust policy UtoT then permit tunnel ipsec-vpn VPN-A

MSS

# set security flow tcp-mss ipsec-vpn mss 1350