cmdref.net - Cheat Sheet and Example

cmdref.net is command references/cheat sheets/examples for system engineers.

How to configure IPSec VPN in Junos

Show Commands (verification)

Operation                              Command
Check ISAKMP SA (Phase 1)              > show security ike security-associations
                                       > show security ike security-associations detail | no-more
Check IPsec SA (Phase 2)               > show security ipsec security-associations
                                       > show security ipsec security-associations detail | no-more
Check statistics                       > show security ipsec statistics
Check flow sessions                    > show security flow session
                                       > show security flow session source-prefix x.x.x.x
Check Proxy ID with policy-based VPN   > show security policies from-zone trust to-zone untrust policy-name internal-net detail

Read the two SA tables together: a Phase 1 SA in state UP with no inbound/outbound Phase 2 SA pair for the same gateway points at a Phase 2 problem (IPsec proposal, PFS group or proxy ID mismatch); no Phase 1 SA at all points at reachability, the ike host-inbound-traffic setting on the external interface, or an IKE proposal / pre-shared-key mismatch.
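As an added example (not code from the page), the following Python reads the Phase 1 and Phase 2 tables above for one gateway and reports whether the tunnel is fully up, i.e. an IKE SA in state UP plus both an inbound (<) and an outbound (>) IPsec SA; it also flags legacy algorithms in the negotiated SAs. The two sample outputs are constructed to resemble the Junos table layout, and the second peer 10.1.3.100 with a DOWN entry is this example's assumption.

```python
"""Decide whether an SRX IPsec VPN to a given peer is fully up from the text of
'show security ike security-associations' and 'show security ipsec security-associations',
and flag legacy algorithms in the negotiated SAs."""
import re

# Constructed sample outputs, modelled on the Junos table layout (not captured from a device).
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5309411 UP     3f0c1d2e9a8b7c6d  1a2b3c4d5e6f7a8b  Main           10.1.2.100
5309412 DOWN   9e8d7c6b5a4f3e2d  0000000000000000  Main           10.1.3.100
"""
IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 c1a2b3d4 2855/ unlim - root 500 10.1.2.100
  >131073 ESP:aes-cbc-128/sha1 e5f6a7b8 2855/ unlim - root 500 10.1.2.100
"""

# One IKE SA row: index, state, two cookies, mode, remote address.
IKE_RE = re.compile(r"^(\d+)\s+(?P<state>\S+)\s+[0-9a-f]+\s+[0-9a-f]+\s+\S+\s+(?P<remote>\S+)\s*$")
# One IPsec SA row: direction marker, id, ESP:enc/auth, SPI, life sec/kb, mon, lsys, port, gateway.
IPSEC_RE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<lifesec>\d+)/\s*\S+\s+\S+\s+\S+\s+\d+\s+(?P<gateway>\S+)\s*$"
)
LEGACY_ALGORITHMS = {"md5", "sha1", "des-cbc", "3des-cbc"}


def parse_ike_sas(text):
    """Return {remote_address: state} for every IKE SA row."""
    sas = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas[m.group("remote")] = m.group("state")
    return sas


def parse_ipsec_sas(text):
    """Return one dict per IPsec SA row ('<' is inbound, '>' outbound)."""
    rows = []
    for line in text.splitlines():
        m = IPSEC_RE.match(line)
        if m:
            row = m.groupdict()
            row["lifesec"] = int(row["lifesec"])
            rows.append(row)
    return rows


def legacy_algorithms(alg):
    """Legacy primitives found in an 'enc/auth' string such as aes-cbc-128/sha1."""
    return [part for part in alg.split("/") if part in LEGACY_ALGORITHMS]


def tunnel_status(ike_text, ipsec_text, gateway):
    """Combine Phase 1 and Phase 2 state for one remote gateway."""
    phase1 = parse_ike_sas(ike_text).get(gateway, "missing")
    rows = [r for r in parse_ipsec_sas(ipsec_text) if r["gateway"] == gateway]
    dirs = {r["dir"] for r in rows}
    status = {
        "phase1": phase1,
        "phase2_in": "<" in dirs,
        "phase2_out": ">" in dirs,
        "legacy_algorithms": sorted({a for r in rows for a in legacy_algorithms(r["alg"])}),
    }
    status["up"] = phase1 == "UP" and status["phase2_in"] and status["phase2_out"]
    return status


if __name__ == "__main__":
    for peer in ("10.1.2.100", "10.1.3.100"):
        print(peer, tunnel_status(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, peer))
```

Feed it the real command output (for example captured over NETCONF or from a terminal log) and the missing-direction case shows up directly: a Phase 1 UP with only one of the two IPsec SAs is a half-open tunnel, not a working one.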

Check Debug Log

Enable IKE debugging for one local/remote pair, read the key-management daemon (kmd) log, and disable debugging again when finished, as its output is verbose:

> request security ike debug-enable local x.x.x.x remote x.x.x.x
> show log kmd | no-more
> request security ike debug-disable

Configuration of logging (kmd)

Entered in configuration mode; this writes the key-management daemon's messages to the file /var/log/kmd:

set system syslog file kmd daemon info
set system syslog file kmd match KMD
set system syslog file kmd archive size 500k
commit check
commit

run show log kmd
or
run start shell
tail -f /var/log/kmd
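The kmd log is where a failing negotiation names its cause. As an added example (not from the page), the following Python classifies failure lines by the IKE error text they carry and groups them per remote peer, which usually narrows the fault before per-peer debugging is switched on. The log lines are constructed in the style of SRX kmd messages, not captured from a device; the peers 10.1.3.100 and 10.1.4.100 and the VPN-B/Gateway-B names are assumptions of the example.

```python
"""Triage kmd log lines: classify IKE negotiation failures by their error text and
group them per remote peer."""
import re

# Constructed lines in the style of SRX kmd messages (not captured from a device).
KMD_LOG = """\
Jun 26 10:15:02 srx kmd[1432]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-A Gateway: Gateway-A, Local: 10.1.1.100/500, Remote: 10.1.2.100/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Jun 26 10:15:20 srx kmd[1432]: IKE negotiation failed with error: Authentication failed. IKE Version: 1, VPN: VPN-A Gateway: Gateway-A, Local: 10.1.1.100/500, Remote: 10.1.2.100/500, Local IKE-ID: 10.1.1.100, Remote IKE-ID: 10.1.2.100, VR-ID: 0: Role: Initiator
Jun 26 10:15:45 srx kmd[1432]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: VPN-B Gateway: Gateway-B, Local: 10.1.1.100/500, Remote: 10.1.3.100/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Jun 26 10:16:01 srx kmd[1432]: KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(udp:500,[0..3]=10.1.1.100) p1_remote=ipv4(udp:500,[0..3]=10.1.4.100)
Jun 26 10:16:30 srx kmd[1432]: KMD_VPN_UP_ALARM_USER: VPN VPN-A from 10.1.2.100 is up. Local-ip: 10.1.1.100, gateway name: Gateway-A, vpn name: VPN-A, tunnel-id: 131073, local tunnel-if: st0.0
"""

# (substring, cause label, what to compare with the peer); first match wins.
CAUSES = [
    ("No proposal chosen", "proposal-mismatch",
     "IKE or IPsec proposal (dh-group, encryption, authentication, PFS group) or proxy-identity"),
    ("Authentication failed", "psk-mismatch", "pre-shared-key or IKE identity"),
    ("Invalid ID information", "id-mismatch", "proxy-identity or IKE-ID"),
    ("Timed out", "no-response",
     "reachability, UDP/500 and 4500 filtering, host-inbound-traffic system-services ike on the peer"),
    ("Policy lookup for Phase-1", "no-gateway",
     "no security ike gateway matches this peer's address on the interface that received the request"),
]
VPN_RE = re.compile(r"VPN: (\S+)")
# Either the 'Remote: a.b.c.d/port' field or the p1_remote=ipv4(...) form of the policy-lookup message.
REMOTE_RE = re.compile(r"Remote: ([\d.]+)|p1_remote=ipv4\(udp:\d+,\[0\.\.3\]=([\d.]+)\)")


def classify(line):
    """(cause, hint) for a failure line, None for anything else."""
    for needle, cause, hint in CAUSES:
        if needle in line:
            return cause, hint
    return None


def triage(text):
    """One event dict per failure line: timestamp, vpn, remote, cause, hint."""
    events = []
    for line in text.splitlines():
        hit = classify(line)
        if not hit:
            continue
        vpn = VPN_RE.search(line)
        remote = REMOTE_RE.search(line)
        events.append({
            "ts": line[:15],
            "vpn": vpn.group(1) if vpn else None,
            "remote": (remote.group(1) or remote.group(2)) if remote else None,
            "cause": hit[0],
            "hint": hit[1],
        })
    return events


def summarize(events):
    """Remote peer -> ordered list of failure causes seen for it."""
    by_peer = {}
    for e in events:
        by_peer.setdefault(e["remote"], []).append(e["cause"])
    return by_peer


if __name__ == "__main__":
    for peer, causes in summarize(triage(KMD_LOG)).items():
        print(peer, causes)
```

A peer that first fails with proposal-mismatch and then with psk-mismatch, as 10.1.2.100 does in the sample, has had its proposal fixed but not its key; the no-gateway case carries no VPN name because the lookup failed before any gateway was matched.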


How to Configure Route-Based IPsec VPN

Route-Based IPsec VPNs - TechLibrary - Juniper Networks

# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.100/24
# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

Create Secure Tunnel (st0) interface

Create the secure tunnel (st0) interface; the VPN is bound to it with bind-interface below, and a route pointing at st0.0 selects the tunnel.

# set interfaces st0 unit 0 family inet address 10.10.10.1/24

Static Route

# set routing-options static route 192.168.2.0/24 next-hop st0.0

Phase1 (ike)

### proposal ###
# set security ike proposal P1 authentication-method pre-shared-keys
# set security ike proposal P1 dh-group group2
# set security ike proposal P1 authentication-algorithm sha1
# set security ike proposal P1 encryption-algorithm aes-128-cbc

group2 (1024-bit DH) and sha1 are legacy values kept here for compatibility with old peers; prefer dh-group group14 or higher and authentication-algorithm sha-256 where the peer supports them. Both ends must offer at least one identical proposal, or Phase 1 fails with "No proposal chosen".

### policy ###
# set security ike policy IKE-Policy mode main
# set security ike policy IKE-Policy proposals P1
# set security ike policy IKE-Policy pre-shared-key ascii-text "Junos123"

### gateway ###
# set security ike gateway Gateway-A external-interface ge-0/0/0.0
# set security ike gateway Gateway-A ike-policy IKE-Policy
# set security ike gateway Gateway-A address 10.1.2.100
# set security ike gateway Gateway-A dead-peer-detection

Dead peer detection (DPD) options (IKE keepalive)
Default interval: 10 seconds
Default threshold: 5 (maximum number of DPD retransmissions before the peer is declared dead)

always-send : send probes periodically regardless of incoming and outgoing data traffic.
optimized : send probes only when there is outgoing and no incoming data traffic - RFC 3706 (default mode).

Example
# set security ike gateway Gateway-A dead-peer-detection always-send
# set security ike gateway Gateway-A dead-peer-detection interval 20
# set security ike gateway Gateway-A dead-peer-detection threshold 5

Phase2 (ipsec)

bind-interface is required for a route-based VPN: it ties the IPsec SA to st0.0, so traffic is steered into the tunnel by routing rather than by a tunnel policy.

### proposal ###
# set security ipsec proposal P2 protocol esp
# set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2 encryption-algorithm aes-128-cbc

### policy ###
# set security ipsec policy IPsec-Policy proposals P2
# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2

### vpn ###
# set security ipsec vpn VPN-A ike gateway Gateway-A
# set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
# set security ipsec vpn VPN-A bind-interface st0.0
# set security ipsec vpn VPN-A ike proxy-identity local x.x.x.x/24
# set security ipsec vpn VPN-A ike proxy-identity remote x.x.x.x/24

proxy-identity is optional on Junos; when it is omitted a route-based VPN offers 0.0.0.0/0 for both local and remote, which a peer configured with specific subnets will not match. When set, the peer's remote must equal this side's local and vice versa.

Security Policy

Put the st0.x tunnel interface in its own security zone (VPN here) so that traffic between the LAN and the tunnel is subject to security policies; IKE itself must be allowed on the external interface with host-inbound-traffic system-services ike.

# set security zones security-zone Trust interface ge-0/0/2.0
# set security zones security-zone Trust address-book address 192.168.1.0 192.168.1.0/24

# set security zones security-zone VPN interface st0.0
# set security zones security-zone VPN address-book address 192.168.2.0 192.168.2.0/24

# set security zones security-zone Untrust interface ge-0/0/0.0 host-inbound-traffic system-services ike

# set security policies from-zone Trust to-zone VPN policy TtoV match source-address 192.168.1.0
# set security policies from-zone Trust to-zone VPN policy TtoV match destination-address 192.168.2.0
# set security policies from-zone Trust to-zone VPN policy TtoV match application any
# set security policies from-zone Trust to-zone VPN policy TtoV then permit

# set security policies from-zone VPN to-zone Trust policy VtoT match source-address 192.168.2.0
# set security policies from-zone VPN to-zone Trust policy VtoT match destination-address 192.168.1.0
# set security policies from-zone VPN to-zone Trust policy VtoT match application any
# set security policies from-zone VPN to-zone Trust policy VtoT then permit

MSS

# set security flow tcp-mss ipsec-vpn mss 1350

Clamps the TCP MSS of sessions that enter an IPsec tunnel so that the ESP overhead does not push packets past the path MTU and cause fragmentation; 1350 leaves room for the ESP (and NAT-T UDP) headers on a 1500-byte path.


How to Configure Policy-Based IPsec VPN

Policy-Based IPsec VPNs - TechLibrary - Juniper Networks

# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.100/24
# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24

# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

Phase1 (ike)

### proposal ###
# set security ike proposal P1 authentication-method pre-shared-keys
# set security ike proposal P1 dh-group group2
# set security ike proposal P1 authentication-algorithm sha1
# set security ike proposal P1 encryption-algorithm aes-128-cbc

### policy ###
# set security ike policy IKE-Policy mode main
# set security ike policy IKE-Policy proposals P1
# set security ike policy IKE-Policy pre-shared-key ascii-text "Junos123"

### gateway ###
# set security ike gateway Gateway-A external-interface ge-0/0/0.0
# set security ike gateway Gateway-A ike-policy IKE-Policy
# set security ike gateway Gateway-A address 10.1.2.100
# set security ike gateway Gateway-A dead-peer-detection
(DPD, dead peer detection, for IKE keepalive; options as in the route-based section)

Phase2 (ipsec)

### proposal ###
# set security ipsec proposal P2 protocol esp
# set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2 encryption-algorithm aes-128-cbc
# set security ipsec proposal P2 lifetime-seconds 3600

### policy ###
# set security ipsec policy IPsec-Policy proposals P2
# set security ipsec policy IPsec-Policy perfect-forward-secrecy keys group2

### vpn ###
# set security ipsec vpn VPN-A ike gateway Gateway-A
# set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy
# set security ipsec vpn VPN-A establish-tunnels immediately

Without establish-tunnels immediately a policy-based tunnel is negotiated on demand, when the first packet matches the tunnel policy.

Security Policy

There is no st0 interface or VPN zone here: the tunnel policy itself (then permit tunnel ipsec-vpn VPN-A) selects the VPN, and its source-address and destination-address become the Phase 2 proxy ID, so the peer's proxy ID must mirror these addresses exactly.

# set security zones security-zone Trust interface ge-0/0/2.0
# set security zones security-zone Trust address-book address 192.168.1.0 192.168.1.0/24
# set security zones security-zone Untrust address-book address 192.168.2.0 192.168.2.0/24
# set security zones security-zone Untrust interface ge-0/0/0.0 host-inbound-traffic system-services ike

# set security policies from-zone Trust to-zone Untrust policy TtoU match source-address 192.168.1.0
# set security policies from-zone Trust to-zone Untrust policy TtoU match destination-address 192.168.2.0
# set security policies from-zone Trust to-zone Untrust policy TtoU match application any
# set security policies from-zone Trust to-zone Untrust policy TtoU then permit tunnel ipsec-vpn VPN-A

# set security policies from-zone Untrust to-zone Trust policy UtoT match source-address 192.168.2.0
# set security policies from-zone Untrust to-zone Trust policy UtoT match destination-address 192.168.1.0
# set security policies from-zone Untrust to-zone Trust policy UtoT match application any
# set security policies from-zone Untrust to-zone Trust policy UtoT then permit tunnel ipsec-vpn VPN-A
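The route-based and policy-based procedures above differ only in how the tunnel is selected: a route to st0.0 with an explicit proxy-identity, or a tunnel policy whose addresses become the proxy ID. As an added example serving both procedures (not code from the page), the following Python renders the set commands for either mode for both ends from one description and checks that the two ends mirror each other, which is where most two-vendor tunnel failures come from. The site table, the address-book names local-lan/remote-lan and the HARDENED algorithm set are this example's assumptions; the names VPN-A, Gateway-A, P1, P2, IKE-Policy and IPsec-Policy follow the page.

```python
"""Render Junos 'set' commands for one end of a site-to-site IPsec VPN (route-based
or policy-based) from a two-site description, and check that the two rendered ends
mirror each other: proxy-IDs swapped and each gateway pointing at the other's WAN IP."""
import re

# Constructed two-site description; addresses follow the page's example topology.
SITES = {
    "A": {"wan": "10.1.1.100/24", "wan_gw": "10.1.1.254", "lan": "192.168.1.0/24", "st0": "10.10.10.1/24"},
    "B": {"wan": "10.1.2.100/24", "wan_gw": "10.1.2.254", "lan": "192.168.2.0/24", "st0": "10.10.10.2/24"},
}
PSK = "Junos123"  # the page's demo key; a deployment needs a long random secret per peer
# The page's algorithms beside a stronger set chosen for this example (all valid Junos keywords).
LEGACY = {"dh": "group2", "p1_auth": "sha1", "enc": "aes-128-cbc", "p2_auth": "hmac-sha1-96"}
HARDENED = {"dh": "group14", "p1_auth": "sha-256", "enc": "aes-256-cbc", "p2_auth": "hmac-sha-256-128"}


def policy(fz, tz, name, src, dst, action):
    """The four 'set' lines of one security policy."""
    base = f"set security policies from-zone {fz} to-zone {tz} policy {name}"
    return [f"{base} match source-address {src}", f"{base} match destination-address {dst}",
            f"{base} match application any", f"{base} then {action}"]


def render(local, peer, mode="route", alg=HARDENED):
    """'set' commands for site `local` peering with site `peer`; mode is 'route' or 'policy'."""
    loc, rem = SITES[local], SITES[peer]
    peer_ip = rem["wan"].split("/")[0]
    c = [
        f"set interfaces ge-0/0/0 unit 0 family inet address {loc['wan']}",
        f"set routing-options static route 0.0.0.0/0 next-hop {loc['wan_gw']}",
        "set security ike proposal P1 authentication-method pre-shared-keys",
        f"set security ike proposal P1 dh-group {alg['dh']}",
        f"set security ike proposal P1 authentication-algorithm {alg['p1_auth']}",
        f"set security ike proposal P1 encryption-algorithm {alg['enc']}",
        "set security ike policy IKE-Policy mode main",
        "set security ike policy IKE-Policy proposals P1",
        f'set security ike policy IKE-Policy pre-shared-key ascii-text "{PSK}"',
        "set security ike gateway Gateway-A external-interface ge-0/0/0.0",
        "set security ike gateway Gateway-A ike-policy IKE-Policy",
        f"set security ike gateway Gateway-A address {peer_ip}",
        "set security ike gateway Gateway-A dead-peer-detection optimized",
        "set security ipsec proposal P2 protocol esp",
        f"set security ipsec proposal P2 authentication-algorithm {alg['p2_auth']}",
        f"set security ipsec proposal P2 encryption-algorithm {alg['enc']}",
        "set security ipsec policy IPsec-Policy proposals P2",
        f"set security ipsec policy IPsec-Policy perfect-forward-secrecy keys {alg['dh']}",
        "set security ipsec vpn VPN-A ike gateway Gateway-A",
        "set security ipsec vpn VPN-A ike ipsec-policy IPsec-Policy",
        f"set security zones security-zone Trust address-book address local-lan {loc['lan']}",
        "set security zones security-zone Untrust interface ge-0/0/0.0 host-inbound-traffic system-services ike",
        "set security flow tcp-mss ipsec-vpn mss 1350",
    ]
    if mode == "route":  # explicit proxy-ID; without it Junos offers 0.0.0.0/0 on both sides
        c += [
            f"set interfaces st0 unit 0 family inet address {loc['st0']}",
            f"set routing-options static route {rem['lan']} next-hop st0.0",
            "set security ipsec vpn VPN-A bind-interface st0.0",
            f"set security ipsec vpn VPN-A ike proxy-identity local {loc['lan']} remote {rem['lan']} service any",
            "set security zones security-zone VPN interface st0.0",
            f"set security zones security-zone VPN address-book address remote-lan {rem['lan']}",
        ]
        c += policy("Trust", "VPN", "TtoV", "local-lan", "remote-lan", "permit")
        c += policy("VPN", "Trust", "VtoT", "remote-lan", "local-lan", "permit")
    else:  # policy-based: the tunnel policy's addresses become the proxy-ID
        c += [
            "set security ipsec vpn VPN-A establish-tunnels immediately",
            f"set security zones security-zone Untrust address-book address remote-lan {rem['lan']}",
        ]
        c += policy("Trust", "Untrust", "TtoU", "local-lan", "remote-lan", "permit tunnel ipsec-vpn VPN-A")
        c += policy("Untrust", "Trust", "UtoT", "remote-lan", "local-lan", "permit tunnel ipsec-vpn VPN-A")
    return c


def proxy_ids(cmds):
    """(local, remote) prefixes this end will negotiate as its Phase 2 proxy-ID."""
    text = "\n".join(cmds)
    m = re.search(r"proxy-identity local (\S+) remote (\S+)", text)
    if m:
        return m.group(1), m.group(2)
    book = dict(re.findall(r"address-book address (\S+) (\S+)", text))
    src = re.search(r"to-zone Untrust policy \S+ match source-address (\S+)", text).group(1)
    dst = re.search(r"to-zone Untrust policy \S+ match destination-address (\S+)", text).group(1)
    return book[src], book[dst]


def mirrored(cmds_a, cmds_b):
    """True when proxy-IDs are swapped and each gateway address is the other end's WAN IP."""
    ta, tb = "\n".join(cmds_a), "\n".join(cmds_b)
    gw = lambda t: re.search(r"ike gateway \S+ address (\S+)", t).group(1)
    wan = lambda t: re.search(r"ge-0/0/0 unit 0 family inet address ([\d.]+)/", t).group(1)
    return (proxy_ids(cmds_a) == tuple(reversed(proxy_ids(cmds_b)))
            and gw(ta) == wan(tb) and gw(tb) == wan(ta))


if __name__ == "__main__":
    side_a, side_b = render("A", "B"), render("B", "A")
    print("\n".join(side_a), "\nmirrored:", mirrored(side_a, side_b))
```

Rendering both ends from the same SITES table is what makes the mirror check meaningful: a copy-pasted config that was edited by hand on only one side (same local/remote on both ends, or a gateway address that is not the peer's WAN) fails mirrored() before it fails on the device.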

MSS

Same as for the route-based VPN: set security flow tcp-mss ipsec-vpn mss 1350 is a global flow setting that applies to every IPsec VPN on the device, not a per-VPN one.


hardware/junos/ipsec.txt · Last modified: 2019/06/26 by admin
