Configuring IPSec between Softlayer Vyatta and Juniper SRX

Note: the Juniper SRX sits behind the WAN router; the public IP is on the WAN router, not on the SRX itself.

Below is an example of configuring IPsec between a Vyatta gateway at Softlayer and a Juniper SRX.

Network topology

[Network topology diagram: Juniper SRX]

Vyatta@Softlayer configuration

set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network '10.1.1.0/24'
set vpn ipsec nat-networks allowed-network '192.168.109.0/24'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'juniper'
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 0.0.0.0 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 0.0.0.0 local-address '119.81.x.x'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '192.168.109.0/24'


Juniper SRX (policy-based VPN)

Phase 1:

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm md5
set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc

set security ike policy ike-sl2 mode main
set security ike policy ike-sl2 proposals ike-phase1-proposal
set security ike policy ike-sl2 pre-shared-key ascii-text "$9$1xOhcl7Nb2oGSrb2"

set security ike gateway SL2-ikegw ike-policy ike-sl2
set security ike gateway SL2-ikegw address 119.81.xx.x
set security ike gateway SL2-ikegw external-interface ge-0/0/0.0

Phase 2:

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn SLVPN2 ike gateway SL2-ikegw
set security ipsec vpn SLVPN2 ike proxy-identity local 192.168.109.0/24
set security ipsec vpn SLVPN2 ike proxy-identity remote 10.66.24.0/26
set security ipsec vpn SLVPN2 ike proxy-identity service any
set security ipsec vpn SLVPN2 ike ipsec-policy ipsec-phase2-policy


Security Policy

set security address-book Untrust address SL-net 10.66.24.0/26
set security address-book Untrust attach zone untrust
set security address-book Trust address local_network 192.168.109.0/24
set security address-book Trust attach zone trust

set security policies from-zone trust to-zone untrust policy outbound_vpn match source-address local_network
set security policies from-zone trust to-zone untrust policy outbound_vpn match destination-address SL-net
set security policies from-zone trust to-zone untrust policy outbound_vpn match application any
set security policies from-zone trust to-zone untrust policy outbound_vpn then permit tunnel ipsec-vpn SLVPN2
set security policies from-zone trust to-zone untrust policy outbound_vpn then count

set security policies from-zone untrust to-zone trust policy inbound_vpn match source-address SL-net
set security policies from-zone untrust to-zone trust policy inbound_vpn match destination-address local_network
set security policies from-zone untrust to-zone trust policy inbound_vpn match application any
set security policies from-zone untrust to-zone trust policy inbound_vpn then permit tunnel ipsec-vpn SLVPN2
set security policies from-zone untrust to-zone trust policy inbound_vpn then count
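As an added check that is not part of the original post: the script below parses the two `set` listings above, confirms that the Phase 1 and Phase 2 parameters and the proxy IDs mirror each other (the usual reason such a tunnel fails to come up), and flags the legacy algorithms both sides negotiate here (3DES, MD5, DH group 2). The embedded excerpts are constructed from the listings above with shortened proposal names, and the script assumes Vyatta's `pfs 'enable'` reuses the IKE group's DH group for Phase 2.

```python
import re
# Constructed excerpts in the style of the two listings above (proposal names shortened).
VYATTA = """\
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '192.168.109.0/24'
"""
JUNOS = """\
set security ike proposal p1 dh-group group2
set security ike proposal p1 authentication-algorithm md5
set security ike proposal p1 encryption-algorithm 3des-cbc
set security ipsec proposal p2 authentication-algorithm hmac-md5-96
set security ipsec proposal p2 encryption-algorithm 3des-cbc
set security ipsec policy pol perfect-forward-secrecy keys group2
set security ipsec vpn SLVPN2 ike proxy-identity local 192.168.109.0/24
set security ipsec vpn SLVPN2 ike proxy-identity remote 10.66.24.0/26
"""
# (parameter, Vyatta pattern, Junos pattern); group 1 captures the value on each side.
PARAMS = [
    ("ike_enc", r"ike-group \S+ proposal \d+ encryption '(\S+)'", r"ike proposal \S+ encryption-algorithm (\S+)"),
    ("ike_hash", r"ike-group \S+ proposal \d+ hash '(\S+)'", r"ike proposal \S+ authentication-algorithm (\S+)"),
    ("ike_dh", r"ike-group \S+ proposal \d+ dh-group '(\d+)'", r"ike proposal \S+ dh-group group(\d+)"),
    ("esp_enc", r"esp-group \S+ proposal \d+ encryption '(\S+)'", r"ipsec proposal \S+ encryption-algorithm (\S+)"),
    ("esp_hash", r"esp-group \S+ proposal \d+ hash '(\S+)'", r"ipsec proposal \S+ authentication-algorithm (\S+)"),
    ("pfs", r"esp-group \S+ pfs '(\S+)'", r"perfect-forward-secrecy keys group(\d+)"),
    ("local", r"tunnel \d+ local prefix '(\S+)'", r"proxy-identity local (\S+)"),
    ("remote", r"tunnel \d+ remote prefix '(\S+)'", r"proxy-identity remote (\S+)"),
]
CANON = {"3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256",  # Junos -> Vyatta spelling
         "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256"}
WEAK = {"des", "3des", "md5", "sha1", "1", "2", "5"}  # legacy ciphers, hashes and DH groups

def parse(text, side):  # side 0 = Vyatta, 1 = Junos; returns {parameter: canonical value}
    hits = ((p[0], re.search(p[1 + side], text)) for p in PARAMS)
    return {k: CANON.get(m.group(1), m.group(1)) for k, m in hits if m}

def check(vyatta_text, junos_text):
    v, j = parse(vyatta_text, 0), parse(junos_text, 1)
    if v.get("pfs") == "enable":  # assumption: Vyatta 'pfs enable' reuses the IKE group's DH group
        v["pfs"] = v.get("ike_dh")
    bad = [k for k in ("ike_enc", "ike_hash", "ike_dh", "esp_enc", "esp_hash", "pfs") if v.get(k) != j.get(k)]
    if (v.get("local"), v.get("remote")) != (j.get("remote"), j.get("local")):
        bad.append("proxy-identity")  # each side's local prefix must be the other's remote
    weak = sorted({v[k] for k in v if k not in ("local", "remote") and v[k] in WEAK})
    return {"mismatches": bad, "weak": weak}  # both lists empty means the tunnel should negotiate
```

For the listings above the check reports no mismatches but lists 3des, md5 and DH group 2 as weak; moving both sides to AES and SHA-2 with a larger DH group clears that list.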
