Vyatta VTI IPSec to Juniper SRX Firewall

On By insidepacketIn Vyatta

Today, I will show how to build site to site IPSec VPN between Vyatta and Juniper SRX firewall by use of Vyatta Virtual tunnel interface.

Below is the network topology for our configuration. NOTE: we will use router-based VPN on Juniper SRX end.

Vyatta VTI IPSec

yatta Juniper SRX
Ethernet Interface

set interfaces ethernet eth0 address ‘192.168.107.88/24’

set interfaces ethernet eth1 address ‘10.1.1.53/24’

 Ethernet Interface

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.52/24

set interfaces ge-0/0/1 unit 0 family inet address 10.10.91.52/24
Virtual Tunnel Interface

set interfaces vti vti0 address ‘172.16.31.1/30’

 Virtual Tunnel Interface

set interfaces st0 unit 0 family inet

set security zones security-zone vpn interfaces st0.0
IPSec

set vpn ipsec esp-group ESP-1W compression ‘disable’

set vpn ipsec esp-group ESP-1W lifetime ‘3600’

set vpn ipsec esp-group ESP-1W mode ‘tunnel’

set vpn ipsec esp-group ESP-1W pfs ‘enable’

set vpn ipsec esp-group ESP-1W proposal 1 encryption ‘3des’

set vpn ipsec esp-group ESP-1W proposal 1 hash ‘md5’

set vpn ipsec ike-group IKE-1W lifetime ‘14400’

set vpn ipsec ike-group IKE-1W proposal 1 dh-group ‘2’

set vpn ipsec ike-group IKE-1W proposal 1 encryption ‘3des’

set vpn ipsec ike-group IKE-1W proposal 1 hash ‘md5’

set vpn ipsec ipsec-interfaces interface ‘eth1’

set vpn ipsec site-to-site peer 10.1.1.52 authentication mode ‘pre-shared-secret’

set vpn ipsec site-to-site peer 10.1.1.52 authentication pre-shared-secret ‘test_key_1’

set vpn ipsec site-to-site peer 10.1.1.52 connection-type ‘initiate’

set vpn ipsec site-to-site peer 10.1.1.52 ike-group ‘IKE-1W’

set vpn ipsec site-to-site peer 10.1.1.52 local-address ‘10.1.1.53’

set vpn ipsec site-to-site peer 10.1.1.52 vti bind ‘vti0’

set vpn ipsec site-to-site peer 10.1.1.52 vti esp-group ‘ESP-1W’

 IPSec

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys

set security ike proposal ike-phase1-proposal dh-group group2

set security ike proposal ike-phase1-proposal authentication-algorithm md5

set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc

set security ike proposal ike-phase1-proposal lifetime-seconds 14400

set security ike policy sandpit-p1 mode main

set security ike policy sandpit-p1 proposals ike-phase1-proposal

set security ike policy sandpit-p1 pre-shared-key ascii-text “$9$uONO0EyMWxdwgX7F6AuEhevWLVY.PTzn/”

set security ike gateway VTI ike-policy sandpit-p1

set security ike gateway VTI address 10.1.1.53

set security ike gateway VTI external-interface ge-0/0/0.0

set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96

set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc

set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2

set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

set security ipsec vpn VTI bind-interface st0.0

set security ipsec vpn VTI ike gateway VTI

set security ipsec vpn VTI ike ipsec-policy ipsec-phase2-policy
Routing

set protocols static interface-route 10.10.91.0/24 next-hop-interface vti0

 Routing

set routing-options static route 192.168.107.0/24 next-hop st0.0
IPSec Status

vyatta@vyatta:~$ show vpn ike sa

Peer ID / IP                            Local ID / IP

————                            ————-

10.1.1.52                               10.1.1.53

 

State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time

—–  ——-  —-  ——-  —–  ——  ——

 

up     3des     md5   2        no     2042    14400

vyatta@vyatta:~$ show vpn ipsec sa detail

——————————————————————

Peer IP:                10.1.1.52

Peer ID:                10.1.1.52

Local IP:               10.1.1.53

Local ID:               10.1.1.53

NAT Traversal:          no

NAT Source Port:        n/a

NAT Dest Port:          n/a

Tunnel vti:

State:                  up

Inbound SPI:            c5ae54df

Outbound SPI:           b9222e

Encryption:             3des

Hash:                   md5

PFS Group:              <Phase1>

Local Net:              0.0.0.0/0

Local Protocol:         all

Local Port:             all

Remote Net:             0.0.0.0/0

Remote Protocol:        all

Remote Port:            all

Inbound Bytes:          0.0

Outbound Bytes:         0.0

Active Time (s):        1088

Lifetime (s):           3600

 

vyatta@vyatta:~$ show vpn ipsec sa statistics

Peer ID / IP                            Local ID / IP

————                            ————-

10.1.1.52                               10.1.1.53

 

Tunnel Dir Source Network               Destination Network          Bytes

—— — ————–               ——————-          —–

vti    in  0.0.0.0/0                    0.0.0.0/0                    2016

 

vti    out 0.0.0.0/0                    0.0.0.0/0                    2016

 

 IPSec Status

root@srx2> show security ike sa

Index   State  Initiator cookie  Responder cookie  Mode           Remote Address

6447227 UP     8b6a396203c2986b  a9386fb0329d418a  Main           10.1.1.53

 

root@srx2> show security ipsec sa

Total active tunnels: 1

ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway

<131073 ESP:3des/md5  dde7cc0b 2694/ unlim   –   root 500   10.1.1.53

>131073 ESP:3des/md5  c4b99e4d 2694/ unlim   –   root 500   10.1.1.53

root@srx2> show security ipsec statistics

ESP Statistics:

Encrypted bytes:             1632

Decrypted bytes:             1120

Encrypted packets:             12

Decrypted packets:             12

AH Statistics:

Input bytes:                    0

Output bytes:                   0

Input packets:                  0

Output packets:                 0

Errors:

AH authentication failures: 0, Replay errors: 0

ESP authentication failures: 0, ESP decryption failures: 0

Bad headers: 0, Bad trailers: 0

root@srx2> show security ipsec security-associations detail | no-more

ID: 131073 Virtual-system: root, VPN Name: VTI

Local Gateway: 10.1.1.52, Remote Gateway: 10.1.1.53

Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

Version: IKEv1

DF-bit: clear

Bind-interface: st0.0

Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600a29

Tunnel Down Reason: SA not initiated

Direction: inbound, SPI: dde7cc0b, AUX-SPI: 0

, VPN Monitoring: –

Hard lifetime: Expires in 2609 seconds

Lifesize Remaining:  Unlimited

Soft lifetime: Expires in 2032 seconds

Mode: Tunnel(0 0), Type: dynamic, State: installed

Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc

Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: c4b99e4d, AUX-SPI: 0

, VPN Monitoring: –

Hard lifetime: Expires in 2609 seconds

Lifesize Remaining:  Unlimited

Soft lifetime: Expires in 2032 seconds

Mode: Tunnel(0 0), Type: dynamic, State: installed

Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc

Anti-replay service: counter-based enabled, Replay window size: 64
NOTE: VTI will show as “Admin Down A/D” before VPN is up.

vyatta@vyatta:~$    show interfaces

Codes: S – State, L – Link, u – Up, D – Down, A – Admin Down

Interface        IP Address                        S/L  Description

———        ———-                        —  ———–

eth1             10.1.1.53/24                      u/u

eth2             192.168.107.88/24                 u/u

lo               127.0.0.1/8                       u/u

::1/128

vti0             172.16.31.1/30                    A/D  

One thought on “Vyatta VTI IPSec to Juniper SRX Firewall

  1. Pingback: Vyatta Virtuanl Tunnel Interface for Site to Site IPSec – InsidePacket

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s