Example: Configuring a Hub-and-Spoke VPN between 3 SRXs using J-Web


Last updated: 7/2013

This configuration example shows how to configure a route-based multipoint VPN, with next-hop tunnel binding (NHTB), between a hub (Corporate office) and a spoke (Westford office) using J-Web. The second spoke (Sunnyvale office) is configured in the same way.

This example includes:
Topology
Configuring the Hub (Corporate office)
Configuring the spoke SRX (Westford office)
Verifying the IKE Phase 1 Status
Verifying the IPsec Phase 2 Status
Verifying Static Routes for Remote Peer Local LANs
Reviewing Statistics and Errors for an IPsec Security Association
Troubleshooting

For this same example using the CLI, refer to
For VPN configuration help, refer to

Juniper Networks, Inc.

Topology

The hierarchical steps and screen outputs in this document are based on the Junos 12.1X44 release.

Required Settings

This example assumes the following settings:

The internal LAN interface of the hub device (Corporate office) is ge-0/0/0.0 in zone trust and has a private IP subnet.
The Internet interface of the hub device (Corporate office) is ge-0/0/3.0 in zone untrust and has a public IP subnet.
The internal LAN interface of the spoke device (Westford office) is ge-0/0/3.0 in zone trust and has a private IP subnet.
The Internet interface of the spoke device (Westford office) is ge-0/0/0.0 in zone untrust and has a public IP subnet.

Note: This example shows the configuration and verification of a multipoint interface in a hub-and-spoke topology with two spokes. This example uses the following spokes, as shown in Figure 1:
o Spoke 1 - Device in Westford office, which is an SRX device running Junos OS Release 10.0 or later.
o Spoke 2 - Device in Sunnyvale office, which is an SRX device running Junos OS Release 10.0 or later.
You can easily include additional spokes by duplicating the configuration of any existing spoke, changing IP addresses as needed, and adding static routes for the new local LANs.

The secure tunnel interface is st0.0 on the devices in the Corporate office and in the Westford office. The tunnels are configured in the vpn zone. This lets you write policies specifically for tunnel (encrypted) traffic while keeping separate policies for clear (non-encrypted) traffic.

All st0 interfaces of all peer devices have IP addresses within the same logical subnet. Configuring all peer tunnel interface IP addresses within the same logical subnet is recommended, but not mandatory. However, if you run OSPF over the tunnels as a point-to-multipoint link, all peer tunnel interface IP addresses must be in the same logical subnet.

Traffic is allowed in both directions between all remote offices (spokes) and the corporate LAN (hub). Traffic is also allowed from spoke to spoke; however, spoke-to-spoke traffic always passes through the hub, because each spoke has a tunnel only to the hub. A static NHTB entry is not required between the devices, because all peers run Junos OS and build the next-hop tunnel table dynamically.

Configuration steps for Hub (Corporate Office)

A. Configure LAN/WAN interface, static route, security zone, and address book information for the Hub:

NOTE: This section is not part of the VPN configuration itself, but it is required before a VPN can be configured. If your LAN/WAN interfaces, static route, security zones, and local address book are already configured, skip to Section B for the VPN-related configuration.

1. Configure the LAN interface on the Trust side.
   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/0 in the left pane
   3. Click Add>logical interface.
   4. In the Add Interface box,
      a. Add the following attributes:
         Unit: 0
      b. Check the IPv4 Address box>enable address configuration. Click Add. Provide the address attributes:
         IPv4 Address:
         Subnet:
         Click OK

2. Configure the WAN interface on the Untrust side (Internet side).
   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/3 in the left pane
   3. Click Add>logical interface.
   4. In the Add Interface box,
      a. Add the following attributes:
         Unit: 0
      b. Check the IPv4 Address box>enable address configuration. Click Add. Provide the address attributes:
         IPv4 Address:
         Subnet:
         Click OK

3. Configure the static route (default route).
   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes:
         IP address:
         Subnet mask: 0
      c. Under next-hop, click Add
         IP Address:
      d. Click OK
   4. Click OK

4. Configure the untrust security zone.
   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box,
      a. Under the Main tab, provide the following details:
         Zone name: untrust
         Zone type: security
5. Assign an interface to the untrust security zone.
   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/3.0 from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.
   3. Click OK
6. Configure the trust security zone.
   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box,
      a. Under the Main tab, provide the following details:
         Zone name: trust
         Zone type: security
7. Assign an interface to the trust security zone.
   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/0.0 from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.
8. Specify allowed system services for the trust security zone.
   1. In the Add Zone box,
      a. Under the Host Inbound traffic Zone tab, select the service all from the list of Available services, and select the protocol all from the list of Available protocols.
      b. Click OK
   NOTE: Allowing all services and protocols on the trust zone is convenient for a lab. On a production device, allow only the host-inbound services the LAN actually needs.
9. Configure an address book and attach a zone to it.
   1. Select Configure>Security>Address Book
   2. Click Add
   3. In the Add Address Book box,
      a. Add the following attributes:
         Address Book Name: book1
      b. Click the Address tab and provide the following attributes:
         Address Name: local-net
         Address type: IP address
         Value: /24
      c. Under the Attach zone section, select trust from the list of Available zones.
      d. Click OK

B. Configure VPN-related interface, static route, security zone, and address book information for the Hub:

1. Allow ike on interface ge-0/0/3.0 in security zone untrust.
   a. Select Security>Zones/Screens
   b. Select security zone untrust and click Edit
   c. In the Edit Zone box, under the Host Inbound traffic Zone tab, select the service ike from the list of Available services.
   d. Click OK
   NOTE: This step is mandatory. If ike is not enabled on the external interface, the SRX does not accept inbound IKE packets; they are dropped and the IKE negotiation never proceeds.

2. Configure the tunnel (st0) interface.
   1. Select Configure>Interfaces>Ports
   2. Select st0 in the left pane
   3. Click Add>logical interface.
   4. In the Add Interface box,
      a. Add the following attributes:
         Unit: 0
      b. Check the IPv4 Address box>enable address configuration. Click Add. Provide the address attributes:
         IPv4 Address:
         Subnet:
         Click OK

3. Configure a route for tunnel traffic by specifying the remote destination network ( /24 for Sunnyvale and /24 for Westford) and the next-hop as the st0 interface.
   For Sunnyvale:
   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes:
         IP address:
         Subnet mask: 24
      c. Under next-hop, click Add
         Interface: st0.0
      d. Click OK
   4. Click OK

   For Westford:
   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes:
         IP address:
         Subnet mask: 24
      c. Under next-hop, click Add
         Interface: st0.0
      d. Click OK
   4. Click OK

4. Configure a security zone named vpn.
   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box,
      a. Under the Main tab, provide the following details:
         Zone name: vpn
         Zone type: security
5. Assign the tunnel interface to the security zone (vpn in this example).
   1. In the Add Zone box,
      a. Under the Interfaces in this zone section, select the interface st0.0 from the Available list.
      b. After selecting the interface, click the right arrow to move it to the Selected column.
      c. Click OK
6. Configure address book entries for the remote networks and attach a zone to them.
   1. Select Configure>Security>Address Book
   2. Click Add
   3. In the Add Address Book box,
      a. Add the following attributes:
         Address Book Name: book2
      b. Click the Address tab and provide the following attributes:
         Address Name: sunnyvale-net
         Address type: IP address
         Value: /24
         Address Name: westford-net
         Address type: IP address
         Value: /24
      c. Under the Attach zone section, select vpn from the list of Available zones.
      d. Click OK

C. Configure IKE for the Hub:

The IKE Phase 1 proposal, IKE policy, and IKE gateway are created in this section.

Select IPSec VPN>Auto Tunnel>Phase 1
1. Create the IKE Phase 1 proposal.
   a. Under the Proposal tab, click Add.
      name: ike-phase1-proposal
      authentication-method: pre-shared-keys
      dh-group: group2
      authentication-algorithm: sha1
      encryption-algorithm: aes-128-cbc
   b. Click OK
   NOTE: group2 (1024-bit MODP) and SHA-1 are the values used in this 2013 example. On current Junos releases, prefer dh-group group14 or higher and sha-256, configured identically on both peers.
2. Create an IKE policy for main mode that references the ike-phase1-proposal created above and uses preshared-key authentication.
   a. Under the Policy tab, click Add.
   b. Under the IKE Policy tab:
      name: ike-phase1-policy
      mode: main
      Specify a reference to the IKE proposal: under the proposal section, select User Defined. Select ike-phase1-proposal from the list of Available proposals, then click the right arrow to move the proposal to the Selected column.
   c. Click OK
   d. Define the IKE Phase 1 policy authentication method. Under the IKE Policy options tab, select pre-shared-key. Select Ascii text and enter the password that both VPN endpoints will use as the preshared key.
   e. Click OK

3. Create an IKE Phase 1 gateway. Specify the IKE policy, the external (outgoing) interface for Phase 1, and the peer IP address/FQDN:
   For the VPN to the Sunnyvale site:
   a. Under the Gateway tab, click Add.
      name: gw-sunnyvale
      policy: ike-phase1-policy
      external-interface: ge-0/0/3.0
      Address/FQDN:
   b. Click OK
   For the VPN to the Westford site:
   a. Under the Gateway tab, click Add.
      name: gw-westford
      policy: ike-phase1-policy
      external-interface: ge-0/0/3.0
      Address/FQDN:
   b. Click OK
   NOTE: The Address/FQDN must be the remote peer's public IP address. It is equally important to specify the correct external interface. If either the peer address or the external interface is wrong, the IKE gateway is not identified during the Phase 1 negotiation.
   NOTE: Both gateways reference the same IKE policy, so both spokes share one preshared key. Use a long random key, and if each spoke should have its own key, create a separate IKE policy (with its own preshared key) per gateway.

D. Configure IPsec for the Hub:

The IPsec Phase 2 proposal, IPsec policy, and IPsec VPN are created in this section.

Select IPSec VPN>Auto Tunnel>Phase 2
1. Create the IPsec Phase 2 proposal.
   a. Under the Proposal tab, click Add.
      name: ipsec-phase2-proposal
      protocol: esp
      authentication-algorithm: hmac-sha1-96
      encryption-algorithm: aes-128-cbc
   b. Click OK
2. Create an IPsec policy that references the IPsec Phase 2 proposal created above and enables perfect forward secrecy (PFS).
   a. Under the IPSec Policy tab, click Add.
      name: ipsec-phase2-policy
      perfect-forward-secrecy: group2
   b. Specify a reference to the IPsec proposal: under the proposal section, select User Defined. Select ipsec-phase2-proposal from the list of Available proposals, then click the right arrow to move the proposal to the Selected column.
   c. Click OK
3. Create the IPsec VPN, specifying the remote gateway, IPsec policy, and tunnel interface.
   For the VPN to the Sunnyvale site:
   a. Under the Auto Key VPN tab, click Add.
      Name: sunnyvale-vpn
      Remote Gateway: gw-sunnyvale
      IPsec Policy: from the drop-down list select ipsec-phase2-policy
      Bind to tunnel interface: from the drop-down list select st0.0
   b. Click OK

   For the VPN to the Westford site:
   a. Under the Auto Key VPN tab, click Add.
      Name: westford-vpn
      Remote Gateway: gw-westford
      IPsec Policy: from the drop-down list select ipsec-phase2-policy
      Bind to tunnel interface: from the drop-down list select st0.0
   b. Click OK

4. Configure the st0 interface as a multipoint interface, and optionally add NHTB entries.
   1. Select Configure>Interfaces>Ports
   2. Expand st0 and select st0.0 in the left pane
   3. Click Edit.
   4. In the Edit Interface st0.0 box,
      a. Because this is a hub-and-spoke topology and both VPNs are bound to st0.0, the interface must be multipoint. Check the multipoint checkbox.
      b. Under st Interface Configuration options, select Automatic or Manual as needed. To decide whether manual NHTB configuration is required, see the note below. If using manual NHTB, select the Manual radio button, click Add, and provide the NHTB attributes for each spoke, for example:
         Next hop tunnel address: (the peer's st0.0 address)
         VPN Name: westford-vpn
   5. Click OK

   NOTE: NHTB (Next Hop Tunnel Binding) maps the st0 address of each remote peer to the VPN that reaches it, so a multipoint st0 interface knows which tunnel to send a packet into. Static NHTB entries are mandatory if the VPN is to a non-Junos device, because non-Junos devices cannot help build the next-hop tunnel table dynamically. They are not required when all peers run Junos, because Junos builds the NHTB table dynamically; you can still add static entries for Junos peers if needed. For an explanation of NHTB, refer to:

E. Configure Security Policies for the Hub:

The security policies for tunnel traffic in both directions are configured in this section. A security policy permits traffic in one direction and also allows the reply traffic of those sessions without a reverse-direction policy. However, because traffic can be initiated from either side, bidirectional policies are required.

NOTES:
The policies use the zones set up in the initial steps. If required, more granular policies can be created to permit or deny specific traffic.
Because these are regular (non-tunnel) policies, they do not reference the IPsec VPN.
Source NAT rules can be enabled if desired, but that is beyond the scope of this example.
If more spoke sites are added, add the new spoke LANs to the source/destination match entries of these policies to permit the traffic.
The policies below only cover traffic between the corporate LAN (zone trust) and the spokes (zone vpn). Spoke-to-spoke traffic enters and leaves the hub on st0.0 in zone vpn, so permitting it additionally requires a policy from zone vpn to zone vpn on the hub.

Select Security>Policy>Apply Policy
1. Create the security policy to permit traffic from the trust zone to the vpn zone.
   a. Click Add
   b. In the Add Policy window, provide the following details:
      Policy name: local-to-spokes
   c. Under Policy context:
      From zone: from the drop-down list select trust
      To zone: from the drop-down list select vpn
   d. Under Source Address, select local-net from the list of available address book entries.
      Under Destination Address, select sunnyvale-net and westford-net from the list of available address book entries.
   e. Under Applications, select any from the list of available Applications/Sets entries.
   f. Under Policy Action, select permit from the drop-down list.
   g. Click OK
2. Create the security policy to permit traffic from the vpn zone to the trust zone.
   a. Click Add
   b. In the Add Policy window, provide the following details:
      Policy name: spokes-to-local
   c. Under Policy context:
      From zone: from the drop-down list select vpn
      To zone: from the drop-down list select trust
   d. Under Source Address, select sunnyvale-net and westford-net from the list of available address book entries.
      Under Destination Address, select local-net from the list of available address book entries.

   e. Under Applications, select any from the list of available Applications/Sets entries.
   f. Under Policy Action, select permit from the drop-down list.
   g. Click OK

Configuration steps for Westford spoke SRX

A. Configure LAN/WAN interface, static route, security zone, and address book information for the Westford spoke:

NOTE: This section is not part of the VPN configuration itself, but it is required before a VPN can be configured. If your LAN/WAN interfaces, static route, security zones, and local address book are already configured, skip to Section B for the VPN-related configuration.

1. Configure the WAN interface on the Untrust side (Internet side).
   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/0 in the left pane
   3. Click Add>logical interface.
   4. In the Add Interface box,
      a. Add the following attributes:
         Unit: 0
      b. Check the IPv4 Address box>enable address configuration. Click Add. Provide the address attributes:
         IPv4 Address:
         Subnet:
         Click OK

2. Configure the LAN interface on the Trust side.
   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/3 in the left pane
   3. Click Add>logical interface.
   4. In the Add Interface box,
      a. Add the following attributes:
         Unit: 0
      b. Check the IPv4 Address box>enable address configuration. Click Add. Provide the address attributes:
         IPv4 Address:
         Subnet:
         Click OK

3. Configure the static route (default route).
   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes:
         IP address:

         Subnet mask: 0
      c. Under next-hop, click Add
         IP Address:
      d. Click OK
   4. Click OK

4. Configure the untrust security zone.
   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box,
      a. Under the Main tab, provide the following details:
         Zone name: untrust
         Zone type: security
5. Assign an interface to the untrust security zone.
   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/0.0 (the Westford Internet interface) from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.
6. Specify allowed system services for the untrust security zone.
   1. In the Add Zone box,
      a. Under the Host Inbound traffic Zone tab, select the service ike from the list of Available services.
      b. Click OK
7. Configure the trust security zone.
   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box,
      a. Under the Main tab, provide the following details:
         Zone name: trust
         Zone type: security
8. Assign an interface to the trust security zone.
   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/3.0 (the Westford LAN interface) from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.
9. Specify allowed system services for the trust security zone.
   1. In the Add Zone box,
      a. Under the Host Inbound traffic Zone tab, select the service all from the list of Available services, and select the protocol all from the list of Available protocols.
      b. Click OK
10. Configure an address book and attach a zone to it.
   1. Select Configure>Security>Address Book
   2. Click Add

   3. In the Add Address Book box,
      a. Add the following attributes:
         Address Book Name: book1
      b. Click the Address tab and provide the following attributes:
         Address Name: local-net
         Address type: IP address
         Value: /24
      c. Under the Attach zone section, select trust from the list of Available zones.
      d. Click OK

B. Configure VPN-related interface, static route, security zone, and address book information for the Westford spoke:

1. Allow ike on interface ge-0/0/0.0 (the Westford Internet interface) in security zone untrust. If you already added ike in step 6 of Section A, verify that it is present:
   a. Select Security>Zones/Screens
   b. Select security zone untrust and click Edit
   c. In the Edit Zone box, under the Host Inbound traffic Zone tab, select the service ike from the list of Available services.
   d. Click OK
   NOTE: This step is mandatory. If ike is not enabled on the external interface, the SRX does not accept inbound IKE packets; they are dropped and the IKE negotiation never proceeds.

2. Configure the tunnel (st0) interface.
   1. Select Configure>Interfaces>Ports
   2. Select st0 in the left pane
   3. Click Add>logical interface.
   4. In the Add Interface box,
      a. Add the following attributes:
         Unit: 0
      b. Check the IPv4 Address box>enable address configuration. Click Add. Provide the address attributes:
         IPv4 Address:
         Subnet:
         Click OK

3. Configure a route for tunnel traffic by specifying the remote destination network ( /24 for Corporate and /24 for Sunnyvale) and the next-hop as the st0 interface.
   For Corporate:
   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4

      b. Add the following attributes:
         IP address:
         Subnet mask: 24
      c. Under next-hop, click Add
         Interface: st0.0
      d. Click OK
   4. Click OK
   For Sunnyvale:
   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes:
         IP address:
         Subnet mask: 24
      c. Under next-hop, click Add
         Interface: st0.0
      d. Click OK
   4. Click OK

4. Configure a security zone named vpn.
   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box,
      a. Under the Main tab, provide the following details:
         Zone name: vpn
         Zone type: security
5. Assign the tunnel interface to the security zone (vpn in this example).
   1. In the Add Zone box,
      a. Under the Interfaces in this zone section, select the interface st0.0 from the Available list.
      b. After selecting the interface, click the right arrow to move it to the Selected column.
      c. Click OK
6. Configure address book entries for the remote networks and attach a zone to them.
   1. Select Configure>Security>Address Book
   2. Click Add
   3. In the Add Address Book box,
      a. Add the following attributes:
         Address Book Name: book2
      b. Click the Address tab and provide the following attributes:
         Address Name: corp-net
         Address type: IP address
         Value: /24
         Address Name: sunnyvale-net

         Address type: IP address
         Value: /24
      c. Under the Attach zone section, select vpn from the list of Available zones.
      d. Click OK

C. Configure IKE for the Westford spoke:

The IKE Phase 1 proposal, IKE policy, and IKE gateway are created in this section. The proposal and policy must match the hub exactly (mode, preshared key, DH group, and algorithms).

Select IPSec VPN>Auto Tunnel>Phase 1
1. Create the IKE Phase 1 proposal.
   a. Under the Proposal tab, click Add.
      name: ike-phase1-proposal
      authentication-method: pre-shared-keys
      dh-group: group2
      authentication-algorithm: sha1
      encryption-algorithm: aes-128-cbc
   b. Click OK
2. Create an IKE policy for main mode that references the ike-phase1-proposal created above and uses preshared-key authentication.
   a. Under the Policy tab, click Add.
   b. Under the IKE Policy tab:
      name: ike-phase1-policy
      mode: main
3. Specify a reference to the IKE proposal.
   a. Under the proposal section, select User Defined.
   b. Select ike-phase1-proposal from the list of Available proposals, then click the right arrow to move the proposal to the Selected column.
   c. Click OK
   d. Define the IKE Phase 1 policy authentication method. Under the IKE Policy options tab, select pre-shared-key. Select Ascii text and enter the same password that was configured on the hub as the preshared key.
   e. Click OK

4. Create an IKE Phase 1 gateway. Specify the IKE policy, the external (outgoing) interface for Phase 1, and the peer IP address/FQDN:
   For the VPN to the Corporate site:
   a. Under the Gateway tab, click Add.
      name: gw-corporate
      policy: ike-phase1-policy
      external-interface: ge-0/0/0.0
      Address/FQDN:
   b. Click OK
   NOTE: The Address/FQDN must be the remote peer's public IP address (here, the hub's ge-0/0/3.0 address). It is equally important to specify the correct external interface. If either the peer address or the external interface is wrong, the IKE gateway is not identified during the Phase 1 negotiation.

D. Configure IPsec for the Westford spoke:

The IPsec Phase 2 proposal, IPsec policy, and IPsec VPN are created in this section.

Select IPSec VPN>Auto Tunnel>Phase 2
1. Create the IPsec Phase 2 proposal.
   a. Under the Proposal tab, click Add.
      name: ipsec-phase2-proposal
      protocol: esp
      authentication-algorithm: hmac-sha1-96
      encryption-algorithm: aes-128-cbc
   b. Click OK
2. Create an IPsec policy that references the IPsec Phase 2 proposal created above and enables perfect forward secrecy (PFS).
   a. Under the IPSec Policy tab, click Add.
      name: ipsec-phase2-policy
      perfect-forward-secrecy: group2
   b. Specify a reference to the IPsec proposal: under the proposal section, select User Defined. Select ipsec-phase2-proposal from the list of Available proposals.
   c. After selecting ipsec-phase2-proposal, click the right arrow to move the proposal to the Selected column.
   d. Click OK

3. Create the IPsec VPN, specifying the remote gateway, IPsec policy, and tunnel interface.
   For the VPN to the Corporate site:
   a. Under the Auto Key VPN tab, click Add.
      Name: vpn-corporate
      Remote Gateway: gw-corporate
      IPsec Policy: from the drop-down list select ipsec-phase2-policy
      Bind to tunnel interface: from the drop-down list select st0.0
   b. Click OK
   NOTE: The spoke has a single tunnel bound to st0.0, so the multipoint setting and the NHTB entries configured on the hub are not needed here.

E. Configure Security Policies for the Westford spoke:

The security policies for tunnel traffic in both directions are configured in this section. A security policy permits traffic in one direction and also allows the reply traffic of those sessions without a reverse-direction policy. However, because traffic can be initiated from either side, bidirectional policies are required.

NOTES:
The policies use the zones set up in the initial steps. If required, more granular policies can be created to permit or deny specific traffic.
Because these are regular (non-tunnel) policies, they do not reference the IPsec VPN.
Source NAT rules can be enabled if desired, but that is beyond the scope of this example.
If more spoke sites are added, add the new spoke LANs to the source/destination match entries of these policies to permit the traffic.

Select Security>Policy>Apply Policy
1. Create the security policy to permit traffic from the trust zone to the vpn zone.
   a. Click Add
   b. In the Add Policy window, provide the following details:
      Policy name: to-corporate
   c. Under Policy context:
      From zone: from the drop-down list select trust
      To zone: from the drop-down list select vpn
   d. Under Source Address, select local-net from the list of available address book entries.
      Under Destination Address, select corp-net and sunnyvale-net from the list of available address book entries.
   e. Under Applications, select any from the list of available Applications/Sets entries.
   f. Under Policy Action, select permit from the drop-down list.
   g. Click OK

2. Create the security policy to permit traffic from the vpn zone to the trust zone.
   a. Click Add
   b. In the Add Policy window, provide the following details:
      Policy name: from-corporate
   c. Under Policy context:
      From zone: from the drop-down list select vpn
      To zone: from the drop-down list select trust
   d. Under Source Address, select corp-net and sunnyvale-net from the list of available address book entries.
      Under Destination Address, select local-net from the list of available address book entries.
   e. Under Applications, select any from the list of available Applications/Sets entries.
   f. Under Policy Action, select permit from the drop-down list.
   g. Click OK

Configuration steps for Sunnyvale spoke SRX

To configure the Sunnyvale SRX, follow the configuration steps for the Westford SRX, replacing the interfaces, addresses, and address book names with the Sunnyvale parameters from the topology. Like Westford, Sunnyvale has a single tunnel to the hub; its vpn-zone address book entries are corp-net and westford-net.
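The J-Web steps in Sections A to E for the hub and the Westford spoke (and, by substitution, the Sunnyvale spoke) map one-to-one onto Junos CLI set commands. The following Python script is an added example, not part of the original Juniper document: it generates the equivalent configuration for all three sites from one topology table, so a fourth spoke is one more table entry. Every address is constructed (RFC 5737 ranges on the Internet side, RFC 1918 inside), the preshared key is a placeholder, and the policy names local-to-remote, remote-to-local and spoke-to-spoke plus the <site>-vpn naming are assumptions where the page gives none. The hub additionally gets a vpn-to-vpn policy for spoke-to-spoke traffic and, on request, the static NHTB entries of Section D step 4.

```python
"""Junos 'set' command generator for the hub-and-spoke route-based VPN above.
Added example, not from the original Juniper document. Every address is constructed
(RFC 5737 on the Internet side, RFC 1918 inside); replace them with your own."""

PSK = "REPLACE-WITH-A-LONG-RANDOM-SECRET"  # assumption: one key for all peers, as in the example
HUB = "corporate"
NET = {"corporate": "corp-net", "westford": "westford-net", "sunnyvale": "sunnyvale-net"}
SITES = {  # constructed topology: lan_if sits in zone trust, wan_if in zone untrust, st0 in zone vpn
    "corporate": dict(lan_if="ge-0/0/0", lan="10.10.10.0/24", lan_ip="10.10.10.1/24", st0="10.11.11.10/24",
                      wan_if="ge-0/0/3", wan_ip="203.0.113.1/24", wan_gw="203.0.113.254"),
    "westford": dict(lan_if="ge-0/0/3", lan="192.168.168.0/24", lan_ip="192.168.168.1/24", st0="10.11.11.11/24",
                     wan_if="ge-0/0/0", wan_ip="198.51.100.2/24", wan_gw="198.51.100.254"),
    "sunnyvale": dict(lan_if="ge-0/0/3", lan="192.168.178.0/24", lan_ip="192.168.178.1/24", st0="10.11.11.12/24",
                      wan_if="ge-0/0/0", wan_ip="192.0.2.3/24", wan_gw="192.0.2.254"),
}


def _base(s, reach):
    """Sections A/B: interfaces, routes, zones, address books; reach = LANs behind st0.0."""
    out = [
        f"set interfaces {s['lan_if']} unit 0 family inet address {s['lan_ip']}",
        f"set interfaces {s['wan_if']} unit 0 family inet address {s['wan_ip']}",
        f"set interfaces st0 unit 0 family inet address {s['st0']}",
        f"set routing-options static route 0.0.0.0/0 next-hop {s['wan_gw']}",
        f"set security zones security-zone trust interfaces {s['lan_if']}.0",
        "set security zones security-zone trust host-inbound-traffic system-services all",
        "set security zones security-zone trust host-inbound-traffic protocols all",
        # without 'ike' on the Internet-facing interface the SRX drops inbound IKE (Section B step 1)
        f"set security zones security-zone untrust interfaces {s['wan_if']}.0 "
        "host-inbound-traffic system-services ike",
        "set security zones security-zone vpn interfaces st0.0",
        f"set security address-book book1 address local-net {s['lan']}",
        "set security address-book book1 attach zone trust",
        "set security address-book book2 attach zone vpn",
    ]
    for p in reach:  # remote LANs: address book entry in the vpn zone + static route via st0.0
        out.append(f"set security address-book book2 address {NET[p]} {SITES[p]['lan']}")
        out.append(f"set routing-options static route {SITES[p]['lan']} next-hop st0.0")
    return out


def _vpn(s, gateways, static_nhtb=False):
    """Sections C/D: IKE phase 1, IPsec phase 2, one VPN per IKE peer, all bound to st0.0."""
    out = [
        "set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys",
        "set security ike proposal ike-phase1-proposal dh-group group2",
        "set security ike proposal ike-phase1-proposal authentication-algorithm sha1",
        "set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc",
        "set security ike policy ike-phase1-policy mode main",
        "set security ike policy ike-phase1-policy proposals ike-phase1-proposal",
        f'set security ike policy ike-phase1-policy pre-shared-key ascii-text "{PSK}"',
        "set security ipsec proposal ipsec-phase2-proposal protocol esp",
        "set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96",
        "set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc",
        "set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2",
        "set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal",
    ]
    if len(gateways) > 1:  # the hub terminates several tunnels on one st0.0, so it must be multipoint
        out.append("set interfaces st0 unit 0 multipoint")
    for g in gateways:
        peer_ip, peer_st0 = (SITES[g][k].split("/")[0] for k in ("wan_ip", "st0"))
        out += [
            f"set security ike gateway gw-{g} ike-policy ike-phase1-policy",
            f"set security ike gateway gw-{g} address {peer_ip}",
            f"set security ike gateway gw-{g} external-interface {s['wan_if']}.0",
            f"set security ipsec vpn {g}-vpn bind-interface st0.0",
            f"set security ipsec vpn {g}-vpn ike gateway gw-{g}",
            f"set security ipsec vpn {g}-vpn ike ipsec-policy ipsec-phase2-policy",
        ]
        if static_nhtb:  # optional static NHTB entry: remote st0 address -> VPN that reaches it
            out.append(f"set interfaces st0 unit 0 family inet next-hop-tunnel {peer_st0} ipsec-vpn {g}-vpn")
    return out


def _policies(reach, hub):
    """Section E: bidirectional trust<->vpn policies; the hub also needs vpn->vpn for spoke-to-spoke."""
    remote = [NET[p] for p in reach]
    rules = [("local-to-remote", "trust", "vpn", ["local-net"], remote),
             ("remote-to-local", "vpn", "trust", remote, ["local-net"])]
    if hub:  # spoke-to-spoke traffic enters and leaves the hub on st0.0 (zone vpn)
        rules.append(("spoke-to-spoke", "vpn", "vpn", remote, remote))
    out = []
    for name, frm, to, src, dst in rules:
        pfx = f"set security policies from-zone {frm} to-zone {to} policy {name}"
        out += [f"{pfx} match source-address {a}" for a in src]
        out += [f"{pfx} match destination-address {a}" for a in dst]
        out += [f"{pfx} match application any", f"{pfx} then permit"]
    return out


def generate(site, static_nhtb=False):
    """Complete configuration for one site, as a list of 'set' commands."""
    others = [n for n in SITES if n != site]
    gateways = others if site == HUB else [HUB]  # spokes only peer with the hub
    return (_base(SITES[site], others) + _vpn(SITES[site], gateways, static_nhtb)
            + _policies(others, site == HUB))


if __name__ == "__main__":
    for name in SITES:
        print(f"# --- {name} ---\n" + "\n".join(generate(name)) + "\n")
```

Paste each site's block into configure mode on the matching device and run commit check before commit; a line whose syntax differs on your release is rejected there rather than silently ignored.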

Verifying the IKE Phase 1 Status

For CLI: From operational mode, enter the show security ike security-associations command.

user@host> show security ike security-associations
Index   Remote Address   State   Initiator cookie   Responder cookie   Mode
                         UP      d77t81e85fe7e7e3   8bbae363d59cc85f   Main
                         UP      7fb608d592b38f1c   34eabfba5a363a6d   Main

For J-Web: The steps and tips to check the IKE Phase 1 status are below. (The steps to check the IPsec Phase 2 status are in the section that follows.)
1. Click the Monitor tab
2. Select IPSec VPN>Phase 1
The right-hand pane lists all the active IKE Phase 1 SAs. Each SA contains the following information:
Index: This value is unique for each IKE SA. Use it with the CLI command show security ike security-associations index <index> detail to get more information about the SA.
Remote Address: Verify that the remote IP address is correct.
State:

o UP: The Phase 1 SA has been established.
o DOWN: There was a problem establishing the Phase 1 SA.
Mode: Verify that the correct mode is being used.

Things to check:
1. In the show security ike security-associations output, confirm that the remote address is the peer's public IP address and that the state is UP. If the state shows DOWN, or if no IKE security association is present, there is a problem with Phase 1 establishment. Confirm that the remote IP address, IKE policy, and external interface are all correct. Common errors are incorrect IKE policy parameters such as the wrong mode (Aggressive or Main), mismatched preshared keys, or mismatched Phase 1 proposals (all must match on both peers). An incorrect external interface is another common misconfiguration: it must be the interface that actually receives the IKE packets.
2. If the configuration has been checked, look in the kmd log for errors, or use traceoptions.
Note: The kmd log can be downloaded via J-Web by going to the Maintain tab>Files>Log Files. Locate the kmd line and click Download. For information about traceoptions, see Troubleshooting.

Verifying the IPsec Phase 2 Status

For CLI: From operational mode, enter the show security ipsec security-associations command.

user@host> show security ipsec security-associations
  total configured sa: 2
  ID   Gateway   Port   Algorithm          SPI        Life:sec/kb    Mon   vsys
  <                     ESP:aes-128/sha1   f          / unlim        -     0
  >                     ESP:aes-128/sha1   33d66aa    1154/ unlim    -     0
  <                     ESP:aes-128/sha1   e76e48f5   1153/ unlim    -     0
  >                     ESP:aes-128/sha    bf         1153/ unlim    -     0

For J-Web: The steps and tips to check the IPsec Phase 2 status are below.
1. Click the Monitor tab
2. Select IPSec VPN>Phase 2
On the right-hand pane, click the IPSec SA tab.

This screen contains the following information:
ID: Use this value with the CLI command show security ipsec security-associations index <id> detail to get more information about this particular SA.
There is one IPsec SA pair using port 500, which indicates that no NAT traversal is in use. (NAT traversal uses port 4500 or another random high-numbered port.)
The SPIs, lifetime (in seconds), and usage limits (lifesize in KB) are shown for both directions. The value 1155/ unlim indicates that the Phase 2 lifetime expires in 1155 seconds and that no lifesize has been specified, so it is unlimited. The Phase 2 lifetime can differ from the Phase 1 lifetime, because Phase 2 does not depend on Phase 1 once the VPN is up.

Things to check:
1. If no IPsec SA is listed, confirm that the Phase 2 proposals, including the proxy ID settings, are correct on both peers. Note that for route-based VPNs the default local proxy ID is /0, the remote proxy ID is /0, and the service is any. This can cause problems if you have multiple route-based VPNs from the same peer IP; in that case you need to specify unique proxy IDs for each IPsec SA. Some third-party vendors also require the proxy IDs to match exactly.
2. Another common reason for Phase 2 failing to complete is a missing st0 interface binding (Bind to tunnel interface in the Auto Key VPN settings).

3. If IPsec cannot complete, check the messages log and look for entries with the keyword KMD. These typically show whether or not the SA came up. Example:
Apr 19 11:47:54 rng kmd[1319]: IKE Phase-2: Completed negotiations, connection established with tunnel-id: and lifetime 2992 seconds/0 KB - Local gateway: , Remote gateway: , Local Proxy ID: ipv4_subnet(any:0,[0..7]= /0), Remote Proxy ID: ipv4_subnet(any:0,[0..7]= /0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: inbound, SPI: 93eb6df3, AUX-SPI: 0, Type: dynamic
Note: The messages log can be downloaded via J-Web by going to the Maintain tab>Files>Log Files. Locate the messages line and click Download.
If the tunnel still fails to come up, go to the Troubleshooting section.
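To apply the "Things to check" lists of the Phase 1 and Phase 2 sections above mechanically, for example from a monitoring job that runs the two show commands over SSH, the following Python script (an added example, not part of the original Juniper document) parses the output of show security ike security-associations and show security ipsec security-associations in the column layout shown above and reports, per expected peer, whether Phase 1 is UP, whether an inbound/outbound IPsec SA pair exists, whether NAT traversal (port 4500) is in use, and which SAs are about to rekey. The sample output embedded in it is constructed, with invented addresses, indexes, cookies and SPIs; the peer list passed to check_peers is the hub's view of the two spokes.

```python
"""Checks the two 'show security ... security-associations' outputs against the
'Things to check' lists above. Added example, not part of the original document."""
import re

# Constructed sample output (hub's view). Addresses, indexes, cookies and SPIs are invented:
# 198.51.100.2 stands for Westford, 192.0.2.3 for Sunnyvale. Not captured from a real device.
IKE_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
4718    198.51.100.2    UP     d77c81e85fe7e7e3  8bbae363d59cc85f  Main
4719    192.0.2.3       DOWN   7fb608d592b38f1c  34eabfba5a363a6d  Main
"""
IPSEC_OUTPUT = """\
  total configured sa: 2
  ID      Gateway        Port  Algorithm         SPI       Life:sec/kb  Mon vsys
  <131073 198.51.100.2   500   ESP:aes-128/sha1  f0a4c9e1  1155/ unlim   -   0
  >131073 198.51.100.2   500   ESP:aes-128/sha1  33d66aa0  1154/ unlim   -   0
"""

# Data rows only; header lines do not start with a number or a direction marker.
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(UP|DOWN)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\w+)")
IPSEC_ROW = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)")


def parse_ike(text):
    """Remote address -> {index, state, mode} from 'show security ike security-associations'."""
    sas = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            idx, peer, state, _icookie, _rcookie, mode = m.groups()
            sas[peer] = {"index": int(idx), "state": state, "mode": mode}
    return sas


def parse_ipsec(text):
    """Gateway -> list of SAs (one per direction) from 'show security ipsec security-associations'."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            d, sid, gw, port, algo, spi, life, kb = m.groups()
            sas.setdefault(gw, []).append({"dir": "in" if d == "<" else "out", "id": int(sid),
                                           "port": int(port), "algo": algo, "spi": spi,
                                           "life": int(life), "kb": kb})
    return sas


def check_peers(expected, ike_text, ipsec_text, expiring=120):
    """expected = {name: public address}. Returns (status per peer, list of findings)."""
    ike, ipsec = parse_ike(ike_text), parse_ipsec(ipsec_text)
    status, findings = {}, []
    for name, addr in expected.items():
        p1 = ike.get(addr, {}).get("state", "missing")
        sas = ipsec.get(addr, [])
        st = {"phase1": p1,
              "phase2_pair": {s["dir"] for s in sas} == {"in", "out"},  # both directions present
              "nat_t": any(s["port"] == 4500 for s in sas)}            # port 4500 => NAT-T in use
        if p1 != "UP":
            findings.append(f"{name}: phase 1 {p1} for {addr}: check remote address, IKE policy "
                            "(mode, preshared key, proposal) and external interface, then the kmd log")
        elif not st["phase2_pair"]:
            findings.append(f"{name}: phase 1 UP but no inbound/outbound IPsec SA pair: check phase 2 "
                            "proposals, proxy IDs and the st0 bind-interface")
        for s in sas:
            if s["life"] < expiring:  # about to rekey; a stuck rekey shows up here first
                findings.append(f"{name}: SA {s['id']} {s['dir']} rekeys in {s['life']}s")
        status[name] = st
    return status, findings


if __name__ == "__main__":
    peers = {"westford": "198.51.100.2", "sunnyvale": "192.0.2.3"}
    for line in check_peers(peers, IKE_OUTPUT, IPSEC_OUTPUT)[1]:
        print(line)
```

With the constructed sample the script reports only the Sunnyvale peer, whose Phase 1 SA is DOWN; Westford has Phase 1 UP and a complete inbound/outbound pair on port 500, so no NAT-T and nothing to report.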

Verifying Static Routes for Remote Peer Local LANs

1. Click the Monitor tab
2. Select Routing>Routing Information
3. To check the route to destination ,
   a. Under Route Filter, set the destination address as
   b. Click Search.
   c. The route for the destination is displayed, with st0.0 as the next hop.

Reviewing Statistics and Errors for an IPsec Security Association

1. Click the Monitor tab
2. Select IPSec VPN>Phase 2
On the right-hand pane, click the Statistics tab.
If you see packet loss across a VPN, adjust the refresh interval and monitor the statistics to confirm that the encrypted and decrypted packet counters are incrementing. Also check whether any of the error counters are incrementing.

Troubleshooting

For step-by-step troubleshooting, refer to: KB Resolution Guide - How to Troubleshoot a VPN Tunnel that won't come up on a SRX Series device
For help with configuring traceoptions for debugging and trimming output, refer to:


More information

Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall

Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall Document ID: 23786 Contents Introduction Prerequisites Requirements Components Used Conventions Network Diagram

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Configuring VPN backup for Avaya S8700 Media Servers and Avaya G600 Media Gateways Controlling Avaya G350 Media Gateways, using the Avaya Security Gateway and

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security

More information