How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router

Summary
This article presents an example configuration of a Policy-Based site-to-site IPSec VPN tunnel between a Series 3 Cradlepoint router and a SRX or J series Juniper router.

Assumptions
Cradlepoint model AER2100, MBR1400, IBR6x0, CBR4x0.
SRX or J series router running software 11.4 or newer.
Static publicly routable IP addresses on both the Cradlepoint and Juniper router.

Network Topology (diagram)
Configuration
Configuration Difficulty: Intermediate

CradlePoint Configuration:
- Step 1: Log into NCOS. For help with logging in, please click here.
- Step 2: Click on Networking and select Tunnels and then IPSec VPN.
- Step 3: Under VPN Tunnels click Add.
- Step 4: Enter a Tunnel Name.
- Step 5: Enter a Pre-Shared Key.
- Step 6: Click Next.
- Step 7: Under Local Networks click Add and enter the Cradlepoint's LAN that you want to be accessible across the tunnel.
- Step 8: Click Next.
- Step 9: Enter the Remote Gateway, which is the WAN IP of the Juniper.
- Step 10: Under Remote Networks click Add and enter the Juniper's LAN that you want to be accessible across the tunnel.
- Step 11: Click Next.
- Step 12: Select the desired IKE Phase 1 parameters.
  o Cradlepoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and an IKE Phase 1 key lifetime of 86400.
- Step 13: Click Next.
- Step 14: Select the desired IKE Phase 2 parameters.
  o CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and a Phase 2 key lifetime of 3600.
- Step 15: Click Next.
- Step 16: Configure Dead Peer Detection to your preferences.
- Step 17: Cradlepoint recommends keeping this setting enabled.
- Step 18: Click Finish.
Juniper Configuration:
To quickly configure sections of the example: copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuring Interface, Static Route, Security Zone, and Address Book Information:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.30.254/24
set interfaces ge-0/0/3 unit 0 family inet address 75.160.178.210/30
set routing-options static route 0.0.0.0/0 next-hop 75.160.178.211
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security address-book book1 address juniper 192.168.30.0/24
set security address-book book1 attach zone trust
set security address-book book2 address cradlepoint 192.168.100.0/24
set security address-book book2 attach zone untrust

Configuring IKE:
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group1
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
set security ike gateway gw-cradlepoint external-interface ge-0/0/3.0
set security ike gateway gw-cradlepoint ike-policy ike-phase1-policy
set security ike gateway gw-cradlepoint address 166.154.4.196

Configuring IPsec:
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group1
set security ipsec vpn ike-vpn-cradlepoint ike gateway gw-cradlepoint
set security ipsec vpn ike-vpn-cradlepoint ike ipsec-policy ipsec-phase2-policy

Configuring Security Policies:
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match source-address juniper
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match destination-address cradlepoint
set security policies from-zone trust to-zone untrust policy vpn-tr-untr match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpn-cradlepoint
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match source-address cradlepoint
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match destination-address juniper
set security policies from-zone untrust to-zone trust policy vpn-untr-tr match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpn-cradlepoint
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
set security policies from-zone trust to-zone untrust policy permit-any match source-address any
set security policies from-zone trust to-zone untrust policy permit-any match destination-address any
set security policies from-zone trust to-zone untrust policy permit-any match application any
set security policies from-zone trust to-zone untrust policy permit-any then permit
insert security policies from-zone trust to-zone untrust policy vpn-tr-untr before policy permit-any

Configuring TCP-MSS:
set security flow tcp-mss ipsec-vpn mss 1350
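The Junos commands above link objects by name (proposal to policy, policy to gateway, gateway to vpn, vpn to security policy, plus the two pair-policy statements), so one mistyped name after editing a pasted configuration leaves the tunnel policy pointing at nothing. The script below is an added check written for this article, not Cradlepoint's or Juniper's tooling: it parses a constructed set of `set` lines in which the policies reference `ike-vpncradlepoint` while the vpn object is defined as `ike-vpn-cradlepoint`, and reports unresolved references and pair-policy links that the partner policy does not mirror.

```python
import re

# Constructed sample, trimmed from the article's Junos configuration. The vpn is
# defined as 'ike-vpn-cradlepoint' but the policies reference 'ike-vpncradlepoint'.
SAMPLE = """\
set security ike proposal ike-phase1-proposal encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike gateway gw-cradlepoint ike-policy ike-phase1-policy
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn ike-vpn-cradlepoint ike gateway gw-cradlepoint
set security ipsec vpn ike-vpn-cradlepoint ike ipsec-policy ipsec-phase2-policy
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel ipsec-vpn ike-vpncradlepoint
set security policies from-zone trust to-zone untrust policy vpn-tr-untr then permit tunnel pair-policy vpn-untr-tr
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel ipsec-vpn ike-vpncradlepoint
set security policies from-zone untrust to-zone trust policy vpn-untr-tr then permit tunnel pair-policy vpn-tr-untr
"""

# Statements that define an object other statements refer to by name.
DEF_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy|gateway|vpn) (\S+)")
# (regex, kind the captured name must be defined under)
REF_RES = [
    (re.compile(r" (ike|ipsec) policy \S+ proposals (\S+)"), "{0} proposal"),
    (re.compile(r" ike gateway \S+ ike-policy (\S+)"), "ike policy"),
    (re.compile(r" ipsec vpn \S+ ike gateway (\S+)"), "ike gateway"),
    (re.compile(r" ipsec vpn \S+ ike ipsec-policy (\S+)"), "ipsec policy"),
    (re.compile(r" then permit tunnel ipsec-vpn (\S+)"), "ipsec vpn"),
]
PAIR_RE = re.compile(r" policy (\S+) then permit tunnel pair-policy (\S+)")

def check_vpn_references(config):
    """Return problems: names referenced but never defined, unmirrored pair-policies."""
    defined, refs, pairs = {}, [], {}
    for line in config.strip().splitlines():
        m = DEF_RE.match(line)
        if m:
            defined.setdefault(f"{m[1]} {m[2]}", set()).add(m[3])
        for regex, kind in REF_RES:
            m = regex.search(line)
            if m:  # the proposals pattern captures ike|ipsec first, then the name
                refs.append((kind.format(*m.groups()), m.groups()[-1]))
        m = PAIR_RE.search(line)
        if m:
            pairs[m[1]] = m[2]
    problems = [f"{kind} '{name}' is referenced but never defined"
                for kind, name in refs if name not in defined.get(kind, ())]
    problems += [f"pair-policy {a} -> {b} is not mirrored by {b} -> {a}"
                 for a, b in pairs.items() if pairs.get(b) != a]
    return problems
```

Running `check_vpn_references(SAMPLE)` reports the two policy lines whose `ipsec-vpn` name does not exist; after the name is corrected the list is empty.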