Presenter John Baker


Presenter John Baker docs@ilikeit.co.uk

Training Objectives and Overview

- Training Assumptions
- Why?
- Network design & Information Collation
- Endpoint Setup
- Troubleshooting
- Things to watch out for
- Review
- Q&A
- References and Links

After completing this short training course you should be able to set up a site-to-site VPN between a Juniper SRX UTM firewall and a 3rd-party VPN endpoint (Draytek). The example used for this training is a Juniper SRX210H to a Draytek 2820 firewall/VPN router. This course does not go into detail on how IPSEC/IKE works; please refer to the reference section for links to more detailed information if needed. If you have any questions, please feel free to ask at any time, or wait until the end.

- You have administrative/root access to each endpoint.
- You will have a laptop/workstation/server connected to each LAN.
- You are familiar with the concepts of IKE and IPSEC.
- Neither endpoint has an existing VPN configured.
- Both devices are fully working and there is a route between them.
- No ports/protocols are blocked between the two routers.

- Both endpoints have public IP addresses on their respective WAN interfaces.
- The two endpoints have different, non-overlapping LAN IP subnets.
- IKE/IPSEC will be set up with AES256/SHA1 and a PSK.
- The Juniper SRX210H will be configured via the CLI; you should be familiar with the CLI and Junos.

Even with cloud services, you will still need access to restricted information and assets across multiple sites, and to central applications that make no commercial or financial sense to duplicate in each location. Wireless, UTM, firewall, VPN and WAN (DSL/Cable) are all integrated into a single device, which can save money and energy. Some of the larger VPN/firewall vendors charge more for the WAN interface module (DSL) than a complete device from a smaller vendor costs.

Local Site
  Model Name: Juniper SRX-210H
  Firmware Version: 12.1R2.9
  WAN IP Address: 111.111.111.111/32
  LAN IP Subnet: 192.168.253.0/24
  Internal ADSL2+ PIM installed

Remote Site
  Model Name: Draytek Vigor2820VN
  Firmware Version: 3.3.7.2_232201
  WAN IP Address: 222.222.222.222/32
  LAN IP Subnet: 192.168.0.0/24
  Inbuilt ADSL2+ modem

It is very important that you collate all of the information needed before you start any configuration. I have designed a cheat sheet document which I fill in with all of the information before I start. By using a sheet like this you will be able to reduce the time taken to deploy and reduce the risk of making a mistake. Plus, you can make it part of your documentation.

It does not matter which endpoint you set up first, but I usually set up the remote endpoint first, because its setup is usually less complicated than the main/local site's. You will need to be on site to do this, unless you have allowed remote administration via the WAN connection. Connect to the Draytek 2820 using your web browser.

Select the VPN and Remote Access menu option, then select an unused LAN-to-LAN profile.

Enter the profile name and optionally enable the profile. Select IPSEC as the dial-out tunnel type. The Server IP/Hostname field needs to contain the SRX WAN IP address. Select the PSK option for the IKE authentication method, and select High (ESP) AES with Auth for the IPSEC security method. Refer to the VPN Cheat sheet to fill in the fields as appropriate.

Click on the IKE Pre-Shared Key button and enter the PSK. Please remember that the PSK needs to be exactly the same on both VPN endpoints. Next click on the Advanced button next to the IPSEC Security Method, and make sure that you select the IKE proposal details correctly. Refer to the VPN Cheat sheet to fill in the fields as appropriate.

Select IPSEC as the dial-in tunnel type. The Remote VPN Gateway field needs to contain the SRX WAN IP address. Select the PSK option for the IKE authentication method, and select High (ESP) AES for the IPSEC security method. Enter the PSK again. Refer to the VPN Cheat sheet to fill in the fields as appropriate.

The remote network IP and mask is the LAN IP range behind the SRX. The local network IP is the Draytek local LAN range. These need to be correct, as they are used to route traffic across the VPN tunnel and are also used as the local/remote proxy IDs during the IKE setup process. Refer to the VPN Cheat sheet to fill in the fields as appropriate.

Please recheck all of the configured fields to make sure that they are correct. Don't forget to enable the profile!

The Juniper SRX requires a number of commands to set up the VPN tunnel. You need to define the remote network, set up a route and configure the secure tunnel interface (st0.0). You need to define the IKE and IPSEC policies. You also need to define a security policy to allow traffic to/from the VPN tunnel. The easy way to do this configuration is to customise the complete script, which is in the reference section at the end of this training course.

Let's define the secure tunnel interface. From configuration mode:

set interfaces st0.0 family inet
set routing-options static route 192.168.0.0/24 next-hop st0.0

This will route any traffic for the remote LAN over the VPN tunnel. Now we need to set up a security zone for the VPN tunnel:

set security zones security-zone VPN interfaces st0.0

We need to set up the address book for the local and remote networks, on the trust and VPN security zones:

set security zones security-zone trust address-book address net-cfgr_site1_lan 192.168.253.0/24
set security zones security-zone VPN address-book address net-cfgr_site2_lan 192.168.0.0/24

We need to make sure that the required service (IKE) is enabled on the untrust security zone, otherwise the SRX will not answer the peer's IKE packets:

set security zones security-zone untrust host-inbound-traffic system-services ike

Refer to the VPN Cheat sheet to fill in the fields as appropriate.

Now the configuration of the PSK and the IKE mode policy:

set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "PRESHARED KEY"

Please remember to enter the same PSK as on the remote endpoint. Next we need to define the IKE gateway settings and reference the IKE policy:

set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 222.222.222.222
set security ike gateway ike-gate-cfgr external-interface at-0/0/0

The gateway address is the WAN IP address of the remote (Draytek) VPN appliance. The external interface used must be associated with the untrust security zone. Refer to the VPN Cheat sheet to fill in the fields as appropriate.

Now we need to configure the IKE proposal and policy:

set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
set security ike proposal ike-proposal-cfgr encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
set security ike proposal ike-proposal-cfgr lifetime-seconds 14400

Now the IPSEC VPN, associating it with the IKE gateway, the IPSEC policy and the secure tunnel interface st0.0:

set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0

Now we need to define the LAN IP ranges of the local and remote sites, which are used as the proxy identities during the IKE setup:

set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.253.0/24
set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.0.0/24

Without this you may not be able to establish the tunnel. Refer to the VPN Cheat sheet to fill in the fields as appropriate.

Now we need to configure the IPSEC proposal and policy:

set security ipsec proposal ipsec-proposal-cfgr protocol esp
set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-cfgr lifetime-seconds 14400

Now we need to define how the tunnel is established. If you only want the tunnel to come up when there is traffic from the local to the remote site, choose:

set security ipsec vpn ipsec-vpn-cfgr establish-tunnels on-traffic

If you want a permanent tunnel, choose:

set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately

Refer to the VPN Cheat sheet to fill in the fields as appropriate.

Now we need to configure the security policies to allow traffic in and out of the trust and VPN security zones. The address names must match the ones defined in the address books (net-cfgr_site1_lan and net-cfgr_site2_lan), otherwise the commit will fail:

set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match source-address net-cfgr_site1_lan
set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match destination-address net-cfgr_site2_lan
set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr then permit
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match source-address net-cfgr_site2_lan
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match destination-address net-cfgr_site1_lan
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match application any
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr then permit

Don't forget to commit your configuration changes. Assuming the commit worked, it is now time to test. Refer to the VPN Cheat sheet to fill in the fields as appropriate.
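The SRX steps above are one procedure, and the course recommends customising the complete script rather than typing each group. As an added example (mine, not part of the training material or the cheat sheet), the Python below generates that script from the cheat-sheet values and first checks the assumptions the course states: public and distinct WAN addresses, non-overlapping LAN subnets and a usable PSK. The object names keep the "-cfgr" suffix from the slides; the class, function and field names are this example's own, and the default external interface fe-0/0/0 is taken from the complete script in the reference section, so change it to your own untrust interface.

```python
"""Generate the SRX side of the site-to-site VPN from cheat-sheet values.

Added example, not part of the training material or the cheat sheet: it emits the
'set' commands the course walks through, after checking the course's stated
assumptions (public, distinct WAN addresses; non-overlapping LANs; a usable PSK).
Field and function names are this example's own; object names use the '-cfgr'
suffix from the slides.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnSite:
    wan_ip: str      # public WAN address of the endpoint
    lan_subnet: str  # LAN behind the endpoint, e.g. "192.168.253.0/24"


def check_assumptions(local: VpnSite, remote: VpnSite, psk: str) -> list:
    """Return the assumption violations found; an empty list means go ahead."""
    problems = []
    lan_local = ipaddress.ip_network(local.lan_subnet, strict=True)
    lan_remote = ipaddress.ip_network(remote.lan_subnet, strict=True)
    if lan_local.overlaps(lan_remote):
        problems.append(f"LAN subnets overlap: {lan_local} and {lan_remote}")
    for label, site in (("local", local), ("remote", remote)):
        if ipaddress.ip_address(site.wan_ip).is_private:
            # A private WAN address means NAT sits between the sites, a common failure cause.
            problems.append(f"{label} WAN address {site.wan_ip} is not public")
    if local.wan_ip == remote.wan_ip:
        problems.append("both endpoints have the same WAN address")
    if not psk or '"' in psk:
        problems.append("PSK is empty or contains a double quote, which breaks the quoted ascii-text argument")
    return problems


def generate_srx_config(local, remote, psk, external_interface="fe-0/0/0",
                        establish="on-traffic", tag="cfgr") -> list:
    """Return the Junos 'set' commands for the SRX endpoint, one per list entry."""
    problems = check_assumptions(local, remote, psk)
    if problems:
        raise ValueError("; ".join(problems))
    site1, site2 = f"net-{tag}_site1_lan", f"net-{tag}_site2_lan"   # local (trust) / remote (VPN)
    ike_prop, ike_pol, ike_gw = f"ike-proposal-{tag}", f"ike-policy-{tag}", f"ike-gate-{tag}"
    ips_prop, ips_pol, vpn = f"ipsec-proposal-{tag}", f"ipsec-policy-{tag}", f"ipsec-vpn-{tag}"
    lines = [
        # Secure tunnel interface, route for the remote LAN, zones and address books
        "set interfaces st0.0 family inet",
        f"set routing-options static route {remote.lan_subnet} next-hop st0.0",
        "set security zones security-zone VPN interfaces st0.0",
        "set security zones security-zone untrust host-inbound-traffic system-services ike",
        f"set security zones security-zone trust address-book address {site1} {local.lan_subnet}",
        f"set security zones security-zone VPN address-book address {site2} {remote.lan_subnet}",
        # Phase 1: IKE proposal, policy (main mode + PSK) and gateway
        f"set security ike proposal {ike_prop} authentication-method pre-shared-keys",
        f"set security ike proposal {ike_prop} encryption-algorithm aes-256-cbc",
        f"set security ike proposal {ike_prop} authentication-algorithm sha1",
        f"set security ike proposal {ike_prop} lifetime-seconds 14400",
        f"set security ike policy {ike_pol} mode main",
        f"set security ike policy {ike_pol} proposals {ike_prop}",
        f'set security ike policy {ike_pol} pre-shared-key ascii-text "{psk}"',
        f"set security ike gateway {ike_gw} ike-policy {ike_pol}",
        f"set security ike gateway {ike_gw} address {remote.wan_ip}",
        f"set security ike gateway {ike_gw} external-interface {external_interface}",
        # Phase 2: IPsec proposal, policy and the VPN bound to st0.0 with proxy IDs
        f"set security ipsec proposal {ips_prop} protocol esp",
        f"set security ipsec proposal {ips_prop} encryption-algorithm aes-256-cbc",
        f"set security ipsec proposal {ips_prop} authentication-algorithm hmac-sha1-96",
        f"set security ipsec proposal {ips_prop} lifetime-seconds 14400",
        f"set security ipsec policy {ips_pol} proposals {ips_prop}",
        f"set security ipsec vpn {vpn} bind-interface st0.0",
        f"set security ipsec vpn {vpn} ike gateway {ike_gw}",
        f"set security ipsec vpn {vpn} ike ipsec-policy {ips_pol}",
        f"set security ipsec vpn {vpn} ike proxy-identity local {local.lan_subnet}",
        f"set security ipsec vpn {vpn} ike proxy-identity remote {remote.lan_subnet}",
        f"set security ipsec vpn {vpn} establish-tunnels {establish}",
    ]
    # Security policies in both directions between zone trust and zone VPN
    for src_zone, dst_zone, pol, src, dst in (
        ("trust", "VPN", f"trust-vpn-{tag}", site1, site2),
        ("VPN", "trust", f"VPN-trust-{tag}", site2, site1),
    ):
        base = f"set security policies from-zone {src_zone} to-zone {dst_zone} policy {pol}"
        lines += [f"{base} match source-address {src}", f"{base} match destination-address {dst}",
                  f"{base} match application any", f"{base} then permit"]
    return lines


if __name__ == "__main__":
    # Values from the course's example sites; the PSK is the slide's placeholder.
    print("\n".join(generate_srx_config(VpnSite("111.111.111.111", "192.168.253.0/24"),
                                        VpnSite("222.222.222.222", "192.168.0.0/24"),
                                        "PRESHARED KEY")))
```

Paste the printed lines into configuration mode and commit; the address-book names the policies reference are generated from the same variables as the address-book entries, so the name mismatch that makes a commit fail cannot creep in.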

When you have configured both the Draytek and the Juniper, it is time to test. A simple ping is the quickest way: from a networked machine behind each tunnel endpoint, try pinging the remote endpoint router's LAN interface. If you do not see a reply, then it is time to run a traceroute to see where the problem is, and to re-check the configuration before troubleshooting further.

You can log in to the Draytek web interface to see if the VPN tunnel is up; the Status should be Online. On the SRX you can run:

show security ipsec security-associations

Total active tunnels: 1
ID       Algorithm          SPI       Life:sec/kb  Mon  vsys  Port  Gateway
<131073  ESP:aes-256/sha1   efc8876b  14212/unlim  -    root  500   222.222.222.222
>131073  ESP:aes-256/sha1   3ab26fd8  14212/unlim  -    root  500   222.222.222.222

A working tunnel shows a pair of SAs, one inbound (<) and one outbound (>). If the tunnel is not up, then it could be a security policy issue or a policy ordering issue.
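Reading the SA table by eye is fine for one tunnel; as an added example (mine, not from the training), the Python below parses the output of show security ipsec security-associations shown above and decides whether the tunnel to a given peer is up, with both directions present and the expected algorithms. The sample text is constructed from the page's own output, and the function names are my own. It also flags an SA on UDP port 4500, which means NAT-T was negotiated, i.e. there is NAT between the sites, one of the common issues listed later.

```python
"""Check 'show security ipsec security-associations' output for a healthy tunnel.

Added example, not part of the training: parses the SA table the SRX prints and
reports whether the expected tunnel is fully up. Function names are this example's own.
"""
import re

# One SA row: direction marker, ID, ESP:enc/auth, SPI, life sec/kb, Mon, vsys, port, gateway.
# Newer Junos prints "14212/ unlim" with a space, so the slash may be followed by whitespace.
SA_ROW = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<proto>\w+):(?P<enc>[\w-]+)/(?P<auth>[\w-]+)"
    r"\s+(?P<spi>[0-9a-fA-F]+)\s+(?P<life_sec>\d+)/\s*(?P<life_kb>\w+)"
    r"\s+(?P<mon>\S+)\s+(?P<vsys>\S+)\s+(?P<port>\d+)\s+(?P<gateway>\S+)\s*$"
)

# Constructed from the output on the slide (two SAs, inbound '<' and outbound '>').
SAMPLE_OUTPUT = """\
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:aes-256/sha1 efc8876b 14212/unlim - root 500 222.222.222.222
>131073 ESP:aes-256/sha1 3ab26fd8 14212/unlim - root 500 222.222.222.222
"""


def parse_sas(text: str) -> list:
    """Return one dict per SA row; the header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            d = m.groupdict()
            d["life_sec"] = int(d["life_sec"])
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def tunnel_status(text: str, gateway: str, enc="aes-256", auth="sha1", min_life=60) -> dict:
    """Decide whether the tunnel to `gateway` is up and list anything worth a look."""
    sas = [s for s in parse_sas(text) if s["gateway"] == gateway]
    dirs = {s["dir"] for s in sas}
    findings = []
    if not sas:
        findings.append(f"no IPsec SA to {gateway}: check IKE SAs, PSK, proposals and proxy IDs")
    elif dirs != {"<", ">"}:
        findings.append("only one direction of the SA pair exists; the tunnel is not usable")
    for s in sas:
        if (s["enc"], s["auth"]) != (enc, auth):
            findings.append(f"SA {s['dir']}{s['id']} uses {s['enc']}/{s['auth']}, expected {enc}/{auth}")
        if s["port"] == 4500:
            # UDP 4500 is IKE/ESP over NAT-T: a NAT device sits between the endpoints.
            findings.append(f"SA {s['dir']}{s['id']} negotiated on UDP 4500: NAT between the sites")
        if s["life_sec"] < min_life:
            findings.append(f"SA {s['dir']}{s['id']} expires in {s['life_sec']}s; rekey imminent")
    return {"up": bool(sas) and dirs == {"<", ">"}, "sas": sas, "findings": findings}


if __name__ == "__main__":
    status = tunnel_status(SAMPLE_OUTPUT, "222.222.222.222")
    print("tunnel up:", status["up"])
    for f in status["findings"]:
        print("-", f)
```

Feed it the real command output (for example from a PuTTY session log) and a non-empty findings list tells you which of the later troubleshooting steps to start with.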

Let's check to see if the WAN interface that we will be using is working. Type:

show interfaces at-1/0/0 terse

You should see:

Interface        Admin  Link  Proto  Local                Remote
at-1/0/0         up     up
at-1/0/0.0       up     up    inet   111.111.111.111  --> 195.100.100.100
at-1/0/0.32767   up     up

The remote address is the ISP next hop for the ADSL module. If you use an Ethernet port for your WAN connection you will see:

Interface        Admin  Link  Proto       Local  Remote
fe-0/0/7         up     up
fe-0/0/7.0       up     up    eth-switch

Let's check to see if the secure tunnel interface is working:

show interfaces st0.0 terse

If you see this error then the secure tunnel is not configured; check the secure tunnel setup (st0.0):

error: device st0.0 not found

You should see something like:

root@router> show interfaces st0.0
Logical interface st0.0 (Index 69) (SNMP ifindex 533)
  Flags: Point-To-Point SNMP-Traps  Encapsulation: Secure-Tunnel
  Input packets : 27149
  Output packets: 32525
  Security: Zone: vpn
  Protocol inet, MTU: 9192
    Flags: Sendbcast-pkt-to-re

Here are some additional commands that should assist with troubleshooting on the SRX:

show security ipsec security-associations
show security ipsec security-associations detail
show security ike security-associations
show security ike security-associations detail
show security ike active-peer

These commands show any IKE/IPSEC security associations, if there are any, and any active peers.

By setting up a syslog server and enabling traceoptions or debug, you can examine the IKE/IPSEC logs to see where the problem may be. Common issues are:

- PSK not the same.
- IKE/IPSEC authentication/encryption methods not matching.
- Local/remote proxy IDs not set.
- Incorrect peer/endpoint IP addresses.
- A router/firewall between the sites stopping the traffic.
- NAT between the local and remote sites.
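Most of the common issues above are one side's settings not mirroring the other's, and the two vendors spell the same algorithms differently (the Draytek's "AES256/SHA1" is the SRX's aes-256-cbc and hmac-sha1-96). As an added example (mine, not from the training), the Python below records both endpoints' parameters as they were entered and reports every mismatch in the list: PSK, IKE mode, algorithms, peer addresses and proxy IDs. The field names, the algorithm-name normalisation rule and the sample endpoints are this example's own; the sample values are constructed from the course's two sites.

```python
"""Cross-check both endpoints' VPN parameters for the mismatches on the troubleshooting slide.

Added example, not part of the training. The Draytek and SRX spell algorithm names
differently, so names are normalised before comparison; the field names and the
normalisation rule are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    wan_ip: str          # this device's own WAN address
    peer_ip: str         # the WAN address it has been given for the other side
    local_net: str       # its local proxy ID / LAN
    remote_net: str      # its remote proxy ID / the other site's LAN
    psk: str
    ike_mode: str        # "main" or "aggressive"
    ike_enc: str
    ike_auth: str
    ipsec_enc: str
    ipsec_auth: str


def norm_alg(name: str) -> str:
    """Reduce vendor spellings to one form: 'aes-256-cbc' and 'AES256' -> 'aes256',
    'hmac-sha1-96' and 'SHA1' -> 'sha1'. A heuristic, not a full vendor mapping table."""
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    n = re.sub(r"^hmac", "", n)
    return re.sub(r"(cbc|96)$", "", n)


def find_mismatches(a: Endpoint, b: Endpoint) -> list:
    """Return human-readable mismatches between the two configurations (empty = consistent)."""
    problems = []
    pairs = [
        ("pre-shared key", a.psk, b.psk),
        ("IKE mode", a.ike_mode.lower(), b.ike_mode.lower()),
        ("IKE encryption", norm_alg(a.ike_enc), norm_alg(b.ike_enc)),
        ("IKE authentication", norm_alg(a.ike_auth), norm_alg(b.ike_auth)),
        ("IPsec encryption", norm_alg(a.ipsec_enc), norm_alg(b.ipsec_enc)),
        ("IPsec authentication", norm_alg(a.ipsec_auth), norm_alg(b.ipsec_auth)),
    ]
    for label, va, vb in pairs:
        if va != vb:
            # Never echo the PSK values themselves into a report or log.
            shown = "(values hidden)" if label == "pre-shared key" else f"{a.name}={va} {b.name}={vb}"
            problems.append(f"{label} differs: {shown}")
    # Cross checks: each side's idea of the peer must be the other side's own value.
    if a.peer_ip != b.wan_ip:
        problems.append(f"{a.name} peer address {a.peer_ip} is not {b.name}'s WAN address {b.wan_ip}")
    if b.peer_ip != a.wan_ip:
        problems.append(f"{b.name} peer address {b.peer_ip} is not {a.name}'s WAN address {a.wan_ip}")
    if a.local_net != b.remote_net or b.local_net != a.remote_net:
        problems.append("proxy IDs do not mirror each other: "
                        f"{a.name} {a.local_net}->{a.remote_net}, {b.name} {b.local_net}->{b.remote_net}")
    return problems


# Constructed from the course's example: the SRX at site 1 and the Draytek at site 2.
SRX = Endpoint("SRX210H", "111.111.111.111", "222.222.222.222", "192.168.253.0/24", "192.168.0.0/24",
               "PRESHARED KEY", "main", "aes-256-cbc", "sha1", "aes-256-cbc", "hmac-sha1-96")
DRAYTEK = Endpoint("Vigor2820", "222.222.222.222", "111.111.111.111", "192.168.0.0/24", "192.168.253.0/24",
                   "PRESHARED KEY", "Main", "AES256", "SHA1", "AES256", "SHA1")

if __name__ == "__main__":
    for problem in find_mismatches(SRX, DRAYTEK) or ["no mismatches found"]:
        print("-", problem)
```

Fill in the two Endpoint records from the cheat sheet as each device was actually configured (not as it was meant to be), and the report lists exactly the fields to correct before enabling debug on either box.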

- If either WAN IP address changes, the tunnel will not be able to establish.
- Some routers only support one IP subnet across the VPN tunnel. If you need additional subnets to be supported, you may need to stick with the same vendor at both ends, as this usually simplifies the setup.
- Some service providers may block IPSEC connections.
- Watch out for MTU issues: the IPSEC encapsulation reduces the maximum packet size and fragmentation can occur.
- If you are using a 3G connection, be aware that the MTU is normally less than 1492 and may require additional configuration changes.

- Some routers/VPN devices limit the length of the PSK.
- Some routers/VPN devices may not allow NETBIOS, multicast or other network protocols to pass through the tunnel. This can cause issues with mapped network drives or other services. You can enable NETBIOS, use WINS, or map drives to IP addresses to help mitigate this problem.
- Look out for devices with incorrect or missing gateway IP addresses configured.

- Set up NTP, or make sure that the system clocks are within a few minutes of each other.
- If you have problems, try a lower level of encryption, as some devices cannot use AES-256.
- Set up logging. SYSLOG is your friend.
- Check for firmware updates, but read the release notes first. Sometimes it pays NOT to upgrade.
- Take vendor VPN throughput figures with a pinch of salt.

- Remember to collate information first
- The Draytek 2820 endpoint configured
- The Juniper SRX endpoint configured
- Testing of tunnels
- Troubleshooting

Thank you for attending this training session. If you have any questions, I would be happy to answer them now. Alternatively, please contact me on john@ilikeit.co.uk

set interfaces st0.0 family inet
set routing-options static route 192.168.0.0/24 next-hop st0.0
set security zones security-zone VPN interfaces st0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust address-book address net-cfgr_site1_lan 192.168.253.0/24
set security zones security-zone VPN address-book address net-cfgr_site2_lan 192.168.0.0/24
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "PRESHARED KEY"
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 222.222.222.222
set security ike gateway ike-gate-cfgr external-interface fe-0/0/0
set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
set security ike proposal ike-proposal-cfgr encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
set security ike proposal ike-proposal-cfgr lifetime-seconds 14400
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.253.0/24
set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.0.0/24
set security ipsec proposal ipsec-proposal-cfgr protocol esp
set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-cfgr lifetime-seconds 14400
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels on-traffic
set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match source-address net-cfgr_site1_lan
set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match destination-address net-cfgr_site2_lan
set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr then permit
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match source-address net-cfgr_site2_lan
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match destination-address net-cfgr_site1_lan
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match application any
set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr then permit

The VPN Cheat sheet can be downloaded from http://www.ilikeit.co.uk/juniper/vpn%20cheat%20sheet%20template.docx

PuTTY can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/

- http://en.wikipedia.org/wiki/internet_key_exchange
- http://en.wikipedia.org/wiki/ipsec
- http://en.wikipedia.org/wiki/diffie%e2%80%93hellman_key_exchange
- http://en.wikipedia.org/wiki/perfect_forward_secrecy
- http://www.juniper.net
- http://www.draytek.com
- http://www.ilikeit.co.uk