Presenter John Baker docs@ilikeit.co.uk
Agenda
  Training Objectives and Overview
  Training Assumptions
  Why?
  Network Design & Information Collation
  Endpoint Setup
  Troubleshooting
  Things to Watch Out For
  Review
  Q&A
  References and Links
Training Objectives and Overview
After completing this short training course you should be able to set up a site-to-site VPN between a Juniper SRX UTM firewall and a third-party VPN endpoint (Draytek). The example used for this training is a tunnel from a Juniper SRX210H to a Draytek 2820 firewall/VPN router. This course does not go into detail on how IPsec/IKE works; please refer to the reference section for links to more detailed information if needed. If you have any questions, please feel free to ask at any time, or wait until the end.
Training Assumptions
  You have administrative/root access to each endpoint.
  You will have a laptop/workstation/server connected to each LAN.
  You are familiar with the concepts of IKE and IPsec.
  Neither endpoint has an existing VPN configured.
  Both devices are fully working and there is a route between them.
  No ports/protocols are blocked between the two routers.
  Both endpoints have public IP addresses on their respective WAN interfaces.
  The two endpoints have different, non-overlapping LAN IP subnets.
  IKE/IPsec will be set up with AES-256/SHA1 and a pre-shared key (PSK).
  The Juniper SRX210H will be configured via the CLI; you should be familiar with the CLI and Junos.
Why?
Even with cloud services, you will still need access to restricted information and assets across multiple sites, and to central applications that make no commercial or financial sense to duplicate in each location. Wireless, UTM, firewall, VPN and WAN (DSL/cable) are all integrated into a single device, which saves money and energy. Some of the larger VPN/firewall vendors charge more for the WAN interface module (DSL) than a smaller vendor charges for a complete device.
Network Design
Local Site
  Model Name: Juniper SRX-210H
  Firmware Version: 12.1R2.9
  WAN IP Address: 111.111.111.111/32
  LAN IP Subnet: 192.168.253.0/24
  Internal ADSL2+ PIM installed
Remote Site
  Model Name: Draytek Vigor2820VN
  Firmware Version: 3.3.7.2_232201
  WAN IP Address: 222.222.222.222/32
  LAN IP Subnet: 192.168.0.0/24
  Inbuilt ADSL2+ modem
Information Collation
It is very important that you collate all of the information needed before you start any configuration. I have designed a cheat sheet document which I fill in with all of the information before I start. By using a sheet like this you will be able to reduce the time taken to deploy and reduce the risk of making a mistake, and you can make it part of your documentation.
Endpoint Setup: Draytek 2820
It does not matter which endpoint you set up first, but I usually set up the remote endpoint first, because its setup is usually less complicated than the main/local site. You will need to be on site to do this, unless you have allowed remote administration via the WAN connection. Connect to the Draytek 2820 using your web browser.
Select the VPN and Remote Access menu option, then select an unused LAN-to-LAN profile.
Enter the profile name and optionally enable the profile. Select IPSEC as the dial-out tunnel type. The Server IP/Hostname field needs the SRX WAN IP address. Select the PSK option for the IKE authentication method, and select High (ESP) AES with Auth for the IPsec security method. Refer to the VPN cheat sheet to fill in the fields as appropriate.
Click on the IKE Pre-Shared Key button and enter the PSK. Please remember that the PSK needs to be exactly the same on both VPN endpoints. Next click on the Advanced button for the IPsec security method and make sure that you select the IKE proposal details correctly. Refer to the VPN cheat sheet to fill in the fields as appropriate.
Select IPSEC as the dial-in tunnel type. The Remote VPN Gateway field needs the SRX WAN IP address. Select the PSK option for the IKE authentication method, and select High (ESP) AES for the IPsec security method. Enter the PSK again. Refer to the VPN cheat sheet to fill in the fields as appropriate.
The remote network IP and mask is the LAN IP range behind the SRX. The local network IP is the Draytek's local LAN range. These need to be correct, as they are used to route traffic across the VPN tunnel and are also used as the local/remote proxy IDs during the IKE setup process. Refer to the VPN cheat sheet to fill in the fields as appropriate.
Please recheck all of the configured fields to make sure that they are correct. Don't forget to enable the profile!
Endpoint Setup: Juniper SRX
The Juniper SRX requires a number of commands to set up the VPN tunnel. You need to define the remote network, set up a route and configure the secure tunnel interface (st0.0). You need to define the IKE and IPsec policies. You also need to define a security policy to allow traffic to/from the VPN tunnel. The easy way to do this is to customise the complete script, which is in the reference section at the end of this training course.
Let's define the secure tunnel interface. From configuration mode:
  set interfaces st0.0 family inet
  set routing-options static route 192.168.0.0/24 next-hop st0.0
This will route any traffic for the remote LAN over the VPN tunnel. Now we need to set up a security zone for the VPN tunnel:
  set security zones security-zone VPN interfaces st0.0
We need to set up the address book for the local and remote networks, in the trust and VPN security zones:
  set security zones security-zone trust address-book address net-cfgr_site1_lan 192.168.253.0/24
  set security zones security-zone VPN address-book address net-cfgr_site2_lan 192.168.0.0/24
We need to make sure that the required service (IKE) is allowed inbound on the untrust security zone:
  set security zones security-zone untrust host-inbound-traffic system-services ike
Refer to the VPN cheat sheet to fill in the fields as appropriate.
Now the configuration of the PSK and IKE mode policy:
  set security ike policy ike-policy-cfgr mode main
  set security ike policy ike-policy-cfgr pre-shared-key ascii-text "PRESHARED KEY"
Please remember to enter the same PSK as on the remote endpoint. Next we need to define the IKE gateway settings and reference the IKE policy:
  set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
  set security ike gateway ike-gate-cfgr address 222.222.222.222
  set security ike gateway ike-gate-cfgr external-interface at-0/0/0
The gateway address is the WAN IP address of the remote (Draytek) VPN appliance. The external interface must be the interface that carries your WAN connection (at-0/0/0 here is the ADSL PIM; use your Ethernet interface name instead if that is your WAN) and must be associated with the untrust security zone. Refer to the VPN cheat sheet to fill in the fields as appropriate.
Now we need to configure the IKE proposal and associate it with the policy:
  set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
  set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
  set security ike proposal ike-proposal-cfgr encryption-algorithm aes-256-cbc
  set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
  set security ike proposal ike-proposal-cfgr lifetime-seconds 14400
Now the IPsec VPN, referencing the IKE gateway and IPsec policy, and bound to the secure tunnel interface st0.0:
  set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
  set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
  set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
Now we need to define the LAN IP ranges of the local and remote sites, which are used as the proxy identities during IKE negotiation:
  set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.253.0/24
  set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.0.0/24
Without these you may not be able to establish the tunnel, as the Draytek sends its local/remote network ranges as proxy IDs and the SRX must offer the mirror image. Refer to the VPN cheat sheet to fill in the fields as appropriate.
Now we need to configure the IPsec proposal and associate it with the IPsec policy:
  set security ipsec proposal ipsec-proposal-cfgr protocol esp
  set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
  set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm aes-256-cbc
  set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
  set security ipsec proposal ipsec-proposal-cfgr lifetime-seconds 14400
Now we need to define how the tunnel is established. If you only want the tunnel to come up when there is traffic from the local to the remote site, choose:
  set security ipsec vpn ipsec-vpn-cfgr establish-tunnels on-traffic
If you want a permanent tunnel, choose:
  set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
Refer to the VPN cheat sheet to fill in the fields as appropriate.
Now we need to configure the security policies to allow traffic in and out between the trust and VPN security zones. The address names must match the address-book entries defined earlier:
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match source-address net-cfgr_site1_lan
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match destination-address net-cfgr_site2_lan
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match application any
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr then permit
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match source-address net-cfgr_site2_lan
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match destination-address net-cfgr_site1_lan
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match application any
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr then permit
Don't forget to commit your configuration changes. Assuming the commit worked, it's now time to test. Refer to the VPN cheat sheet to fill in the fields as appropriate.
Testing
When you have configured both the Draytek and the Juniper, it is time to test. A simple ping is the quickest way: from a networked machine behind each tunnel endpoint, try pinging the LAN interface of the remote endpoint router. If you do not see a reply, then try a traceroute to see where the problem is, re-check the configuration, and then troubleshoot.
You can log in to the Draytek web interface to see if the VPN tunnel is up; the status should be Online. On the SRX you can run:
  show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm        SPI      Life:sec/kb Mon vsys Port Gateway
  <131073 ESP:aes-256/sha1 efc8876b 14212/unlim -   root 500  222.222.222.222
  >131073 ESP:aes-256/sha1 3ab26fd8 14212/unlim -   root 500  222.222.222.222
A healthy tunnel shows one inbound (<) and one outbound (>) SA to the remote gateway with the expected algorithms. If the tunnel is not up, then it could be a security policy issue or a policy-ordering problem.
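Checking that output by eye works for one tunnel; for repeat deployments it helps to script the check. The following example (added for this page, not part of the original deck) parses the SA table format shown above, re-typed as a constructed sample, and reports anything that does not match the expected peer, algorithms and lifetime, including UDP 4500 instead of 500, which indicates NAT traversal was negotiated.

```python
import re

# Output from the deck's testing slide, re-typed here as a constructed sample;
# this checker is example code added for this page, not part of the original deck.
SA_OUTPUT = """\
Total active tunnels: 1
ID      Algorithm        SPI      Life:sec/kb Mon vsys Port Gateway
<131073 ESP:aes-256/sha1 efc8876b 14212/unlim -   root 500  222.222.222.222
>131073 ESP:aes-256/sha1 3ab26fd8 14212/unlim -   root 500  222.222.222.222
"""

# One SA row: direction marker, ID, ESP:<enc>/<auth>, SPI, life, Mon, vsys, port, gateway.
SA_ROW = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<enc>[\w-]+)/(?P<auth>\w+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+(?P<life>\d+)/\S+\s+\S+\s+\S+\s+(?P<port>\d+)\s+"
    r"(?P<gateway>[\d.]+)\s*$"
)

def parse_sas(text):
    """Return one dict per SA row ('<' is inbound, '>' is outbound)."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("id", "life", "port"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def check_tunnel(text, gateway, enc="aes-256", auth="sha1", min_life=60):
    """Return a list of problems; an empty list means the tunnel matches expectations."""
    sas = parse_sas(text)
    problems = []
    seen = {sa["dir"] for sa in sas if sa["gateway"] == gateway}
    for marker, name in (("<", "inbound"), (">", "outbound")):
        if marker not in seen:
            problems.append(f"no {name} SA with {gateway}")
    for sa in sas:
        if sa["gateway"] != gateway:
            problems.append(f"SA {sa['id']} is with unexpected peer {sa['gateway']}")
        if (sa["enc"], sa["auth"]) != (enc, auth):
            problems.append(f"SA {sa['id']} negotiated {sa['enc']}/{sa['auth']}, expected {enc}/{auth}")
        if sa["life"] < min_life:
            problems.append(f"SA {sa['id']} has only {sa['life']}s of lifetime left")
        if sa["port"] == 4500:
            # UDP 4500 means NAT traversal was negotiated: check for NAT between the sites.
            problems.append(f"SA {sa['id']} is using NAT-T (UDP 4500)")
    return problems
```

Feed it the real output captured over SSH (for example via PuTTY) in place of SA_OUTPUT; an empty list from check_tunnel means both SAs are up with the negotiated AES-256/SHA1 to the Draytek's WAN address.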
Troubleshooting
Let's check that the WAN interface we will be using is working. Type:
  show interfaces at-1/0/0 terse
You should see:
  Interface        Admin Link Proto Local            Remote
  at-1/0/0         up    up
  at-1/0/0.0       up    up    inet  111.111.111.111  --> 195.100.100.100
  at-1/0/0.32767   up    up
The remote address is the ISP next hop for the ADSL module. If you use an Ethernet interface for your WAN connection you will see:
  Interface        Admin Link Proto      Local Remote
  fe-0/0/7         up    up
  fe-0/0/7.0       up    up    eth-switch
Let's check that the secure tunnel interface is working:
  show interfaces st0.0 terse
If you see this error then the secure tunnel is not configured; check the secure tunnel setup (st0.0):
  error: device st0.0 not found
Otherwise you should see something like:
  root@router> show interfaces st0.0
    Logical interface st0.0 (Index 69) (SNMP ifindex 533)
      Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
      Input packets : 27149
      Output packets: 32525
      Security: Zone: vpn
      Protocol inet, MTU: 9192
        Flags: Sendbcast-pkt-to-re
Here are some additional commands that should assist with troubleshooting on the SRX:
  show security ipsec security-associations
  show security ipsec security-associations detail
  show security ike security-associations
  show security ike security-associations detail
  show security ike active-peer
These commands will show any IKE/IPsec security associations that exist and any active peers.
By setting up a syslog server and enabling traceoptions or debug, you can examine the IKE/IPsec logs to see where the problem may be. Common issues are:
  PSK not the same on both endpoints.
  IKE/IPsec authentication/encryption methods not matching.
  Local/remote proxy IDs not set.
  Incorrect peer/endpoint IP addresses.
  A router/firewall between the sites stopping the traffic.
  NAT between the local and remote sites.
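Most of the common issues above are mismatches between the two sides of the cheat sheet, so they can be caught before committing the SRX configuration described earlier. The following example (added for this page, not the deck's own script) holds constructed cheat-sheet entries for the two endpoints, with the Draytek's settings normalised to the SRX proposal names, and cross-checks the PSK, proposals, peer addresses, proxy IDs, subnet overlap and public WAN addresses.

```python
import ipaddress

# Constructed cheat-sheet entries for the two endpoints in this deck, normalised to
# the SRX proposal names; example code added for this page, not the deck's own script.
SRX = {
    "wan": "111.111.111.111", "peer": "222.222.222.222", "lan": "192.168.253.0/24",
    "proxy_local": "192.168.253.0/24", "proxy_remote": "192.168.0.0/24",
    "psk": "PRESHARED KEY",  # placeholder from the deck, never a real key
    "ike": ("main", "aes-256-cbc", "sha1"),
    "ipsec": ("esp", "aes-256-cbc", "hmac-sha1-96"),
}
DRAYTEK = {
    "wan": "222.222.222.222", "peer": "111.111.111.111", "lan": "192.168.0.0/24",
    "proxy_local": "192.168.0.0/24", "proxy_remote": "192.168.253.0/24",
    "psk": "PRESHARED KEY",
    "ike": ("main", "aes-256-cbc", "sha1"),
    "ipsec": ("esp", "aes-256-cbc", "hmac-sha1-96"),
}

def cross_check(a, b):
    """Return human-readable mismatches between two endpoints; [] means they agree."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("PSK differs between endpoints")
    if a["ike"] != b["ike"]:
        problems.append(f"IKE proposals differ: {a['ike']} vs {b['ike']}")
    if a["ipsec"] != b["ipsec"]:
        problems.append(f"IPsec proposals differ: {a['ipsec']} vs {b['ipsec']}")
    for side, x, y in (("A", a, b), ("B", b, a)):
        if x["peer"] != y["wan"]:
            problems.append(f"side {side} peer {x['peer']} is not the other WAN {y['wan']}")
        if x["proxy_remote"] != y["proxy_local"]:
            problems.append(f"side {side} remote proxy ID {x['proxy_remote']} "
                            f"does not mirror the peer's local {y['proxy_local']}")
        if x["proxy_local"] != x["lan"]:
            problems.append(f"side {side} local proxy ID {x['proxy_local']} != LAN {x['lan']}")
        if not ipaddress.ip_address(x["wan"]).is_global:
            # A private WAN address means NAT sits between the sites.
            problems.append(f"side {side} WAN {x['wan']} is not a public address")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append(f"LAN subnets {a['lan']} and {b['lan']} overlap")
    return problems
```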
Things to Watch Out For
If either WAN IP address changes, the tunnel will not be able to establish. Some routers only support one IP subnet across the VPN tunnel; if you need additional subnets to be supported, you may want to stick with the same vendor at both ends, as this will usually simplify the setup. Some service providers may block IPsec connections. Watch out for MTU issues, as the IPsec encapsulation reduces the maximum packet size and fragmentation can occur. If you are using a 3G connection, be aware that the MTU is normally less than 1492 and may require additional configuration changes.
Some routers/VPN devices limit the length of the PSK. Some routers/VPN devices may not allow NetBIOS, multicast or other network protocols to pass through the tunnel; this can cause issues with mapped network drives or other services. You can enable NetBIOS over the tunnel, use WINS, or map drives by IP address to help mitigate this problem. Look out for devices with incorrect or missing gateway IP addresses configured.
Set up NTP, or make sure that the system clocks are within a few minutes of each other. If you have problems, try a lower level of encryption, as some devices cannot use AES 256-bit. Set up logging: syslog is your friend. Check for firmware updates, but read the release notes first; sometimes it pays NOT to upgrade. Take vendor VPN throughput figures with a pinch of salt.
Review
  Remember to collate information first
  The Draytek 2820 endpoint configured
  The Juniper SRX endpoint configured
  Testing of tunnels
  Troubleshooting
Q&A
Thank you for attending this training session. If you have any questions, I would be happy to answer them now. Alternatively, please contact me at john@ilikeit.co.uk
References and Links: complete SRX script
  set interfaces st0.0 family inet
  set routing-options static route 192.168.0.0/24 next-hop st0.0
  set security zones security-zone VPN interfaces st0.0
  set security zones security-zone untrust host-inbound-traffic system-services ike
  set security zones security-zone trust address-book address net-cfgr_site1_lan 192.168.253.0/24
  set security zones security-zone VPN address-book address net-cfgr_site2_lan 192.168.0.0/24
  set security ike policy ike-policy-cfgr mode main
  set security ike policy ike-policy-cfgr pre-shared-key ascii-text "PRESHARED KEY"
  set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
  set security ike gateway ike-gate-cfgr address 222.222.222.222
  set security ike gateway ike-gate-cfgr external-interface fe-0/0/0
  set security ike proposal ike-proposal-cfgr authentication-method pre-shared-keys
  set security ike policy ike-policy-cfgr proposals ike-proposal-cfgr
  set security ike proposal ike-proposal-cfgr encryption-algorithm aes-256-cbc
  set security ike proposal ike-proposal-cfgr authentication-algorithm sha1
  set security ike proposal ike-proposal-cfgr lifetime-seconds 14400
  set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
  set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
  set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
  set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.253.0/24
  set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.0.0/24
  set security ipsec proposal ipsec-proposal-cfgr protocol esp
  set security ipsec policy ipsec-policy-cfgr proposals ipsec-proposal-cfgr
  set security ipsec proposal ipsec-proposal-cfgr encryption-algorithm aes-256-cbc
  set security ipsec proposal ipsec-proposal-cfgr authentication-algorithm hmac-sha1-96
  set security ipsec proposal ipsec-proposal-cfgr lifetime-seconds 14400
  set security ipsec vpn ipsec-vpn-cfgr establish-tunnels on-traffic
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match source-address net-cfgr_site1_lan
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match destination-address net-cfgr_site2_lan
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr match application any
  set security policies from-zone trust to-zone VPN policy trust-vpn-cfgr then permit
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match source-address net-cfgr_site2_lan
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match destination-address net-cfgr_site1_lan
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr match application any
  set security policies from-zone VPN to-zone trust policy VPN-trust-cfgr then permit
References and Links
  The VPN cheat sheet can be downloaded from http://www.ilikeit.co.uk/juniper/vpn%20cheat%20sheet%20template.docx
  PuTTY can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/
  http://en.wikipedia.org/wiki/internet_key_exchange
  http://en.wikipedia.org/wiki/ipsec
  http://en.wikipedia.org/wiki/diffie%e2%80%93hellman_key_exchange
  http://en.wikipedia.org/wiki/perfect_forward_secrecy
  http://www.juniper.net
  http://www.draytek.com
  http://www.ilikeit.co.uk