
Configuring Hub-and-Spoke VPNs

If you create two VPN tunnels that terminate at a device, you can set up a pair of routes so that the device directs traffic exiting one tunnel into the other tunnel. If both tunnels are contained within a single zone, you do not need to create a policy to permit the traffic to pass from one tunnel to the other; you only need to define the routes. Such an arrangement is known as a hub-and-spoke VPN.

You can also configure multiple VPNs and route traffic between any two tunnels. For more information on IPsec tunnels and global VPNs, see Understanding IKE and IPsec Packet Processing and Virtual Private Networks (VPNs) Overview.

Note: SRX Series devices support only the route-based hub-and-spoke feature.

Figure 65: Multiple Tunnels in a Hub-and-Spoke VPN Configuration



Creating Hub-and-Spoke VPNs

For the hub router to be able to distinguish between packets going to and coming from the spoke routers, you must configure it with two routing instances.

In this example, there are two spokes (First and Third) and the configuration is for route-based VPNs. Use the following procedures to configure the hub and the two spokes:

Configuring the IPsec Tunnel on the Hub

The following procedure lists the order in which you must configure an IPsec tunnel by using the CLI configuration editor:

  1. Phase 1

    1. When configuring Phase 1 of an IPsec tunnel using IKE, you must first configure proposals. In Phase 1 proposal configuration, set the authentication method and the authentication and encryption algorithms that will be used to open a secure channel between participants. In this example, you create two proposals, first_ikeprop and third_ikeprop, specify preshared keys as the authentication method, and specify Diffie-Hellman group 2 to produce the shared secret for the keys. You specify md5 as the authentication algorithm and 3DES cipher block chaining (CBC) for encryption.

      Note: When configuring a Phase 1 proposal for the dynamic VPN feature, note that you must set the authentication method to preshared keys.

      Configure IKE Phase 1 proposals:

      user@host# set security ike proposal first_ikeprop authentication-method pre-shared-keys
      user@host# set security ike proposal first_ikeprop dh-group group2
      user@host# set security ike proposal first_ikeprop authentication-algorithm md5
      user@host# set security ike proposal first_ikeprop encryption-algorithm 3des-cbc
      user@host# set security ike proposal third_ikeprop authentication-method pre-shared-keys
      user@host# set security ike proposal third_ikeprop dh-group group2
      user@host# set security ike proposal third_ikeprop authentication-algorithm md5
      user@host# set security ike proposal third_ikeprop encryption-algorithm 3des-cbc
    2. When configuring Phase 1 of an IPsec tunnel using IKE, you first configure proposals, then policies. During policy configuration, you must set the mode in which the Phase 1 channel will be negotiated, specify the type of key exchange to be used, and reference the Phase 1 proposal. In this example, you create two policies called first_ikepol and third_ikepol, set the negotiation mode (main mode in the commands that follow), and reference the proposals called first_ikeprop and third_ikeprop. You specify that the preshared key is of type ASCII text, and enter the key.

      Configure IKE policies (and reference the proposals):

      user@host# set security ike policy first_ikepol mode main
      user@host# set security ike policy first_ikepol proposals first_ikeprop
      user@host# set security ike policy first_ikepol pre-shared-key ascii-text "$9$xFU-b2ZUH5Qn4aQn/CB17-V"
      user@host# set security ike policy third_ikepol mode main
      user@host# set security ike policy third_ikepol proposals third_ikeprop
      user@host# set security ike policy third_ikepol pre-shared-key ascii-text "$9$GvjkPFnCBIc5QIcylLXUjH"
    3. When configuring Phase 1 of an IPsec tunnel using IKE, you first configure proposals, then policies, and finally you configure the gateway. When creating the gateway, you must reference the Phase 1 policies. In this example, you create two IKE gateways (named first and third in the commands that follow), reference the policies first_ikepol and third_ikepol, and configure the peer IP address and the external interface for each gateway.

      Configure IKE gateway (and reference the policy):

      user@host# set security ike gateway first ike-policy first_ikepol
      user@host# set security ike gateway first address 4.4.4.2
      user@host# set security ike gateway first external-interface ge-0/0/0.0
      user@host# set security ike gateway third ike-policy third_ikepol
      user@host# set security ike gateway third address 2.2.2.1
      user@host# set security ike gateway third external-interface ge-0/0/3.0
  2. Phase 2

    1. When configuring Phase 2 of an IPsec tunnel, you first configure proposals. In Phase 2 proposal configuration, you must create proposals for the two spokes, specify a security protocol, and select authentication and encryption algorithms for the traffic that will flow through the tunnel. In this example, you create proposals called first_ipsecprop and third_ipsecprop, set hmac-md5-96 as the authentication algorithm, and 3des-cbc as the encryption algorithm.

      Configure Phase 2 proposals:

      user@host# set security ipsec proposal first_ipsecprop protocol esp
      user@host# set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
      user@host# set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
      user@host# set security ipsec proposal third_ipsecprop protocol esp
      user@host# set security ipsec proposal third_ipsecprop authentication-algorithm hmac-md5-96
      user@host# set security ipsec proposal third_ipsecprop encryption-algorithm 3des-cbc
    2. When configuring Phase 2 of an IPsec tunnel, you first configure proposals, then policies. In Phase 2 IPsec policy configuration, you must create policies and reference the Phase 2 proposals. In this example, you create two policies called first_ipsecpol and third_ipsecpol and reference the proposals first_ipsecprop and third_ipsecprop.

      Configure policies (and reference proposals):

      user@host# set security ipsec policy first_ipsecpol perfect-forward-secrecy keys group1
      user@host# set security ipsec policy first_ipsecpol proposals first_ipsecprop
      user@host# set security ipsec policy third_ipsecpol perfect-forward-secrecy keys group1
      user@host# set security ipsec policy third_ipsecpol proposals third_ipsecprop
    3. When configuring Phase 2 of an IPsec tunnel, you first configure proposals, then policies, and finally you configure IPsec AutoKey (IKE). In Phase 2 IPsec AutoKey configuration, you must create a VPN tunnel name, specify a gateway, and reference a Phase 2 policy. For route mode, you must bind the tunnel to an interface. In this example, you create VPN tunnels named first_vpn and third_vpn and bind both to interface st0.0, specify the gateways first and third for the tunnels, and reference the IPsec policies first_ipsecpol and third_ipsecpol.

      Configure IPsec Autokey IKE (and reference the policy and gateway):

      user@host# set security ipsec vpn first_vpn bind-interface st0.0
      user@host# set security ipsec vpn first_vpn ike gateway first
      user@host# set security ipsec vpn first_vpn ike ipsec-policy first_ipsecpol
      user@host# set security ipsec vpn first_vpn establish-tunnels immediately
      user@host# set security ipsec vpn third_vpn bind-interface st0.0
      user@host# set security ipsec vpn third_vpn ike gateway third
      user@host# set security ipsec vpn third_vpn ike ipsec-policy third_ipsecpol
      user@host# set security ipsec vpn third_vpn establish-tunnels immediately

In addition to configuring the tunnel settings, you also need to configure a global policy and routing options, and to enable Next Hop Tunnel Binding (NHTB), because both tunnels are bound to the same st0.0 interface.

Configuring Spoke 1

After you have configured the hub, you configure the spokes. Follow the same process to configure spoke First. When configuring Phase 1, you first configure proposals, then policies, and finally you configure the gateway.

  1. Phase 1

    1. Configure IKE Phase 1 proposals:
      user@host# set security ike proposal ike_prop authentication-method pre-shared-keys
      user@host# set security ike proposal ike_prop dh-group group2
      user@host# set security ike proposal ike_prop authentication-algorithm md5
      user@host# set security ike proposal ike_prop encryption-algorithm 3des-cbc
    2. Configure IKE policies (and reference the proposals):
      user@host# set security ike policy ike_pol mode main
      user@host# set security ike policy ike_pol proposals ike_prop
      user@host# set security ike policy ike_pol pre-shared-key ascii-text "$9$vA38xd24Zk.5bs.5QFAtM8X"
    3. Configure IKE gateway (and reference the policy):
      user@host# set security ike gateway first ike-policy ike_pol
      user@host# set security ike gateway first address 4.4.4.1
      user@host# set security ike gateway first external-interface fe-2/0/0.0
  2. Phase 2

    1. Configure Phase 2 proposals:
      user@host# set security ipsec proposal ipsec_prop protocol esp
      user@host# set security ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
      user@host# set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc
    2. Configure policies (and reference proposals):
      user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group1
      user@host# set security ipsec policy ipsec_pol proposals ipsec_prop
    3. Configure IPsec Autokey IKE (and reference the policy and gateway):
      user@host# set security ipsec vpn first_vpn bind-interface st0.0
      user@host# set security ipsec vpn first_vpn ike gateway first
      user@host# set security ipsec vpn first_vpn ike ipsec-policy ipsec_pol
  3. Configure Security Policy
    user@host# set security policies default-policy permit-all
  4. Configure Routing Options
    user@host# set routing-options static route 1.1.1.0/24 next-hop 7.7.7.1

Configuring Spoke 2

  1. Phase 1

    1. Configure IKE Phase 1 proposals:
      user@host# set security ike proposal ike_prop authentication-method pre-shared-keys
      user@host# set security ike proposal ike_prop dh-group group2
      user@host# set security ike proposal ike_prop authentication-algorithm md5
      user@host# set security ike proposal ike_prop encryption-algorithm 3des-cbc
    2. Configure IKE policies (and reference the proposals):
      user@host# set security ike policy ike_pol mode main
      user@host# set security ike policy ike_pol proposals ike_prop
      user@host# set security ike policy ike_pol pre-shared-key ascii-text "$9$JrUi.QF/0BEP5BEcyW8ZUj"
    3. Configure IKE gateway (and reference the policy):
      user@host# set security ike gateway third ike-policy ike_pol
      user@host# set security ike gateway third address 2.2.2.2
      user@host# set security ike gateway third external-interface ge-0/0/3.0
  2. Phase 2

    1. Configure Phase 2 proposals:
      user@host# set security ipsec proposal ipsec_prop protocol esp
      user@host# set security ipsec proposal ipsec_prop authentication-algorithm hmac-md5-96
      user@host# set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc
    2. Configure policies (and reference proposals):
      user@host# set security ipsec policy ipsec_pol perfect-forward-secrecy keys group1
      user@host# set security ipsec policy ipsec_pol proposals ipsec_prop
    3. Configure IPsec Autokey IKE (and reference the policy and gateway):
      user@host# set security ipsec vpn third_vpn bind-interface st0.0
      user@host# set security ipsec vpn third_vpn ike gateway third
      user@host# set security ipsec vpn third_vpn ike ipsec-policy ipsec_pol
  3. Configure Security Policy
    user@host# set security policies default-policy permit-all
  4. Configure Routing Options
    user@host# set routing-options static route 3.1.1.0/24 next-hop 7.7.7.1
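The hub and spoke procedures above build a chain of references (IKE proposal, IKE policy, IKE gateway, IPsec proposal, IPsec policy, VPN), and a tunnel that names a gateway or policy that was never defined will not come up. The following linter is an added example written for this page, not Juniper software or any Junos command: it parses `set security ike|ipsec ...` lines, checks that every reference resolves, flags several VPNs bound to one st0 unit (the hub case that needs NHTB), and reports the algorithm choices used in this example as advisories. The sample configuration is constructed from the hub commands above with one deliberately dangling reference (a VPN pointing at a gateway named gate) so that the reference check has something to report; the list of values treated as weak is this example's assumption, not something the page states.

```python
"""Consistency linter for a Junos hub-and-spoke VPN configuration.

Added example, not Juniper code. Parses `set security ...` lines and
checks that every reference (policy -> proposal, gateway -> policy,
vpn -> gateway/policy) resolves, then adds advisories for shared st0
units and for algorithm values the example treats as weak.
"""
import re
from collections import defaultdict

# Constructed sample: the hub's commands from the page, reduced to the
# lines the checks need, plus one deliberately dangling reference
# (third_vpn -> gateway "gate") so the reference check fires.
SAMPLE_HUB = """\
user@host# set security ike proposal first_ikeprop authentication-method pre-shared-keys
user@host# set security ike proposal first_ikeprop dh-group group2
user@host# set security ike proposal first_ikeprop authentication-algorithm md5
user@host# set security ike proposal first_ikeprop encryption-algorithm 3des-cbc
user@host# set security ike policy first_ikepol mode main
user@host# set security ike policy first_ikepol proposals first_ikeprop
user@host# set security ike gateway first ike-policy first_ikepol
user@host# set security ike gateway first address 4.4.4.2
user@host# set security ipsec proposal first_ipsecprop protocol esp
user@host# set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
user@host# set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
user@host# set security ipsec policy first_ipsecpol perfect-forward-secrecy keys group1
user@host# set security ipsec policy first_ipsecpol proposals first_ipsecprop
user@host# set security ipsec vpn first_vpn bind-interface st0.0
user@host# set security ipsec vpn first_vpn ike gateway first
user@host# set security ipsec vpn first_vpn ike ipsec-policy first_ipsecpol
user@host# set security ipsec vpn third_vpn bind-interface st0.0
user@host# set security ipsec vpn third_vpn ike gateway gate
user@host# set security ipsec vpn third_vpn ike ipsec-policy first_ipsecpol
"""

# Optional "user@host#" prompt, then the object path and its attributes.
SET_RE = re.compile(
    r"^(?:\S+#\s+)?set security (ike|ipsec) (proposal|policy|gateway|vpn) (\S+) (.+)$"
)

# For each object kind: which attribute references which other kind.
REFERENCES = {
    ("ike", "policy"):   [("proposals", ("ike", "proposal"))],
    ("ike", "gateway"):  [("ike-policy", ("ike", "policy"))],
    ("ipsec", "policy"): [("proposals", ("ipsec", "proposal"))],
    ("ipsec", "vpn"):    [("ike gateway", ("ike", "gateway")),
                          ("ike ipsec-policy", ("ipsec", "policy"))],
}

# Assumption of this example: values reported as advisories, not errors.
WEAK_VALUES = {"md5", "hmac-md5-96", "3des-cbc", "group1", "group2"}


def parse(config_text):
    """Map (stack, kind, name) -> {attribute: value} from `set` lines.

    The last token of a line is the value; the tokens between the object
    name and the value form the attribute path (e.g. "ike gateway").
    """
    objs = defaultdict(dict)
    for raw in config_text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        stack, kind, name, rest = m.groups()
        tokens = rest.split()
        attr, value = " ".join(tokens[:-1]), tokens[-1]
        objs[(stack, kind, name)][attr] = value
    return dict(objs)


def lint(config_text):
    """Return (errors, advisories) for one device's VPN configuration."""
    objs = parse(config_text)
    defined = defaultdict(set)
    for stack, kind, name in objs:
        defined[(stack, kind)].add(name)

    errors, advisories = [], []
    for (stack, kind, name), attrs in objs.items():
        for attr, target in REFERENCES.get((stack, kind), []):
            ref = attrs.get(attr)
            if ref is None:
                errors.append(f"{stack} {kind} {name}: missing '{attr}'")
            elif ref not in defined[target]:
                errors.append(f"{stack} {kind} {name}: '{attr}' refers to "
                              f"undefined {target[0]} {target[1]} '{ref}'")
        for attr, value in attrs.items():
            if value in WEAK_VALUES:
                advisories.append(f"{stack} {kind} {name}: {attr} {value} is weak")

    # Several VPNs on one st0 unit is the hub case that needs NHTB.
    by_unit = defaultdict(list)
    for (stack, kind, name), attrs in objs.items():
        if (stack, kind) == ("ipsec", "vpn") and "bind-interface" in attrs:
            by_unit[attrs["bind-interface"]].append(name)
    for unit, vpns in by_unit.items():
        if len(vpns) > 1:
            advisories.append(f"{unit} bound by {sorted(vpns)}: requires NHTB/multipoint")
    return errors, advisories


if __name__ == "__main__":
    errs, advs = lint(SAMPLE_HUB)
    for line in errs:
        print("ERROR   ", line)
    for line in advs:
        print("ADVISORY", line)
```

Running the block on the sample reports one error (third_vpn refers to the undefined gateway gate), one NHTB advisory for st0.0, and one advisory per md5, hmac-md5-96, 3des-cbc and Diffie-Hellman group value. The same parser accepts a spoke's commands unchanged, since the prompt prefix is optional and only the `security ike` and `security ipsec` hierarchies are inspected.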
