Configuring VPN on a Device Running Junos OS
This section describes sample configurations of an IPsec VPN on a Junos OS device using the following IKE authentication methods:
Configuring an IPsec VPN with a Preshared Key for IKE Authentication
Configuring an IPsec VPN with an RSA Signature for IKE Authentication
Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication
Figure 1 illustrates the VPN topology used in all the examples described in this section. Here, H0 and H1 are the host PCs, R0 and R2 are the two endpoints of the IPsec VPN tunnel, and R1 is a router to route traffic between the two different networks.
The router R1 can be a Linux-based router, a Juniper Networks device, or any other vendor router.
Table 1 provides a complete list of the supported IKE protocols, tunnel modes, Phase 1 negotiation mode, authentication method or algorithm, encryption algorithm, DH groups supported for the IKE authentication and encryption (Phase1, IKE Proposal), and for IPsec authentication and encryption (Phase2, IPsec Proposal). The listed protocols, modes, and algorithms are supported and required for 20.2R1 Common Criteria.
Table 1: VPN Combination Matrix
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 1 Proposal (P1, IKE) | |||
|---|---|---|---|---|---|---|
Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm | |||
IKEv1 | Main | Route | pre-shared-keys | sha-256 | group14 | 3des-cbc |
IKEv2 | rsa-signatures-2048 | sha-384 | group19 | aes-128-cbc | ||
ecdsa-signatures-256 | group20 | aes-128-gcm | ||||
ecdsa-signatures-384 | group24 | aes-192-cbc | ||||
aes-256-cbc | ||||||
aes-256-gcm | ||||||
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 2 Proposal (P2, IPsec) | |||
|---|---|---|---|---|---|---|
Authentication Algorithm | DH Group (PFS) | Encryption Method | Encryption Algorithm | |||
IKEv1 | Main | Route | hmac-sha1-96 | group14 | ESP | 3des-cbc |
IKEv2 | hmac-sha-256-128 | group19 | aes-128-cbc | |||
group20 | aes-128-gcm | |||||
group24 | aes-192-cbc | |||||
aes-192-gcm | ||||||
aes-256-cbc | ||||||
aes-256-gcm | ||||||
The following sections provide sample configurations of IKEv1 IPsec VPN examples for selected algorithms. Authentication algorithms can be replaced in the configurations to accomplish the user’s desired configurations. Use set security ike gateway <gw-name> version v2-only command for IKEv2 IPsec VPN.
Configuring an IPsec VPN with a Preshared Key for IKE Authentication
In this section, you configure devices running Junos OS for IPsec VPN using a preshared key as the IKE authentication method. The algorithms used in IKE or IPsec authentication or encryption is shown in Table 2
Table 2: IKE or IPsec Authentication
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 1 Proposal (P1, IKE) | |||
|---|---|---|---|---|---|---|
Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm | |||
IKEv1 | Main | Route | pre-shared-keys | sha-256 | group14 | aes-256-cbc |
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 2 Proposal (P2, IPsec) | |||
|---|---|---|---|---|---|---|
Authentication Algorithm | DH Group (PFS) | Encryption Method | Encryption Algorithm | |||
IKEv1 | Main | Route | hmac-sha-256-128 | group14 | ESP | aes-256-cbc |
A device running Junos OS uses certificate-based authentication or preshared keys for IPsec. TOE accepts ASCII preshared or bit-based keys up to 255 characters (and their binary equivalents) that contain uppercase and lowercase letters, numbers, and special characters such as !, @, #, $, %, ^, &, *, (, and ). The device accepts the preshared text keys and converts the text string into an authentication value as per RFC 2409 for IKEv1 or RFC 4306 for IKEv2, using the PRF that is configured as the hash algorithm for the IKE exchanges. The Junos OS does not impose minimum complexity requirements for preshared keys. Hence, users are advised to carefully choose long preshared keys of sufficient complexity.
Configuring IPsec VPN with Preshared Key as IKE Authentication on the Initiator
To configure the IPsec VPN with preshared key IKE authentication on the initiator:
- Configure the IKE proposal.[edit security ike]user@host# set proposal ike-proposal1 authentication-method pre-shared-keysuser@host# set proposal ike-proposal1 dh-group group14user@host# set proposal ike-proposal1 authentication-algorithm sha256user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc
Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.
- Configure the IKE policy.[edit]user@host# set security ike policy ike-policy1 mode mainuser@host# set security ike policy ike-policy1 proposals ike-proposal1Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-textNew ascii-text (secret):Retype new ascii-text (secret):You must enter and reenter the preshared key when prompted. For example, the preshared key can be CertSqa@jnpr2014.The preshared key can alternatively be entered in hexadecimal format. For example:[edit]root@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimalNew hexadecimal (secret):Retype new hexadecimal (secret):Enter the hexadecimal preshared key value.
- Configure the IPsec proposal.[edit security ipsec]user@host# set security proposal ipsec-proposal1 protocol espuser@host# set security proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128user@host# set security proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure the IPsec policy.[edit security ipsec]user@host# set security policy ipsec-policy1 perfect-forward-secrecy keys group14user@host# set security policy ipsec-policy1 proposals ipsec-proposal1
Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure the IKE.[edit security ike]user@host# set gateway gw1 ike-policy ike-policy1user@host# set gateway gw1 address 192.0.2.8user@host# set gateway gw1 local-identity inet 192.0.2.5user@host# set gateway gw1 external-interface ge-0/0/2
Here, gw1 is an IKE gateway name, 192.0.2.8 is the peer VPN endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and ge-0/0/2 is a local outbound interface as the VPN endpoint. The following additional configuration is also needed in the case of IKEv2
[edit security ike]user@host# set gateway gw1 version v2-only - Configure the VPN.[edit]user@host# set security ipsec vpn vpn1 ike gateway gw1user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1user@host# set security ipsec vpn vpn1 bind-interface st0.0user@host# set routing-options static route 192.0.2.10/24 qualified-next-hop st0.0 preference 1
Here, vpn1 is the VPN tunnel name given by the authorized administrator.
- Configure the outbound flow policies.[edit security policies]user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match application anyuser@host# set from-zone trustZone to-zone untrustZone policy policy1 then permituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-inituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then session-close
Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Configure the inbound flow policies.[edit security policies]user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close
Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Commit your configuration.user@host# commit
Configuring IPsec VPN with Preshared Key as IKE Authentication on the Responder
To configure the IPsec VPN with preshared key IKE authentication on the responder:
- Configure the IKE proposal.[edit security ike]user@host# set proposal ike-proposal1 authentication-method pre-shared-keysuser@host# set proposal ike-proposal1 dh-group group14user@host# set proposal ike-proposal1 authentication-algorithm sha256user@host# set proposal ike-proposal1 encryption-algorithm 3des-cbc
Note Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.
- Configure the IKE policy.[edit]user@host# set security ike policy ike-policy1 mode mainuser@host# set security ike policy ike-policy1 proposals ike-proposal1Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-textNew ascii-text (secret):Retype new ascii-text (secret):You must enter and reenter the preshared key when prompted. For example, the preshared key can be CertSqa@jnpr2014.The pre-share key could alternatively be entered in hexadecimal format. For example,user@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimalNew hexadecimal (secret):Retype new hexadecimal (secret):Here, the hexadecimal preshared key can be cc2014bae9876543.
- Configure the IPsec proposal.[edit security ipsec]user@host# set proposal ipsec-proposal1 protocol espuser@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128user@host# set proposal ipsec-proposal1 encryption-algorithm 3des-cbc
Note Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure the IPsec policy.[edit security ipsec]user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14user@host# set policy ipsec-policy1 proposals ipsec-proposal1
Note Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure the IKE.[edit security ike]user@host# set gateway gw1 ike-policy ike-policy1user@host# set gateway gw1 address 192.0.2.5user@host# set gateway gw1 local-identity inet 192.0.2.8user@host# set gateway gw1 external-interface ge-0/0/2
Note Here, gw1 is an IKE gateway name, 192.0.2.5 is the peer VPN endpoint IP, 192.0.2.8 is the local VPN endpoint IP, and ge-0/0/2 is a local outbound interface as the VPN endpoint. The following additional configuration is also needed in the case of IKEv2.
[edit security ike]user@host# set gateway gw1 version v2-only - Configure the VPN.[edit]user@host# set security ipsec vpn vpn1 ike gateway gw1user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1user@host# set security ipsec vpn vpn1 bind-interface st0.0user@host# set routing-options static route 192.0.2.7/24 qualified-next-hop st0.0 preference 1
Note Here, vpn1 is the VPN tunnel name given by the authorized administrator.
- Configure the outbound flow policies.[edit security policies]user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match application anyuser@host# set from-zone trustZone to-zone untrustZone policy policy1 then permituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-inituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then session-close
Note Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Configure the inbound flow policies.[edit security policies]user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close
Note Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Commit your configuration.user@host# commit
Configuring an IPsec VPN with an RSA Signature for IKE Authentication
The following section provides an example to configure Junos OS devices for IPsec VPN using RSA Signature as IKE Authentication method, whereas, the algorithms used in IKE/IPsec authentication/encryption is as shown in the following table. In this section, you configure devices running Junos OS for IPsec VPN using an RSA signature as the IKE authentication method. The algorithms used in IKE or IPsec authentication or encryption is shown in Table 3.
Table 3: IKE/IPsec Authentication and Encryption
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 1 Proposal (P1, IKE) | |||
|---|---|---|---|---|---|---|
Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm | |||
IKEv1 | Main | Route | rsa-signatures-2048 | sha-256 | group19 | aes-128-cbc |
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 2 Proposal (P2, IPsec) | |||
|---|---|---|---|---|---|---|
Authentication Algorithm | DH Group (PFS) | Encryption Method | Encryption Algorithm | |||
IKEv1 | Main | Route | hmac-sha-256-128 | group19 | ESP | aes-128-cbc |
Configuring IPsec VPN with RSA Signature as IKE Authentication on the Initiator or Responder
To configure the IPsec VPN with RSA signature IKE authentication on the initiator:
- Configure the PKI. See Example: Configuring PKI.
- Generate the RSA key pair. See Example: Generating a Public-Private Key Pair.
- Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.
- Load the CRL. See Example: Manually Loading a CRL onto the Device .
- Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.
- Configure the IKE proposal.[edit security ike]user@host# set proposal ike-proposal1 authentication-method rsa-signaturesuser@host# set proposal ike-proposal1 dh-group group19user@host# set proposal ike-proposal1 authentication-algorithm sha-256user@host# set proposal ike-proposal1 encryption-algorithm aes-128-cbc
Note Here, ike-proposal1 is the name given by the authorized administrator.
- Configure the IKE policy.[edit security ike]user@host# set policy ike-policy1 mode mainuser@host# set policy ike-policy1 proposals ike-proposal1user@host# set policy ike-policy1 certificate local-certificate cert1
Note Here, ike-policy1 IKE policy name given by the authorized administrator.
- Configure the IPsec proposal.[edit security ipsec]user@host# set proposal ipsec-proposal1 protocol espuser@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128user@host# set proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
Note Here, ipsec-proposal1 is the name given by the authorized administrator.
- Configure the IPsec policy.[edit security ipsec]user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group19user@host# set policy ipsec-policy1 proposals ipsec-proposal1
Note Here, ipsec-policy1 is the name given by the authorized administrator.
- Configure the IKE.[edit security ike]user@host# set gateway gw1 ike-policy ike-policy1user@host# set gateway gw1 address 192.0.2.8user@host# set gateway gw1 local-identity inet 192.0.2.5user@host# set gateway gw1 external-interface fe-0/0/1
Note Here, 192.0.2.8 is the peer VPN endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and fe-0/0/1 is the local outbound interface as VPN endpoint. The following configuration is also needed for IKEv2.
[edit security ike]user@host# set gateway gw1 version v2-only - Configure VPN.[edit security ipsec]user@host# set vpn vpn1 ike gateway gw1user@host# set vpn vpn1 ike ipsec-policy ipsec-policy1user@host# set vpn vpn1 bind-interface st0.0
Note Here, vpn1 is the VPN tunnel name given by the authorized administrator.
[edit]user@host# set routing-options static route 192.0.2.10/24 qualified-next-hop st0.0 preference 1 - Configure the outbound flow policies.[edit security policies]user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match application anyuser@host# set from-zone trustZone to-zone untrustZone policy policy1 then permituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-inituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Note Here, trustZone and untrustZone are preconfigured security zone and trustLan and untrustLan are preconfigured network addresses.
- Configure the inbound flow policies.[edit security policies]user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close
Note Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Commit the configuration.[edit]user@host# commit
Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication
In this section, you configure devices running Junos OS for IPsec VPN using an ECDSA signature as the IKE authentication method. The algorithms used in IKE or IPsec authentication or encryption are shown in Table 4.
Table 4: IKE or IPsec Authentication and Encryption
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 1 Proposal (P1, IKE) | |||
|---|---|---|---|---|---|---|
Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm | |||
IKEv1 | Main | Route | ecdsa-signatures-256 | sha-384 | group14 | aes-256-cbc |
IKE Protocol | Tunnel Mode | Phase1 Negotiation Mode | Phase 2 Proposal (P2, IPsec) | |||
|---|---|---|---|---|---|---|
Authentication Algorithm | DH Group (PFS) | Encryption Method | Encryption Algorithm | |||
IKEv1 | Main | Route | No Algorithm | group14 | ESP | aes-256-gcm |
Configuring IPsec VPN with ECDSA signature IKE authentication on the Initiator
To configure the IPsec VPN with ECDSA signature IKE authentication on the initiator:
- Configure the PKI. See, Example: Configuring PKI.
- Generate the ECDSA key pair. See Example: Generating a Public-Private Key Pair.
- Generate and load CA certificate. See Example: Loading CA and Local Certificates Manually.
- Load CRL. See Example: Manually Loading a CRL onto the Device .
- Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.
- Configure the IKE proposal.[edit security ike]user@host# set proposal ike-proposal1 authentication-method ecdsa-signatures-256user@host# set proposal ike-proposal1 dh-group group14user@host# set proposal ike-proposal1 authentication-algorithm sha-384user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc
Note Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.
- Configure the IKE policy.[edit security ike]user@host# set policy ike-policy1 mode mainuser@host# set policy ike-policy1 proposals ike-proposal1user@host# set policy ike-policy1 certificate local-certificate cert1
- Configure the IPsec proposal.[edit security ipsec]user@host# set proposal ipsec-proposal1 protocol espuser@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-gcm
Note Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure the IPsec policy.[edit security ipsec]user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14user@host# set policy ipsec-policy1 proposals ipsec-proposal1
Note Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure IKE.[edit security ike]user@host# set gateway gw1 ike-policy ike-policy1user@host# set gateway gw1 address 192.0.2.8user@host# set gateway gw1 local-identity inet 192.0.2.5user@host# set gateway gw1 external-interface ge-0/0/2
Note Here, gw1 is an IKE gateway name, 192.0.2.8 is the peer VPN endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and ge-0/0/2 is a local outbound interface as the VPN endpoint. The following configuration is also needed for IKEv2.
[edit security ike]user@host# set gateway gw1 version v2-only - Configure the VPN.[edit]user@host# set security ipsec vpn vpn1 ike gateway gw1user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1user@host# set security ipsec vpn vpn1 bind-interface st0.0user@host# set routing-options static route 192.0.2.10/24 qualified-next-hop st0.0 preference 1
Note Here, vpn1 is the VPN tunnel name given by the authorized administrator.
- Configure the outbound flow policies.[edit security policies]user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match application anyuser@host# set from-zone trustZone to-zone untrustZone policy policy1 then permituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-inituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Note Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Configure the inbound flow policies.[edit security policies]user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close
Note Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Commit your configuration.user@host# commit
Configuring IPsec VPN with ECDSA signature IKE authentication on the Responder
To configure IPsec VPN with ECDSA signature IKE authentication on the responder:
- Configure the PKI. See, Example: Configuring PKI.
- Generate the ECDSA key pair. See Example: Generating a Public-Private Key Pair.
- Generate and load CA certificate. See Example: Loading CA and Local Certificates Manually.
- Load the CRL. See Example: Manually Loading a CRL onto the Device .
- Configure the IKE proposal.[edit security ike]user@host# set proposal ike-proposal1 authentication-method ecdsa-signatures-256user@host# set proposal ike-proposal1 dh-group group14user@host# set proposal ike-proposal1 authentication-algorithm sha-384user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc
Note Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.
- Configure the IKE policy.[edit security ike]user@host# set policy ike-policy1 mode mainuser@host# set policy ike-policy1 proposals ike-proposal1user@host# set policy ike-policy1 certificate local-certificate cert1
- Configure the IPsec proposal.[edit security ipsec]user@host# set proposal ipsec-proposal1 protocol espuser@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-gcm
Note Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure the IPsec policy.[edit security ipsec]user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14user@host# set policy ipsec-policy1 proposals ipsec-proposal1
Note Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
- Configure the IKE.[edit security ike]user@host# set gateway gw1 ike-policy ike-policy1user@host# set gateway gw1 address 192.0.2.5user@host# set gateway gw1 local-identity inet 192.0.2.8user@host# set gateway gw1 external-interface ge-0/0/1
Note Here, gw1 is an IKE gateway name, 192.0.2.5 is the peer VPN endpoint IP, 192.0.2.8 is the local VPN endpoint IP, and ge-0/0/1 is a local outbound interface as the VPN endpoint. The following configuration is also needed for IKEv2.
[edit security ike]user@host# set gateway gw1 version v2-only - Configure the VPN.[edit]user@host# set security ipsec vpn vpn1 ike gateway gw1user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1user@host# set security ipsec vpn vpn1 bind-interface st0.0user@host# set routing-options static route 192.0.2.1/24 qualified-next-hop st0.0 preference 1
Note Here, vpn1 is the VPN tunnel name given by the authorized administrator.
- Configure the outbound flow policies.[edit security policies]user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLanuser@host# set from-zone trustZone to-zone untrustZone policy policy1 match application anyuser@host# set from-zone trustZone to-zone untrustZone policy policy1 then permituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-inituser@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Note Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Configure the inbound flow policies.[edit security policies]user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLanuser@host# set from-zone untrustZone to-zone trustZone policy policy1 match application anyuser@host# set from-zone untrustZone to-zone trustZone policy policy1 then permituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-inituser@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close
Note Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.
- Commit your configuration.user@host# commit