
VPNs in Logical Systems

 

A VPN is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is transmitted safely. A VPN prevents unauthorized parties from eavesdropping on the traffic and allows users to work remotely. For more information, see the following topics:

Understanding Route-Based VPN Tunnels in Logical Systems

A VPN connection can secure traffic that passes between a logical system and a remote site across a WAN. With route-based VPNs, you configure one or more security policies in a logical system to regulate the traffic flowing through a single IP Security (IPsec) tunnel. For each IPsec tunnel, there is one set of IKE and IPsec security associations (SAs) that must be configured at the root level by the master administrator.

Note

The external interface configured under the gateway configuration can only be a part of the root logical system.

Note

Only route-based VPNs are supported in logical systems. Policy-based VPNs are not supported.

In addition to configuring IKE and IPsec SAs for each VPN, the master administrator must also assign a secure tunnel (st0) interface to a user logical system. An st0 interface can only be assigned to a single user logical system. However, multiple user logical systems can each be assigned their own st0 interface.

Note

The st0 unit 0 interface should not be assigned to a logical system, as an SA cannot be set up for this interface.

The user logical system administrator can configure the IP address and other attributes of the st0 interface assigned to the user logical system. The user logical system administrator cannot delete an st0 interface assigned to their user logical system.

For route-based VPNs, a security policy refers to a destination address and not a specific VPN tunnel. For cleartext traffic in a user logical system to be sent to the VPN tunnel for encapsulation, the user logical system administrator must make the following configurations:

  • Security policy that permits traffic to a specified destination.

  • Static route to the destination with the st0 interface as the next hop.

When Junos OS looks up routes in the user logical system to find the interface to use to send traffic to the destination address, it finds a static route through the st0 interface. Traffic is routed to the VPN tunnel as long as the security policy action is permit.

Note

Traffic selectors are not supported in logical systems.

The master logical system and a user logical system can share a route-based VPN tunnel. An st0 interface assigned to a user logical system can also be used by the master logical system. For the master logical system, the master administrator configures a security policy that permits traffic to the remote destination and a static route to the remote destination with the st0 interface as the next hop.

VPN monitoring is configured by the master administrator in the master logical system. For the VPN monitor source interface, the master administrator must specify the st0 interface; a physical interface for a user logical system cannot be specified.

Example: Configuring IKE and IPsec SAs for a VPN Tunnel (Master Administrators Only)

The master administrator is responsible for assigning an st0 interface to a user logical system and configuring IKE and IPsec SAs at the root level for each VPN tunnel. This example shows how to assign an st0 interface to a user logical system and configure IKE and IPsec SA parameters.

Requirements

Before you begin:

Overview

In this example you configure a VPN tunnel for the ls-product-design user logical system. This example configures the VPN tunnel parameters described in Table 1.

Table 1: Logical System VPN Tunnel Configuration

Each entry gives the feature, its name in parentheses, and its configuration parameters.

Tunnel interface (st0 unit 1)

  • Assigned to ls-product-design logical system

IKE proposal (ike-phase1-proposal)

  • Preshared keys authentication
  • Diffie-Hellman group 2
  • sha1 authentication algorithm
  • aes-128-cbc encryption algorithm

IKE policy (ike-phase1-policy)

  • Main mode
  • References IKE proposal ike-phase1-proposal
  • ASCII preshared key 395psksecr3t

IKE gateway (ike-gw)

  • External interface ge-0/0/3.0
  • References IKE policy ike-phase1-policy
  • Address 2.2.2.2

IPsec proposal (ipsec-phase2-proposal)

  • ESP protocol
  • hmac-sha1-96 authentication algorithm
  • aes-128-cbc encryption algorithm

IPsec policy (vpn-policy1)

  • References ipsec-phase2-proposal
  • perfect-forward-secrecy keys group2

VPN (ike-vpn)

  • bind-interface st0.1
  • References ike-gw gateway
  • References vpn-policy1 policy

VPN monitoring (for ike-vpn VPN)

  • source-interface st0.1
  • destination-ip 4.0.0.1

Figure 1 shows the topology for the logical systems VPN tunnel.

Figure 1: Logical systems VPN tunnel (diagram not reproduced in this extract)

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To assign a VPN tunnel interface to a user logical system and configure IKE and IPsec SAs:

  1. Log in to the master logical system as the master administrator and enter configuration mode.
  2. Assign a VPN tunnel interface.
  3. Configure an IKE proposal.
  4. Configure an IKE policy.
  5. Configure an IKE gateway.
  6. Configure an IPsec proposal.
  7. Configure an IPsec policy.
  8. Configure the VPN.
  9. Configure VPN monitoring.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying IKE on the Logical System

Purpose

Verify that the IKE SA for the logical system VPN tunnel has been established.

Action

From operational mode, enter the show security ike sa detail command.

user@host> show security ike sa detail

Meaning

The detail output shows the IKE SA for the remote gateway 2.2.2.2, including its state and the negotiated proposal. An SA in the UP state confirms that Phase 1 completed; if no SA is listed, check that traffic has been sent through the tunnel and that the gateway's external interface is in the root logical system.

Verifying IPsec on the Logical System

Purpose

Verify that the IPsec SA for the logical system VPN tunnel has been established.

Action

From operational mode, enter the show security ipsec sa detail command.

user@host> show security ipsec sa detail

Meaning

The detail output shows the IPsec SA pair (inbound and outbound) bound to st0.1, with the negotiated ESP algorithms and lifetimes. Its presence confirms that Phase 2 completed and that the st0 interface assigned to the user logical system is carrying the tunnel.

Example: Configuring a Route-Based VPN Tunnel in a User Logical System

This example shows how to configure a route-based VPN tunnel in a user logical system.

Requirements

Before you begin:

Overview

In this example, you configure the ls-product-design user logical system as shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

You configure the route-based VPN parameters described in Table 2.

Table 2: User Logical System Route-Based VPN Configuration

Each entry gives the feature, its name in parentheses where it has one, and its configuration parameters.

Tunnel interface (st0 unit 1)

  • IPv4 protocol family (inet)
  • IP address 10.11.11.150/24

Static route

  • Destination 192.168.168.0/24
  • Next hop st0.1

Security policy (through-vpn)

Permit the following traffic:

  • From zone: ls-product-design-trust
  • To zone: ls-product-design-untrust
  • Source address: any
  • Destination address: 192.168.168.0/24
  • Application: any

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a route-based VPN tunnel in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.
  2. Configure the VPN tunnel interface.
  3. Create a static route to the remote destination.
  4. Configure a security policy to permit traffic to the remote destination.
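The four steps above as Junos OS set commands, entered by the ls-product-design logical system administrator, using the parameters from Table 2. This is an added example, not the page's own listing, and it also shows the two things the "Understanding" section says a user logical system needs to push cleartext into the tunnel: a static route via st0.1 and a permit policy for the destination. Two lines are assumptions not stated on the page and are marked as such in the comments: the st0.1 zone membership, and the address-book entry named remote-net, because Junos security policies match destination addresses by address-book name rather than by raw prefix.

```junos
# Step 1: log in to the ls-product-design user logical system as its administrator.
# Step 2: address the tunnel interface the master administrator assigned.
set interfaces st0 unit 1 family inet address 10.11.11.150/24

# Step 3: static route to the remote network with st0.1 as next hop. This route, not a
# traffic selector, is what steers cleartext traffic into the tunnel for encapsulation.
set routing-options static route 192.168.168.0/24 next-hop st0.1

# Assumption (not on the page): st0.1 must be a member of the policy's to-zone, otherwise
# trust-to-untrust traffic never reaches the tunnel interface.
set security zones security-zone ls-product-design-untrust interfaces st0.1

# Assumption (not on the page): the 192.168.168.0/24 destination from Table 2 is given an
# address-book name, remote-net, so the policy below can reference it.
set security zones security-zone ls-product-design-untrust address-book address remote-net 192.168.168.0/24

# Step 4: policy through-vpn. Traffic is routed into the tunnel only if the action is permit.
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match source-address any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match destination-address remote-net
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match application any
set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn then permit

commit
```

The policy permits any application, as Table 2 specifies; in production, narrow the application match to what the remote site actually needs, since everything this policy permits is carried across the tunnel. Note that the user logical system administrator can change the st0.1 address but cannot delete the interface; removing it is a master administrator action.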

Results

From configuration mode, confirm your configuration by entering the show interfaces st0, show routing-options, and show security policies commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Note

Before starting the verification process, you need to send traffic from a host in the user logical system to a host in the 192.168.168.0/24 network. For example, initiate a ping from a host in the 12.1.1.0/24 subnet in the ls-product-design user logical system to the host 192.168.168.10.

Verifying the IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status.

Action

From operational mode, enter the show security ike security-associations command. After obtaining an index number from the command, use the show security ike security-associations index index_number detail command.

For sample outputs and meanings, see the “Verification” section of Example: Configuring a Route-Based VPN.

Verifying the IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status.

Action

From operational mode, enter the show security ipsec security-associations command. After obtaining an index number from the command, use the show security ipsec security-associations index index_number detail command.

For sample outputs and meanings, see the “Verification” section of Example: Configuring a Route-Based VPN.