
    Example: Configuring a Hub-and-Spoke VPN

    This example shows how to configure a hub-and-spoke IPsec VPN for an enterprise-class deployment.

    Requirements

    This example uses the following hardware:

    • SRX240 device
    • SRX5800 device
    • SSG140 device

    Before you begin, read VPN Overview.

    Overview

    This example describes how to configure a hub-and-spoke VPN typically found in branch deployments. The hub is the corporate office, and there are two spokes—a branch office in Sunnyvale, California, and a branch office in Westford, Massachusetts. Users in the branch offices will use the VPN to securely transfer data with the corporate office.

    Figure 1 shows an example of a hub-and-spoke VPN topology. In this topology, an SRX5800 device is located at the corporate office. An SRX240 device is located at the Westford branch, and an SSG140 device is located at the Sunnyvale branch.

    Figure 1: Hub-and-Spoke VPN Topology


    In this example, you configure the corporate office hub, the Westford spoke, and the Sunnyvale spoke. First you configure interfaces, IPv4 static and default routes, security zones, and address books. Then you configure IKE Phase 1 and IPsec Phase 2 parameters, and bind the st0.0 interface to the IPsec VPN. On the hub, you configure st0.0 for multipoint and add a static NHTB table entry for the Sunnyvale spoke. Finally, you configure security policy and TCP-MSS parameters. See Table 1 through Table 5 for specific configuration parameters used in this example.

    Table 1: Interface, Security Zone, and Address Book Information

    Hub or Spoke | Feature | Name | Configuration Parameters
    --- | --- | --- | ---
    Hub | Interfaces | ge-0/0/0.0 | 10.10.10.1/24
    Hub | Interfaces | ge-0/0/3.0 | 1.1.1.2/30
    Hub | Interfaces | st0 | 10.11.11.10/24
    Spoke | Interfaces | ge-0/0/0.0 | 3.3.3.2/30
    Spoke | Interfaces | ge-0/0/3.0 | 192.168.178.1/24
    Spoke | Interfaces | st0 | 10.11.11.12/24
    Hub | Security zones | trust | All system services are allowed. The ge-0/0/0.0 interface is bound to this zone.
    Hub | Security zones | untrust | IKE is the only allowed system service. The ge-0/0/3.0 interface is bound to this zone.
    Hub | Security zones | vpn | The st0.0 interface is bound to this zone.
    Spoke | Security zones | trust | All system services are allowed. The ge-0/0/3.0 interface is bound to this zone.
    Spoke | Security zones | untrust | IKE is the only allowed system service. The ge-0/0/0.0 interface is bound to this zone.
    Spoke | Security zones | vpn | The st0.0 interface is bound to this zone.
    Hub | Address book entries | local-net | This address is for the trust zone's address book. The address for this entry is 10.10.10.0/24.
    Hub | Address book entries | sunnyvale-net | This address is for the vpn zone's address book. The address for this entry is 192.168.168.0/24.
    Hub | Address book entries | westford-net | This address is for the vpn zone's address book. The address for this entry is 192.168.178.0/24.
    Spoke | Address book entries | local-net | This address is for the trust zone's address book. The address for this entry is 192.168.178.0/24.
    Spoke | Address book entries | corp-net | This address is for the vpn zone's address book. The address for this entry is 10.10.10.0/24.
    Spoke | Address book entries | sunnyvale-net | This address is for the vpn zone's address book. The address for this entry is 192.168.168.0/24.

    Table 2: IKE Phase 1 Configuration Parameters

    Hub or Spoke | Feature | Name | Configuration Parameters
    --- | --- | --- | ---
    Hub | Proposal | ike-phase1-proposal | Authentication method: pre-shared-keys; Diffie-Hellman group: group2; Authentication algorithm: sha1; Encryption algorithm: aes-128-cbc
    Hub | Policy | ike-phase1-policy | Mode: main; Proposal reference: ike-phase1-proposal; IKE Phase 1 policy authentication method: pre-shared-key ascii-text
    Hub | Gateway | gw-westford | IKE policy reference: ike-phase1-policy; External interface: ge-0/0/3.0; Gateway address: 3.3.3.2
    Hub | Gateway | gw-sunnyvale | IKE policy reference: ike-phase1-policy; External interface: ge-0/0/3.0; Gateway address: 2.2.2.2
    Spoke | Proposal | ike-phase1-proposal | Authentication method: pre-shared-keys; Diffie-Hellman group: group2; Authentication algorithm: sha1; Encryption algorithm: aes-128-cbc
    Spoke | Policy | ike-phase1-policy | Mode: main; Proposal reference: ike-phase1-proposal; IKE Phase 1 policy authentication method: pre-shared-key ascii-text
    Spoke | Gateway | gw-corporate | IKE policy reference: ike-phase1-policy; External interface: ge-0/0/0.0; Gateway address: 1.1.1.2

    Table 3: IPsec Phase 2 Configuration Parameters

    Hub or Spoke | Feature | Name | Configuration Parameters
    --- | --- | --- | ---
    Hub | Proposal | ipsec-phase2-proposal | Protocol: esp; Authentication algorithm: hmac-sha1-96; Encryption algorithm: aes-128-cbc
    Hub | Policy | ipsec-phase2-policy | Proposal reference: ipsec-phase2-proposal; PFS: Diffie-Hellman group2
    Hub | VPN | vpn-sunnyvale | IKE gateway reference: gw-sunnyvale; IPsec policy reference: ipsec-phase2-policy; Bind to interface: st0.0
    Hub | VPN | vpn-westford | IKE gateway reference: gw-westford; IPsec policy reference: ipsec-phase2-policy; Bind to interface: st0.0
    Spoke | Proposal | ipsec-phase2-proposal | Protocol: esp; Authentication algorithm: hmac-sha1-96; Encryption algorithm: aes-128-cbc
    Spoke | Policy | ipsec-phase2-policy | Proposal reference: ipsec-phase2-proposal; PFS: Diffie-Hellman group2
    Spoke | VPN | vpn-corporate | IKE gateway reference: gw-corporate; IPsec policy reference: ipsec-phase2-policy; Bind to interface: st0.0

    Table 4: Security Policy Configuration Parameters

    Hub or Spoke | Purpose | Name | Configuration Parameters
    --- | --- | --- | ---
    Hub | The security policy permits traffic from the trust zone to the vpn zone. | local-to-spokes | Match criteria: source-address local-net; destination-address sunnyvale-net; destination-address westford-net; application any
    Hub | The security policy permits traffic from the vpn zone to the trust zone. | spokes-to-local | Match criteria: source-address sunnyvale-net; source-address westford-net; destination-address local-net; application any
    Hub | The security policy permits intrazone traffic. | spoke-to-spoke | Match criteria: source-address any; destination-address any; application any
    Spoke | The security policy permits traffic from the trust zone to the vpn zone. | to-corp | Match criteria: source-address local-net; destination-address corp-net; destination-address sunnyvale-net; application any
    Spoke | The security policy permits traffic from the vpn zone to the trust zone. | from-corp | Match criteria: source-address corp-net; source-address sunnyvale-net; destination-address local-net; application any
    Spoke | The security policy permits traffic from the untrust zone to the trust zone. | permit-any | Match criteria: source-address any; destination-address any; application any. Permit action: source-nat interface

    By specifying source-nat interface, the SRX Series device translates the source IP address and port for outgoing traffic, using the IP address of the egress interface as the source IP address and a random high-number port for the source port.

    Table 5: TCP-MSS Configuration Parameters

    Purpose | Configuration Parameters
    --- | ---
    TCP-MSS is negotiated as part of the TCP three-way handshake and limits the maximum size of a TCP segment to better fit the MTU limits on a network. For VPN traffic, the IPsec encapsulation overhead, along with the IP and frame overhead, can cause the resulting ESP packet to exceed the MTU of the physical interface, which causes fragmentation. Fragmentation results in increased use of bandwidth and device resources. | MSS value: 1350

    Note: The value of 1350 is a recommended starting point for most Ethernet-based networks with an MTU of 1500 or greater. You might need to experiment with different TCP-MSS values to obtain optimal performance. For example, you might need to change the value if any device in the path has a lower MTU, or if there is any additional overhead such as PPP or Frame Relay.
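    As an added illustration of the fragmentation reasoning in Table 5 (this code is not from the Juniper page), the following Python sizes the ESP tunnel-mode packet produced by this example's Phase 2 proposal (esp, aes-128-cbc, hmac-sha1-96) and derives the largest MSS that still fits a 1500-byte MTU. It assumes IPv4 and TCP headers without options, no link-layer overhead such as PPP or Frame Relay, and NAT-T UDP encapsulation only when requested.

```python
# Added example, not code from the Juniper page: size an ESP tunnel-mode packet
# for this example's Phase 2 proposal (esp, aes-128-cbc, hmac-sha1-96) and find
# the largest TCP MSS that still fits the physical MTU without fragmentation.
# Assumptions: IPv4 without options on both headers, TCP without options, and no
# extra link-layer overhead such as PPP or Frame Relay.

IPV4_HDR = 20          # outer and inner IPv4 header
TCP_HDR = 20           # TCP header without options
ESP_HDR = 8            # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16        # aes-128-cbc sends a 16-byte IV in front of the payload
AES_BLOCK = 16         # CBC pads payload + trailer up to the cipher block size
ESP_TRAILER = 2        # pad length (1 byte) + next header (1 byte)
HMAC_SHA1_96_ICV = 12  # hmac-sha1-96 truncates the ICV to 96 bits
UDP_HDR = 8            # only present when NAT-T (UDP encapsulation) is in use


def esp_tunnel_size(mss: int, nat_traversal: bool = False) -> int:
    """Bytes on the wire for one full-MSS TCP segment sent through the tunnel."""
    inner_packet = IPV4_HDR + TCP_HDR + mss        # tunnel mode wraps the whole IP packet
    to_pad = inner_packet + ESP_TRAILER            # encrypted region incl. ESP trailer
    padded = -(-to_pad // AES_BLOCK) * AES_BLOCK   # round up to a whole AES block
    outer = IPV4_HDR + ESP_HDR + AES_CBC_IV + padded + HMAC_SHA1_96_ICV
    return outer + UDP_HDR if nat_traversal else outer


def fragments(mss: int, mtu: int = 1500, nat_traversal: bool = False) -> bool:
    """True when the ESP packet exceeds the MTU and the device must fragment it."""
    return esp_tunnel_size(mss, nat_traversal) > mtu


def max_mss(mtu: int = 1500, nat_traversal: bool = False) -> int:
    """Largest MSS that can be advertised for this proposal without fragmentation."""
    mss = mtu - IPV4_HDR - TCP_HDR   # plain TCP MSS for this MTU (1460 on Ethernet)
    while mss > 0 and fragments(mss, mtu, nat_traversal):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1398, 1350):
        print(f"mss={mss}: esp packet={esp_tunnel_size(mss)} bytes, "
              f"fragments={fragments(mss)}")
    print("largest safe mss at 1500 MTU:", max_mss(1500))
```

    Under these assumptions the page's value of 1350 yields a 1448-byte ESP packet, so the slack below 1500 absorbs NAT-T or a slightly smaller path MTU.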

    Configuration

    Configuring Basic Network, Security Zone, and Address Book Information for the Hub

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
    set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
    set interfaces st0 unit 0 family inet address 10.11.11.10/24
    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
    set routing-options static route 192.168.168.0/24 next-hop 10.11.11.11
    set routing-options static route 192.168.178.0/24 next-hop 10.11.11.12
    set security zones security-zone untrust interfaces ge-0/0/3.0
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone vpn interfaces st0.0
    set security address-book book1 address local-net 10.10.10.0/24
    set security address-book book1 attach zone trust
    set security address-book book2 address sunnyvale-net 192.168.168.0/24
    set security address-book book2 address westford-net 192.168.178.0/24
    set security address-book book2 attach zone vpn

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure basic network, security zone, and address book information for the hub:

    1. Configure Ethernet interface information.
      [edit]
      user@hub# set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
      user@hub# set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
      user@hub# set interfaces st0 unit 0 family inet address 10.11.11.10/24
    2. Configure static route information.
      [edit]
      user@hub# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
      user@hub# set routing-options static route 192.168.168.0/24 next-hop 10.11.11.11
      user@hub# set routing-options static route 192.168.178.0/24 next-hop 10.11.11.12
    3. Configure the untrust security zone.
      [edit]
      user@hub# edit security zones security-zone untrust
    4. Assign an interface to the untrust security zone.
      [edit security zones security-zone untrust]
      user@hub# set interfaces ge-0/0/3.0
    5. Specify allowed system services for the untrust security zone.
      [edit security zones security-zone untrust]
      user@hub# set host-inbound-traffic system-services ike
    6. Configure the trust security zone.
      [edit]
      user@hub# edit security zones security-zone trust
    7. Assign an interface to the trust security zone.
      [edit security zones security-zone trust]
      user@hub# set interfaces ge-0/0/0.0
    8. Specify allowed system services for the trust security zone.
      [edit security zones security-zone trust]
      user@hub# set host-inbound-traffic system-services all
    9. Create an address book and attach a zone to it.
      [edit security address-book book1]
      user@hub# set address local-net 10.10.10.0/24
      user@hub# set attach zone trust
    10. Configure the vpn security zone.
      [edit]
      user@hub# edit security zones security-zone vpn
    11. Assign an interface to the vpn security zone.
      [edit security zones security-zone vpn]
      user@hub# set interfaces st0.0
    12. Create another address book and attach a zone to it.
      [edit security address-book book2]
      user@hub# set address sunnyvale-net 192.168.168.0/24
      user@hub# set address westford-net 192.168.178.0/24
      user@hub# set attach zone vpn

    Results

    From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, show security zones, and show security address-book commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@hub# show interfaces
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.11.11.10/24;
            }
        }
    }
    [edit]
    user@hub# show routing-options
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
        route 192.168.168.0/24 next-hop 10.11.11.11;
        route 192.168.178.0/24 next-hop 10.11.11.12;
    }
    [edit]
    user@hub# show security zones
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/3.0;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone vpn {
        host-inbound-traffic {
        }
        interfaces {
            st0.0;
        }
    }
    [edit]
    user@hub# show security address-book
    book1 {
        address local-net 10.10.10.0/24;
        attach {
            zone trust;
        }
    }
    book2 {
        address sunnyvale-net 192.168.168.0/24;
        address westford-net 192.168.178.0/24;
        attach {
            zone vpn;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring IKE for the Hub

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm sha1
    set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
    set security ike gateway gw-westford external-interface ge-0/0/3.0
    set security ike gateway gw-westford ike-policy ike-phase1-policy
    set security ike gateway gw-westford address 3.3.3.2
    set security ike gateway gw-sunnyvale external-interface ge-0/0/3.0
    set security ike gateway gw-sunnyvale ike-policy ike-phase1-policy
    set security ike gateway gw-sunnyvale address 2.2.2.2

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure IKE for the hub:

    1. Create the IKE Phase 1 proposal.
      [edit security ike]
      user@hub# set proposal ike-phase1-proposal
    2. Define the IKE proposal authentication method.
      [edit security ike proposal ike-phase1-proposal]
      user@hub# set authentication-method pre-shared-keys
    3. Define the IKE proposal Diffie-Hellman group.
      [edit security ike proposal ike-phase1-proposal]
      user@hub# set dh-group group2
    4. Define the IKE proposal authentication algorithm.
      [edit security ike proposal ike-phase1-proposal]
      user@hub# set authentication-algorithm sha1
    5. Define the IKE proposal encryption algorithm.
      [edit security ike proposal ike-phase1-proposal]
      user@hub# set encryption-algorithm aes-128-cbc
    6. Create an IKE Phase 1 policy.
      [edit security ike]
      user@hub# set policy ike-phase1-policy
    7. Set the IKE Phase 1 policy mode.
      [edit security ike policy ike-phase1-policy]
      user@hub# set mode main
    8. Specify a reference to the IKE proposal.
      [edit security ike policy ike-phase1-policy]
      user@hub# set proposals ike-phase1-proposal
    9. Define the IKE Phase 1 policy authentication method.
      [edit security ike policy ike-phase1-policy]
      user@hub# set pre-shared-key ascii-text 395psksecr3t
    10. Create an IKE Phase 1 gateway and define its external interface.
      [edit security ike]
      user@hub# set gateway gw-westford external-interface ge-0/0/3.0
    11. Define the IKE Phase 1 policy reference.
      [edit security ike]
      user@hub# set gateway gw-westford ike-policy ike-phase1-policy
    12. Define the IKE Phase 1 gateway address.
      [edit security ike]
      user@hub# set gateway gw-westford address 3.3.3.2
    13. Create an IKE Phase 1 gateway and define its external interface.
      [edit security ike]
      user@hub# set gateway gw-sunnyvale external-interface ge-0/0/3.0
    14. Define the IKE Phase 1 policy reference.
      [edit security ike]
      user@hub# set gateway gw-sunnyvale ike-policy ike-phase1-policy
    15. Define the IKE Phase 1 gateway address.
      [edit security ike]
      user@hub# set gateway gw-sunnyvale address 2.2.2.2

    Results

    From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@hub# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$9VMTp1RvWLdwYKMJDkmF3ylKM87Vb2oZjws5F"; ## SECRET-DATA
    }
    gateway gw-sunnyvale {
        ike-policy ike-phase1-policy;
        address 2.2.2.2;
        external-interface ge-0/0/3.0;
    }
    gateway gw-westford {
        ike-policy ike-phase1-policy;
        address 3.3.3.2;
        external-interface ge-0/0/3.0;
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring IPsec for the Hub

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security ipsec proposal ipsec-phase2-proposal protocol esp
    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec vpn vpn-westford ike gateway gw-westford
    set security ipsec vpn vpn-westford ike ipsec-policy ipsec-phase2-policy
    set security ipsec vpn vpn-westford bind-interface st0.0
    set security ipsec vpn vpn-sunnyvale ike gateway gw-sunnyvale
    set security ipsec vpn vpn-sunnyvale ike ipsec-policy ipsec-phase2-policy
    set security ipsec vpn vpn-sunnyvale bind-interface st0.0
    set interfaces st0 unit 0 multipoint
    set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.11 ipsec-vpn vpn-sunnyvale

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure IPsec for the hub:

    1. Create an IPsec Phase 2 proposal.
      [edit]
      user@hub# set security ipsec proposal ipsec-phase2-proposal
    2. Specify the IPsec Phase 2 proposal protocol.
      [edit security ipsec proposal ipsec-phase2-proposal]
      user@hub# set protocol esp
    3. Specify the IPsec Phase 2 proposal authentication algorithm.
      [edit security ipsec proposal ipsec-phase2-proposal]
      user@hub# set authentication-algorithm hmac-sha1-96
    4. Specify the IPsec Phase 2 proposal encryption algorithm.
      [edit security ipsec proposal ipsec-phase2-proposal]
      user@hub# set encryption-algorithm aes-128-cbc
    5. Create the IPsec Phase 2 policy.
      [edit security ipsec]
      user@hub# set policy ipsec-phase2-policy
    6. Specify the IPsec Phase 2 proposal reference.
      [edit security ipsec policy ipsec-phase2-policy]
      user@hub# set proposals ipsec-phase2-proposal
    7. Specify IPsec Phase 2 PFS to use Diffie-Hellman group 2.
      [edit security ipsec policy ipsec-phase2-policy]
      user@hub# set perfect-forward-secrecy keys group2
    8. Specify the IKE gateways.
      [edit security ipsec]
      user@hub# set vpn vpn-westford ike gateway gw-westford
      user@hub# set vpn vpn-sunnyvale ike gateway gw-sunnyvale
    9. Specify the IPsec Phase 2 policies.
      [edit security ipsec]
      user@hub# set vpn vpn-westford ike ipsec-policy ipsec-phase2-policy
      user@hub# set vpn vpn-sunnyvale ike ipsec-policy ipsec-phase2-policy
    10. Specify the interface to bind.
      [edit security ipsec]
      user@hub# set vpn vpn-westford bind-interface st0.0
      user@hub# set vpn vpn-sunnyvale bind-interface st0.0
    11. Configure the st0 interface as multipoint.
      [edit]
      user@hub# set interfaces st0 unit 0 multipoint
    12. Add static NHTB table entries for the Sunnyvale and Westford offices.
      [edit]
      user@hub# set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.11 ipsec-vpn vpn-sunnyvale
      user@hub# set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.12 ipsec-vpn vpn-westford

    Results

    From configuration mode, confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@hub# show security ipsec
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy ipsec-phase2-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-phase2-proposal;
    }
    vpn vpn-sunnyvale {
        bind-interface st0.0;
        ike {
            gateway gw-sunnyvale;
            ipsec-policy ipsec-phase2-policy;
        }
    }
    vpn vpn-westford {
        bind-interface st0.0;
        ike {
            gateway gw-westford;
            ipsec-policy ipsec-phase2-policy;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring Security Policies for the Hub

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security policies from-zone trust to-zone vpn policy local-to-spokes match source-address local-net
    set security policies from-zone trust to-zone vpn policy local-to-spokes match destination-address sunnyvale-net
    set security policies from-zone trust to-zone vpn policy local-to-spokes match destination-address westford-net
    set security policies from-zone trust to-zone vpn policy local-to-spokes match application any
    set security policies from-zone trust to-zone vpn policy local-to-spokes then permit
    set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address sunnyvale-net
    set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address westford-net
    set security policies from-zone vpn to-zone trust policy spokes-to-local match destination-address local-net
    set security policies from-zone vpn to-zone trust policy spokes-to-local match application any
    set security policies from-zone vpn to-zone trust policy spokes-to-local then permit
    set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match source-address any
    set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match destination-address any
    set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match application any
    set security policies from-zone vpn to-zone vpn policy spoke-to-spoke then permit

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure security policies for the hub:

    1. Create the security policy to permit traffic from the trust zone to the vpn zone.
      [edit security policies from-zone trust to-zone vpn]
      user@hub# set policy local-to-spokes match source-address local-net
      user@hub# set policy local-to-spokes match destination-address sunnyvale-net
      user@hub# set policy local-to-spokes match destination-address westford-net
      user@hub# set policy local-to-spokes match application any
      user@hub# set policy local-to-spokes then permit
    2. Create the security policy to permit traffic from the vpn zone to the trust zone.
      [edit security policies from-zone vpn to-zone trust]
      user@hub# set policy spokes-to-local match source-address sunnyvale-net
      user@hub# set policy spokes-to-local match source-address westford-net
      user@hub# set policy spokes-to-local match destination-address local-net
      user@hub# set policy spokes-to-local match application any
      user@hub# set policy spokes-to-local then permit
    3. Create the security policy to permit intrazone traffic.
      [edit security policies from-zone vpn to-zone vpn]
      user@hub# set policy spoke-to-spoke match source-address any
      user@hub# set policy spoke-to-spoke match destination-address any
      user@hub# set policy spoke-to-spoke match application any
      user@hub# set policy spoke-to-spoke then permit

    Results

    From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@hub# show security policies
    from-zone trust to-zone vpn {
        policy local-to-spokes {
            match {
                source-address local-net;
                destination-address [ sunnyvale-net westford-net ];
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone vpn to-zone trust {
        policy spokes-to-local {
            match {
                source-address [ sunnyvale-net westford-net ];
                destination-address local-net;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone vpn to-zone vpn {
        policy spoke-to-spoke {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
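    The following Python is an added model (not Juniper code) of how the hub built in the IPsec and security policy sections above handles one flow: the static routes and the st0.0 NHTB entries pick the egress interface and tunnel, and the zone pair of the ingress and egress interfaces picks one of the three hub policies, with anything unmatched dropped by the default deny. The host addresses in the sample flows are constructed.

```python
import ipaddress
from typing import Optional

# Constructed model of the hub in this example (added code, not Juniper's):
# static routes, the st0.0 next-hop tunnel binding (NHTB) table, interface-to-zone
# bindings, the two address books and the three hub security policies.
ROUTES = [  # (prefix, next hop, egress interface); next hop None = directly connected
    ("0.0.0.0/0", "1.1.1.1", "ge-0/0/3.0"),
    ("10.10.10.0/24", None, "ge-0/0/0.0"),
    ("192.168.168.0/24", "10.11.11.11", "st0.0"),
    ("192.168.178.0/24", "10.11.11.12", "st0.0"),
]
NHTB = {"10.11.11.11": "vpn-sunnyvale", "10.11.11.12": "vpn-westford"}
ZONE_OF = {"ge-0/0/0.0": "trust", "ge-0/0/3.0": "untrust", "st0.0": "vpn"}
ADDRESS_BOOK = {
    "local-net": "10.10.10.0/24",
    "sunnyvale-net": "192.168.168.0/24",
    "westford-net": "192.168.178.0/24",
}
POLICIES = [  # (from-zone, to-zone, name, source addresses, destination addresses)
    ("trust", "vpn", "local-to-spokes", ["local-net"], ["sunnyvale-net", "westford-net"]),
    ("vpn", "trust", "spokes-to-local", ["sunnyvale-net", "westford-net"], ["local-net"]),
    ("vpn", "vpn", "spoke-to-spoke", ["any"], ["any"]),
]


def route_lookup(dst: str):
    """Longest-prefix match over ROUTES; returns (next hop, egress interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifc in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifc)
    return best[1], best[2]        # the 0.0.0.0/0 route guarantees a match


def _matches(names, ip: str) -> bool:
    """True when ip falls in any listed address book entry ("any" matches all)."""
    addr = ipaddress.ip_address(ip)
    return any(n == "any" or addr in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)


def policy_lookup(from_zone: str, to_zone: str, src: str, dst: str) -> Optional[str]:
    """First policy of the zone pair whose addresses match; None means default deny."""
    for fz, tz, name, srcs, dsts in POLICIES:
        if fz == from_zone and tz == to_zone and _matches(srcs, src) and _matches(dsts, dst):
            return name            # application is "any" in every policy here
    return None


def forward(ingress_if: str, src: str, dst: str) -> dict:
    """Route, then zone pair, then policy, then NHTB when the egress is st0.0."""
    next_hop, egress_if = route_lookup(dst)
    policy = policy_lookup(ZONE_OF[ingress_if], ZONE_OF[egress_if], src, dst)
    if policy is None:
        return {"egress": None, "policy": None, "vpn": None}   # dropped
    vpn = None
    if egress_if == "st0.0":
        # st0.0 is multipoint, so the next hop alone does not identify a peer;
        # the NHTB maps it to the IPsec VPN. A missing entry leaves vpn=None.
        vpn = NHTB.get(next_hop)
    return {"egress": egress_if, "policy": policy, "vpn": vpn}


if __name__ == "__main__":
    # Constructed sample flows: spoke-to-spoke, corporate-to-spoke, spoke-to-corporate,
    # and a spoke host trying to reach an address routed out the untrust interface.
    for flow in [("st0.0", "192.168.178.20", "192.168.168.5"),
                 ("ge-0/0/0.0", "10.10.10.5", "192.168.178.20"),
                 ("st0.0", "192.168.168.5", "10.10.10.5"),
                 ("st0.0", "192.168.178.20", "198.51.100.7")]:
        print(flow, "->", forward(*flow))
```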

    Configuring TCP-MSS for the Hub

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the command into the CLI at the [edit] hierarchy level.

    set security flow tcp-mss ipsec-vpn mss 1350

    Step-by-Step Procedure

    To configure TCP-MSS information for the hub:

    1. Configure TCP-MSS information.
      [edit]
      user@hub# set security flow tcp-mss ipsec-vpn mss 1350

    Results

    From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@hub# show security flow
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring Basic Network, Security Zone, and Address Book Information for the Westford Spoke

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.2/30
    set interfaces ge-0/0/3 unit 0 family inet address 192.168.178.1/24
    set interfaces st0 unit 0 family inet address 10.11.11.12/24
    set routing-options static route 0.0.0.0/0 next-hop 3.1.1.1
    set routing-options static route 10.10.10.0/24 next-hop 10.11.11.10
    set routing-options static route 192.168.168.0/24 next-hop 10.11.11.10
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone trust interfaces ge-0/0/3.0
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone vpn interfaces st0.0
    set security address-book book1 address local-net 192.168.178.0/24
    set security address-book book1 attach zone trust
    set security address-book book2 address corp-net 10.10.10.0/24
    set security address-book book2 address sunnyvale-net 192.168.168.0/24
    set security address-book book2 attach zone vpn

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure basic network, security zone, and address book information for the Westford spoke:

    1. Configure Ethernet interface information.
      [edit]
      user@spoke# set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.2/30
      user@spoke# set interfaces ge-0/0/3 unit 0 family inet address 192.168.178.1/24
      user@spoke# set interfaces st0 unit 0 family inet address 10.11.11.12/24
    2. Configure static route information.
      [edit]
      user@spoke# set routing-options static route 0.0.0.0/0 next-hop 3.1.1.1
      user@spoke# set routing-options static route 10.10.10.0/24 next-hop 10.11.11.10
      user@spoke# set routing-options static route 192.168.168.0/24 next-hop 10.11.11.10
    3. Configure the untrust security zone.
      [edit]
      user@spoke# edit security zones security-zone untrust
    4. Assign an interface to the untrust security zone.
      [edit security zones security-zone untrust]
      user@spoke# set interfaces ge-0/0/0.0
    5. Specify allowed system services for the untrust security zone.
      [edit security zones security-zone untrust]
      user@spoke# set host-inbound-traffic system-services ike
    6. Configure the trust security zone.
      [edit]
      user@spoke# edit security zones security-zone trust
    7. Assign an interface to the trust security zone.
      [edit security zones security-zone trust]
      user@spoke# set interfaces ge-0/0/3.0
    8. Specify allowed system services for the trust security zone.
      [edit security zones security-zone trust]
      user@spoke# set host-inbound-traffic system-services all
    9. Configure the vpn security zone.
      [edit]
      user@spoke# edit security zones security-zone vpn
    10. Assign an interface to the vpn security zone.
      [edit security zones security-zone vpn]
      user@spoke# set interfaces st0.0
    11. Create an address book and attach a zone to it.
      [edit security address-book book1]
      user@spoke# set address local-net 192.168.178.0/24
      user@spoke# set attach zone trust
    12. Create another address book and attach a zone to it.
      [edit security address-book book2]
      user@spoke# set address corp-net 10.10.10.0/24
      user@spoke# set address sunnyvale-net 192.168.168.0/24
      user@spoke# set attach zone vpn

    Results

    From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, show security zones, and show security address-book commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@spoke# show interfaces
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 3.3.3.2/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.178.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.11.11.10/24;
            }
        }
    }
    [edit]
    user@spoke# show routing-options
    static {
        route 0.0.0.0/0 next-hop 3.3.3.1;
        route 192.168.168.0/24 next-hop 10.11.11.10;
        route 10.10.10.0/24 next-hop 10.11.11.10;
    }
    [edit]
    user@spoke# show security zones
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            ge-0/0/3.0;
        }
    }
    security-zone vpn {
        interfaces {
            st0.0;
        }
    }
    [edit]
    user@spoke# show security address-book
    book1 {
        address local-net 192.168.178.0/24;
        attach {
            zone trust;
        }
    }
    book2 {
        address corp-net 10.10.10.0/24;
        address sunnyvale-net 192.168.168.0/24;
        attach {
            zone vpn;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring IKE for the Westford Spoke

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group2
    set security ike proposal ike-phase1-proposal authentication-algorithm sha1
    set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text 395psksecr3t
    set security ike gateway gw-corporate external-interface ge-0/0/0.0
    set security ike gateway gw-corporate ike-policy ike-phase1-policy
    set security ike gateway gw-corporate address 1.1.1.2

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure IKE for the Westford spoke:

    1. Create the IKE Phase 1 proposal.
      [edit security ike]
      user@spoke# set proposal ike-phase1-proposal
    2. Define the IKE proposal authentication method.
      [edit security ike proposal ike-phase1-proposal]
      user@spoke# set authentication-method pre-shared-keys
    3. Define the IKE proposal Diffie-Hellman group.
      [edit security ike proposal ike-phase1-proposal]
      user@spoke# set dh-group group2
    4. Define the IKE proposal authentication algorithm.
      [edit security ike proposal ike-phase1-proposal]
      user@spoke# set authentication-algorithm sha1
    5. Define the IKE proposal encryption algorithm.
      [edit security ike proposal ike-phase1-proposal]
      user@spoke# set encryption-algorithm aes-128-cbc
    6. Create an IKE Phase 1 policy.
      [edit security ike]
      user@spoke# set policy ike-phase1-policy
    7. Set the IKE Phase 1 policy mode.
      [edit security ike policy ike-phase1-policy]
      user@spoke# set mode main
    8. Specify a reference to the IKE proposal.
      [edit security ike policy ike-phase1-policy]
      user@spoke# set proposals ike-phase1-proposal
    9. Define the IKE Phase 1 policy authentication method.
      [edit security ike policy ike-phase1-policy]
      user@spoke# set pre-shared-key ascii-text 395psksecr3t
    10. Create an IKE Phase 1 gateway and define its external interface.
      [edit security ike]
      user@spoke# set gateway gw-corporate external-interface ge-0/0/0.0
    11. Define the IKE Phase 1 policy reference.
      [edit security ike]
      user@spoke# set gateway gw-corporate ike-policy ike-phase1-policy
    12. Define the IKE Phase 1 gateway address.
      [edit security ike]
      user@spoke# set gateway gw-corporate address 1.1.1.2

    Results

    From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@spoke# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$9VMTp1RvWLdwYKMJDkmF3ylKM87Vb2oZjws5F"; ## SECRET-DATA
    }
    gateway gw-corporate {
        ike-policy ike-phase1-policy;
        address 1.1.1.2;
        external-interface ge-0/0/0.0;
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring IPsec for the Westford Spoke

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security ipsec proposal ipsec-phase2-proposal protocol esp
    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
    set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
    set security ipsec vpn vpn-corporate ike gateway gw-corporate
    set security ipsec vpn vpn-corporate ike ipsec-policy ipsec-phase2-policy
    set security ipsec vpn vpn-corporate bind-interface st0.0

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure IPsec for the Westford spoke:

    1. Create an IPsec Phase 2 proposal.
      [edit]
      user@spoke# set security ipsec proposal ipsec-phase2-proposal
    2. Specify the IPsec Phase 2 proposal protocol.
      [edit security ipsec proposal ipsec-phase2-proposal]
      user@spoke# set protocol esp
    3. Specify the IPsec Phase 2 proposal authentication algorithm.
      [edit security ipsec proposal ipsec-phase2-proposal]
      user@spoke# set authentication-algorithm hmac-sha1-96
    4. Specify the IPsec Phase 2 proposal encryption algorithm.
      [edit security ipsec proposal ipsec-phase2-proposal]
      user@spoke# set encryption-algorithm aes-128-cbc
    5. Create the IPsec Phase 2 policy.
      [edit security ipsec]
      user@spoke# set policy ipsec-phase2-policy
    6. Specify the IPsec Phase 2 proposal reference.
      [edit security ipsec policy ipsec-phase2-policy]
      user@spoke# set proposals ipsec-phase2-proposal
    7. Specify IPsec Phase 2 PFS to use Diffie-Hellman group 2.
      [edit security ipsec policy ipsec-phase2-policy]
      user@spoke# set perfect-forward-secrecy keys group2
    8. Specify the IKE gateway.
      [edit security ipsec]
      user@spoke# set vpn vpn-corporate ike gateway gw-corporate
    9. Specify the IPsec Phase 2 policy.
      [edit security ipsec]
      user@spoke# set vpn vpn-corporate ike ipsec-policy ipsec-phase2-policy
    10. Specify the interface to bind.
      [edit security ipsec]
      user@spoke# set vpn vpn-corporate bind-interface st0.0

    Results

    From configuration mode, confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@spoke# show security ipsec
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy ipsec-phase2-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-phase2-proposal;
    }
    vpn vpn-corporate {
        bind-interface st0.0;
        ike {
            gateway gw-corporate;
            ipsec-policy ipsec-phase2-policy;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring Security Policies for the Westford Spoke

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security policies from-zone trust to-zone vpn policy to-corp match source-address local-net
    set security policies from-zone trust to-zone vpn policy to-corp match destination-address corp-net
    set security policies from-zone trust to-zone vpn policy to-corp match destination-address sunnyvale-net
    set security policies from-zone trust to-zone vpn policy to-corp match application any
    set security policies from-zone trust to-zone vpn policy to-corp then permit
    set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address corp-net
    set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address sunnyvale-net
    set security policies from-zone vpn to-zone trust policy spokes-to-local match destination-address local-net
    set security policies from-zone vpn to-zone trust policy spokes-to-local match application any
    set security policies from-zone vpn to-zone trust policy spokes-to-local then permit

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure security policies for the Westford spoke:

    1. Create the security policy to permit traffic from the trust zone to the vpn zone.
      [edit security policies from-zone trust to-zone vpn]
      user@spoke# set policy to-corp match source-address local-net
      user@spoke# set policy to-corp match destination-address corp-net
      user@spoke# set policy to-corp match destination-address sunnyvale-net
      user@spoke# set policy to-corp match application any
      user@spoke# set policy to-corp then permit
    2. Create the security policy to permit traffic from the vpn zone to the trust zone.
      [edit security policies from-zone vpn to-zone trust]
      user@spoke# set policy spokes-to-local match source-address corp-net
      user@spoke# set policy spokes-to-local match source-address sunnyvale-net
      user@spoke# set policy spokes-to-local match destination-address local-net
      user@spoke# set policy spokes-to-local match application any
      user@spoke# set policy spokes-to-local then permit

    Results

    From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@spoke# show security policies
    from-zone trust to-zone vpn {
        policy to-corp {
            match {
                source-address local-net;
                destination-address [ corp-net sunnyvale-net ];
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone vpn to-zone trust {
        policy spokes-to-local {
            match {
                source-address [ corp-net sunnyvale-net ];
                destination-address local-net;
                application any;
            }
            then {
                permit;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
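    The zone, address-book, IKE, IPsec and policy sections above depend on each other: the IKE gateway's external interface must sit in a zone that accepts host-inbound IKE, the bound st0 unit must belong to a zone, and every address a policy names must exist in the book attached to the zone the policy reads it from. The following is an added example (not Juniper code, not part of this page) that parses a constructed copy of the Westford spoke's set commands and reports any of those dependencies that are broken; the command subset it understands and the checks it applies are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the Westford spoke's zone, address-book, IKE, IPsec and
# policy "set" commands from this example, joined into one configuration.
WESTFORD_SET_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security address-book book1 address local-net 192.168.178.0/24
set security address-book book1 attach zone trust
set security address-book book2 address corp-net 10.10.10.0/24
set security address-book book2 address sunnyvale-net 192.168.168.0/24
set security address-book book2 attach zone vpn
set security ike gateway gw-corporate external-interface ge-0/0/0.0
set security ike gateway gw-corporate ike-policy ike-phase1-policy
set security ike gateway gw-corporate address 1.1.1.2
set security ipsec vpn vpn-corporate ike gateway gw-corporate
set security ipsec vpn vpn-corporate ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn vpn-corporate bind-interface st0.0
set security policies from-zone trust to-zone vpn policy to-corp match source-address local-net
set security policies from-zone trust to-zone vpn policy to-corp match destination-address corp-net
set security policies from-zone trust to-zone vpn policy to-corp match destination-address sunnyvale-net
set security policies from-zone trust to-zone vpn policy to-corp match application any
set security policies from-zone trust to-zone vpn policy to-corp then permit
set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address corp-net
set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address sunnyvale-net
set security policies from-zone vpn to-zone trust policy spokes-to-local match destination-address local-net
set security policies from-zone vpn to-zone trust policy spokes-to-local match application any
set security policies from-zone vpn to-zone trust policy spokes-to-local then permit
"""


def parse_set_config(text):
    """Build a small model of just the statements the checks below need."""
    model = {
        "zone_of_ifc": {},               # interface unit -> zone name
        "ike_allowed": set(),            # zones whose host-inbound services include ike (or all)
        "book_zone": {},                 # address-book -> zone it is attached to
        "book_addrs": defaultdict(set),  # address-book -> address names it defines
        "gw_ifc": {},                    # IKE gateway -> external interface
        "vpn_bind": {},                  # IPsec VPN -> bind-interface
        "policy_addrs": [],              # (from-zone, to-zone, policy, role, address name)
    }
    patterns = [
        (r"security zones security-zone (\S+) interfaces (\S+)$",
         lambda m: model["zone_of_ifc"].__setitem__(m[2], m[1])),
        (r"security zones security-zone (\S+) host-inbound-traffic system-services (ike|all)$",
         lambda m: model["ike_allowed"].add(m[1])),
        (r"security address-book (\S+) address (\S+) \S+$",
         lambda m: model["book_addrs"][m[1]].add(m[2])),
        (r"security address-book (\S+) attach zone (\S+)$",
         lambda m: model["book_zone"].__setitem__(m[1], m[2])),
        (r"security ike gateway (\S+) external-interface (\S+)$",
         lambda m: model["gw_ifc"].__setitem__(m[1], m[2])),
        (r"security ipsec vpn (\S+) bind-interface (\S+)$",
         lambda m: model["vpn_bind"].__setitem__(m[1], m[2])),
        (r"security policies from-zone (\S+) to-zone (\S+) policy (\S+) match (source|destination)-address (\S+)$",
         lambda m: model["policy_addrs"].append((m[1], m[2], m[3], m[4], m[5]))),
    ]
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] != "set":
            continue
        key = " ".join(words[1:])
        for pattern, record in patterns:
            m = re.match(pattern, key)
            if m:
                record(m)
                break
    return model


def check_spoke_config(text):
    """Return a list of findings; an empty list means all checks passed."""
    model = parse_set_config(text)
    findings = []
    # 1. IKE must be able to reach the daemon: the gateway's external interface
    #    has to be in a zone that allows host-inbound ike (or all).
    for gw, ifc in model["gw_ifc"].items():
        zone = model["zone_of_ifc"].get(ifc)
        if zone is None:
            findings.append(f"gateway {gw}: external interface {ifc} is in no zone")
        elif zone not in model["ike_allowed"]:
            findings.append(f"gateway {gw}: zone {zone} does not allow host-inbound ike")
    # 2. A bound st0 unit outside any zone cannot take part in policy lookup.
    for vpn, ifc in model["vpn_bind"].items():
        if ifc not in model["zone_of_ifc"]:
            findings.append(f"vpn {vpn}: bind-interface {ifc} is not in any security zone")
    # 3. Policy addresses resolve against the book attached to the matching zone
    #    (source addresses from the from-zone, destinations from the to-zone).
    zone_addrs = defaultdict(set)
    for book, zone in model["book_zone"].items():
        zone_addrs[zone] |= model["book_addrs"][book]
    for frm, to, pol, role, name in model["policy_addrs"]:
        zone = frm if role == "source" else to
        if name != "any" and name not in zone_addrs[zone]:
            findings.append(f"policy {pol}: {role}-address {name} not defined for zone {zone}")
    return findings


if __name__ == "__main__":
    print(check_spoke_config(WESTFORD_SET_CONFIG) or "no findings")
```

    Run it against the pasted quick-configuration text before committing; the two most common causes of a spoke that never negotiates (IKE blocked at the zone, or an st0 unit left out of a zone) show up as findings rather than as a silent Phase 1 failure later.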

    Configuring TCP-MSS for the Westford Spoke

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the command into the CLI at the [edit] hierarchy level.

    set security flow tcp-mss ipsec-vpn mss 1350

    Step-by-Step Procedure

    To configure TCP-MSS for the Westford spoke:

    1. Configure TCP-MSS information.
      [edit]
      user@spoke# set security flow tcp-mss ipsec-vpn mss 1350

    Results

    From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@spoke# show security flow
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
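    The 1350-byte clamp exists because ESP tunnel mode adds an outer IP header, an ESP header, a CBC IV, padding and an ICV to every packet, so a full 1460-byte segment no longer fits a 1500-byte path. The following is an added example (not from this page or from Juniper) that derives the largest MSS that avoids fragmentation for the algorithms this example negotiates, AES-128-CBC with HMAC-SHA1-96, and for two variants; it assumes an IPv4 outer header and inner IPv4/TCP headers without options, which are this example's assumptions.

```python
def max_tcp_mss(path_mtu=1500, nat_traversal=False, block_size=16, iv_len=16,
                icv_len=12, inner_ip_len=20, inner_tcp_len=20):
    """Largest TCP payload (MSS) whose ESP tunnel-mode packet still fits path_mtu.

    Defaults model this example's IPsec proposal: AES-128-CBC (16-byte block and
    IV) with HMAC-SHA1-96 (12-byte ICV), IPv4 outer header, no NAT-T.
    """
    outer_ip = 20
    udp_encap = 8 if nat_traversal else 0   # UDP 4500 header added by NAT-T
    esp_header = 8                          # SPI (4) + sequence number (4)
    fixed = outer_ip + udp_encap + esp_header + iv_len + icv_len
    encrypted_room = path_mtu - fixed
    # CBC ciphertext is a whole number of cipher blocks; the remainder is lost to padding.
    encrypted_room -= encrypted_room % block_size
    esp_trailer = 2                         # pad length + next header, inside the ciphertext
    return encrypted_room - inner_ip_len - inner_tcp_len - esp_trailer


def mss_headroom(configured_mss, **kwargs):
    """Bytes a configured clamp sits below the ceiling; negative means it is too large."""
    return max_tcp_mss(**kwargs) - configured_mss


if __name__ == "__main__":
    cases = [("AES-128-CBC/SHA1", {}),
             ("AES-128-CBC/SHA1 + NAT-T", {"nat_traversal": True}),
             ("3DES-CBC/SHA1", {"block_size": 8, "iv_len": 8})]
    for label, kw in cases:
        print(f"{label:26s} ceiling={max_tcp_mss(**kw)} headroom for 1350={mss_headroom(1350, **kw)}")
```

    With these parameters the ceiling is 1398 bytes without NAT-T and 1382 with it, so the 1350 used in this example leaves margin for either; a clamp above the ceiling is the usual reason large transfers stall while pings succeed.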

    Configuring the Sunnyvale Spoke

    CLI Quick Configuration

    This example uses an SSG Series device for the Sunnyvale spoke. For reference, the configuration for the SSG Series device is provided. For information about configuring SSG Series devices, see the Concepts and Examples ScreenOS Reference Guide, which is located at https://www.juniper.net/techpubs.

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI.

    set zone name "VPN"
    set interface ethernet0/6 zone "Trust"
    set interface "tunnel.1" zone "VPN"
    set interface ethernet0/6 ip 192.168.168.1/24
    set interface ethernet0/6 route
    set interface ethernet0/0 ip 2.2.2.2/30
    set interface ethernet0/0 route
    set interface tunnel.1 ip 10.11.11.11/24
    set flow tcp-mss 1350
    set address "Trust" "sunnyvale-net" 192.168.168.0 255.255.255.0
    set address "VPN" "corp-net" 10.10.10.0 255.255.255.0
    set address "VPN" "westford-net" 192.168.178.0 255.255.255.0
    set ike gateway "corp-ike" address 1.1.1.2 Main outgoing-interface ethernet0/0 preshare "395psksecr3t" sec-level standard
    set vpn corp-vpn monitor optimized rekey
    set vpn "corp-vpn" bind interface tunnel.1
    set vpn "corp-vpn" gateway "corp-ike" replay tunnel idletime 0 sec-level standard
    set policy id 1 from "Trust" to "Untrust" "ANY" "ANY" "ANY" nat src permit
    set policy id 2 from "Trust" to "VPN" "sunnyvale-net" "corp-net" "ANY" permit
    set policy id 2
    set dst-address "westford-net"
    exit
    set policy id 3 from "VPN" to "Trust" "corp-net" "sunnyvale-net" "ANY" permit
    set policy id 3
    set src-address "westford-net"
    exit
    set route 10.10.10.0/24 interface tunnel.1
    set route 192.168.178.0/24 interface tunnel.1
    set route 0.0.0.0/0 interface ethernet0/0 gateway 2.2.2.1

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying the IKE Phase 1 Status

    Purpose

    Verify the IKE Phase 1 status.

    Action

    Note: Before starting the verification process, you need to send traffic from a host in the 10.10.10/24 network to a host in the 192.168.168/24 and 192.168.178/24 networks to bring the tunnels up. For route-based VPNs, you can send traffic initiated from the SRX Series device through the tunnel. We recommend that when testing IPsec tunnels, you send test traffic from a separate device on one side of the VPN to a second device on the other side of the VPN. For example, initiate a ping from 10.10.10.10 to 192.168.168.10.

    From operational mode, enter the show security ike security-associations command. After obtaining an index number from the command, use the show security ike security-associations index index_number detail command.

    user@hub> show security ike security-associations
    Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
    6       3.3.3.2         UP     94906ae2263bbd8e  1c35e4c3fc54d6d3  Main
    7       2.2.2.2         UP     7e7a1c0367dfe73c  f284221c656a5fbc  Main
    user@hub> show security ike security-associations index 6 detail
    IKE peer 3.3.3.2, Index 6,
      Role: Responder, State: UP
      Initiator cookie: 94906ae2263bbd8e, Responder cookie: 1c35e4c3fc54d6d3
      Exchange type: Main, Authentication method: Pre-shared-keys
      Local: 1.1.1.2:500, Remote: 3.3.3.2:500
      Lifetime: Expires in 3571 seconds
      Algorithms:
       Authentication        : sha1
       Encryption            : aes-cbc (128 bits)
       Pseudo random function: hmac-sha1
      Traffic statistics:
       Input bytes    :                1128
       Output bytes   :                 988
       Input packets  :                   6
       Output packets :                   5
      Flags: Caller notification sent
      IPSec security associations: 1 created, 0 deleted
      Phase 2 negotiations in progress: 1
        Negotiation type: Quick mode, Role: Responder, Message ID: 1350777248
        Local: 1.1.1.2:500, Remote: 3.3.3.2:500
        Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        Flags: Caller notification sent, Waiting for done

    Meaning

    The show security ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration.

    If SAs are listed, review the following information:

    • Index—This value is unique for each IKE SA, which you can use in the show security ike security-associations index detail command to get more information about the SA.
    • Remote Address—Verify that the remote IP address is correct.
    • State
      • UP—The Phase 1 SA has been established.
      • DOWN—There was a problem establishing the Phase 1 SA.
    • Mode—Verify that the correct mode is being used.

    Verify that the following information is correct in your configuration:

    • External interfaces (the interface must be the one that receives IKE packets)
    • IKE policy parameters
    • Preshared key information
    • Phase 1 proposal parameters (must match on both peers)

    The show security ike security-associations index 1 detail command lists additional information about the security association with an index number of 1:

    • Authentication and encryption algorithms used
    • Phase 1 lifetime
    • Traffic statistics (can be used to verify that traffic is flowing properly in both directions)
    • Initiator and responder role information

      Note: Troubleshooting is best performed on the peer using the responder role.

    • Number of IPsec SAs created
    • Number of Phase 2 negotiations in progress

    Verifying the IPsec Phase 2 Status

    Purpose

    Verify the IPsec Phase 2 status.

    Action

    From operational mode, enter the show security ipsec security-associations command. After obtaining an index number from the command, use the show security ipsec security-associations index index_number detail command.

    user@hub> show security ipsec security-associations
      total configured sa: 4
      ID    Gateway          Port  Algorithm          SPI      Life:sec/kb  Mon vsys
      <16384 2.2.2.2         500   ESP:aes-128/sha1   b2fc36f8 3364/ unlim   -   0
      >16384 2.2.2.2         500   ESP:aes-128/sha1   5d73929e 3364/ unlim   -   0
      ID    Gateway          Port  Algorithm          SPI      Life:sec/kb  Mon vsys
      <16385 3.3.3.2         500   ESP:3des/sha1      70f789c6 28756/unlim   -   0
      >16385 3.3.3.2         500   ESP:3des/sha1      80f4126d 28756/unlim   -   0
    user@hub> show security ipsec security-associations index 16385 detail
      Virtual-system: Root
      Local Gateway: 1.1.1.2, Remote Gateway: 3.3.3.2
      Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/24)
      Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        DF-bit: clear
        Direction: inbound, SPI: 1895270854, AUX-SPI: 0
        Hard lifetime: Expires in 28729 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 28136 seconds
        Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: -
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)    
        Anti-replay service: enabled, Replay window size: 32
    
        Direction: outbound, SPI: 2163479149, AUX-SPI: 0
        Hard lifetime: Expires in 28729 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 28136 seconds
        Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: -
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)    
        Anti-replay service: enabled, Replay window size: 32
    

    Meaning

    The output from the show security ipsec security-associations command lists the following information:

    • The ID number is 16385. Use this value with the show security ipsec security-associations index command to get more information about this particular SA.
    • There is one IPsec SA pair using port 500, which indicates that no NAT-traversal is implemented. (NAT-traversal uses port 4500 or another random high-number port.)
    • The SPIs, lifetime (in seconds), and usage limits (or lifesize in KB) are shown for both directions. The 28756/ unlim value indicates that the Phase 2 lifetime expires in 28756 seconds, and that no lifesize has been specified, which indicates that it is unlimited. Phase 2 lifetime can differ from Phase 1 lifetime, as Phase 2 is not dependent on Phase 1 after the VPN is up.
    • VPN monitoring is not enabled for this SA, as indicated by a hyphen in the Mon column. If VPN monitoring is enabled, U indicates that monitoring is up, and D indicates that monitoring is down.
    • The virtual system (vsys) is the root system, and it always lists 0.

    The output from the show security ipsec security-associations index 16385 detail command lists the following information:

    • The local identity and remote identity make up the proxy ID for the SA.

      A proxy ID mismatch is one of the most common causes for a Phase 2 failure. If no IPsec SA is listed, confirm that Phase 2 proposals, including the proxy ID settings, are correct for both peers. For route-based VPNs, the default proxy ID is local=0.0.0.0/0, remote=0.0.0.0/0, and service=any. Issues can occur with multiple route-based VPNs from the same peer IP. In this case, a unique proxy ID for each IPsec SA must be specified. For some third-party vendors, the proxy ID must be manually entered to match.

    • Another common reason for Phase 2 failure is not specifying the ST interface binding. If IPsec cannot complete, check the kmd log or set traceoptions.
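    The two verification steps above (Phase 1 SA state per peer, then a Phase 2 SA pair per peer on the expected port) are easy to script for a hub with many spokes. The following is an added example, not Juniper's code or part of this page: it parses constructed copies of the hub's two summary outputs shown above and reports, for each expected spoke address, a missing or DOWN Phase 1 SA, a missing Phase 2 SA, a one-directional SA, a non-500 port (NAT-traversal), a down VPN-monitor flag, or a weak cipher. The weak-cipher list and the choice of what counts as a finding are this example's own, not Junos settings.

```python
import re

# Constructed samples: copies of the hub's summary output shown above.
IKE_SA_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
6       3.3.3.2         UP     94906ae2263bbd8e  1c35e4c3fc54d6d3  Main
7       2.2.2.2         UP     7e7a1c0367dfe73c  f284221c656a5fbc  Main
"""

IPSEC_SA_OUTPUT = """\
  total configured sa: 4
  ID    Gateway          Port  Algorithm          SPI      Life:sec/kb  Mon vsys
  <16384 2.2.2.2         500   ESP:aes-128/sha1   b2fc36f8 3364/ unlim   -   0
  >16384 2.2.2.2         500   ESP:aes-128/sha1   5d73929e 3364/ unlim   -   0
  ID    Gateway          Port  Algorithm          SPI      Life:sec/kb  Mon vsys
  <16385 3.3.3.2         500   ESP:3des/sha1      70f789c6 28756/unlim   -   0
  >16385 3.3.3.2         500   ESP:3des/sha1      80f4126d 28756/unlim   -   0
"""

IKE_ROW = re.compile(r"\s*(\d+)\s+(\S+)\s+(UP|DOWN)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)")
# "<" rows are inbound, ">" rows are outbound; "3364/ unlim" and "28756/unlim" both occur.
IPSEC_ROW = re.compile(r"\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+ESP:(\S+)/(\S+)\s+([0-9a-f]+)"
                       r"\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\d+)")

WEAK_CIPHERS = {"des", "3des"}   # this example's own policy, not a Junos setting


def parse_ike_sas(text):
    """Map remote peer address -> Phase 1 SA fields from the summary table."""
    sas = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            sas[m[2]] = {"index": int(m[1]), "state": m[3], "mode": m[6]}
    return sas


def parse_ipsec_sas(text):
    """Map SA ID -> Phase 2 fields, collecting the inbound and outbound halves."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if not m:
            continue
        sa = sas.setdefault(int(m[2]), {"gateway": m[3], "port": int(m[4]), "enc": m[5],
                                        "auth": m[6], "mon": m[10], "dirs": {}})
        sa["dirs"]["inbound" if m[1] == "<" else "outbound"] = {"spi": m[7], "life_sec": int(m[8])}
    return sas


def assess_tunnels(ike_text, ipsec_text, expected_peers):
    """Findings per expected spoke; an empty list means every tunnel looks healthy."""
    ike = parse_ike_sas(ike_text)
    by_gateway = {}
    for sa in parse_ipsec_sas(ipsec_text).values():
        by_gateway.setdefault(sa["gateway"], []).append(sa)
    findings = []
    for peer in expected_peers:
        p1 = ike.get(peer)
        if p1 is None or p1["state"] != "UP":
            findings.append(f"{peer}: no Phase 1 SA in state UP (check IKE policy, PSK, external interface)")
        phase2 = by_gateway.get(peer, [])
        if not phase2:
            findings.append(f"{peer}: no Phase 2 SA (check proxy IDs and st0 binding)")
        for sa in phase2:
            if set(sa["dirs"]) != {"inbound", "outbound"}:
                findings.append(f"{peer}: Phase 2 SA has only the {', '.join(sa['dirs'])} direction")
            if sa["enc"] in WEAK_CIPHERS:
                findings.append(f"{peer}: weak cipher {sa['enc']} negotiated")
            if sa["port"] != 500:
                findings.append(f"{peer}: NAT-traversal in use on UDP port {sa['port']}")
            if sa["mon"] == "D":
                findings.append(f"{peer}: VPN monitoring reports the tunnel down")
    return findings


if __name__ == "__main__":
    for finding in assess_tunnels(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, ["2.2.2.2", "3.3.3.2"]):
        print(finding)
```

    On the sample output above the only finding is the 3des reported for SA 16385 in the summary table, which is worth noticing because the configured proposal is aes-128-cbc and the detail output for the same index reports aes-cbc; a summary-versus-detail disagreement like that is exactly what a scripted check surfaces and a quick read of the table does not.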

    Verifying Next-Hop Tunnel Bindings

    Purpose

    After Phase 2 is complete for all peers, verify the next-hop tunnel bindings.

    Action

    From operational mode, enter the show security ipsec next-hop-tunnels command.

    user@hub> show security ipsec next-hop-tunnels
    Next-hop gateway  interface    IPSec VPN name                Flag
    10.11.11.11       st0.0        sunnyvale-vpn                 Static
    10.11.11.12       st0.0        westford-vpn                  Auto

    Meaning

    The next-hop gateways are the IP addresses for the st0 interfaces of all remote spoke peers. The next hop should be associated with the correct IPsec VPN name. If no NHTB entry exists, there is no way for the hub device to differentiate which IPsec VPN is associated with which next hop.

    The Flag field has one of the following values:

    • Static—NHTB was manually configured in the st0.0 interface configurations, which is required if the peer is not an SRX Series device.
    • Auto—NHTB was not configured, but the entry was automatically populated into the NHTB table during Phase 2 negotiations between two SRX Series devices.

    There is no NHTB table for any of the spoke sites in this example. From the spoke perspective, the st0 interface is still a point-to-point link with only one IPsec VPN binding.

    Verifying Static Routes for Remote Peer Local LANs

    Purpose

    Verify that the static route references the spoke peer’s st0 IP address.

    Action

    From operational mode, enter the show route command.

    user@hub> show route 192.168.168.10
    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.168.0/24   *[Static/5] 00:08:33
                        > to 10.11.11.11 via st0.0
    user@hub> show route 192.168.178.10
    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.178.0/24   *[Static/5] 00:04:04
                        > to 10.11.11.12 via st0.0

    The next hop is the remote peer’s st0 IP address, and both routes point to st0.0 as the outgoing interface.

    Reviewing Statistics and Errors for an IPsec Security Association

    Purpose

    Review ESP and authentication header counters and errors for an IPsec security association.

    Action

    From operational mode, enter the show security ipsec statistics index command.

    user@hub> show security ipsec statistics index 16385
    ESP Statistics:
      Encrypted bytes:              920
      Decrypted bytes:             6208
      Encrypted packets:              5
      Decrypted packets:             87
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

    You can also use the show security ipsec statistics command to review statistics and errors for all SAs.

    To clear all IPsec statistics, use the clear security ipsec statistics command.

    Meaning

    If you see packet loss issues across a VPN, you can run the show security ipsec statistics or show security ipsec statistics detail command several times to confirm that the encrypted and decrypted packet counters are incrementing. You should also check whether the other error counters are incrementing.
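    The advice above is to sample the statistics several times and watch whether the encrypted and decrypted packet counters, and the error counters, move. The following is an added example (not from this page or from Juniper) that parses two constructed captures of the show security ipsec statistics index output shown above, the second with counters advanced by hand, and reports the per-counter deltas, whether traffic moved in both directions, and which error counters grew between the samples.

```python
import re

# Constructed samples: the page's statistics output for index 16385, and a second
# capture with the counters advanced by hand (including a few replay errors).
SAMPLE_T0 = """\
ESP Statistics:
  Encrypted bytes:              920
  Decrypted bytes:             6208
  Encrypted packets:              5
  Decrypted packets:             87
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

SAMPLE_T1 = """\
ESP Statistics:
  Encrypted bytes:             2204
  Decrypted bytes:             7012
  Encrypted packets:             12
  Decrypted packets:             95
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 3
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

ERROR_COUNTERS = ("AH authentication failures", "Replay errors",
                  "ESP authentication failures", "ESP decryption failures",
                  "Bad headers", "Bad trailers")

# "Name: <number>" pairs; the Errors section packs two per line, so use findall.
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]+?):\s+(\d+)")


def parse_ipsec_statistics(text):
    """Return {counter name: value} for one capture of the statistics output."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER.findall(line):
            counters[name.strip()] = int(value)
    return counters


def compare_ipsec_statistics(before_text, after_text):
    """Deltas between two captures plus the two questions the Meaning section asks."""
    before = parse_ipsec_statistics(before_text)
    after = parse_ipsec_statistics(after_text)
    delta = {name: after[name] - before.get(name, 0) for name in after}
    return {
        "delta": delta,
        # Both directions must move for the tunnel to be carrying a conversation.
        "traffic_flowing_both_ways": delta["Encrypted packets"] > 0 and delta["Decrypted packets"] > 0,
        # Any error counter that grew between samples is worth investigating.
        "errors_incrementing": {name: delta[name] for name in ERROR_COUNTERS if delta.get(name, 0) > 0},
    }


if __name__ == "__main__":
    report = compare_ipsec_statistics(SAMPLE_T0, SAMPLE_T1)
    print("traffic both ways:", report["traffic_flowing_both_ways"])
    print("errors growing:", report["errors_incrementing"] or "none")
```

    Growing replay errors with healthy packet counters usually point at reordering or duplicate delivery on the path rather than at the peer; growing ESP authentication or decryption failures with a flat decrypted-packet counter point at a key or algorithm mismatch on the receiving side.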

    Testing Traffic Flow Across the VPN

    Purpose

    Verify the traffic flow across the VPN.

    Action

    You can use the ping command from the SRX Series device to test traffic flow to a remote host PC. Make sure that you specify the source interface so that the route lookup is correct and the appropriate security zones are referenced during policy lookup.

    From operational mode, enter the ping command.

    user@hub> ping 192.168.168.10 interface ge-0/0/0 count 5
    PING 192.168.168.10 (192.168.168.10): 56 data bytes
    64 bytes from 192.168.168.10: icmp_seq=0 ttl=127 time=8.287 ms
    64 bytes from 192.168.168.10: icmp_seq=1 ttl=127 time=4.119 ms
    64 bytes from 192.168.168.10: icmp_seq=2 ttl=127 time=5.399 ms
    64 bytes from 192.168.168.10: icmp_seq=3 ttl=127 time=4.361 ms
    64 bytes from 192.168.168.10: icmp_seq=4 ttl=127 time=5.137 ms
    
    --- 192.168.168.10 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 4.119/5.461/8.287/1.490 ms

    You can also use the ping command from the SSG Series device.

    ssg-> ping 10.10.10.10 from ethernet0/6
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 1 seconds from ethernet0/6
    !!!!!
    Success Rate is 100 percent (5/5), round-trip time min/avg/max=4/4/5 ms
    ssg-> ping 192.168.178.10 from ethernet0/6
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 192.168.178.10, timeout is 1 seconds from ethernet0/6
    !!!!!
    Success Rate is 100 percent (5/5), round-trip time min/avg/max=8/8/10 ms

    Meaning

    If the ping command fails from the SRX Series or SSG Series device, there might be a problem with the routing, security policies, end host, or encryption and decryption of ESP packets.

    Published: 2012-06-29