
    Example: Configuring a Route-Based VPN Tunnel in a User Logical System

    This example shows how to configure a route-based VPN tunnel in a user logical system.

    Requirements

    Before you begin:

    Overview

    In this example, you configure the ls-product-design user logical system as shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

    You configure the route-based VPN parameters described in Table 1.

    Table 1: User Logical System Route-Based VPN Configuration

    Feature: Tunnel interface
    Name: st0 unit 1
    Configuration parameters:
    • IPv4 protocol family (inet)
    • IP address 10.11.11.150/24

    Feature: Static route
    Configuration parameters:
    • Destination 192.168.168.0/24
    • Next hop st0.1

    Feature: Security policy
    Name: through-vpn
    Configuration parameters: permit the following traffic:
    • From zone: ls-product-design-trust
    • To zone: ls-product-design-untrust
    • Source address: any
    • Destination address: 192.168.168.0/24
    • Application: any

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces st0 unit 1 family inet address 10.11.11.150/24
    set routing-options static route 192.168.168.0/24 next-hop st0.1
    set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match source-address any
    set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match destination-address 192.168.168.0/24
    set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn match application any
    set security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust policy through-vpn then permit

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure a route-based VPN tunnel in a user logical system:

    1. Log in to the user logical system as the logical system administrator and enter configuration mode.
      lsdesignadmin1@host:ls-product-design> configure
      [edit]
      lsdesignadmin1@host:ls-product-design#
    2. Configure the VPN tunnel interface.
      [edit interfaces]
      lsdesignadmin1@host:ls-product-design# set st0 unit 1 family inet address 10.11.11.150/24
    3. Create a static route to the remote destination.
      [edit routing-options]
      lsdesignadmin1@host:ls-product-design# set static route 192.168.168.0/24 next-hop st0.1
    4. Configure a security policy to permit traffic to the remote destination.
      [edit security policies from-zone ls-product-design-trust to-zone ls-product-design-untrust]
      lsdesignadmin1@host:ls-product-design# set policy through-vpn match source-address any
      lsdesignadmin1@host:ls-product-design# set policy through-vpn match destination-address 192.168.168.0/24
      lsdesignadmin1@host:ls-product-design# set policy through-vpn match application any
      lsdesignadmin1@host:ls-product-design# set policy through-vpn then permit
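    The three pieces configured above only work together if they agree: the static route must point at the st0 unit that was actually configured, and the policy's destination must be covered by a route into the tunnel, otherwise traffic is either never steered into the tunnel or is permitted by the policy but routed elsewhere. Junos does not enforce those ties at commit time. The following is an added example, not part of the Juniper page and not Juniper code: it generates the six set commands from the Table 1 values and cross-checks a command list for exactly those mismatches before commit. The dataclass field names, the check_consistency function and its messages are this example's own. It keeps the page's source-address any and application any as defaults; those are the two fields a production deployment would normally narrow to the local subnet and the required applications.

```python
"""Generate and cross-check Junos 'set' commands for a route-based VPN in a
user logical system. Added example; not taken from the Juniper page."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class RouteBasedVpn:
    """Defaults are the values from Table 1 of the page."""
    st0_unit: int = 1
    tunnel_addr: str = "10.11.11.150/24"
    remote_prefix: str = "192.168.168.0/24"
    from_zone: str = "ls-product-design-trust"
    to_zone: str = "ls-product-design-untrust"
    policy: str = "through-vpn"
    source_address: str = "any"   # page uses any; narrow to the trust subnet in production
    application: str = "any"      # page uses any; narrow to required applications in production

    def next_hop(self) -> str:
        return f"st0.{self.st0_unit}"

    def set_commands(self) -> list[str]:
        """The six 'set' lines of the page's CLI Quick Configuration."""
        pol = (f"set security policies from-zone {self.from_zone} "
               f"to-zone {self.to_zone} policy {self.policy}")
        return [
            f"set interfaces st0 unit {self.st0_unit} family inet address {self.tunnel_addr}",
            f"set routing-options static route {self.remote_prefix} next-hop {self.next_hop()}",
            f"{pol} match source-address {self.source_address}",
            f"{pol} match destination-address {self.remote_prefix}",
            f"{pol} match application {self.application}",
            f"{pol} then permit",
        ]


# Patterns for the three statement types this check cares about (hypothetical
# helper regexes written for this example).
_IFACE = re.compile(r"^set interfaces st0 unit (\d+) family inet address (\S+)$")
_ROUTE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")
_DEST = re.compile(r"^set security policies .* policy \S+ match destination-address (\S+)$")
_ST_HOP = re.compile(r"^st0\.(\d+)$")


def check_consistency(commands: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the pieces agree."""
    units: dict[int, str] = {}
    routes: dict[str, str] = {}
    dests: list[str] = []
    problems: list[str] = []

    for cmd in commands:
        if m := _IFACE.match(cmd):
            units[int(m.group(1))] = m.group(2)
        elif m := _ROUTE.match(cmd):
            routes[m.group(1)] = m.group(2)
        elif m := _DEST.match(cmd):
            dests.append(m.group(1))

    # 1. The tunnel interface address must be a valid host/prefix-length pair.
    for unit, addr in units.items():
        try:
            ipaddress.ip_interface(addr)
        except ValueError:
            problems.append(f"st0.{unit}: invalid address {addr!r}")

    # 2. A route via st0.N requires st0 unit N to exist; otherwise the route
    #    never becomes active and traffic is not steered into the tunnel.
    tunnel_routes = []
    for prefix, hop in routes.items():
        if hm := _ST_HOP.match(hop):
            if int(hm.group(1)) not in units:
                problems.append(f"route {prefix}: next-hop {hop} has no configured st0 unit {hm.group(1)}")
            tunnel_routes.append(ipaddress.ip_network(prefix, strict=False))

    # 3. Every literal prefix the policy permits must be covered by a route that
    #    points at a tunnel interface. 'any' and address-book names are skipped,
    #    since they cannot be compared against a prefix here.
    for dest in dests:
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        if not any(net.subnet_of(r) for r in tunnel_routes):
            problems.append(f"policy destination {dest}: no static route to a tunnel interface covers it")
    return problems


if __name__ == "__main__":
    cmds = RouteBasedVpn().set_commands()
    print("\n".join(cmds))
    print("problems:", check_consistency(cmds) or "none")
```

    Run check_consistency over the command list you intend to paste at the [edit] hierarchy level; a non-empty result means the tunnel interface, static route and policy do not describe the same path and the commit should wait.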

    Results

    From configuration mode, confirm your configuration by entering the show interfaces st0, show routing-options, and show security policies commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

    [edit]
    lsdesignadmin1@host:ls-product-design# show interfaces st0
    unit 1 {
        family inet {
            address 10.11.11.150/24;
        }
    }
    lsdesignadmin1@host:ls-product-design# show routing-options
    static {
        route 192.168.168.0/24 next-hop st0.1;
    }
    [edit]
    lsdesignadmin1@host:ls-product-design# show security policies
    from-zone ls-product-design-trust to-zone ls-product-design-untrust {
        policy through-vpn {
            match {
                source-address any;
                destination-address 192.168.168.0/24;
                application any;
            }
            then {
                permit;
            }
        }
        ...
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    Confirm that the configuration is working properly.

    Note: Before starting the verification process, you need to send traffic from a host in the user logical system to a host in the 192.168.168.0/24 network so that the IKE and IPsec security associations are negotiated. For example, initiate a ping from a host in the 12.1.1.1/24 subnet in the ls-product-design user logical system to the host 192.168.168.10.

    Verifying the IKE Phase 1 Status

    Purpose

    Verify the IKE Phase 1 status.

    Action

    From operational mode, enter the show security ike security-associations command. After obtaining an index number from the command, use the show security ike security-associations index index_number detail command.

    For sample outputs and meanings, see the “Verification” section of Example: Configuring a Route-Based VPN in the Junos OS Security Configuration Guide PDF Document.

    Verifying the IPsec Phase 2 Status

    Purpose

    Verify the IPsec Phase 2 status.

    Action

    From operational mode, enter the show security ipsec security-associations command. After obtaining an index number from the command, use the show security ipsec security-associations index index_number detail command.

    For sample outputs and meanings, see the “Verification” section of Example: Configuring a Route-Based VPN in the Junos OS Security Configuration Guide PDF Document.

    Published: 2012-06-29