Example: Configuring the Hub in a Hub-and-Spoke VPN (CLI)

The following example describes how to configure a hub in a hub-and-spoke VPN. The hub has two spokes (First and Third) and the configuration is for route-based VPNs.

In this example, you configure a Phase 1 tunnel on the hub using the following settings:

Then, you configure a Phase 2 tunnel on the hub using the following settings:

Finally, you configure a security policy and routing options and enable Next Hop Tunnel Binding (nhtb).

To configure the hub in a hub-and-spoke VPN:

  1. Configure Phase 1 of the IPsec tunnel:

    1. Configure IKE Phase 1 proposals:
      user@host# set security ike proposal first_ikeprop authentication-method pre-shared-keys
      user@host# set security ike proposal first_ikeprop dh-group group2
      user@host# set security ike proposal first_ikeprop authentication-algorithm md5
      user@host# set security ike proposal first_ikeprop encryption-algorithm 3des-cbc
      user@host# set security ike proposal third_ikeprop authentication-method pre-shared-keys
      user@host# set security ike proposal third_ikeprop dh-group group2
      user@host# set security ike proposal third_ikeprop authentication-algorithm md5
      user@host# set security ike proposal third_ikeprop encryption-algorithm 3des-cbc
    2. Configure IKE policies (and reference the proposals):
      user@host# set security ike policy first_ikepol mode main
      user@host# set security ike policy first_ikepol proposals first_ikeprop
      user@host# set security ike policy first_ikepol pre-shared-key ascii-text "$9$xFU-b2ZUH5Qn4aQn/CB17-V"
      user@host# set security ike policy third_ikepol mode main
      user@host# set security ike policy third_ikepol proposals third_ikeprop
      user@host# set security ike policy third_ikepol pre-shared-key ascii-text "$9$GvjkPFnCBIc5QIcylLXUjH"
    3. Configure the IKE gateway (and reference the policy):
      user@host# set security ike gateway first ike-policy first_ikepol
      user@host# set security ike gateway first address 4.4.4.2
      user@host# set security ike gateway first external-interface ge-0/0/0.0
      user@host# set security ike gateway third ike-policy third_ikepol
      user@host# set security ike gateway third address 2.2.2.1
      user@host# set security ike gateway third external-interface ge-0/0/3.0
  2. Configure Phase 2 of the IPsec tunnel:

    1. Configure Phase 2 proposals:
      user@host# set security ipsec proposal first_ipsecprop protocol esp
      user@host# set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
      user@host# set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
      user@host# set security ipsec proposal third_ipsecprop protocol esp
      user@host# set security ipsec proposal third_ipsecprop authentication-algorithm hmac-md5-96
      user@host# set security ipsec proposal third_ipsecprop encryption-algorithm 3des-cbc
    2. Configure policies (and reference proposals):
      user@host# set security ipsec policy first_ipsecpol perfect-forward-secrecy keys group1
      user@host# set security ipsec policy first_ipsecpol proposals first_ipsecprop
      user@host# set security ipsec policy third_ipsecpol perfect-forward-secrecy keys group1
      user@host# set security ipsec policy third_ipsecpol proposals third_ipsecprop
    3. Configure AutoKey IKE (and reference the policy and gateway):
      user@host# set security ipsec vpn first_vpn bind-interface st0.0
      user@host# set security ipsec vpn first_vpn ike gateway first
      user@host# set security ipsec vpn first_vpn ike ipsec-policy first_ipsecpol
      user@host# set security ipsec vpn first_vpn establish-tunnels immediately
      user@host# set security ipsec vpn third_vpn bind-interface st0.0
      user@host# set security ipsec vpn third_vpn ike gateway third
      user@host# set security ipsec vpn third_vpn ike ipsec-policy third_ipsecpol
      user@host# set security ipsec vpn third_vpn establish-tunnels immediately
  3. Configure the security policy:
    user@host# set security policies default-policy permit-all
  4. Configure routing options:
    user@host# set routing-options static route 1.1.1.0/24 next-hop st0.0
    user@host# set routing-options static route 3.1.1.0/24 next-hop st0.0
  5. Enable Next Hop Tunnel Binding (nhtb):
    user@host# set interfaces st0 unit 0 multipoint
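Before committing a hub configuration like the one above, it is worth checking it offline for the three things that most often go wrong: legacy algorithm choices in the IKE/IPsec proposals, a VPN or gateway that references a policy or gateway name that was never defined, and several tunnels bound to one st0 unit without `multipoint` (the NHTB requirement from step 5). The following script is an added example, not Juniper code; it parses only the flat `set security ...` syntax shown on this page, and the sample it audits is a constructed variant of the hub configuration with the pre-shared keys omitted and one deliberately dangling gateway reference.

```python
import re
from collections import defaultdict

# Legacy algorithm and DH group names that a review should flag.
WEAK = {"md5", "hmac-md5-96", "3des-cbc", "group1", "group2"}

# Constructed sample modelled on the hub configuration above (keys omitted,
# third_vpn points at a gateway that is never defined, no multipoint line).
SAMPLE = """
set security ike proposal first_ikeprop dh-group group2
set security ike proposal first_ikeprop authentication-algorithm md5
set security ike proposal first_ikeprop encryption-algorithm 3des-cbc
set security ike policy first_ikepol proposals first_ikeprop
set security ike gateway first ike-policy first_ikepol
set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
set security ipsec policy first_ipsecpol perfect-forward-secrecy keys group1
set security ipsec vpn first_vpn bind-interface st0.0
set security ipsec vpn first_vpn ike gateway first
set security ipsec vpn first_vpn ike ipsec-policy first_ipsecpol
set security ipsec vpn third_vpn bind-interface st0.0
set security ipsec vpn third_vpn ike gateway missing_gw
"""

def parse(text):
    """Map (family, object-type, name) -> {attribute: value} from `set security` lines."""
    objs = defaultdict(dict)
    for line in text.splitlines():
        m = re.match(r"set security (ike|ipsec) (\w+) (\S+) (.+)", line.strip())
        if m:
            fam, kind, name, rest = m.groups()
            attr, _, val = rest.rpartition(" ")   # last token is the value
            objs[(fam, kind, name)][attr] = val
    return objs

def audit(text):
    """Return findings: legacy algorithms, unresolved references, missing multipoint."""
    objs, out = parse(text), []
    multipoint = {f"{i}.{u}" for i, u in re.findall(r"set interfaces (\S+) unit (\d+) multipoint", text)}
    bound = defaultdict(list)   # st0 unit -> VPNs bound to it
    for (fam, kind, name), a in objs.items():
        out += [f"{fam} {kind} {name}: legacy {k} {v}" for k, v in a.items() if v in WEAK]
        refs = {"gateway": [("ike", "policy", a.get("ike-policy"))],
                "vpn": [("ike", "gateway", a.get("ike gateway")),
                        ("ipsec", "policy", a.get("ike ipsec-policy"))]}.get(kind, [])
        out += [f"{fam} {kind} {name}: unresolved {r[1]} {r[2]}" for r in refs if r not in objs]
        if kind == "vpn":
            bound[a.get("bind-interface")].append(name)
    for iface, vpns in bound.items():   # more than one tunnel on a unit needs NHTB
        if len(vpns) > 1 and iface not in multipoint:
            out.append(f"{iface}: {len(vpns)} VPNs bound without multipoint (nhtb)")
    return out
```

Running `audit(SAMPLE)` reports nine findings for the constructed sample; appending the page's `set interfaces st0 unit 0 multipoint` line clears the NHTB finding.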
