Example: Configure an IPsec VPN Between Two vSRX Virtual Firewall Instances
This example shows how to configure an IPsec VPN between two instances of vSRX Virtual Firewall in Microsoft Azure.
Before You Begin
Ensure that you have installed and launched a vSRX Virtual Firewall instance in Microsoft Azure virtual network.
See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.
Overview
You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure using two vSRX Virtual Firewall instances.
vSRX Virtual Firewall IPsec VPN Configuration
vSRX1 VPN Configuration
Step-by-Step Procedure
To configure IPsec VPN on vSRX1:
Log in to the vSRX1 in configuration edit mode (see Configure vSRX Using the CLI).
Set the IP addresses for vSRX1 interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24 set interfaces st0 unit 1 family inet address 10.0.250.10/24
Set up the untrust security zone.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Set up the trust security zone.
set security zone trust host-inbound-traffic system-services https set security zone trust host-inbound-traffic system-services ssh set security zone trust host-inbound-traffic system-services ping set security security-zone trust interfaces ge-0/0/1.0
Configure IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key> set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 198.51.100.10 set security ike gateway gw-siteB local-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note:Be sure to replace
198.51.100.10in this example with the correct public IP address.Configure IPsec.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure routing.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
vSRX2 VPN Configuration
Step-by-Step Procedure
To configure IPsec VPN on vSRX2:
Log in to the vSRX2 in configuration edit mode (See Configure vSRX Using the CLI.
Set the IP addresses for the vSRX2 interfaces.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24 set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24 set interfaces st0 unit 1 family inet address 10.0.250.20/24
Set up the untrust security zone.
set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces st0.1
Set up the trust security zone.
set security zones security-zone trust host-inbound-traffic system-services https set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
Configure IKE.
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys set security ike proposal ike-phase1-proposalA dh-group group2 set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256 set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc set security ike proposal ike-phase1-proposalA lifetime-seconds 1800 set security ike policy ike-phase1-policyA mode aggressive set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA set security ike policy ike-phase1-policyA pre-shared-key ascii-text preshared-key set security ike gateway gw-siteB ike-policy ike-phase1-policyA set security ike gateway gw-siteB address 203.0.113.10 set security ike gateway gw-siteB local-identity user-at-hostname "dest@example.net" set security ike gateway gw-siteB remote-identity user-at-hostname "source@example.net" set security ike gateway gw-siteB external-interface ge-0/0/0.0
Note:Be sure to replace
203.0.113.10in this example with the correct public IP address. Also note that the SiteB local-identity and remote-identity should be in contrast with the SiteA local-identity and remote-identity.Configure IPsec.
set security ipsec proposal ipsec-proposalA protocol esp set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA set security ipsec vpn ike-vpn-siteB bind-interface st0.1 set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB set security ipsec vpn ike-vpn-siteB ike ipsec-policy ike-phase1-policyA set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
Configure routing.
set routing-instances siteA-vr1 instance-type virtual-router set routing-instances siteA-vr1 interface ge-0/0/0.0 set routing-instances siteA-vr1 interface ge-0/0/1.0 set routing-instances siteA-vr1 interface st0.1 set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1 set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1 commit
Verification
Verify Active VPN Tunnels
Purpose
Verify that the tunnel is up on both vSRX Virtual Firewall instances.
Action
root@> show security ipsec security-associations
Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131074 ESP:aes-‐cbc-‐256/sha1 de836105 1504/ unlim -‐ root 4500 52.200.89.XXX >131074 ESP:aes-‐cbc-‐256/sha1 b349bc84 1504/ unlim -‐ root 4500 52.200.89.XXX