The main difference between a policy-based VPN and a route-based VPN is that the tunnel action is defined within each security policy, rather than by routing traffic into a tunnel interface.
Note: For troubleshooting steps please see here.
This VPN is configured with the following:
Remote Endpoint: 172.16.200.0/24
Local Endpoint: 172.16.100.0/24
Phase 1: AES-256, SHA1, DH2
Phase 2: ESP, SHA1, AES-256
Configure Proposals
set security ike proposal IKE-DH2-AES256-SHA1 authentication-method pre-shared-keys
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike proposal IKE-DH2-AES256-SHA1 authentication-algorithm sha1
set security ike proposal IKE-DH2-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ike proposal IKE-DH2-AES256-SHA1 lifetime-seconds 86400
set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec proposal IPSEC-ESP-AES256-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-ESP-AES256-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-ESP-AES256-SHA1 lifetime-seconds 3600
Phase 1
set security ike policy IKE-POLICY-SITEA mode main
set security ike policy IKE-POLICY-SITEA proposals IKE-DH2-AES256-SHA1
set security ike policy IKE-POLICY-SITEA pre-shared-key ascii-text <PRESHARED KEY>
set security ike gateway IKE-PEER-SITEA ike-policy IKE-POLICY-SITEA
set security ike gateway IKE-PEER-SITEA address <PEER IP>
set security ike gateway IKE-PEER-SITEA external-interface fe-0/0/0.0
Phase 2
set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1
set security ipsec vpn VPN-SITEA ike gateway IKE-PEER-SITEA
set security ipsec vpn VPN-SITEA ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-SITEA establish-tunnels immediately
Security Policy
set security zones security-zone untrust address-book address 172.16.200.0/24 172.16.200.0/24
set security zones security-zone trust address-book address 172.16.100.0/24 172.16.100.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match source-address 172.16.100.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match destination-address 172.16.200.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match application any
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn then permit tunnel ipsec-vpn VPN-SITEA
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match source-address 172.16.200.0/24
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match destination-address 172.16.100.0/24
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn match application any
set security policies from-zone untrust to-zone trust policy untrust-trust-vpn then permit tunnel ipsec-vpn VPN-SITEA
NAT Exempt
To ensure that traffic is not NAT'd before hitting the VPN, a NAT exempt rule is configured. Depending on what source NAT you already have configured, you may need to position this rule at the top of your source NAT rule base so that it is matched before any translating rule.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nonat match source-address 172.16.100.0/24
set security nat source rule-set trust-to-untrust rule nonat match destination-address 172.16.200.0/24
set security nat source rule-set trust-to-untrust rule nonat then source-nat off
MSS Clamping
To ensure that packets do not exceed the MTU of the SRX interfaces once the additional IPsec headers are added, MSS clamping is configured.
set security flow tcp-mss ipsec-vpn mss 1350
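Before committing, it is worth cross-checking the set statements above for dangling names, since an address-book entry whose name differs from the one the policy references, or an IKE gateway pointing at an undefined IKE policy, fails at commit. The following linter is an added example, not part of the original post; it embeds the cross-referencing lines from this page as a constructed sample and reports any reference to an object that is never defined.

```python
import re
# Constructed sample: the cross-referencing statements from this page's configuration.
SAMPLE = """\
set security ike proposal IKE-DH2-AES256-SHA1 dh-group group2
set security ike policy IKE-POLICY-SITEA proposals IKE-DH2-AES256-SHA1
set security ike gateway IKE-PEER-SITEA ike-policy IKE-POLICY-SITEA
set security ipsec proposal IPSEC-ESP-AES256-SHA1 protocol esp
set security ipsec policy IPSEC-POLICY proposals IPSEC-ESP-AES256-SHA1
set security ipsec vpn VPN-SITEA ike gateway IKE-PEER-SITEA
set security ipsec vpn VPN-SITEA ike ipsec-policy IPSEC-POLICY
set security zones security-zone untrust address-book address 172.16.200.0/24 172.16.200.0/24
set security zones security-zone trust address-book address 172.16.100.0/24 172.16.100.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match source-address 172.16.100.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn match destination-address 172.16.200.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust-vpn then permit tunnel ipsec-vpn VPN-SITEA
"""
# Object kinds and the statement that references an object of that kind (group 1 = name).
REFS = {
    "ike proposal":   r"set security ike policy \S+ proposals (\S+)",
    "ike policy":     r"set security ike gateway \S+ ike-policy (\S+)",
    "ike gateway":    r"set security ipsec vpn \S+ ike gateway (\S+)",
    "ipsec proposal": r"set security ipsec policy \S+ proposals (\S+)",
    "ipsec policy":   r"set security ipsec vpn \S+ ike ipsec-policy (\S+)",
    "ipsec vpn":      r"set security policies .* then permit tunnel ipsec-vpn (\S+)",
}
ADDR_DEF = r"set security zones security-zone (\S+) address-book address (\S+) "
ADDR_REF = (r"set security policies from-zone (\S+) to-zone (\S+) policy \S+ "
            r"match (source|destination)-address (\S+)")

def lint(config):
    """Return dangling-reference findings for a set-style SRX VPN config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for kind, pattern in REFS.items():
        defined = {m.group(1) for l in lines
                   for m in [re.match(rf"set security {kind} (\S+)", l)] if m}
        for l in lines:
            m = re.match(pattern, l)
            if m and m.group(1) not in defined:
                findings.append(f"{kind} '{m.group(1)}' referenced but never defined")
    # (zone, name) pairs defined in address books; a policy may only match these (or 'any').
    book = {(m.group(1), m.group(2)) for l in lines for m in [re.match(ADDR_DEF, l)] if m}
    for l in lines:
        m = re.match(ADDR_REF, l)
        if m:
            zone = m.group(1) if m.group(3) == "source" else m.group(2)
            if m.group(4) != "any" and (zone, m.group(4)) not in book:
                findings.append(f"address '{m.group(4)}' not in zone '{zone}' address book")
    return findings
```

Run `lint()` over your own `show configuration | display set` output; an empty list means every policy, gateway and VPN reference resolves to a defined object.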