JNCIP-SEC [ 5 – Advanced IPSEC ] Part 2

This post is a continuation of the first part of the Advanced IPSEC topic. This post’s subject is the hub-and-spoke topology on SRX devices. I will use the following topology for this post:

Because I have only two SRX210 devices, I am using a Linux box as the second spoke instead of an SRX in my hub-and-spoke IPsec VPN setup. I will also attach my Linux setup as a reference.

Let’s configure the hub, srx1.
(The entire configuration of the devices will be provided at the end of the post. To see how the security policies are configured along with all the supplementary configuration, you should take a look at the entire configuration, as I only add the IPsec-related config here.)

A hub-and-spoke VPN setup is almost the same as site-to-site, but the hub device needs extra configuration. For example, 10.11.11.2 is the srx2 device’s st0.0 interface; for Junos-to-Junos devices the next-hop-tunnel entry under the st0.0 interface isn’t necessary, but for non-Junos devices we should add it (this is what I know). Once this is in place, you should route the remote protected network to this next-hop-tunnel address, which can be seen in the “show routing-options” output. Also don’t forget to configure the multipoint option.

Now the srx2 spoke IPsec configuration:

I have made “authentication-algorithm” bold here because the default is sha if you don’t set it. It really caused trouble for me during my Linux-side configuration.

Don’t forget “establish-tunnels immediately”; if this is forgotten, you don’t see any output in the “show security ike security-associations” command until traffic is generated.

Let’s ping the Linux IP from srx2.

Yep, it works.

Here is the Linux device config:

I want to note something here about the Linux-side config, which is somewhat different from the SRX. We route the protected network 172.16.100.0/24 directly to the 10.3.3.1 gateway. We don’t use any secure tunnel IP or anything else; all of it is handled by the security policies registered in the kernel. In the SRX config it looks as if the Linux tunnel address is 10.11.11.3, but this address is never configured on the Linux side. It isn’t needed; it has only local significance on the SRX. Let’s see these policies:

Here is the setkey.conf file containing the security policies:

The racoon.conf file for auto IKE, etc.:

On the Linux side, to load the security policies and start IKE (in the foreground, with debugging):

root@tux:/etc/ipsec# setkey -f /etc/ipsec/setkey.conf
root@tux:/etc/ipsec# racoon -F -f -d /etc/ipsec/racoon.conf

Let’s dump the security association database:

Let’s look at the hub’s security-associations output:

We can see the same SPI in the Linux SAD as well, and the lines I marked in red are the encryption keys. When I noticed that they are encryption keys, I was shocked! You can decrypt IPsec traffic by using these keys.
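As an added example (not part of the original post or the author’s setup), here is a small Python check for the two outputs compared above: it matches the SPIs in the hub’s SA table against the Linux SAD in the correct direction, and blanks the key material the SAD dump exposes before such a dump is shared. The sample outputs are constructed; 10.3.3.2 as the Linux public address and 203.0.113.1 as the hub address are assumptions.

```python
import re

# Constructed `setkey -D` sample: 10.3.3.2 = assumed Linux public IP, 203.0.113.1 = assumed hub; key hex is dummy.
LINUX_SAD = """\
10.3.3.2 203.0.113.1
\tesp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
\tE: aes-cbc  00112233 44556677 8899aabb ccddeeff
203.0.113.1 10.3.3.2
\tesp mode=tunnel spi=2324809534(0x8a91c73e) reqid=0(0x00000000)
\tE: aes-cbc  ffeeddcc bbaa9988 77665544 33221100
"""
# Constructed hub `show security ipsec security-associations` ('<' inbound, '>' outbound).
HUB_SAS = """\
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 75bcd15 3312/ unlim - root 500 10.3.3.2
  >131073 ESP:aes-cbc-128/sha1 8a91c73e 3312/ unlim - root 500 10.3.3.2
  <131074 ESP:aes-cbc-128/sha1 1a2b3c4d 3402/ unlim - root 500 10.2.2.2
  >131074 ESP:aes-cbc-128/sha1 4d3c2b1a 3402/ unlim - root 500 10.2.2.2
"""
SAD_HEAD = re.compile(r"^(\S+) (\S+)\s*$")          # "src dst" line opening a SAD entry
SAD_SPI = re.compile(r"spi=\d+\(0x([0-9a-f]+)\)")
HUB_ROW = re.compile(r"^\s*([<>])\d+\s+ESP:\S+\s+([0-9a-f]+)\s.*\s(\S+)\s*$")
KEY_LINE = re.compile(r"^(\s*[EA]: \S+\s+)\S.*$", re.M)

def parse_linux_sad(text):
    """Map SPI (int) -> (src, dst) from `setkey -D` output."""
    sas, src, dst = {}, None, None
    for line in text.splitlines():
        if head := SAD_HEAD.match(line):
            src, dst = head.groups()
        elif (spi := SAD_SPI.search(line)) and src:
            sas[int(spi.group(1), 16)] = (src, dst)
    return sas

def parse_hub_sas(text):
    """List (direction, spi, gateway) rows from the Junos SA table."""
    return [(m.group(1), int(m.group(2), 16), m.group(3))
            for m in map(HUB_ROW.match, text.splitlines()) if m]

def cross_check(linux_text, hub_text, spoke_ip):
    """Per hub SPI towards spoke_ip: same SPI in the Linux SAD, right direction? ('<' = inbound to hub = Linux src is the spoke)"""
    linux, results = parse_linux_sad(linux_text), {}
    for direction, spi, gw in parse_hub_sas(hub_text):
        if gw == spoke_ip:
            src, dst = linux.get(spi, (None, None))
            results[spi] = (src if direction == "<" else dst) == spoke_ip
    return results

def redact_keys(text):
    """Blank E:/A: key material before a SAD dump is pasted into a ticket or post."""
    return KEY_LINE.sub(lambda m: m.group(1) + "[KEY-REDACTED]", text)
```

A mismatch (a SPI present on the hub but missing or reversed on the spoke) shows up as False for that SPI, which usually points at a stale SA or a rekey that only one side completed.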

I have actually tested this setup before preparing this post. If you see any error, please don’t hesitate to contribute :)

Here are the promised configs of srx1 (hub) and srx2:
