IPSEC between SRX and VYOS
I wasn’t aware of the VYOS security device until I went looking for a virtual Vyatta appliance. Then I learned that Vyatta had been acquired by Brocade and that a community fork of Vyatta, now called VYOS, had been brought to life. VYOS uses strongSwan for IPsec, and in this post I will show how to configure a simple site-to-site IPsec VPN between an SRX security device and VYOS. Let’s dive right into the config.
First configure IKE and IPsec on the SRX side. The proposals below use 3DES, SHA-1 and DH group 2 because every IKEv1 implementation accepts them out of the box; treat them as lab values and use AES-256 (or AES-GCM), SHA-256 and DH group 14 or higher on both sides in production.
SRX IKE Config
{primary:node0}[edit]
root@SRX# show security ike
proposal prop-basic {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 7200;
}
policy pol-basic {
    mode main;
    proposals prop-basic;
    pre-shared-key ascii-text "$9$7BNb24oGji.2gTz6/tp"; ## SECRET-DATA
}
gateway vyos2 {
    ike-policy pol-basic;
    address 76.1.1.2;
    external-interface reth1.953;
}
SRX IPSEC Config
{primary:node0}[edit]
root@SRX# show security ipsec
proposal prop-basic {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    proposals prop-basic;
}
vpn vyos2-1 {
    bind-interface st0.5;
    ike {
        gateway vyos2;
        proxy-identity {
            local 20.1.1.0/24;
            remote 10.1.1.0/24;
        }
        ipsec-policy pol-basic;
    }
    establish-tunnels immediately;
}
Don’t forget the following either: the st0 tunnel interface needs family inet, both st0.5 and the external interface need a zone assignment, and the IKE service must be allowed as host-inbound traffic on the external interface. Because this is a route-based VPN (the vpn is bound to st0.5), the SRX also needs a static route for the remote prefix 10.1.1.0/24 pointing at st0.5 and a security policy permitting traffic between the LAN zone and the VPN zone; without that route, packets for 10.1.1.0/24 follow the default route and never enter the tunnel, even though both SAs show as up.
{primary:node0}[edit]
root@SRX# show interfaces st0.5
family inet;

{primary:node0}[edit]
root@SRX# show security zones security-zone VPN
interfaces {
    st0.5;
}

root@SRX# show security zones security-zone INTERNET
host-inbound-traffic {
    system-services {
        ike;
        ssh;
        ping;
    }
}
interfaces {
    reth1.953;
}
That completes the SRX side of the IPsec config. Now the VYOS side:
VYOS Phase 2
set vpn ipsec esp-group esp-co compression 'disable'
set vpn ipsec esp-group esp-co lifetime '3600'
set vpn ipsec esp-group esp-co mode 'tunnel'
set vpn ipsec esp-group esp-co pfs 'disable'
set vpn ipsec esp-group esp-co proposal 1 encryption '3des'
set vpn ipsec esp-group esp-co proposal 1 hash 'sha1'
VYOS Phase 1
set vpn ipsec ike-group co lifetime '7200'
set vpn ipsec ike-group co proposal 1 dh-group '2'
set vpn ipsec ike-group co proposal 1 encryption '3des'
set vpn ipsec ike-group co proposal 1 hash 'sha1'
Enable IPsec on the interface that carries the local address 76.1.1.2
set vpn ipsec ipsec-interfaces interface 'eth1.1400'
Remote Peer Config
set vpn ipsec site-to-site peer 192.168.9.2 authentication id '76.1.1.2'
set vpn ipsec site-to-site peer 192.168.9.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.9.2 authentication pre-shared-secret 'lab123'
set vpn ipsec site-to-site peer 192.168.9.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.9.2 default-esp-group 'esp-co'
set vpn ipsec site-to-site peer 192.168.9.2 ike-group 'co'
set vpn ipsec site-to-site peer 192.168.9.2 local-address '76.1.1.2'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 local prefix '10.1.1.0/24'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 remote prefix '20.1.1.0/24'
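Most phase 1 and phase 2 failures between two vendors come down to a proposal or proxy-ID that does not mirror the other side, and the two boxes spell the same algorithm differently (3des-cbc versus 3des, hmac-sha1-96 versus sha1, group2 versus 2). The script below is an added example, not part of the original post: it parses the VYOS `set` lines above (copied as constructed input, pre-shared secret omitted) into a tree, compares them against the SRX values transcribed by hand from the Junos config, and reports every mismatch plus any deprecated algorithm in the negotiated proposals. The function names, the partial Junos-to-VYOS name table and the weak-algorithm list are this example's own assumptions.

```python
"""Cross-check SRX and VYOS IPsec settings for mismatches (added example)."""
import shlex

# Constructed input: the VYOS commands from the post, one per line, secret omitted.
VYOS_CONFIG = """
set vpn ipsec esp-group esp-co lifetime '3600'
set vpn ipsec esp-group esp-co pfs 'disable'
set vpn ipsec esp-group esp-co proposal 1 encryption '3des'
set vpn ipsec esp-group esp-co proposal 1 hash 'sha1'
set vpn ipsec ike-group co lifetime '7200'
set vpn ipsec ike-group co proposal 1 dh-group '2'
set vpn ipsec ike-group co proposal 1 encryption '3des'
set vpn ipsec ike-group co proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 192.168.9.2 default-esp-group 'esp-co'
set vpn ipsec site-to-site peer 192.168.9.2 ike-group 'co'
set vpn ipsec site-to-site peer 192.168.9.2 local-address '76.1.1.2'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 local prefix '10.1.1.0/24'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 remote prefix '20.1.1.0/24'
"""

# SRX side, transcribed from the Junos config with Junos spellings kept verbatim.
# perfect-forward-secrecy is None because the ipsec policy does not set it.
SRX = {
    "ike": {"encryption-algorithm": "3des-cbc", "authentication-algorithm": "sha1",
            "dh-group": "group2", "lifetime-seconds": "7200", "gateway-address": "76.1.1.2"},
    "ipsec": {"encryption-algorithm": "3des-cbc", "authentication-algorithm": "hmac-sha1-96",
              "lifetime-seconds": "3600", "perfect-forward-secrecy": None},
    "proxy-identity": {"local": "20.1.1.0/24", "remote": "10.1.1.0/24"},
}

# Partial Junos -> VYOS/strongSwan spelling map (assumption of this example; extend as needed).
JUNOS_TO_VYOS = {
    "des-cbc": "des", "3des-cbc": "3des",
    "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
    "md5": "md5", "sha1": "sha1", "sha-256": "sha256",
    "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256",
}
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh-group": {"1", "2", "5"}}


def junos_to_vyos(name):
    """Map a Junos algorithm or DH-group name to the VYOS spelling ('group2' -> '2')."""
    if name.startswith("group"):
        return name[len("group"):]
    return JUNOS_TO_VYOS.get(name, name)


def parse_vyos(text):
    """Turn 'set a b c value' lines into a nested dict {'a': {'b': {'c': 'value'}}}."""
    tree = {}
    for line in text.strip().splitlines():
        words = shlex.split(line)  # also strips the quotes around values
        if len(words) < 3 or words[0] != "set":
            continue
        node = tree
        for key in words[1:-2]:
            node = node.setdefault(key, {})
        node[words[-2]] = words[-1]
    return tree


def peer_settings(vyos, peer_ip):
    """Resolve the peer entry and the ike-group / esp-group it actually references."""
    ipsec = vyos["vpn"]["ipsec"]
    peer = ipsec["site-to-site"]["peer"][peer_ip]
    return peer, ipsec["ike-group"][peer["ike-group"]], ipsec["esp-group"][peer["default-esp-group"]]


def compare(srx, vyos, peer_ip):
    """Return mismatch descriptions; an empty list means both sides agree."""
    peer, ike_group, esp_group = peer_settings(vyos, peer_ip)
    ike, esp, tunnel = ike_group["proposal"]["1"], esp_group["proposal"]["1"], peer["tunnel"]["1"]
    pfs = srx["ipsec"]["perfect-forward-secrecy"]
    expected = [
        ("IKE encryption", junos_to_vyos(srx["ike"]["encryption-algorithm"]), ike["encryption"]),
        ("IKE hash", junos_to_vyos(srx["ike"]["authentication-algorithm"]), ike["hash"]),
        ("IKE DH group", junos_to_vyos(srx["ike"]["dh-group"]), ike["dh-group"]),
        ("IKE lifetime", srx["ike"]["lifetime-seconds"], ike_group["lifetime"]),
        ("ESP encryption", junos_to_vyos(srx["ipsec"]["encryption-algorithm"]), esp["encryption"]),
        ("ESP hash", junos_to_vyos(srx["ipsec"]["authentication-algorithm"]), esp["hash"]),
        ("ESP lifetime", srx["ipsec"]["lifetime-seconds"], esp_group["lifetime"]),
        ("PFS", "disable" if pfs is None else "dh-" + pfs, esp_group["pfs"]),
        # Proxy IDs must mirror each other: SRX local == VYOS remote prefix and vice versa.
        ("proxy-ID (SRX local / VyOS remote)", srx["proxy-identity"]["local"], tunnel["remote"]["prefix"]),
        ("proxy-ID (SRX remote / VyOS local)", srx["proxy-identity"]["remote"], tunnel["local"]["prefix"]),
        ("peer address", srx["ike"]["gateway-address"], peer["local-address"]),
    ]
    return [f"{what}: SRX={a} VyOS={b}" for what, a, b in expected if a != b]


def weak_algorithms(vyos, peer_ip):
    """List deprecated choices (DES/3DES, MD5/SHA-1, DH groups 1/2/5) in the used proposals."""
    _, ike_group, esp_group = peer_settings(vyos, peer_ip)
    findings = []
    for phase, proposal in (("IKE", ike_group["proposal"]["1"]), ("ESP", esp_group["proposal"]["1"])):
        for field, bad in WEAK.items():
            if proposal.get(field) in bad:
                findings.append(f"{phase} {field} {proposal[field]}")
    return findings


if __name__ == "__main__":
    tree = parse_vyos(VYOS_CONFIG)
    print("mismatches:", compare(SRX, tree, "192.168.9.2") or "none")
    print("weak choices:", weak_algorithms(tree, "192.168.9.2"))
```

Run against the configs on this page it reports no mismatches but five weak choices (3DES, SHA-1 and DH group 2 in IKE; 3DES and SHA-1 in ESP). Change one tunnel prefix on the VYOS side and the proxy-ID check fires, which is exactly the kind of error that leaves phase 1 up while phase 2 never negotiates.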
Now verification time
SRX
{primary:node0}
root@SRX> show security ike sa
node0:
--------------------------------------------------------------------------
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2523228  UP     3db0cde4100411fb  0a816f43565434a3  Main  76.1.1.2

{primary:node0}
root@SRX> show security ipsec sa
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID       Algorithm      SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131079  ESP:3des/sha1  8ba57ac1  2470/ unlim  -    root  500   76.1.1.2
  >131079  ESP:3des/sha1  ca64d806  2470/ unlim  -    root  500   76.1.1.2
VYOS
vyos@vyos:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.9.2                             76.1.1.2

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     3des     sha1  2        no     2180    7200

vyos@vyos:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.9.2                             76.1.1.2

    Tunnel  State  Bytes Out/In  Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  ------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0       3des     sha1  no     1943    3600    all
Everything looks right: both the Phase 1 and the Phase 2 SAs are installed on each side. Note that the VYOS byte counters still read 0.0/0.0, so the tunnel is up but nothing has been sent through it yet; send a ping from 10.1.1.0/24 to 20.1.1.0/24 and confirm that the counters increase before calling the VPN done. Now enjoy your tunnel :)
The tunnel is up but I cannot ping nor tracert between the networks… Any idea what I am missing? While doing tracert it doesn’t seem to route through the tunnel. Is there a need to set some routes for this scenario?
I’m running into the same issue; were you able to get it working?