IPSEC between StrongSwan and SRX

In one of my earlier posts I provided my configuration for an IPSEC VPN setup between an SRX firewall and Linux with racoon. In this post, I will explain how you can set up a route-based IPSEC tunnel between StrongSwan (pre-shared key) and an SRX firewall. The topology of my setup is below:

[Topology diagram: strong_swan]

Tunnel Peers: debian1 and j41
Tunnel endpoint addresses: debian1(192.168.3.11) — j41(212.45.64.2)
Protected Networks: debian1(10.33.1.0/24) — j41(10.34.1.0/24)
SRX Junos Release: 12.1X46-D15.3
StrongSwan Release: 4.5.2-1.5+deb7u2

LINUX

Create your strongSwan configuration files as below:

/etc/ipsec.conf

config setup
        charonstart=yes
        plutostart=yes

conn j41-srx
        authby=secret
        auto=start
        esp=aes128-sha1,3des-sha1!
        ike=aes128-sha1-modp2048,3des-sha1-modp1536!
        ikelifetime=28800
        keyexchange=ikev1
        leftid=@debian1.example.com
        rightid=@j41.example.com
        left=192.168.3.11
        right=212.45.64.2
        leftsubnet=10.33.1.0/24
        rightsubnet=10.34.1.0/24

/etc/ipsec.secrets

@debian1.example.com @j41.example.com : PSK "lab123"

That is all there is to the strongSwan config; now the SRX config.

IKE

lab@J41-Amsterdam# show security ike proposal strongswan 
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;

[edit]
lab@J41-Amsterdam# show security ike policy strongswan       
mode main;
description "Debian1 PSK strongswan";
proposals strongswan;
pre-shared-key ascii-text "$9$uN.70Icyrv8LNcSwYoaUD"; ## SECRET-DATA

[edit]
lab@J41-Amsterdam# show security ike gateway gw-debian1-strongswan       
ike-policy strongswan;
address 192.168.3.11;
local-identity hostname j41.example.com;
remote-identity hostname debian1.example.com;
external-interface ge-0/0/0.64;

As I have several configurations for different peers, I have shown the IKE proposal, policy and gateway configuration for this peer separately, in that order.

IPSEC

[edit]
lab@J41-Amsterdam# show security ipsec proposal strongswan            
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;

[edit]
lab@J41-Amsterdam# show security ipsec policy strongswan      
perfect-forward-secrecy {
    keys group14;
}
proposals strongswan;

[edit]
lab@J41-Amsterdam# show security ipsec vpn vpn-debian1-strongswan 
bind-interface st0.0;
ike {
    gateway gw-debian1-strongswan;
    proxy-identity {
        local 10.34.1.0/24;
        remote 10.33.1.0/24;
    }
    ipsec-policy strongswan;
}
establish-tunnels immediately;

The IPSEC config follows the same order: proposal, policy and VPN.
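The SRX configuration above is enough to bring the IKE and IPsec SAs up, but a route-based VPN does not forward anything by itself: the st0.0 interface named in bind-interface must be configured and placed in a security zone, a static route for the remote network must point at st0.0, and security policies must permit the traffic between zones (the comment thread below reports exactly this symptom, a tunnel that is up with no traffic passing). The following set commands are an added example and are not part of the original post. The st0.0 address 10.254.0.1/30, the zone names trust and vpn (with the 10.34.1.0/24 LAN assumed to already sit in zone trust), and the address-book and policy names are assumptions chosen for illustration; the networks and the interface name come from the post.

```junos
## Added example, not from the original post. Assumed names and addresses are marked.

## 1. Tunnel interface: bind-interface st0.0 in the VPN config needs an inet unit.
##    10.254.0.1/30 is an assumed point-to-point address.
set interfaces st0 unit 0 family inet address 10.254.0.1/30

## 2. Put the tunnel interface in its own zone (zone name "vpn" is assumed).
set security zones security-zone vpn interfaces st0.0

## 3. Route the remote protected network (10.33.1.0/24 from the post) into the tunnel.
set routing-options static route 10.33.1.0/24 next-hop st0.0

## 4. Address-book entries for the two protected networks (entry names assumed).
set security address-book global address net-10.33.1.0 10.33.1.0/24
set security address-book global address net-10.34.1.0 10.34.1.0/24

## 5. Security policies in both directions. The local LAN 10.34.1.0/24 is assumed
##    to already be in zone "trust". "application any" suits a lab; narrow it in production.
set security policies from-zone trust to-zone vpn policy to-debian1 match source-address net-10.34.1.0
set security policies from-zone trust to-zone vpn policy to-debian1 match destination-address net-10.33.1.0
set security policies from-zone trust to-zone vpn policy to-debian1 match application any
set security policies from-zone trust to-zone vpn policy to-debian1 then permit
set security policies from-zone vpn to-zone trust policy from-debian1 match source-address net-10.33.1.0
set security policies from-zone vpn to-zone trust policy from-debian1 match destination-address net-10.34.1.0
set security policies from-zone vpn to-zone trust policy from-debian1 match application any
set security policies from-zone vpn to-zone trust policy from-debian1 then permit

commit
```

After committing, `show route 10.33.1.0/24` should resolve via st0.0, `show interfaces st0.0 terse` should show the unit up, and `show security ipsec statistics` should show the encrypted and decrypted packet counters increasing once hosts on either LAN start talking. Remember also that the zone holding ge-0/0/0.64, the IKE external-interface, must permit `ike` under `host-inbound-traffic system-services` for debian1 to be able to initiate IKE towards the SRX.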

Let’s verify this setup on both sides:

SRX

root@J41-Amsterdam> show security ike sa  
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address     
5695104 UP     bd883616bc2937de  35dea150eee8edc6  Main           192.168.3.11    

root@J41-Amsterdam> show security ipsec sa  
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131082 ESP:aes-cbc-128/sha1 80677dc 2893/ unlim - root 500 192.168.3.11    
  >131082 ESP:aes-cbc-128/sha1 ce787e8c 2893/ unlim - root 500 192.168.3.11   

Strongswan

root@debian1:~# ipsec status j41-srx
000 "j41-srx": 10.33.1.0/24===192.168.3.11[debian1.example.com]...212.45.64.2[j41.example.com]===10.34.1.0/24; erouted; eroute owner: #4
000 "j41-srx":   newest ISAKMP SA: #3; newest IPsec SA: #4; 
000 
000 #4: "j41-srx" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2602s; newest IPSEC; eroute owner
000 #4: "j41-srx" esp.80677dc@212.45.64.2 (0 bytes) esp.ce787e8c@192.168.3.11 (0 bytes); tunnel
000 #3: "j41-srx" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27802s; newest ISAKMP
000 #2: "j41-srx" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2106s
000 #2: "j41-srx" esp.f09e63ad@212.45.64.2 (0 bytes) esp.c3a90cd4@192.168.3.11 (0 bytes); tunnel
000 #1: "j41-srx" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27065s
000 
Security Associations:
  no match

root@debian1:~# ip -s xfrm policy list src 10.33.1.0/24
src 10.33.1.0/24 dst 10.34.1.0/24 uid 0
        dir out action allow index 521 priority 1859 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2014-04-15 21:15:05 use -
        tmpl src 192.168.3.11 dst 212.45.64.2
                proto esp spi 0x00000000(0) reqid 16384(0x00004000) mode tunnel
                level required share any 
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

As you can see, the tunnel is established properly. I have tested this config twice on these releases, so I hope there are no mistakes so far. I haven’t passed traffic on this setup, as my purpose was to see how the configuration is done, but I don’t think there should be a problem. Should you have any feedback, please feel free to comment!

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN; currently living in the Netherlands and working as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


5 thoughts on “IPSEC between StrongSwan and SRX”

  1. I am trying to do the same task and successful in making the tunnel but traffic is not passing through.. please do some favor for me

    1. Yes you are right, I missed that but it should be an easy one as it is just an interface config and a static route towards the st0.0 interface.
