IPSEC VPN between SRX and Netscreen
Below you will find my IPsec VPN configuration between an SRX100 device and a Netscreen 5GT. Here is the topology:

Protected network on Netscreen: 10.10.10.0/24
Protected network on SRX: 192.168.0.0/24

ns5gt-> get sys | inc Software
Software Version: 5.4.0r3.0, Type: Firewall+VPN

root@hub> show version
Hostname: hub
Model: srx100h
JUNOS Software Release [11.1R4.4]
This is indeed a hub-and-spoke topology. I have two more SRX devices connected to the same hub, but for the simplicity of this post I will only include the config for these two nodes.

[edit]
root@hub# show security ike
policy sos-pol {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$NBVs4UjqQF/aZF/CtIR-VwYaZDikPTz"; ## SECRET-DA
}
gateway sos-gw {
    ike-policy sos-pol;
    address 172.16.3.2;
    external-interface fe-0/0/3.0;
}

[edit]
root@hub# show security ipsec
policy sos-pol {
    proposal-set standard;
}
vpn vpn-sos {
    bind-interface st0.0;
    vpn-monitor;
    ike {
        gateway sos-gw;
        ipsec-policy sos-pol;
    }
    establish-tunnels immediately;
}
Tunnel Interface and Physical Interface Configuration

[edit]
root@hub# show interfaces st0.0
multipoint;
family inet {
    address 192.168.100.5/24;
}

[edit]
root@hub# show interfaces fe-0/0/3.0
description "Netscreen device";
family inet {
    address 172.16.3.1/24;
}
Zone Configuration

[edit]
root@hub# show security zones security-zone vpn
address-book {
    address sos-local 10.10.10.0/24;
}
interfaces {
    st0.0;
}

[edit]
root@hub# show security zones security-zone non-junos
host-inbound-traffic {
    system-services {
        ike;
        ping;
    }
}
interfaces {
    fe-0/0/3.0;
}
One of the most important things not to forget is to enable ike (and ping, which helps when troubleshooting) under host-inbound-traffic on the zone that holds the external interface (non-junos here); without it the SRX does not accept the peer's IKE negotiation on fe-0/0/3.0.

[edit]
root@hub# show security policies from-zone vpn to-zone home-pcs
policy sos-to-internal {
    match {
        source-address sos-local;
        destination-address pcs;
        application any;
    }
    then {
        permit;
    }
}
Another important point that I miss from time to time: the security policy must go from the VPN zone, i.e. the zone that holds the st0.0 interface, to whichever zone the protected hosts live in.

[edit]
root@hub# show routing-options
static {
    route 10.10.10.0/24 next-hop 192.168.100.100;
}
Netscreen Side Configuration

set address Trust local_lan 10.10.10.0/24
set zone name vpn
set address vpn hub_lan 192.168.0.0/24
set interface tun.1 zone vpn
set int tun.1 ip 192.168.100.100/24
set route 192.168.0.0/24 interface tun.1
set ike gateway gw-hub address 172.16.3.1 main outgoing-interface Untrust preshare juniper123 sec-level standard
set vpn vpn-hub gateway gw-hub sec-level standard
set vpn vpn-hub bind interface tun.1
set vpn vpn-hub monitor rekey
set policy from trust to vpn local_lan hub_lan any permit
set policy from vpn to trust hub_lan local_lan any permit

ns5gt-> get int
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name        IP Address          Zone      MAC             VLAN State VSD
trust       10.10.10.1/24       Trust     0010.db4a.4042  -    D     -
untrust     172.16.3.2/24       Untrust   0010.db4a.4041  -    U     -
serial      0.0.0.0/0           Null      0010.db4a.4046  -    D     -
tun.1       192.168.100.100/24  vpn       N/A             -    U     -
vlan1       0.0.0.0/0           VLAN      0010.db4a.404f  1    D     -
null        0.0.0.0/0           Null      N/A             -    U     0

ns5gt-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
vpn-hub         gw-hub          tunl No    g2-esp-3des-sha      on      0       untrust
Total Auto VPN: 1
And here is a ping from the Netscreen that works well:

ns5gt-> ping 192.168.0.1 from trust
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 1 seconds from trust
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=7/9/13 ms

As both devices work well together, we didn't need to play with NHTB configuration. In the next post I will try an SRX-to-Cisco VPN and see how the configuration changes.
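Most of the mistakes that break a route-based VPN like this one (and the ones caught in the comments below) are simple mismatches between the two sides: peer addresses, tunnel subnet, static route next-hop, the ike host-inbound service, or a policy from the wrong zone. The following script is an added example, not part of the original post; it parses the Netscreen set commands above, takes the SRX values transcribed by hand into a dict (the Junos brace syntax is not parsed), and reports every inconsistency it finds.

```python
import ipaddress
import re

# Netscreen side: the relevant 'set' lines from the post, embedded as constructed input.
NS_CONFIG = """
set interface tun.1 zone vpn
set int tun.1 ip 192.168.100.100/24
set route 192.168.0.0/24 interface tun.1
set ike gateway gw-hub address 172.16.3.1 main outgoing-interface Untrust preshare juniper123 sec-level standard
set vpn vpn-hub gateway gw-hub sec-level standard
set vpn vpn-hub bind interface tun.1
"""
NS_UNTRUST_IP = "172.16.3.2/24"  # from the 'get int' output in the post

# SRX side, transcribed from the 'show' output above (the brace config is not parsed).
SRX = {
    "external_ip": "172.16.3.1/24", "external_zone_services": {"ike", "ping"},
    "gateway_address": "172.16.3.2", "st0_ip": "192.168.100.5/24", "st0_zone": "vpn",
    "static_routes": {"10.10.10.0/24": "192.168.100.100"},
    "policies": [("vpn", "home-pcs")],  # (from-zone, to-zone)
}

def parse_netscreen(text):
    """Pull tunnel interface IP, routes and IKE peer address out of ScreenOS 'set' lines."""
    ns = {"routes": {}}
    for line in text.splitlines():
        if m := re.match(r"set int(?:erface)? (\S+) ip (\S+)", line):
            ns["tunnel_if"], ns["tunnel_ip"] = m.group(1), m.group(2)
        elif m := re.match(r"set route (\S+) interface (\S+)", line):
            ns["routes"][m.group(1)] = m.group(2)
        elif m := re.match(r"set ike gateway (\S+) address (\S+)", line):
            ns["gateway_peer"] = m.group(2)
    return ns

def check_vpn(srx, ns, ns_untrust_ip):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    problems = []
    if ns["gateway_peer"] != srx["external_ip"].split("/")[0]:
        problems.append("NS ike gateway address is not the SRX external interface IP")
    if srx["gateway_address"] != ns_untrust_ip.split("/")[0]:
        problems.append("SRX ike gateway address is not the NS untrust IP")
    st0, tun = ipaddress.ip_interface(srx["st0_ip"]), ipaddress.ip_interface(ns["tunnel_ip"])
    if st0.network != tun.network:
        problems.append("st0.0 and tun.1 are not in the same subnet")
    for net, nh in srx["static_routes"].items():
        if nh != str(tun.ip):
            problems.append(f"SRX route {net} next-hop {nh} is not the NS tunnel IP {tun.ip}")
    if "ike" not in srx["external_zone_services"]:
        problems.append("ike is not enabled in host-inbound-traffic on the external zone")
    if not any(src == srx["st0_zone"] for src, _ in srx["policies"]):
        problems.append("no security policy from the zone holding st0.0")
    return problems
```

Running `check_vpn(SRX, parse_netscreen(NS_CONFIG), NS_UNTRUST_IP)` on the post's values returns an empty list; swapping the tunnel IP for the 192.168.100.10 that the topology image once showed reports the static route next-hop mismatch.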
Hi rtoo. I am just about to follow what looks like an excellent description of exactly what I am trying to do (except the NS5GT is an NS50 in our case). I would like to ask though, in your diagram showing the SRX and the NS5GT, should the untrust interface not be 172.16.3.2/24? If not, I am misunderstanding something 🙂
Hi Simon,
You aren't misunderstanding. I made a mistake, and thank you for this, good catch. I have corrected the image; I think you meant the topology image, as I didn't notice an error in the config. If you think there is another mistake, don't hesitate to tell me.
cheers
Genco.
Your drawing has another error, or your config does. The drawing on the NS side identifies 192.168.100.10/24 as the IP, but your config shows 192.168.100.100/24.
Thanks for pointing out the mistake, Mike. I have updated the topology image, as the config looks correct but the image was showing the wrong tunnel IP.
Can you clarify what the home-pcs zone is and what the pcs address is?