JNCIP-SEC [ 5 – Advanced IPSEC ] Part 2

This post is a continuation of the first part of Advanced IPSEC topic. This post’s topic is HUB and SPOKE topology in SRX devices. I will use the following topology for this post;

Because I have only two srx210 deviceS, I am using a linux box as the second spoke instead of an srx in my hub and spoke ipsec vpn setup. I will also attach my linux setup as a reference.

Lets configure hub srx1
(The entire configuration of devices will be provided at the end of the post, to see how security policies are configured along with all supplementary configuration, you should take a look at the entire configuration as I only add ipsec related config here)

[edit security]
root@srx1# show ike
proposal prop-basic {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    mode main;
    proposals prop-basic;
    pre-shared-key ascii-text "$9$iqPQ/CuEclFnclKMN-HqmfFn9ApBRh";
}
gateway srx2 {
    ike-policy pol-basic;
    address 10.2.2.2;
    dead-peer-detection {
        interval 10;
        threshold 5;
    }
    external-interface ge-0/0/0.0;
}
gateway linux {
    ike-policy pol-basic;
    address 10.3.3.2;
    external-interface ge-0/0/0.0;
}
[edit security]
root@srx1# show ipsec
proposal prop-basic {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    proposals prop-basic;
}
vpn vpn-srx2 {
    bind-interface st0.0;
    ike {
        gateway srx2;
        ipsec-policy pol-basic;
    }
    establish-tunnels immediately;
}
vpn vpn-linux {
    bind-interface st0.0;
    ike {
        gateway linux;
        proxy-identity {
 local 172.16.100.0/24;
 remote 192.168.200.0/24; 
 }
        ipsec-policy pol-basic;
    }
    establish-tunnels immediately;
}

[edit]
root@srx1# show routing-options
static {
    route 10.2.2.0/24 next-hop 10.1.1.1;
    route 172.16.200.0/24 next-hop 10.11.11.2;
    route 10.3.3.0/24 next-hop 10.1.1.1;
    route 192.168.200.0/24 next-hop 10.11.11.3;
}

root@srx1> show security ipsec next-hop-tunnels
Next-hop gateway  interface   IPSec VPN name                    Flag
0.0.0.0           st0.0       vpn-linux                         Auto
10.11.11.2        st0.0       vpn-srx2                          Static
10.11.11.3        st0.0       vpn-linux                         Static
[edit]
root@srx1# show interfaces st0
unit 0 {
    multipoint;
    family inet {
        mtu 1490;
        next-hop-tunnel 10.11.11.2 ipsec-vpn vpn-srx2;
        next-hop-tunnel 10.11.11.3 ipsec-vpn vpn-linux;
        address 10.11.11.1/24;
    }
}

Hub and spoke vpn setup is almost similar to site-to-site but for the hub device extra configuration is needed. For example 10.11.11.2 is the srx2 device’s st0.0 interface and for junos-to-junos devices next-hop-tunnel under st0.0 interface isn’t necessary but for non-junos devices we should add them (this is what I know). Once this is in place you should route the remote protected network into this next-hop-tunnel address. This can be seen in “show routing-options” command. Don’t also forget to configure the multipoint option.

Now the srx2 spoke IPSEC configuration:

[edit security]
root@srx2# show ike
proposal prop-basic {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    mode main;
    proposals prop-basic;
    pre-shared-key ascii-text "$9$RGQcrvxNboJDWLJDikTQEcylWL7-VY4a";
}
gateway srx1 {
    ike-policy pol-basic;
    address 10.1.1.2;
    dead-peer-detection {
        interval 10;
        threshold 5;
    }
    external-interface ge-0/0/0.0;
}

I have made “authentication-algorithm” bold here because default is sha, if you don’t set it. It really caused trouble for me during my linux side configuration.

[edit security]
root@srx2# show ipsec
proposal prop-basic {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    proposals prop-basic;
}
vpn p2p-srx1 {
    bind-interface st0.0;
    ike {
        gateway srx1;
        ipsec-policy pol-basic;
    }
    establish-tunnels immediately;
}

Don’t forget “establish-tunnels immediately“, if this is forgotten, you don’t see any output in “show security ike security-associations” command until traffic is generated.

[edit]
root@srx2# show routing-options
static {
    route 10.1.1.0/24 next-hop 10.2.2.1;
    route 172.16.100.0/24 next-hop 10.11.11.1;
    route 192.168.200.0/24 next-hop 10.11.11.1;
}
[edit]
root@srx2# show interfaces st0
unit 0 {
    family inet {
        mtu 1490;
        address 10.11.11.2/24;
    }
}

Lets ping linux IP from SRX2

root@srx2> ping 192.168.200.1 source 172.16.200.1
PING 192.168.200.1 (192.168.200.1): 56 data bytes
64 bytes from 192.168.200.1: icmp_seq=0 ttl=63 time=4.316 ms
64 bytes from 192.168.200.1: icmp_seq=1 ttl=63 time=3.088 ms
64 bytes from 192.168.200.1: icmp_seq=2 ttl=63 time=3.538 ms
64 bytes from 192.168.200.1: icmp_seq=3 ttl=63 time=3.440 ms
^C
--- 192.168.200.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.088/3.595/4.316/0.448 ms

Yep it works.

Here is the linux device config:

root@tux:/etc/ipsec# ip addr
1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:e6:32:ab:bd brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth1
    inet 192.168.200.1/24 scope global eth1
    inet6 fe80::216:e6ff:fe32:abbd/64 scope link
       valid_lft forever preferred_lft forever
3: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:02:44:af:ce:1b brd ff:ff:ff:ff:ff:ff
    inet 10.3.3.2/24 brd 10.3.3.255 scope global eth0
    inet6 fe80::202:44ff:feaf:ce1b/64 scope link
       valid_lft forever preferred_lft forever


root@tux:/etc/ipsec# ip route
172.16.100.0/24 via 10.3.3.1 dev eth0
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.100  metric 1
172.16.200.0/24 via 10.3.3.1 dev eth0
192.168.200.0/24 dev eth1  proto kernel  scope link  src 192.168.200.1
10.1.1.0/24 via 10.3.3.1 dev eth0
10.3.3.0/24 dev eth0  proto kernel  scope link  src 10.3.3.2
169.254.0.0/16 dev eth1  scope link  metric 1000
default via 192.168.0.1 dev eth1  proto static

I want to note something here for linux side config which is somewhat different than srx. We route protected network 172.16.100.0/24 directly to 10.3.3.1 gateway. We don’t use any secure tunnel IP or something else. All is handled by the security policies registered in the kernel. In SRX config it seems linux tunnel address is 10.11.11.3 but this address is never configured in linux side. It isn’t needed. It has local significance in SRX. Let’s see these policies;

root@tux:/etc/ipsec# setkey -DP
172.16.200.0/24[any] 192.168.200.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.1.1.2-10.3.3.2/require
        created: Sep 19 22:18:01 2011  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1026 seq=1 pid=1727
        refcnt=1
172.16.200.0/24[any] 192.168.200.0/24[any] any
        in prio def ipsec
        esp/tunnel/10.1.1.2-10.3.3.2/require
        created: Sep 19 22:18:01 2011  lastused: Sep 20 00:07:46 2011
        lifetime: 0(s) validtime: 0(s)
        spid=1016 seq=2 pid=1727
        refcnt=1
192.168.200.0/24[any] 172.16.200.0/24[any] any
        out prio def ipsec
        esp/tunnel/10.3.3.2-10.1.1.2/require
        created: Sep 19 22:18:01 2011  lastused: Sep 20 00:07:46 2011
        lifetime: 0(s) validtime: 0(s)
        spid=1009 seq=3 pid=1727
        refcnt=1
172.16.100.0/24[any] 192.168.200.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.1.1.2-10.3.3.2/require
        created: Sep 19 22:18:01 2011  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1002 seq=4 pid=1727
        refcnt=1
172.16.100.0/24[any] 192.168.200.0/24[any] any
        in prio def ipsec
        esp/tunnel/10.1.1.2-10.3.3.2/require
        created: Sep 19 22:18:01 2011  lastused: Sep 19 23:20:37 2011
        lifetime: 0(s) validtime: 0(s)
        spid=992 seq=5 pid=1727
        refcnt=1
192.168.200.0/24[any] 172.16.100.0/24[any] any
        out prio def ipsec
        esp/tunnel/10.3.3.2-10.1.1.2/require
        created: Sep 19 22:18:01 2011  lastused: Sep 19 23:20:37 2011
        lifetime: 0(s) validtime: 0(s)
        spid=985 seq=6 pid=1727
        refcnt=1

Here is the setkey.conf file containing security policies;

#!/usr/sbin/setkey -f
flush;
spdflush;

#Security Policy for srx1(HUB)
spdadd 192.168.200.0/24 172.16.100.0/24 any -P out ipsec
           esp/tunnel/10.3.3.2-10.1.1.2/require;
spdadd 172.16.100.0/24 192.168.200.0/24 any -P in ipsec
           esp/tunnel/10.1.1.2-10.3.3.2/require;

#Security Policy for srx2
spdadd 192.168.200.0/24 172.16.200.0/24 any -P out ipsec
           esp/tunnel/10.3.3.2-10.1.1.2/require;
spdadd 172.16.200.0/24 192.168.200.0/24 any -P in ipsec
           esp/tunnel/10.1.1.2-10.3.3.2/require;

racoon.conf file for Auto-IKE etc;

path pre_shared_key "/etc/ipsec/psk.txt";
remote 10.1.1.2 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 192.168.200.0/24 any address 172.16.100.0/24 any {
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
root@tux:/etc/ipsec# cat psk.txt
10.1.1.2 juniper123

In linux side, to initiate security policies and ike (in foreground in debug)

root@tux:/etc/ipsec# setkey -f /etc/ipsec/setkey.conf
root@tux:/etc/ipsec# racoon -F -f -d /etc/ipsec/racoon.conf

Let’s dump security association database;

root@tux:/etc/ipsec# setkey -D
10.3.3.2 10.1.1.2
        esp mode=tunnel spi=459734408(0x1b66fd88) reqid=0(0x00000000)
        E: 3des-cbc  482caa56 1b9ccce6 849efab9 7e29bd86 49625b14 840a4ee1
        A: hmac-md5  b75c86fd 48359a62 f4b3e589 48643e75
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 20 00:20:02 2011   current: Sep 20 00:22:13 2011
        diff: 131(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=1803 refcnt=0
10.1.1.2 10.3.3.2
        esp mode=tunnel spi=185588892(0x0b0fdc9c) reqid=0(0x00000000)
        E: 3des-cbc  52a9f4ee 166257c4 45661f7a 313b7261 7d1a7c75 4828f08d
        A: hmac-md5  605c4dc4 0f1ebb37 f1c90b06 61bc9591
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 20 00:20:02 2011   current: Sep 20 00:22:13 2011
        diff: 131(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=1803 refcnt=0

Lets look at HUB security-associations output;

root@srx1> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
4958363 10.3.3.2        UP     2bcfd4e9e3c9f15b  b3c0a0ff327fec03  Main
4958364 10.2.2.2        UP     361595c98cbb4d21  f2c0b9509392938e  Main

root@srx1> show security ipsec security-associations
  Total active tunnels: 2
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131074 10.3.3.2       500   ESP:3des/md5    1b66fd88 3352/ unlim   -   root
  >131074 10.3.3.2       500   ESP:3des/md5    b0fdc9c  3352/ unlim   -   root
  <131073 10.2.2.2       500   ESP:3des/md5    47d19850 2033/ unlim   -   root
  >131073 10.2.2.2       500   ESP:3des/md5    632bf063 2033/ unlim   -   root

We can see the same SPI in linux SAD as well and the lines I marked as RED are the encryption keys. When I noticed that they are encryption keys, I was shocked! you can decrypt ipsec traffic by using these keys.

I have actually tested this setup and prepared this post. If you see any error, please don’t hesitate to contribute:)

Here are the promised configs of srx1 (hub) and srx2

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN, currently living in the Netherlands and works as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


You have a feedback?

This site uses Akismet to reduce spam. Learn how your comment data is processed.