Sometimes you need to set up a tunnel between different kinds of endpoints.
This article walks through the setup between a Juniper SRX and a pfSense appliance. The only complicated part is that pfSense (strongSwan) uses a policy-based tunnel, while on JunOS I wanted to use a route-based tunnel. This works from JunOS 12.3 up through 15.1 (I haven't tested further, but I would expect it to keep working).
NOTE: strongSwan can be somewhat CPU intensive. I've seen it consume multiple E5 cores just pushing 300 Mbit. Depending on your requirements, you may want to skip an embedded-type platform and simply deploy pfSense on a traditional server platform.
Requirements
- route-based tunnel on Junos, policy-based tunnel on pfSense
- IKEv2
- Suite-B(ish) crypto: JunOS requires certificates for Suite-B in phase 1, and I'm not doing that. I am still using SHA-256 and AES-128-CBC for phase 1, and SHA-256 and AES-128-GCM (Suite-B) for phase 2.
JunOS config
Interface:
louisk@srx.cmhome> show configuration interfaces st0
description "FK Office IPSec";
unit 0 {
    family inet;
}

louisk@srx.cmhome>
IKE (phase 1):
louisk@srx.cmhome> show configuration security ike
proposal ike-proposal-fk {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy ike-policy-fk {
    mode main;
    proposals ike-proposal-fk;
    pre-shared-key ascii-text "secret key";
}
gateway ike-gate-fk {
    ike-policy ike-policy-fk;
    address 172.16.16.15;
    dead-peer-detection {
        optimized;
        interval 10;
        threshold 5;
    }
    local-identity inet 172.16.15.14;
    remote-identity inet 172.16.16.15;
    external-interface ge-0/0/15;
    version v2-only;
}

louisk@srx.cmhome>
IPSec (phase 2):
louisk@srx.cmhome> show configuration security ipsec
vpn-monitor-options {
    interval 10;
    threshold 10;
}
policy ipsec-policy-fk {
    perfect-forward-secrecy {
        keys group19;
    }
    proposal-set suiteb-gcm-128;
}
vpn ipsec-vpn-fk {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway ike-gate-fk;
        proxy-identity {
            local 198.18.0.0/20;
            remote 198.18.17.0/24;
        }
        ipsec-policy ipsec-policy-fk;
    }
    establish-tunnels immediately;
}

louisk@srx.cmhome>
The proxy-identity statements are required when the other side is policy-based, since they are what the SRX presents as traffic selectors to the peer.
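A quick sanity check on the selector pairing, added here as an example rather than anything from the original post. It takes the Junos proxy-identity above and an assumed pfSense phase 2 entry (the page only shows that side as screenshots) and confirms that the two sides mirror each other and that every address-book object the zone policies reference falls inside one of the selectors. The pfSense values and the hypothetical function names are my assumptions.

```python
import ipaddress

# The page's Junos proxy-identity (security ipsec vpn ipsec-vpn-fk).
JUNOS_PROXY_IDENTITY = {"local": "198.18.0.0/20", "remote": "198.18.17.0/24"}
# Assumed pfSense phase 2 entry: a policy-based peer must carry the same two
# networks with the roles swapped (local on one side is remote on the other).
PFSENSE_PHASE2 = {"local": "198.18.17.0/24", "remote": "198.18.0.0/20"}
# Address-book objects referenced by the page's trust <-> fk-vpn policies.
POLICY_ADDRESSES = {
    "net-fk_198-18-0-0--20": "198.18.0.0/20",
    "net-fk_198-18-17-0--24": "198.18.17.0/24",
}


def _net(prefix):
    # strict=True rejects a prefix with host bits set (e.g. 198.18.17.1/24),
    # a typo a GUI may accept silently and then negotiate as a different selector.
    return ipaddress.ip_network(prefix, strict=True)


def selector_mismatches(junos, pfsense):
    """Return a list of mismatches between the Junos proxy-identity and the
    pfSense phase 2 networks; an empty list means the selectors mirror."""
    problems = []
    j_local, j_remote = _net(junos["local"]), _net(junos["remote"])
    p_local, p_remote = _net(pfsense["local"]), _net(pfsense["remote"])
    if j_local != p_remote:
        problems.append(
            f"Junos proxy-identity local {j_local} != pfSense phase 2 remote {p_remote}"
        )
    if j_remote != p_local:
        problems.append(
            f"Junos proxy-identity remote {j_remote} != pfSense phase 2 local {p_local}"
        )
    return problems


def uncovered_policy_addresses(junos, addresses):
    """Names of address-book objects used in the zone policy that lie outside
    both proxy-identity networks. Such traffic is permitted by the security
    policy but falls outside the negotiated traffic selectors, so it never
    crosses the tunnel; the symptom is a permit counter that increments while
    nothing arrives on the far side."""
    selectors = [_net(junos["local"]), _net(junos["remote"])]
    return [
        name
        for name, prefix in addresses.items()
        if not any(_net(prefix).subnet_of(sel) for sel in selectors)
    ]


if __name__ == "__main__":
    print("selector mismatches:", selector_mismatches(JUNOS_PROXY_IDENTITY, PFSENSE_PHASE2))
    print("uncovered policy addresses:",
          uncovered_policy_addresses(JUNOS_PROXY_IDENTITY, POLICY_ADDRESSES))
```

Run it before committing on either side; a non-empty list from either function is a configuration error that will show up later as a TS_UNACCEPTABLE during negotiation or as traffic silently going nowhere.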
Security policies:
louisk@srx.cmhome> show configuration security policies
from-zone trust to-zone fk-vpn {
    policy trust-fk-vpn-fk {
        match {
            source-address net-fk_198-18-0-0--20;
            destination-address net-fk_198-18-17-0--24;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
from-zone fk-vpn to-zone trust {
    policy fk-vpn-trust-fk {
        match {
            source-address net-fk_198-18-17-0--24;
            destination-address net-fk_198-18-0-0--20;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}

louisk@srx.cmhome>
If you want to be more granular about what kind of traffic you allow through, you would create additional policy statements and/or provide a list of the applications, ports, and protocols that you wish to allow.
Security zones:
louisk@srx.cmhome> show configuration security zones
security-zone fk-vpn {
    interfaces {
        st0.0;
    }
}
Address book:
louisk@srx.cmhome> show configuration security address-book
global {
    address net-fk_198-18-3-0--24 198.18.3.0/24;
    address net-fk_198-18-11-0--24 198.18.11.0/24;
    address net-fk_198-18-17-0--24 198.18.17.0/24;
}

louisk@srx.cmhome>
pfSense config
Overview: SHA256, AES128 CBC/GCM
Phase 1: 2 screenshots because it's too long for 1
Phase 2: 2 screenshots because it's too long for 1
NOTE: Ensure you allow traffic in and out of the IPsec interface. Without this, you won't get traffic to go where you want.
You can be granular or not; it's up to you. It's probably best to use the same applications, ports, and protocols that were defined in the SRX policy, just to keep things from being more confusing when it comes time to debug.
Verification and testing
Tunnel is up:
louisk@srx.cmhome> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
417185  UP     b35611b7c5d04a6a  cb74bf662dc263f3  IKEv2          172.16.16.15
417186  UP     bee74097383365d5  cf4087031dccc692  IKEv2          172.16.16.15

louisk@srx.cmhome> show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-128/None 6c94a774 2625/ unlim U   root 500   172.16.16.15
  >131073 ESP:aes-gcm-128/None c76b1272 2625/ unlim U   root 500   172.16.16.15

louisk@srx.cmhome> ping count 1 198.18.17.6
PING 198.18.17.6 (198.18.17.6): 56 data bytes
64 bytes from 198.18.17.6: icmp_seq=0 ttl=63 time=131.445 ms

--- 198.18.17.6 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 131.445/131.445/131.445/0.000 ms

louisk@srx.cmhome>
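Reading those two tables by eye is fine once, but if you want the same check in a monitoring job or a post-change script, here is an added example (not from the original post) that parses the `show security ike sa` and `show security ipsec sa` output above and confirms what the article says a healthy tunnel looks like: an IKEv2 SA in state UP to the peer, ESP SAs in both directions using aes-gcm-128, and the VPN monitor reporting up. The sample text is constructed from the page's own output; the function names and the `min_life_sec` threshold are my assumptions.

```python
import re

# Constructed sample output, copied from the article's verification section.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
417185  UP     b35611b7c5d04a6a  cb74bf662dc263f3  IKEv2          172.16.16.15
417186  UP     bee74097383365d5  cf4087031dccc692  IKEv2          172.16.16.15
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-128/None 6c94a774 2625/ unlim U   root 500   172.16.16.15
  >131073 ESP:aes-gcm-128/None c76b1272 2625/ unlim U   root 500   172.16.16.15
"""

# One IKE SA per line: index, state, two 16-hex-digit cookies, mode, peer.
IKE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<peer>\S+)\s*$"
)
# One ESP SA per line: direction marker (< inbound, > outbound), id, cipher/auth,
# SPI, lifetime in seconds and kilobytes, VPN-monitor flag, lsys, port, peer.
IPSEC_RE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+"
    r"(?P<mon>\S)\s+(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<peer>\S+)\s*$"
)


def parse_ike_sas(text):
    """Return one dict per IKE SA row; header and prompt lines do not match."""
    rows = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def parse_ipsec_sas(text):
    """Return one dict per ESP SA row; the 'Total active tunnels' line is skipped."""
    rows = []
    for line in text.splitlines():
        m = IPSEC_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def check_tunnel(ike_text, ipsec_text, peer, enc="aes-gcm-128", mode="IKEv2",
                 min_life_sec=60):
    """Evaluate the health of the tunnel to `peer` and return a summary dict.
    `ok` is True only when nothing in `problems` was found."""
    problems = []
    ike = [sa for sa in parse_ike_sas(ike_text) if sa["peer"] == peer]
    ike_up = [sa for sa in ike if sa["state"] == "UP"]
    if not ike_up:
        problems.append(f"no IKE SA in state UP for {peer}")
    for sa in ike_up:
        if sa["mode"] != mode:
            problems.append(f"IKE SA {sa['index']} negotiated {sa['mode']}, expected {mode}")

    esp = [sa for sa in parse_ipsec_sas(ipsec_text) if sa["peer"] == peer]
    directions = {sa["dir"] for sa in esp}
    if directions != {"<", ">"}:
        problems.append(f"expected inbound (<) and outbound (>) ESP SAs, found {sorted(directions)}")
    for sa in esp:
        if sa["enc"] != enc:
            problems.append(f"ESP SA {sa['dir']}{sa['id']} uses {sa['enc']}, expected {enc}")
        if sa["mon"] == "D":  # Junos prints D when the VPN monitor marks the SA down
            problems.append(f"VPN monitor reports ESP SA {sa['dir']}{sa['id']} down")
        if int(sa["life_sec"]) < min_life_sec:
            problems.append(f"ESP SA {sa['dir']}{sa['id']} has only {sa['life_sec']}s of lifetime left")

    return {"ok": not problems, "ike_up": len(ike_up),
            "esp_directions": directions, "problems": problems}


if __name__ == "__main__":
    print(check_tunnel(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, "172.16.16.15"))
```

The monitor flag is the one worth alerting on: with `vpn-monitor` enabled, a `D` there means the SA exists but the far side has stopped answering, which is exactly the state where the IKE table still looks fine.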
Policy counters/statistics after the tunnel has been up for a little while. You should see numbers > 0 for almost everything here.
louisk@srx.cmhome> show security policies from-zone trust to-zone fk-vpn detail
Policy: trust-fk-vpn-fk, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: fk-vpn
  Source addresses:
    net-fk_198-18-0-0--20(global): 198.18.0.0/20
  Destination addresses:
    net-fk_198-18-17-0--24(global): 198.18.17.0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes        :     3012203789            150186 bps
    Initial direction   :       58949928              3970 bps
    Reply direction     :     2953253861            146215 bps
    Output bytes        :     3012138137            149984 bps
    Initial direction   :       58949096              3970 bps
    Reply direction     :     2953189041            146013 bps
    Input  packets      :        3266500               176 pps
    Initial direction   :        1109665                69 bps
    Reply direction     :        2156835               106 bps
    Output packets      :        3266415               176 pps
    Initial direction   :        1109649                69 bps
    Reply direction     :        2156766               106 bps
    Session rate        :            197                 0 sps
    Active sessions     :              1
    Session deletions   :            196
    Policy lookups      :            197

louisk@srx.cmhome>
pfSense ICMP test:
pfSense should also show traffic flowing across the tunnel.