IPsec VPN Configuration Example: Juniper SRX


This example illustrates how to configure IPsec VPN tunnels from a Juniper SRX 220 router running version 10.4 to two ZENs in the Zscaler service.

As shown in the figure, the corporate office sends its internal traffic on interfaces ge-0/0/1 through ge-0/0/7 in the Trust zone. The device forwards outbound traffic through the Untrust interface ge-0/0/0. It sends Internet-bound traffic through the tunnel interface st0, which has two sub-interfaces, unit 0 and unit 1.

In this example, the peers are using a pre-shared key for authentication and the FQDN of the peer.

DPD and VPN monitoring must be enabled so the firewall can detect when one VPN goes offline and move the Internet-bound traffic to the other VPN. This is a route-based VPN: two tunnels are created and inserted as the default routes in the routing table.

NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.

Prerequisites

Before you start configuring the Zscaler service and the router, ensure that you send Zscaler the following information:

  • The FQDN of the peer. In this example, it is abc@test.net.
  • The PSK. In this example, the PSK is abc.

Additionally, ensure you have the IP addresses of the ZENs. The steps for locating the ZEN IP addresses for your tunnels are given at the end of this page.

Configuring the Zscaler Service

Log in to the admin portal and do the following:

A. Enter VPN credentials.

  1. Go to Administration > Resources > VPN Credentials.
  2. Click Add and do the following:
    • Choose FQDN and enter the FQDN abc@test.net. This is the FQDN that was given to Zscaler beforehand.
    • Enter the pre-shared key abc in the text box and confirmation box.
  3. Click Save and activate the change.

B. Create a new location and link it to the VPN credentials.

  1. Go to Administration > Resources > Locations.
  2. Click Add.
  3. In the Add Location page, do the following:
    • Enter the location name NW Branch.
    • Click the down arrow beside VPN Credentials and choose the credentials you created.
  4. Click Save and activate the change.

Configuring the Juniper SRX

This section provides sample commands for configuring an IPsec VPN tunnel interface on a Juniper SRX 220 router running version 10.4. Refer to the Juniper documentation for additional information about the commands.

Configure Interfaces

Configure the following interfaces on the router:

  • Interface ge-0/0/0 in the Untrust zone. It obtains its IP address from a DHCP server.
  • Interfaces ge-0/0/1 through ge-0/0/7 in the Trust zone. They are all members of the VLAN vlan-trust, whose Layer 3 interface vlan.0 has the address 192.168.1.1/24.
  • Interface st0 is the tunnel interface. The sub-interfaces unit 0 and unit 1 are configured under st0. Two default routes are configured using st0.0 and st0.1.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    st1 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ st0.0 st0.1 ];
        route 10.10.104.0/24 next-hop 10.10.120.1;
    }
}

Configure Security Parameters

Configure the following security parameters:

  • IKE Phase 1 proposal test with the following attributes:
    • Authentication method: PSK
    • Diffie-Hellman group: 2
    • Encryption algorithm: AES-128-CBC
    • Authentication algorithm: SHA1
    • SA lifetime: 86400 seconds
  • IKE policy ike-policy1 with the following attributes:
    • Mode: Aggressive
    • Pre-shared key: abc
    • Proposal: test
  • Two IKE gateways ike-gate and ike-gate-secondary with the following attributes:
    • IKE policy: ike-policy1
    • Destination addresses: 10.10.104.71 and 10.10.104.235 (See Prerequisites above to learn how to locate ZEN IP addresses for your organization.)
    • DPD: enabled
    • External interface: ge-0/0/0

ike {
    proposal test {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy ike-policy1 {
        mode aggressive;
        proposals test;
        pre-shared-key ascii-text "$9$rYllMXdVYoZj"; ## SECRET-DATA
    }
    policy test {
        mode aggressive;
        proposals test;
        pre-shared-key ascii-text "$9$iHfz9Cu1Eyp0"; ## SECRET-DATA
    }
    gateway ike-gate {
        ike-policy ike-policy1;
        address 10.10.104.71;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        nat-keepalive 20;
        external-interface ge-0/0/0;
    }
    gateway ike-gate-secondary {
        ike-policy ike-policy1;
        address 10.10.104.235;
        dead-peer-detection {
            always-send;
            interval 20;
            threshold 5;
        }
        nat-keepalive 20;
        external-interface ge-0/0/0;
    }
}

Define Additional IPsec Parameters

  • Enable VPN monitoring with an interval of 30 seconds and a threshold of 4.
  • Create an IPsec proposal test with the attributes below. Note that Zscaler supports both AES and null encryption. Zscaler recommends using null encryption, as shown in this example, because it reduces the load on the local router/firewall for traffic destined for the Internet. If you would like to use AES, you may purchase a separate subscription and configure the Phase 2 proposal accordingly.
    • IPsec protocol: ESP
    • Encryption: Null
      Because null encryption is used, an encryption algorithm is not specified in the example commands.
    • Authentication algorithm: HMAC-SHA1-96
    • SA lifetime: 28800 seconds
  • Create two VPNs, ike-vpn and ike-vpn-secondary, with the following attributes:
    • Bind interface: st0.0 and st0.1 respectively
    • Set the DF bit
    • Enable VPN monitoring with the source interface set to ge-0/0/0 and the destination IP set to an address that is always reachable through the security service, such as the ZEN IP address, which is 10.10.104.70 in this example.
    • establish-tunnels: immediately
    • IKE gateway: ike-gate and ike-gate-secondary respectively
    • Idle time: 4000

ipsec {
    vpn-monitor-options {
        interval 30;
        threshold 4;
    }
    proposal test {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        lifetime-seconds 28800;
    }
    policy vpn-policy1 {
        proposal-set test;
    }
    vpn ike-vpn {
        bind-interface st0.0;
        df-bit set;
        vpn-monitor {
            optimized;
            source-interface ge-0/0/0;
            destination-ip 10.10.104.70;
        }
        ike {
            gateway ike-gate;
            idle-time 4000;
            ipsec-policy vpn-policy1;
        }
        establish-tunnels immediately;
    }
    vpn ike-vpn-secondary {
        bind-interface st0.1;
        df-bit set;
        vpn-monitor {
            optimized;
            source-interface ge-0/0/0;
            destination-ip 10.10.104.246;
        }
        ike {
            gateway ike-gate-secondary;
            idle-time 4000;
            ipsec-policy vpn-policy1;
        }
        establish-tunnels immediately;
    }
}
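The NOTE at the top of this page says to add more primary/secondary tunnel pairs when a site needs more than 200 Mbps. The following added example (written for this page; not Zscaler's or Juniper's own tooling) renders the IKE gateway, IPsec VPN, st0 unit and default-route parts of the configuration above as Junos set commands for any number of tunnel pairs, keeping the DPD, VPN-monitor, df-bit, idle-time and establish-tunnels settings the page uses. It generalizes the two-tunnel configuration shown here: st0 units are numbered consecutively and each tunnel gets its own gateway and VPN name. The gateway and VPN names (ike-gate-N, ike-vpn-N), the numbering scheme, and the 198.51.100.x addresses in the sample call are constructed placeholders; the policy names ike-policy1 and vpn-policy1 are the ones defined earlier on this page.

```python
# Added example for this page: generate Junos "set" commands for N
# primary/secondary Zscaler tunnel pairs. Not Zscaler's or Juniper's code.
# Each tunnel is described by (ike_gateway_ip, vpn_monitor_destination_ip),
# mirroring the page, where the gateway address and the vpn-monitor
# destination-ip are different ZEN addresses.


def render_tunnel_pairs(pairs, ike_policy="ike-policy1",
                        ipsec_policy="vpn-policy1",
                        external_interface="ge-0/0/0"):
    """pairs: list of (primary, secondary) tuples; each element is itself a
    (gateway_ip, monitor_ip) tuple.  Returns a list of set commands.
    Unit numbering (constructed convention): primary of pair n binds to
    st0.(2n-2), its secondary to st0.(2n-1)."""
    tunnels = []  # (st0 unit, gateway name, vpn name, gateway ip, monitor ip)
    for n, (primary, secondary) in enumerate(pairs, start=1):
        base = 2 * (n - 1)
        tunnels.append((base, f"ike-gate-{n}", f"ike-vpn-{n}",
                        primary[0], primary[1]))
        tunnels.append((base + 1, f"ike-gate-{n}-secondary",
                        f"ike-vpn-{n}-secondary", secondary[0], secondary[1]))

    cmds = []
    for unit, gw, vpn, gw_ip, mon_ip in tunnels:
        st = f"st0.{unit}"
        cmds += [
            # tunnel sub-interface
            f"set interfaces st0 unit {unit} family inet",
            # IKE gateway with DPD, as on the page
            f"set security ike gateway {gw} ike-policy {ike_policy}",
            f"set security ike gateway {gw} address {gw_ip}",
            f"set security ike gateway {gw} dead-peer-detection always-send",
            f"set security ike gateway {gw} dead-peer-detection interval 20",
            f"set security ike gateway {gw} dead-peer-detection threshold 5",
            f"set security ike gateway {gw} nat-keepalive 20",
            f"set security ike gateway {gw} external-interface {external_interface}",
            # route-based VPN bound to the st0 unit, with VPN monitoring
            f"set security ipsec vpn {vpn} bind-interface {st}",
            f"set security ipsec vpn {vpn} df-bit set",
            f"set security ipsec vpn {vpn} vpn-monitor optimized",
            f"set security ipsec vpn {vpn} vpn-monitor source-interface {external_interface}",
            f"set security ipsec vpn {vpn} vpn-monitor destination-ip {mon_ip}",
            f"set security ipsec vpn {vpn} ike gateway {gw}",
            f"set security ipsec vpn {vpn} ike idle-time 4000",
            f"set security ipsec vpn {vpn} ike ipsec-policy {ipsec_policy}",
            f"set security ipsec vpn {vpn} establish-tunnels immediately",
        ]
    # one default route with every tunnel interface as a next hop
    for unit, *_ in tunnels:
        cmds.append(f"set routing-options static route 0.0.0.0/0 next-hop st0.{unit}")
    return cmds


def default_route_next_hops_of(cmds):
    """Helper for checking the generated output: the st0 units on 0.0.0.0/0."""
    prefix = "set routing-options static route 0.0.0.0/0 next-hop "
    return [c[len(prefix):] for c in cmds if c.startswith(prefix)]


if __name__ == "__main__":
    # First pair uses the addresses from this page; the second pair is a
    # constructed placeholder (198.51.100.0/24 is a documentation range).
    sample = [
        (("10.10.104.71", "10.10.104.70"), ("10.10.104.235", "10.10.104.246")),
        (("198.51.100.1", "198.51.100.1"), ("198.51.100.2", "198.51.100.2")),
    ]
    print("\n".join(render_tunnel_pairs(sample)))
```

The output is pasted into configuration mode on the SRX; the ike proposal/policy, ipsec proposal/policy, zones and NAT from the rest of this page are still needed and are not generated here.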

Configure NAT Parameters

Configure source NAT so that traffic from the Trust zone that goes directly to the Untrust zone is translated to the address of the egress interface. This rule only matches traffic between the Trust and Untrust zones; it does not apply to traffic sent through the tunnel interface.

nat {
    source {
        rule-set nat-out {
            from zone trust;
            to zone untrust;
            rule interface-nat {
                match {
                    source-address 192.168.0.0/16;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}

Troubleshooting

The following sample commands can be used to monitor and troubleshoot the VPNs.

View the Routing Table

Ensure that the default route is present in the routing table with both st0.0 and st0.1 as next hops.

show route
inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:28:59
                      via st0.0
                    > via st0.1
                    [Access-internal/12] 00:28:33
                    > to 10.10.120.1 via ge-0/0/0.0
10.10.104.0/24     *[Static/5] 00:28:33
                    > to 10.10.120.1 via ge-0/0/0.0
10.10.120.0/24     *[Direct/0] 00:28:33
                    > via ge-0/0/0.0
10.10.120.43/32    *[Local/0] 00:28:33
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:28:45
                    > via vlan.0
192.168.1.1/32     *[Local/0] 00:28:59
                      Local via vlan.0

View the Phase 1 SA

show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie Mode
762537  10.10.104.71    UP     d4fe08bb5caa5236  8c2e7176846414f6 Aggressive
762540  10.10.104.235   UP     16c40476f1b054b9  a3fba378716129fa Aggressive

View the Phase 2 SA

show security ipsec security-associations
 Total active tunnels: 2
 ID       Gateway       Port  Algorithm       SPI      Life:sec/kb Mon vsys
 <131073  10.10.104.71  500   ESP:null/sha1 1a39db6d 1763/ unlim U root
 >131073  10.10.104.71  500   ESP:null/sha1 c362105  1763/ unlim U root
 <131074  10.10.104.235 500   ESP:null/sha1 7d034970 3241/ unlim U root
 >131074  10.10.104.235 500   ESP:null/sha1 933e2cd  3241/ unlim U root

Clear the Phase 2 SA

root> show security ipsec security-associations
 Total active tunnels: 1
 ID       Gateway       Port  Algorithm       SPI       Life:sec/kb Mon vsys
 <131073  10.10.104.71  500   ESP:null/sha1 3491a9ba  2758/ unlim U root
 >131073  10.10.104.71  500   ESP:null/sha1 6840028   2758/ unlim U root

root> clear security ipsec security-associations index 131073

root> show security ipsec security-associations
 Total active tunnels: 1
 ID       Gateway       Port  Algorithm       SPI       Life:sec/kb Mon vsys
 <131073  10.10.104.71  500   ESP:null/sha1 d4dd1b0c  3590/ unlim U root
 >131073  10.10.104.71  500   ESP:null/sha1 85115fd   3590/ unlim U root

Similarly, you can use the command clear security ike security-associations to clear the Phase 1 SA.
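The three show commands above are what an operator runs by hand; the following added example (written for this page, not Zscaler's or Juniper's tooling) parses their text output and cross-checks it, so the same check can run from a monitoring job against output collected from the SRX. It verifies that the active default route lists both st0.0 and st0.1, that the Phase 1 SA to each expected ZEN is UP, and that each ZEN has both the inbound (<) and outbound (>) Phase 2 SA. The sample outputs embedded in the block are copied from this page's troubleshooting section and used as constructed test input; the function names and the list of expected gateways are this example's own.

```python
# Added example for this page: parse the SRX "show" output above and report
# tunnel health problems. Not Zscaler's or Juniper's own code.
import re

# Constructed test input: copied from this page's troubleshooting output.
SHOW_ROUTE = """\
inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:28:59
                      via st0.0
                    > via st0.1
                    [Access-internal/12] 00:28:33
                    > to 10.10.120.1 via ge-0/0/0.0
10.10.104.0/24     *[Static/5] 00:28:33
                    > to 10.10.120.1 via ge-0/0/0.0
"""

SHOW_IKE_SA = """\
Index   Remote Address  State  Initiator cookie  Responder cookie Mode
762537  10.10.104.71    UP     d4fe08bb5caa5236  8c2e7176846414f6 Aggressive
762540  10.10.104.235   UP     16c40476f1b054b9  a3fba378716129fa Aggressive
"""

SHOW_IPSEC_SA = """\
 Total active tunnels: 2
 ID       Gateway       Port  Algorithm       SPI      Life:sec/kb Mon vsys
 <131073  10.10.104.71  500   ESP:null/sha1 1a39db6d 1763/ unlim U root
 >131073  10.10.104.71  500   ESP:null/sha1 c362105  1763/ unlim U root
 <131074  10.10.104.235 500   ESP:null/sha1 7d034970 3241/ unlim U root
 >131074  10.10.104.235 500   ESP:null/sha1 933e2cd  3241/ unlim U root
"""

EXPECTED_GATEWAYS = ["10.10.104.71", "10.10.104.235"]  # the two ZENs on this page


def default_route_next_hops(show_route: str) -> list[str]:
    """Next-hop interfaces of the active 0.0.0.0/0 entry in 'show route'."""
    hops, in_default = [], False
    for line in show_route.splitlines():
        if re.match(r"^\S", line):          # a prefix line starts in column 0
            in_default = line.startswith("0.0.0.0/0 ")
            continue
        if in_default:
            if re.search(r"\[\S+/\d+\]", line):   # next (less preferred) path: stop
                break
            m = re.search(r"via (\S+)$", line.strip())
            if m:
                hops.append(m.group(1))
    return hops


def ike_sa_states(show_ike: str) -> dict[str, str]:
    """Remote address -> State from 'show security ike security-associations'."""
    states = {}
    for line in show_ike.splitlines():
        m = re.match(r"^\d+\s+(\S+)\s+(\S+)\s+", line)
        if m:
            states[m.group(1)] = m.group(2)
    return states


def ipsec_sa_directions(show_ipsec: str) -> dict[str, set[str]]:
    """Gateway -> set of SA directions ('<' inbound, '>' outbound) present."""
    dirs: dict[str, set[str]] = {}
    for line in show_ipsec.splitlines():
        m = re.match(r"^\s*([<>])\d+\s+(\S+)\s+\d+\s+\S+", line)
        if m:
            dirs.setdefault(m.group(2), set()).add(m.group(1))
    return dirs


def tunnel_health(expected_gateways, show_route, show_ike, show_ipsec) -> list[str]:
    """Cross-check the three outputs; an empty list means both tunnels are healthy."""
    problems = []
    hops = default_route_next_hops(show_route)
    for iface in ("st0.0", "st0.1"):
        if iface not in hops:
            problems.append(f"default route is missing next-hop {iface}")
    ike = ike_sa_states(show_ike)
    ipsec = ipsec_sa_directions(show_ipsec)
    for gw in expected_gateways:
        if ike.get(gw) != "UP":
            problems.append(f"Phase 1 SA to {gw} is {ike.get(gw, 'absent')}")
        missing = {"<", ">"} - ipsec.get(gw, set())
        if missing:
            problems.append(f"Phase 2 SA to {gw} missing direction(s) {sorted(missing)}")
    return problems


if __name__ == "__main__":
    print(tunnel_health(EXPECTED_GATEWAYS, SHOW_ROUTE, SHOW_IKE_SA, SHOW_IPSEC_SA) or "healthy")
```

With the page's own output the check returns no problems; if the secondary ZEN's lines disappear from the IPsec output (as they would after that tunnel drops and before it re-establishes), the check reports the missing Phase 2 SA for 10.10.104.235 while the route and Phase 1 checks still pass, which is exactly the state DPD and VPN monitoring are configured to detect.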

Locating ZEN IP Addresses

  1. Go to ips.<your cloud name>.net

You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?

  2. From the menu on the left, click Cloud Enforcement Node Ranges.
  3. Locate the VPN Host Name of the two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel.

For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination.