IPSec VPN Configuration Example: Juniper SSG 20


This configuration example shows how to configure two IPSec VPN tunnels from a Juniper SSG 20 firewall running ScreenOS 6.2.0r1.0 to two Zscaler Enforcement Nodes (ZENs) in the Zscaler cloud. See the Juniper documentation to learn more about the WebUI.

As shown in the figure below, the internal traffic of the corporate office is in the Trust zone. The WAN port Ethernet 0/0 is in the Untrust zone. It sends internet-bound traffic through the VPN tunnel to the Zscaler cloud and performs NAT on the traffic it sends to the Internet.

A network diagram showing the primary and secondary IPSec tunnels from a Juniper SSG5 to two Zscaler ZENs.

Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.

Dead Peer Detection (DPD) must be enabled so the firewall can detect if a VPN is offline. If this occurs, it routes the internet-bound traffic through the backup VPN. In this configuration example, a route-based VPN is configured, where two tunnels are created and then inserted as the default routes in the routing table.

Prerequisites

Ensure you have the following information for setting up the IPSec VPN tunnels:

Configuring the IPSec VPN Tunnel in the Zscaler Admin Portal

In this configuration example, the peers are using a FQDN and a pre-shared key (PSK) for authentication.

To configure the IPSec VPN tunnels in the Zscaler Admin Portal:

  1. Adding the VPN Credentials

You need the FQDN and PSK when linking the VPN credentials to a location and creating the IKE gateways.

  2. Linking the VPN Credentials to a Location

Configuring the IPSec VPN Tunnel in the Juniper SSG 20 WebUI

The following image shows the interface setup in the Juniper WebUI (Network > Interfaces > List):

Screenshot of the interface list on the Juniper WebUI

Ensure that the internet port (ethernet 0/0) is in the Untrust zone and the bgroup0 LAN and wireless ports are in the Trust zone.

Choose one of the following IKE versions and configure accordingly.

Zscaler recommends using IKEv2 because it's faster and simpler than IKEv1 and fixes IKEv1 vulnerabilities.

After completing the configuration, you can go to VPNs > Monitor Status to see the status of the IPSec VPN tunnels.

Testing the Configuration

You can test the configuration by browsing from the Trust zone (through the wireless or bgroup0 LAN ports) to any website. You must log in to the Zscaler cloud before you can access the site.

Troubleshooting

You can use the following CLI commands to monitor and troubleshoot the IPSec VPN tunnels.

Screenshot of the Monitor Status page in the Juniper SSG5 WebUI. 

Configuration for IKEv2

Configure two tunnel interfaces using the internet port (ethernet 0/0). Ensure both tunnel interfaces are in the Untrust zone.

To configure the primary tunnel interface:

  1. Log in to the Juniper SSG 20 WebUI.
  2. Go to Network > Interfaces > List.
  3. In the upper-right corner, choose Tunnel IF.
  4. Click New.
  5. On the tunnel interface Configuration page, do the following:
    • Tunnel Interface Name: Enter a number for the tunnel interface name. The WebUI prefixes it with "tunnel.", so entering 1 creates tunnel.1. In this example, it's tunnel.1.
    • Zone (VR): Choose Untrust (trust-vr).
    • Unnumbered: Select.
    • Interface: Choose ethernet0/0 (trust-vr).
    • Maximum Transfer Unit(MTU): Enter the optimal MTU for your tunnel. In this example, it's 1400.
    • DNS Proxy: Deselect.
    • Traffic Bandwidth:
      • Egress Maximum Bandwidth: Enter the maximum bandwidth (Kbps) for outbound traffic. In this example, it's 50.
      • Egress Guaranteed Bandwidth: Enter the guaranteed bandwidth (Kbps) for outbound traffic. In this example, it's 40.
      • Ingress Maximum Bandwidth: Enter the maximum bandwidth (Kbps) for inbound traffic. In this example, it's 40.
    • NHRP Enable: Deselect.
  6. Click OK.
  7. Repeat this procedure to configure the backup tunnel interface (tunnel.2).

Screenshot of the Juniper SSG 20 WebUI login page

Screenshot of the List menu in the Juniper WebUI

Screenshot of the Tunnel IF option on the Interfaces (List) page

Screenshot of the New button on the Interfaces (List) page

Screenshot of the tunnel interface configuration on the Configuration page

Create a Phase 1 proposal with the IKE parameters below.

To create a Phase 1 proposal:

  1. Go to VPNs > AutoKey Advanced > P1 Proposal.
  2. Click New.
  3. On the P1 proposal Edit page, do the following:
    • Name: Enter a name for the P1 proposal. In this example, it's ZscalerP1.
    • Authentication Method: Choose Preshare.
    • DH Group: Choose Group 14.
    • Encryption Algorithm: Choose AES-CBC(128 Bits).
    • Hash Algorithm: Ensure it's SHA-1.
    • Lifetime: Configure a lifetime. In this example, it's 24 hours.
  4. Click OK.

Screenshot of the P1 Proposal menu in the Juniper WebUI

Screenshot of the New button on the P1 Proposal page

Screenshot of the P1 proposal configuration on the Edit page

Create a Phase 2 proposal with the IKE parameters below.

To create a Phase 2 proposal:

  1. Go to VPNs > AutoKey Advanced > P2 Proposal.
  2. Click New.
  3. On the P2 proposal Edit page, do the following:
    • Name: Enter a name for the P2 proposal. In this example, it's ZscalerP2.
    • Perfect Forward Secrecy: Choose NO-PFS.
    • Encapsulation: Ensure it's Encryption (ESP).
      • Encryption Algorithm: Choose NULL.

Zscaler recommends using null encryption because this reduces the load on the local router/firewall for traffic destined to the internet. If you would like to use AES, you may purchase a separate subscription. Note that with NULL encryption ESP still authenticates each packet (integrity and origin), but the payload travels in the clear between the firewall and the ZEN; the tunnel protects traffic steering, not confidentiality.

      • Authentication Algorithm: Choose SHA-1.
    • Lifetime:
      • In Time: Configure a lifetime. In this example, it's 8 hours.
      • In Kbytes: Ensure it's "0".
  4. Click OK.

Screenshot of the P2 Proposal menu in the Juniper WebUI

Screenshot of the New button on the P2 Proposal page

Screenshot of the P2 proposal configuration on the Edit page 

Configure two IKE gateways, one for each ZEN. In this example, the primary gateway is named Primary-Gateway and uses the ZEN VIP address 165.225.80.34. The backup gateway is named Backup-Gateway and uses the ZEN VIP address 185.46.212.34.

To configure the primary IKE gateway:

  1. Go to VPNs > AutoKey Advanced > Gateway.
  2. Click New.
  3. On the gateway Edit page, do the following:
    • Gateway Name: Enter a name for the IKE gateway, such as "Primary-Gateway".
    • Version: Choose IKEv2.
    • Remote Gateway: Select.
    • Static IP Address: Select.
    • IP Address/Hostname: Enter the ZEN VIP address for the primary gateway. In this example, it's 165.225.80.34.
    • Peer ID: Leave blank.
    • User: Ensure it's None.
    • Group: Ensure it's None.
  4. Click Advanced.
  5. On the advanced gateway Edit page, do the following:
    • IKEv2 Auth Method: Select.
      • Self: Choose preshare.
      • Peer: Choose preshare.
    • Preshared Key: Enter the pre-shared key for the VPN credentials you added in the Zscaler Admin Portal.
    • Use As Seed: Leave unselected.
    • Local ID: Enter the FQDN for the VPN credentials you added in the Zscaler Admin Portal. In this example, it's the FQDN example@safemarch.com.
    • Outgoing Interface: Ensure it's ethernet0/0.
    • Security Level:
      • User Defined: Choose Custom.
      • Phase 1 Proposal: Choose the P1 proposal you created in 2. Create a Phase 1 Proposal. In this example, it's ZscalerP1.
    • Mode (Initiator): You can't modify this field.
    • Enable NAT-Traversal: Select.
      • UDP Checksum: Leave unselected.
      • Keepalive Frequency: Ensure it's "5".
    • Peer Status Detection: Choose DPD.
      • Interval: Enter "5".
      • Retry: Ensure it's "5".
      • Always Send: Select.
    • Preferred Certificate(optional):
      • Local Cert: Ensure it's None.
      • Peer CA: Ensure it's None.
      • Peer Type: Choose the peer type. In this example, it's X509-SIG.
    • Use Distinguished Name for Peer ID: Leave unselected.
  6. Click Return.
  7. Click OK.
  8. Repeat the procedure to create the backup IKE gateway (Backup-Gateway) using the ZEN VIP address 185.46.212.34.

Screenshot of the Gateway menu in the Juniper WebUI

Screenshot of the New button on the Gateway page

Screenshot of the IKE gateway configuration on the Edit page

Screenshot of the Advanced button on the gateway Edit page

Screenshot of the advanced IKE gateway configuration on the Edit page

Screenshot of the OK button on the gateway Edit page 

Configure two AutoKey IKE VPN tunnels to two different ZENs. In this example, the primary VPN tunnel is configured from the primary IKE gateway (Primary-Gateway). It uses the global ZEN IP address 185.46.212.88 for VPN monitoring. The backup VPN tunnel is configured from the backup IKE gateway (Backup-Gateway). It uses the global ZEN IP address 185.46.212.89 for VPN monitoring.

To configure the primary VPN tunnel:

  1. Go to VPNs > AutoKey IKE.
  2. Click New.
  3. On the AutoKey IKE Edit page, do the following:
    • VPN Name: Enter a name for the VPN tunnel, such as Primary-Tunnel.
    • Remote Gateway: Select.
    • Predefined: Select, and choose the primary IKE gateway you configured in 4. Configure the IKE Gateways. In this example, it's Primary-Gateway.
  4. Click Advanced.
  5. On the advanced AutoKey IKE Edit page, do the following:
    • Security Level:
      • User Defined: Choose Custom.
      • Phase 2 Proposal: Choose the P2 proposal you created in 3. Create a Phase 2 Proposal. In this example, it's ZscalerP2.
    • Replay Protection: Select.
    • Transport mode: Leave unselected.
    • Bind to: Choose Tunnel Interface, and choose the primary tunnel interface you configured in 1. Configure the Tunnel Interfaces. In this example, it's tunnel.1.
    • Proxy-ID: Leave unselected.
    • DSCP Marking: Ensure it's Disable.
    • VPN Group: Ensure it's None.
    • VPN Monitor: Select.
      • Source Interface: Ensure it's ethernet0/0.
      • Destination IP: Enter the global ZEN IP address for your primary tunnel. In this example, it's 185.46.212.88.
      • Optimized: Select.
      • Rekey: Select.
  6. Click Return.
  7. Click OK.
  8. Repeat the procedure to create a backup VPN tunnel (Backup-Tunnel) using the backup tunnel interface (tunnel.2), IKE gateway (Backup-Gateway), and global ZEN IP address (185.46.212.89).

Screenshot of the AutoKey IKE menu in the Juniper WebUI

Screenshot of the New button on the AutoKey IKE page

Screenshot of the VPN configuration on the AutoKey Edit page

Screenshot of the Advanced button on the AutoKey Edit page

Screenshot of the VPN configuration on the advanced AutoKey Edit page 

Screenshot of the OK button on the AutoKey Edit page 

Configure policy-based routing (PBR) so your organization can send its outbound traffic from the Trust to the Untrust security zone and through the tunnel interfaces.

To configure PBR:

Configure an extended Access Control List (ACL). The extended ACL defines the destination IP address, ports, and protocols.

To configure the extended ACL:

  1. Go to Network > Routing > PBR > Extended ACL.
  2. In the upper-right corner, ensure trust-vr is chosen.
  3. Click New.
  4. On the extended ACL Configuration page, do the following to add an entry for TCP traffic on port 80:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Extended ACL ID: Enter "1".
    • Sequence No.: Enter "10".
    • Source IP Address / Netmask: Leave blank.
    • Source Port: Leave blank.
    • Destination IP Address / Netmask: Leave blank.
    • Destination Port: Enter "80~80".
    • Protocol: Choose TCP.
    • IP-TOS (1~255): Leave blank.
  5. Click OK.
  6. Click Add Seq No.
  7. On the extended ACL Configuration page, do the following to add an entry for TCP traffic on port 443:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Extended ACL ID: It's 1. You can't modify this field.
    • Sequence No.: Enter "20".
    • Source IP Address / Netmask: Leave blank.
    • Source Port: Leave blank.
    • Destination IP Address / Netmask: Leave blank.
    • Destination Port: Enter "443~443".
    • Protocol: Choose TCP.
    • IP-TOS (1~255): Leave blank.
  8. Click OK.
  9. Click Add Seq No.
  10. On the extended ACL Configuration page, do the following to add an entry for ICMP traffic:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Extended ACL ID: It's 1. You can't modify this field.
    • Sequence No.: Enter "30".
    • Source IP Address / Netmask: Leave blank.
    • Source Port: Leave blank.
    • Destination IP Address / Netmask: Leave blank.
    • Destination Port: Leave blank.
    • Protocol: Choose ICMP.
    • IP-TOS (1~255): Leave blank.
  11. Click OK.
  12. Click Add Seq No.
  13. On the extended ACL Configuration page, do the following to add an entry for UDP traffic on port 53:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Extended ACL ID: It's 1. You can't modify this field.
    • Sequence No.: Enter "40".
    • Source IP Address / Netmask: Leave blank.
    • Source Port: Leave blank.
    • Destination IP Address / Netmask: Leave blank.
    • Destination Port: Enter "53~53".
    • Protocol: Choose UDP.
    • IP-TOS (1~255): Leave blank.
  14. Click OK.

Your extended ACL configuration should look similar to the following:

Screenshot of the extended ACL configuration

Screenshot of the Extended ACL menu in the Juniper WebUI

Screenshot of the trust-vr option on the Extended ACL List page

Screenshot of the New button on the Extended ACL List page

Screenshot of the extended ACL configuration for TCP port 80 on the Configuration page

Screenshot of the Add Seq No button on the Extended ACL List page

Screenshot of the extended ACL configuration for TCP port 443 on the Configuration page

Screenshot of the Add Seq No button on the Extended ACL List page

Screenshot of the extended ACL configuration for ICMP traffic on the Configuration page

Screenshot of the Add Seq No button on the Extended ACL List page

Screenshot of the extended ACL configuration for UDP port 53 on the Configuration page

Create a match group for the extended ACL.

  1. Go to Network > Routing > PBR > Match Group.
  2. In the upper-right corner, ensure trust-vr is chosen.
  3. Click New.
  4. On the match group Configuration page, do the following:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Match Group Name: Enter a name for the match group. In this example, it's Match-Group.
    • Sequence No.: Enter "10".
    • Extended ACL: Choose the extended ACL you configured in a. Configure an Extended Access Control List. In this example, it's 1.
  5. Click OK.

Your match group configuration should look similar to the following:

Screenshot of the match group configuration

Screenshot of the Match Group menu in the Juniper WebUI

Screenshot of the trust-vr option on the Match Group List page

Screenshot of the New button on the Match Group List page

Screenshot of the match group configuration on the Configuration page

Create an action group and route it to the tunnel interfaces.

  1. Go to Network > Routing > PBR > Action Group.
  2. In the upper-right corner, ensure trust-vr is chosen.
  3. Click New.
  4. On the action group Configuration page, do the following to add an entry for the primary tunnel interface:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Action Group Name: Enter a name for the action group. In this example, it's Action-Group.
    • Sequence No.: Enter "10".
    • Route To:
      • Next Hop: Leave unselected.
      • Interface: Select, and choose the primary tunnel interface you configured in 1. Configure the Tunnel Interfaces. In this example, it's tunnel.1.
  5. Click OK.
  6. Click Add Seq No.
  7. On the action group Configuration page, do the following to add an entry for the backup tunnel interface:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Action Group Name: Enter the same action group name used in step 4 above. In this example, it's Action-Group.
    • Sequence No.: Enter "20".
    • Route To:
      • Next Hop: Leave unselected.
      • Interface: Select, and choose the backup tunnel interface. In this example, it's tunnel.2.
  8. Click OK.

Your action group configuration should look similar to the following:

Screenshot of the action group configuration

Screenshot of the Action Group menu In the Juniper WebUI 

Screenshot of the trust-vr option on the Action Group List page

Screenshot of the New button on the Action Group List page

Screenshot of the action group configuration for the primary tunnel interface on the Configuration page

Screenshot of the Add Seq No button on the Action Group List page

Screenshot of the action group configuration for the backup tunnel interface on the Configuration page

Create a policy for the match and action group.

  1. Go to Network > Routing > PBR > Policy.
  2. In the upper-right corner, ensure trust-vr is chosen.
  3. Click New.
  4. On the policy Configuration page, do the following:
    • Virtual Router: It's automatically named trust-vr. You can't modify this field.
    • Policy Name: Enter a name for the policy. In this example, it's Zscaler-Policy.
    • Sequence No.: Enter "10".
    • Match Group: Choose the match group you created in b. Create a Match Group. In this example, it's Match-Group.
    • Action Group: Choose the action group you created in c. Create an Action Group. In this example, it's Action-Group.
  5. Click OK.

Screenshot of the Policy menu in the Juniper WebUI

Screenshot of the trust-vr option on the Policy List page

Screenshot of the New button on the Policy List page

Screenshot of the policy configuration on the Configuration page 

Bind the policy to the Trust interfaces.

  1. Go to Network > Routing > PBR > Policy Binding.
  2. Under the Policy Name column to the right of the bgroup0 interface, click N/A.
  3. In the Policy Binding window, do the following:
    • Interface: It's automatically named bgroup0. You can't modify this field.
    • Enable: Select.
    • Policy: Choose the policy you created in d. Create a Policy. In this example, it's Zscaler-Policy.
  4. Click OK.
  5. Repeat the procedure to bind the policy to the wireless0/0 interface.

Screenshot of the Policy Binding menu in the Juniper WebUI

Screenshot of the N/A button on the Policy Binding page

Screenshot of the policy binding configuration in the Policy Binding window
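To check which traffic the PBR configuration above actually steers into the tunnels, here is a small model of its decision logic, added as an example; it is not Zscaler's or Juniper's code. It encodes extended ACL 1, Action-Group and the default route from the procedure, and assumes that action-group entries are tried in sequence order and that an entry whose tunnel DPD / VPN Monitor has marked down is skipped, which is how the overview describes primary-to-backup failover; the sample flows are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Extended ACL 1 from the procedure: (sequence no., protocol, destination port range).
# A port range of None means the Destination Port field was left blank (any port).
EXTENDED_ACL_1: List[Tuple[int, str, Optional[Tuple[int, int]]]] = [
    (10, "tcp", (80, 80)),
    (20, "tcp", (443, 443)),
    (30, "icmp", None),
    (40, "udp", (53, 53)),
]

# Action-Group from the procedure: sequence 10 -> tunnel.1 (primary), 20 -> tunnel.2 (backup).
ACTION_GROUP: List[Tuple[int, str]] = [(10, "tunnel.1"), (20, "tunnel.2")]

# Where traffic goes when PBR does not apply: the default route on ethernet0/0 with NAT.
DEFAULT_ROUTE = "ethernet0/0 (default route, NAT)"


@dataclass(frozen=True)
class Flow:
    """One outbound flow from the Trust zone; dst_port is None for ICMP."""
    proto: str
    dst_port: Optional[int] = None


def acl_match(flow: Flow, acl=EXTENDED_ACL_1) -> Optional[int]:
    """Return the sequence number of the first ACL entry that matches, or None."""
    for seq, proto, port_range in sorted(acl, key=lambda e: e[0]):
        if proto != flow.proto:
            continue
        if port_range is None:  # blank Destination Port: any port matches
            return seq
        lo, hi = port_range
        if flow.dst_port is not None and lo <= flow.dst_port <= hi:
            return seq
    return None


def select_egress(flow: Flow, tunnel_up: Dict[str, bool],
                  acl=EXTENDED_ACL_1, action_group=ACTION_GROUP) -> Tuple[str, str]:
    """Pick the egress interface for a flow and say why.

    tunnel_up holds the state DPD / VPN Monitor reports per tunnel interface.
    Assumption: action-group entries are tried in sequence order and an entry
    whose tunnel is down is skipped, so a primary failure moves matching
    traffic to the backup tunnel.
    """
    seq = acl_match(flow, acl)
    if seq is None:
        return DEFAULT_ROUTE, "no ACL match: flow is not steered to Zscaler"
    for _, iface in sorted(action_group, key=lambda e: e[0]):
        if tunnel_up.get(iface, False):
            return iface, f"ACL seq {seq} matched; first action-group entry that is up"
    return DEFAULT_ROUTE, f"ACL seq {seq} matched but every tunnel interface is down"


def unsteered(flows: List[Flow], tunnel_up: Dict[str, bool]) -> List[Flow]:
    """Flows that leave via the default route and so never reach the Zscaler tunnel.

    Run this over the services your users actually use to see what the four
    ACL entries do not cover (for example HTTP on a non-standard port, or QUIC).
    """
    return [f for f in flows if select_egress(f, tunnel_up)[0] == DEFAULT_ROUTE]


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [Flow("tcp", 80), Flow("tcp", 443), Flow("udp", 53), Flow("icmp"),
              Flow("tcp", 8080), Flow("udp", 443)]
    both_up = {"tunnel.1": True, "tunnel.2": True}
    primary_down = {"tunnel.1": False, "tunnel.2": True}
    for f in sample:
        print(f, "->", select_egress(f, both_up)[0],
              "| primary down ->", select_egress(f, primary_down)[0])
    print("bypassing Zscaler:", unsteered(sample, both_up))
```

With the page's four entries, TCP 8080 and UDP 443 leave directly through NAT rather than through Zscaler, which is the kind of gap to review before relying on the tunnel for policy enforcement.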

Create two policies, one policy that allows traffic from the Trust to the Untrust zone and another policy that allows traffic from the Untrust to the Trust zone.

  1. Go to Policy > Policies.
  2. On the Policies page, do the following:
    • From: Choose Trust.
    • To: Choose Untrust.
  3. Click New.
  4. On the Policies (From Trust to Untrust) page, do the following:
    • Name (optional): Leave blank.
    • Source Address: Ensure Address Book Entry is chosen and Any is chosen from the drop-down menu.
    • Destination Address: Ensure Address Book Entry is chosen and Any is chosen from the drop-down menu.
    • Service: Ensure it's Any.
    • Application: Ensure it's None.
    • WEB Filtering: Leave unselected.
    • Action: Choose Permit.
    • Tunnel:
      • VPN: Ensure it's None.
      • Modify matching bidirectional VPN policy: Leave unselected.
      • L2TP: Ensure it's None.
    • Logging: Leave unselected.
    • Position at Top: Leave unselected.
    • Session-limit: Leave unselected.
    • Counter: Ensure it's "0".
    • Alarm without drop: Leave unselected.
  5. Click OK.
  6. Repeat the procedure to configure a second policy that allows traffic from Untrust to Trust.

Your policy configuration should look similar to the following:

Screenshot of the configured security zone policies

Screenshot of the Policies menu in the Juniper WebUI

Screenshot of the configured Policies page

Screenshot of the New button on the Policies page

Screenshot of the configured security zone policies on the Policies (From Trust to Untrust) page

Configuration for IKEv1

Configure two tunnel interfaces using the internet port (ethernet 0/0). Ensure both tunnel interfaces are in the Untrust zone.

To configure the primary tunnel interface:

  1. Log in to the Juniper SSG 20 WebUI.
  2. Go to Network > Interfaces > List.
  3. In the upper-right corner, choose Tunnel IF.
  4. Click New.
  5. On the tunnel interface Configuration page, do the following:
    • Tunnel Interface Name: Enter a number for the tunnel interface name. The WebUI prefixes it with "tunnel.", so entering 1 creates tunnel.1. In this example, it's tunnel.1.
    • Zone (VR): Choose Untrust (trust-vr).
    • Unnumbered: Select.
    • Interface: Choose ethernet0/0 (trust-vr).
    • Maximum Transfer Unit(MTU): Enter the optimal MTU for your tunnel. In this example, it's 1400.
    • DNS Proxy: Deselect.
    • Traffic Bandwidth:
      • Egress Maximum Bandwidth: Enter the maximum bandwidth (Kbps) for outbound traffic. In this example, it's 50.
      • Egress Guaranteed Bandwidth: Enter the guaranteed bandwidth (Kbps) for outbound traffic. In this example, it's 40.
      • Ingress Maximum Bandwidth: Enter the maximum bandwidth (Kbps) for inbound traffic. In this example, it's 40.
    • NHRP Enable: Deselect.
  6. Click OK.
  7. Repeat this procedure to configure the backup tunnel interface (tunnel.2).

Screenshot of the Juniper SSG 20 WebUI login page

Screenshot of the List menu in the Juniper WebUI

Screenshot of the Tunnel IF option on the Interfaces (List) page

Screenshot of the New button on the Interfaces (List) page

Screenshot of the tunnel interface configuration on the Configuration page

Create a Phase 2 proposal with the IKE parameters below.

To create a Phase 2 proposal:

  1. Go to VPNs > AutoKey Advanced > P2 Proposal.
  2. Click New.
  3. On the P2 proposal Edit page, do the following:
    • Name: Enter a name for the P2 proposal. In this example, it's ZscalerP2.
    • Perfect Forward Secrecy: Choose NO-PFS.
    • Encapsulation: Ensure it's Encryption (ESP).
      • Encryption Algorithm: Choose NULL.

Zscaler recommends using null encryption because this reduces the load on the local router/firewall for traffic destined to the internet. If you would like to use AES, you may purchase a separate subscription.

      • Authentication Algorithm: Choose MD5.
    • Lifetime:
      • In Time: Configure a lifetime. In this example, it's 8 hours.
      • In Kbytes: Ensure it's "0".
  4. Click OK.

Screenshot of the P2 Proposal menu in the Juniper WebUI

Screenshot of the New button on the P2 Proposal page

Screenshot of the P2 proposal configuration on the Edit page

Configure two IKE gateways, one for each ZEN. In this example, the primary gateway is named Primary-Gateway and uses the ZEN VIP address 165.225.80.34. The backup gateway is named Backup-Gateway and uses the ZEN VIP address 185.46.212.34.

To configure the primary IKE gateway:

  1. Go to VPNs > AutoKey Advanced > Gateway.
  2. Click New.
  3. On the gateway Edit page, do the following:
    • Gateway Name: Enter a name for the IKE gateway, such as "Primary-Gateway".
    • Version: Ensure it's IKEv1.
    • Remote Gateway: Select.
    • Static IP Address: Select.
    • IP Address/Hostname: Enter the ZEN VIP address for the primary gateway. In this example, it's 165.225.80.34.
    • Peer ID: Leave blank.
    • User: Ensure it's None.
    • Group: Ensure it's None.
  4. Click Advanced.
  5. On the advanced gateway Edit page, do the following:
    • IKEv2 Auth Method: You can't modify this field.
      • Self: Choose preshare.
      • Peer: Choose preshare.
    • Preshared Key: Enter the pre-shared key for the VPN credentials you added in the Zscaler Admin Portal.
    • Use As Seed: Leave unselected.
    • Local ID: Enter the FQDN for the VPN credentials you added in the Zscaler Admin Portal. In this example, it's the FQDN example@safemarch.com.
    • Outgoing Interface: Ensure it's ethernet0/0.
    • Security Level:
      • User Defined: Choose Custom.
      • Phase 1 Proposal: Choose pre-g2-aes128-sha.
    • Mode (Initiator): Choose Aggressive.
    • Enable NAT-Traversal: Select.
      • UDP Checksum: Leave unselected.
      • Keepalive Frequency: Ensure it's "5".
    • Peer Status Detection: Choose DPD.
      • Interval: Enter "5".
      • Retry: Ensure it's "5".
      • Always Send: Select.
    • Preferred Certificate(optional):
      • Local Cert: Ensure it's None.
      • Peer CA: Ensure it's None.
      • Peer Type: Choose the peer type. In this example, it's X509-SIG.
    • Use Distinguished Name for Peer ID: Leave unselected.
  6. Click Return.
  7. Click OK.
  8. Repeat the procedure to create the backup IKE gateway (Backup-Gateway) using the ZEN VIP address 185.46.212.34.

Screenshot of the Gateway menu in the Juniper WebUI

Screenshot of the New button on the Gateway page

Screenshot of the IKE gateway configuration on the Edit page

Screenshot of the Advanced button on the gateway Edit page

Screenshot of the advanced IKE gateway configuration on the Edit page

Screenshot of the OK button on the gateway Edit page

Configure two AutoKey IKE VPN tunnels to two different ZENs. In this example, the primary VPN tunnel is configured from the primary IKE gateway (Primary-Gateway). It uses the global ZEN IP address 185.46.212.88 for VPN monitoring. The backup VPN tunnel is configured from the backup IKE gateway (Backup-Gateway). It uses the global ZEN IP address 185.46.212.89 for VPN monitoring.

To configure the primary VPN tunnel:

  1. Go to VPNs > AutoKey IKE.
  2. Click New.
  3. On the AutoKey IKE Edit page, do the following:
    • VPN Name: Enter a name for the VPN tunnel, such as Primary-Tunnel.
    • Remote Gateway: Select.
    • Predefined: Select, and choose the primary IKE gateway you configured in 3. Configure the IKE Gateways. In this example, it's Primary-Gateway.
  4. Click Advanced.
  5. On the advanced AutoKey IKE Edit page, do the following:
    • Security Level:
      • User Defined: Choose Custom.
      • Phase 2 Proposal: Choose the P2 proposal you created in 2. Create a Phase 2 Proposal. In this example, it's ZscalerP2.
    • Replay Protection: Select.
    • Transport mode: Leave unselected.
    • Bind to: Choose Tunnel Interface, and choose the primary tunnel interface you configured in 1. Configure the Tunnel Interfaces. In this example, it's tunnel.1.
    • Proxy-ID: Leave unselected.
    • DSCP Marking: Ensure it's Disable.
    • VPN Monitor: Select.
      • Source Interface: Ensure it's ethernet0/0.
      • Destination IP: Enter the global ZEN IP address for your primary tunnel. In this example, it's 185.46.212.88.
      • Optimized: Select.
      • Rekey: Select.
  6. Click Return.
  7. Click OK.
  8. Repeat the procedure to create a backup IKE VPN tunnel (Backup-Tunnel) using the backup tunnel interface (tunnel.2), IKE gateway (Backup-Gateway), and global ZEN IP address (185.46.212.89).

Screenshot of the AutoKey IKE menu in the Juniper WebUI

Screenshot of the New button on the AutoKey IKE page

Screenshot of the VPN configuration on the AutoKey Edit page

Screenshot of the Advanced button on the AutoKey Edit page

Screenshot of the VPN configuration on the advanced AutoKey Edit page

Screenshot of the OK button on the AutoKey Edit page

    Configure policy-based routing (PBR) so your organization can send its outbound traffic from the Trust to the Untrust security zone and through the tunnel interfaces.

    To configure PBR:

    Configure an extended Access Control List (ACL). The extended ACL defines the destination IP address, ports, and protocols.

    To configure the extended ACL:

    1. Go to Network > Routing > PBR > Extended ACL.
      See image.
    2. In the upper-right corner, ensure trust-vr is chosen.
      See image.
    3. Click New.
      See image.
    4. On the extended ACL Configuration page, do the following to add an entry for TCP traffic on port 80:
      See image.
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Extended ACL ID: Enter "1".
      • Sequence No.: Enter "10".
      • Source IP Address / Netmask: Leave blank.
      • Source Port: Leave blank.
      • Destination IP Address / Netmask: Leave blank.
      • Destination Port: Enter "80~80".
      • Protocol: Choose TCP.
      • IP-TOS (1~255): Leave blank.
    5. Click OK.
    6. Click Add Seq No.
      See image.
    7. On the extended ACL Configuration page, do the following to add an entry for TCP traffic on port 443:
      See image.
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Extended ACL ID: It's 1. You can't modify this field.
      • Sequence No.: Enter "20".
      • Source IP Address / Netmask: Leave blank.
      • Source Port: Leave blank.
      • Destination IP Address / Netmask: Leave blank.
      • Destination Port: Enter "443~443".
      • Protocol: Choose TCP.
      • IP-TOS (1~255): Leave blank.
    8. Click OK.
    9. Click Add Seq. No.
      See image.
    10. On the extended ACL Configuration page, do the following to add an entry for ICMP traffic:
      See image.
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Extended ACL ID: It's 1. You can't modify this field.
      • Sequence No.: Enter "30".
      • Source IP Address / Netmask: Leave blank.
      • Source Port: Leave blank.
      • Destination IP Address / Netmask: Leave blank.
      • Destination Port: Leave blank.
      • Protocol: Choose ICMP.
      • IP-TOS (1~255): Leave blank.
    11. Click OK.
    12. Click Add Seq. No.
      See image.
    13. On the extended ACL Configuration page, do the following to add an entry for UDP traffic on port 53:
      See image.
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Extended ACL ID: It's 1. You can't modify this field.
      • Sequence No.: Enter "40".
      • Source IP Address / Netmask: Leave blank.
      • Source Port: Leave blank.
      • Destination IP Address / Netmask: Leave blank.
      • Destination Port: Enter "53~53".
      • Protocol: Choose UDP.
      • IP-TOS (1~255): Leave blank.
    14. Click OK.

    Your extended ACL configuration should look similar to the following:

    Screenshot of the extended ACL configuration

    Create a match group for the extended ACL.

    1. Go to Network > Routing > PBR > Match Group.
    2. In the upper-right corner, ensure trust-vr is chosen.
    3. Click New.
    4. On the match group Configuration page, do the following:
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Match Group Name: Enter a name for the match group. In this example, it's Match-Group.
      • Sequence No.: Enter "10".
      • Extended ACL: Choose the extended ACL you configured in a. Configure an Extended Access Control List. In this example, it's 1.
    5. Click OK.

    Your match group configuration should look similar to the following:

    Screenshot of the match group configuration

    Create an action group and route it to the tunnel interfaces.

    1. Go to Network > Routing > PBR > Action Group.
    2. In the upper-right corner, ensure trust-vr is chosen.
    3. Click New.
    4. On the action group Configuration page, do the following to add an entry for the primary tunnel interface:
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Action Group Name: Enter a name for the action group. In this example, it's Action-Group.
      • Sequence No.: Enter "10".
      • Route To:
    5. Click OK.
    6. Click Add Seq No.
    7. On the action group Configuration page, do the following to add an entry for the backup tunnel interface:
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Action Group Name: Enter the same action group name used in step d above. In this example, it's Action-Group.
      • Sequence No.: Enter "20".
      • Route To:
    8. Click OK.

    Your action group configuration should look similar to the following:

    Screenshot of the action group configuration

    Create a policy for the match and action group.

    1. Go to Network > Routing > PBR > Policy.
    2. In the upper-right corner, ensure trust-vr is chosen.
    3. Click New.
    4. On the policy Configuration page, do the following:
      • Virtual Router: It's automatically named trust-vr. You can't modify this field.
      • Policy Name: Enter a name for the policy. In this example, it's Zscaler-Policy.
      • Sequence No.: Enter "10".
      • Match Group: Choose the match group you created in b. Create a Match Group. In this example, it's Match-Group.
      • Action Group: Choose the action group you created in c. Create an Action Group. In this example, it's Action-Group.
    5. Click OK.

    Screenshot of the policy configuration on the Configuration page

    Bind the policy to the Trust interfaces.

    1. Go to Network > Routing > PBR > Policy Binding.
    2. Under the Policy Name column to the right of the bgroup0 interface, click N/A.
    3. In the Policy Binding window, do the following:
      • Interface: It's automatically named bgroup0. You can't modify this field.
      • Enable: Select.
      • Policy: Choose the policy you created in d. Create a Policy. In this example, it's Zscaler-Policy.
    4. Click OK.
    5. Repeat the procedure to bind the policy to the wireless0/0 interface. 

    Screenshot of the Policy Binding configuration in the Juniper SSG5 WebUI

    Create two policies, one policy that allows traffic from the Trust to Untrust security zone and another policy that allows traffic from the Untrust to Trust security zone.

    1. Go to Policy > Policies.
    2. On the Policies page, do the following:
      • From: Choose Trust.
      • To: Choose Untrust.
    3. Click New.
    4. On the Policies (From Trust to Untrust) page, do the following:
      • Name (optional): Leave blank.
      • Source Address: Ensure Address Book Entry is chosen and Any is chosen from the drop-down menu.
      • Destination Address: Ensure Address Book Entry is chosen and Any is chosen from the drop-down menu.
      • Service: Ensure it's Any.
      • Application: Ensure it's None.
      • WEB Filtering: Leave unselected.
      • Action: Choose Permit.
      • Tunnel:
        • VPN: Ensure it's None.
        • Modify matching bidirectional VPN policy: Leave unselected.
        • L2TP: Ensure it's None.
      • Logging: Leave unselected.
      • Position at Top: Leave unselected.
      • Session-limit: Leave unselected.
      • Counter: Ensure it's "0".
      • Alarm without drop: Leave unselected.
    5. Click OK.
    6. Repeat the procedure to configure a second policy that allows traffic from Untrust to Trust.

    Your policy configuration should look similar to the following:

    Screenshot of the configured security zone policies

    Enter the following commands to view the SA:

    login: netscreen
    password:
    ssg5-serial-wlan-> get sa
    total configured sa: 2
    HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
    00000014< 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
    00000014> 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
    00000015< 10.10.104.235 500 esp:null/md5 33511797 2149 unlim A/U -1 0
    00000015> 10.10.104.235 500 esp:null/md5 008a8a67 2149 unlim A/U -1 0
    
    ssg5-serial-wlan-> get sa active
    Total active sa: 1
    total configured sa: 2
    HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
    00000015< 10.10.104.235 500 esp:null/md5 33511797 2048 unlim A/U -1 0
    00000015> 10.10.104.235 500 esp:null/md5 008a8a67 2048 unlim A/U -1 0
    
    ssg5-serial-wlan-> get sa stat
    total configured sa: 2
    HEX ID Gateway Fragment Auth-Fail Other Totalbytes
    00000014< 10.10.104.71 0 0 0 0
    00000014> 10.10.104.71 0 0 0 0
    00000015< 10.10.104.235 0 0 0 345976469
    00000015> 10.10.104.235 0 0 0 32472216
    
    ssg5-serial-wlan-> get sa id 20
    index 0, name VPN-71, peer gateway ip 10.10.104.71. vsys<Root>
    auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<0xffffffff>.
    tunnel id 20, peer id 0, NSRP Local. site-to-site. Local interface is ethernet0/0 <10.10.120.41>.
     esp, group 2, null encryption, md5 authentication
     autokey, IN inactive, OUT inactive
     monitor<1>, latency: -1, availability: 0
     DF bit: clear
     app_sa_flags: 0x5000a4
     proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
     ike activity timestamp: 1782025
    nat-traversal map not available
    incoming: SPI 00000000, flag 00004000, tunnel info 40000014, pipeline
     life 0 sec, expired, 0 kb, 0 bytes remain
     anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 1744 seconds
     next pak sequence number: 0x0
    outgoing: SPI 00000000, flag 00000000, tunnel info 40000014, pipeline
     life 0 sec, expired, 0 kb, 0 bytes remain
     anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 1744 seconds
     next pak sequence number: 0x0
    
    ssg5-serial-wlan-> get sa id 21
    index 1, name vpn-81, peer gateway ip 10.10.104.235. vsys<Root>
    auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<0xffffffff>.
    tunnel id 21, peer id 1, NSRP Local. site-to-site. Local interface is ethernet0/0 <10.10.120.41>.
     esp, group 2, null encryption, md5 authentication
     autokey, IN active, OUT active
     monitor<1>, latency: 1, availability: 100
     DF bit: clear
     app_sa_flags: 0x4000a7
     proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
     ike activity timestamp: 1732254
    nat-traversal map not available
    incoming: SPI 33511799, flag 00004000, tunnel info 40000015, pipeline
     life 3600 sec, 3537 remain, 0 kb, 0 bytes remain
     anti-replay on, last 0x1724, window 0xffffffff, idle timeout value <0>, idled 0 seconds
     next pak sequence number: 0x0
    outgoing: SPI 01c2e484, flag 00000000, tunnel info 40000015, pipeline
     life 3600 sec, 3537 remain, 0 kb, 0 bytes remain
     anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
     next pak sequence number: 0xc52
    ssg5-serial-wlan->

    Enter the following command to clear the SA:

    ssg5-serial-wlan-> clear sa 21
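    The get sa tables above are the operator's signal that DPD has moved traffic from the primary tunnel to the backup. As an added example (not part of the Zscaler or Juniper documentation), the following Python script parses that table format, reports which peer is carrying traffic, and flags the null-encryption ESP proposal visible in the output; the sample text is constructed from the session above and the two peer addresses are the ones it shows.

```python
import re
from collections import namedtuple

# Constructed sample: the `get sa` table from the session above, where the primary
# peer (10.10.104.71) has expired SAs and the backup peer (10.10.104.235) is active.
SAMPLE_GET_SA = """\
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000014< 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
00000014> 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
00000015< 10.10.104.235 500 esp:null/md5 33511797 2149 unlim A/U -1 0
00000015> 10.10.104.235 500 esp:null/md5 008a8a67 2149 unlim A/U -1 0
"""

# Fields kept from each row: HEX ID, direction ('<' inbound / '>' outbound), gateway,
# algorithm, SPI, Life:sec ('expir' when expired) and Sta (A/U active-up, I/I inactive).
SaRow = namedtuple("SaRow", "sa_id direction gateway algorithm spi life state")
ROW = re.compile(r"^([0-9a-f]{8})([<>])\s+(\S+)\s+\d+\s+(\S+)\s+([0-9a-f]{8})\s+(\S+)\s+\S+\s+(\S+)")

def parse_get_sa(text):
    """Return the SA rows in `get sa` output; the header and other lines are skipped."""
    return [SaRow(*m.groups()) for m in map(ROW.match, (ln.strip() for ln in text.splitlines())) if m]

def gateway_up(rows, gateway):
    """A peer is up only if both of its SAs are active, unexpired and carry a non-zero SPI."""
    peer = [r for r in rows if r.gateway == gateway]
    return len(peer) == 2 and all(
        r.state.startswith("A") and r.life != "expir" and r.spi != "00000000" for r in peer)

def tunnel_status(rows, primary_gw, backup_gw):
    """Say which tunnel is carrying traffic and flag algorithm settings worth reviewing."""
    primary_up, backup_up = gateway_up(rows, primary_gw), gateway_up(rows, backup_gw)
    warnings = sorted({f"{r.gateway}: {r.algorithm} is ESP with null encryption (integrity only)"
                       for r in rows if r.algorithm.startswith("esp:null")})
    return {"primary_up": primary_up, "backup_up": backup_up,
            "failed_over": backup_up and not primary_up,  # DPD has moved traffic to the backup
            "down": not (primary_up or backup_up), "warnings": warnings}

if __name__ == "__main__":
    for key, value in tunnel_status(parse_get_sa(SAMPLE_GET_SA),
                                    "10.10.104.71", "10.10.104.235").items():
        print(f"{key}: {value}")
```

    The same parser accepts the get sa active output, since its columns are identical.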