IPsec VPN Configuration Example: Juniper SSG5

This example illustrates how to configure two IPsec VPN tunnels from a Juniper SSG5 firewall to two ZENs in the zscaler cloud.

As shown in the figure, the internal traffic of the corporate office is in the Trust zone. The WAN port Ethernet 0/0 is in the Untrust zone. It sends Internet-bound traffic through the VPN tunnel to the Zscaler cloud and performs NAT on the traffic that it sends to the Internet.

In this example, the peers are using a pre-shared key for authentication and the FQDN of the peer.

DPD and VPN monitoring must be enabled so the firewall can detect if one VPN goes offline and move the Internet-bound traffic to the other VPN. We are also configuring a route-based VPN where we are creating two tunnels and inserting them as the default routes in the routing table.

NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.

Prerequisites

Before you start configuring the Zscaler service and the firewall, ensure that you send Zscaler the following information:

  • The FQDN of the peer (In this example, it is abc@test.net.)
  • The PSK (In this example, the PSK is abc.)

Additionally, ensure you have the IP addresses of the ZENs. Learn how to locate ZEN IP addresses for your tunnels.

Configure the Zscaler Service

Log in to the admin portal and add the VPN credentials, and then link them to the location as described below.

Adding VPN Credentials

  1. Go to Administration > Resources > VPN Credentials.
  2. Click Add and do the following:
    • Choose FQDN and enter the FQDN abc@test.net. This is the FQDN that was given to Zscaler beforehand.
    • Enter the pre-shared key abc in the text box and confirmation box.
  3. Click Save and activate the change.

Linking VPN Credentials to the Location

  1. Go to Administration > Resources > Locations.
  2. Either Add or Edit a location and do the following:
    • Enter the location name NW Branch.
    • Click the down arrow beside VPN Credentials and choose the credentials you created.
  3. Click Save and activate the change.

Configure the Juniper SSG5 Firewall

This section describes how to configure two IPsec VPN tunnel interfaces on a Juniper SSG5 firewall running version 6.0.0 r3. Refer to the Juniper documentation for additional information about the user interface. Log in to the Juniper SSG5 and complete the tasks below.

Configure the Interfaces and Bind Them to the Trust and Untrust Zones

Configure the following interfaces:

  • Ethernet 0/0 (the egress port) in the Untrust zone
  • bgroup0 (LAN and wireless ports) in the Trust zone
  • Tunnel interfaces in the Untrust zone

The following steps describe how to configure the tunnel.1 interface. Follow the same steps to configure the tunnel.2 interface.

  1. Navigate to Network > Interfaces > List and select New Tunnel IF.
  2. Complete the following:
    • Tunnel Interface Name: tunnel.1
    • Zone (VR): Untrust (trust-vr)
    • Select Unnumbered and from the Interface drop-down, choose ethernet0/0 (trust-vr)
    • Set the MTU to 1300.
  3. Click OK.

Configure the VPN Tunnel Interfaces

Create a static route to the Zscaler ZENs via the gateway learned on Ethernet 0/0.

  1. Navigate to Network > Routing > Destination > trust-vr and click New. Enter the following, and then click OK:
    • IP Address/Netmask: 0.0.0.0/0
    • Click Gateway and complete the following:
      • Interface: ethernet0/0
      • Gateway IP Address: 10.10.104.0/24 (See Prerequisites above to learn how to locate ZEN IP addresses for your organization.)

The following steps describe how to create an IPsec VPN tunnel using the tunnel.1 interface. Follow the same steps to configure the tunnel.2 interface.

  1. Navigate to VPNs > AutoKey Advanced > Gateway and click New.
  2. Complete the following:
    • Gateway Name: vpn-235
    • Click Remote Gateway, select Static IP Address and enter 10.10.104.235. This is the IP address of the Zscaler ZEN in this example. (See Prerequisites above to learn how to locate ZEN IP addresses for your organization.)
  3. Click Advanced and complete the following:
    • Preshared Key: abc
    • Local ID: abc@test.net
    • Security Level: Click Custom and from the Phase-1 Proposal drop-down, select pre-g2-aes128-sha.
    • Mode (Initiator): Click Aggressive
    • Click Enable NAT-Traversal
    • Keepalive Frequency: Enter 5 seconds
    • Peer Status Detection: Select DPD and set the following:
      • Interval: 
      • Threshold: 5
      • Retry: 5
  4. Click Return, and then click OK.

Configure IKE Parameters

The following steps describe how to configure the Phase 2 proposal. Zscaler supports both AES and null encryption. Zscaler recommends using null encryption, as shown in the example below, because it reduces the load on the local router/firewall for traffic destined for the Internet; with null encryption, ESP still authenticates each packet (here with MD5) but does not encrypt the payload in transit to the ZEN. If you would like to use AES, you may purchase a separate subscription and configure the Phase 2 proposal accordingly.

  1. Navigate to VPNs > AutoKey Advanced > P2 Proposal and click New.
  2. Complete the following:
    • Enter a name, such as ZS-VPN.
    • Perfect Forward Secrecy: Select DH Group2.
    • Encapsulation: Select Encryption (ESP).
      • Encryption Algorithm: Choose NULL.
      • Authentication Algorithm: Choose MD5.
    • Lifetime: Set In Time to 8 hours.
  3. Click OK.

The following steps describe how to specify the AutoKey IKE parameters for the tunnel.1 interface. Follow the same steps to configure the tunnel.2 interface.

  1. Navigate to VPNs > AutoKey IKE and click New.
  2. Complete the following:
    • Select Remote Gateway and do the following:
      • Click Predefined and select vpn-235.
      • Outgoing Interface: Select ethernet0/0.
  3. Click Advanced and complete the following:
    • Security Level: Select User Defined (Custom) and from the Phase-2 Proposal drop-down, select ZS-VPN.
    • Select Replay Protection
    • Bind to: Click Tunnel Interface and select tunnel.1
    • Select VPN Monitor and complete the following:
      • Source Interface: ethernet0/0
      • Destination IP: Enter any IP address that is always reachable, such as the ZEN IP address.
      • Select Optimized
      • Select Rekey

Configure Policy-Based Routing

Configure policy-based routing to ensure that the branch can send its outbound traffic from the Trust zone to the Untrust zone, and out through one of the newly created tunnel interfaces.

  1. Navigate to Network > Routing > PBR > Extended ACL.
  2. Select New to create an extended ACL and add an entry for TCP traffic on port 80. Complete the following and click OK:
    • Extended ACL ID: 1
    • Sequence No. 50
    • Destination Port: 80~80
    • Protocol: TCP
  3. Click Add Seq. No, complete the following to add an entry for TCP traffic on port 443, and then click OK:
    • Sequence No. 60
    • Destination Port: 443~443
    • Protocol: TCP
  4. Click Add Seq. No, complete the following to add an entry for ICMP traffic, and then click OK:
    • Sequence No. 70
    • Protocol: ICMP
  5. Click Add Seq. No, complete the following to add an entry for UDP traffic on port 53, and then click OK:
    • Sequence No. 80
    • Destination Port: 53~53
    • Protocol: UDP

Create a match group named test to match the newly created extended ACL.

  1. Navigate to Network > Routing > PBR > Match Group and click New.
  2. Complete the following:
    • Match Group Name: test
    • Seq. No: 10
    • Extended ACL: Select 1.
  3. Click OK.

Create an action group named test2, and set the next hop to tunnel.1 and tunnel.2.

  1. Navigate to Network > PBR > Action Group and click New to create an action group.
  2. Complete the following and click OK to add an entry for tunnel.1:
    • Action Group Name: test2
    • Seq. No: 30
    • Route To: Click Interface and select tunnel.1.
  3. Complete the following and click OK to add an entry for tunnel.2:
    • Action Group Name: test2
    • Seq. No: 10
    • Route To: Click Interface and select tunnel.2.

Create a policy test2 and specify the match group test and action group test2.

  1. Navigate to Network > Routing > PBR > Policy and click New.
  2. Complete the following and click OK:
    • Policy Name: test2
    • Seq. No: 10
    • Match Group: Select test.
    • Action Group: Select test2.

Bind the test2 policy to the Trust interfaces.

  1. Navigate to Network > Routing > PBR > Policy Binding.
  2. Do the following to bind the test2 policy to the wireless0/0 interface:
    • Click N/A in the Policy Name field to the right of wireless0/0.
    • In the Policy Binding dialog, click Enable and from the Policy drop-down, select test2. Click OK to exit the dialog.
  3. Do the following to bind the test2 policy to the bgroup0 interface:
    • Click N/A in the Policy Name field to the right of bgroup0.
    • In the Policy Binding dialog, click Enable and from the Policy drop-down, select test2. Click OK to exit the dialog.

Define the Policies

Create two policies. Create one policy that allows traffic from the Trust to the Untrust zone and another policy that allows traffic from the Untrust to the Trust zone.

  1. Navigate to Policy > Policies.
  2. Select the following, and then click New:
    • From drop-down: Select Trust
    • To drop-down: Select Untrust
  3. Complete the following and click OK:
    • Source Address: Any
    • Destination Address: Any
    • Service: Any
    • Action: Permit

Create the same policy from the Untrust zone to the Trust zone. Following are the completed policies:

After you have completed the configuration, you can monitor the status of the tunnel by navigating to VPNs > Monitor Status.

You can also test the tunnel by browsing from the Trust zone (through the wireless or bgroup0 LAN ports) to any site, such as www.google.com. You are then required to log in to the Zscaler cloud before you can access the site.

Troubleshooting

Following are some sample commands that you can use to monitor and troubleshoot the VPNs.

View the SA

login: netscreen
password:
ssg5-serial-wlan-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000014< 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
00000014> 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
00000015< 10.10.104.235 500 esp:null/md5 33511797 2149 unlim A/U -1 0
00000015> 10.10.104.235 500 esp:null/md5 008a8a67 2149 unlim A/U -1 0

ssg5-serial-wlan-> get sa active
Total active sa: 1
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000015< 10.10.104.235 500 esp:null/md5 33511797 2048 unlim A/U -1 0
00000015> 10.10.104.235 500 esp:null/md5 008a8a67 2048 unlim A/U -1 0

ssg5-serial-wlan-> get sa stat
total configured sa: 2
HEX ID Gateway Fragment Auth-Fail Other Totalbytes
00000014< 10.10.104.71 0 0 0 0
00000014> 10.10.104.71 0 0 0 0
00000015< 10.10.104.235 0 0 0 345976469
00000015> 10.10.104.235 0 0 0 32472216

ssg5-serial-wlan-> get sa id 20
index 0, name VPN-71, peer gateway ip 10.10.104.71. vsys<Root>
auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<0xffffffff>.
tunnel id 20, peer id 0, NSRP Local. site-to-site. Local interface is ethernet0/0 <10.10.120.41>.
 esp, group 2, null encryption, md5 authentication
 autokey, IN inactive, OUT inactive
 monitor<1>, latency: -1, availability: 0
 DF bit: clear
 app_sa_flags: 0x5000a4
 proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
 ike activity timestamp: 1782025
nat-traversal map not available
incoming: SPI 00000000, flag 00004000, tunnel info 40000014, pipeline
 life 0 sec, expired, 0 kb, 0 bytes remain
 anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 1744 seconds
 next pak sequence number: 0x0
outgoing: SPI 00000000, flag 00000000, tunnel info 40000014, pipeline
 life 0 sec, expired, 0 kb, 0 bytes remain
 anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 1744 seconds
 next pak sequence number: 0x0

ssg5-serial-wlan-> get sa id 21
index 1, name vpn-81, peer gateway ip 10.10.104.235. vsys<Root>
auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<0xffffffff>.
tunnel id 21, peer id 1, NSRP Local. site-to-site. Local interface is ethernet0/0 <10.10.120.41>.
 esp, group 2, null encryption, md5 authentication
 autokey, IN active, OUT active
 monitor<1>, latency: 1, availability: 100
 DF bit: clear
 app_sa_flags: 0x4000a7
 proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
 ike activity timestamp: 1732254
nat-traversal map not available
incoming: SPI 33511799, flag 00004000, tunnel info 40000015, pipeline
 life 3600 sec, 3537 remain, 0 kb, 0 bytes remain
 anti-replay on, last 0x1724, window 0xffffffff, idle timeout value <0>, idled 0 seconds
 next pak sequence number: 0x0
outgoing: SPI 01c2e484, flag 00000000, tunnel info 40000015, pipeline
 life 3600 sec, 3537 remain, 0 kb, 0 bytes remain
 anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
 next pak sequence number: 0xc52
ssg5-serial-wlan->
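As an added example (not part of the Zscaler or Juniper documentation), the following Python script parses the 'get sa' summary table shown above and reports each ZEN gateway as up or down, so the failover between the two tunnels can be monitored from a script instead of by reading the table. It assumes the command output has been captured to text (for example from the serial console); the embedded sample is a constructed copy of the table above.

```python
"""Added example: health check over ScreenOS 'get sa' output (not Juniper or
Zscaler code). A ZEN tunnel counts as down unless both SA directions are
active, have a non-zero SPI and have lifetime remaining."""
import re
from collections import defaultdict

# Constructed sample: the 'get sa' table from the troubleshooting section.
SAMPLE_GET_SA = """\
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000014< 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
00000014> 10.10.104.71 500 esp:null/md5 00000000 expir unlim I/I -1 0
00000015< 10.10.104.235 500 esp:null/md5 33511797 2149 unlim A/U -1 0
00000015> 10.10.104.235 500 esp:null/md5 008a8a67 2149 unlim A/U -1 0
"""

# One SA row: hex id, direction (< in, > out), gateway, port, algorithm, SPI,
# lifetime in seconds or 'expir', kb, then a state such as A/U or I/I.
ROW = re.compile(
    r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\d+(?:\.\d+){3})\s+\d+\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]{8})\s+(?P<life>\S+)\s+\S+\s+(?P<sta>\w/\w)"
)

def parse_sa_table(text):
    """Return one dict per SA row; header and prompt lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def tunnel_health(rows):
    """Map gateway IP -> (is_up, list of reasons it is not up)."""
    by_gw = defaultdict(dict)
    for r in rows:
        by_gw[r["gw"]][r["dir"]] = r
    report = {}
    for gw, dirs in by_gw.items():
        reasons = []
        for d in "<>":                      # check inbound and outbound SA
            r = dirs.get(d)
            if r is None:
                reasons.append(f"{d} SA missing")
                continue
            if r["sta"][0] != "A":          # first letter: A active, I inactive
                reasons.append(f"{d} state {r['sta']}")
            if r["spi"] == "00000000":      # no SPI negotiated
                reasons.append(f"{d} SPI zero")
            if not r["life"].isdigit():     # 'expir' instead of seconds left
                reasons.append(f"{d} lifetime {r['life']}")
        report[gw] = (not reasons, reasons)
    return report

if __name__ == "__main__":
    for gw, (up, why) in tunnel_health(parse_sa_table(SAMPLE_GET_SA)).items():
        print(f"{gw}: {'UP' if up else 'DOWN'} {'; '.join(why)}")
```

Run against the sample, it reports 10.10.104.235 as UP and 10.10.104.71 as DOWN with the inactive state, zero SPI and expired lifetime as the reasons, matching the 'get sa active' output above.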

Clear an SA

ssg5-serial-wlan-> clear sa 21

Locating ZEN IP Addresses

  1. Go to ips.<your cloud name>.net. You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?
  2. From the menu on the left, click Cloud Enforcement Node Ranges.
  3. Locate the VPN Host Name of the two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel.

For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination.