
[SRX] Example - Configuring multiple traffic selectors on a route-based VPN


Article ID: KB28820 | Last Updated: 20 Jun 2019 | Version: 6.0
Summary:

This article explains how to use multiple traffic selectors on a route-based VPN. A traffic selector (also known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA.

Note: Multiple traffic selectors on a route-based VPN was introduced in Junos OS Release 12.1X46; see the Junos OS 12.1X46 Release Notes.

Symptoms:

If you want to establish a VPN to two or more remote private networks, you must dedicate a VPN to each such network. In versions prior to Junos OS Release 12.1X46, for a route-based VPN you had to create a separate st0 interface for each remote private network, and for a policy-based VPN you had to create a separate security policy with a tunnel binding that named each remote private network as the destination. The effort to configure each new IPsec VPN in Junos OS Release 12.1X46 and earlier therefore increased significantly with every additional VPN. This article provides an alternative that avoids this situation.

Solution:

Topology:

10.1.0.0/16 <--->                                              <---> 192.168.1.0/24
                 [SRX] 2.2.2.2 <----VPN----> 3.3.3.3 [VPN PEER]
10.2.0.0/16 <--->                                              <---> 192.168.2.0/24


SRX Configuration - Multiple subnets using a single route-based VPN:

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.0.0/16;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 10.2.0.0/16;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 172.27.199.0/24 next-hop 172.27.201.3;
        route 3.3.3.0/24 next-hop 2.2.2.1;
        route 192.168.1.0/24 next-hop st0.0;    <-- Not needed
        route 192.168.2.0/24 next-hop st0.0;    <-- Not needed: traffic selectors automatically install routes to the matching SA; this process is known as auto route insertion (ARI)
    }
}
security {
    ike {
        policy p1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$yureMXVwgUjq7-jqmfn6rev"; ## SECRET-DATA
        }
        gateway g1 {
            ike-policy p1;
            address 3.3.3.3;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        policy p1 {
            proposal-set standard;
        }
        vpn v1 {
            bind-interface st0.0;
            ike {
                gateway g1;
                ipsec-policy p1;
            }
            traffic-selector t1 {
                local-ip 10.1.0.0/16;
                remote-ip 192.168.1.0/24;
            }
            traffic-selector t2 {
                local-ip 10.2.0.0/16;
                remote-ip 192.168.2.0/24;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.0;
                fe-0/0/2.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

In set format:
set interfaces fe-0/0/0 unit 0 family inet address 2.2.2.2/24
set interfaces fe-0/0/1 unit 0 family inet address 10.1.0.0/16
set interfaces fe-0/0/2 unit 0 family inet address 10.2.0.0/16
set interfaces st0 unit 0 family inet

set routing-options static route 172.27.199.0/24 next-hop 172.27.201.3
set routing-options static route 3.3.3.0/24 next-hop 2.2.2.1
set routing-options static route 192.168.1.0/24 next-hop st0.0    <-- Not needed
set routing-options static route 192.168.2.0/24 next-hop st0.0    <-- Not needed
[Note: traffic selectors automatically install routes to the matching SA; this process is known as auto route insertion (ARI).]

set security ike policy p1 mode main    
set security ike policy p1 proposal-set standard
set security ike policy p1 pre-shared-key ascii-text "$9$yureMXVwgUjq7-jqmfn6rev"
set security ike gateway g1 ike-policy p1
set security ike gateway g1 address 3.3.3.3
set security ike gateway g1 external-interface fe-0/0/0

set security ipsec policy p1 proposal-set standard
set security ipsec vpn v1 bind-interface st0.0
set security ipsec vpn v1 ike gateway g1
set security ipsec vpn v1 ike ipsec-policy p1
set security ipsec vpn v1 traffic-selector t1 local-ip 10.1.0.0/16
set security ipsec vpn v1 traffic-selector t1 remote-ip 192.168.1.0/24
set security ipsec vpn v1 traffic-selector t2 local-ip 10.2.0.0/16
set security ipsec vpn v1 traffic-selector t2 remote-ip 192.168.2.0/24
set security ipsec vpn v1 establish-tunnels immediately

set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0



Verification - Each traffic selector:

[edit]
root@100-5# run show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
8262    UP     708f2fb601773e78  43cde54a81b6fd58  Main           3.3.3.3         

[edit]
root@100-5# run show security ipsec sa 
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <268173314 ESP:3des/sha1 fa00cf7f 3476/ unlim -  root 500   3.3.3.3         
  >268173314 ESP:3des/sha1 726f8591 3476/ unlim -  root 500   3.3.3.3         
  <268173313 ESP:3des/sha1 69385788 3501/ unlim -  root 500   3.3.3.3         
  >268173313 ESP:3des/sha1 4897cca3 3501/ unlim -  root 500   3.3.3.3         
  
***** Two SAs for each traffic selector *****

root@100-5# run show security ipsec security-associations detail 
  ID: 268173314 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t1 <-- corresponding traffic selector
  Local Identity: ipv4(10.1.0.0-10.1.255.255)
  Remote Identity: ipv4(192.168.1.0-192.168.1.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: fa00cf7f, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3469 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2905 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 726f8591, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3469 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2905 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173313 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t2 <-- corresponding traffic selector
  Local Identity: ipv4(10.2.0.0-10.2.255.255)
  Remote Identity: ipv4(192.168.2.0-192.168.2.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 69385788, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3494 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2892 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 4897cca3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3494 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2892 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
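As an added verification aid that is not part of the KB article, the following Python script parses captured `show security ipsec security-associations detail` output and confirms that every configured traffic selector has both an inbound and an outbound SA whose negotiated Local/Remote Identity ranges cover exactly the configured local-ip and remote-ip prefixes. The sample output embedded below is constructed from the article's own verification output, abridged to the lines the check needs; the `CONFIGURED` table mirrors the `traffic-selector t1`/`t2` stanzas under `security ipsec vpn v1`.

```python
import ipaddress
import re
# Constructed sample: the two SA entries from the article's "show security ipsec security-associations detail" output, abridged.
SA_DETAIL = """\
  Traffic Selector Name: t1
  Local Identity: ipv4(10.1.0.0-10.1.255.255)
  Remote Identity: ipv4(192.168.1.0-192.168.1.255)
    Direction: inbound, SPI: fa00cf7f, AUX-SPI: 0
    Direction: outbound, SPI: 726f8591, AUX-SPI: 0
  Traffic Selector Name: t2
  Local Identity: ipv4(10.2.0.0-10.2.255.255)
  Remote Identity: ipv4(192.168.2.0-192.168.2.255)
    Direction: inbound, SPI: 69385788, AUX-SPI: 0
    Direction: outbound, SPI: 4897cca3, AUX-SPI: 0
"""
# Traffic selectors as configured under [security ipsec vpn v1]: name -> (local-ip, remote-ip)
CONFIGURED = {"t1": ("10.1.0.0/16", "192.168.1.0/24"),
              "t2": ("10.2.0.0/16", "192.168.2.0/24")}
def parse_sa_detail(text):
    """Group the detail output by traffic selector: negotiated identities and SA directions."""
    sas, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Traffic Selector Name: (\S+)", line):
            cur = sas.setdefault(m.group(1), {"dirs": set()})
        elif cur and (m := re.match(r"(Local|Remote) Identity: ipv4\(([\d.]+)-([\d.]+)\)", line)):
            cur[m.group(1).lower()] = (m.group(2), m.group(3))  # (first, last) address
        elif cur and (m := re.match(r"Direction: (inbound|outbound), SPI:", line)):
            cur["dirs"].add(m.group(1))
    return sas
def range_is_prefix(rng, prefix):
    """True if the negotiated first-last range covers exactly the configured prefix."""
    net = ipaddress.ip_network(prefix)
    return (ipaddress.ip_address(rng[0]) == net.network_address
            and ipaddress.ip_address(rng[1]) == net.broadcast_address)
def check_selectors(configured, sas):
    """Return problems found; empty means each selector has inbound+outbound SAs matching its config."""
    problems = []
    for name, (local, remote) in configured.items():
        if (sa := sas.get(name)) is None:
            problems.append(f"{name}: no IPsec SA negotiated")
            continue
        for d in ("inbound", "outbound"):  # the article expects two SAs per selector
            if d not in sa["dirs"]:
                problems.append(f"{name}: {d} SA missing")
        for side, want in (("local", local), ("remote", remote)):
            if not range_is_prefix(sa.get(side, ("0.0.0.0", "0.0.0.0")), want):
                problems.append(f"{name}: {side} identity {sa.get(side)} != {want}")
    return problems
```

Run `check_selectors(CONFIGURED, parse_sa_detail(output))` against live output; an empty list means the negotiated SAs agree with the configured selectors, and any mismatch names the selector and side so a peer-side proxy-ID error can be spotted without reading the full detail listing.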

Modification History:

2019-06-20: Added 'set' configuration to example.
2017-10-25: Added a line about auto route insertion (ARI) in the Solution section.
