
[SRX] Configuration example - site to site VPN between SRX and strongSwan

Article ID: KB34920


Summary:

This article explains how to configure a site-to-site VPN between a vSRX/SRX and a strongSwan peer using IKEv1 with a pre-shared key. The algorithms shown (IKEv1 main mode, DH group 2 / modp1024, SHA-1 integrity, a short PSK) reproduce a lab setup and favour interoperability; for production, prefer IKEv2 where both ends support it, DH group 14 (modp2048) or stronger, SHA-2 integrity and a long, randomly generated pre-shared key, keeping the proposals identical on both peers.

Solution:

Example Network Diagram:

           192.168.1.1/30(eth1)           192.168.1.2/30(ge-0/0/0.0)
              ||strongSwan-------------------v/SRX||st0.2
        10.9.141.1/24(lo:1)              10.10.27.1/32(lo0.0)
 

 

  •  192.168.1.1 and 192.168.1.2 are the VPN endpoints on strongSwan (CentOS 7) and the vSRX respectively.
  •  st0.2 is tunnel interface on the vSRX.
  •  VPN traffic is between subnets 10.9.141.0/24 & 10.10.27.0/24 - Proxy IDs.
  •  Loopback interfaces on both devices are used as test hosts. The security policies below permit any source, destination and application between the VPN and TRUST-RO1 zones for simplicity; in production, restrict them to the proxy-ID subnets and the services actually required.

Configuration on vSRX (the `$9$...` value in the IKE policy below is the Junos-obfuscated form of the pre-shared key, which is reversible rather than hashed—treat it as the secret itself and never publish a production value; the key is entered in clear text with `pre-shared-key ascii-text` and Junos stores it in this form):

# show security ike | display set
set security ike proposal swan-phase1 authentication-method pre-shared-keys
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ike proposal swan-phase1 lifetime-seconds 28800

set security ike policy phase1 proposals swan-phase1
set security ike policy phase1 pre-shared-key ascii-text "$9$6Qx-/pO1IclvLEcgJDkTQEcyreWLxNVs2"

set security ike gateway swan ike-policy phase1
set security ike gateway swan address 192.168.1.1
set security ike gateway swan external-interface ge-0/0/0.0

# show security ipsec | display set      
set security ipsec proposal swan-phase2 protocol esp
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 lifetime-seconds 3600

set security ipsec policy phase-2 proposals swan-phase2

set security ipsec vpn swan bind-interface st0.2
set security ipsec vpn swan ike gateway swan
set security ipsec vpn swan ike proxy-identity local 10.10.27.0/24
set security ipsec vpn swan ike proxy-identity remote 10.9.141.0/24
set security ipsec vpn swan ike proxy-identity service any
set security ipsec vpn swan ike ipsec-policy phase-2

# show interfaces st0.2 | display set
set interfaces st0 unit 2 family inet

show interfaces lo0 | display set
set interfaces lo0 unit 0 family inet address 10.10.27.1/32

# run show security zones | match "ge-0/0/0|lo0|st0.2|zone"
Security zone: TRUST-RO1
    lo0.0

Security zone: UNTRUST
    ge-0/0/0.0

Security zone: VPN
    st0.2
 
# show security zones security-zone UNTRUST | display set
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0

# show security policies from-zone VPN to-zone TRUST-RO1 | display set
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match source-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match destination-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match application any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in then permit

# show security policies from-zone TRUST-RO1 to-zone VPN | display set
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match source-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match destination-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match application any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out then permit
 
# show routing-options | display set
set routing-options static route 10.9.141.0/24 next-hop st0.2

 

Configuration on strongSwan (the PSK `Password12` in ipsec.secrets is a lab placeholder—in production use a long random secret, identical to the one configured on the SRX, and keep /etc/ipsec.secrets readable only by root):

# cat /etc/ipsec.conf
# basic configuration
config setup
    # Very verbose charon logging (level 2 in every subsystem) used for lab
    # troubleshooting. NOTE(review): lower these levels in production so IKE
    # negotiation details do not flood the system log.
    charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
    uniqueids=yes
    # CRL policy is irrelevant here: the connection authenticates with a PSK,
    # not certificates.
    strictcrlpolicy=no

# connection to srx1 (the peer of the SRX "swan" gateway / VPN above)
conn to-srx1
  keyexchange=ikev1
  # Pre-shared key is taken from /etc/ipsec.secrets and must match the key
  # in the SRX ike policy "phase1".
  authby=secret
  left=%defaultroute
  # Local IKE identity: the SRX addresses this peer as 192.168.1.1
  # (ike gateway swan address 192.168.1.1).
  leftid=192.168.1.1
  # Traffic selectors mirror the SRX proxy-identity (local 10.10.27.0/24,
  # remote 10.9.141.0/24); the negotiated TS in the "ipsec up" output
  # confirms the match.
  leftsubnet=10.9.141.0/24
  right=192.168.1.2
  rightsubnet=10.10.27.0/24
  # Phase 1 proposals. modp1024 is listed first and is what was negotiated
  # (MODP_1024 in "ipsec statusall"). NOTE(review): DH group 2 and SHA-1 are
  # weak by current standards; for production use modp2048/sha256 here and
  # dh-group group14 / sha-256 on the SRX. The trailing "!" restricts the
  # offered proposals to the listed ones (see ipsec.conf(5)).
  ike=aes256-sha1-modp1024,aes256-sha1-modp2048!
  # Phase 2 (ESP) proposal; must match the SRX ipsec proposal "swan-phase2".
  esp=aes256-sha1!
  # keyingtries=0 is strongSwan's "retry without limit" setting — confirm in
  # ipsec.conf(5) for the installed version.
  keyingtries=0
  # 8h / 1h correspond to the SRX lifetime-seconds 28800 / 3600.
  ikelifetime=8h
  lifetime=1h
  # Dead peer detection is disabled in this lab. Uncomment the three lines
  # below and reload the configuration to detect a lost peer and restart
  # the tunnel automatically.
  #dpddelay=30
  #dpdtimeout=120
  #dpdaction=restart
  auto=start
 
# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

192.168.1.1 192.168.1.2 : PSK "Password12"

# ip addr | egrep  'eth|lo|inet'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet 10.9.141.1/24 scope global lo:1 << This IP will be used for VPN traffic test
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether XXXXXXXX brd ff:ff:ff:ff:ff:ff
    inet XXXXXX/24 brd XXXXXXX scope global noprefixroute eth0
    inet6 fe80::85a0:aa48:ea:77f8/64 scope link noprefixroute
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:19:d1:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/30 brd 192.168.1.3 scope global noprefixroute eth1 << Tunnel endpoint's IP on the Strongswan
    inet6 fe80::738f:feea:4566:c43/64 scope link noprefixroute
    link/ether 52:54:00:9a:e3:7f brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
    link/ether 52:54:00:9a:e3:7f brd ff:ff:ff:ff:ff:ff


Bringing up the VPN from strongSwan and verification:

# ipsec up to-srx1
initiating Main Mode IKE_SA to-srx1[3] to 192.168.1.2
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (216 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (192 bytes)
parsed ID_PROT response 0 [ SA V V V V V ]
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
received XAuth vendor ID
received unknown vendor ID: fd:80:88:04:df:73:b1:51:50:70:9d:87:80:44:cd:e0:ac:1e:fc:de
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (244 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (108 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA to-srx1[3] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2] << Phase 1 came up
scheduling reauthentication in 27967s
maximum IKE_SA lifetime 28507s
generating QUICK_MODE request 3434167422 [ HASH SA No ID ID ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (188 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (156 bytes)
parsed QUICK_MODE response 3434167422 [ HASH SA No ID ID ]
CHILD_SA to-srx1 established with SPIs c20ae772_i 507555de_o and TS 10.9.141.0/24 === 10.10.27.0/24 << Negotiated proxy -IDs
generating QUICK_MODE request 3434167422 [ HASH ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (60 bytes)
connection 'to-srx1' established successfully  << VPN came up fine



# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-957.27.2.el7.x86_64, x86_64):
  uptime: 66 minutes, since Aug 14 16:09:38 2019
  malloc: sbrk 2568192, mmap 0, used 372944, free 2195248
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.1.1

Connections:
     to-srx1:  %any...192.168.1.2  IKEv1
     to-srx1:   local:  [192.168.1.1] uses pre-shared key authentication
     to-srx1:   remote: [192.168.1.2] uses pre-shared key authentication
     to-srx1:   child:  10.9.141.0/24 === 10.10.27.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     to-srx1[3]: ESTABLISHED 34 minutes ago, 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
     to-srx1[3]: IKEv1 SPIs: 2d0cae65665a0ece_i* 66e4e60efba5ea41_r, pre-shared key reauthentication in 7 hours
     to-srx1[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     to-srx1 :  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c20ae772_i 507555de_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 588 bytes_i (7 pkts, 1343s ago), 588 bytes_o (7 pkts, 1343s ago), rekeying in 8 minutes
     to-srx1 :   10.9.141.0/24 === 10.10.27.0/24

 
lab@srx1# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
462594  UP     2d0cae65665a0ece  66e4e60efba5ea41  Main           192.168.1.1  << phase 1 is up; the cookies and remote IP match the IKEv1 SPIs shown by "ipsec statusall" on strongSwan

lab@srx1# run show security ipsec security-associations
  Total active tunnels: 3     Total Ipsec sas: 3
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
    <131075 ESP:aes-cbc-256/sha1 507555de 3585/ unlim - root 500 192.168.1.1     
  >131075 ESP:aes-cbc-256/sha1 c20ae772 3585/ unlim - root 500 192.168.1.1

lab@srx1#run show security ipsec security-associations index 131075
ID: 131075 Virtual-system: root, VPN Name: swan
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=10.10.27.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.9.141.0/24)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2
  Port: 500, Nego#: 33, Fail#: 1, Def-Del#: 0 Flag: 0x600a29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Wed Aug 14 2019 22:41:36 +0200: IPSec SA negotiation successfully completed (1 times)
    Wed Aug 14 2019 22:41:36 +0200: IKE SA negotiation successfully completed (3 times)
    Wed Aug 14 2019 22:41:24 +0200: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)

  Direction: inbound, SPI: 507555de, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3573 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 3011 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: c20ae772, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3572 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 3010 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

 
[root@localhost vikas]# ping 10.10.27.1   << initiated the ping from strongswan to vSRX loopback interface
PING 10.10.27.1 (10.10.27.1) 56(84) bytes of data.
64 bytes from 10.10.27.1: icmp_seq=1 ttl=64 time=0.653 ms

# run show security flow session protocol icmp | refresh 1  << The traffic can be seen on the vSRX
---(refreshed at 2019-08-14 22:53:26 CEST)---
Total sessions: 0
---(refreshed at 2019-08-14 22:53:29 CEST)---
Session ID: 20394, Policy name: vpn-in/11, Timeout: 4, Valid
  In: 10.9.141.1/1 --> 10.10.27.1/12570;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 84,
  Out: 10.10.27.1/12570 --> 10.9.141.1/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,

lab@srx1# run show security ipsec statistics index 131075  
ESP Statistics:
  Encrypted bytes:            15048
  Decrypted bytes:             8316
  Encrypted packets:             99 << total number of packets encrypted/decrypted by the vSRX; compare with the oseq/seq counters in the "ip xfrm state" output from strongSwan (0x63 = 99 on both sides)
  Decrypted packets:             99
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
 
[root@localhost vikas]# ip xfrm state
src 192.168.1.1 dst 192.168.1.2
    proto esp spi 0x1ed4f033 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha1) 0x244c32d6ea996fb3f4b28754b4cc99463549ce00 96
    enc cbc(aes) 0x215ae4fd360b723ae6bbe0471cc3e70c253b337b554a46b32946f73ed58791e3
    anti-replay context: seq 0x0, oseq 0x63, bitmap 0x00000000 
src 192.168.1.2 dst 192.168.1.1
    proto esp spi 0xceab0f9c reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xfc9cd57a81c7dad69913f07888146b26c2ccec2a 96
    enc cbc(aes) 0x5d201d4c88c663913089ca656b2c2c275cd8c05bbf5136bb881d00dc5a1fc30e
    anti-replay context: seq 0x63, oseq 0x0, bitmap 0xffffffff   

    
Note: This example uses the legacy ipsec.conf/ipsec.secrets (stroke) configuration interface rather than swanctl.conf (vici); the IKE daemon is still charon, as the "ipsec statusall" output above shows. In this environment, strongSwan was compiled from source with OpenSSL as the crypto backend instead of GMP:

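# Build strongSwan from source with OpenSSL as the crypto backend instead of GMP.
# --prefix=/usr and --sysconfdir=/etc install over the system paths, so keep the
# source tree around for "make uninstall" and run the install step with root
# privileges. The steps are chained with && so a failing configure or build
# stops before anything is installed.
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl \
  && make \
  && make install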
   
 
#ipsec version
Linux strongSwan U5.6.3/K3.10.0-957.27.2.el7.x86_64


lab@srx11> show version

Model: vsrx
Junos: 18.2R1.9 << vSRX version

Related Links: