[SRX] Configuration example - site to site VPN between SRX and strongSwan

Article ID: KB34920   KB Last Updated: 23 Aug 2019   Version: 1.0
Summary:

This article shows how to configure a site-to-site IPsec VPN between a vSRX (or SRX) and a strongSwan peer using IKEv1 main mode with pre-shared-key authentication, and how to verify the tunnel from both sides.

Solution:

Example Network Diagram:

           192.168.1.1/30(eth1)           192.168.1.2/30(ge-0/0/0.0)
              ||strongSwan-------------------v/SRX||st0.2
        10.9.141.1/24(lo:1)              10.10.27.1/32(lo0.0)
 

 

  •  192.168.1.1 (strongSwan on CentOS 7) and 192.168.1.2 (vSRX) are the IKE/IPsec tunnel endpoints.
  •  st0.2 is the secure tunnel interface on the vSRX; the VPN is route-based.
  •  The protected subnets (proxy IDs) are 10.9.141.0/24 behind strongSwan and 10.10.27.0/24 behind the vSRX.
  •  Loopback interfaces on both devices are used as test hosts inside those subnets.

Configuration on v/SRX:

# show security ike | display set
set security ike proposal swan-phase1 authentication-method pre-shared-keys
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ike proposal swan-phase1 lifetime-seconds 28800

set security ike policy phase1 proposals swan-phase1
set security ike policy phase1 pre-shared-key ascii-text "$9$6Qx-/pO1IclvLEcgJDkTQEcyreWLxNVs2"   << $9$ is reversible Junos obfuscation, not encryption; treat this string as the plaintext PSK (it must equal the key in ipsec.secrets on strongSwan)

set security ike gateway swan ike-policy phase1
set security ike gateway swan address 192.168.1.1
set security ike gateway swan external-interface ge-0/0/0.0

# show security ipsec | display set      
set security ipsec proposal swan-phase2 protocol esp
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 lifetime-seconds 3600

set security ipsec policy phase-2 proposals swan-phase2

set security ipsec vpn swan bind-interface st0.2
set security ipsec vpn swan ike gateway swan
set security ipsec vpn swan ike proxy-identity local 10.10.27.0/24
set security ipsec vpn swan ike proxy-identity remote 10.9.141.0/24
set security ipsec vpn swan ike proxy-identity service any
set security ipsec vpn swan ike ipsec-policy phase-2

# show interfaces st0.2 | display set
set interfaces st0 unit 2 family inet

# show interfaces lo0 | display set
set interfaces lo0 unit 0 family inet address 10.10.27.1/32

# run show security zones | match "ge-0/0/0|lo0|st0.2|zone"
Security zone: TRUST-RO1
    lo0.0

Security zone: UNTRUST
    ge-0/0/0.0

Security zone: VPN
    st0.2
 
# show security zones security-zone UNTRUST | display set
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0

# show security policies from-zone VPN to-zone TRUST-RO1 | display set
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match source-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match destination-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match application any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in then permit

# show security policies from-zone TRUST-RO1 to-zone VPN | display set
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match source-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match destination-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match application any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out then permit
 
# show routing-options | display set
set routing-options static route 10.9.141.0/24 next-hop st0.2

 

Configuration on strongSwan:

# cat /etc/ipsec.conf
# basic configuration
config setup
    charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
    uniqueids=yes
    strictcrlpolicy=no

# connection to srx1
conn to-srx1
  keyexchange=ikev1
  authby=secret
  left=%defaultroute
  leftid=192.168.1.1
  leftsubnet=10.9.141.0/24
  right=192.168.1.2
  rightsubnet=10.10.27.0/24
  ike=aes256-sha1-modp1024,aes256-sha1-modp2048!   << the SRX proposal offers only group2 (modp1024), so the modp2048 entry is never selected; the trailing "!" stops strongSwan from adding its default proposals
  esp=aes256-sha1!
  keyingtries=0
  ikelifetime=8h
  lifetime=1h
  #dpddelay=30    << remove the leading # from these three lines and run "ipsec reload" to enable dead peer detection
  #dpdtimeout=120
  #dpdaction=restart
  auto=start
 
# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

192.168.1.1 192.168.1.2 : PSK "Password12"   << lab value only; use a long random key in production and keep it identical to the SRX ike policy pre-shared-key

# ip addr | egrep  'eth|lo|inet'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet 10.9.141.1/24 scope global lo:1 << This IP will be used for VPN traffic test
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether XXXXXXXX brd ff:ff:ff:ff:ff:ff
    inet XXXXXX/24 brd XXXXXXX scope global noprefixroute eth0
    inet6 fe80::85a0:aa48:ea:77f8/64 scope link noprefixroute
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:19:d1:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/30 brd 192.168.1.3 scope global noprefixroute eth1 << Tunnel endpoint's IP on the Strongswan
    inet6 fe80::738f:feea:4566:c43/64 scope link noprefixroute
    link/ether 52:54:00:9a:e3:7f brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
    link/ether 52:54:00:9a:e3:7f brd ff:ff:ff:ff:ff:ff


Bringing up the VPN from strongSwan and verification:

# ipsec up to-srx1
initiating Main Mode IKE_SA to-srx1[3] to 192.168.1.2
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (216 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (192 bytes)
parsed ID_PROT response 0 [ SA V V V V V ]
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
received XAuth vendor ID
received unknown vendor ID: fd:80:88:04:df:73:b1:51:50:70:9d:87:80:44:cd:e0:ac:1e:fc:de
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (244 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (108 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA to-srx1[3] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2] << Phase 1 came up
scheduling reauthentication in 27967s
maximum IKE_SA lifetime 28507s
generating QUICK_MODE request 3434167422 [ HASH SA No ID ID ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (188 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (156 bytes)
parsed QUICK_MODE response 3434167422 [ HASH SA No ID ID ]
CHILD_SA to-srx1 established with SPIs c20ae772_i 507555de_o and TS 10.9.141.0/24 === 10.10.27.0/24 << Negotiated proxy IDs (traffic selectors) and ESP SPIs
generating QUICK_MODE request 3434167422 [ HASH ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (60 bytes)
connection 'to-srx1' established successfully  << VPN came up fine



# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-957.27.2.el7.x86_64, x86_64):
  uptime: 66 minutes, since Aug 14 16:09:38 2019
  malloc: sbrk 2568192, mmap 0, used 372944, free 2195248
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.1.1

Connections:
     to-srx1:  %any...192.168.1.2  IKEv1
     to-srx1:   local:  [192.168.1.1] uses pre-shared key authentication
     to-srx1:   remote: [192.168.1.2] uses pre-shared key authentication
     to-srx1:   child:  10.9.141.0/24 === 10.10.27.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     to-srx1[3]: ESTABLISHED 34 minutes ago, 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
     to-srx1[3]: IKEv1 SPIs: 2d0cae65665a0ece_i* 66e4e60efba5ea41_r, pre-shared key reauthentication in 7 hours
     to-srx1[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     to-srx1 :  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c20ae772_i 507555de_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 588 bytes_i (7 pkts, 1343s ago), 588 bytes_o (7 pkts, 1343s ago), rekeying in 8 minutes
     to-srx1 :   10.9.141.0/24 === 10.10.27.0/24

 
lab@srx1# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
462594  UP     2d0cae65665a0ece  66e4e60efba5ea41  Main           192.168.1.1  << Phase 1 is up; the cookies and peer IP match the IKEv1 SPIs in the "ipsec statusall" output from strongSwan

lab@srx1# run show security ipsec security-associations
  Total active tunnels: 3     Total Ipsec sas: 3   << only the tunnel to 192.168.1.1 is shown below
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131075 ESP:aes-cbc-256/sha1 507555de 3585/ unlim - root 500 192.168.1.1   << inbound to the vSRX = strongSwan's outbound SPI (_o)
  >131075 ESP:aes-cbc-256/sha1 c20ae772 3585/ unlim - root 500 192.168.1.1   << outbound from the vSRX = strongSwan's inbound SPI (_i)

lab@srx1# run show security ipsec security-associations index 131075
ID: 131075 Virtual-system: root, VPN Name: swan
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=10.10.27.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.9.141.0/24)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2
  Port: 500, Nego#: 33, Fail#: 1, Def-Del#: 0 Flag: 0x600a29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Wed Aug 14 2019 22:41:36 +0200: IPSec SA negotiation successfully completed (1 times)
    Wed Aug 14 2019 22:41:36 +0200: IKE SA negotiation successfully completed (3 times)
    Wed Aug 14 2019 22:41:24 +0200: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)

  Direction: inbound, SPI: 507555de, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3573 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 3011 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: c20ae772, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3572 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 3010 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

 
[root@localhost vikas]# ping 10.10.27.1   << initiated the ping from strongswan to vSRX loopback interface
PING 10.10.27.1 (10.10.27.1) 56(84) bytes of data.
64 bytes from 10.10.27.1: icmp_seq=1 ttl=64 time=0.653 ms

# run show security flow session protocol icmp | refresh 1  << The traffic can be seen on the vSRX
---(refreshed at 2019-08-14 22:53:26 CEST)---
Total sessions: 0
---(refreshed at 2019-08-14 22:53:29 CEST)---
Session ID: 20394, Policy name: vpn-in/11, Timeout: 4, Valid
  In: 10.9.141.1/1 --> 10.10.27.1/12570;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 84,
  Out: 10.10.27.1/12570 --> 10.9.141.1/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,

lab@srx1# run show security ipsec statistics index 131075  
ESP Statistics:
  Encrypted bytes:            15048
  Decrypted bytes:             8316
  Encrypted packets:             99 << packets encrypted/decrypted by the vSRX; compare with the seq/oseq anti-replay counters in "ip xfrm state" on strongSwan
  Decrypted packets:             99
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
 
[root@localhost vikas]# ip xfrm state
src 192.168.1.1 dst 192.168.1.2
    proto esp spi 0x1ed4f033 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha1) 0x244c32d6ea996fb3f4b28754b4cc99463549ce00 96
    enc cbc(aes) 0x215ae4fd360b723ae6bbe0471cc3e70c253b337b554a46b32946f73ed58791e3
    anti-replay context: seq 0x0, oseq 0x63, bitmap 0x00000000 
src 192.168.1.2 dst 192.168.1.1
    proto esp spi 0xceab0f9c reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xfc9cd57a81c7dad69913f07888146b26c2ccec2a 96
    enc cbc(aes) 0x5d201d4c88c663913089ca656b2c2c275cd8c05bbf5136bb881d00dc5a1fc30e
    anti-replay context: seq 0x63, oseq 0x0, bitmap 0xffffffff   
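Comparing SPIs and counters across the two CLIs is the fastest way to prove both peers hold the same SA, but the direction flips between them (strongSwan's _i is the SRX's ">" row and vice versa), and the two captures must be taken at the same time: the SPIs in the "ip xfrm state" output above (0x1ed4f033 / 0xceab0f9c) no longer equal the ones in the earlier "ipsec statusall" output, which is what you see once the CHILD_SA has rekeyed. The script below is an added example written for this article, not Juniper or strongSwan code; its sample inputs are copied from the outputs shown on this page, and it checks the SPI pairing and that the packets strongSwan sent and received equal what the vSRX decrypted and encrypted.

```python
"""Cross-check IPsec SA state reported by strongSwan and by the SRX.

Added example for this KB article (not Juniper or strongSwan code). The
sample strings are copied from the CLI outputs shown on this page.
  * SPI direction: strongSwan's inbound SPI (_i) is the SRX's outbound
    SA ('>' row); its outbound SPI (_o) is the SRX's inbound SA ('<').
  * Counters: in `ip xfrm state`, `oseq` on the SA whose src is the local
    address counts packets strongSwan sent (= SRX "Decrypted packets");
    `seq` on the SA whose dst is local is the highest sequence number
    received (= SRX "Encrypted packets" when nothing was dropped).
"""
import re

STATUSALL = "to-srx1 :  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c20ae772_i 507555de_o"
SRX_SAS = """\
    <131075 ESP:aes-cbc-256/sha1 507555de 3585/ unlim - root 500 192.168.1.1
  >131075 ESP:aes-cbc-256/sha1 c20ae772 3585/ unlim - root 500 192.168.1.1
"""
XFRM = """\
src 192.168.1.1 dst 192.168.1.2
    proto esp spi 0x1ed4f033 reqid 1 mode tunnel
    anti-replay context: seq 0x0, oseq 0x63, bitmap 0x00000000
src 192.168.1.2 dst 192.168.1.1
    proto esp spi 0xceab0f9c reqid 1 mode tunnel
    anti-replay context: seq 0x63, oseq 0x0, bitmap 0xffffffff
"""
SRX_STATS = """\
  Encrypted packets:             99
  Decrypted packets:             99
"""
LOCAL_IP = "192.168.1.1"  # strongSwan's tunnel endpoint


def parse_statusall_spis(text):
    """ESP SPIs from `ipsec statusall`, keyed from strongSwan's point of view."""
    m = re.search(r"ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o", text)
    if not m:
        raise ValueError("no installed CHILD_SA in statusall output")
    return {"in": m.group(1), "out": m.group(2)}


def parse_srx_sas(text):
    """ESP SPIs from `show security ipsec security-associations`, SRX's view."""
    spis = {}
    for m in re.finditer(r"^\s*([<>])\d+\s+ESP:\S+\s+([0-9a-fA-F]+)", text, re.M):
        spis["in" if m.group(1) == "<" else "out"] = m.group(2).lower()
    if set(spis) != {"in", "out"}:
        raise ValueError("expected one '<' and one '>' SA row")
    return spis


def spis_match(strongswan, srx):
    """True when each side's inbound SPI is the other side's outbound SPI."""
    return strongswan["in"] == srx["out"] and strongswan["out"] == srx["in"]


def parse_xfrm_counters(text, local_ip):
    """(packets_sent, packets_received) by local_ip from `ip xfrm state`."""
    sent = received = None
    src = dst = None
    for line in text.splitlines():
        hdr = re.match(r"src (\S+) dst (\S+)", line)
        if hdr:
            src, dst = hdr.groups()
            continue
        ctx = re.search(r"seq (0x[0-9a-f]+), oseq (0x[0-9a-f]+)", line)
        if ctx and src is not None:
            seq, oseq = (int(v, 16) for v in ctx.groups())
            if src == local_ip:
                sent = oseq        # outbound SA: oseq advances per packet sent
            elif dst == local_ip:
                received = seq     # inbound SA: highest sequence number seen
    return sent, received


def parse_srx_stats(text):
    """(encrypted_packets, decrypted_packets) from `show security ipsec statistics`."""
    enc = int(re.search(r"Encrypted packets:\s+(\d+)", text).group(1))
    dec = int(re.search(r"Decrypted packets:\s+(\d+)", text).group(1))
    return enc, dec


def counters_match(xfrm, srx):
    """strongSwan sent == SRX decrypted and strongSwan received == SRX encrypted."""
    sent, received = xfrm
    enc, dec = srx
    return sent == dec and received == enc


if __name__ == "__main__":
    print("SPIs consistent:",
          spis_match(parse_statusall_spis(STATUSALL), parse_srx_sas(SRX_SAS)))
    print("counters consistent:",
          counters_match(parse_xfrm_counters(XFRM, LOCAL_IP), parse_srx_stats(SRX_STATS)))
```

If the SPI check fails while both sides report the tunnel up, the outputs were almost certainly captured on either side of a rekey; re-run both commands together before suspecting a misconfiguration. A counter mismatch with matching SPIs points at drops on the path rather than at the SA itself, and the "Errors" block of the SRX statistics (replay, authentication and decryption failures) is the next thing to read.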

    
Note: This example drives strongSwan through the legacy "ipsec" (stroke) front end with /etc/ipsec.conf and /etc/ipsec.secrets rather than swanctl.conf/vici; the IKE daemon is still charon, as the "ipsec statusall" header shows. In this environment strongSwan was compiled from source with the openssl plugin instead of gmp:

./configure --prefix=/usr --sysconfdir=/etc --disable-gmp  --enable-openssl
make
make install  
   
 
# ipsec version
Linux strongSwan U5.6.3/K3.10.0-957.27.2.el7.x86_64


lab@srx11> show version

Model: vsrx
Junos: 18.2R1.9 << vSRX version
