[vSRX/SRX] Example - Site-to-site IPSEC IKEv2 VPN configuration between vSRX and strongSwan using pre-shared keys


Article ID: KB34927   KB Last Updated: 24 Aug 2019   Version: 1.0
Summary:

This article provides an example configuration for a site-to-site IPsec IKEv2 VPN between a vSRX and a strongSwan peer using pre-shared keys.

Solution:

Network Topology:

192.168.1.1/30(eth1)           192.168.1.2/30(ge-0/0/0.0)
       | strongSwan-------------------vSRX|st0.2
10.9.141.1/24(lo:1)            10.10.27.1/32(lo0.0) 
 
  •  192.168.1.1 and 192.168.1.2 are the VPN endpoints on strongSwan (CentOS 7) and the vSRX respectively
  •  st0.2 is the tunnel interface on the vSRX
  •  VPN traffic between the 10.9.141.1/24 and 10.10.27.0/24 subnets is defined by traffic selectors
  •  Loopback interfaces are used on both devices for testing
 

Configuration on vSRX:

# show security ike | display set
set security ike proposal swan-phase1 authentication-method pre-shared-keys
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ike proposal swan-phase1 lifetime-seconds 28800

set security ike policy phase1 proposals swan-phase1
set security ike policy phase1 pre-shared-key ascii-text "Password12"

set security ike gateway swan ike-policy phase1
set security ike gateway swan address 192.168.1.1
set security ike gateway swan external-interface ge-0/0/0.0  
set security ike gateway swan version v2-only

# show security ipsec | display set      
set security ipsec proposal swan-phase2 protocol esp
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 lifetime-seconds 3600

set security ipsec policy phase-2 proposals swan-phase2

set security ipsec vpn swan bind-interface st0.2
set security ipsec vpn swan ike gateway swan
set security ipsec vpn swan ike proxy-identity service any
set security ipsec vpn swan ike ipsec-policy phase-2
set security ipsec vpn swan traffic-selector 1 local-ip 10.10.27.0/24
set security ipsec vpn swan traffic-selector 1 remote-ip 10.9.141.0/24

# show interfaces st0.2 | display set
set interfaces st0 unit 2 family inet

# show interfaces lo0 | display set
set interfaces lo0 unit 0 family inet address 10.10.27.1/32

# run show security zones | match "ge-0/0/0|lo0|st0.2|zone"
Security zone: TRUST-RO1
    lo0.0

Security zone: UNTRUST
    ge-0/0/0.0

Security zone: VPN
    st0.2
 
# show security zones security-zone UNTRUST | display set
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0

# show security policies from-zone VPN to-zone TRUST-RO1 | display set
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match source-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match destination-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match application any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in then permit

# show security policies from-zone TRUST-RO1 to-zone VPN | display set
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match source-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match destination-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match application any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out then permit

 


Configuration on strongSwan

[root@localhost user1]# cat /etc/ipsec.conf
# basic configuration
config setup
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
        uniqueids=yes
        strictcrlpolicy=no

# connection to srx1
conn to-srx1
  keyexchange=ikev2
  authby=secret
  left=%defaultroute
  leftid=192.168.1.1
  leftsubnet=10.9.141.0/24
  right=192.168.1.2
  rightsubnet=10.10.27.0/24
  ike=aes256-sha1-modp1024,aes256-sha1-modp2048!
  esp=aes256-sha1!
  keyingtries=0
  ikelifetime=8h
  lifetime=1h
  #dpddelay=30
  #dpdtimeout=120
  #dpdaction=restart
  auto=start

Note: Configuration statements preceded by '#' are commented out; they are optional and can be enabled as required.

[root@localhost user1]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

192.168.1.1 192.168.1.2 : PSK "Password12"

[root@localhost user1]# ip addr | egrep 'eth|lo|inet' | grep -v link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet 10.9.141.1/24 scope global lo:1
    inet6 ::1/128 scope host

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.1/30 brd 192.168.1.3 scope global noprefixroute eth1
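The two configurations above have to agree on at least one IKE proposal and one ESP proposal, and the article works that out by hand. The following Python script is an added example (not part of the article, of Junos, or of strongSwan) that does the same comparison mechanically: it parses the vSRX "display set" proposal lines and the strongSwan ike=/esp= strings, translates the Junos keywords into strongSwan's names, and reports the proposal the two sides can agree on in the initiator's order. The keyword tables are an assumed subset of the two vocabularies, and the inputs are constructed copies of this article's configuration. The script also flags MODP-1024 (Junos group2): both peers accept it here, but it is below current key-strength guidance, and the vSRX offers only group2 even though strongSwan also lists modp2048, which is why MODP_1024 is what ends up negotiated in the statusall output later in the article.

```python
"""Compare the IKE/IPsec proposals of a Junos 'display set' configuration with a
strongSwan ipsec.conf connection and report what the two sides can agree on.
Added illustration; not part of the article or of either product."""
import re

# Constructed copies of the article's proposals (paste your own output here).
JUNOS_SET = """
set security ike proposal swan-phase1 authentication-method pre-shared-keys
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 protocol esp
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
"""
STRONGSWAN_IKE = "aes256-sha1-modp1024,aes256-sha1-modp2048!"
STRONGSWAN_ESP = "aes256-sha1!"

# Junos keyword -> strongSwan keyword. Assumed subset of both vocabularies; extend as needed.
ENC = {"3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256"}
IKE_INTEG = {"md5": "md5", "sha1": "sha1", "sha-256": "sha256", "sha-384": "sha384"}
ESP_INTEG = {"hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256"}
DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048",
      "group19": "ecp256", "group20": "ecp384"}
WEAK = {"modp768", "modp1024", "md5", "3des"}  # accepted by both peers, but below current guidance

SET_LINE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")


def parse_junos(text):
    """Group 'set security {ike,ipsec} proposal NAME ATTR VALUE' lines by (kind, name)."""
    props = {}
    for line in text.splitlines():
        m = SET_LINE.match(line.strip())
        if m:
            kind, name, attr, value = m.groups()
            props.setdefault((kind, name), {})[attr] = value
    return props


def junos_to_swan(kind, attrs):
    """Translate one Junos proposal into the tuple strongSwan would write, e.g. ('aes256', 'sha1', 'modp1024')."""
    enc = ENC[attrs["encryption-algorithm"]]
    if kind == "ike":
        return (enc, IKE_INTEG[attrs["authentication-algorithm"]], DH[attrs["dh-group"]])
    return (enc, ESP_INTEG[attrs["authentication-algorithm"]])


def parse_swan(spec):
    """Split 'aes256-sha1-modp1024,aes256-sha1-modp2048!' into tuples and a strict ('!') flag."""
    strict = spec.endswith("!")
    return [tuple(p.split("-")) for p in spec.rstrip("!").split(",")], strict


def negotiate(offered, accepted):
    """First proposal in the initiator's (strongSwan's) order that the responder also configured."""
    for cand in offered:
        if cand in accepted:
            return cand
    return None


def check(junos_text=JUNOS_SET, ike=STRONGSWAN_IKE, esp=STRONGSWAN_ESP):
    """Return the IKE and ESP proposals both sides share, plus any weak primitives in them."""
    props = parse_junos(junos_text)
    vsrx_ike = {junos_to_swan(kind, a) for (kind, _), a in props.items() if kind == "ike"}
    vsrx_esp = {junos_to_swan(kind, a) for (kind, _), a in props.items() if kind == "ipsec"}
    chosen_ike = negotiate(parse_swan(ike)[0], vsrx_ike)
    chosen_esp = negotiate(parse_swan(esp)[0], vsrx_esp)
    weak = sorted((set(chosen_ike or ()) | set(chosen_esp or ())) & WEAK)
    return {"ike": chosen_ike, "esp": chosen_esp, "weak": weak}


if __name__ == "__main__":
    result = check()
    print("IKE proposal:", "-".join(result["ike"]) if result["ike"] else "NO MATCH")
    print("ESP proposal:", "-".join(result["esp"]) if result["esp"] else "NO MATCH")
    if result["weak"]:
        print("warning: weak primitives negotiated:", ", ".join(result["weak"]))
```

Run it before committing a change on either side: a "NO MATCH" for IKE shows up on the wire as an IKE_SA_INIT that never completes, while a "NO MATCH" for ESP fails later, during IKE_AUTH, after the peers have already authenticated.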

 

Bringing up the VPN and Verification:

[root@localhost user1]# ipsec up to-srx1
initiating IKE_SA to-srx1[2] to 192.168.1.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (380 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (390 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((40002)) N(FRAG_SUP) V V V ]
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
received unknown vendor ID: 09:00:26:89:df:d6:b7:12
received unknown vendor ID: fd:80:88:04:df:73:b1:51:50:70:9d:87:80:44:cd:e0:ac:1e:fc:de
authentication of '192.168.1.1' (myself) with pre-shared key
establishing CHILD_SA to-srx1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.1[4500] to 192.168.1.2[4500] (268 bytes)
received packet: from 192.168.1.2[4500] to 192.168.1.1[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(SET_WINSIZE) ]
authentication of '192.168.1.2' with pre-shared key successful
IKE_SA to-srx1[2] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
scheduling reauthentication in 27813s
maximum IKE_SA lifetime 28353s
CHILD_SA to-srx1 established with SPIs cbc742cc_i 67382826_o and TS 10.9.141.0/24 === 10.10.27.0/24
connection 'to-srx1' established successfully  <<<< VPN established

[root@localhost user1]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-957.27.2.el7.x86_64, x86_64):
  uptime: 60 seconds, since Aug 15 20:57:36 2019
  malloc: sbrk 2568192, mmap 0, used 373376, free 2194816
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:

  192.168.1.1
 
Connections:
     to-srx1:  %any...192.168.1.2  IKEv2
     to-srx1:   local:  [192.168.1.1] uses pre-shared key authentication
     to-srx1:   remote: [192.168.1.2] uses pre-shared key authentication
     to-srx1:   child:  10.9.141.0/24 === 10.10.27.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     to-srx1[2]: ESTABLISHED 39 seconds ago, 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
     to-srx1[2]: IKEv2 SPIs: acace696ddb0ad1e_i* 58ce0bc0927df3e4_r, pre-shared key reauthentication in 7 hours
     to-srx1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     to-srx1 :  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbc742cc_i 67382826_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 168 bytes_i (2 pkts, 28s ago), 168 bytes_o (2 pkts, 28s ago), rekeying in 46 minutes
     to-srx1 :   10.9.141.0/24 === 10.10.27.0/24


lab@roffice1> show security ike security-associations 192.168.1.1             
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2022092 UP     acace696ddb0ad1e  58ce0bc0927df3e4  IKEv2          192.168.1.1     

lab@roffice1> show security ipsec security-associations vpn-name swan         
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <67108865 ESP:aes-cbc-256/sha1 67382826 3512/ unlim - root 500 192.168.1.1     
  >67108865 ESP:aes-cbc-256/sha1 cbc742cc 3512/ unlim - root 500 192.168.1.1     

lab@roffice1> show security ipsec security-associations index 67108865  
ID: 67108865 Virtual-system: root, VPN Name: swan
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Traffic Selector Name: 1
  Local Identity: ipv4(10.10.27.0-10.10.27.255)
  Remote Identity: ipv4(10.9.141.0-10.9.141.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Fri Aug 16 2019 02:57:57 +0200: IPSec SA negotiation successfully completed (1 times)
 
  Direction: inbound, SPI: 67382826, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3500 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2931 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: cbc742cc, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3500 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2931 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

lab@roffice1> show route 10.9.141.1
inet.0: 22 destinations, 24 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.9.141.0/24      *[Static/5] 19:53:49   <<< Route is added per traffic selectors
                    > via st0.2  
 
[root@localhost user1]# ping 10.10.27.1      <<<<< Ping worked through the tunnel
PING 10.10.27.1 (10.10.27.1) 56(84) bytes of data.
64 bytes from 10.10.27.1: icmp_seq=1 ttl=64 time=0.573 ms
 
                    
show security flow session protocol icmp | refresh 1    <<<< Ping session can be seen on the vSRX
---(refreshed at 2019-08-16 03:01:04 CEST)---
Session ID: 1452, Policy name: vpn-in/9, Timeout: 2, Valid
  In: 10.9.141.1/14 --> 10.10.27.1/13003;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 84,
  Out: 10.10.27.1/13003 --> 10.9.141.1/14;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,

 

For troubleshooting, check that the SAs and policies are installed correctly on the strongSwan host and that its SPIs match those shown on the vSRX:

[root@localhost user1]# ip xfrm state
[root@localhost user1]# ip xfrm policy
Log: /var/log/messages on CentOS   <<< the file may differ depending on your operating system
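Matching the SPIs by eye is error-prone because each side labels directions from its own point of view: strongSwan's inbound ESP SPI (the "_i" one) is the vSRX's outbound SA (the ">" row), and vice versa, while the IKE SA SPIs line up directly with the vSRX's initiator and responder cookies. The following Python script is an added example (not part of the article, of Junos, or of strongSwan) that parses the "ipsec statusall" and the two Junos "show security ... security-associations" outputs from the verification section above and reports any SPI that does not line up. The inputs are constructed excerpts of this article's output; the regular expressions assume the output layouts shown above.

```python
"""Cross-check the IKE and ESP SPIs that strongSwan ('ipsec statusall') and the vSRX
('show security ike/ipsec security-associations') report for the same tunnel.
Each side labels directions from its own point of view, so strongSwan's inbound
ESP SPI must equal the vSRX's outbound ('>') one and vice versa.
Added illustration; not part of the article or of either product."""
import re

# Constructed excerpts of the article's verification output.
SWAN_STATUS = """\
     to-srx1[2]: IKEv2 SPIs: acace696ddb0ad1e_i* 58ce0bc0927df3e4_r, pre-shared key reauthentication in 7 hours
     to-srx1 :  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbc742cc_i 67382826_o
"""
VSRX_IKE_SA = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2022092 UP     acace696ddb0ad1e  58ce0bc0927df3e4  IKEv2          192.168.1.1
"""
VSRX_IPSEC_SA = """\
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108865 ESP:aes-cbc-256/sha1 67382826 3512/ unlim - root 500 192.168.1.1
  >67108865 ESP:aes-cbc-256/sha1 cbc742cc 3512/ unlim - root 500 192.168.1.1
"""


def parse_swan(text):
    """Pull the IKE SA SPIs (_i initiator, _r responder; '*' marks the local one)
    and the ESP SPIs (_i inbound, _o outbound) out of 'ipsec statusall'."""
    ike = re.search(r"IKEv2 SPIs: ([0-9a-f]{16})_i\*? ([0-9a-f]{16})_r", text)
    esp = re.search(r"ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o", text)
    if not ike or not esp:
        raise ValueError("no established IKE_SA/CHILD_SA in strongSwan output")
    return {"ike_i": ike.group(1), "ike_r": ike.group(2),
            "esp_in": esp.group(1), "esp_out": esp.group(2)}


def parse_vsrx(ike_text, ipsec_text):
    """Pull the initiator/responder cookies of the UP IKE SA and the '<' (inbound)
    and '>' (outbound) ESP SPIs out of the two Junos show commands."""
    ike = re.search(r"^\d+\s+UP\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+IKEv2\b", ike_text, re.M)
    spis = {}
    for m in re.finditer(r"^\s*([<>])\d+\s+ESP:\S+\s+([0-9a-f]+)\s", ipsec_text, re.M):
        spis["in" if m.group(1) == "<" else "out"] = m.group(2)
    if not ike or set(spis) != {"in", "out"}:
        raise ValueError("no UP IKE SA or complete ESP SA pair in vSRX output")
    return {"ike_i": ike.group(1), "ike_r": ike.group(2),
            "esp_in": spis["in"], "esp_out": spis["out"]}


def cross_check(swan, vsrx):
    """Return a list of mismatches; an empty list means both sides agree on every SPI."""
    problems = []
    if (swan["ike_i"], swan["ike_r"]) != (vsrx["ike_i"], vsrx["ike_r"]):
        problems.append("IKE SA SPIs differ: strongSwan %s/%s vs vSRX %s/%s"
                        % (swan["ike_i"], swan["ike_r"], vsrx["ike_i"], vsrx["ike_r"]))
    # Directions are mirrored: what strongSwan receives on, the vSRX sends on.
    if swan["esp_in"] != vsrx["esp_out"]:
        problems.append("strongSwan inbound ESP SPI %s != vSRX outbound %s"
                        % (swan["esp_in"], vsrx["esp_out"]))
    if swan["esp_out"] != vsrx["esp_in"]:
        problems.append("strongSwan outbound ESP SPI %s != vSRX inbound %s"
                        % (swan["esp_out"], vsrx["esp_in"]))
    return problems


if __name__ == "__main__":
    issues = cross_check(parse_swan(SWAN_STATUS), parse_vsrx(VSRX_IKE_SA, VSRX_IPSEC_SA))
    print("SPIs consistent" if not issues else "\n".join(issues))
```

A stale SA on one side (for example after a rekey that only one peer completed) shows up here as a one-directional mismatch, which is the case where traffic flows one way and the other peer silently drops packets with an unknown SPI.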

vSRX version - 18.2R1.9

[root@localhost user1]# ipsec version
Linux strongSwan U5.6.3/K3.10.0-957.27.2.el7.x86_64


Notes about this example:

  • charon is not being used for the VPN config; the ipsec.conf file is being used.
  • strongSwan is compiled from source code with OpenSSL rather than GMP, using something like:
    ./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl
    make
    make install