[vSRX/SRX] Example - Site-to-site IPSEC IKEv2 VPN configuration between vSRX and strongSwan using pre-shared keys

[KB34927]


Summary:

This article provides an example configuration for a site-to-site IPsec IKEv2 VPN between a vSRX and a strongSwan peer, authenticated with a pre-shared key.

Solution:

Network Topology:

192.168.1.1/30(eth1)           192.168.1.2/30(ge-0/0/0.0)
       | strongSwan-------------------vSRX|st0.2
10.9.141.1/24(lo:1)            10.10.27.1/32(lo0.0) 
 
  •  192.168.1.1 and 192.168.1.2 are the VPN endpoints on strongSwan (CentOS 7) and the vSRX respectively
  •  st0.2 is the tunnel interface on the vSRX
  •  Traffic selectors cover VPN traffic between subnets 10.9.141.1/24 and 10.10.27.0/24
  •  Loopback interfaces are used on both devices for testing
 

Configuration on vSRX:

# show security ike | display set
set security ike proposal swan-phase1 authentication-method pre-shared-keys
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ike proposal swan-phase1 lifetime-seconds 28800

set security ike policy phase1 proposals swan-phase1
set security ike policy phase1 pre-shared-key ascii-text "Password12"

set security ike gateway swan ike-policy phase1
set security ike gateway swan address 192.168.1.1
set security ike gateway swan external-interface ge-0/0/0.0  
set security ike gateway swan version v2-only

# show security ipsec | display set      
set security ipsec proposal swan-phase2 protocol esp
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 lifetime-seconds 3600

set security ipsec policy phase-2 proposals swan-phase2

set security ipsec vpn swan bind-interface st0.2
set security ipsec vpn swan ike gateway swan
set security ipsec vpn swan ike proxy-identity service any
set security ipsec vpn swan ike ipsec-policy phase-2
set security ipsec vpn swan traffic-selector 1 local-ip 10.10.27.0/24
set security ipsec vpn swan traffic-selector 1 remote-ip 10.9.141.0/24

# show interfaces st0.2 | display set
set interfaces st0 unit 2 family inet

# show interfaces lo0 | display set
set interfaces lo0 unit 0 family inet address 10.10.27.1/32

# run show security zones | match "ge-0/0/0|lo0|st0.2|zone"
Security zone: TRUST-RO1
    lo0.0

Security zone: UNTRUST
    ge-0/0/0.0

Security zone: VPN
    st0.2
 
# show security zones security-zone UNTRUST | display set
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0

# show security policies from-zone VPN to-zone TRUST-RO1 | display set
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match source-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match destination-address any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in match application any
set security policies from-zone VPN to-zone TRUST-RO1 policy vpn-in then permit

# show security policies from-zone TRUST-RO1 to-zone VPN | display set
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match source-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match destination-address any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out match application any
set security policies from-zone TRUST-RO1 to-zone VPN policy vpn-out then permit

 


Configuration on strongSwan

[root@localhost user1]# cat /etc/ipsec.conf
# basic configuration
config setup
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
        uniqueids=yes
        strictcrlpolicy=no

# connection to srx1
conn to-srx1
  keyexchange=ikev2
  authby=secret
  left=%defaultroute
  leftid=192.168.1.1
  leftsubnet=10.9.141.0/24
  right=192.168.1.2
  rightsubnet=10.10.27.0/24
  ike=aes256-sha1-modp1024,aes256-sha1-modp2048!
  esp=aes256-sha1!
  keyingtries=0
  ikelifetime=8h
  lifetime=1h
  #dpddelay=30
  #dpdtimeout=120
  #dpdaction=restart
  auto=start

Note: Configuration statements preceded by '#' are optional and can be enabled as required.
 

[root@localhost user1]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

192.168.1.1 192.168.1.2 : PSK "Password12"

[root@localhost user1]# ip addr | egrep  'eth|lo|inet' | grep -v link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet 10.9.141.1/24 scope global lo:1
    inet6 ::1/128 scope host

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.1/30 brd 192.168.1.3 scope global noprefixroute eth1
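The two sides above only negotiate if the vSRX proposals and the strongSwan conn block describe the same algorithms, DH group and lifetimes (group2 is modp1024, 28800 seconds is 8h, 3600 seconds is 1h). The checker below is an added example, not part of this article or of either product; it parses the Junos `set` lines and the `ipsec.conf` conn block shown above and reports any mismatch. The Junos-to-strongSwan keyword table `ALG` is an assumption limited to the algorithms commonly shared by the two platforms.

```python
import re
# Constructed input: the proposal lines and the conn block as they appear earlier in this article.
JUNOS_CONF = """
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ike proposal swan-phase1 lifetime-seconds 28800
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 lifetime-seconds 3600
"""
SWAN_CONN = """
conn to-srx1
  ike=aes256-sha1-modp1024,aes256-sha1-modp2048!
  esp=aes256-sha1!
  ikelifetime=8h
  lifetime=1h
"""
# Assumed Junos keyword -> strongSwan keyword mapping for algorithms the two platforms commonly share.
ALG = {"aes-256-cbc": "aes256", "aes-128-cbc": "aes128", "sha1": "sha1", "hmac-sha1-96": "sha1",
       "sha-256": "sha256", "hmac-sha-256-128": "sha256", "group2": "modp1024", "group14": "modp2048"}
UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
def junos_proposals(text):
    """Collect 'set security ike|ipsec proposal <name> <attr> <value>' lines into {kind: {attr: value}}."""
    out = {"ike": {}, "ipsec": {}}
    for kind, attr, val in re.findall(r"set security (ike|ipsec) proposal \S+ (\S+) (\S+)", text):
        out[kind][attr] = val
    return out

def expected_swan(junos):
    """Translate the vSRX phase 1 / phase 2 proposals into the strongSwan settings they require."""
    ike, esp = junos["ike"], junos["ipsec"]
    return {"ike": f"{ALG[ike['encryption-algorithm']]}-{ALG[ike['authentication-algorithm']]}-{ALG[ike['dh-group']]}",
            "esp": f"{ALG[esp['encryption-algorithm']]}-{ALG[esp['authentication-algorithm']]}",
            "ikelifetime": int(ike["lifetime-seconds"]), "lifetime": int(esp["lifetime-seconds"])}
def to_seconds(value):
    """Convert a strongSwan time value such as '8h' or '3600' into seconds."""
    num, unit = re.fullmatch(r"(\d+)([smhd]?)", value).groups()
    return int(num) * UNIT[unit]

def check(junos_text, swan_text):
    """Return mismatches between the two sides; an empty list means proposals and lifetimes agree."""
    want = expected_swan(junos_proposals(junos_text))
    conn = dict(re.findall(r"^\s*(\w+)=(\S+)", swan_text, re.M))
    problems = []
    for key in ("ike", "esp"):
        offered = conn.get(key, "").rstrip("!").split(",")  # trailing '!' = strict list, no defaults appended
        if want[key] not in offered:
            problems.append(f"{key}: vSRX requires {want[key]}, strongSwan offers {offered}")
    for key in ("ikelifetime", "lifetime"):
        if to_seconds(conn.get(key, "0")) != want[key]:
            problems.append(f"{key}: vSRX {want[key]}s, strongSwan {conn.get(key)}")
    return problems
```

Run `check(JUNOS_CONF, SWAN_CONN)` against your own two configurations; an empty list means the proposal sets overlap, while a non-empty list points at the phase and attribute to fix before looking at the IKE logs.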

 

Bringing up the VPN and Verification:

[root@localhost user1]# ipsec up  to-srx1
initiating IKE_SA to-srx1[2] to 192.168.1.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (380 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (390 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((40002)) N(FRAG_SUP) V V V ]
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
received unknown vendor ID: 09:00:26:89:df:d6:b7:12
received unknown vendor ID: fd:80:88:04:df:73:b1:51:50:70:9d:87:80:44:cd:e0:ac:1e:fc:de
authentication of '192.168.1.1' (myself) with pre-shared key
establishing CHILD_SA to-srx1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.1[4500] to 192.168.1.2[4500] (268 bytes)
received packet: from 192.168.1.2[4500] to 192.168.1.1[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(SET_WINSIZE) ]
authentication of '192.168.1.2' with pre-shared key successful
IKE_SA to-srx1[2] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
scheduling reauthentication in 27813s
maximum IKE_SA lifetime 28353s
CHILD_SA to-srx1 established with SPIs cbc742cc_i 67382826_o and TS 10.9.141.0/24 === 10.10.27.0/24
connection 'to-srx1' established successfully  <<<< VPN established

[root@localhost user1]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-957.27.2.el7.x86_64, x86_64):
  uptime: 60 seconds, since Aug 15 20:57:36 2019
  malloc: sbrk 2568192, mmap 0, used 373376, free 2194816
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:

  192.168.1.1
 
Connections:
     to-srx1:  %any...192.168.1.2  IKEv2
     to-srx1:   local:  [192.168.1.1] uses pre-shared key authentication
     to-srx1:   remote: [192.168.1.2] uses pre-shared key authentication
     to-srx1:   child:  10.9.141.0/24 === 10.10.27.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     to-srx1[2]: ESTABLISHED 39 seconds ago, 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
     to-srx1[2]: IKEv2 SPIs: acace696ddb0ad1e_i* 58ce0bc0927df3e4_r, pre-shared key reauthentication in 7 hours
     to-srx1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     to-srx1 :  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbc742cc_i 67382826_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 168 bytes_i (2 pkts, 28s ago), 168 bytes_o (2 pkts, 28s ago), rekeying in 46 minutes
     to-srx1 :   10.9.141.0/24 === 10.10.27.0/24


lab@roffice1> show security ike security-associations 192.168.1.1             
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2022092 UP     acace696ddb0ad1e  58ce0bc0927df3e4  IKEv2          192.168.1.1     

lab@roffice1> show security ipsec security-associations vpn-name swan         
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <67108865 ESP:aes-cbc-256/sha1 67382826 3512/ unlim - root 500 192.168.1.1     
  >67108865 ESP:aes-cbc-256/sha1 cbc742cc 3512/ unlim - root 500 192.168.1.1     

lab@roffice1> show security ipsec security-associations index 67108865  
ID: 67108865 Virtual-system: root, VPN Name: swan
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Traffic Selector Name: 1
  Local Identity: ipv4(10.10.27.0-10.10.27.255)
  Remote Identity: ipv4(10.9.141.0-10.9.141.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Fri Aug 16 2019 02:57:57 +0200: IPSec SA negotiation successfully completed (1 times)
 
  Direction: inbound, SPI: 67382826, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3500 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2931 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: cbc742cc, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3500 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2931 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

lab@roffice1> show route 10.9.141.1
inet.0: 22 destinations, 24 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.9.141.0/24      *[Static/5] 19:53:49   <<< Route is added per traffic selectors
                    > via st0.2  
 
[root@localhost user1]# ping 10.10.27.1      <<<<< Ping worked through the tunnel
PING 10.10.27.1 (10.10.27.1) 56(84) bytes of data.
64 bytes from 10.10.27.1: icmp_seq=1 ttl=64 time=0.573 ms
 
                    
show security flow session protocol icmp | refresh 1    <<<< Ping session can be seen on the vSRX
---(refreshed at 2019-08-16 03:01:04 CEST)---
Session ID: 1452, Policy name: vpn-in/9, Timeout: 2, Valid
  In: 10.9.141.1/14 --> 10.10.27.1/13003;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 84,
  Out: 10.10.27.1/13003 --> 10.9.141.1/14;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,

 

For troubleshooting, check that the policies and SAs are installed correctly on strongSwan and that the SPIs match those logged on the vSRX:

[root@localhost user1]# ip xfrm state 
[root@localhost user1]# ip xfrm policy
log - /var/log/messages on CentOS   <<< The log file location may differ depending on your operating system
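The SPI check above is easy to get backwards: the SPI strongSwan lists as `_i` (inbound) must appear as the outbound (`>`) SA on the vSRX, and vice versa. The script below is an added example, not part of this article or of either product; it parses the `ipsec statusall` and `show security ipsec security-associations` output shown above, mirrors the SPIs, and compares the algorithm names. The `norm()` rule that maps strongSwan names such as `HMAC_SHA1_96` onto the vSRX spelling `sha1` is an assumption that covers the AES-CBC and HMAC-SHA names used here.

```python
import re

# Constructed sample output copied from the verification section of this article.
SWAN_STATUS = """
     to-srx1 :  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cbc742cc_i 67382826_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 168 bytes_i (2 pkts, 28s ago), 168 bytes_o (2 pkts, 28s ago), rekeying in 46 minutes
"""
SRX_SAS = """
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108865 ESP:aes-cbc-256/sha1 67382826 3512/ unlim - root 500 192.168.1.1
  >67108865 ESP:aes-cbc-256/sha1 cbc742cc 3512/ unlim - root 500 192.168.1.1
"""

def swan_child_sa(text):
    """Extract inbound/outbound ESP SPIs and the cipher/integrity pair from 'ipsec statusall'."""
    spi = re.search(r"ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o", text)
    alg = re.search(r"(\S+)/(\S+), \d+ bytes_i", text)
    return {"in": spi.group(1), "out": spi.group(2), "enc": alg.group(1), "auth": alg.group(2)}

def norm(alg):
    """Assumed cross-vendor normalisation: AES_CBC_256 -> aes-cbc-256, HMAC_SHA1_96 -> sha1."""
    a = alg.lower().replace("_", "-")
    a = re.sub(r"^hmac-", "", a)
    return re.sub(r"-(96|128|256)$", "", a) if a.startswith("sha") else a

def srx_child_sa(text):
    """Extract the '<' (inbound) and '>' (outbound) SPIs and algorithms from the vSRX SA table."""
    sa = {}
    for direction, enc, auth, spi in re.findall(r"^\s*([<>])\d+ ESP:(\S+)/(\S+) ([0-9a-f]+)", text, re.M):
        sa["in" if direction == "<" else "out"] = spi
        sa["enc"], sa["auth"] = enc, auth
    return sa

def cross_check(swan_text, srx_text):
    """Return findings; an empty list means the SPIs are mirrored and the algorithms agree on both ends."""
    s, j = swan_child_sa(swan_text), srx_child_sa(srx_text)
    findings = []
    if s["in"] != j["out"] or s["out"] != j["in"]:  # each side's inbound SPI is the peer's outbound SPI
        findings.append(f"SPI mismatch: strongSwan in/out {s['in']}/{s['out']}, vSRX in/out {j['in']}/{j['out']}")
    for k in ("enc", "auth"):
        if norm(s[k]) != norm(j[k]):
            findings.append(f"{k} mismatch: strongSwan {s[k]}, vSRX {j[k]}")
    return findings
```

A single SPI mismatch right after a rekey usually means one side still shows the previous child SA; re-run both commands a few seconds later before treating it as a fault.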

vSRX version - 18.2R1.9

[root@localhost user1]# ipsec version
Linux strongSwan U5.6.3/K3.10.0-957.27.2.el7.x86_64


Notes about this example:

  • charon is not used for the VPN configuration; the ipsec.conf file is used instead.
  • strongSwan is compiled from source with OpenSSL rather than GMP, roughly as follows:
    ./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl
    make
    make install