
[vSRX/SRX] Example - Configuring site-to-site VPN between v/SRX and StrongSwan in IKEv2 using certificates

Article ID: KB35007 | Last Updated: 13 Sep 2019 | Version: 1.0
Summary:

This article describes how to configure a site-to-site VPN between a v/SRX device and StrongSwan using IKEv2 with X.509 certificate (RSA signature) authentication.

Solution:

Below is the network topology:

192.168.1.1/30(eth1)           192.168.1.2/30(ge-0/0/0.0)
      |Strongswan-------------------v/SRX|st0.2
10.9.141.1/24(lo:1)            10.10.27.1/32(lo0.0)

In the above topology:

  • 192.168.1.1 and 192.168.1.2 are the VPN endpoints on StrongSwan (CentOS 7) and the vSRX device, respectively.
  • st0.2 is the secure tunnel interface on the vSRX device.
  • VPN traffic flows between the subnets 10.9.141.0/24 and 10.10.27.0/24, which serve as the proxy IDs (traffic selectors).

In this example, loopback interfaces are used on both devices for testing.

Certificates and Configuration on v/SRX

lab@roffice1# run show security pki ca-certificate           
Certificate identifier: root-ca
  Issued to: student, Issued by: C = US, ST = California, O = Juniper, OU = Base, CN = student, emailAddress = student@juniper.net
  Validity:
    Not before: 07- 5-2019 12:04 UTC
    Not after: 02-25-2020 06:42 UTC
  Public key algorithm: rsaEncryption(1024 bits)

[edit]
lab@roffice1# run show security pki local-certificate certificate-id srx1    
Certificate identifier: srx1
  Issued to: srx1.juniper.net, Issued by: C = US, ST = California, O = Juniper, OU = Base, CN = student, emailAddress = student@juniper.net
  Validity:
    Not before: 07- 5-2019 12:16 UTC
    Not after: 02-25-2020 06:42 UTC
  Public key algorithm: rsaEncryption(1024 bits)

# show security ike | display set

set security ike proposal swan-phase1 authentication-method rsa-signatures
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ike proposal swan-phase1 lifetime-seconds 28800

set security ike policy phase1 proposals swan-phase1
set security ike policy phase1 certificate local-certificate srx1
set security ike policy phase1 certificate peer-certificate-type x509-signature

set security ike gateway swan ike-policy phase1
set security ike gateway swan address 192.168.1.1
set security ike gateway swan local-identity distinguished-name
set security ike gateway swan remote-identity distinguished-name container CN=sswan.juniper.net
set security ike gateway swan external-interface ge-0/0/0.0
set security ike gateway swan version v2-only
set security ike gateway swan fragmentation disable

# show security ipsec | display set      

set security ipsec proposal swan-phase2 protocol esp
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 lifetime-seconds 3600

set security ipsec policy phase-2 proposals swan-phase2

set security ipsec vpn swan bind-interface st0.2
set security ipsec vpn swan ike gateway swan
set security ipsec vpn swan ike ipsec-policy phase-2
set security ipsec vpn swan traffic-selector 1 local-ip 10.10.27.0/24
set security ipsec vpn swan traffic-selector 1 remote-ip 10.9.141.0/24

# show interfaces st0.2 | display set
set interfaces st0 unit 2 family inet

# show interfaces lo0 | display set
set interfaces lo0 unit 0 family inet address 10.10.27.1/32

# run show security zones | match "ge-0/0/0|lo0|st0.2|zone"
Security zone: TRUST-RO1
    lo0.0

Security zone: UNTRUST
    ge-0/0/0.0

Security zone: VPN
    st0.2

# show security zones security-zone UNTRUST | display set
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0

Finally, configure a security policy between the VPN zone (st0.2) and the zone that holds the protected hosts (here TRUST-RO1) that permits the VPN traffic you need; the flow session output later in this article shows such a policy (vpn-in) matching the test traffic.

Certificates and Configuration on StrongSwan

[root@localhost username]# ipsec listcerts

List of X.509 End Entity Certificates

  subject:  "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
  issuer:   "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
  validity:  not before Aug 27 08:17:00 2019, ok
             not after  Aug 27 08:17:00 2020, ok (expires in 358 days)
  serial:    08
  altNames:  student@juniper.net
  flags:     
  subjkeyId: 6a:90:a9:1d:de:ad:62:10:d4:9e:df:9c:d8:d0:ed:a9:a5:18:bf:b9
  pubkey:    RSA 1024 bits, has private key
  keyid:     5a:a2:b0:2b:4b:ea:03:21:73:24:6d:1b:2c:c0:01:c9:5a:56:f3:55
  subjkey:   6a:90:a9:1d:de:ad:62:10:d4:9e:df:9c:d8:d0:ed:a9:a5:18:bf:b9

[root@localhost username]# ipsec listcacerts

List of X.509 CA Certificates

  subject:  "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
  issuer:   "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
  validity:  not before Jul 05 08:04:00 2019, ok
             not after  Feb 25 01:42:00 2020, ok (expires in 174 days)
  serial:    01
  flags:     CA self-signed
  subjkeyId: e5:df:26:7a:85:b4:13:39:ae:a4:34:4d:1e:b3:f1:38:5d:e7:29:1c
  pubkey:    RSA 1024 bits
  keyid:     2a:e1:0a:0a:43:2c:bb:e2:66:d7:90:d3:73:04:ad:f3:1e:17:29:6e
  subjkey:   e5:df:26:7a:85:b4:13:39:ae:a4:34:4d:1e:b3:f1:38:5d:e7:29:1c

[root@localhost username]# ip addr | egrep  'eth|lo|inet' | grep -v link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet 10.9.141.1/24 scope global lo:1
    inet6 ::1/128 scope host

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.1/30 brd 192.168.1.3 scope global noprefixroute eth1

[root@localhost username]# cat /etc/ipsec.conf
# basic configuration
config setup
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
        uniqueids=yes
        strictcrlpolicy=no

# connection to srx1

conn to-srx1
  keyexchange=ikev2
  #authby=secret
  left=%defaultroute
  #leftid=192.168.1.1
  leftsubnet=10.9.141.0/24
  right=192.168.1.2
  rightsubnet=10.10.27.0/24
  ike=aes256-sha1-modp1024,aes256-sha1-modp2048!
  esp=aes256-sha1!
  keyingtries=0
  ikelifetime=8h
  lifetime=1h
  #dpddelay=30
  #dpdtimeout=120
  #dpdaction=restart
  auto=start
  leftid= "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"   
  rightid="C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"    
  leftcert=/etc/ipsec.d/certs/strongswan.crt
  leftsendcert=always
  rightauth=pubkey

[root@localhost username]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

: RSA /etc/ipsec.d/private/strongswan.pem
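The two configurations above only interoperate if the identities each side expects match the subject DN in the peer's certificate: the SRX checks its `remote-identity distinguished-name container CN=sswan.juniper.net` against the StrongSwan certificate, and StrongSwan checks `rightid=` against the SRX certificate. A complication when eyeballing this is that the two products print the same DN differently (`C = US, ..., emailAddress = ...` on Junos versus `C=US, ..., E=...` on StrongSwan). The following Python script is an added example, not code from the KB article or from either product; it normalises both DN forms, compares the `leftid`/`rightid` lines of an ipsec.conf against certificate subjects, and models the Junos container match as an in-order subset of the peer DN (the article only demonstrates a one-RDN container matching a longer subject, so the ordering rule is an assumption). The ipsec.conf fragment and subject strings are constructed from the article's output.

```python
"""Check configured IKE identities against the peers' certificate subject DNs.

Added example (not from the KB article, strongSwan or Junos). Junos prints
"C = US, ..., emailAddress = x" and strongSwan prints "C=US, ..., E=x"; both are
parsed into the same list of (attribute, value) pairs before comparison.
"""
import re

# OpenSSL long name (seen in Junos output) vs. the short name strongSwan prints
ATTR_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}

ID_LINE_RE = re.compile(r"^\s*(leftid|rightid)\s*=\s*(.+?)\s*$", re.M)


def parse_dn(dn: str) -> list:
    """'C = US, ST = California' or 'C=US,ST=California' -> [('C','US'), ('ST','California')].
    Values containing an escaped comma are not handled (none occur in the article)."""
    rdns = []
    for part in dn.strip().strip('"').split(","):
        if "=" not in part:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return rdns


def dn_equal(configured_id: str, cert_subject: str) -> bool:
    """Whole-DN match, as strongSwan applies to rightid= (its '*' wildcards are not modelled)."""
    return parse_dn(configured_id) == parse_dn(cert_subject)


def container_match(container: str, cert_subject: str) -> bool:
    """Assumed Junos 'container' semantics: every RDN in the container must appear in the
    peer's subject DN, in the same relative order; extra subject RDNs are ignored."""
    want, have = parse_dn(container), parse_dn(cert_subject)
    pos = 0
    for rdn in want:
        try:
            pos = have.index(rdn, pos) + 1
        except ValueError:
            return False
    return True


def check_ipsec_conf(conf: str, local_subject: str, peer_subject: str) -> list:
    """Return mismatches between leftid/rightid in an ipsec.conf text and the actual
    subject DNs of the local (leftcert) and peer certificates; empty list means OK."""
    ids = dict(ID_LINE_RE.findall(conf))
    problems = []
    for key, subject in (("leftid", local_subject), ("rightid", peer_subject)):
        if key not in ids:
            problems.append(f"{key} is not set")
        elif not dn_equal(ids[key], subject):
            problems.append(f"{key} {ids[key]} does not match certificate subject {subject!r}")
    return problems


# Constructed from the article: the conn block's identity lines (note the space after leftid=)
IPSEC_CONF = """\
conn to-srx1
  keyexchange=ikev2
  leftid= "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
  rightid="C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
  leftcert=/etc/ipsec.d/certs/strongswan.crt
"""
SWAN_SUBJECT = "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
SRX_SUBJECT = "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
CA_AS_STRONGSWAN_PRINTS = "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
CA_AS_JUNOS_PRINTS = "C = US, ST = California, O = Juniper, OU = Base, CN = student, emailAddress = student@juniper.net"
SRX_CONTAINER = "CN=sswan.juniper.net"  # remote-identity distinguished-name container on the SRX


if __name__ == "__main__":
    print("same CA on both sides:", dn_equal(CA_AS_STRONGSWAN_PRINTS, CA_AS_JUNOS_PRINTS))
    print("SRX container accepts strongSwan cert:", container_match(SRX_CONTAINER, SWAN_SUBJECT))
    print("ipsec.conf identity problems:", check_ipsec_conf(IPSEC_CONF, SWAN_SUBJECT, SRX_SUBJECT))
```

Run it against your own ipsec.conf and the subjects printed by `ipsec listcerts` (and, for the SRX side, by `show security pki local-certificate detail`) before bringing the tunnel up; an identity mismatch surfaces in the IKE_AUTH exchange as an authentication failure, which is harder to diagnose from the logs than from this check.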

Bringing Up the VPN and Verification

[root@localhost username]# ipsec up to-srx1
initiating IKE_SA to-srx1[4] to 192.168.1.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (380 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (407 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((40002)) CERTREQ V V V ]
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
received unknown vendor ID: 09:00:26:89:df:d6:b7:12
received unknown vendor ID: fd:80:88:04:df:73:b1:51:50:70:9d:87:80:44:cd:e0:ac:1e:fc:de
received cert request for "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
sending cert request for "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
authentication of 'C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net' (myself) with RSA signature successful
sending end entity cert "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
establishing CHILD_SA to-srx1 
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.1[4500] to 192.168.1.2[4500] (1260 bytes)
received packet: from 192.168.1.2[4500] to 192.168.1.1[4500] (1084 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(SET_WINSIZE) ]
received end entity cert "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
  using certificate "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
  using trusted ca certificate "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
checking certificate status of "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net' with RSA signature successful
IKE_SA to-srx1[4] established between 192.168.1.1[C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net]...192.168.1.2[C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net]
scheduling reauthentication in 27782s
maximum IKE_SA lifetime 28322s
CHILD_SA to-srx1  established with SPIs c1995f9c_i 1ce128f4_o and TS 10.9.141.0/24 === 10.10.27.0/24
connection 'to-srx1' established successfully

[root@localhost username]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-957.27.2.el7.x86_64, x86_64):
  uptime: 15 hours, since Sep 03 05:04:33 2019
  malloc: sbrk 2568192, mmap 0, used 390320, free 2177872
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.1.1

Connections:
     to-srx1:  %any...192.168.1.2  IKEv2
     to-srx1:   local:  [C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net] uses public key authentication
     to-srx1:    cert:  "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
     to-srx1:   remote: [C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net] uses public key authentication
     to-srx1:   child:  10.9.141.0/24 === 10.10.27.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     to-srx1[4]: ESTABLISHED 20 minutes ago, 192.168.1.1[C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net]...192.168.1.2[C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net]
     to-srx1[4]: IKEv2 SPIs: 0a295cf22b1dfc99_i* 13421a3f1132a480_r, public key reauthentication in 7 hours
     to-srx1[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     to-srx1 :  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1995f9c_i 1ce128f4_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 minutes
     to-srx1 :   10.9.141.0/24 === 10.10.27.0/24

lab@roffice1# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
7371509 UP     0a295cf22b1dfc99  13421a3f1132a480  IKEv2          192.168.1.1

lab@roffice1# run show security ipsec security-associations detail vpn-name swan

ID: 67108869 Virtual-system: root, VPN Name: swan
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Traffic Selector Name: 1
  Local Identity: ipv4(10.10.27.0-10.10.27.255)
  Remote Identity: ipv4(10.9.141.0-10.9.141.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Wed Sep 04 2019 01:47:37 +0200: IPSec SA negotiation successfully completed (1 times)
    Wed Sep 04 2019 01:47:37 +0200: IKE SA negotiation successfully completed (2 times)
    
  Direction: inbound, SPI: 1ce128f4, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2218 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1628 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: c1995f9c, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2218 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1628 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

lab@roffice1# run show route 10.9.141.0/24

inet.0: 22 destinations, 24 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.9.141.0/24      *[Static/5] 15:05:25
                    > via st0.2

[root@localhost username]# ping 10.10.27.1
PING 10.10.27.1 (10.10.27.1) 56(84) bytes of data.
64 bytes from 10.10.27.1: icmp_seq=1 ttl=64 time=0.648 ms
64 bytes from 10.10.27.1: icmp_seq=2 ttl=64 time=0.646 ms

lab@roffice1# run show security flow session protocol icmp    
Session ID: 35234, Policy name: vpn-in/9, Timeout: 2, Valid
  In: 10.9.141.1/2 --> 10.10.27.1/24624;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 84,
  Out: 10.10.27.1/24624 --> 10.9.141.1/2;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,

Note: This example configures StrongSwan through the ipsec.conf file. In the example environment, StrongSwan was built from source with the openssl plugin instead of gmp, using a configure line similar to the following:

./configure --prefix=/usr --sysconfdir=/etc --disable-gmp  --enable-openssl
make
make install   