[vSRX/SRX] Example - Configuring site-to-site VPN between v/SRX and StrongSwan in IKEv2 using certificates

  [KB35007]


Summary:

This article describes how to configure a site-to-site VPN between a v/SRX and StrongSwan using IKEv2 with X.509 certificate (RSA signature) authentication.

Solution:

Below is the network topology:

 
192.168.1.1/30(eth1)           192.168.1.2/30(ge-0/0/0.0)
      |Strongswan-------------------v/SRX|st0.2
10.9.141.1/24(lo:1)            10.10.27.1/32(lo0.0) 
 

In the above topology:

  • 192.168.1.1 and 192.168.1.2 are the VPN endpoints on StrongSwan (CentOS 7) and on the vSRX device, respectively.
  • st0.2 is the secure tunnel interface on the vSRX device.
  • VPN traffic is between the subnets 10.9.141.0/24 (StrongSwan side) and 10.10.27.0/24 (vSRX side). These are the proxy IDs: traffic selectors on the vSRX, leftsubnet/rightsubnet on StrongSwan.

In this example, loopback interfaces are used on both devices for testing. The proposals below (1024-bit RSA keys, SHA-1 and DH group 2 / modp1024) are what the lab certificates and peers negotiate and are shown for interoperability only; use larger keys, a stronger DH group and a SHA-2 hash in production.

Certificates and Configuration on v/SRX

lab@roffice1# run show security pki ca-certificate           
Certificate identifier: root-ca
  Issued to: student, Issued by: C = US, ST = California, O = Juniper, OU = Base, CN = student, emailAddress = student@juniper.net
  Validity:
    Not before: 07- 5-2019 12:04 UTC
    Not after: 02-25-2020 06:42 UTC
  Public key algorithm: rsaEncryption(1024 bits)

[edit]
lab@roffice1# run show security pki local-certificate certificate-id srx1    
Certificate identifier: srx1
  Issued to: srx1.juniper.net, Issued by: C = US, ST = California, O = Juniper, OU = Base, CN = student, emailAddress = student@juniper.net
  Validity:
    Not before: 07- 5-2019 12:16 UTC
    Not after: 02-25-2020 06:42 UTC
  Public key algorithm: rsaEncryption(1024 bits)

# show security ike | display set

set security ike proposal swan-phase1 authentication-method rsa-signatures
set security ike proposal swan-phase1 dh-group group2
set security ike proposal swan-phase1 authentication-algorithm sha1
set security ike proposal swan-phase1 encryption-algorithm aes-256-cbc
set security ike proposal swan-phase1 lifetime-seconds 28800

set security ike policy phase1 proposals swan-phase1
set security ike policy phase1 certificate local-certificate srx1
set security ike policy phase1 certificate peer-certificate-type x509-signature

set security ike gateway swan ike-policy phase1
set security ike gateway swan address 192.168.1.1
set security ike gateway swan local-identity distinguished-name
set security ike gateway swan remote-identity distinguished-name container CN=sswan.juniper.net
set security ike gateway swan external-interface ge-0/0/0.0
set security ike gateway swan version v2-only
set security ike gateway swan fragmentation disable

# show security ipsec | display set      

set security ipsec proposal swan-phase2 protocol esp
set security ipsec proposal swan-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal swan-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal swan-phase2 lifetime-seconds 3600

set security ipsec policy phase-2 proposals swan-phase2

set security ipsec vpn swan bind-interface st0.2
set security ipsec vpn swan ike gateway swan
set security ipsec vpn swan ike ipsec-policy phase-2
set security ipsec vpn swan traffic-selector 1 local-ip 10.10.27.0/24
set security ipsec vpn swan traffic-selector 1 remote-ip 10.9.141.0/24

# show interfaces st0.2 | display set
set interfaces st0 unit 2 family inet

# show interfaces lo0 | display set
set interfaces lo0 unit 0 family inet address 10.10.27.1/32

# run show security zones | match "ge-0/0/0|lo0|st0.2|zone"
Security zone: TRUST-RO1
    lo0.0

Security zone: UNTRUST
    ge-0/0/0.0

Security zone: VPN
    st0.2

# show security zones security-zone UNTRUST | display set
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0

Now configure security policies between the VPN zone (st0.2) and the zone holding the protected subnet (TRUST-RO1 here) to permit the VPN traffic you need; the flow session in the verification section matches such a policy, named vpn-in.

Certificates and Configuration on StrongSwan

[root@localhost username]# ipsec listcerts

List of X.509 End Entity Certificates

  subject:  "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
  issuer:   "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
  validity:  not before Aug 27 08:17:00 2019, ok
             not after  Aug 27 08:17:00 2020, ok (expires in 358 days)
  serial:    08
  altNames:  student@juniper.net
  flags:     
  subjkeyId: 6a:90:a9:1d:de:ad:62:10:d4:9e:df:9c:d8:d0:ed:a9:a5:18:bf:b9
  pubkey:    RSA 1024 bits, has private key
  keyid:     5a:a2:b0:2b:4b:ea:03:21:73:24:6d:1b:2c:c0:01:c9:5a:56:f3:55
  subjkey:   6a:90:a9:1d:de:ad:62:10:d4:9e:df:9c:d8:d0:ed:a9:a5:18:bf:b9

[root@localhost username]# ipsec listcacerts

List of X.509 CA Certificates

  subject:  "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
  issuer:   "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
  validity:  not before Jul 05 08:04:00 2019, ok
             not after  Feb 25 01:42:00 2020, ok (expires in 174 days)
  serial:    01
  flags:     CA self-signed
  subjkeyId: e5:df:26:7a:85:b4:13:39:ae:a4:34:4d:1e:b3:f1:38:5d:e7:29:1c
  pubkey:    RSA 1024 bits
  keyid:     2a:e1:0a:0a:43:2c:bb:e2:66:d7:90:d3:73:04:ad:f3:1e:17:29:6e
  subjkey:   e5:df:26:7a:85:b4:13:39:ae:a4:34:4d:1e:b3:f1:38:5d:e7:29:1c

[root@localhost username]# ip addr | egrep  'eth|lo|inet' | grep -v link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet 10.9.141.1/24 scope global lo:1
    inet6 ::1/128 scope host

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.1/30 brd 192.168.1.3 scope global noprefixroute eth1

[root@localhost username]# cat /etc/ipsec.conf
# basic configuration
config setup
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
        uniqueids=yes
        strictcrlpolicy=no

# connection to srx1

conn to-srx1
  keyexchange=ikev2
  #authby=secret
  left=%defaultroute
  #leftid=192.168.1.1
  leftsubnet=10.9.141.0/24
  right=192.168.1.2
  rightsubnet=10.10.27.0/24
  ike=aes256-sha1-modp1024,aes256-sha1-modp2048!
  esp=aes256-sha1!
  keyingtries=0
  ikelifetime=8h
  lifetime=1h
  #dpddelay=30
  #dpdtimeout=120
  #dpdaction=restart
  auto=start
  leftid="C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
  rightid="C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
  leftcert=/etc/ipsec.d/certs/strongswan.crt
  leftsendcert=always
  rightauth=pubkey

[root@localhost username]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets

: RSA /etc/ipsec.d/private/strongswan.pem
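The authentication step succeeds only if the identities line up on both sides: strongSwan's rightid must equal the subject of the certificate the SRX presents, and the IDi strongSwan sends (its leftid) must satisfy the SRX rule remote-identity distinguished-name container CN=sswan.juniper.net. The two products also print the same DN differently (Junos: "emailAddress = ..." with spaces; strongSwan: "E=..."). The following is an added example, not Juniper's or strongSwan's code; it normalises the DN strings copied from this article and models the two matching rules (the container semantics, every configured RDN present in the peer DN with an identical value, are an assumption about Junos behaviour, not its implementation).

```python
"""Identity matching for the certificate-authenticated IKEv2 peers above.

Added example, not Juniper's or strongSwan's code. The DN strings are the ones
printed in this article; the two matching rules are a model (assumption) of
how strongSwan compares rightid against the peer certificate subject, and how
Junos evaluates `remote-identity distinguished-name container`.
"""
from __future__ import annotations

import re

# strongSwan prints the e-mail attribute as E=, Junos and OpenSSL as emailAddress=.
_ATTR_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a printed DN into ordered (ATTR, value) pairs, normalising attribute
    spelling, case and the whitespace around '=' so both vendors' formats compare."""
    pairs = []
    for rdn in re.split(r"\s*,\s*", dn.strip().strip('"')):
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        pairs.append((_ATTR_ALIASES.get(attr, attr), value.strip()))
    return pairs


def dn_equal(a: str, b: str) -> bool:
    """Full-DN match (same RDNs, same order), as for strongSwan's rightid."""
    return parse_dn(a) == parse_dn(b)


def container_match(configured: str, peer_dn: str) -> bool:
    """Model of Junos 'distinguished-name container': every configured RDN must be
    present in the peer's DN with an identical value; order and extra RDNs are ignored."""
    peer = set(parse_dn(peer_dn))
    return all(rdn in peer for rdn in parse_dn(configured))


# Values copied from the article's outputs and configuration.
CA_DN_JUNOS = "C = US, ST = California, O = Juniper, OU = Base, CN = student, emailAddress = student@juniper.net"
CA_DN_SWAN = "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
SWAN_LEFTID = "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
SWAN_RIGHTID = "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
SRX_CERT_SUBJECT = "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"  # as received by strongSwan
SRX_REMOTE_IDENTITY_CONTAINER = "CN=sswan.juniper.net"


def verify_identities() -> dict[str, bool]:
    """The checks to run before digging into an IKE_AUTH failure."""
    return {
        # Same CA on both sides, despite the different attribute spelling.
        "same_ca": dn_equal(CA_DN_JUNOS, CA_DN_SWAN),
        # strongSwan's rightid must equal the subject of the SRX certificate.
        "rightid_matches_srx_cert": dn_equal(SWAN_RIGHTID, SRX_CERT_SUBJECT),
        # The SRX container rule must accept the IDi strongSwan sends (its leftid)...
        "srx_accepts_swan_id": container_match(SRX_REMOTE_IDENTITY_CONTAINER, SWAN_LEFTID),
        # ...and must not accept the SRX's own identity, which carries a different CN.
        "srx_rejects_other_cn": not container_match(SRX_REMOTE_IDENTITY_CONTAINER, SRX_CERT_SUBJECT),
    }


if __name__ == "__main__":
    for name, ok in verify_identities().items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

When a peer's AUTH is rejected, paste the subject printed by `ipsec listcerts` and the DN from `show security pki local-certificate` into these constants; a False from dn_equal usually means a stray RDN (an E= or emailAddress= the other side does not expect) rather than a wrong CN.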

Bringing Up the VPN and Verification

[root@localhost username]# ipsec up to-srx1
initiating IKE_SA to-srx1[4] to 192.168.1.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (380 bytes)
received packet: from 192.168.1.2[500] to 192.168.1.1[500] (407 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((40002)) CERTREQ V V V ]
received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
received unknown vendor ID: 09:00:26:89:df:d6:b7:12
received unknown vendor ID: fd:80:88:04:df:73:b1:51:50:70:9d:87:80:44:cd:e0:ac:1e:fc:de
received cert request for "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
sending cert request for "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
authentication of 'C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net' (myself) with RSA signature successful
sending end entity cert "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
establishing CHILD_SA to-srx1 
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.1[4500] to 192.168.1.2[4500] (1260 bytes)
received packet: from 192.168.1.2[4500] to 192.168.1.1[4500] (1084 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(SET_WINSIZE) ]
received end entity cert "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
  using certificate "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
  using trusted ca certificate "C=US, ST=California, O=Juniper, OU=Base, CN=student, E=student@juniper.net"
checking certificate status of "C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net' with RSA signature successful
IKE_SA to-srx1[4] established between 192.168.1.1[C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net]...192.168.1.2[C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net]
scheduling reauthentication in 27782s
maximum IKE_SA lifetime 28322s
CHILD_SA to-srx1  established with SPIs c1995f9c_i 1ce128f4_o and TS 10.9.141.0/24 === 10.10.27.0/24
connection 'to-srx1' established successfully

[root@localhost username]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-957.27.2.el7.x86_64, x86_64):
  uptime: 15 hours, since Sep 03 05:04:33 2019
  malloc: sbrk 2568192, mmap 0, used 390320, free 2177872
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.1.1

Connections:
     to-srx1:  %any...192.168.1.2  IKEv2
     to-srx1:   local:  [C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net] uses public key authentication
     to-srx1:    cert:  "C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net"
     to-srx1:   remote: [C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net] uses public key authentication
     to-srx1:   child:  10.9.141.0/24 === 10.10.27.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     to-srx1[4]: ESTABLISHED 20 minutes ago, 192.168.1.1[C=US, ST=California, O=Juniper, OU=Base, CN=sswan.juniper.net]...192.168.1.2[C=US, ST=California, O=Juniper, OU=Base, CN=srx1.juniper.net]
     to-srx1[4]: IKEv2 SPIs: 0a295cf22b1dfc99_i* 13421a3f1132a480_r, public key reauthentication in 7 hours
     to-srx1[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     to-srx1 :  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1995f9c_i 1ce128f4_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 minutes
     to-srx1 :   10.9.141.0/24 === 10.10.27.0/24

lab@roffice1# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
7371509 UP     0a295cf22b1dfc99  13421a3f1132a480  IKEv2          192.168.1.1

lab@roffice1# run show security ipsec security-associations detail vpn-name swan

ID: 67108869 Virtual-system: root, VPN Name: swan
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Traffic Selector Name: 1
  Local Identity: ipv4(10.10.27.0-10.10.27.255)
  Remote Identity: ipv4(10.9.141.0-10.9.141.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Wed Sep 04 2019 01:47:37 +0200: IPSec SA negotiation successfully completed (1 times)
    Wed Sep 04 2019 01:47:37 +0200: IKE SA negotiation successfully completed (2 times)
    
  Direction: inbound, SPI: 1ce128f4, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2218 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1628 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: c1995f9c, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2218 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1628 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
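Both sides now report the same child SA, but from opposite viewpoints: the ESP SPI strongSwan lists as inbound (c1995f9c_i) is the SRX's outbound SPI, the transform names are spelled differently, and the SRX prints selectors as address ranges. The following is an added example, not strongSwan's or Juniper's code: it parses the two excerpts copied from the output above and cross-checks SPIs, transforms and traffic selectors. The regular expressions assume exactly these output formats, which is an assumption about the text shown here, not an API of either product.

```python
"""Cross-check the installed IPsec SA as reported by both peers.

Added example, not strongSwan's or Juniper's code. The two excerpts are copied
from the `ipsec statusall` and `show security ipsec security-associations detail`
output in this article; the regular expressions assume exactly those formats.
"""
from __future__ import annotations

import ipaddress
import re

STRONGSWAN_STATUS = """\
     to-srx1 :  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1995f9c_i 1ce128f4_o
     to-srx1 :  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 minutes
     to-srx1 :   10.9.141.0/24 === 10.10.27.0/24
"""

JUNOS_DETAIL = """\
  Local Identity: ipv4(10.10.27.0-10.10.27.255)
  Remote Identity: ipv4(10.9.141.0-10.9.141.255)
  Direction: inbound, SPI: 1ce128f4, AUX-SPI: 0
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
  Direction: outbound, SPI: c1995f9c, AUX-SPI: 0
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
"""

# strongSwan transform names -> the spelling Junos uses for the same transform.
_ALG_MAP = {"AES_CBC_256": "aes-cbc (256 bits)", "HMAC_SHA1_96": "hmac-sha1-96"}


def parse_strongswan(text: str) -> dict:
    """Pull SPIs, ESP transforms and traffic selectors out of `ipsec statusall`."""
    spis = re.search(r"ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o", text)
    algs = re.search(r"\b([A-Z0-9_]+)/([A-Z0-9_]+), \d+ bytes_i", text)
    ts = re.search(r"(\S+) === (\S+)", text)
    return {
        "spi_in": spis.group(1), "spi_out": spis.group(2),
        "enc": algs.group(1), "auth": algs.group(2),
        "local_ts": ipaddress.ip_network(ts.group(1)),
        "remote_ts": ipaddress.ip_network(ts.group(2)),
    }


def _range_to_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Junos prints selectors as address ranges; fold one back into a prefix."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not a single prefix")
    return nets[0]


def parse_junos(text: str) -> dict:
    """Pull the same fields out of the SRX SA detail output."""
    spis = dict(re.findall(r"Direction: (inbound|outbound), SPI: ([0-9a-f]+)", text))
    algs = re.search(r"Authentication: (\S+), Encryption: (.+)", text)
    local = re.search(r"Local Identity: ipv4\(([\d.]+)-([\d.]+)\)", text)
    remote = re.search(r"Remote Identity: ipv4\(([\d.]+)-([\d.]+)\)", text)
    return {
        "spi_in": spis["inbound"], "spi_out": spis["outbound"],
        "enc": algs.group(2).strip(), "auth": algs.group(1),
        "local_ts": _range_to_network(*local.groups()),
        "remote_ts": _range_to_network(*remote.groups()),
    }


def cross_check(swan: dict, srx: dict) -> dict[str, bool]:
    """Every entry must be True for a working tunnel."""
    return {
        # An ESP SPI is chosen by the receiver, so strongSwan's inbound SPI is
        # the SRX's outbound SPI and vice versa.
        "spi_in_matches": swan["spi_in"] == srx["spi_out"],
        "spi_out_matches": swan["spi_out"] == srx["spi_in"],
        "enc_matches": _ALG_MAP.get(swan["enc"]) == srx["enc"],
        "auth_matches": _ALG_MAP.get(swan["auth"]) == srx["auth"],
        # Selectors are mirrored: strongSwan's leftsubnet is the SRX's remote-ip.
        "ts_mirrored": (swan["local_ts"] == srx["remote_ts"]
                        and swan["remote_ts"] == srx["local_ts"]),
    }


def verify_sa(swan_text: str = STRONGSWAN_STATUS, srx_text: str = JUNOS_DETAIL) -> dict[str, bool]:
    return cross_check(parse_strongswan(swan_text), parse_junos(srx_text))


if __name__ == "__main__":
    for name, ok in verify_sa().items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

A tunnel that is "up" on both ends but passes no traffic typically fails the ts_mirrored check (overlapping or asymmetric selectors) or shows SPIs that do not pair up after an unsynchronised rekey; comparing the two outputs this way pinpoints which side to look at.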

lab@roffice1# run show route 10.9.141.0/24

inet.0: 22 destinations, 24 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.9.141.0/24      *[Static/5] 15:05:25
                    > via st0.2

[root@localhost username]# ping 10.10.27.1
PING 10.10.27.1 (10.10.27.1) 56(84) bytes of data.
64 bytes from 10.10.27.1: icmp_seq=1 ttl=64 time=0.648 ms
64 bytes from 10.10.27.1: icmp_seq=2 ttl=64 time=0.646 ms

lab@roffice1# run show security flow session protocol icmp    
Session ID: 35234, Policy name: vpn-in/9, Timeout: 2, Valid
  In: 10.9.141.1/2 --> 10.10.27.1/24624;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 84,
  Out: 10.10.27.1/24624 --> 10.9.141.1/2;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,

Note: The VPN is configured with the legacy ipsec.conf/ipsec.secrets files rather than swanctl.conf. StrongSwan is not enforcing revocation checks here (strictcrlpolicy=no, and the log above reports "certificate status is not available"), which is acceptable for a lab but should be enabled in production. In the example environment, StrongSwan is compiled from source with the openssl plugin instead of gmp, similar to the following:

./configure --prefix=/usr --sysconfdir=/etc --disable-gmp  --enable-openssl
make
make install   