
[SRX] Example - Configuring a Security Policy for a Route-Based VPN


Article ID: KB10110 KB Last Updated: 04 Feb 2021Version: 7.0
Summary:
 

When creating a route-based VPN on an SRX Series device, a security policy is necessary to allow traffic in/out of the tunnel. This article provides an example for configuring a security policy for a route-based VPN.

 

Symptoms:
 
  • Is a security policy needed for route-based VPNs on an SRX Series device?

  • I want a configuration example for creating a security policy with a route-based VPN.

 

Solution:
 

When creating a route-based VPN, a security policy is needed to permit/deny traffic in and out of the tunnel. Security policies are based on the security zones that the secure tunnel (st0) interface and LAN side interfaces are bound to.

Network Topology

Corporate Office - Sunnyvale

  • The subnet 192.168.2.0/24 is part of the zone "trust."

  • The st0.0 interface is in zone "vpn."

  • Egress traffic is from zone "trust" to zone "vpn."

  • Ingress traffic is from zone "vpn" to zone "trust."

There are three basic steps to creating a security policy:

  1. Create an address book entry, if one does not already exist.

  2. (Optional) Create a custom application, if no predefined applications encompass the protocol or ports needed.

  3. Create the security policy, which specifies the from and to zones, source address, destination address, and application.

Steps

  1. Create an address book entry.

CLI

root@Sunnyvale# set security zones security-zone trust address-book address Sunnyvale 192.168.2.0/24
root@Sunnyvale# set security zones security-zone vpn address-book address NewYork 192.168.3.0/24

J-Web

  a. On the Corporate Office - Sunnyvale SRX device, go to Configure > Security > Policy Elements.

  b. To add an address book entry for each zone, click Address Books.

  c. Click the zone for which you would like to add an address book entry.

  d. If the address book entry required does not exist, then click Add.

  e. In the Address Name field, specify a name (example: Sunnyvale). Note that the name must be a string beginning with a letter and consisting of letters, numbers, dashes, and underscores.

  f. In IP Address/Prefix, enter the IP address/subnet mask (example: 192.168.2.0/24).

     or

     In DNS Name, specify a fully qualified domain name. Note that the SRX Series device must have a working DNS server configured to resolve the domain name.

  g. Click OK.

Repeat steps c-g to create the NewYork address book entry. Click OK again to return to the Security Policies screen.

  2. (Optional) Create a custom application.

If you do not want to use predefined policy applications in your policy, you can easily create custom applications. For an example, consult: KB10140 - [SRX] Example - Configuring a security policy with a custom application.

In this article (Step 3), the "any" application will be used to allow all traffic.

  3. Create a security policy to permit the traffic.

CLI

root@Sunnyvale# set security policies from-zone trust to-zone vpn policy vpn_egress match source-address Sunnyvale
root@Sunnyvale# set security policies from-zone trust to-zone vpn policy vpn_egress match destination-address NewYork 
root@Sunnyvale# set security policies from-zone trust to-zone vpn policy vpn_egress match application any
root@Sunnyvale# set security policies from-zone trust to-zone vpn policy vpn_egress then permit

root@Sunnyvale# set security policies from-zone vpn to-zone trust policy vpn_ingress match source-address NewYork
root@Sunnyvale# set security policies from-zone vpn to-zone trust policy vpn_ingress match destination-address Sunnyvale
root@Sunnyvale# set security policies from-zone vpn to-zone trust policy vpn_ingress match application any
root@Sunnyvale# set security policies from-zone vpn to-zone trust policy vpn_ingress then permit

J-Web

  a. On the Corporate Office - Sunnyvale SRX device, on the Configure > Security > Policy screen, click Apply policy.

  b. In the Zone Direction area, select the From Zone and To Zone (example: from zone trust to zone vpn).

  c. Click Add a Policy.

  d. Specify Policy Name, then click (+) to expand and select Match Criteria.

  e. Select the Source Address Book and Destination Address Book objects on the right and click the left arrow (<-) for both to add them to the Matched list.

  f. Select the application to match (in this example, "any") and click the left arrow (<-) to add it to the Matched list. Note that custom applications, if you created one in Step 2, are normally listed at the bottom of the list.

  g. For Policy Action, select Permit from the pull-down menu. Note that this will show more options to select. Do NOT select an IPSec-VPN Tunnel or Pair Policy, as these are used only for policy-based VPNs.

  h. Click OK to commit the changes. If you would like to re-arrange the policy order, use the Move Up or Down option on the Security Policies screen.

  i. Click OK again to return to the main policy configuration screen.
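The steps above, assembled into one hierarchical configuration for the Sunnyvale side so the zone bindings from the Network Topology section and the two policies can be seen together. This is an added example, not part of the original article: the LAN interface name ge-0/0/0.0 is assumed, st0.0 is assumed to be already configured for the route-based VPN, and the session-close logging under each policy is an addition that the article's CLI commands do not include.

```junos
/* Added example (not from the article): zones, address books and policies for Sunnyvale */
/* Assumed: ge-0/0/0.0 is the LAN interface; st0.0 already belongs to the route-based VPN */
security {
    zones {
        security-zone trust {
            address-book {
                address Sunnyvale 192.168.2.0/24;
            }
            interfaces {
                ge-0/0/0.0;              /* LAN side interface (assumed name) */
            }
        }
        security-zone vpn {
            address-book {
                address NewYork 192.168.3.0/24;
            }
            interfaces {
                st0.0;                   /* secure tunnel interface of the route-based VPN */
            }
        }
    }
    policies {
        /* Egress: zone trust -> zone vpn (LAN into the tunnel) */
        from-zone trust to-zone vpn {
            policy vpn_egress {
                match {
                    source-address Sunnyvale;
                    destination-address NewYork;
                    application any;     /* replace with specific applications once traffic needs are known */
                }
                then {
                    permit;
                    log {
                        session-close;   /* added: records each session permitted through the tunnel */
                    }
                }
            }
        }
        /* Ingress: zone vpn -> zone trust (tunnel into the LAN) */
        from-zone vpn to-zone trust {
            policy vpn_ingress {
                match {
                    source-address NewYork;
                    destination-address Sunnyvale;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

After committing, `show security policies from-zone trust to-zone vpn` (and the vpn-to-trust direction) confirms both policies are present, and `show security flow session` shows sessions traversing st0.0 once traffic flows. Without the vpn-to-trust policy, return traffic initiated from the New York side is dropped by the default inter-zone deny, which is why both directions are configured above.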

 

Modification History:
 
  • 2020-06-26: Article reviewed for accuracy; no changes required.

  • 2021-02-04: Article reviewed for accuracy; minor changes made.

 
