SRX 1 (Hub Device):
Interface configuration (please note that the tunnel interface is configured as multipoint, which allows for the termination of multiple IPSec tunnels to a single logical interface.):
interfaces {
ge-0/0/0 {
unit 0 {
description "*** TRUST ***";
family inet {
address 10.1.1.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
description "*** UNTRUST ***";
family inet {
address 172.16.1.1/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 1.1.1.1/32;
}
}
}
st0 {
unit 0 {
description "*** VPN ***";
multipoint;
family inet {
address 192.168.1.1/24;
}
}
}
}
Default route configuration:
routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.1.2;
}
router-id 1.1.1.1;
autonomous-system 65001;
}
static {
route 0.0.0.0/0 next-hop 172.16.1.2;
}
router-id 1.1.1.1;
autonomous-system 65001;
}
BGP configuration:
protocols {
bgp {
group 1 {
type external;
neighbor 192.168.1.3 {
hold-time 30;
export 1;
peer-as 65003;
local-as 65001;
}
neighbor 192.168.1.4 {
hold-time 30;
export 1;
peer-as 65004;
local-as 65001;
}
}
}
}
Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.1.1.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}
}
bgp {
group 1 {
type external;
neighbor 192.168.1.3 {
hold-time 30;
export 1;
peer-as 65003;
local-as 65001;
}
neighbor 192.168.1.4 {
hold-time 30;
export 1;
peer-as 65004;
local-as 65001;
}
}
}
}
Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.1.1.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}
}
security {
ike {
policy 1-3 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$rV4KWXVwgUjq7-jqmfn6revW7-"; ## SECRET-DATA
}
policy 1-4 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$ZCDH.QF/0BEP5BEcyW8ZUjHP5"; ## SECRET-DATA
}
gateway 3 {
ike-policy 1-3;
address 172.16.3.1;
external-interface ge-0/0/1.0;
}
gateway 4 {
ike-policy 1-4;
address 172.16.4.1;
external-interface ge-0/0/1.0;
}
}
ipsec {
policy 1-3 {
proposal-set standard;
}
policy 1-4 {
proposal-set standard;
}
vpn 1-3 {
bind-interface st0.0;
ike {
gateway 3;
ipsec-policy 1-3;
}
establish-tunnels immediately;
}
vpn 1-4 {
bind-interface st0.0;
ike {
gateway 4;
ipsec-policy 1-4;
}
establish-tunnels immediately;
}
}
}
Security zone configuration (please note that for my lab testing, I am allowing almost everything. In a production environment it is required to enable the necessary services and protocols at the zone level in order for things to function properly (i.e. BGP, IKE, etc.)):
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
lo0.0;
ge-0/0/0.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone vpn {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
}
Security policy configuration (please note that there is a policy which denies traffic from spoke to spoke):
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone vpn to-zone vpn {
policy deny-intra-spoke-traffic {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone vpn to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
SRX 3 (Spoke Device):
Interface configuration:
interfaces {
ge-0/0/0 {
unit 0 {
description "*** TRUST ***";
family inet {
address 10.3.3.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
description "*** UNTRUST ***";
family inet {
address 172.16.3.1/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 3.3.3.3/32;
}
}
}
st0 {
unit 0 {
description "*** VPN ***";
family inet {
address 192.168.1.3/24;
}
}
}
}
Default route configuration:
routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.3.2;
}
router-id 3.3.3.3;
autonomous-system 65003;
}
static {
route 0.0.0.0/0 next-hop 172.16.3.2;
}
router-id 3.3.3.3;
autonomous-system 65003;
}
BGP configuration:
protocols {
bgp {
group 1 {
type external;
neighbor 192.168.1.1 {
hold-time 30;
export 1;
peer-as 65001;
local-as 65003;
}
}
}
}
Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.3.3.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}
}
bgp {
group 1 {
type external;
neighbor 192.168.1.1 {
hold-time 30;
export 1;
peer-as 65001;
local-as 65003;
}
}
}
}
Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.3.3.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}
}
VPN configuration:
security {
ike {
policy 3-1 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
}
gateway 3-1 {
ike-policy 3-1;
address 172.16.1.1;
external-interface ge-0/0/1.0;
}
}
ipsec {
policy 3-1 {
proposal-set standard;
}
vpn 3-1 {
bind-interface st0.0;
ike {
gateway 3-1;
ipsec-policy 3-1;
}
establish-tunnels immediately;
}
}
}
Security zone configuration:
zones {
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
lo0.0;
ge-0/0/0.0;
}
}
security-zone vpn {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
}
Security policy configuration:
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone trust to-zone vpn {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone vpn {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
SRX 4 (Spoke Device):
Interface configuration:
interfaces {
ge-0/0/0 {
unit 0 {
description "*** TRUST ***";
family inet {
address 10.4.4.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
description "*** UNTRUST ***";
family inet {
address 172.16.4.1/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 4.4.4.4/32;
}
}
}
st0 {
unit 0 {
description "*** VPN ***";
family inet {
address 192.168.1.4/24;
}
}
}
}
Default route configuration:
routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.4.2;
}
router-id 4.4.4.4;
autonomous-system 65004;
}
static {
route 0.0.0.0/0 next-hop 172.16.4.2;
}
router-id 4.4.4.4;
autonomous-system 65004;
}
BGP configuration:
protocols {
bgp {
group 1 {
type external;
neighbor 192.168.1.1 {
hold-time 30;
export 1;
peer-as 65001;
local-as 65004;
}
}
}
}
Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.4.4.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}
}
bgp {
group 1 {
type external;
neighbor 192.168.1.1 {
hold-time 30;
export 1;
peer-as 65001;
local-as 65004;
}
}
}
}
Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.4.4.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}
}
VPN configuration:
security {
ike {
policy 4-1 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA
}
gateway 4-1 {
ike-policy 4-1;
address 172.16.1.1;
external-interface ge-0/0/1.0;
}
}
ipsec {
policy 4-1 {
proposal-set standard;
}
vpn 4-1 {
bind-interface st0.0;
ike {
gateway 4-1;
ipsec-policy 4-1;
}
establish-tunnels immediately;
}
}
}
Security zone configuration:
zones {
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
lo0.0;
ge-0/0/0.0;
}
}
security-zone vpn {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
}
Security policy configuration:
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone trust to-zone vpn {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone vpn {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
Verification:
Here are some commands that can be run from operational mode for verification purposes:
show security ike security-associations
show security ipsec security-associations
show bgp neighbor
show bgp summary
show route
No comments:
Post a Comment