
Wednesday, August 26, 2015

VPN Between a Dell SonicWALL and a Juniper Networks SRX

I have seen multiple people in forums asking how to set up a site-to-site VPN between a Juniper SRX firewall and a Dell SonicWALL firewall. I originally created this post to provide the steps to get things working. While working with a client, I noticed that following the old steps no longer works. Below are the revised steps that I took to get it working; they are based on the following topology:

First we will configure the SRX:

Configure Interfaces:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet

Configure Routing:

set routing-options static route 172.16.1.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1

Configure VPN Parameters:

set security ike policy SRX-TO-SW mode main
set security ike policy SRX-TO-SW proposal-set standard
set security ike policy SRX-TO-SW pre-shared-key ascii-text thisismypsk

set security ike gateway SRX-TO-SW ike-policy SRX-TO-SW
set security ike gateway SRX-TO-SW address 11.11.11.2
set security ike gateway SRX-TO-SW external-interface ge-0/0/0.0

set security ipsec policy SRX-TO-SW proposal-set standard

set security ipsec vpn SRX-TO-SW bind-interface st0.0
set security ipsec vpn SRX-TO-SW ike gateway SRX-TO-SW
set security ipsec vpn SRX-TO-SW ike proxy-identity local 192.168.1.0/24
set security ipsec vpn SRX-TO-SW ike proxy-identity remote 172.16.1.0/24
set security ipsec vpn SRX-TO-SW ike proxy-identity service any
set security ipsec vpn SRX-TO-SW ike ipsec-policy SRX-TO-SW
set security ipsec vpn SRX-TO-SW establish-tunnels immediately

set security flow tcp-mss ipsec-vpn mss 1350

Configure Security Zones:

set security zones security-zone UNTRUST interfaces ge-0/0/0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols all

Configure Security Policies:

set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST then permit

set security policies from-zone TRUST to-zone VPN policy TRUST-TO-VPN match source-address any
set security policies from-zone TRUST to-zone VPN policy TRUST-TO-VPN match destination-address any
set security policies from-zone TRUST to-zone VPN policy TRUST-TO-VPN match application any
set security policies from-zone TRUST to-zone VPN policy TRUST-TO-VPN then permit

set security policies from-zone VPN to-zone TRUST policy VPN-TO-TRUST match source-address any
set security policies from-zone VPN to-zone TRUST policy VPN-TO-TRUST match destination-address any
set security policies from-zone VPN to-zone TRUST policy VPN-TO-TRUST match application any
set security policies from-zone VPN to-zone TRUST policy VPN-TO-TRUST then permit

Configure NAT:

set security nat source rule-set TRUST-TO-UNTRUST from zone TRUST
set security nat source rule-set TRUST-TO-UNTRUST to zone UNTRUST
set security nat source rule-set TRUST-TO-UNTRUST rule SRC-NAT match source-address 192.168.1.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule SRC-NAT then source-nat interface
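
Before committing a configuration like the one above, it is worth checking the cross-references that most often leave a route-based VPN stuck in Phase 1 or passing no traffic: the bind interface sitting in no zone, IKE not permitted as a host-inbound service on the external interface, no route pointing the remote proxy-ID at st0.0, and a local proxy-ID that matches no local network. The Python below is an added example (mine, not part of the post and not a Junos feature) that parses the set commands into token lists and runs exactly those checks; the embedded config is the SRX side from this post trimmed to the lines the checks read, and the function and message names are this example's own.

```python
"""Consistency checks for a route-based IPsec VPN on a Junos SRX, run over the
'set' commands of the configuration.  Added example: the checks are this
example's own, not a Junos feature.  The config text is copied from the post,
trimmed to the lines the checks read (the pre-shared key line is left out)."""
import ipaddress

SRX_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 172.16.1.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1
set security ike gateway SRX-TO-SW address 11.11.11.2
set security ike gateway SRX-TO-SW external-interface ge-0/0/0.0
set security ipsec vpn SRX-TO-SW bind-interface st0.0
set security ipsec vpn SRX-TO-SW ike gateway SRX-TO-SW
set security ipsec vpn SRX-TO-SW ike proxy-identity local 192.168.1.0/24
set security ipsec vpn SRX-TO-SW ike proxy-identity remote 172.16.1.0/24
set security zones security-zone UNTRUST interfaces ge-0/0/0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services all
"""


def parse_set(text):
    """One token list per 'set ...' line, with the leading 'set' dropped."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def after(cmds, *prefix):
    """The tokens that follow `prefix` in every command that starts with it."""
    n = len(prefix)
    return [c[n:] for c in cmds if tuple(c[:n]) == prefix]


def zone_of(cmds, iface):
    """Name of the security zone whose 'interfaces' list contains `iface`."""
    for t in after(cmds, "security", "zones", "security-zone"):
        if len(t) >= 3 and t[1] == "interfaces" and t[2] == iface:
            return t[0]
    return None


def ike_allowed_on(cmds, iface):
    """True if 'ike' (or 'all') is a host-inbound system service for `iface`,
    configured either at zone level or on the interface entry itself."""
    zone = zone_of(cmds, iface)
    if zone is None:
        return False
    for t in after(cmds, "security", "zones", "security-zone", zone):
        if t[:2] == ["interfaces", iface]:
            t = t[2:]  # per-interface host-inbound-traffic form
        if len(t) == 3 and t[:2] == ["host-inbound-traffic", "system-services"] \
                and t[2] in ("ike", "all"):
            return True
    return False


def interface_networks(cmds):
    """{'ge-0/0/0.0': IPv4Network(...), ...} for every 'family inet address'."""
    nets = {}
    for t in after(cmds, "interfaces"):
        # t == [IFACE, 'unit', UNIT, 'family', 'inet', 'address', PREFIX]
        if len(t) == 7 and t[3:6] == ["family", "inet", "address"]:
            nets[f"{t[0]}.{t[2]}"] = ipaddress.ip_interface(t[6]).network
    return nets


def static_next_hop(cmds, prefix):
    """Next hop of the static route for `prefix`, or None if there is none."""
    for t in after(cmds, "routing-options", "static", "route"):
        if len(t) == 3 and t[0] == prefix and t[1] == "next-hop":
            return t[2]
    return None


def check_vpn(text, name):
    """Return the list of problems found for ipsec vpn `name`; [] means consistent."""
    cmds = parse_set(text)
    vpn = {" ".join(t[:-1]): t[-1] for t in after(cmds, "security", "ipsec", "vpn", name)}
    bind = vpn.get("bind-interface")
    local = vpn.get("ike proxy-identity local")
    remote = vpn.get("ike proxy-identity remote")
    gw = {" ".join(t[:-1]): t[-1]
          for t in after(cmds, "security", "ike", "gateway", vpn.get("ike gateway"))}
    ext = gw.get("external-interface")
    problems = []
    if zone_of(cmds, bind) is None:
        problems.append(f"bind interface {bind} is in no security zone")
    if not ike_allowed_on(cmds, ext):
        problems.append(f"IKE is not a host-inbound service on {ext}; Phase 1 from the peer is dropped")
    if static_next_hop(cmds, remote) != bind:
        problems.append(f"no static route for remote proxy-id {remote} via {bind}")
    if local is None or ipaddress.ip_network(local) not in interface_networks(cmds).values():
        problems.append(f"local proxy-id {local} matches no interface network")
    return problems


if __name__ == "__main__":
    print(check_vpn(SRX_CONFIG, "SRX-TO-SW") or "VPN SRX-TO-SW: consistent")
```

Run against the post's config the check list comes back empty; deleting the UNTRUST ike line or pointing the 172.16.1.0/24 route anywhere but st0.0 produces a one-line explanation of why the tunnel will not come up, which is quicker than reading the IKE trace.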

Next we will configure the TZ:

Enable and add a VPN:

Navigate to VPN->Settings, check the box to enable VPN, and then click Accept.

Add a new VPN by selecting Add... under VPN Policies on the same page. Enter parameters as shown in the subsequent screenshots for each tab, and then click OK.


That's really it. You can then enable or disable the VPN on the SonicWALL at any time via a checkbox next to the newly created VPN on the VPN->Settings page.

Monitoring the Tunnel:

On the TZ:

You can verify tunnel status by going to VPN->Settings and looking under Currently Active VPN Tunnels.

On the SRX:

To verify that Phase 1 is complete, from operational mode issue the following command:

show security ike security-associations

To verify Phase 2 is complete, from operational mode issue the following command:

show security ipsec security-associations

Monday, February 16, 2015

Juniper Lab Environment - Part V - OSPF NSSA and Totally NSSA

This post is a continuation of my last post, which consisted of multiple OSPF areas, and specifically stub and totally stubby configuration. The fifth part in this series of blog posts will cover a topology that consists of seven vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this post is to explore the benefits of making area 56 an NSSA and then a totally NSSA area. We will then verify connectivity and reachability out to the internet from SRX6.

First, let's make area 56 an NSSA, which makes area 56 behave almost like a stub area. The main difference is that an NSSA still allows external routes to be redistributed into OSPF from within the area itself (they show up as the NSSA LSAs in the database below).

SRX6 Configuration:

set routing-options static route 10.66.0.0/24 discard
set routing-options static route 10.66.1.0/24 discard
set routing-options static route 10.66.2.0/24 discard
set routing-options static route 10.66.3.0/24 discard
set policy-options policy-statement static term 1 from protocol static
set policy-options policy-statement static term 1 then accept
set protocols ospf export static
set protocols ospf area 0.0.0.56 nssa
set protocols ospf area 0.0.0.56 interface ge-0/0/0.0
set protocols ospf area 0.0.0.56 interface ge-0/0/1.0

Note that above we are adding some static routes and exporting them from the routing table into OSPF so that we can simulate the need for configuring an NSSA.

SRX5 Configuration:

set protocols ospf area 0.0.0.56 nssa default-lsa default-metric 10
set protocols ospf area 0.0.0.56 interface ge-0/0/1.0

Here is how the database looks now:

root@6> show ospf database

    OSPF database, Area 0.0.0.56
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   5.5.5.5          5.5.5.5          0x80000004   694  0x20 0x64fe  36
Router  *6.6.6.6          6.6.6.6          0x80000004   688  0x20 0x3cd   84
Network *10.10.56.6       6.6.6.6          0x80000001   693  0x20 0x2f76  32
Summary  10.7.0.0         5.5.5.5          0x80000002   274  0x20 0x6aa9  28
Summary  10.7.1.0         5.5.5.5          0x80000002   136  0x20 0x5fb3  28
Summary  10.7.2.0         5.5.5.5          0x80000001  1165  0x20 0x56bc  28
Summary  10.7.3.0         5.5.5.5          0x80000001  1165  0x20 0x4bc6  28
Summary  10.10.23.0       5.5.5.5          0x80000001  1165  0x20 0x36c6  28
Summary  10.10.27.0       5.5.5.5          0x80000001  1165  0x20 0x14e3  28
Summary  10.10.34.0       5.5.5.5          0x80000001  1165  0x20 0xb240  28
Summary  10.10.45.0       5.5.5.5          0x80000001  1165  0x20 0x2fb9  28
NSSA     0.0.0.0          5.5.5.5          0x80000003   413  0x20 0x49c9  36
NSSA    *10.66.0.0        6.6.6.6          0x80000003   115  0x28 0x4aa7  36
NSSA    *10.66.1.0        6.6.6.6          0x80000002   882  0x28 0x41b0  36
NSSA    *10.66.2.0        6.6.6.6          0x80000002   882  0x28 0x36ba  36
NSSA    *10.66.3.0        6.6.6.6          0x80000002   882  0x28 0x2bc4  36

Now let's take it one step further to make area 56 a totally NSSA, which will shrink the database even more by blocking external routes from other areas, as well as inter-area routes from other areas.

SRX5 Configuration:

set protocols ospf area 0.0.0.56 nssa no-summaries

Here is how the database looks now:

root@6> show ospf database

    OSPF database, Area 0.0.0.56
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   5.5.5.5          5.5.5.5          0x80000008     3  0x20 0x5c03  36
Router  *6.6.6.6          6.6.6.6          0x8000000a     3  0x20 0xb36e  84
Network *10.10.56.6       6.6.6.6          0x80000007     3  0x20 0x237c  32
Summary  0.0.0.0          5.5.5.5          0x80000001    17  0x20 0x75ab  28
NSSA    *10.66.0.0        6.6.6.6          0x80000005     3  0x28 0x46a9  36
NSSA    *10.66.1.0        6.6.6.6          0x80000004     3  0x28 0x3db2  36
NSSA    *10.66.2.0        6.6.6.6          0x80000004     3  0x28 0x32bc  36
NSSA    *10.66.3.0        6.6.6.6          0x80000004     3  0x28 0x27c6  36

root@6> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=50 time=26.088 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=15.279 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=10.849 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=10.458 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=50 time=13.091 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.458/15.153/26.088/5.734 ms

Saturday, February 14, 2015

Juniper Lab Environment - Part IV - OSPF Stub and Totally Stubby

This post is a continuation of my last post, which consisted of an OSPF virtual link configuration. The fourth part in this series of blog posts will cover a topology that consists of six vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this post is to explore the benefits of making area 27 a stub area, and then taking it a step further to make it a totally stubby area. We will then verify connectivity and reachability out to the internet from SRX7.

Based on the current configuration (see previous posts), we will see all LSA types:

root@7> show ospf database

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000005   220  0x22 0x8234  36
Router  *7.7.7.7          7.7.7.7          0x80000003  1742  0x22 0xc439  84
Network *10.10.27.7       7.7.7.7          0x80000001  1747  0x22 0xb40f  32
Summary  10.10.23.0       2.2.2.2          0x80000004  1257  0x22 0x58ad  28
Summary  10.10.34.0       2.2.2.2          0x80000002   813  0x22 0xec0f  28
Summary  10.10.45.0       2.2.2.2          0x80000003   368  0x22 0x7b73  28
ASBRSum  3.3.3.3          2.2.2.2          0x80000003   516  0x22 0xba6a  28
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          3.3.3.3          0x80000001   497  0x22 0xa6ff  36

Now let's make area 27 a stub area, which will keep all external routes out of the area and also rules out local redistribution (a stub area cannot contain an ASBR).

SRX7 Configuration:

set protocols ospf area 0.0.0.27 stub

SRX2 Configuration:

set protocols ospf area 0.0.0.27 stub default-metric 10

Here is how the database looks now:

root@7> show ospf database

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000006     9  0x20 0x9e19  36
Router  *7.7.7.7          7.7.7.7          0x80000005     8  0x20 0x6697  84
Network *10.10.27.7       7.7.7.7          0x80000003     8  0x20 0xcef4  32
Summary  0.0.0.0          2.2.2.2          0x80000001   181  0x20 0xcf5d  28
Summary  10.10.23.0       2.2.2.2          0x80000001   181  0x20 0x7c8e  28
Summary  10.10.34.0       2.2.2.2          0x80000001   181  0x20 0xdf1   28
Summary  10.10.45.0       2.2.2.2          0x80000001   181  0x20 0x9d55  28

Now let's take it one step further to make area 27 a totally stubby area, which will also prevent inter-area routes.

SRX2 Configuration:

set protocols ospf area 0.0.0.27 stub default-metric 10 no-summaries

Here is how the database looks now:

root@7> show ospf database

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x8000000a     4  0x20 0x961d  36
Router  *7.7.7.7          7.7.7.7          0x8000000a     3  0x20 0x5c9c  84
Network *10.10.27.7       7.7.7.7          0x80000007     3  0x20 0xc6f8  32
Summary  0.0.0.0          2.2.2.2          0x80000001    19  0x20 0xcf5d  28
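
The databases in this post and in the NSSA post that follows it tell the area type on their own: the Opt column drops from 0x22 to 0x20 when the E-bit is cleared, the Extern and ASBRSum rows disappear, NSSA rows appear for an NSSA, and in the "totally" variants every Summary row except the 0.0.0.0 default is gone. The Python below is an added example (mine, not the post's) that parses the raw show ospf database output and classifies the area from those facts; the three embedded outputs are copied from the posts (area 27 before any stub configuration, area 27 totally stubby, area 56 totally NSSA), and the function names are this example's own.

```python
"""Parse Junos 'show ospf database' output and infer an area's type from what
the database contains.  Added example; the parser and classifier are this
example's own.  The three outputs are copied from the posts: area 27 before
any stub configuration, area 27 as totally stubby, area 56 as totally NSSA."""
import re
from collections import Counter

AREA_27_NORMAL = """\
    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000005   220  0x22 0x8234  36
Router  *7.7.7.7          7.7.7.7          0x80000003  1742  0x22 0xc439  84
Network *10.10.27.7       7.7.7.7          0x80000001  1747  0x22 0xb40f  32
Summary  10.10.23.0       2.2.2.2          0x80000004  1257  0x22 0x58ad  28
Summary  10.10.34.0       2.2.2.2          0x80000002   813  0x22 0xec0f  28
Summary  10.10.45.0       2.2.2.2          0x80000003   368  0x22 0x7b73  28
ASBRSum  3.3.3.3          2.2.2.2          0x80000003   516  0x22 0xba6a  28
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          3.3.3.3          0x80000001   497  0x22 0xa6ff  36
"""
AREA_27_TOTALLY_STUBBY = """\
    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x8000000a     4  0x20 0x961d  36
Router  *7.7.7.7          7.7.7.7          0x8000000a     3  0x20 0x5c9c  84
Network *10.10.27.7       7.7.7.7          0x80000007     3  0x20 0xc6f8  32
Summary  0.0.0.0          2.2.2.2          0x80000001    19  0x20 0xcf5d  28
"""
AREA_56_TOTALLY_NSSA = """\
    OSPF database, Area 0.0.0.56
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   5.5.5.5          5.5.5.5          0x80000008     3  0x20 0x5c03  36
Router  *6.6.6.6          6.6.6.6          0x8000000a     3  0x20 0xb36e  84
Network *10.10.56.6       6.6.6.6          0x80000007     3  0x20 0x237c  32
Summary  0.0.0.0          5.5.5.5          0x80000001    17  0x20 0x75ab  28
NSSA    *10.66.0.0        6.6.6.6          0x80000005     3  0x28 0x46a9  36
NSSA    *10.66.1.0        6.6.6.6          0x80000004     3  0x28 0x3db2  36
NSSA    *10.66.2.0        6.6.6.6          0x80000004     3  0x28 0x32bc  36
NSSA    *10.66.3.0        6.6.6.6          0x80000004     3  0x28 0x27c6  36
"""

ROW = re.compile(r"^(?P<type>\w+)\s+(?P<self>\*?)(?P<id>[\d.]+)\s+(?P<adv>[\d.]+)\s+"
                 r"(?P<seq>0x[0-9a-f]+)\s+(?P<age>\d+)\s+(?P<opt>0x[0-9a-f]+)\s+"
                 r"(?P<cksum>0x[0-9a-f]+)\s+(?P<len>\d+)$")
E_BIT = 0x02  # Options E-bit: set when the area may carry AS-external LSAs


def parse_ospf_database(text):
    """{area id or 'AS': [lsa, ...]}.  Each lsa holds the row's columns; 'self'
    is True for rows Junos marks '*' (originated by this router) and 'opt' is
    an int so option bits can be tested."""
    db, scope = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"OSPF database, Area (\S+)", s)
        if m:
            scope = m.group(1)
        elif s.startswith("OSPF AS SCOPE"):
            scope = "AS"
        elif scope is not None and (m := ROW.match(s)):
            lsa = m.groupdict()
            lsa["self"], lsa["opt"] = lsa["self"] == "*", int(lsa["opt"], 16)
            db.setdefault(scope, []).append(lsa)
    return db


def classify_area(lsas):
    """Router LSAs in a normal area carry the E-bit (Opt 0x22 on the page);
    stub and NSSA routers clear it (0x20).  With the E-bit clear, NSSA (Type 7)
    rows mean the area is an NSSA, and Summary rows other than the 0.0.0.0
    default mean the ABR still injects inter-area routes, i.e. not 'totally'."""
    routers = [l for l in lsas if l["type"] == "Router"]
    if not routers:
        return "unknown"
    if all(l["opt"] & E_BIT for l in routers):
        return "normal"
    nssa = any(l["type"] == "NSSA" for l in lsas)
    summaries = any(l["type"] == "Summary" and l["id"] != "0.0.0.0" for l in lsas)
    if nssa:
        return "NSSA" if summaries else "totally NSSA"
    return "stub" if summaries else "totally stubby"


def lsa_counts(db):
    """{scope: Counter(type -> rows)}: a compact way to watch the database shrink."""
    return {scope: Counter(l["type"] for l in lsas) for scope, lsas in db.items()}


if __name__ == "__main__":
    for name, text in [("area 27 normal", AREA_27_NORMAL),
                       ("area 27 totally stubby", AREA_27_TOTALLY_STUBBY),
                       ("area 56 totally NSSA", AREA_56_TOTALLY_NSSA)]:
        db = parse_ospf_database(text)
        area = next(k for k in db if k != "AS")
        print(f"{name}: {classify_area(db[area])}, {dict(lsa_counts(db)[area])}")
```

Feeding the stub database from earlier in this post (three Summary rows plus the 0.0.0.0 default, all at Opt 0x20) to classify_area yields "stub", and the area 56 database before no-summaries yields "NSSA", so the same function covers all five states the two posts walk through.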

root@7> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=21.304 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=11.713 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=10.351 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=10.280 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=12.657 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.280/13.261/21.304/4.118 ms

Saturday, February 7, 2015

Juniper Lab Environment - Part III - OSPF Virtual Link

This post is a continuation of my last post, which consisted of a BGP and OSPF configuration that connected my home network to my lab. The third part in this series of blog posts will cover a topology that consists of six vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this post is to add on to the existing OSPF network and focus specifically on the virtual link configuration, and then verify that we can ping out to the internet from SRX7.

SRX3 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.23.3/24
set protocols ospf area 0.0.0.23 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 virtual-link neighbor-id 2.2.2.2 transit-area 0.0.0.23

SRX2 Configuration:

set interfaces ge-0/0/1 unit 0 family inet address 10.10.23.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.10.27.2/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set routing-options router-id 2.2.2.2
set protocols ospf area 0.0.0.23 interface ge-0/0/1.0
set protocols ospf area 0.0.0.27 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 virtual-link neighbor-id 3.3.3.3 transit-area 0.0.0.23

SRX7 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.27.7/24
set interfaces ge-0/0/1 unit 0 family inet address 10.7.0.7/24
set interfaces ge-0/0/1 unit 0 family inet address 10.7.1.7/24
set interfaces ge-0/0/1 unit 0 family inet address 10.7.2.7/24
set interfaces ge-0/0/1 unit 0 family inet address 10.7.3.7/24
set interfaces lo0 unit 0 family inet address 7.7.7.7/32
set routing-options router-id 7.7.7.7
set protocols ospf area 0.0.0.27 interface ge-0/0/0.0
set protocols ospf area 0.0.0.27 interface ge-0/0/1.0

OSPF requires all areas to be directly connected to area 0. In certain cases it may be necessary to add an OSPF area that sits on the far side of a non-backbone area. As shown above, Junos requires that the virtual link configuration reside on the ABRs at both ends of the transit area, i.e. the routers that connect areas 27<->23 and 23<->0.

Verification:

root@1> show route receive-protocol bgp 10.10.13.3

inet.0: 15 destinations, 16 routes (15 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 3.3.3.3/32              10.10.13.3                              65003 I
* 10.7.0.0/24             10.10.13.3           3                  65003 I
* 10.7.1.0/24             10.10.13.3           3                  65003 I
* 10.7.2.0/24             10.10.13.3           3                  65003 I
* 10.7.3.0/24             10.10.13.3           3                  65003 I
  10.10.13.0/24           10.10.13.3                              65003 I
* 10.10.23.0/24           10.10.13.3                              65003 I
* 10.10.27.0/24           10.10.13.3           2                  65003 I
* 10.10.34.0/24           10.10.13.3                              65003 I
* 10.10.45.0/24           10.10.13.3           2                  65003 I

root@3> show ospf database

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000002   675  0x22 0x8dd   36
Router  *3.3.3.3          3.3.3.3          0x8000017d  1691  0x22 0x8757  48
Router   4.4.4.4          4.4.4.4          0x8000016b  1924  0x22 0x7621  48
Router   5.5.5.5          5.5.5.5          0x8000015a    81  0x22 0x9093  36
Network  10.10.34.4       4.4.4.4          0x80000158  1924  0x22 0xf981  32
Network  10.10.45.5       5.5.5.5          0x80000152    81  0x22 0xb8b0  32
Summary  10.7.0.0         2.2.2.2          0x80000001   877  0x22 0x8a97  28
Summary  10.7.1.0         2.2.2.2          0x80000001   877  0x22 0x7fa1  28
Summary  10.7.2.0         2.2.2.2          0x80000001   877  0x22 0x74ab  28
Summary  10.7.3.0         2.2.2.2          0x80000001   877  0x22 0x69b5  28
Summary  10.10.23.0       2.2.2.2          0x80000005   378  0x22 0x56ae  28
Summary *10.10.23.0       3.3.3.3          0x80000004  1699  0x22 0x3ac7  28
Summary  10.10.27.0       2.2.2.2          0x80000005   877  0x22 0x2ad6  28
ASBRSum  3.3.3.3          2.2.2.2          0x80000003   853  0x22 0xba6a  28

    OSPF database, Area 0.0.0.23
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000004   527  0x22 0x10af  36
Router  *3.3.3.3          3.3.3.3          0x80000006  1691  0x22 0xd3de  36
Network *10.10.23.3       3.3.3.3          0x80000001  1699  0x22 0xf8f2  32
Summary  10.7.0.0         2.2.2.2          0x80000001   877  0x22 0x8a97  28
Summary  10.7.1.0         2.2.2.2          0x80000001   877  0x22 0x7fa1  28
Summary  10.7.2.0         2.2.2.2          0x80000001   877  0x22 0x74ab  28
Summary  10.7.3.0         2.2.2.2          0x80000001   877  0x22 0x69b5  28
Summary  10.10.27.0       2.2.2.2          0x80000005   877  0x22 0x2ad6  28
Summary *10.10.34.0       3.3.3.3          0x80000003  1162  0x22 0xc235  28
Summary *10.10.45.0       3.3.3.3          0x80000003   751  0x22 0x5398  28
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern  *0.0.0.0          3.3.3.3          0x8000004b   339  0x22 0x124a  36

root@3> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.10.34.4       ge-0/0/1.0             Full      4.4.4.4          128    36
10.10.23.2       vl-2.2.2.2             Full      2.2.2.2            0    30
10.10.23.2       ge-0/0/0.0             Full      2.2.2.2          128    35

root@2> show ospf database

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router  *2.2.2.2          2.2.2.2          0x80000002   595  0x22 0x8dd   36
Router   3.3.3.3          3.3.3.3          0x8000017d  1614  0x22 0x8757  48
Router   4.4.4.4          4.4.4.4          0x8000016b  1847  0x22 0x7621  48
Router   5.5.5.5          5.5.5.5          0x80000159  3004  0x22 0x9292  36
Network  10.10.34.4       4.4.4.4          0x80000158  1847  0x22 0xf981  32
Network  10.10.45.5       5.5.5.5          0x80000151  3004  0x22 0xbaaf  32
Summary *10.7.0.0         2.2.2.2          0x80000001   797  0x22 0x8a97  28
Summary *10.7.1.0         2.2.2.2          0x80000001   797  0x22 0x7fa1  28
Summary *10.7.2.0         2.2.2.2          0x80000001   797  0x22 0x74ab  28
Summary *10.7.3.0         2.2.2.2          0x80000001   797  0x22 0x69b5  28
Summary *10.10.23.0       2.2.2.2          0x80000005   298  0x22 0x56ae  28
Summary  10.10.23.0       3.3.3.3          0x80000004  1622  0x22 0x3ac7  28
Summary *10.10.27.0       2.2.2.2          0x80000005   797  0x22 0x2ad6  28
ASBRSum *3.3.3.3          2.2.2.2          0x80000003   773  0x22 0xba6a  28

    OSPF database, Area 0.0.0.23
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router  *2.2.2.2          2.2.2.2          0x80000004   447  0x22 0x10af  36
Router   3.3.3.3          3.3.3.3          0x80000006  1614  0x22 0xd3de  36
Network  10.10.23.3       3.3.3.3          0x80000001  1621  0x22 0xf8f2  32
Summary *10.7.0.0         2.2.2.2          0x80000001   797  0x22 0x8a97  28
Summary *10.7.1.0         2.2.2.2          0x80000001   797  0x22 0x7fa1  28
Summary *10.7.2.0         2.2.2.2          0x80000001   797  0x22 0x74ab  28
Summary *10.7.3.0         2.2.2.2          0x80000001   797  0x22 0x69b5  28
Summary *10.10.27.0       2.2.2.2          0x80000005   797  0x22 0x2ad6  28
Summary  10.10.34.0       3.3.3.3          0x80000003  1084  0x22 0xc235  28
Summary  10.10.45.0       3.3.3.3          0x80000003   673  0x22 0x5398  28

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router  *2.2.2.2          2.2.2.2          0x80000004   797  0x22 0x526a  36
Router   7.7.7.7          7.7.7.7          0x80000003   758  0x22 0x1ae8  84
Network *10.10.27.2       2.2.2.2          0x80000001   797  0x22 0xcd0f  32
Summary *10.10.23.0       2.2.2.2          0x80000001  1061  0x22 0x5eaa  28
Summary *10.10.34.0       2.2.2.2          0x80000002   150  0x22 0xec0f  28
Summary *10.10.45.0       2.2.2.2          0x80000002     1  0x22 0x7d72  28
ASBRSum *3.3.3.3          2.2.2.2          0x80000001  1061  0x22 0xbe68  28
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          3.3.3.3          0x8000004b   261  0x22 0x124a  36

root@2> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.10.23.3       vl-3.3.3.3             Full      3.3.3.3            0    35
10.10.23.3       ge-0/0/1.0             Full      3.3.3.3          128    33
10.10.27.7       ge-0/0/2.0             Full      7.7.7.7          128    38

root@7> show ospf database

    OSPF database, Area 0.0.0.27
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   2.2.2.2          2.2.2.2          0x80000004   692  0x22 0x526a  36
Router  *7.7.7.7          7.7.7.7          0x80000003   651  0x22 0x1ae8  84
Network  10.10.27.2       2.2.2.2          0x80000001   692  0x22 0xcd0f  32
Summary  10.10.23.0       2.2.2.2          0x80000001   956  0x22 0x5eaa  28
Summary  10.10.34.0       2.2.2.2          0x80000002    45  0x22 0xec0f  28
Summary  10.10.45.0       2.2.2.2          0x80000001   956  0x22 0x7f71  28
ASBRSum  3.3.3.3          2.2.2.2          0x80000001   956  0x22 0xbe68  28
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          3.3.3.3          0x8000004b   156  0x22 0x124a  36

root@7> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.10.27.2       ge-0/0/0.0             Full      2.2.2.2          128    36

root@7> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=14.689 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=10.233 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=14.090 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=15.701 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.233/13.678/15.701/2.071 ms

Juniper Lab Environment - Part II - Basic OSPF, & Routing Policy

This post is a continuation of my last post, which consisted of a simple BGP configuration that connected my home network to my lab. The second part in this series of blog posts will cover a topology that consists of four vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this post is to build an OSPF network and then inject routes between protocols so that we can ping out to the internet from SRX5.

SRX5 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.45.5/24
set interfaces lo0 unit 0 family inet address 5.5.5.5/32
set routing-options router-id 5.5.5.5
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0

SRX4 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.10.34.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.45.4/24
set interfaces lo0 unit 0 family inet address 4.4.4.4/32
set routing-options router-id 4.4.4.4
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0

SRX3 Configuration:

set interfaces ge-0/0/1 unit 0 family inet address 10.10.34.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set routing-options router-id 3.3.3.3
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0

OSPF Verification:

root@3> show ospf database

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router  *3.3.3.3          3.3.3.3          0x80000109   227  0x22 0x70e2  48
Router   4.4.4.4          4.4.4.4          0x80000102  2131  0x22 0x49b7  48
Router   5.5.5.5          5.5.5.5          0x800000f8     9  0x22 0x5f24  36
Network  10.10.34.4       4.4.4.4          0x800000f2  2124  0x22 0xc71a  32
Network  10.10.45.5       5.5.5.5          0x800000f1   470  0x22 0x7c4e  32

root@3> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.10.34.4       ge-0/0/1.0             Full      4.4.4.4          128    32

root@5> show ospf database

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router   3.3.3.3          3.3.3.3          0x80000109   422  0x22 0x70e2  48
Router   4.4.4.4          4.4.4.4          0x80000102  2324  0x22 0x49b7  48
Router  *5.5.5.5          5.5.5.5          0x800000f8   200  0x22 0x5f24  36
Network  10.10.34.4       4.4.4.4          0x800000f2  2317  0x22 0xc71a  32
Network *10.10.45.5       5.5.5.5          0x800000f1   661  0x22 0x7c4e  32

root@5> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.10.45.4       ge-0/0/0.0             Full      4.4.4.4          128    35

root@5> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.5.5.5/32         *[Direct/0] 1w1d 21:11:21
                    > via lo0.0
10.10.34.0/24      *[OSPF/10] 3d 14:41:29, metric 2
                    > to 10.10.45.4 via ge-0/0/0.0
10.10.45.0/24      *[Direct/0] 1w1d 21:11:10
                    > via ge-0/0/0.0
10.10.45.5/32      *[Local/0] 1w1d 21:11:10
                      Local via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 1w1d 21:11:26, metric 1
                      MultiRecv

Route Injection:

In the previous post, we exported a default route to BGP so that we could ping the internet from SRX3. We now need to export the same default route into OSPF so that we can also ping the internet from any router in area 0 of our OSPF network. As you can see above, SRX5 does not yet have a default route.

SRX3 Configuration:

set policy-options policy-statement bgp term 1 from protocol bgp
set policy-options policy-statement bgp term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement bgp term 1 then accept
set protocols ospf export bgp

Default Route Verification:

root@5> show route

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[OSPF/150] 00:01:24, metric 0, tag 0
                    > to 10.10.45.4 via ge-0/0/0.0
5.5.5.5/32         *[Direct/0] 1w1d 21:11:21
                    > via lo0.0
10.10.34.0/24      *[OSPF/10] 3d 14:41:29, metric 2
                    > to 10.10.45.4 via ge-0/0/0.0
10.10.45.0/24      *[Direct/0] 1w1d 21:11:10
                    > via ge-0/0/0.0
10.10.45.5/32      *[Local/0] 1w1d 21:11:10
                      Local via ge-0/0/0.0
10.10.56.0/24      *[Direct/0] 10:06:18
                    > via ge-0/0/1.0
10.10.56.5/32      *[Local/0] 10:06:18
                      Local via ge-0/0/1.0
224.0.0.5/32       *[OSPF/10] 1w1d 21:11:26, metric 1
                      MultiRecv

root@5> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
0 packets transmitted, 0 packets received, 100% packet loss

Even though the default route is there now, we have to remember that SRX1 does not know about the OSPF network that we just created.

root@1> show route

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:04:13
                    > to 10.234.234.1 via ge-0/0/0.0
1.1.1.1/32         *[Direct/0] 00:04:25
                    > via lo0.0
10.10.13.0/24      *[Direct/0] 00:04:13
                    > via ge-0/0/1.0
10.10.13.1/32      *[Local/0] 00:04:14
                      Local via ge-0/0/1.0
10.234.234.0/24    *[Direct/0] 00:04:13
                    > via ge-0/0/0.0
10.234.234.20/32   *[Local/0] 00:04:14
                      Local via ge-0/0/0.0

Another policy that exports our OSPF networks to BGP should do it.

SRX3 Configuration:

set policy-options policy-statement ospf term 1 from protocol ospf
set policy-options policy-statement ospf term 1 from protocol direct
set policy-options policy-statement ospf term 1 then accept
set protocols bgp export ospf

OSPF Networks Verification:

root@1> show route

inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:31:35
                    > to 10.234.234.1 via ge-0/0/0.0
1.1.1.1/32         *[Direct/0] 04:31:47
                    > via lo0.0
3.3.3.3/32         *[BGP/170] 04:22:18, localpref 100
                      AS path: 65003 I
                    > to 10.10.13.3 via ge-0/0/1.0
10.10.13.0/24      *[Direct/0] 04:31:35
                    > via ge-0/0/1.0
                    [BGP/170] 04:22:18, localpref 100
                      AS path: 65003 I
                    > to 10.10.13.3 via ge-0/0/1.0
10.10.13.1/32      *[Local/0] 04:31:36
                      Local via ge-0/0/1.0
10.10.34.0/24      *[BGP/170] 04:22:18, localpref 100
                      AS path: 65003 I
                    > to 10.10.13.3 via ge-0/0/1.0
10.10.45.0/24      *[BGP/170] 04:22:18, MED 2, localpref 100
                      AS path: 65003 I
                    > to 10.10.13.3 via ge-0/0/1.0
10.234.234.0/24    *[Direct/0] 04:31:35
                    > via ge-0/0/0.0
10.234.234.20/32   *[Local/0] 04:31:36
                      Local via ge-0/0/0.0

Now let's try to ping the internet from SRX5.

root@5> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=12.184 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=8.414 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=12.200 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=10.210 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.414/10.752/12.200/1.574 ms

Juniper Lab Environment - Part I - Basic eBGP, and Routing Policy

I have been working in my lab for quite some time to test out different scenarios. I thought it would be useful to share a step-by-step design, and some of the different exercises I have gone through. The first part in this series of blog posts will cover a basic topology that consists of two vSRXs in my lab network, and a PA-200 that resides at the perimeter of my home network. The goal of this particular post is to use eBGP to interconnect the two vSRX firewalls (SRX1 and SRX3) and then inject a default route that will allow us to ping out to the internet from SRX3.

The following should be noted prior to moving forward:
  • The vSRX is a firewall. As such, it is required to configure security zones and policies. This and subsequent posts assume that the basic security features (zones/policies) have already been configured. I will show that portion of the configuration in this post only.
  • The PA-200 that resides on the perimeter of my home network required a route that points back to my lab network. This will not be covered.
  • Some of the configuration items in these posts are for lab purposes only and may or may not be applicable/best practice in a production environment. Always consult a professional prior to making changes in a production environment!
SRX1 Configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.234.234.20/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.13.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 65001
set routing-options static route 0.0.0.0/0 next-hop 10.234.234.1
set protocols bgp group 1 type external
set protocols bgp group 1 peer-as 65003
set protocols bgp group 1 neighbor 10.10.13.3
set policy-options policy-statement static term 1 from protocol static
set policy-options policy-statement static term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement static term 1 then accept
set protocols bgp group 1 export static

The important thing to remember about routing policy is that all actions are performed from the perspective of the routing table: an import policy controls what enters the routing table, and an export policy controls what leaves it for a protocol. In this case, there is a default route in the routing table that has the trust interface of the PA-200 as the next hop. The policy-statement named static is applied as a BGP export policy because we are exporting the static route we created from the routing table into BGP. This will allow us to see the default route on SRX3.
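To make the "perspective of the routing table" point concrete, here is an added example (my own code, not part of the original post or of Junos) that walks a policy-statement term by term against a constructed copy of SRX1's routing table and reports what BGP would advertise. It goes a little beyond the post's single term: it emulates the three route-filter match types (exact, orlonger, longer) and BGP's default export behaviour, so you can see why the exact match on 0.0.0.0/0 matters. The routing table entries and the LEAKY_POLICY variant are constructed for the example.

```python
import ipaddress

# Constructed routing table for SRX1 (mirrors the prefixes in the SRX1
# configuration above; the table itself is made up for this example).
SRX1_ROUTES = [
    {"prefix": "0.0.0.0/0", "protocol": "static", "next_hop": "10.234.234.1"},
    {"prefix": "10.234.234.0/24", "protocol": "direct", "next_hop": "ge-0/0/0.0"},
    {"prefix": "10.10.13.0/24", "protocol": "direct", "next_hop": "ge-0/0/1.0"},
    {"prefix": "1.1.1.1/32", "protocol": "direct", "next_hop": "lo0.0"},
]

# policy-statement static, term 1: from protocol static and
# route-filter 0.0.0.0/0 exact, then accept.
STATIC_POLICY = [
    {"name": "1",
     "from": {"protocol": "static", "route_filter": ("0.0.0.0/0", "exact")},
     "then": "accept"},
]

# A deliberately over-broad variant (constructed): no protocol condition and
# 'orlonger', which would leak every prefix in the table into BGP.
LEAKY_POLICY = [
    {"name": "1",
     "from": {"route_filter": ("0.0.0.0/0", "orlonger")},
     "then": "accept"},
]


def route_filter_matches(prefix, filter_prefix, match_type):
    """Emulate the Junos route-filter match types: exact, orlonger, longer."""
    route = ipaddress.ip_network(prefix)
    flt = ipaddress.ip_network(filter_prefix)
    if match_type == "exact":
        return route == flt
    if match_type == "orlonger":
        return route.subnet_of(flt)
    if match_type == "longer":
        return route.subnet_of(flt) and route.prefixlen > flt.prefixlen
    raise ValueError(f"unknown match type {match_type}")


def evaluate_terms(policy, route):
    """Walk the terms in order; the first term whose 'from' conditions all
    hold decides. Returns None when no term matches (fall through to the
    protocol's default policy)."""
    for term in policy:
        cond = term["from"]
        if "protocol" in cond and route["protocol"] != cond["protocol"]:
            continue
        if "route_filter" in cond:
            flt, match_type = cond["route_filter"]
            if not route_filter_matches(route["prefix"], flt, match_type):
                continue
        return term["then"]
    return None


def bgp_export(policy, routes):
    """Prefixes BGP would advertise from this routing table under the export policy."""
    advertised = []
    for route in routes:
        action = evaluate_terms(policy, route)
        if action is None:
            # BGP's default export policy readvertises only BGP-learned routes,
            # so static and direct routes are rejected unless a term accepts them.
            action = "accept" if route["protocol"] == "bgp" else "reject"
        if action == "accept":
            advertised.append(route["prefix"])
    return advertised


if __name__ == "__main__":
    print("export static ->", bgp_export(STATIC_POLICY, SRX1_ROUTES))
    print("export leaky  ->", bgp_export(LEAKY_POLICY, SRX1_ROUTES))
```

Running it shows the post's policy advertising only 0.0.0.0/0, while the orlonger variant without a protocol condition would also push the lab transit network and the loopback to the peer.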

set security zones security-zone home host-inbound-traffic system-services all
set security zones security-zone home host-inbound-traffic protocols all
set security zones security-zone home interfaces ge-0/0/0.0
set security zones security-zone home interfaces lo0.0
set security zones security-zone lab host-inbound-traffic system-services all
set security zones security-zone lab host-inbound-traffic protocols all
set security zones security-zone lab interfaces ge-0/0/1.0
set security policies from-zone lab to-zone lab policy default-permit match source-address any
set security policies from-zone lab to-zone lab policy default-permit match destination-address any
set security policies from-zone lab to-zone lab policy default-permit match application any
set security policies from-zone lab to-zone lab policy default-permit then permit
set security policies from-zone home to-zone home policy default-permit match source-address any
set security policies from-zone home to-zone home policy default-permit match destination-address any
set security policies from-zone home to-zone home policy default-permit match application any
set security policies from-zone home to-zone home policy default-permit then permit
set security policies from-zone lab to-zone home policy default-permit match source-address any
set security policies from-zone lab to-zone home policy default-permit match destination-address any
set security policies from-zone lab to-zone home policy default-permit match application any
set security policies from-zone lab to-zone home policy default-permit then permit
set security policies from-zone home to-zone lab policy default-permit match source-address any
set security policies from-zone home to-zone lab policy default-permit match destination-address any
set security policies from-zone home to-zone lab policy default-permit match application any
set security policies from-zone home to-zone lab policy default-permit then permit
set security nat source rule-set 1 from zone lab
set security nat source rule-set 1 to zone home
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat interface

SRX3 Configuration:

set interfaces ge-0/0/2 unit 0 family inet address 10.10.13.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set routing-options router-id 3.3.3.3
set routing-options autonomous-system 65003
set protocols bgp group 1 type external
set protocols bgp group 1 peer-as 65001
set protocols bgp group 1 neighbor 10.10.13.1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces lo0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

Verification from SRX3:

root@3> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted
10.10.13.1            65001       5619       5628       0       6 1d 17:22:45 1/1/1/0              0/0/0/0

root@3> show route receive-protocol bgp 10.10.13.1

inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               10.10.13.1                              65001 I

root@3> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 00:14:10, localpref 100
                      AS path: 65001 I
                    > to 10.10.13.1 via ge-0/0/2.0
3.3.3.3/32         *[Direct/0] 05:52:13
                    > via lo0.0
10.10.13.0/24      *[Direct/0] 05:51:57
                    > via ge-0/0/2.0
10.10.13.3/32      *[Local/0] 05:51:58
                      Local via ge-0/0/2.0

root@3> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=10.330 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=6.143 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=10.245 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.414/10.752/12.200/1.574 ms

Saturday, April 27, 2013

VPN Between a SonicWALL TZ210 and a Juniper SRX100

I have seen multiple people in forums asking how to set up a site-to-site VPN between a Juniper SRX firewall and a SonicWALL firewall. Below are the steps that I took to get it working; they are based on the following topology:

First we will configure the SRX:

Configure Interfaces:

set interfaces fe-0/0/0 unit 0 family inet address 10.10.10.2/30
set interfaces fe-0/0/1 unit 0 family inet address 192.168.1.1/24

Configure Routing:

set routing-options static route 0.0.0.0/0 next-hop 10.10.10.1

Configure VPN Parameters:

NOTE: For this specific instance, one of the firewalls is using a dynamic public IP address for its WAN interface, thus the aggressive mode.

set security ike proposal SRX-TO-SW authentication-method pre-shared-keys
set security ike proposal SRX-TO-SW dh-group group2
set security ike proposal SRX-TO-SW authentication-algorithm sha1
set security ike proposal SRX-TO-SW encryption-algorithm aes-256-cbc
set security ike proposal SRX-TO-SW lifetime-seconds 28800

set security ike policy SRX-TO-SW mode aggressive
set security ike policy SRX-TO-SW proposals SRX-TO-SW
set security ike policy SRX-TO-SW pre-shared-key ascii-text thisismypsk

set security ike gateway SRX-TO-SW ike-policy SRX-TO-SW
set security ike gateway SRX-TO-SW address 11.11.11.2
set security ike gateway SRX-TO-SW external-interface fe-0/0/0.0

set security ipsec proposal SRX-TO-SW protocol esp
set security ipsec proposal SRX-TO-SW authentication-algorithm hmac-sha1-96
set security ipsec proposal SRX-TO-SW encryption-algorithm aes-256-cbc
set security ipsec proposal SRX-TO-SW lifetime-seconds 28800

set security ipsec policy SRX-TO-SW proposals SRX-TO-SW

set security ipsec vpn SRX-TO-SW ike gateway SRX-TO-SW
set security ipsec vpn SRX-TO-SW ike ipsec-policy SRX-TO-SW

set security flow tcp-mss ipsec-vpn mss 1350

Configure Security Zones:

set security zones security-zone UNTRUST interfaces fe-0/0/0.0
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security zones security-zone UNTRUST address-book address SW-NET 172.16.1.0/24
set security zones security-zone TRUST interfaces fe-0/0/1.0
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST address-book address SRX-NET 192.168.1.0/24

Configure Security Policies:

set security policies from-zone TRUST to-zone UNTRUST policy SRX-TO-SW match source-address SRX-NET
set security policies from-zone TRUST to-zone UNTRUST policy SRX-TO-SW match destination-address SW-NET
set security policies from-zone TRUST to-zone UNTRUST policy SRX-TO-SW match application any
set security policies from-zone TRUST to-zone UNTRUST policy SRX-TO-SW then permit tunnel ipsec-vpn SRX-TO-SW
set security policies from-zone TRUST to-zone UNTRUST policy SRX-TO-SW then permit tunnel pair-policy SW-TO-SRX

set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST match application any
set security policies from-zone TRUST to-zone UNTRUST policy TRUST-TO-UNTRUST then permit

set security policies from-zone UNTRUST to-zone TRUST policy SW-TO-SRX match source-address SW-NET
set security policies from-zone UNTRUST to-zone TRUST policy SW-TO-SRX match destination-address SRX-NET
set security policies from-zone UNTRUST to-zone TRUST policy SW-TO-SRX match application any
set security policies from-zone UNTRUST to-zone TRUST policy SW-TO-SRX then permit tunnel ipsec-vpn SRX-TO-SW
set security policies from-zone UNTRUST to-zone TRUST policy SW-TO-SRX then permit tunnel pair-policy SRX-TO-SW

Configure NAT:

set security nat source rule-set TRUST-TO-UNTRUST from zone TRUST
set security nat source rule-set TRUST-TO-UNTRUST to zone UNTRUST
set security nat source rule-set TRUST-TO-UNTRUST rule SRC-NAT match source-address 192.168.1.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule SRC-NAT then source-nat interface

Next we will configure the TZ:

Enable and add a VPN:

Navigate to VPN->Settings, and then check the box to enable VPN and then click Accept.

Add a new VPN by selecting Add... under VPN Policies on the same page. Enter parameters as shown in the subsequent screenshots for each tab, and then click OK.

That's really it. You can then enable or disable the VPN on the SonicWALL at any time via a checkbox next to the newly created VPN on the VPN->Settings page. 

Monitoring the Tunnel:

On the TZ:

You can verify tunnel status by going to VPN->Settings, and looking under Currently Active VPN Tunnels.

On the SRX:

To verify Phase1 is complete, from operational mode issue the following command:

show security ike security-associations

To verify Phase 2 is complete, from operational mode issue the following command:

show security ipsec security-associations
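If you collect those two commands regularly (for example from a monitoring job over SSH), it helps to reduce their output to a single up / phase1-only / down status per peer. The script below is an added example of mine, not code from the post or from Juniper. The two sample outputs are constructed: they follow the general column layout of the Junos commands, but every index, cookie, SPI and lifetime value is made up, and the parsing is positional, so check it against real output from your own Junos release before relying on it.

```python
# Constructed samples of the output of the two commands above. They follow the
# general column layout of Junos output but every value is made up for this example.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4271931 UP     1a2b3c4d5e6f7081  8f7e6d5c4b3a2910  Aggressive     11.11.11.2
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <2    ESP:aes-cbc-256/sha1 4b9c1e20 27843/ unlim - root 500 11.11.11.2
  >2    ESP:aes-cbc-256/sha1 9d0ff4a3 27843/ unlim - root 500 11.11.11.2
"""

# What the second command shows when Phase 2 never completed (constructed).
NO_IPSEC_SA_OUTPUT = "  Total active tunnels: 0\n"


def parse_ike_sas(text):
    """One dict per Phase 1 SA: index, state, mode and the remote gateway address."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Index":
            continue  # blank line or column header
        sas.append({"index": parts[0], "state": parts[1],
                    "mode": parts[4], "remote": parts[5]})
    return sas


def parse_ipsec_sas(text):
    """One dict per Phase 2 SA. Inbound SAs are prefixed '<', outbound '>'."""
    sas = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] not in "<>":
            continue  # 'Total active tunnels' line or column header
        parts = stripped.split()
        sas.append({"direction": "in" if stripped[0] == "<" else "out",
                    "id": parts[0][1:], "algorithm": parts[1],
                    "spi": parts[2], "gateway": parts[-1]})
    return sas


def tunnel_status(peer, ike_text, ipsec_text):
    """Classify the tunnel to `peer` as up, phase1-only or down."""
    phase1 = any(sa["state"] == "UP" and sa["remote"] == peer
                 for sa in parse_ike_sas(ike_text))
    directions = {sa["direction"] for sa in parse_ipsec_sas(ipsec_text)
                  if sa["gateway"] == peer}
    phase2 = directions == {"in", "out"}  # a working tunnel has an SA in each direction
    if phase1 and phase2:
        status = "up"
    elif phase1:
        # IKE negotiated but no IPsec SA: the usual Phase 2 suspects are a
        # proposal mismatch or mismatched local/remote networks (proxy IDs).
        status = "phase1-only"
    else:
        status = "down"
    return {"peer": peer, "phase1": phase1, "phase2": phase2, "status": status}


if __name__ == "__main__":
    print(tunnel_status("11.11.11.2", IKE_SA_OUTPUT, IPSEC_SA_OUTPUT))
    print(tunnel_status("11.11.11.2", IKE_SA_OUTPUT, NO_IPSEC_SA_OUTPUT))
```

The phase1-only state is the one worth alerting on separately: it tells you the pre-shared key and Phase 1 proposal are fine and that the problem is on the Phase 2 side, which narrows the comparison against the SonicWALL's settings considerably.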

Thursday, February 14, 2013

Juniper SRX VPN Monitor and Route Failover

Recently I ran into a scenario where I was presented with the following network topology:

As you can see (from left to right), there is 1 SRX 240 acting as the core firewall, 1 core EX4200 switch, and 2 SRX 240s acting as next hops, both of which terminate VPN connections from another SRX 240 at a remote site. The VPN connections traverse an MPLS backbone that does not consist of Juniper gear and will not be discussed in this post. Our concern is that there are two possible paths (dual VPNs) between the core and the remote SRX.

In this scenario, let's assume we want to use static routing, but also allow for route failover in the event of a VPN outage.

There are multiple options that we can utilize to provide route failover in this type of scenario. Some of these options include:
I went with VPN Monitoring because we are using VPNs. If this scenario didn't include VPNs, I would have gone with BFD or RPM and IP Monitoring. Here is what our configurations will look like:

Core SRX Configuration (10.0.0.1):

Configure the interface that will connect to the core switch:
set interfaces ge-0/0/0 unit 0 description "*** CORE ***"
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24

Configure a route for the remote site:
set routing-options static route 10.0.99.0/24 next-hop 10.0.0.2

Core EX Configuration (10.0.0.5):

Configure the Routed VLAN Interface:
set interfaces vlan unit 0 description "*** CORE ***"
set interfaces vlan unit 0 family inet address 10.0.0.5/24
set vlans CORE vlan-id 3
set vlans CORE l3-interface vlan.0

Configure the interfaces on the switch:
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members CORE
etc...

VPN1 SRX Configuration (10.0.0.2):

Configure the Routed VLAN Interface:
set interfaces vlan unit 0 description "*** CORE ***"
set interfaces vlan unit 0 family inet address 10.0.0.2/24
set vlans CORE vlan-id 3
set vlans CORE l3-interface vlan.0

Configure the interfaces that will connect to the core switch:
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members CORE

Configure the interface that will act as the WAN interface for our MPLS connection:
set interfaces ge-0/0/15 unit 0 description "*** MPLS CONNECTION TO REMOTE SITE ***"
set interfaces ge-0/0/15 unit 0 family inet address 1.1.1.1/30

Configure the interface that will be used for the VPN:
set interfaces st0 unit 1 description "*** CONNECTION TO REMOTE SITE ***"
set interfaces st0 unit 1 family inet address 100.100.100.1/30

Configure a default route:
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1

Configure a preferred route to the remote site through the VPN tunnel (st0.1), and then a backup route via VPN2 SRX (10.0.0.3):
set routing-options static route 10.0.99.0/24 next-hop st0.1
set routing-options static route 10.0.99.0/24 qualified-next-hop 10.0.0.3 preference 6

Configure the route-based VPN:
set security ike policy IKE-POLICY-REMOTE-SITE mode main
set security ike policy IKE-POLICY-REMOTE-SITE proposal-set standard
set security ike policy IKE-POLICY-REMOTE-SITE pre-shared-key ascii-text testing123
set security ike gateway GW-REMOTE-SITE ike-policy IKE-POLICY-REMOTE-SITE
set security ike gateway GW-REMOTE-SITE address 1.1.1.2
set security ike gateway GW-REMOTE-SITE external-interface ge-0/0/15.0
set security ipsec policy IPSEC-POLICY-REMOTE-SITE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY-REMOTE-SITE proposal-set standard
set security ipsec vpn VPN-REMOTE-SITE bind-interface st0.1
set security ipsec vpn VPN-REMOTE-SITE ike gateway GW-REMOTE-SITE
set security ipsec vpn VPN-REMOTE-SITE ike ipsec-policy IPSEC-POLICY-REMOTE-SITE
set security ipsec vpn VPN-REMOTE-SITE establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

Configure VPN monitoring:
set security ipsec vpn-monitor-options interval 2
set security ipsec vpn-monitor-options threshold 10
set security ipsec vpn VPN-REMOTE-SITE vpn-monitor optimized
set security ipsec vpn VPN-REMOTE-SITE vpn-monitor source-interface ge-0/0/15.0
set security ipsec vpn VPN-REMOTE-SITE vpn-monitor destination-ip 1.1.1.2

Create security zones and policies:

NOTE: For testing purposes, I opened up everything to my zones and policies. I always start this way so as to make things easier on myself. It is more effective to get what you want working first and then go back and secure things as needed (granted this is in a lab environment).

set security zones security-zone CORE host-inbound-traffic system-services all
set security zones security-zone CORE host-inbound-traffic protocols all
set security zones security-zone CORE interfaces vlan.0
set security zones security-zone MPLS host-inbound-traffic system-services all
set security zones security-zone MPLS host-inbound-traffic protocols all
set security zones security-zone MPLS interfaces ge-0/0/15.0
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.1

[edit security policies]
set  from-zone CORE to-zone VPN policy CORE-TO-VPN match source-address any
set  from-zone CORE to-zone VPN policy CORE-TO-VPN match destination-address any
set  from-zone CORE to-zone VPN policy CORE-TO-VPN match application any
set  from-zone CORE to-zone VPN policy CORE-TO-VPN then permit
set  from-zone VPN to-zone CORE policy VPN-TO-CORE match source-address any
set  from-zone VPN to-zone CORE policy VPN-TO-CORE match destination-address any
set  from-zone VPN to-zone CORE policy VPN-TO-CORE match application any
set  from-zone VPN to-zone CORE policy VPN-TO-CORE then permit
set  from-zone VPN to-zone VPN policy VPN-TO-VPN match source-address any
set  from-zone VPN to-zone VPN policy VPN-TO-VPN match destination-address any
set  from-zone VPN to-zone VPN policy VPN-TO-VPN match application any
set  from-zone VPN to-zone VPN policy VPN-TO-VPN then permit
set  from-zone CORE to-zone MPLS policy CORE-TO-MPLS match source-address any
set  from-zone CORE to-zone MPLS policy CORE-TO-MPLS match destination-address any
set  from-zone CORE to-zone MPLS policy CORE-TO-MPLS match application any
set  from-zone CORE to-zone MPLS policy CORE-TO-MPLS then permit
set  from-zone MPLS to-zone CORE policy MPLS-TO-CORE match source-address any
set  from-zone MPLS to-zone CORE policy MPLS-TO-CORE match destination-address any
set  from-zone MPLS to-zone CORE policy MPLS-TO-CORE match application any
set  from-zone MPLS to-zone CORE policy MPLS-TO-CORE then permit
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS match source-address any
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS match destination-address any
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS match application any
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS then permit
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN match source-address any
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN match destination-address any
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN match application any
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN then permit
set  from-zone CORE to-zone CORE policy CORE-TO-CORE match source-address any
set  from-zone CORE to-zone CORE policy CORE-TO-CORE match destination-address any
set  from-zone CORE to-zone CORE policy CORE-TO-CORE match application any
set  from-zone CORE to-zone CORE policy CORE-TO-CORE then permit

Configure a firewall filter so that VPN1 SRX only accepts IKE packets from specific devices:

NOTE: This can also be done with policy. When I was testing failover and simulating a down tunnel, I noticed that my VPN connection would attempt to renegotiate over my second VPN at the remote site. I simply set a firewall filter to ensure that this SRX only accepts IKE packets from the MPLS zone IP of the remote site.

set firewall family inet filter REJECT-IKE term T1 from source-address 0.0.0.0/0
set firewall family inet filter REJECT-IKE term T1 from source-address 1.1.1.2/32 except
set firewall family inet filter REJECT-IKE term T1 from protocol udp
set firewall family inet filter REJECT-IKE term T1 from destination-port 500
set firewall family inet filter REJECT-IKE term T1 then reject
set firewall family inet filter REJECT-IKE term T2 then accept
set interfaces lo0 unit 0 family inet filter input REJECT-IKE
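The interesting part of that filter is the address list: 0.0.0.0/0 together with 1.1.1.2/32 marked except. Junos evaluates an address list by longest match, and a longest-match prefix marked except makes the condition fail, so the remote site's IKE falls through to T2 while everyone else's IKE hits the reject. The following is an added example of mine (not code from the post or from Juniper) that models those semantics over a few constructed packets, including one on UDP/4500, which the filter as written does not cover.

```python
import ipaddress

# The REJECT-IKE filter from above expressed as data (constructed for this
# example; the terms mirror the set commands, with 'except' as a flag).
REJECT_IKE = [
    {"name": "T1",
     "from": {"source_address": [("0.0.0.0/0", False), ("1.1.1.2/32", True)],
              "protocol": "udp", "destination_port": 500},
     "then": "reject"},
    {"name": "T2", "from": {}, "then": "accept"},
]


def source_address_matches(src, entries):
    """Junos semantics for an address list with 'except': the longest prefix
    that contains the source decides, and if that prefix is marked except the
    condition does not match."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def term_matches(term, pkt):
    """All 'from' conditions in a term must hold; a term with no 'from' matches everything."""
    cond = term["from"]
    if "source_address" in cond and not source_address_matches(pkt["src"], cond["source_address"]):
        return False
    if "protocol" in cond and pkt["protocol"] != cond["protocol"]:
        return False
    if "destination_port" in cond and pkt.get("dport") != cond["destination_port"]:
        return False
    return True


def apply_filter(terms, pkt):
    """First matching term wins; a packet that matches no term hits the
    implicit discard at the end of every Junos firewall filter."""
    for term in terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    return None, "discard"


# Constructed packets as they would arrive at lo0 (traffic to the SRX itself).
SAMPLE_PACKETS = [
    {"src": "1.1.1.2", "protocol": "udp", "dport": 500},   # IKE from the remote SRX
    {"src": "2.2.2.2", "protocol": "udp", "dport": 500},   # IKE from anywhere else
    {"src": "2.2.2.2", "protocol": "udp", "dport": 4500},  # UDP/4500 is not covered by T1
    {"src": "2.2.2.2", "protocol": "tcp", "dport": 22},    # not IKE at all
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", apply_filter(REJECT_IKE, pkt))
```

On this MPLS design with no NAT between the SRXs, IKE only ever arrives on UDP/500, so the filter does what the note above needs; if a NAT device were ever placed in the path, IKE would move to UDP/4500 and T1 would need a second destination-port entry to keep the same restriction.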

VPN2 SRX Configuration (10.0.0.3):

Configure the Routed VLAN Interface:
set interfaces vlan unit 0 description "*** CORE ***"
set interfaces vlan unit 0 family inet address 10.0.0.3/24
set vlans CORE vlan-id 3
set vlans CORE l3-interface vlan.0

Configure the interfaces that will connect to the core switch:
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members CORE
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members CORE

Configure the interface that will act as the WAN interface for our MPLS connection:
set interfaces ge-0/0/15 unit 0 description "*** MPLS CONNECTION TO REMOTE SRX ***"
set interfaces ge-0/0/15 unit 0 family inet address 2.2.2.1/30

Configure the interface that will be used for the VPN:
set interfaces st0 unit 1 description "*** CONNECTION TO REMOTE SITE ***"
set interfaces st0 unit 1 family inet address 200.200.200.1/30

Configure a default route:
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1

Configure a route to the remote site:
set routing-options static route 10.0.99.0/24 next-hop 200.200.200.2

Configure the route-based VPN:
set security ike policy IKE-POLICY-REMOTE-SITE mode main
set security ike policy IKE-POLICY-REMOTE-SITE proposal-set standard
set security ike policy IKE-POLICY-REMOTE-SITE pre-shared-key ascii-text testing123
set security ike gateway GW-REMOTE-SITE ike-policy IKE-POLICY-REMOTE-SITE
set security ike gateway GW-REMOTE-SITE address 2.2.2.2
set security ike gateway GW-REMOTE-SITE external-interface ge-0/0/15.0
set security ipsec policy IPSEC-POLICY-REMOTE-SITE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY-REMOTE-SITE proposal-set standard
set security ipsec vpn VPN-REMOTE-SITE bind-interface st0.1
set security ipsec vpn VPN-REMOTE-SITE ike gateway GW-REMOTE-SITE
set security ipsec vpn VPN-REMOTE-SITE ike ipsec-policy IPSEC-POLICY-REMOTE-SITE
set security ipsec vpn VPN-REMOTE-SITE establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

NOTE: There is no need to enable VPN monitoring on this device, as we only need to be monitoring our primary path to/from the remote site. Also, I configured the security zones and policies exactly like VPN1 SRX.

Configure a firewall filter so that VPN2 SRX only accepts IKE packets from specific devices:
set firewall family inet filter REJECT-IKE term T1 from source-address 0.0.0.0/0
set firewall family inet filter REJECT-IKE term T1 from source-address 2.2.2.2/32 except
set firewall family inet filter REJECT-IKE term T1 from protocol udp
set firewall family inet filter REJECT-IKE term T1 from destination-port 500
set firewall family inet filter REJECT-IKE term T1 then reject
set firewall family inet filter REJECT-IKE term T2 then accept
set interfaces lo0 unit 0 family inet filter input REJECT-IKE

Remote SRX Configuration (10.0.99.1):

Configure the Routed VLAN Interface:
set interfaces vlan unit 0 description "*** TRUST ***"
set interfaces vlan unit 0 family inet address 10.0.99.1/24
set vlans TRUST vlan-id 3
set vlans TRUST l3-interface vlan.0

Configure the interface that will act as the WAN interface for our MPLS connections:
set interfaces ge-0/0/0 unit 10 description "*** MPLS CONNECTION TO VPN1 SRX ***"
set interfaces ge-0/0/0 unit 10 family inet address 1.1.1.2/30
set interfaces ge-0/0/0 unit 20 description "*** MPLS CONNECTION TO VPN2 SRX ***"
set interfaces ge-0/0/0 unit 20 family inet address 2.2.2.2/30

Configure the interfaces that will be used for the VPN:
set interfaces st0 unit 1 description "*** CONNECTION TO VPN1 SRX ***"
set interfaces st0 unit 1 family inet address 100.100.100.2/30
set interfaces st0 unit 2 description "*** CONNECTION TO VPN2 SRX ***"
set interfaces st0 unit 2 family inet address 200.200.200.2/30

Configure a preferred route to the core via 10.0.0.2, and then a backup route via 10.0.0.3:
set routing-options static route 0.0.0.0/0 next-hop st0.1
set routing-options static route 0.0.0.0/0 qualified-next-hop st0.2 preference 6

Configure the route-based VPNs:
set security ike policy IKE-POLICY-TO-VPN1 mode main
set security ike policy IKE-POLICY-TO-VPN1 proposal-set standard
set security ike policy IKE-POLICY-TO-VPN1 pre-shared-key ascii-text testing123
set security ike policy IKE-POLICY-TO-VPN2 mode main
set security ike policy IKE-POLICY-TO-VPN2 proposal-set standard
set security ike policy IKE-POLICY-TO-VPN2 pre-shared-key ascii-text testing123
set security ike gateway GW-TO-VPN1 ike-policy IKE-POLICY-TO-VPN1
set security ike gateway GW-TO-VPN1 address 1.1.1.1
set security ike gateway GW-TO-VPN1 external-interface ge-0/0/0.10
set security ike gateway GW-TO-VPN2 ike-policy IKE-POLICY-TO-VPN2
set security ike gateway GW-TO-VPN2 address 2.2.2.1
set security ike gateway GW-TO-VPN2 external-interface ge-0/0/0.20
set security ipsec policy IPSEC-POLICY-TO-VPN1 perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY-TO-VPN1 proposal-set standard
set security ipsec policy IPSEC-POLICY-TO-VPN2 perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POLICY-TO-VPN2 proposal-set standard
set security ipsec vpn VPN-TO-VPN1 bind-interface st0.1
set security ipsec vpn VPN-TO-VPN1 ike gateway GW-TO-VPN1
set security ipsec vpn VPN-TO-VPN1 ike ipsec-policy IPSEC-POLICY-TO-VPN1
set security ipsec vpn VPN-TO-VPN1 establish-tunnels immediately
set security ipsec vpn VPN-TO-VPN2 bind-interface st0.2
set security ipsec vpn VPN-TO-VPN2 ike gateway GW-TO-VPN2
set security ipsec vpn VPN-TO-VPN2 ike ipsec-policy IPSEC-POLICY-TO-VPN2
set security ipsec vpn VPN-TO-VPN2 establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350

Configure VPN monitoring for the VPN to VPN1 SRX:
set security ipsec vpn-monitor-options interval 2
set security ipsec vpn-monitor-options threshold 10
set security ipsec vpn VPN-TO-VPN1 vpn-monitor optimized
set security ipsec vpn VPN-TO-VPN1 vpn-monitor source-interface ge-0/0/0.10
set security ipsec vpn VPN-TO-VPN1 vpn-monitor destination-ip 1.1.1.1

Create security zones and policies:
set security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic protocols all
set security zones security-zone TRUST interfaces vlan.0
set security zones security-zone MPLS host-inbound-traffic system-services all
set security zones security-zone MPLS host-inbound-traffic protocols all
set security zones security-zone MPLS interfaces ge-0/0/0.10
set security zones security-zone MPLS interfaces ge-0/0/0.20
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.1
set security zones security-zone VPN interfaces st0.2

[edit security policies]
set  from-zone TRUST to-zone VPN policy TRUST-TO-VPN match source-address any
set  from-zone TRUST to-zone VPN policy TRUST-TO-VPN match destination-address any
set  from-zone TRUST to-zone VPN policy TRUST-TO-VPN match application any
set  from-zone TRUST to-zone VPN policy TRUST-TO-VPN then permit
set  from-zone VPN to-zone TRUST policy VPN-TO-TRUST match source-address any
set  from-zone VPN to-zone TRUST policy VPN-TO-TRUST match destination-address any
set  from-zone VPN to-zone TRUST policy VPN-TO-TRUST match application any
set  from-zone VPN to-zone TRUST policy VPN-TO-TRUST then permit
set  from-zone VPN to-zone VPN policy VPN-TO-VPN match source-address any
set  from-zone VPN to-zone VPN policy VPN-TO-VPN match destination-address any
set  from-zone VPN to-zone VPN policy VPN-TO-VPN match application any
set  from-zone VPN to-zone VPN policy VPN-TO-VPN then permit
set  from-zone TRUST to-zone MPLS policy TRUST-TO-MPLS match source-address any
set  from-zone TRUST to-zone MPLS policy TRUST-TO-MPLS match destination-address any
set  from-zone TRUST to-zone MPLS policy TRUST-TO-MPLS match application any
set  from-zone TRUST to-zone MPLS policy TRUST-TO-MPLS then permit
set  from-zone MPLS to-zone TRUST policy MPLS-TO-TRUST match source-address any
set  from-zone MPLS to-zone TRUST policy MPLS-TO-TRUST match destination-address any
set  from-zone MPLS to-zone TRUST policy MPLS-TO-TRUST match application any
set  from-zone MPLS to-zone TRUST policy MPLS-TO-TRUST then permit
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS match source-address any
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS match destination-address any
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS match application any
set  from-zone VPN to-zone MPLS policy VPN-TO-MPLS then permit
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN match source-address any
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN match destination-address any
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN match application any
set  from-zone MPLS to-zone VPN policy MPLS-TO-VPN then permit
set  from-zone TRUST to-zone TRUST policy TRUST-TO-TRUST match source-address any
set  from-zone TRUST to-zone TRUST policy TRUST-TO-TRUST match destination-address any
set  from-zone TRUST to-zone TRUST policy TRUST-TO-TRUST match application any
set  from-zone TRUST to-zone TRUST policy TRUST-TO-TRUST then permit

Testing and Validation:

We can test and validate our design by issuing the following command at the remote site:
set interfaces ge-0/0/0.10 disable
commit confirmed 5

By issuing commit confirmed 5, we are committing the configuration for 5 minutes only: unless a second commit is issued within that window, Junos automatically rolls the configuration back to how it was before we disabled the interface. Make sure to disable the interface and NOT deactivate it. Deactivating is the equivalent of removing it from the configuration and should not be used to test failover.

Traceroute prior to disabling the interface:
traceroute to 10.0.99.1 (10.0.99.1), 64 hops max, 52 byte packets
 1  10.0.0.1 (10.0.0.1)  4.093 ms  4.044 ms  5.812 ms
 2  10.0.0.2 (10.0.0.2)  4.219 ms  4.543 ms  4.456 ms
 3  10.0.99.1 (10.0.99.1)  7.260 ms  6.652 ms  6.949 ms

Continuous ping during failover:
PING 10.0.99.1 (10.0.99.1): 56 data bytes
64 bytes from 10.0.99.1: icmp_seq=0 ttl=61 time=9.161 ms
64 bytes from 10.0.99.1: icmp_seq=1 ttl=61 time=8.943 ms
64 bytes from 10.0.99.1: icmp_seq=2 ttl=61 time=8.779 ms
64 bytes from 10.0.99.1: icmp_seq=3 ttl=61 time=8.885 ms
64 bytes from 10.0.99.1: icmp_seq=4 ttl=61 time=8.730 ms
64 bytes from 10.0.99.1: icmp_seq=5 ttl=61 time=8.648 ms
64 bytes from 10.0.99.1: icmp_seq=6 ttl=61 time=6.584 ms
64 bytes from 10.0.99.1: icmp_seq=7 ttl=61 time=9.076 ms
64 bytes from 10.0.99.1: icmp_seq=8 ttl=61 time=6.396 ms
64 bytes from 10.0.99.1: icmp_seq=9 ttl=61 time=8.971 ms
64 bytes from 10.0.99.1: icmp_seq=10 ttl=61 time=9.061 ms
64 bytes from 10.0.99.1: icmp_seq=11 ttl=61 time=9.226 ms
64 bytes from 10.0.99.1: icmp_seq=12 ttl=61 time=9.581 ms
64 bytes from 10.0.99.1: icmp_seq=13 ttl=61 time=8.922 ms
64 bytes from 10.0.99.1: icmp_seq=14 ttl=61 time=8.447 ms
Request timeout for icmp_seq 15
Request timeout for icmp_seq 16
Request timeout for icmp_seq 17
Request timeout for icmp_seq 18
Request timeout for icmp_seq 19
Request timeout for icmp_seq 20
Request timeout for icmp_seq 21
Request timeout for icmp_seq 22
Request timeout for icmp_seq 23
Request timeout for icmp_seq 24
Request timeout for icmp_seq 25
Request timeout for icmp_seq 26
Request timeout for icmp_seq 27
Request timeout for icmp_seq 28
Request timeout for icmp_seq 29
Request timeout for icmp_seq 30
Request timeout for icmp_seq 31
Request timeout for icmp_seq 32
Request timeout for icmp_seq 33
Request timeout for icmp_seq 34
Request timeout for icmp_seq 35
Request timeout for icmp_seq 36
64 bytes from 10.0.99.1: icmp_seq=37 ttl=61 time=7.194 ms
64 bytes from 10.0.99.1: icmp_seq=38 ttl=61 time=9.577 ms
64 bytes from 10.0.99.1: icmp_seq=39 ttl=61 time=9.314 ms
64 bytes from 10.0.99.1: icmp_seq=40 ttl=61 time=9.300 ms
64 bytes from 10.0.99.1: icmp_seq=41 ttl=61 time=9.399 ms
64 bytes from 10.0.99.1: icmp_seq=42 ttl=61 time=9.414 ms
64 bytes from 10.0.99.1: icmp_seq=43 ttl=61 time=11.261 ms
64 bytes from 10.0.99.1: icmp_seq=44 ttl=61 time=9.284 ms
64 bytes from 10.0.99.1: icmp_seq=45 ttl=61 time=6.125 ms

Traceroute after failover:
traceroute to 10.0.99.1 (10.0.99.1), 64 hops max, 52 byte packets
 1  10.0.0.1 (10.0.0.1)  4.055 ms  4.495 ms  4.185 ms
 2  10.0.0.2 (10.0.0.2)  4.466 ms  4.745 ms  4.257 ms
 3  10.0.0.3 (10.0.0.3)  4.732 ms  4.510 ms  4.490 ms
 4  10.0.99.1 (10.0.99.1)  13.306 ms  6.384 ms  5.940 ms

As you can see, with failover in effect, the new route traverses our backup route to the remote site. Enjoy!
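The gap in the ping capture is not arbitrary: with interval 2 and threshold 10, the monitor has to miss ten probes two seconds apart before it declares the tunnel down, which is 20 seconds, and the capture above shows 22 timed-out pings (icmp_seq 15 through 36) at one ping per second; the extra couple of seconds are the SA tear-down and the routing table switching to the preference-6 qualified-next-hop. The script below is an added example of mine (not code from the post or from Juniper) that models those two pieces: the detection time from the vpn-monitor settings, and the next-hop selection from the static routes on the remote SRX and on VPN1 SRX as the st0.1 interface goes down and comes back. The CONNECTED table and the route lists are constructed from the addresses in this post.

```python
import ipaddress
import math

# vpn-monitor-options from the configuration above.
VPN_MONITOR = {"interval": 2, "threshold": 10}  # seconds between probes, misses before down

# Directly connected networks used to resolve IP next hops (constructed).
CONNECTED = {"10.0.0.0/24": "vlan.0"}

# Remote SRX: static default via st0.1 (preference 5) with st0.2 as the
# qualified-next-hop at preference 6.
REMOTE_ROUTES = [
    {"prefix": "0.0.0.0/0", "next_hop": "st0.1", "preference": 5},
    {"prefix": "0.0.0.0/0", "next_hop": "st0.2", "preference": 6},
]

# VPN1 SRX: the remote site via its own tunnel, or via VPN2 SRX as backup.
VPN1_ROUTES = [
    {"prefix": "10.0.99.0/24", "next_hop": "st0.1", "preference": 5},
    {"prefix": "10.0.99.0/24", "next_hop": "10.0.0.3", "preference": 6},
]


def detection_time(interval, threshold):
    """Seconds of lost monitor probes before the tunnel is declared down and
    the st0 route is withdrawn: interval * threshold (a model, not a timer dump)."""
    return interval * threshold


def expected_lost_pings(interval, threshold, ping_interval=1.0):
    """Lower bound on pings lost during failover at one ping per ping_interval seconds."""
    return math.ceil(detection_time(interval, threshold) / ping_interval)


def resolving_interface(next_hop):
    """Interface next hops (st0.1) resolve to themselves; IP next hops resolve
    through a directly connected network, or to None if there is none."""
    try:
        ip = ipaddress.ip_address(next_hop)
    except ValueError:
        return next_hop
    for net, ifname in CONNECTED.items():
        if ip in ipaddress.ip_network(net):
            return ifname
    return None


def active_next_hop(routes, prefix, up_interfaces):
    """Pick the usable route with the lowest preference, as the RIB does once a
    down st0 interface takes its route with it."""
    usable = [r for r in routes
              if r["prefix"] == prefix and resolving_interface(r["next_hop"]) in up_interfaces]
    if not usable:
        return None
    return min(usable, key=lambda r: r["preference"])["next_hop"]


def failover_sequence(routes, prefix, tunnel_if, other_up):
    """Next hop before the tunnel drops, while it is down, and after it recovers."""
    before = active_next_hop(routes, prefix, other_up | {tunnel_if})
    during = active_next_hop(routes, prefix, other_up)
    after = active_next_hop(routes, prefix, other_up | {tunnel_if})
    return before, during, after


if __name__ == "__main__":
    print("tunnel declared down after", detection_time(**VPN_MONITOR), "s")
    print("at least", expected_lost_pings(**VPN_MONITOR), "pings lost")
    print("remote SRX default route:",
          failover_sequence(REMOTE_ROUTES, "0.0.0.0/0", "st0.1", {"st0.2"}))
    print("VPN1 SRX route to remote:",
          failover_sequence(VPN1_ROUTES, "10.0.99.0/24", "st0.1", {"vlan.0"}))
```

The same arithmetic is how you size the monitor for a real site: a smaller interval times threshold shortens the outage but makes the tunnel more likely to flap on a lossy MPLS path, and whatever you choose should be compared against the gap in a continuous ping during a test just like the one above.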