Site-to-Site VPN settings between Edge gateway and Juniper SRX

Scheme: How it works.

A detailed description of the tunnel parameters can be found in a separate article.

Data center side settings:

  1. Hover over the Edge Gateway, right-click it and choose Edge Gateway Services.
  2. On the VPN tab, tick Enable VPN (IPsec VPN Service Status for an advanced gateway).
  3. Press Add to add a tunnel (or "+" on the IPsec VPN Sites tab for an advanced gateway).
  4. Enter a name for the tunnel; in Establish VPN to: choose remote network; choose the virtual data center network in Local Networks; specify the internal networks of your remote data center in Peer Networks; put the Edge address in Local ID and the remote router address in Peer ID / Peer IP; choose the Encryption Protocol.

Settings on the Juniper SRX side:

  1. Creating a tunnel interface, security zone, and static route to the VDC network:
    # set interfaces st0 unit 1 description CLOUD
    # set security zones security-zone VPN interfaces st0.1
    # set routing-options static route 192.168.3.0/24 next-hop st0.1
  2. IKE settings phase 1:
    # set security ike proposal PRP-IKE-EDGE authentication-method pre-shared-keys
    # set security ike proposal PRP-IKE-EDGE dh-group group14
    # set security ike proposal PRP-IKE-EDGE authentication-algorithm sha1
    # set security ike proposal PRP-IKE-EDGE encryption-algorithm aes-128-cbc
    # set security ike proposal PRP-IKE-EDGE lifetime-seconds 28800
    # set security ike policy POL-IKE-EDGE mode main
    # set security ike policy POL-IKE-EDGE proposals PRP-IKE-EDGE
    # set security ike policy POL-IKE-EDGE pre-shared-key ascii-text <pre-shared-key>
    # set security ike gateway GWY-EDGE ike-policy POL-IKE-EDGE
    # set security ike gateway GWY-EDGE address 178.170.172.165
    # set security ike gateway GWY-EDGE external-interface ge0/0.1
    # set security ike gateway GWY-EDGE local-address 212.232.58.14
  3. IKE settings phase 2:
    # set security ipsec proposal PRP-IPS-EDGE protocol esp
    # set security ipsec proposal PRP-IPS-EDGE authentication-algorithm hmac-sha1-96
    # set security ipsec proposal PRP-IPS-EDGE encryption-algorithm aes-128-cbc
    # set security ipsec proposal PRP-IPS-EDGE lifetime-seconds 3600
    # set security ipsec policy POL-IPS-EDGE perfect-forward-secrecy keys group14
    # set security ipsec policy POL-IPS-EDGE proposals PRP-IPS-EDGE
    # set security ipsec vpn VPN-EDGE bind-interface st0.1
    # set security ipsec vpn VPN-EDGE ike gateway GWY-EDGE
    # set security ipsec vpn VPN-EDGE ike proxy-identity local 192.168.1.0/24 remote 192.168.3.0/24 service any
    # set security ipsec vpn VPN-EDGE ike ipsec-policy POL-IPS-EDGE
    # set security ipsec vpn VPN-EDGE establish-tunnels immediately
  4. Configuration of the permitting security policies, and applying the changes:
    # set security policies from-zone VPN to-zone LAN policy Allow_ANY match source-address any
    # set security policies from-zone VPN to-zone LAN policy Allow_ANY match destination-address any
    # set security policies from-zone VPN to-zone LAN policy Allow_ANY match application any
    # set security policies from-zone VPN to-zone LAN policy Allow_ANY then permit
    # set security policies from-zone LAN to-zone VPN policy Allow_ANY match source-address any
    # set security policies from-zone LAN to-zone VPN policy Allow_ANY match destination-address any
    # set security policies from-zone LAN to-zone VPN policy Allow_ANY match application any
    # set security policies from-zone LAN to-zone VPN policy Allow_ANY then permit
    # set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match source-address 178.170.172.165/32
    # set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match destination-address any
    # set security policies from-zone WAN to-zone junos-host policy EDGE_IKE match application junos-ike
    # set security policies from-zone WAN to-zone junos-host policy EDGE_IKE then permit 
    # commit
  5. Checking the configured tunnel:
    > show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    2889938 UP     cd87ba170d9fd401  978fbcb18f5feb82  Main           178.170.172.165
    > show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131074 ESP:aes-cbc-128/sha1 b81ee807 258/ unlim - root 500 178.170.172.165
      >131074 ESP:aes-cbc-128/sha1 c0bc14ab 258/ unlim - root 500 178.170.172.165
      <131074 ESP:aes-cbc-128/sha1 5c13c32b 3124/ unlim - root 500 178.170.172.165
      >131074 ESP:aes-cbc-128/sha1 c5d7bd1c 3124/ unlim - root 500 178.170.172.165
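Step 5 shows what a healthy tunnel looks like. The script below is an added example (not part of the article and not a Junos tool): it parses the two command outputs and reports drift from the configured parameters, such as no SA for the peer, an IKE SA that is not UP, an ESP algorithm other than the aes-cbc-128/sha1 from the proposal, a missing inbound or outbound half, or an SA close to expiry with no rekeyed replacement. The sample text is constructed to match the article's output.

```python
import re
# Constructed sample output modelled on the article's step 5 (not captured from a live device).
IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2889938 UP     cd87ba170d9fd401  978fbcb18f5feb82  Main           178.170.172.165
"""
IPSEC_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-128/sha1 b81ee807 258/ unlim - root 500 178.170.172.165
  >131074 ESP:aes-cbc-128/sha1 c0bc14ab 258/ unlim - root 500 178.170.172.165
  <131074 ESP:aes-cbc-128/sha1 5c13c32b 3124/ unlim - root 500 178.170.172.165
  >131074 ESP:aes-cbc-128/sha1 c5d7bd1c 3124/ unlim - root 500 178.170.172.165
"""
# One IKE SA per line: index, state, two 16-hex-digit cookies, mode, remote address.
IKE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+[0-9a-f]{16}\s+[0-9a-f]{16}\s+(\S+)\s+(\S+)\s*$")
# One IPsec SA per line: direction (< inbound, > outbound), id, algorithm, SPI, life sec/kb, mon, lsys, port, gateway.
IPSEC_RE = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-f]{8})\s+(\d+)/\s*\S+\s+\S+\s+\S+\s+\d+\s+(\S+)\s*$")
def parse_ike(text):
    return [{"index": int(m[1]), "state": m[2], "mode": m[3], "peer": m[4]}
            for m in map(IKE_RE.match, text.splitlines()) if m]

def parse_ipsec(text):
    return [{"dir": m[1], "id": int(m[2]), "alg": m[3], "spi": m[4], "life_sec": int(m[5]), "peer": m[6]}
            for m in map(IPSEC_RE.match, text.splitlines()) if m]

def check_tunnel(ike_text, ipsec_text, peer, expected_alg="ESP:aes-cbc-128/sha1", min_life_sec=60):
    # Returns a list of findings; an empty list means the tunnel to `peer` is up and as configured.
    findings = []
    ike = [s for s in parse_ike(ike_text) if s["peer"] == peer]
    if not ike:
        findings.append(f"no IKE SA with {peer}")
    for s in ike:
        if s["state"] != "UP":
            findings.append(f"IKE SA {s['index']} state is {s['state']}, not UP")
    ipsec = [s for s in parse_ipsec(ipsec_text) if s["peer"] == peer]
    if not ipsec:
        findings.append(f"no IPsec SA with {peer}")
    by_id = {}
    for s in ipsec:
        by_id.setdefault(s["id"], []).append(s)
        if s["alg"] != expected_alg:
            findings.append(f"IPsec SA {s['id']} uses {s['alg']}, expected {expected_alg}")
    for sa_id, sas in by_id.items():
        if {s["dir"] for s in sas} != {"<", ">"}:
            findings.append(f"IPsec SA {sa_id} is missing an inbound or outbound half")
        # During a rekey the old and new pairs coexist, so only alarm when no fresh SA is left.
        if max(s["life_sec"] for s in sas) < min_life_sec:
            findings.append(f"IPsec SA {sa_id} expires in {max(s['life_sec'] for s in sas)} s and has not rekeyed")
    return findings
```

Feed it the real output of the two show commands from the SRX; a non-empty result is the list of things to look at before touching the configuration again.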

Note:

If you need several security associations, i.e. more than two networks in the tunnel, use ipsec vpn traffic-selector entries (one per required SA) instead of the ipsec vpn ike proxy-identity directive; the two directives are mutually exclusive, so deactivate proxy-identity first. Example: adding the subnet 192.168.4.0/24 on the virtual data center side:

    # deactivate security ipsec vpn VPN-EDGE ike proxy-identity
    # set security ipsec vpn VPN-EDGE traffic-selector ts1 local-ip 192.168.1.0/24 remote-ip 192.168.3.0/24
    # set security ipsec vpn VPN-EDGE traffic-selector ts2 local-ip 192.168.1.0/24 remote-ip 192.168.4.0/24
    # commit
