A short overview of the common commands for setting up an IPsec VPN on a Juniper SRX. The procedure is identical across all models of the SRX series.

Preparation:

set security zones security-zone untrust tcp-rst
set security zones security-zone trust tcp-rst

Tunnel interface and routing

set interfaces st0 unit 0 family inet address 10.11.11.1/30
set routing-options static route 192.168.23.0/24 next-hop st0.0
set security zones security-zone static-vpn interfaces st0.0

Allow host-inbound IKE

set security zones security-zone untrust host-inbound-traffic system-services ike

Address-book entries for all tunnels

set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone static-vpn address-book address dresden2-lan 192.168.23.0/24

Phase 1 IKE

set security ike policy dresden2-p1-policy mode main
set security ike policy dresden2-p1-policy proposals p1-proposal
set security ike policy dresden2-p1-policy pre-shared-key ascii-text "psk"

#set security ike proposal p1-proposal authentication-method pre-shared-keys
#set security ike proposal p1-proposal dh-group group2
#set security ike proposal p1-proposal encryption-algorithm aes-256-cbc
#set security ike proposal p1-proposal authentication-algorithm sha-256
#set security ike proposal p1-proposal lifetime-seconds 86400

set security ike gateway dresden2-gw ike-policy dresden2-p1-policy
set security ike gateway dresden2-gw address 161.54.207.184
set security ike gateway dresden2-gw external-interface reth0.0
set security ike gateway dresden2-gw dead-peer-detection interval 10
set security ike gateway dresden2-gw dead-peer-detection threshold 3
set security ike gateway dresden2-gw dead-peer-detection always-send
set security ike gateway dresden2-gw version v1-only

Phase 2 IKE

#set security ipsec policy std-ext proposal-set standard

set security ipsec vpn dresden2 ike gateway dresden2-gw
set security ipsec vpn dresden2 ike ipsec-policy std-ext
set security ipsec vpn dresden2 bind-interface st0.0
set security ipsec vpn dresden2 establish-tunnels immediately

Security Policies

edit security policies from-zone trust to-zone static-vpn
set policy lan-to-static-vpn match source-address LAN
set policy lan-to-static-vpn match destination-address all-static-vpn
set policy lan-to-static-vpn match application any
set policy lan-to-static-vpn then permit

top
edit security policies from-zone static-vpn to-zone trust
set policy static-vpn-to-lan match source-address all-static-vpn
set policy static-vpn-to-lan match destination-address LAN
set policy static-vpn-to-lan match application any
set policy static-vpn-to-lan then permit

MSS settings

set security flow tcp-mss ipsec-vpn mss 1350
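The sections above reference each other by name (proposal to IKE policy to gateway to VPN, zones and address-book names to security policies), and a stale name left over from copying another site's tunnel only shows up when the commit or the tunnel fails. The following consistency check is an added example, not code from the original page; the sample configuration is a constructed excerpt modelled on this one, and its `bayreuth-gw` and `LAN` names are there to show the kind of mismatch it reports. It treats `#`-prefixed lines as commented out and ignores address-book zone scoping.

```python
"""Dangling-reference check for Junos SRX IPsec 'set' config (added example, not page code)."""
import re

DEFINE = {  # kind -> regex whose group is the name being defined
    "ike-proposal": r"^set security ike proposal (\S+)",
    "ike-policy": r"^set security ike policy (\S+)",
    "ike-gateway": r"^set security ike gateway (\S+)",
    "ipsec-policy": r"^set security ipsec policy (\S+)",
    "zone": r"^set security zones security-zone (\S+)",
    "address": r"address-book address (\S+)",
}
REFER = {  # kind -> regex whose groups are names that must be defined somewhere
    "ike-proposal": r"ike policy \S+ proposals (\S+)",
    "ike-policy": r"ike gateway \S+ ike-policy (\S+)",
    "ike-gateway": r"ipsec vpn \S+ ike gateway (\S+)",
    "ipsec-policy": r"ipsec vpn \S+ ike ipsec-policy (\S+)",
    "zone": r"policies from-zone (\S+) to-zone (\S+)",
    "address": r"match (?:source|destination)-address (\S+)",
}
BUILTIN = {"address": {"any"}}  # Junos provides these without a definition

def dangling(config: str) -> list:
    """Sorted (kind, name) pairs referenced but never defined (zone scoping ignored)."""
    defined = {k: set() for k in DEFINE}
    referenced = {k: set() for k in REFER}
    prefix = ""  # Junos 'edit' is relative to the current level; 'top' resets it
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "top":
            prefix = ""
        elif line.startswith("edit "):
            prefix += line[5:] + " "
        elif line.startswith("set "):  # blanks and '#'-prefixed lines are not config
            line = "set " + prefix + line[4:]
            for kind, pat in DEFINE.items():
                if m := re.search(pat, line):
                    defined[kind].add(m.group(1))
            for kind, pat in REFER.items():
                if m := re.search(pat, line):
                    referenced[kind].update(m.groups())
    return sorted((k, n) for k in REFER
                  for n in referenced[k] - defined[k] - BUILTIN.get(k, set()))

SAMPLE = """set security zones security-zone static-vpn interfaces st0.0
set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security ike gateway bayreuth-gw version v1-only
set security ipsec vpn dresden2 ike gateway dresden2-gw
edit security policies from-zone trust to-zone static-vpn
set policy lan-to-static-vpn match source-address LAN"""  # constructed, modelled on the page

print(dangling(SAMPLE))
```

Run it against the full `show configuration | display set` output before committing; an empty list means every name the VPN chain uses is defined somewhere in the configuration.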