Juniper SRX: IPsec VPN with a Static (Pre-shared) Key

A short overview of the commands needed to set up a route-based IPsec VPN with a static pre-shared key (IKEv1, main mode) on a Juniper SRX. The procedure is the same across the SRX series; only the interface names differ. reth0.0 below is a redundant Ethernet interface of a chassis cluster; on a standalone SRX you reference the WAN interface directly (e.g. ge-0/0/0.0).

Preparation:

set security zones security-zone untrust tcp-rst
set security zones security-zone trust tcp-rst

tcp-rst makes the SRX answer a non-SYN TCP packet that matches no existing session with a RST instead of dropping it silently, so hosts tear down stale connections quickly after a tunnel flap. It is optional for the VPN itself; keep in mind that on untrust it also tells a port scanner that its packet reached a live device.

Tunnel interface and routing

set interfaces st0 unit 0 family inet address 10.11.11.1/30
set routing-options static route 192.168.23.0/24 next-hop st0.0
set security zones security-zone static-vpn interfaces st0.0

This is a route-based VPN: traffic for the remote LAN 192.168.23.0/24 is routed into the secure tunnel interface st0.0 (local tunnel address 10.11.11.1/30), and st0.0 is placed in its own zone static-vpn so that the security policies below decide what may cross the tunnel.

Allow host-inbound IKE

set security zones security-zone untrust host-inbound-traffic system-services ike

Without this the SRX discards the peer's IKE packets (UDP 500, and UDP 4500 for NAT-T) arriving on the external interface in the untrust zone, and phase 1 never completes.

Address-book entries for all tunnels

set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone static-vpn address-book address dresden2-lan 192.168.23.0/24

The remote network belongs in the address book of the zone that holds st0.0, i.e. static-vpn (the original listed it under a zone named vpn, which is not defined anywhere else on this page). These are the names the security policies refer to; with several tunnels you can group the remote networks in an address-set inside the static-vpn zone and reference that set in the policies instead.

Phase 1 (IKE)

set security ike policy dresden2-p1-policy mode main
set security ike policy dresden2-p1-policy proposals p1-proposal
set security ike policy dresden2-p1-policy pre-shared-key ascii-text "psk"

#set security ike proposal p1-proposal authentication-method pre-shared-keys
#set security ike proposal p1-proposal dh-group group2
#set security ike proposal p1-proposal encryption-algorithm aes-256-cbc
#set security ike proposal p1-proposal authentication-algorithm sha-256
#set security ike proposal p1-proposal lifetime-seconds 86400

The lines marked with # define the proposal p1-proposal; it is shared by all tunnels and only has to be configured once. Replace "psk" with a long random secret (it is the only thing authenticating the peer) and use the same value on the other side. Two caveats: dh-group group2 is 1024-bit MODP, which is no longer considered adequate, so prefer group14 or higher if the peer supports it; and main mode is the right choice with pre-shared keys, because aggressive mode sends a hash derived from the PSK unencrypted and exposes it to offline guessing.

set security ike gateway dresden2-gw ike-policy dresden2-p1-policy
set security ike gateway dresden2-gw address 161.54.207.184
set security ike gateway dresden2-gw external-interface reth0.0
set security ike gateway dresden2-gw dead-peer-detection interval 10
set security ike gateway dresden2-gw dead-peer-detection threshold 3
set security ike gateway dresden2-gw dead-peer-detection always-send
set security ike gateway dresden2-gw version v1-only

The gateway ties the IKE policy to the peer's public address and to the local external interface. Dead peer detection sends a probe every 10 seconds (always-send: even while traffic is flowing) and declares the peer dead after 3 missed replies, so the SAs are torn down and renegotiated instead of blackholing traffic. The last line pins the gateway to IKEv1; use version v2-only when both ends support IKEv2. (The original had bayreuth-gw in that line, a leftover from another tunnel; the gateway name must match the one used in the lines above.)

Phase 2 (IPsec)

#set security ipsec policy std-ext proposal-set standard

set security ipsec vpn dresden2 ike gateway dresden2-gw
set security ipsec vpn dresden2 ike ipsec-policy std-ext
set security ipsec vpn dresden2 bind-interface st0.0
set security ipsec vpn dresden2 establish-tunnels immediately

Again the # line is the shared part. The predefined proposal-set standard still includes 3DES and SHA-1 among its proposals, which is weaker than the custom phase 1 above; an explicit ipsec proposal (ESP, AES-256, SHA-256) with perfect-forward-secrecy on the policy is the better choice. establish-tunnels immediately brings the tunnel up at commit rather than on the first interesting packet, which is what you want for a site-to-site link monitored by DPD.

Security policies

set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn match source-address local-net
set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn match destination-address dresden2-lan
set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn match application any
set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn then permit

set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan match source-address dresden2-lan
set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan match destination-address local-net
set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan match application any
set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan then permit

The original used edit security policies ... followed by relative set commands; since edit is itself relative to the current hierarchy level, the second edit would fail unless you return with top first, so the fully qualified form is shown here. The address names must match the address-book entries defined above (the original referenced LAN and all-static-vpn, which were never defined). application any permits everything in both directions; restrict it to the applications the two sites actually need.

MSS settings

set security flow tcp-mss ipsec-vpn mss 1350

ESP and the outer IP header add overhead, so a full 1500-byte packet no longer fits into the tunnel. Clamping the MSS of TCP sessions that enter the tunnel to 1350 bytes keeps segments small enough to avoid fragmentation and the PMTUD black holes you would otherwise debug as "ping works but large transfers hang".
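The complete configuration for the tunnel described above, as an added example that is not part of the original post: the names are made consistent (zone static-vpn, address-book names used by the policies, one gateway name), the remote network is grouped in an address-set so further tunnels can be added, an explicit phase 2 proposal with PFS replaces the predefined standard set, DH group 14 replaces group 2, and the operational commands to verify the result follow at the end. The interface reth0.0, the addresses and the peer IP are taken from the post; the proposal parameters, lifetimes, the address-set name all-static-vpn and the policy name dresden2-p2-policy are my choices, and the PSK is a placeholder.

```junos
# Tunnel interface, route and zone (values from the post)
set interfaces st0 unit 0 family inet address 10.11.11.1/30
set routing-options static route 192.168.23.0/24 next-hop st0.0
set security zones security-zone static-vpn interfaces st0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# Address book: local LAN in trust, remote LANs in static-vpn grouped in an address-set
set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone static-vpn address-book address dresden2-lan 192.168.23.0/24
set security zones security-zone static-vpn address-book address-set all-static-vpn address dresden2-lan

# Phase 1: explicit proposal, DH group 14 (2048-bit MODP) instead of group 2 (assumes the peer supports it)
set security ike proposal p1-proposal authentication-method pre-shared-keys
set security ike proposal p1-proposal dh-group group14
set security ike proposal p1-proposal authentication-algorithm sha-256
set security ike proposal p1-proposal encryption-algorithm aes-256-cbc
set security ike proposal p1-proposal lifetime-seconds 28800
set security ike policy dresden2-p1-policy mode main
set security ike policy dresden2-p1-policy proposals p1-proposal
set security ike policy dresden2-p1-policy pre-shared-key ascii-text "replace-with-a-long-random-secret"
set security ike gateway dresden2-gw ike-policy dresden2-p1-policy
set security ike gateway dresden2-gw address 161.54.207.184
set security ike gateway dresden2-gw external-interface reth0.0
set security ike gateway dresden2-gw dead-peer-detection interval 10
set security ike gateway dresden2-gw dead-peer-detection threshold 3
set security ike gateway dresden2-gw dead-peer-detection always-send
set security ike gateway dresden2-gw version v1-only

# Phase 2: explicit ESP proposal with perfect forward secrecy instead of proposal-set standard
set security ipsec proposal p2-proposal protocol esp
set security ipsec proposal p2-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal p2-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal p2-proposal lifetime-seconds 3600
set security ipsec policy dresden2-p2-policy perfect-forward-secrecy keys group14
set security ipsec policy dresden2-p2-policy proposals p2-proposal
set security ipsec vpn dresden2 bind-interface st0.0
set security ipsec vpn dresden2 ike gateway dresden2-gw
set security ipsec vpn dresden2 ike ipsec-policy dresden2-p2-policy
set security ipsec vpn dresden2 establish-tunnels immediately

# Policies: fully qualified set commands, names match the address book above
set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn match source-address local-net
set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn match destination-address all-static-vpn
set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn match application any
set security policies from-zone trust to-zone static-vpn policy lan-to-static-vpn then permit
set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan match source-address all-static-vpn
set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan match destination-address local-net
set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan match application any
set security policies from-zone static-vpn to-zone trust policy static-vpn-to-lan then permit

# MSS clamping for TCP sessions that enter the tunnel
set security flow tcp-mss ipsec-vpn mss 1350

commit check
commit and-quit

# Verification (operational mode): phase 1 SA, phase 2 SA, traffic counters, route via st0.0
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
show route 192.168.23.0/24
```

The other end needs the mirror image: st0 address 10.11.11.2/30, a static route for 10.10.10.0/24 via its own st0, the same PSK and identical phase 1 and phase 2 proposals (a mismatch shows up as no entry in show security ike security-associations, or a phase 1 SA without a phase 2 SA). After changing a proposal on a live tunnel, clear security ike security-associations forces a renegotiation with the new parameters.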
Tom Schäfer

Tom writes here about his experiences with Linux, open source and IT. He also likes to talk about finance topics and hates writing about himself in the third person.