I have been tasked to to setup another site to site IPsec VPN. We nto connect to a partner and I had to get it sorted.
The first step is, whenver we need to connect to a third part company, thy most certainly will provide us with a VPN form, which we need to complete.
The form will request various piece of information, such as:
- Public IP address
- Firewall used (Make and Model)
- Private IPs or subnets which need accessing the VPN
Once you have complete the form and sent it back, you will probably receive the VPN parameters. Sometimes the same form to be complete already includes the VPN parameters.
I am going to describe the VPN setup with a ficticious thirdparty company name.
VPN Parameters
Company Name: LivingUK
Phase1
Auth method – Pre Shared Key
Encrypt - aes128
Hash - sha1
Group2
Lifetime in seconds 36400
Phase2
Encrypt - eas128
Hash - sha1
Lifetime in seconds 36400
You have to match the above parameters with Juniper Junos parameters (most the time your peer will not be a Juniper)
Proposal
Authentication Algorithm: Sha1
Authentication method: pre-shared-keys
Descriptions: "LivingUK P1"
DH Group: group2
Encryption Algorithm: aes-128-cbc
Lifetime seconds: 3600
IKE Policy
Mode: main
IKE Gateway
Policy: "PolicyName"
Setup Phase I
set interfaces st0 unit 30 description "Tunnel Name"
Create a Phase I Proposal
set security ike proposal "VPNPartner P1 Name" description "VPN Partner Name"
set security ike proposal "VPNPartner P1 Name" authentication-method pre-shared-keys
set security ike proposal "VPNPartner P1 Name" dh-group group2
set security ike proposal "VPNPartner P1 Name" authentication-algorithm sha1
set security ike proposal "VPNPartner P1 Name" encryption-algorithm aes-128-cbc
set security ike proposal "VPNPartner P1 Name" lifetime-seconds 86400
set security ike policy "IKEPolicyName" mode main
set security ike policy "IKEPolicyName" proposals "VPNPartner P1 Name"
set security ike policy "IKEPolicyName" pre-shared-key ascii-text "Your VPN Key"
set security ike gateway "IkeGatewayVPN" ike-policy "IKEPolicyName"
set security ike gateway "IkeGatewayVPN" address "Peer IP Address"
set security ike gateway "IkeGatewayVPN" external-interface reth0.0
Setup Phase II
set security ipsec proposal "IPSEC VPNPartner P2 Name" description "PhaseII"
set security ipsec proposal "IPSEC VPNPartner P2 Name" protocol esp
set security ipsec proposal "IPSEC VPNPartner P2 Name" authentication-algorithm hmac-sha1-96
set security ipsec proposal "IPSEC VPNPartner P2 Name" encryption-algorithm aes-128-cbc
set security ipsec proposal "IPSEC VPNPartner P2 Name" lifetime-seconds 28800
set security ipsec policy "IpsecPolicyP2" description "Ipsec P2 Policy"
set security ipsec policy "IpsecPolicyP2" perfect-forward-secrecy keys group2
set security ipsec policy "IpsecPolicyP2" proposals "IPSEC VPNPartner P2 Name"
set security ipsec vpn "VPNNameAK" bind-interface st0.30
set security ipsec vpn "VPNNameAK ike gateway "IkeGatewayVPN"
set security ipsec vpn "VPNNameAK ike proxy-identity local <Local IP or subnet to be used as ID>
set security ipsec vpn "VPNNameAK ike proxy-identity remote <Remote IP or subnet to be used as ID>
set security ipsec vpn "VPNNameAK ike ipsec-policy "IpsecPolicyP2"
set security ipsec vpn "VPNNameAK establish-tunnels immediately
set security nat source rule-set LANOut rule "NATRuleName" match source-address <Local IP or subnet to be matched>
set security nat source rule-set LANOut rule "NATRuleName" match destination-address <Remote IP to be matched>
set security nat source rule-set LANOut rule "NATRuleName" then source-nat off
Note: This is not finishe yet. I need to explain each parameter used within this configuration.
No comments:
Post a Comment