Summary:
How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.
Problem or Goal:
This example will be based on a VPN between two SSG140s, using ScreenOS 5.4.0r8.0; however, this config is valid with ScreenOS 5.x and 6.x.
Assumptions:
Firewall at Site A and Site B are in Transparent mode and connected to the Internet.
Internal network on the Firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50
Internal network on the Firewall at Site B is 1.1.2.0 255.255.255.0. The internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50
Assuming both P1 and P2 are using "standard" security level, the Preshare key for P1 is "netscreen", and Replay Protection is disabled.
Solution:
Note that when the Virtual Private Network (VPN) tunnel uses a pair of Juniper firewalls in Transparent mode as the termination point, the security gateway needs to point to the IP address of the peer's VLAN1 interface.
Additionally, the Transparent mode Juniper firewall needs a static route to reach the remote IPSec gateway.
Site A Configuration details:
--------------------------------------
Define address objects
WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
* Address Name: lan-B
* IP Address/Netmask: 1.1.2.0/24
Choose V1-Trust from pull-down menu and click New
Enter following and click OK
* Address Name: lan-A
* IP address/Netmask: 1.1.1.0/24
CLI:
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24
Define IKE gateway (Phase 1)
WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
- Gateway Name: toB
- Security Level: Standard
- Static IP Address: 1.1.2.50
- Preshared Key: netscreen
- Outgoing Zone: V1-Untrust
CLI:
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
Define IPSec VPN (Phase 2)
WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
- VPN Name: toB
- Security Level: Standard
- Remote Gateway: Predefined: toB
CLI:
set vpn toB gateway toB sec-level standard
Define policy
WEBUI:
Select Policies and following, then click New
- From: V1-Trust
- To: V1 Untrust
- Source Address: Address Book Entry, lan-A
- Destination Address: Address Boot Entry, lan-B
- Service: ANY
- Action: Tunnel
- Tunnel: VPN, toB
- Modify matching bidirectional VPN policy: check
CLI:
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000
Define static route
Select Network > Routing > Destination, then click New
Enter following and click OK
- IP Address/Netmask: 0.0.0.0/0
- Next Hop: Gateway (selected)
- Interface: VLAN1
- Gateway IP Address: 1.1.1.1
CLI:
set route 0.0.0.0/0 gateway 1.1.1.1
Site B Configuration details:
--------------------------------------
Define address objects
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
- Address Name: lan-A
- IP Address/Netmask: 1.1.1.0/24
Enter following and click OK
- Address Name: lan-B
- IP address/Netmask: 1.1.2.0/24
CLI:
set address v1-trust lan-B 1.1.2.0/24
set address v1-trust lan-A 1.1.1.0/24
Define IKE gateway (Phase1)
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
- Gateway Name: toA
- Security Level: Standard
- Static IP Address: 1.1.1.50
- Preshared Key: netscreen
- Outgoing Zone: V1-Untrust
CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
Define IPSec VPN (Phase 2)
Select VPNs > Autokey IKE and click New
Enter following and click OK
- VPN Name: toA
- Security Level: Standard
- Remote Gateway: Predefined: toA
CLI:
set vpn toA gateway toA sec-level standard
Define policy
Select Policies and following, then click New
- From: V1-Trust
- To: V1-Untrust
Enter following and click OK
- Source Address: Address Book Entry, lan-B
- Destination Address: Address Boot Entry, lan-A
- Service: ANY
- Action: Tunnel
- Tunnel: VPN, toA
- Modify matching bidirectional VPN policy: check
CLI:
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000
Define static route
Select Network > Routing > Destination, then click New
Enter following and click OK
- IP Address/Netmask: 0.0.0.0/0
- Next Hop: Gateway (selected)
- Interface: VLAN1
- Gateway IP Address: 1.1.2.1
set route 0.0.0.0/0 gateway 1.1.2.1
Technical Documentation
A Transparent mode VPN example is also included in the Technical Documentation:
ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks
ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdfChapter 4 -- Site-to-Site Virtual Private Networks
“Transparent Mode VPN” Example
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf
Purpose:
Related Links:
'업무이야기 > Security' 카테고리의 다른 글
Juniper SRX Firewall Password Recovery (0) | 2012.03.21 |
---|---|
Juniper 인터넷 2회선을 이용한 Load Balancing (0) | 2012.02.21 |
Juniper Firewall ALG (0) | 2012.02.20 |
Juniper Firewall DHCP Server Configuration (0) | 2012.01.27 |
LG SafeZone IPS 2400 뒷면..... (0) | 2012.01.26 |