This message was posted by a user wishing to remain anonymous
## Scenario
- I am utilising a policy based VPN
- The WAN/Untrust security zone will have IKE enabled on it
- The WAN/Untrust security zone/interface is also the outbound interface for internet traffic
- I want to ensure that only the source address of 1.2.3.4 can initiate an IKE/IPSEC session with the interface
## Questions
- Is there a feature already enabled that prevents initiation attempts that don't match the given ike gateway address?
  - i.e. "set security ike gateway IKE-GW address 1.2.3.4"
- If not, what is the best way to go about this?
  - Due to the stateless nature of firewall filters it seems like this wouldn't be a good solution
- Would security policy be the better option? And if so, what would it look like, as there are no WAN to Trust rules (Untrust to Trust)?
I understand that a VPN connection attempt won't succeed if there is a mismatch of settings/secrets etc., but my preference is to reduce the potential attack surface and reconnaissance where possible.
Below is not the exact configuration I'm using, but is basically identical. It is ripped straight from Juniper vLabs.
## Site A
```
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text "1234"
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 10.100.12.2
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Site-B ike gateway IKE-GW
set security ipsec vpn VPN-to-Site-B ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Site-B establish-tunnels immediately
set security address-book Site-A address Site-A-Net 10.100.11.0/24
set security address-book Site-A attach zone trust
set security address-book Site-B address Site-B-Net 10.100.22.0/24
set security address-book Site-B attach zone untrust
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Site-B-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Site-A-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Site-B
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Site-A-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Site-B-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Site-B
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.11.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.12.1/24
set routing-options static route 10.100.22.0/24 next-hop 10.100.12.2
```
## Site B
```
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text "1234"
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 10.100.12.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Site-A ike gateway IKE-GW
set security ipsec vpn VPN-to-Site-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Site-A establish-tunnels immediately
set security address-book Site-A address Site-A-Net 10.100.11.0/24
set security address-book Site-A attach zone untrust
set security address-book Site-B address Site-B-Net 10.100.22.0/24
set security address-book Site-B attach zone trust
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Site-B-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Site-A-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Site-A
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Site-A-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Site-B-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Site-A
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.100.12.2/24
set routing-options static route 10.100.11.0/24 next-hop 10.100.12.1
```
Thank you.
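A stateless filter does fit this particular case, because IKE between two fixed public addresses is always UDP 500/4500 exchanged with the configured peer and needs no session tracking. The following input filter is an illustration added here, not part of the original post or the vLab config: it drops IKE/NAT-T packets that reach the Site A WAN address from anything other than the peer and hands every other inbound packet on to the stateful security policy unchanged. The filter, term and counter names are assumed; 1.2.3.4 is the peer address from the question and 10.100.12.1 is Site A's ge-0/0/1 address from the lab config (Site B would mirror this with its own addresses).

```junos
# Assumed names: RESTRICT-IKE, PEER-IKE, OTHER-IKE, ALLOW-REST, unexpected-ike
# Peer 1.2.3.4 is from the question; 10.100.12.1 is Site A's WAN address
set firewall family inet filter RESTRICT-IKE term PEER-IKE from source-address 1.2.3.4/32
set firewall family inet filter RESTRICT-IKE term PEER-IKE from destination-address 10.100.12.1/32
set firewall family inet filter RESTRICT-IKE term PEER-IKE from protocol udp
set firewall family inet filter RESTRICT-IKE term PEER-IKE from destination-port [ 500 4500 ]
set firewall family inet filter RESTRICT-IKE term PEER-IKE then accept
# Any other IKE/NAT-T packet aimed at the WAN address is counted, logged and dropped
set firewall family inet filter RESTRICT-IKE term OTHER-IKE from destination-address 10.100.12.1/32
set firewall family inet filter RESTRICT-IKE term OTHER-IKE from protocol udp
set firewall family inet filter RESTRICT-IKE term OTHER-IKE from destination-port [ 500 4500 ]
set firewall family inet filter RESTRICT-IKE term OTHER-IKE then count unexpected-ike
set firewall family inet filter RESTRICT-IKE term OTHER-IKE then syslog
set firewall family inet filter RESTRICT-IKE term OTHER-IKE then discard
# Everything else (ESP from the peer, return traffic for internet flows) is left to security policy
set firewall family inet filter RESTRICT-IKE term ALLOW-REST then accept
# Apply inbound on the untrust interface that carries both the VPN and internet traffic
set interfaces ge-0/0/1 unit 0 family inet filter input RESTRICT-IKE
```

The counter in `show firewall filter RESTRICT-IKE` gives a quick view of how many unsolicited IKE attempts the interface is absorbing, which is the reconnaissance the question wants to suppress.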