SRX

 View Only
last person joined: 15 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN to HQ Firewall

    Posted 09-15-2023 10:13
    Edited by Jodi Meier 09-18-2023 10:21

    Hello Community, 

    I have recently been tasked to set up a VPN on an SRX300 to peer with our HQ Juniper firewall. Part of the requirement is that the SRX300 should be able to connect  to HQ with different peer addresses as it will be moved to different locations around the country and still peer with HQ.

    My main issue is that our HQ Firewall is locked down with security policies to allow only specific IP in.  so Unless I specify the SRX300's gateway IP on the HQ. the VPN will not come up. 

    Is there a way that I can add a security rule to allow any incoming IKE packet from the SRX300's hostname whilst blocking every other incoming attempt?

    Thanks in advance for your responses.

    Referring to the attached config seen below,  normally I would put the SRX300's IP in the address group ABC-VPN-GRP, but since the SRX300's address will be dynamically changing per new location, I cannot do this.
    The VPN only works when I add the line "set security ike gateway p1-customer-CompanyABC address 1.1.1.1" 

    HQ FW
    set security ike proposal p1-proposal-CompanyABC-1 authentication-method pre-shared-keys
    set security ike proposal p1-proposal-CompanyABC-1 dh-group group20
    set security ike proposal p1-proposal-CompanyABC-1 authentication-algorithm sha-256
    set security ike proposal p1-proposal-CompanyABC-1 encryption-algorithm aes-256-cbc
    set security ike proposal p1-proposal-CompanyABC-1 lifetime-seconds 28800
    set security ike policy p1-policy-cust-CompanyABC mode main
    set security ike policy p1-policy-cust-CompanyABC proposals p1-proposal-CompanyABC-1
    set security ike policy p1-policy-cust-CompanyABC pre-shared-key ascii-text "$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    set security ike gateway p1-customer-CompanyABC ike-policy p1-policy-cust-CompanyABC
    set security ike gateway p1-customer-CompanyABC address 1.1.1.1
    set security ike gateway p1-customer-CompanyABC remote-identity hostname CompanyABC-networks.com
    set security ike gateway p1-customer-CompanyABC external-interface ae1.3002
    set security ike gateway p1-customer-CompanyABC version v2-only
    set security ipsec vpn vpn-cust-CompanyABC ike gateway p1-customer-CompanyABC
    set security ipsec vpn vpn-cust-CompanyABC ike ipsec-policy p2-policy-CompanyABC
    set security ipsec proposal p2-proposal-CompanyABC protocol esp
    set security ipsec proposal p2-proposal-CompanyABC authentication-algorithm hmac-sha-256-128
    set security ipsec proposal p2-proposal-CompanyABC encryption-algorithm aes-256-cbc
    set security ipsec proposal p2-proposal-CompanyABC lifetime-seconds 3600
    set security ipsec policy p2-policy-CompanyABC perfect-forward-secrecy keys group19
    set security ipsec policy p2-policy-CompanyABC proposals p2-proposal-CompanyABC
    set security ipsec vpn vpn-cust-CompanyABC bind-interface st0.12
    set security ipsec vpn vpn-cust-CompanyABC establish-tunnels immediately
    set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match source-address ABC-VPN-GRP
    set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match destination-address ABCFWP01
    set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match application junos-ike
    set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match application ipsec-500
    set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match application ipsec-1500
    set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN then permit
     
     
     
    REMOTE SRX300
     
    set security ike traceoptions file vpn-log
    set security ike traceoptions flag all
    set security ike proposal p1-base-proposal authentication-method pre-shared-keys
    set security ike proposal p1-base-proposal dh-group group20
    set security ike proposal p1-base-proposal authentication-algorithm sha-256
    set security ike proposal p1-base-proposal encryption-algorithm aes-256-cbc
    set security ike proposal p1-base-proposal lifetime-seconds 28800
    set security ike policy p1-policy-CompanyABC proposals p1-base-proposal
    set security ike policy p1-policy-CompanyABC pre-shared-key ascii-text "$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    set security ike gateway p1-gateway-CompanyABC-dail-VPN ike-policy p1-policy-CompanyABC
    set security ike gateway p1-gateway-CompanyABC-dail-VPN address 2.2.2.2
    set security ike gateway p1-gateway-CompanyABC-dail-VPN local-identity hostname CompanyABC-networks.com
    set security ike gateway p1-gateway-CompanyABC-dail-VPN external-interface ge-0/0/0.0
    set security ike gateway p1-gateway-CompanyABC-dail-VPN version v2-only
    set security ipsec vpn vpn-CompanyABC-cloud ike gateway p1-gateway-CompanyABC-dail-VPN
    set security ipsec vpn vpn-CompanyABC-cloud ike ipsec-policy p2-base-policy
    set security ipsec proposal p2-base-proposal protocol esp
    set security ipsec proposal p2-base-proposal authentication-algorithm hmac-sha-256-128
    set security ipsec proposal p2-base-proposal encryption-algorithm aes-256-cbc
    set security ipsec proposal p2-base-proposal lifetime-seconds 3600
    set security ipsec policy p2-base-policy perfect-forward-secrecy keys group19



  • 2.  RE: Dynamic VPN to HQ Firewall

    Posted 09-23-2023 20:28

    Only the remote site will specify an ip address, not the static/HQ side.  This will have only the matching host name.  See this short example of the differences.

    https://supportportal.juniper.net/s/article/SRX-Length-of-hostname-in-aggressive-mode-site-to-site-IPSec-VPN



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------