Internet access through central site over IPSec VPN

Usually remote sites have local internet access, but in some cases you want to route all traffic (including internet traffic) through the central site. For that you could use MPLS services, or you could go with a site-to-site IPSec VPN over the internet. This means that you put all traffic from the remote site into the IPSec VPN tunnel.

The benefit is better control over traffic: you can monitor all your internet traffic in one location, and additional services like antivirus, IPS, IDS, proxy, DLP, etc. are implemented in one location as well.

In the example below I will cover how to route all traffic from the remote sites through a site-to-site IPSec VPN over the internet to the central (Data center) site.

NETWORK DIAGRAM

[network diagram image: DisableInternetExit]

Picture legend:

  • red and blue lines represent internet access for remote sites
  • green line represents communication between Site A and Site B through Data center site.
  • all traffic between data center site and remote sites is routed through site-to-site IPSec VPN

Data center SRX configuration notes:

  • For Site B configure the correct Proxy-ID for the IPSec VPN (see the proxy-identity lines under VPN1-SiteB in the config below).
  • To allow communication between Site A and Site B, configure a hairpin firewall policy (see the VPN-to-VPN policy in the config below).

Site A SRX configuration notes:

  • The SRX is configured for route based IPSec VPN, which means that routes tell the SRX which traffic to put into the IPSec VPN.
  • For this reason an additional routing instance is needed. The additional routing instance is used for WAN connectivity (see routing-instance WAN in the config below), and the default routing instance is used for the private network and the IPSec VPN.

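To show why the separate routing instance matters, here is a small added example (my own code, not the author's configuration) that models Site A's routing tables with the Python ipaddress module. With a single table, the default route into st0.0 also captures the encapsulated ESP/IKE packet addressed to the Data center peer 1.1.1.1, so the tunnel would try to route through itself. With ge-0/0/0 placed in the WAN virtual router, the outer packet is resolved against the WAN table and leaves via the ISP next hop 2.2.2.1. The route entries and the test destination 203.0.113.10 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables modelling the Site A SRX of this post (added example, not the
# author's configuration). Each route is (prefix, next hop); a next hop is either an interface
# name (st0.0, ge-0/0/1.0) or a gateway address.
SINGLE_INSTANCE = {
    "inet.0": [
        ("172.30.1.0/24", "ge-0/0/1.0"),   # private LAN
        ("2.2.2.0/24", "ge-0/0/0.0"),      # public interface subnet
        ("0.0.0.0/0", "st0.0"),            # everything else into the tunnel
    ],
}
TWO_INSTANCES = {
    "inet.0": [
        ("172.30.1.0/24", "ge-0/0/1.0"),
        ("0.0.0.0/0", "st0.0"),
    ],
    "WAN.inet.0": [                        # routing-instance WAN owns ge-0/0/0.0
        ("2.2.2.0/24", "ge-0/0/0.0"),
        ("0.0.0.0/0", "2.2.2.1"),          # ISP next hop
    ],
}
IKE_PEER = "1.1.1.1"   # public address of the Data center SRX


def lookup(routes, dst):
    """Longest-prefix match over one routing table; returns the next hop or None."""
    addr = ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in routes:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def forward(tables, external_table, dst):
    """Route a LAN packet to dst. A packet resolved to st0.0 is encapsulated, and the outer
    ESP packet to the IKE peer is then routed in the table that owns the external interface."""
    inner_nh = lookup(tables["inet.0"], dst)
    if inner_nh != "st0.0":
        return ("clear", inner_nh)
    outer_nh = lookup(tables[external_table], IKE_PEER)
    if outer_nh == "st0.0":
        return ("error", "tunnel recursion: ESP to the peer would re-enter st0.0")
    return ("esp", outer_nh)


if __name__ == "__main__":
    print(forward(SINGLE_INSTANCE, "inet.0", "203.0.113.10"))       # ('error', ...)
    print(forward(TWO_INSTANCES, "WAN.inet.0", "203.0.113.10"))     # ('esp', '2.2.2.1')
    print(forward(TWO_INSTANCES, "WAN.inet.0", "172.30.1.10"))      # ('clear', 'ge-0/0/1.0')
```

The same recursion can also be avoided without a second instance by giving the peer a more specific route (a /32 for 1.1.1.1 via the ISP next hop) in the default table; the longest-prefix lookup above would then return the ISP next hop for the outer packet while everything else still falls into st0.0.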

FIREWALL INTERFACE SETTINGS

Config \ Firewall      SRX Datacenter    SRX Site A        ASA Site B
Public interface       ge-0/0/0          ge-0/0/0          outside
Public IP              1.1.1.1           2.2.2.2           3.3.3.3
Private interface      ge-0/0/1          ge-0/0/1          inside
Private subnet         10.0.0.0/24       172.30.1.0/24     192.168.1.0/24

SRX Datacenter configuration

edit interfaces st0 
set unit 0 description "VPN TO SiteA"
set unit 0 family inet
set unit 1 description "VPN TO SiteB"
set unit 1 family inet

edit routing-options static
set route 172.30.1.0/24 next-hop st0.0
set route 192.168.1.0/24 next-hop st0.1

edit security ike proposal IKE-Proposal-SiteA 
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc

edit security ike proposal IKE-Proposal-SiteB
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400

edit security ike policy IKE-POLICY-SiteA
set mode main
set proposals IKE-Proposal-SiteA
set pre-shared-key ascii-text "Bingo1"

edit security ike policy IKE-POLICY-SiteB
set mode main
set proposals IKE-Proposal-SiteB
set pre-shared-key ascii-text "Bingo2"

edit security ike gateway IKE-GW1-SiteA
set ike-policy IKE-POLICY-SiteA
set address 2.2.2.2
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 2
set external-interface ge-0/0/0

edit security ike gateway IKE-GW1-SiteB
set ike-policy IKE-POLICY-SiteB
set address 3.3.3.3
set external-interface ge-0/0/0

edit security ipsec proposal IPSec-Proposal-SiteA
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc

edit security ipsec proposal IPSec-Proposal-SiteB
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 4608000

edit security ipsec policy IPSec-Policy-SiteA
set proposals IPSec-Proposal-SiteA

edit security ipsec policy IPSec-Policy-SiteB
set proposals IPSec-Proposal-SiteB

edit security ipsec vpn VPN1-SiteA
set bind-interface st0.0
set ike gateway IKE-GW1-SiteA
set ike ipsec-policy IPSec-Policy-SiteA

edit security ipsec vpn VPN1-SiteB
set bind-interface st0.1
set ike gateway IKE-GW1-SiteB
set ike proxy-identity local 0.0.0.0/0
set ike proxy-identity remote 192.168.1.0/24
set ike ipsec-policy IPSec-Policy-SiteB

edit security policies from-zone trust to-zone VPN
set policy trust-to-VPN match source-address any
set policy trust-to-VPN match destination-address any
set policy trust-to-VPN match application any
set policy trust-to-VPN then permit

edit security policies from-zone VPN to-zone trust  
set policy VPN-to-trust match source-address any
set policy VPN-to-trust match destination-address any
set policy VPN-to-trust match application any
set policy VPN-to-trust then permit

edit security policies from-zone VPN to-zone VPN
set policy VPN-to-VPN match source-address any
set policy VPN-to-VPN match destination-address any
set policy VPN-to-VPN match application any
set policy VPN-to-VPN then permit

edit security policies from-zone VPN to-zone untrust
set policy VPN-to-untrust match source-address any
set policy VPN-to-untrust match destination-address any
set policy VPN-to-untrust match application any
set policy VPN-to-untrust then permit

edit security zones security-zone VPN  
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0
set interfaces st0.1


SRX Site A configuration

edit interfaces st0
set unit 0 description "VPN TO Datacenter"
set unit 0 family inet

edit routing-instances WAN 
set instance-type virtual-router
set interface ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

edit routing-options static
set route 0.0.0.0/0 next-hop st0.0

edit security ike proposal IKE-Proposal-Datacenter 
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc

edit security ike policy IKE-POLICY-Datacenter 
set mode main
set proposals IKE-Proposal-Datacenter
set pre-shared-key ascii-text "Bingo1"

edit security ike gateway IKE-GW1-Datacenter
set ike-policy IKE-POLICY-Datacenter
set address 1.1.1.1
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 2
set external-interface ge-0/0/0

edit security ipsec proposal IPSec-Proposal-Datacenter
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc

edit security ipsec policy IPSec-Policy-Datacenter 
set proposals IPSec-Proposal-Datacenter

edit security ipsec vpn VPN1-Datacenter
set bind-interface st0.0
set ike gateway IKE-GW1-Datacenter
set ike ipsec-policy IPSec-Policy-Datacenter
set establish-tunnels immediately

edit security policies from-zone trust to-zone VPN
set policy trust-to-VPN match source-address any
set policy trust-to-VPN match destination-address any
set policy trust-to-VPN match application any
set policy trust-to-VPN then permit

edit security policies from-zone VPN to-zone trust
set policy VPN-to-trust match source-address any
set policy VPN-to-trust match destination-address any
set policy VPN-to-trust match application any
set policy VPN-to-trust then permit

edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0


ASA Site B configuration

object-group network SiteB
 network-object 192.168.1.0 255.255.255.0

object-group network Nat_ANY
 network-object 0.0.0.0 0.0.0.0

object-group network Nat0
 group-object Nat_ANY

access-list VPN-Datacenter-10000 extended permit ip object-group SiteB any 

nat (inside,outside) source static SiteB SiteB destination static Nat0 Nat0 no-proxy-arp route-lookup

route outside 0.0.0.0 0.0.0.0 3.3.3.1

crypto ipsec transform-set ASET-SHA esp-aes esp-sha-hmac 

crypto map VPNMap 10000 match address VPN-Datacenter-10000
crypto map VPNMap 10000 set peer 1.1.1.1 
crypto map VPNMap 10000 set transform-set ASET-SHA
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key Bingo2


Multiple Proxy-IDs on a route based VPN

Juniper has released Junos version 12.1X46, which finally supports multiple Proxy-IDs on a route based VPN. In essence, the Proxy-ID is used in phase 2 of the IKE VPN negotiation: the firewall agrees with its peer which traffic is permitted, based on the specified pair of local and remote networks.

The functionality is named traffic selector and can be found under: security -> ipsec -> vpn -> VPNName -> traffic-selector

I will use the example from the previous post, route based site-to-site VPN between Juniper SRX and Cisco ASA, and extend it to show how to configure a traffic selector.

NETWORK DIAGRAM

[network diagram image: IPSecVPN-TS]

VPN Settings on Cisco ASA and Juniper SRX

Parameters \ Device        Cisco ASA    Juniper SRX
Phase 1 (IKE)
  authentication           sha1         sha1
  encryption               aes128       aes128
  dh-group                 group2       group2
  lifetime (seconds)       86400        86400
  mode                     main         main
  pre-shared-key           Bingo1       Bingo1
Phase 2 (IPSec)
  protocol                 esp          esp
  authentication           sha1         sha1
  encryption               aes128       aes128
  lifetime-seconds         3600         3600
  lifetime-kilobytes       46000        46000

JUNIPER SRX CONFIGURATION

edit interfaces st0 
set unit 0 family inet

edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400

edit security ike policy IKE-Policy-Cisco 
set mode main
set proposals Proposal-Cisco
set pre-shared-key ascii-text "Bingo1"

edit security ike gateway IKE-GW1-Cisco
set ike-policy IKE-Policy-Cisco
set address 1.1.1.1
set external-interface ge-0/0/0

edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000

edit security ipsec policy Cisco-Policy-IPSec 
set proposals Cisco-Proposal-IPSec

edit security ipsec vpn VPN1-Cisco
set bind-interface st0.0
set ike gateway IKE-GW1-Cisco
set ike ipsec-policy Cisco-Policy-IPSec
set traffic-selector TS1 local-ip 172.30.1.0/24
set traffic-selector TS1 remote-ip 192.168.1.0/24
set traffic-selector TS2 local-ip 172.50.1.0/24
set traffic-selector TS2 remote-ip 192.168.1.0/24

edit routing-options
set static route 192.168.1.0/24 next-hop st0.0

edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0

edit security zones security-zone LOCAL
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces ge-0/0/1.0

edit security policies from-zone LOCAL to-zone VPN
set policy LOCAL-to-VPN match source-address any
set policy LOCAL-to-VPN match destination-address any
set policy LOCAL-to-VPN match application any
set policy LOCAL-to-VPN then permit

edit security policies from-zone VPN to-zone LOCAL
set policy VPN-to-LOCAL match source-address any
set policy VPN-to-LOCAL match destination-address any
set policy VPN-to-LOCAL match application any
set policy VPN-to-LOCAL then permit

CISCO ASA CONFIGURATION

object network Nat_Site-A
 subnet 192.168.1.0 255.255.255.0

object-group network SiteB-Juniper
 network-object 172.30.1.0 255.255.255.0
 network-object 172.50.1.0 255.255.255.0

object-group network Site-A
 network-object 192.168.1.0 255.255.255.0

object-group network Nat0
 group-object SiteB-Juniper

access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper
nat (inside,outside) source static Site-A Site-A destination static Nat0 Nat0 no-proxy-arp route-lookup

object network Nat_Site-A
 nat (inside,outside) dynamic interface

crypto ipsec ikev1 transform-set ASET-SHA esp-aes esp-sha-hmac

crypto map VPNMap 10000 match address VPN-SiteB-Juniper-10000
crypto map VPNMap 10000 set peer 2.2.2.2
crypto map VPNMap 10000 set ikev1 transform-set ASET-SHA
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap 10000 set security-association lifetime kilobytes 46000

crypto map VPNMap interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key Bingo1

Route based site-to-site IPSec VPN between Juniper SRX and Cisco ASA

Let's say you got a request to create a site-to-site IPSec VPN between Juniper SRX and Cisco ASA firewalls. You might automatically assume that you have to use a policy based VPN on the SRX, since Cisco ASA supports only policy based VPNs. Well, you can, but there is another option: you can use a route based VPN.

Before we continue, I would like to stress that it is really important to have identical VPN settings on both sides, or the VPN tunnel will not come up or will be unstable.

Network diagram

[network diagram image: IPSecVPN]

VPN Settings on Cisco ASA and Juniper SRX

Parameters \ Device        Cisco ASA    Juniper SRX
Phase 1 (IKE)
  authentication           sha1         sha1
  encryption               aes128       aes128
  dh-group                 group2       group2
  lifetime (seconds)       86400        86400
  mode                     main         main
  pre-shared-key           Bingo1       Bingo1
Phase 2 (IPSec)
  protocol                 esp          esp
  authentication           sha1         sha1
  encryption               aes128       aes128
  lifetime-seconds         3600         3600
  lifetime-kilobytes       46000        46000

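Since a single mismatched parameter is the usual reason a tunnel stays down, here is an added checker (my own example, not the author's tooling) that parses the parameters from the table above out of the Junos 'edit/set' snippet and the ASA config of this post and reports every phase 1 or phase 2 value that differs, after mapping the vendor names (aes-128-cbc vs aes, hmac-sha1-96 vs esp-sha-hmac, group2 vs group 2) to one common vocabulary. The sample configs are constructed from this post, with the ASA DH group deliberately changed to 5 so the checker has something to report; the ASA main-mode default for IKEv1 L2L tunnels is assumed. The same check applies to the identical table in the Multiple Proxy-IDs post above.

```python
import re

# Example code added to this post (not the author's tooling): parse the IKE phase 1 and IPsec phase 2
# parameters out of a Junos SRX 'edit/set' snippet and a Cisco ASA config, map vendor names to one
# vocabulary and report every parameter that differs.

ALG_NAMES = {  # vendor algorithm names -> common name
    "sha1": "sha1", "sha": "sha1", "hmac-sha1-96": "sha1", "esp-sha-hmac": "sha1",
    "md5": "md5", "hmac-md5-96": "md5", "esp-md5-hmac": "md5",
    "aes-128-cbc": "aes128", "aes": "aes128", "esp-aes": "aes128",
    "aes-256-cbc": "aes256", "aes-256": "aes256", "esp-aes-256": "aes256",
    "3des-cbc": "3des", "3des": "3des", "esp-3des": "3des",
    "pre-shared-keys": "psk", "pre-share": "psk",
}
SRX_KEYS = {  # Junos statement -> parameter; statements not listed (proposals, pre-shared-key) are ignored
    "authentication-method": "auth-method", "dh-group": "dh-group", "mode": "mode", "protocol": "protocol",
    "authentication-algorithm": "authentication", "encryption-algorithm": "encryption",
    "lifetime-seconds": "lifetime-seconds", "lifetime-kilobytes": "lifetime-kilobytes",
}
ASA_POLICY_KEYS = {  # 'crypto ikev1 policy' sub-commands -> parameter
    "authentication": "auth-method", "encryption": "encryption", "hash": "authentication",
    "group": "dh-group", "lifetime": "lifetime-seconds",
}


def norm(value):
    return ALG_NAMES.get(value, value)


def parse_srx(text):
    """Phase 1 comes from 'ike proposal' and 'ike policy' stanzas, phase 2 from 'ipsec proposal'."""
    params, phase = {"phase1": {}, "phase2": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            phase = ("phase1" if " ike proposal " in line or " ike policy " in line
                     else "phase2" if " ipsec proposal " in line else None)
        elif phase and line.startswith("set "):
            tokens = line.split()
            if tokens[1] in SRX_KEYS:
                params[phase][SRX_KEYS[tokens[1]]] = norm(tokens[-1])
    return params


def parse_asa(text):
    """Phase 1 from 'crypto ikev1 policy', phase 2 from the transform-set and crypto map lifetimes."""
    params, in_policy = {"phase1": {"mode": "main"}, "phase2": {}}, False  # IKEv1 L2L defaults to main mode
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("crypto ikev1 policy "):
            in_policy = True
            continue
        if in_policy and raw.startswith(" "):                  # indented sub-command of the policy
            tokens = line.split()
            if len(tokens) >= 2 and tokens[0] in ASA_POLICY_KEYS:
                value = "group" + tokens[1] if tokens[0] == "group" else norm(tokens[1])
                params["phase1"][ASA_POLICY_KEYS[tokens[0]]] = value
            continue
        in_policy = False
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set \S+ (\S+) (\S+)$", line)
        if m:
            params["phase2"].update(protocol="esp", encryption=norm(m.group(1)), authentication=norm(m.group(2)))
        m = re.match(r"crypto map \S+ \d+ set security-association lifetime (seconds|kilobytes) (\d+)$", line)
        if m:
            params["phase2"]["lifetime-" + m.group(1)] = m.group(2)
    return params


def compare(srx, asa):
    """(phase, parameter, srx_value, asa_value) for every parameter the two sides do not agree on."""
    diffs = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(srx[phase]) | set(asa[phase])):
            if srx[phase].get(key) != asa[phase].get(key):
                diffs.append((phase, key, srx[phase].get(key), asa[phase].get(key)))
    return diffs


# Constructed samples taken from this post; the ASA DH group is deliberately changed to 5.
SRX_SNIPPET = """
edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400
edit security ike policy IKE-Policy-Cisco
set mode main
set proposals Proposal-Cisco
edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000
"""
ASA_SNIPPET = """
crypto ipsec ikev1 transform-set ASET-SHA esp-aes esp-sha-hmac
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap 10000 set security-association lifetime kilobytes 46000
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""

if __name__ == "__main__":
    for phase, key, srx_value, asa_value in compare(parse_srx(SRX_SNIPPET), parse_asa(ASA_SNIPPET)):
        print(f"{phase} {key}: SRX={srx_value} ASA={asa_value}")
```

Pre-shared keys are intentionally not compared by this script: a key mismatch does not show up in the config tables anyway, and it surfaces in the IKE logs as a failed phase 1 authentication rather than as a proposal mismatch.
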
I would like to point out two things you have to pay attention to when configuring a route based IPSec VPN between SRX and ASA:

  • on the SRX, when you create the virtual st0 interface, it has to be unnumbered, for example:

edit interfaces st0
set unit 0 family inet

  • on the SRX, under security -> ipsec -> vpn -> VPNName -> ike, you have to configure the proxy-identity. This essentially tells the SRX which networks to use when creating the IPSec SA, for example:

edit security ipsec vpn VPN1-Cisco
set ike proxy-identity local 172.30.1.0/24
set ike proxy-identity remote 192.168.1.0/24
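
The proxy-identity on the SRX has to mirror the ASA's crypto ACL: what the ASA lists as source and destination must appear on the SRX as remote and local. The added example below (my own code, not the author's) expands an ASA crypto ACL into the (source, destination) pairs the ASA will propose in phase 2 and checks them against the SRX 'ike proxy-identity' lines or, for the multi-network case from the Multiple Proxy-IDs post above, against its 'traffic-selector' entries. The object-group contents, ACL lines and SRX lines are taken from the posts on this page; the single-proxy-ID scenario shows what an SRX without traffic selectors would be missing when the ASA ACL covers two networks.

```python
from itertools import product
from ipaddress import ip_network

# Example code added to these posts (not the author's tooling): expand an ASA crypto ACL into the
# (source, destination) pairs it proposes as phase 2 proxy-IDs and check that the SRX carries each
# of them mirrored as (local, remote), via 'ike proxy-identity' or 'traffic-selector' entries.


def to_net(text):
    """Accept 'any', 'a.b.c.d/len' or 'a.b.c.d mask' and return an ip_network."""
    if text == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(text.replace(" ", "/"), strict=False)


def _expand_term(tokens, groups):
    """Expand one address term of an ASA ACE; returns (networks, number of tokens consumed)."""
    if tokens[0] == "any":
        return [to_net("any")], 1
    if tokens[0] == "host":
        return [ip_network(tokens[1] + "/32")], 2
    if tokens[0] == "object-group":
        return [to_net(n) for n in groups[tokens[1]]], 2
    return [to_net(tokens[0] + " " + tokens[1])], 2       # 'address mask' form


def asa_proxy_ids(acl_lines, groups):
    """Set of (source, destination) networks, one per expanded permit ACE combination."""
    pairs = set()
    for line in acl_lines:
        tokens = line.split()
        if "permit" not in tokens:                          # deny entries never form an SA
            continue
        rest = tokens[tokens.index("permit") + 2:]          # skip the protocol keyword after 'permit'
        sources, used = _expand_term(rest, groups)
        destinations, _ = _expand_term(rest[used:], groups)
        pairs.update(product(sources, destinations))
    return pairs


def srx_proxy_ids(config_text):
    """Set of (local, remote) networks from 'set ike proxy-identity' and 'set traffic-selector' lines."""
    local, remote = {}, {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if tokens[:3] == ["set", "ike", "proxy-identity"]:
            name, side, net = "proxy-identity", tokens[3], tokens[4]
        elif tokens[:2] == ["set", "traffic-selector"]:
            name, side, net = tokens[2], tokens[3].split("-")[0], tokens[4]   # local-ip / remote-ip
        else:
            continue
        (local if side == "local" else remote)[name] = to_net(net)
    return {(local[n], remote[n]) for n in local if n in remote}


def mirror_check(asa_pairs, srx_pairs):
    """Every ASA (src, dst) must appear on the SRX as (local=dst, remote=src), and nothing else."""
    expected = {(dst, src) for src, dst in asa_pairs}

    def as_text(pairs):
        return sorted((str(l), str(r)) for l, r in pairs)

    return {
        "matched": as_text(expected & srx_pairs),
        "missing_on_srx": as_text(expected - srx_pairs),
        "unexpected_on_srx": as_text(srx_pairs - expected),
    }


# Constructed inputs taken from the posts on this page.
GROUPS = {
    "Site-A": ["192.168.1.0 255.255.255.0"],
    "SiteB-Juniper": ["172.30.1.0 255.255.255.0", "172.50.1.0 255.255.255.0"],
    "SiteB": ["192.168.1.0 255.255.255.0"],
}
ACL_TWO_NETWORKS = ["access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper"]
SRX_TRAFFIC_SELECTORS = """
set traffic-selector TS1 local-ip 172.30.1.0/24
set traffic-selector TS1 remote-ip 192.168.1.0/24
set traffic-selector TS2 local-ip 172.50.1.0/24
set traffic-selector TS2 remote-ip 192.168.1.0/24
"""
SRX_SINGLE_PROXY_ID = """
set ike proxy-identity local 172.30.1.0/24
set ike proxy-identity remote 192.168.1.0/24
"""
ACL_DEFAULT_ROUTE = ["access-list VPN-Datacenter-10000 extended permit ip object-group SiteB any"]
SRX_DEFAULT_ROUTE = """
set ike proxy-identity local 0.0.0.0/0
set ike proxy-identity remote 192.168.1.0/24
"""

if __name__ == "__main__":
    asa = asa_proxy_ids(ACL_TWO_NETWORKS, GROUPS)
    print(mirror_check(asa, srx_proxy_ids(SRX_TRAFFIC_SELECTORS)))   # both pairs matched
    print(mirror_check(asa, srx_proxy_ids(SRX_SINGLE_PROXY_ID)))     # 172.50.1.0/24 missing on the SRX
    print(mirror_check(asa_proxy_ids(ACL_DEFAULT_ROUTE, GROUPS), srx_proxy_ids(SRX_DEFAULT_ROUTE)))
```

An entry in "missing_on_srx" is exactly the case the traffic-selector feature was introduced for: the ASA builds one SA per ACE, and a pair the SRX cannot mirror with a single proxy-identity will fail in phase 2 even though phase 1 and the first SA are fine.
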
Juniper SRX configuration

edit interfaces st0 
set unit 0 family inet

edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400

edit security ike policy IKE-Policy-Cisco 
set mode main
set proposals Proposal-Cisco
set pre-shared-key ascii-text "Bingo1"

edit security ike gateway IKE-GW1-Cisco
set ike-policy IKE-Policy-Cisco
set address 1.1.1.1
set external-interface ge-0/0/0

edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000

edit security ipsec policy Cisco-Policy-IPSec 
set proposals Cisco-Proposal-IPSec

edit security ipsec vpn VPN1-Cisco
set bind-interface st0.0
set ike gateway IKE-GW1-Cisco
set ike proxy-identity local 172.30.1.0/24
set ike proxy-identity remote 192.168.1.0/24
set ike ipsec-policy Cisco-Policy-IPSec

edit routing-options
set static route 192.168.1.0/24 next-hop st0.0

edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0

edit security zones security-zone LOCAL
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces ge-0/0/1.0

edit security policies from-zone LOCAL to-zone VPN
set policy LOCAL-to-VPN match source-address any
set policy LOCAL-to-VPN match destination-address any
set policy LOCAL-to-VPN match application any
set policy LOCAL-to-VPN then permit

edit security policies from-zone VPN to-zone LOCAL
set policy VPN-to-LOCAL match source-address any
set policy VPN-to-LOCAL match destination-address any
set policy VPN-to-LOCAL match application any
set policy VPN-to-LOCAL then permit

Cisco ASA Configuration

object network Nat_Site-A
 subnet 192.168.1.0 255.255.255.0

object-group network SiteB-Juniper
 network-object 172.30.1.0 255.255.255.0

object-group network Site-A
 network-object 192.168.1.0 255.255.255.0

object-group network Nat0
 group-object SiteB-Juniper

access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper
nat (inside,outside) source static Site-A Site-A destination static Nat0 Nat0 no-proxy-arp route-lookup

object network Nat_Site-A
 nat (inside,outside) dynamic interface

crypto ipsec ikev1 transform-set ASET-SHA esp-aes esp-sha-hmac

crypto map VPNMap 10000 match address VPN-SiteB-Juniper-10000
crypto map VPNMap 10000 set peer 2.2.2.2
crypto map VPNMap 10000 set ikev1 transform-set ASET-SHA
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap 10000 set security-association lifetime kilobytes 46000

crypto map VPNMap interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key Bingo1

On a Juniper SRX firewall, disable SIP ALG within a firewall policy

In the previous post I mentioned how SIP ALG can be of benefit on Juniper SRX firewalls. But in some cases, where the phone clients do not support RFC 3581 and SIP ALG is enabled, the SRX firewall will drop the traffic. When SIP ALG is enabled, it is applied globally: basically it is on or off for the "whole" firewall.

In this example the private PBX is located in the LAN A subnet and the phone clients are located in the LAN B subnet. SIP ALG is enabled on the SRX firewall and is used for the communication between the provider PBX and the private PBX.

For the communication between the phone clients and the private PBX, SIP ALG is disabled within the firewall policy.

[diagram image: DisableSIPALG]

[edit applications]
set application DisableSIP_ALG term t1 alg ignore
set application DisableSIP_ALG term t1 protocol udp

[edit security]
set zones security-zone LAN-A address-book address PrivatePBX 192.168.1.100/32

[edit security]
set zones security-zone LAN-B address-book address LAN-B-NET 172.30.1.0/24

[edit security policies from-zone LAN-A to-zone LAN-B]
set policy PBX-to-LAN-B-DisableSIPALG match source-address PrivatePBX
set policy PBX-to-LAN-B-DisableSIPALG match destination-address LAN-B-NET
set policy PBX-to-LAN-B-DisableSIPALG match application DisableSIP_ALG
set policy PBX-to-LAN-B-DisableSIPALG then permit

[edit security policies from-zone LAN-B to-zone LAN-A]
set policy LAN-B-to-PBX-DisableSIPALG match source-address LAN-B-NET
set policy LAN-B-to-PBX-DisableSIPALG match destination-address PrivatePBX
set policy LAN-B-to-PBX-DisableSIPALG match application DisableSIP_ALG
set policy LAN-B-to-PBX-DisableSIPALG then permit

Permit SIP traffic through Juniper SRX with the help of SIP ALG

Have you ever wondered how to allow traffic from the provider's PBX to your PBX without creating an additional firewall policy with dynamic port ranges for the RTP stream?

Well, here SIP ALG comes into play. SIP ALG recognizes SIP traffic and opens a pinhole in the firewall to allow the RTP stream from one PBX to the other for the duration of the session/call. There is no need for an additional firewall policy for the RTP stream if SIP ALG is used.

This kind of setup will only work if both PBXes support RFC 3581.

On Juniper SRX firewalls SIP ALG is enabled by default. To check the SIP ALG status, enter the command "show security alg status".

[screenshot: SIP ALG Status]

In this example an additional IP address 1.1.1.100 was provided by the ISP, and it is assigned a static NAT mapping to IP address 192.168.1.100. IP address 1.1.1.100 will be used for SIP and RTP traffic.

[diagram image: SIP firewall diagram]

[edit security nat static]
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 1.1.1.100/32
set rule-set rs1 rule r1 then static-nat prefix 192.168.1.100/32

[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32

[edit security]
set zones security-zone trust address-book address LocalPBX 192.168.1.100/32

[edit security]
set zones security-zone untrust address-book address ProviderPBX 2.2.2.200/32

[edit security policies from-zone untrust to-zone trust]
set policy PBX-Access-SIP match source-address ProviderPBX destination-address LocalPBX application junos-sip
set policy PBX-Access-SIP then permit
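
To make concrete what the SIP ALG does for this setup, here is an added example (my own model, not Juniper's ALG code) that parses the SDP body of an INVITE to find the RTP address and port a PBX announces, derives the RTP/RTCP pinhole the firewall has to open for the duration of the call, and rewrites the private address 192.168.1.100 to the static-NAT address 1.1.1.100 in the o= and c= lines, which is the translation the ALG performs so that the provider PBX sends media to the public address rather than to the private one embedded in the SDP. The SDP is a constructed sample; RTCP on RTP port + 1 is the RFC 3550 convention and is an assumption of the example.

```python
# Example code added to this post (not Juniper's ALG implementation): a minimal model of what a SIP ALG
# derives from the SDP body of an INVITE: the RTP/RTCP pinholes it must open for the call and the
# address rewrite it performs when the PBX sits behind static NAT.

# Constructed SDP body as the local PBX 192.168.1.100 would send it in an INVITE.
SAMPLE_SDP = """v=0
o=pbx 2890844526 2890844526 IN IP4 192.168.1.100
s=call
c=IN IP4 192.168.1.100
t=0 0
m=audio 16384 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
"""
STATIC_NAT = {"192.168.1.100": "1.1.1.100"}   # inside -> outside, the mapping from this post


def parse_sdp_media(sdp):
    """One dict per m= line with the address and port the sender expects RTP on.
    A c= line before the first m= applies to the whole session, a c= after an m= only to that stream."""
    session_ip, streams, current = None, [], None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            if current is None:
                session_ip = line.split()[-1]
            else:
                current["ip"] = line.split()[-1]
        elif line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            current = {"media": media, "ip": session_ip, "port": int(port), "proto": proto}
            streams.append(current)
    return streams


def alg_pinholes(sdp, nat):
    """Pinholes a SIP ALG would open: outside/inside address plus the RTP and RTCP port per RTP stream.
    RTCP on RTP port + 1 is the RFC 3550 convention (assumption of this example)."""
    holes = []
    for s in parse_sdp_media(sdp):
        if s["proto"].startswith("RTP/"):
            holes.append({"outside_ip": nat.get(s["ip"], s["ip"]), "inside_ip": s["ip"],
                          "rtp_port": s["port"], "rtcp_port": s["port"] + 1})
    return holes


def translate_sdp(sdp, nat):
    """Rewrite the private address in o= and c= lines to the NAT-mapped public one, as the ALG does."""
    out = []
    for line in sdp.splitlines():
        if line.startswith(("o=", "c=")):
            for inside, outside in nat.items():
                line = line.replace(inside, outside)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for hole in alg_pinholes(SAMPLE_SDP, STATIC_NAT):
        print(hole)
    print(translate_sdp(SAMPLE_SDP, STATIC_NAT))
```

This is also why the RFC 3581 requirement in the post matters: a client that does not support rport cannot be reached on the address and port its packets actually came from, so the ALG's rewrite of the SDP is the only thing keeping the media path consistent, and a client that misbehaves with that rewrite is the case the previous post handles by disabling the ALG per policy.
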