Today we are going to make a multipoint VPN.
One hub site (VPN-CORE) and 2 spokes sites (LEFTY and RIGHTY2). All devices are SRXs.
Multipoint is only supported with route-based VPNs, so that's what we will be using. The key point to note is that the multipoint hub uses a single tunnel interface regardless of the number of VPN tunnels.
In real life you probably wouldn't bother with multipoint for just 2 spokes, but this is a lab so let's do it!
Here is the network we are working on..
We will want to get traffic between the 2 trust zones and the server-zone running over the VPN.
SPOKE SITE CONFIG (RIGHTY2)
With colour highlights showing how all the different elements "glue" together.
1) TUNNEL INTERFACE
Create the tunnel interface.
All the tunnel interfaces are in the same subnet - 20.0.20.0/24
set interfaces st0 unit 0 family inet address 20.0.20.3/24
2) ROUTING
a) Define default route to point to the cloud.
set routing-options static route 0.0.0.0/0 next-hop 3.3.3.1
b) Define which destinations we wish to reach via the tunnel interface.
We wish to get to the server network behind VPN-CORE via the VPN.
set routing-options static route 192.168.210.0/24 next-hop st0.0
3) SPOKE CONFIG PHASE 1 and 2
a) Define Phase 1 proposal set
set security ike proposal aes-phase1 authentication-method pre-shared-keys
set security ike proposal aes-phase1 dh-group group2
set security ike proposal aes-phase1 authentication-algorithm sha1
set security ike proposal aes-phase1 encryption-algorithm aes-256-cbc
set security ike proposal aes-phase1 lifetime-seconds 86400
b) Define Phase 1 policy
set security ike policy hub_p1_pol mode main
set security ike policy hub_p1_pol proposals aes-phase1
set security ike policy hub_p1_pol pre-shared-key ascii-text testkey2
c) Define Phase 1 gateway
set security ike gateway hub_gw ike-policy hub_p1_pol
set security ike gateway hub_gw address 4.4.4.2
set security ike gateway hub_gw external-interface fe-0/0/7.0
set security ike gateway hub_gw version v1-only
The IP address here is the external address of the hub SRX, and the external interface is the physical interface the VPN traffic will use.
d) Define Phase 2 proposal set
set security ipsec proposal aes-phase2 protocol esp
set security ipsec proposal aes-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal aes-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal aes-phase2 lifetime-seconds 3600
e) Define Phase 2 policy
set security ipsec policy hub_p2_pol perfect-forward-secrecy keys group2
set security ipsec policy hub_p2_pol proposals aes-phase2
f) Define the VPN
set security ipsec vpn hub_vpn bind-interface st0.0
set security ipsec vpn hub_vpn ike gateway hub_gw
set security ipsec vpn hub_vpn ike ipsec-policy hub_p2_pol
set security ipsec vpn hub_vpn establish-tunnels immediately
You can clearly see how the VPN section of the config ties all the other elements together.
So there is no difference in configuring the spoke side of a multipoint VPN compared to configuring one side of a point-to-point link.
4) VPN ZONE
Define a VPN security zone and put the tunnel interface in it.
set security zones security-zone vpn interfaces st0.0
5) ADDRESSES
Define any needed addresses for the policy rules
Local address..
set security address-book global address net_192.168.197.0/24 192.168.197.0/24
Remote address..
set security address-book global address net_192.168.210.0/24 192.168.210.0/24
6) POLICY
Create appropriate policy rules according to your needs
From the local network to the remote server network on any port
set security policies from-zone trust to-zone vpn policy vpn_core_access match source-address net_192.168.197.0/24
set security policies from-zone trust to-zone vpn policy vpn_core_access match destination-address net_192.168.210.0/24
set security policies from-zone trust to-zone vpn policy vpn_core_access match application any
set security policies from-zone trust to-zone vpn policy vpn_core_access then permit
set security policies from-zone trust to-zone vpn policy vpn_core_access then log session-init
From the remote server network to the local network on any port
set security policies from-zone vpn to-zone trust policy vpn_core_access match source-address net_192.168.210.0/24
set security policies from-zone vpn to-zone trust policy vpn_core_access match destination-address net_192.168.197.0/24
set security policies from-zone vpn to-zone trust policy vpn_core_access match application any
set security policies from-zone vpn to-zone trust policy vpn_core_access then permit
set security policies from-zone vpn to-zone trust policy vpn_core_access then log session-init
7) ALLOW IKE
Permit IKE on the external facing security zone
set security zones security-zone cloud-link host-inbound-traffic system-services ike
HUB SITE CONFIG (VPN-CORE)
1) TUNNEL INTERFACE
set interfaces st0 unit 0 multipoint family inet address 20.0.20.4/24
* Note the use of the keyword multipoint. This is the only tunnel interface we will need to create on the hub site, which leads us to..
NHTB.
The hub device has only one tunnel interface in a multipoint config so it needs a way to be able to decide which VPN to use for what traffic.
For this it uses the next-hop tunnel binding table (NHTB) feature, which maps VPN names to next-hop IP gateways. VPN name in this instance means the actual name given in the set security ipsec vpn command. The remote device's st0 interface IP is the next-hop IP in the NHTB.
Here are the elements to get traffic into the correct tunnel for a specific destination address.
inet.0 - destination address to next hop mapping
NHTB - next hop to VPN mapping, i.e. the link between the destination route and the VPN to use for that route
As all the devices in our network are SRXs we don't need to manually define the NHTB table, as the NHTB mappings can be discovered during Phase 1 negotiations. If we didn't have Junos (or ScreenOS) devices at both ends we would need to manually define the NHTB entries.
We will see this all more clearly in the output when it's all working below.
2) ROUTING
a) Define default route to point to the cloud.
set routing-options static route 0.0.0.0/0 next-hop 4.4.4.1
b) Define the next hops for the remote destination networks pointing to the remote st0 IPs
set routing-options static route 192.168.197.0/24 next-hop 20.0.20.3
set routing-options static route 192.168.20.0/24 next-hop 20.0.20.2
set routing-options static route 192.168.30.0/24 next-hop 20.0.20.2
set routing-options static route 192.168.40.0/24 next-hop 20.0.20.2
If this was a point-to-point VPN we would add the route for the remote networks pointing to st0.x. But we can't do that with the multipoint config as we only have the one tunnel interface! So we use the remote tunnel IP (the remote st0 IP) as the next-hop IP.
3) HUB CONFIG PHASE 1 and 2
a) Define Phase 1 proposal set
set security ike proposal aes-phase1 authentication-method pre-shared-keys
set security ike proposal aes-phase1 dh-group group2
set security ike proposal aes-phase1 authentication-algorithm sha1
set security ike proposal aes-phase1 encryption-algorithm aes-256-cbc
set security ike proposal aes-phase1 lifetime-seconds 86400
b) Define Phase 1 policies
set security ike policy righty2_p1_pol mode main
set security ike policy righty2_p1_pol proposals aes-phase1
set security ike policy righty2_p1_pol pre-shared-key ascii-text testkey2
set security ike policy lefty_p1_pol mode main
set security ike policy lefty_p1_pol proposals aes-phase1
set security ike policy lefty_p1_pol pre-shared-key ascii-text testkey
c) Define Phase 1 gateways
set security ike gateway righty2_gw ike-policy righty2_p1_pol
set security ike gateway righty2_gw address 3.3.3.2
set security ike gateway righty2_gw external-interface fe-0/0/7.0
set security ike gateway righty2_gw version v1-only
set security ike gateway lefty_gw ike-policy lefty_p1_pol
set security ike gateway lefty_gw address 2.2.2.2
set security ike gateway lefty_gw external-interface fe-0/0/7.0
set security ike gateway lefty_gw version v1-only
d) Define Phase 2 proposal set
set security ipsec proposal aes-phase2 protocol esp
set security ipsec proposal aes-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal aes-phase2 encryption-algorithm aes-256-cbc
set security ipsec proposal aes-phase2 lifetime-seconds 3600
e) Define Phase 2 policies
set security ipsec policy righty2_p2_pol perfect-forward-secrecy keys group2
set security ipsec policy righty2_p2_pol proposals aes-phase2
set security ipsec policy lefty_p2_pol perfect-forward-secrecy keys group2
set security ipsec policy lefty_p2_pol proposals aes-phase2
f) Define the VPNs
set security ipsec vpn righty2_vpn bind-interface st0.0
set security ipsec vpn righty2_vpn ike gateway righty2_gw
set security ipsec vpn righty2_vpn ike ipsec-policy righty2_p2_pol
set security ipsec vpn righty2_vpn establish-tunnels immediately
set security ipsec vpn lefty_vpn bind-interface st0.0
set security ipsec vpn lefty_vpn ike gateway lefty_gw
set security ipsec vpn lefty_vpn ike ipsec-policy lefty_p2_pol
set security ipsec vpn lefty_vpn establish-tunnels immediately
Note the use of the same tunnel interface.
4) VPN ZONE
Define a VPN security zone and put the tunnel interface in it.
set security zones security-zone vpn interfaces st0.0
5) ADDRESSES
Define any needed addresses for the policy rules
Local address..
set security address-book global address net_192.168.210.0/24 192.168.210.0/24
Remote address..
set security address-book global address net_192.168.197.0/24 192.168.197.0/24
set security address-book global address net_192.168.20.0/24 192.168.20.0/24
set security address-book global address net_192.168.30.0/24 192.168.30.0/24
set security address-book global address net_192.168.40.0/24 192.168.40.0/24
6) POLICY
From the remote networks to the local server network on any port
set security policies from-zone vpn to-zone server-zone policy vpn_core_access match source-address net_192.168.197.0/24
set security policies from-zone vpn to-zone server-zone policy vpn_core_access match source-address net_192.168.20.0/24
set security policies from-zone vpn to-zone server-zone policy vpn_core_access match source-address net_192.168.30.0/24
set security policies from-zone vpn to-zone server-zone policy vpn_core_access match source-address net_192.168.40.0/24
set security policies from-zone vpn to-zone server-zone policy vpn_core_access match destination-address net_192.168.210.0/24
set security policies from-zone vpn to-zone server-zone policy vpn_core_access match application any
set security policies from-zone vpn to-zone server-zone policy vpn_core_access then permit
set security policies from-zone vpn to-zone server-zone policy vpn_core_access then log session-init
From the local server network to the remote networks on any port
set security policies from-zone server-zone to-zone vpn policy vpn_core_access match source-address net_192.168.210.0/24
set security policies from-zone server-zone to-zone vpn policy vpn_core_access match destination-address net_192.168.197.0/24
set security policies from-zone server-zone to-zone vpn policy vpn_core_access match destination-address net_192.168.20.0/24
set security policies from-zone server-zone to-zone vpn policy vpn_core_access match destination-address net_192.168.30.0/24
set security policies from-zone server-zone to-zone vpn policy vpn_core_access match destination-address net_192.168.40.0/24
set security policies from-zone server-zone to-zone vpn policy vpn_core_access match application any
set security policies from-zone server-zone to-zone vpn policy vpn_core_access then permit
set security policies from-zone server-zone to-zone vpn policy vpn_core_access then log session-init
7) ALLOW IKE
Permit IKE on the external facing security zone
set security zones security-zone cloud-link host-inbound-traffic system-services ike
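As an added check (example code written for this page, not the post's own or Juniper's), the Python below parses trimmed, constructed copies of the hub and spoke set commands above and resolves the same glue the colour highlights show: vpn to gateway to ike policy to ike proposal, and vpn to ipsec policy to ipsec proposal. It flags a dangling reference, flags an st0 unit that is bound by more than one VPN without the multipoint keyword, and compares the parameters the two ends must agree on (pre-shared key, DH group, algorithms, PFS group). The config copies drop lifetimes, versions, zones and establish-tunnels, which the checks do not look at; only the first proposal of each policy is inspected, as the post uses one per policy.

```python
from collections import defaultdict

# Constructed copies of the post's config, trimmed to the lines the checks use.
COMMON = """
set security ike proposal aes-phase1 dh-group group2
set security ike proposal aes-phase1 authentication-algorithm sha1
set security ike proposal aes-phase1 encryption-algorithm aes-256-cbc
set security ipsec proposal aes-phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal aes-phase2 encryption-algorithm aes-256-cbc
"""
HUB = COMMON + """
set interfaces st0 unit 0 multipoint family inet address 20.0.20.4/24
set security ike policy righty2_p1_pol proposals aes-phase1
set security ike policy righty2_p1_pol pre-shared-key ascii-text testkey2
set security ike policy lefty_p1_pol proposals aes-phase1
set security ike policy lefty_p1_pol pre-shared-key ascii-text testkey
set security ike gateway righty2_gw ike-policy righty2_p1_pol
set security ike gateway righty2_gw address 3.3.3.2
set security ike gateway lefty_gw ike-policy lefty_p1_pol
set security ike gateway lefty_gw address 2.2.2.2
set security ipsec policy righty2_p2_pol perfect-forward-secrecy keys group2
set security ipsec policy righty2_p2_pol proposals aes-phase2
set security ipsec policy lefty_p2_pol perfect-forward-secrecy keys group2
set security ipsec policy lefty_p2_pol proposals aes-phase2
set security ipsec vpn righty2_vpn bind-interface st0.0
set security ipsec vpn righty2_vpn ike gateway righty2_gw
set security ipsec vpn righty2_vpn ike ipsec-policy righty2_p2_pol
set security ipsec vpn lefty_vpn bind-interface st0.0
set security ipsec vpn lefty_vpn ike gateway lefty_gw
set security ipsec vpn lefty_vpn ike ipsec-policy lefty_p2_pol
"""
SPOKE = COMMON + """
set interfaces st0 unit 0 family inet address 20.0.20.3/24
set security ike policy hub_p1_pol proposals aes-phase1
set security ike policy hub_p1_pol pre-shared-key ascii-text testkey2
set security ike gateway hub_gw ike-policy hub_p1_pol
set security ike gateway hub_gw address 4.4.4.2
set security ipsec policy hub_p2_pol perfect-forward-secrecy keys group2
set security ipsec policy hub_p2_pol proposals aes-phase2
set security ipsec vpn hub_vpn bind-interface st0.0
set security ipsec vpn hub_vpn ike gateway hub_gw
set security ipsec vpn hub_vpn ike ipsec-policy hub_p2_pol
"""

def parse_set(text):
    """Nested dict from `set a b c ...` lines: every token is a key, leaves are {}."""
    root = {}
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] == ["set"]:
            node = root
            for tok in toks[1:]:
                node = node.setdefault(tok, {})
    return root

def value(node, *path):
    """Follow `path` and return the single configured value below it (or None)."""
    for p in path:
        node = node.get(p, {})
    return next(iter(node), None)

def vpn_params(cfg, vpn):
    """Resolve the reference chain of one VPN and return its negotiable settings.
    Raises LookupError at the first dangling reference."""
    sec = cfg["security"]
    def lookup(section, kind, name):
        if name not in sec[section].get(kind, {}):
            raise LookupError(f"{vpn}: {section} {kind} {name!r} not defined")
        return sec[section][kind][name]
    v = lookup("ipsec", "vpn", vpn)
    gw = lookup("ike", "gateway", value(v, "ike", "gateway"))
    p1 = lookup("ike", "policy", value(gw, "ike-policy"))
    ike_prop = lookup("ike", "proposal", value(p1, "proposals"))
    p2 = lookup("ipsec", "policy", value(v, "ike", "ipsec-policy"))
    esp_prop = lookup("ipsec", "proposal", value(p2, "proposals"))
    return {"bind": value(v, "bind-interface"),
            "psk": value(p1, "pre-shared-key", "ascii-text"),
            "ike_dh": value(ike_prop, "dh-group"),
            "ike_auth": value(ike_prop, "authentication-algorithm"),
            "ike_enc": value(ike_prop, "encryption-algorithm"),
            "esp_auth": value(esp_prop, "authentication-algorithm"),
            "esp_enc": value(esp_prop, "encryption-algorithm"),
            "pfs": value(p2, "perfect-forward-secrecy", "keys")}

def check_device(cfg):
    """Dangling references, plus: an st0 unit bound by several VPNs must be multipoint."""
    problems, bound = [], defaultdict(list)
    for vpn in cfg["security"]["ipsec"].get("vpn", {}):
        try:
            bound[vpn_params(cfg, vpn)["bind"]].append(vpn)
        except LookupError as e:
            problems.append(str(e))
    for ifc, vpns in bound.items():
        if ifc and len(vpns) > 1:
            phys, _, unit = ifc.partition(".")
            unit_cfg = cfg.get("interfaces", {}).get(phys, {}).get("unit", {}).get(unit, {})
            if "multipoint" not in unit_cfg:
                problems.append(f"{ifc} is bound by {sorted(vpns)} but is not multipoint")
    return problems

def compare(hub, hub_vpn, spoke, spoke_vpn):
    """Negotiable settings that differ between the two ends of one tunnel."""
    a, b = vpn_params(hub, hub_vpn), vpn_params(spoke, spoke_vpn)
    return sorted(k for k in a if k != "bind" and a[k] != b[k])
```

Run `check_device(parse_set(HUB))` and `compare(parse_set(HUB), "righty2_vpn", parse_set(SPOKE), "hub_vpn")` to get empty lists for the lab as configured; comparing `lefty_vpn` against the RIGHTY2 spoke config reports `psk`, because the two spokes use different pre-shared keys, and removing the multipoint keyword from the hub's st0.0 produces the one-interface-many-VPNs error that this post is about.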
VERIFICATION
SPOKE SIDE VERIFICATION
1) Check Phase 1 is up..
blogger@RIGHTY2> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3184912 UP 0b97d84cc0ef6274 6484e2b7dfa56dc0 Main 4.4.4.2
blogger@RIGHTY2> show security ike security-associations detail
IKE peer 4.4.4.2, Index 3184912,
Role: Responder, State: UP
Initiator cookie: 0b97d84cc0ef6274, Responder cookie: 6484e2b7dfa56dc0
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 3.3.3.2:500, Remote: 4.4.4.2:500
Lifetime: Expires in 73786 seconds
Peer ike-id: 4.4.4.2
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Traffic statistics:
Input bytes : 2872
Output bytes : 2244
Input packets: 17
Output packets: 8
Flags: IKE SA is created
IPSec security associations: 5 created, 4 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 3.3.3.2:500, Remote: 4.4.4.2:500
Local identity: 3.3.3.2
Remote identity: 4.4.4.2
Flags: IKE SA is created
2) Check Phase 2 is up..
blogger@RIGHTY2> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:aes-256/sha1 92cde104 2231/ unlim - root 500 4.4.4.2
>131073 ESP:aes-256/sha1 8ef2d2ea 2231/ unlim - root 500 4.4.4.2
blogger@RIGHTY2> show security ipsec security-associations detail
Virtual-system: root
Local Gateway: 3.3.3.2, Remote Gateway: 4.4.4.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Direction: inbound, SPI: 92cde104, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2200 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1628 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 8ef2d2ea, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2200 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1628 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
3) Check stats..
blogger@RIGHTY2> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 88160
Decrypted bytes: 48720
Encrypted packets: 580
Decrypted packets: 580
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
HUB SIDE VERIFICATION
1) Check Phase 1 is up..
blogger@VPN-CORE> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6340566 UP 3a4e4de2147e1425 3a329010954c4d83 Main 2.2.2.2
6340567 UP cce17ea8c4fbbaa5 01463a6a9e1bdd7b Main 3.3.3.2
blogger@VPN-CORE> show security ike security-associations detail
IKE peer 2.2.2.2, Index 6340566, Gateway Name: lefty_gw
Role: Initiator, State: UP
Initiator cookie: 3a4e4de2147e1425, Responder cookie: 3a329010954c4d83
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 4.4.4.2:500, Remote: 2.2.2.2:500
Lifetime: Expires in 85593 seconds
Peer ike-id: 2.2.2.2
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 916
Output bytes : 1000
Input packets: 4
Output packets: 5
Flags: IKE SA is created
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 4.4.4.2:500, Remote: 2.2.2.2:500
Local identity: 4.4.4.2
Remote identity: 2.2.2.2
Flags: IKE SA is created
IKE peer 3.3.3.2, Index 6340567, Gateway Name: righty2_gw
Role: Initiator, State: UP
Initiator cookie: cce17ea8c4fbbaa5, Responder cookie: 01463a6a9e1bdd7b
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 4.4.4.2:500, Remote: 3.3.3.2:500
Lifetime: Expires in 85593 seconds
Peer ike-id: 3.3.3.2
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 916
Output bytes : 1000
Input packets: 4
Output packets: 5
Flags: IKE SA is created
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 4.4.4.2:500, Remote: 3.3.3.2:500
Local identity: 4.4.4.2
Remote identity: 3.3.3.2
Flags: IKE SA is created
2) Check Phase 2 is up..
blogger@VPN-CORE> show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-256/sha1 9434a8a9 2755/ unlim - root 500 2.2.2.2
>131074 ESP:aes-cbc-256/sha1 47c144b2 2755/ unlim - root 500 2.2.2.2
<131073 ESP:aes-cbc-256/sha1 1298cf37 2755/ unlim - root 500 3.3.3.2
>131073 ESP:aes-cbc-256/sha1 12f7c6b5 2755/ unlim - root 500 3.3.3.2
4 Phase 2 SAs - one pair for each of the spoke sites - exactly what we expect for a route-based VPN.
blogger@VPN-CORE> show security ipsec security-associations detail
ID: 131074 Virtual-system: root, VPN Name: lefty_vpn
Local Gateway: 4.4.4.2, Remote Gateway: 2.2.2.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.0
Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600a29
Tunnel Down Reason: SA not initiated
Direction: inbound, SPI: 9434a8a9, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2752 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2130 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 47c144b2, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2752 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2130 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
ID: 131073 Virtual-system: root, VPN Name: righty2_vpn
Local Gateway: 4.4.4.2, Remote Gateway: 3.3.3.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.0
Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600a29
Tunnel Down Reason: SA not initiated
Direction: inbound, SPI: 1298cf37, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2752 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2118 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 12f7c6b5, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2752 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2118 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
3) Check NHTB table and routing..
blogger@VPN-CORE> show security ipsec next-hop-tunnels
Next-hop gateway interface IPSec VPN name Flag IKE-ID XAUTH username
20.0.20.2 st0.0 lefty_vpn Auto 2.2.2.2
20.0.20.3 st0.0 righty2_vpn Auto 3.3.3.2
See how the NHTB entries have been auto installed due to phase 1 negotiations. If we were using a point-to-point VPN we would see no output for this command.
Here is a VPN debug showing the NHTB negotiations between the hub and 2 spokes.
blogger@VPN-CORE> show log VPNLOG | match NHTB
[Jan 2 12:38:42]Construction NHTB payload for local:4.4.4.2, remote:2.2.2.2 IKEv1 P1 SA index 6340566 sa-cfg lefty_vpn
[Jan 2 12:38:42]iked_nhtb_get_tunnel_ifam: got ifa error 0
[Jan 2 12:38:42]Construction NHTB payload for local:4.4.4.2, remote:3.3.3.2 IKEv1 P1 SA index 6340567 sa-cfg righty2_vpn
[Jan 2 12:38:42]iked_nhtb_get_tunnel_ifam: got ifa error 0
[Jan 2 12:38:42]Received NHTB payload from local:4.4.4.2, remote:2.2.2.2 IKEv1 P1 SA index 6340566
[Jan 2 12:38:42]Received NHTB private IP address 20.0.20.2
[Jan 2 12:38:42]In iked_nhtb_config_send_msg Adding GENCFG msg with key = 20002
[Jan 2 12:38:42]iked_nhtb_config_send_msg: Successfully added NHTB Config with key
[Jan 2 12:38:42]nhtb route operation: ifindex=69, (69), rttabl=0
[Jan 2 12:38:42]iked_nhtb_add_entry: Not adding NHTB entry to kernel as IKED_NHTB_IN_KERNEL is set
[Jan 2 12:38:42]Received NHTB payload from local:4.4.4.2, remote:3.3.3.2 IKEv1 P1 SA index 6340567
[Jan 2 12:38:42]Received NHTB private IP address 20.0.20.3
[Jan 2 12:38:43]In iked_nhtb_config_send_msg Adding GENCFG msg with key = 20001
[Jan 2 12:38:43]iked_nhtb_config_send_msg: Successfully added NHTB Config with key
[Jan 2 12:38:43]nhtb route operation: ifindex=69, (69), rttabl=0
[Jan 2 12:38:43]iked_nhtb_add_entry: Not adding NHTB entry to kernel as IKED_NHTB_IN_KERNEL is set
Note how the phase 1 SAs above match the following info..
blogger@VPN-CORE> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6340566 UP 3a4e4de2147e1425 3a329010954c4d83 Main 2.2.2.2
6340567 UP cce17ea8c4fbbaa5 01463a6a9e1bdd7b Main 3.3.3.2
So let's go over the routing from the hub SRX to get to the remote network behind RIGHTY2 - 192.168.197.0/24
Here is how I think it through..
blogger@VPN-CORE> show route 192.168.197.0
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.197.0/24 *[Static/5] 00:18:43
> to 20.0.20.3 via st0.0
The above says to get to the remote network 192.168.197.0/24 go via 20.0.20.3 via st0.0
We know 20.0.20.3 is the IP of st0.0 on RIGHTY2
But how do we get to 20.0.20.3?
blogger@VPN-CORE> show security ipsec next-hop-tunnels
Next-hop gateway interface IPSec VPN name Flag IKE-ID XAUTH username
20.0.20.2 st0.0 lefty_vpn Auto 2.2.2.2
20.0.20.3 st0.0 righty2_vpn Auto 3.3.3.2
The above says we get to 20.0.20.3 via the righty2_vpn.
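The two-step lookup just walked through (and described earlier under NHTB: inet.0 gives destination to next hop, NHTB gives next hop to VPN) is modelled below as an added example; it is not code from the post or from Juniper. It parses constructed copies of the hub's `show route` and `show security ipsec next-hop-tunnels` output, does the longest-prefix match inet.0 would do, and then looks the next hop up in the NHTB to name the VPN that carries the traffic. One extra route (192.168.50.0/24 via 20.0.20.9, not in the post) is included to show what happens when a route points into st0.0 but no spoke has installed an NHTB entry for that next hop.

```python
import ipaddress
import re

# Constructed copy of the hub's `show route` output for the static routes the
# post configures, plus one extra route (192.168.50.0/24, not in the post) whose
# next hop has no NHTB entry, to show the failure mode.
ROUTE_OUTPUT = """\
192.168.197.0/24 *[Static/5] 00:18:43
    > to 20.0.20.3 via st0.0
192.168.20.0/24 *[Static/5] 00:18:43
    > to 20.0.20.2 via st0.0
192.168.30.0/24 *[Static/5] 00:18:43
    > to 20.0.20.2 via st0.0
192.168.40.0/24 *[Static/5] 00:18:43
    > to 20.0.20.2 via st0.0
192.168.50.0/24 *[Static/5] 00:18:43
    > to 20.0.20.9 via st0.0
0.0.0.0/0 *[Static/5] 00:18:43
    > to 4.4.4.1 via fe-0/0/7.0
"""

# Constructed copy of `show security ipsec next-hop-tunnels` on the hub.
NHTB_OUTPUT = """\
Next-hop gateway interface IPSec VPN name Flag IKE-ID XAUTH username
20.0.20.2 st0.0 lefty_vpn Auto 2.2.2.2
20.0.20.3 st0.0 righty2_vpn Auto 3.3.3.2
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*\[")
NEXTHOP_RE = re.compile(r"^\s*>\s*to\s+(\S+)\s+via\s+(\S+)")
NHTB_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_routes(text):
    """Return [(network, next_hop, interface)] from `show route` style text."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix = ipaddress.ip_network(m.group(1))
            continue
        m = NEXTHOP_RE.match(line)
        if m and prefix is not None:
            routes.append((prefix, m.group(1), m.group(2)))
            prefix = None
    return routes


def parse_nhtb(text):
    """Return {next_hop_ip: (interface, vpn_name, ike_id)}.
    The header line is skipped because it does not start with a dotted quad."""
    table = {}
    for line in text.splitlines():
        m = NHTB_RE.match(line)
        if m:
            nh, ifc, vpn, _flag, ike_id = m.groups()
            table[nh] = (ifc, vpn, ike_id)
    return table


def longest_match(routes, dst):
    """Longest-prefix match over the parsed routes, as inet.0 does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh, ifc in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best


def resolve_vpn(dst, routes, nhtb):
    """Return (vpn_name or None, explanation) for traffic to `dst`."""
    hit = longest_match(routes, dst)
    if hit is None:
        return None, f"{dst}: no route"
    net, nh, ifc = hit
    if not ifc.startswith("st0"):
        return None, f"{dst}: {net} -> {nh} via {ifc}, not a tunnel interface"
    if nh not in nhtb:
        # The route enters the tunnel interface but NHTB has no binding for the
        # next hop, so the hub has no tunnel to put the packet in until Phase 1
        # with that spoke installs the entry (or one is configured by hand).
        return None, f"{dst}: {net} -> {nh} via {ifc}, no NHTB entry"
    ifc_nhtb, vpn, peer = nhtb[nh]
    return vpn, f"{dst}: {net} -> {nh} via {ifc_nhtb} -> {vpn} (IKE peer {peer})"


if __name__ == "__main__":
    routes, nhtb = parse_routes(ROUTE_OUTPUT), parse_nhtb(NHTB_OUTPUT)
    for host in ("192.168.197.10", "192.168.30.5", "192.168.50.1", "8.8.8.8"):
        print(resolve_vpn(host, routes, nhtb)[1])
```

A host in 192.168.197.0/24 resolves to righty2_vpn and one in 192.168.30.0/24 to lefty_vpn, matching the manual walk-through above; the constructed 192.168.50.0/24 route resolves to no VPN at all, which is the symptom to look for when a route points at a remote st0 IP whose spoke has not completed Phase 1.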
4) Check stats..
blogger@VPN-CORE> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 13568
Decrypted bytes: 7420
Encrypted packets: 68
Decrypted packets: 83
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
5) Check ESP is in the session flow table
blogger@VPN-CORE> show security flow session | match esp
In: 2.2.2.2/37940 --> 4.4.4.2/43177;esp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0
In: 2.2.2.2/0 --> 4.4.4.2/0;esp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0
In: 3.3.3.2/4760 --> 4.4.4.2/53047;esp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0
In: 3.3.3.2/0 --> 4.4.4.2/0;esp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0
You can also see the same thing with show security flow session tunnel
SPOKE TO SPOKE COMMUNICATIONS
With what we have set up in this lab, the spokes will not be allowed to talk to each other. If you wanted to allow the spokes to talk to each other you would need..
On the HUB..
An intra vpn zone policy such as..
set security policies from-zone vpn to-zone vpn policy intra-vpn match source-address any
set security policies from-zone vpn to-zone vpn policy intra-vpn match destination-address any
set security policies from-zone vpn to-zone vpn policy intra-vpn match application any
set security policies from-zone vpn to-zone vpn policy intra-vpn then permit
set security policies from-zone vpn to-zone vpn policy intra-vpn then log session-init
On the Spokes..
Adjust the policies accordingly and don't forget to add the routes to the other spoke(s) via st0.0
Model: srx210he
JUNOS Software Release [12.1X45-D15.5]
good job ......
Excellent writeup. I have seen mixed answers but does multipoint work with sites that have dynamic IP addresses? Hub site has static then 20 or so spoke sites with dynamic IP addresses.
hi,
I got this lab working using srx240 as hub where the spokes are srx100/210, I cannot get the srx210-he2 to work as hub .. the ipsec phase1/2 not coming up