This configuration guide includes information needed to connect a Juniper SRX firewall to the Pureport platform via a routed IPSEC VPN using BGP for routing. 


Note: This guide was created using JunOS version 12.1. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration. Be aware that each SRX model may have slightly different interface names and/or different commands. Additionally, if you already have a routing topology in place, you must adapt some of these configuration items to your specific setup.


Variables Needed

You will need the following information from various sources in order to configure your VPN tunnels and BGP peering on your SRX firewall. Use these variables in the Configuration Script below.


Parameter: {PRE-SHARED KEY 1}, {PRE-SHARED KEY 2}
Source:    Pureport Console/API
Notes:     Pre-shared keys are auto-generated by Pureport and are unique for each VPN gateway.

Parameter: {OUTSIDE INTERFACE}
Source:    Existing Juniper SRX configuration
Notes:     The outside interface on a Juniper SRX is often ge-0/0/0.0. Set this to the interface whose IP address you entered as the Customer Peer IP in the Pureport Console.

Parameter: {GATEWAY 1 ADDRESS}, {GATEWAY 2 ADDRESS}
Source:    Pureport Console/API
Notes:     The IKE peer IP addresses of the primary and secondary Pureport VPN gateways. These IPs are unique per gateway.

Parameter: {CUSTOMER VTI ADDRESS 1}, {CUSTOMER VTI ADDRESS 2}
Source:    Pureport Console/API
Notes:     The tunnel addresses are auto-generated by Pureport and are unique for each gateway. The format includes the IP address and mask in CIDR notation, for example 169.254.1.1/30.

Parameter: {LOCAL CIDR NETWORK}
Source:    Existing Juniper SRX configuration and/or local network documentation
Notes:     Your local network address space, in CIDR notation, for example 192.168.0.0/24. As noted in the configuration example, repeat the configuration line that uses this variable once for each local network.

Parameter: {PUREPORT VTI ADDRESS 1}, {PUREPORT VTI ADDRESS 2}
Source:    Pureport Console/API
Notes:     The BGP peer addresses, auto-generated by Pureport. The format is the IP address only, without the slash notation, for example 169.254.1.2.

Parameter: {CUSTOMER ASN}
Source:    Existing Juniper SRX configuration, or created for this BGP peering
Notes:     If you do not already have an ASN for BGP peering, we recommend using 65501. Review the ASN selection article for details.


Configuration Script


# The IKE security settings below may be changed to suit your security policy.
# The settings used must match the Pureport gateway configuration.

set security ike proposal pureport-ike-proposal authentication-method pre-shared-keys
set security ike proposal pureport-ike-proposal authentication-algorithm sha-256
set security ike proposal pureport-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal pureport-ike-proposal lifetime-seconds 9000
set security ike proposal pureport-ike-proposal dh-group group14

set security ike policy pureport-ike-policy-1 proposals pureport-ike-proposal
set security ike policy pureport-ike-policy-1 pre-shared-key ascii-text {PRE-SHARED KEY 1}

set security ike policy pureport-ike-policy-2 proposals pureport-ike-proposal
set security ike policy pureport-ike-policy-2 pre-shared-key ascii-text {PRE-SHARED KEY 2}

set security ike gateway pureport-gateway-1 ike-policy pureport-ike-policy-1
set security ike gateway pureport-gateway-1 external-interface {OUTSIDE INTERFACE}
set security ike gateway pureport-gateway-1 address {GATEWAY 1 ADDRESS}
set security ike gateway pureport-gateway-1 no-nat-traversal
set security ike gateway pureport-gateway-1 version v2-only
set security ike gateway pureport-gateway-1 dead-peer-detection

set security ike gateway pureport-gateway-2 ike-policy pureport-ike-policy-2
set security ike gateway pureport-gateway-2 external-interface {OUTSIDE INTERFACE}
set security ike gateway pureport-gateway-2 address {GATEWAY 2 ADDRESS}
set security ike gateway pureport-gateway-2 no-nat-traversal
set security ike gateway pureport-gateway-2 version v2-only
set security ike gateway pureport-gateway-2 dead-peer-detection


# The IPsec security settings below may be changed to suit your security policy.
# The settings used must match the Pureport gateway configuration.

set security ipsec proposal pureport-ipsec-proposal protocol esp
set security ipsec proposal pureport-ipsec-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal pureport-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal pureport-ipsec-proposal lifetime-seconds 3000

set security ipsec policy pureport-ipsec-policy perfect-forward-secrecy keys group14
set security ipsec policy pureport-ipsec-policy proposals pureport-ipsec-proposal


# This configuration example uses tunnel interfaces st0.1 and st0.2.
# Based on your existing configuration, you may need to use different interface names.

set interfaces st0.1 family inet address {CUSTOMER VTI ADDRESS 1}
set interfaces st0.1 family inet mtu 1436

set interfaces st0.2 family inet address {CUSTOMER VTI ADDRESS 2}
set interfaces st0.2 family inet mtu 1436

set security ipsec vpn vpn-pureport-1 bind-interface st0.1
set security ipsec vpn vpn-pureport-1 ike gateway pureport-gateway-1
set security ipsec vpn vpn-pureport-1 ike ipsec-policy pureport-ipsec-policy
set security ipsec vpn vpn-pureport-1 df-bit clear

set security ipsec vpn vpn-pureport-2 bind-interface st0.2
set security ipsec vpn vpn-pureport-2 ike gateway pureport-gateway-2
set security ipsec vpn vpn-pureport-2 ike ipsec-policy pureport-ipsec-policy
set security ipsec vpn vpn-pureport-2 df-bit clear

set security flow tcp-mss ipsec-vpn mss 1350


# This configuration example creates a security zone called "pureport" for the tunnel interfaces;
# alternatively, you may use an existing security zone or choose a different name for the new one.

set security zones security-zone pureport host-inbound-traffic protocols bgp
set security zones security-zone pureport interfaces st0.1
set security zones security-zone pureport interfaces st0.2


# Repeat the first BGP-EXPORT line below once for each local network.

set policy-options policy-statement BGP-EXPORT term default from route-filter {LOCAL CIDR NETWORK} exact
set policy-options policy-statement BGP-EXPORT term default then accept
set policy-options policy-statement BGP-EXPORT term reject then reject


# If you already have BGP configured you may want to use your existing BGP group name
# and BGP export policy.

set protocols bgp group ebgp type external
set protocols bgp group ebgp multipath
set protocols bgp group ebgp hold-time 30
set protocols bgp group ebgp export BGP-EXPORT
set protocols bgp group ebgp peer-as 394351
set protocols bgp group ebgp local-as {CUSTOMER ASN}
set protocols bgp group ebgp neighbor {PUREPORT VTI ADDRESS 1}
set protocols bgp group ebgp neighbor {PUREPORT VTI ADDRESS 2}


# You must also configure security policies to permit the desired traffic across your VPN tunnels.
# The example below permits all traffic between the Internal zone and the VPN tunnels.
# Please ensure that the traffic permitted is limited to the desired traffic according to your
# company security policy.

set security policies from-zone Internal to-zone pureport policy Internal-pureport match source-address any
set security policies from-zone Internal to-zone pureport policy Internal-pureport match destination-address any
set security policies from-zone Internal to-zone pureport policy Internal-pureport match application any
set security policies from-zone Internal to-zone pureport policy Internal-pureport then permit

set security policies from-zone pureport to-zone Internal policy pureport-Internal match source-address any
set security policies from-zone pureport to-zone Internal policy pureport-Internal match destination-address any
set security policies from-zone pureport to-zone Internal policy pureport-Internal match application any
set security policies from-zone pureport to-zone Internal policy pureport-Internal then permit


# The following configuration enables equal-cost multipath (ECMP) across the two tunnels.

set policy-options policy-statement ecmp-policy then load-balance per-packet
set routing-options forwarding-table export ecmp-policy
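The following script is an added example and is not part of the Pureport guide or any Juniper tooling. It fills the variables from the table above into the variable-bearing "set" lines of the Configuration Script and checks the table's notes mechanically before anything is pasted into the firewall: gateway and BGP peer addresses must be bare IPs, customer VTI addresses must carry a mask, each Pureport peer must sit on its own tunnel's subnet, the two neighbours and the two pre-shared keys must differ (they are unique per gateway), and each local network must be a valid CIDR prefix. The key names, the "LOCAL CIDR NETWORKS" list (standing in for the repeated {LOCAL CIDR NETWORK} line) and all sample values are assumptions constructed for the example.

```python
"""Fill in and sanity-check the variable-bearing lines of the Pureport SRX script.
Added example (not Pureport's or Juniper's code): the 'set' lines in TEMPLATE are
copied from the guide, the checks follow the notes in the variables table, and
all sample values are constructed."""
import ipaddress
import re

# Only the lines of the guide's script that carry a {VARIABLE}; the fixed lines
# (proposals, zones, security policies, ECMP) are pasted in unchanged.
TEMPLATE = """\
set security ike policy pureport-ike-policy-1 pre-shared-key ascii-text {PRE-SHARED KEY 1}
set security ike policy pureport-ike-policy-2 pre-shared-key ascii-text {PRE-SHARED KEY 2}
set security ike gateway pureport-gateway-1 external-interface {OUTSIDE INTERFACE}
set security ike gateway pureport-gateway-1 address {GATEWAY 1 ADDRESS}
set security ike gateway pureport-gateway-2 external-interface {OUTSIDE INTERFACE}
set security ike gateway pureport-gateway-2 address {GATEWAY 2 ADDRESS}
set interfaces st0.1 family inet address {CUSTOMER VTI ADDRESS 1}
set interfaces st0.2 family inet address {CUSTOMER VTI ADDRESS 2}
set protocols bgp group ebgp local-as {CUSTOMER ASN}
set protocols bgp group ebgp neighbor {PUREPORT VTI ADDRESS 1}
set protocols bgp group ebgp neighbor {PUREPORT VTI ADDRESS 2}
"""

# "LOCAL CIDR NETWORKS" (a list, our own key name) replaces the guide's
# {LOCAL CIDR NETWORK}, whose line is repeated once per local network.
BARE_IP_KEYS = ("GATEWAY 1 ADDRESS", "GATEWAY 2 ADDRESS",
                "PUREPORT VTI ADDRESS 1", "PUREPORT VTI ADDRESS 2")
CIDR_KEYS = ("CUSTOMER VTI ADDRESS 1", "CUSTOMER VTI ADDRESS 2")
REQUIRED = ("PRE-SHARED KEY 1", "PRE-SHARED KEY 2", "OUTSIDE INTERFACE",
            "CUSTOMER ASN") + BARE_IP_KEYS + CIDR_KEYS


def validate(values):
    """Return a list of problems; empty when the variables are consistent."""
    errors = [f"{key}: missing" for key in REQUIRED if not values.get(key)]
    bare = {}   # gateway and BGP peer addresses: IP only, no slash (table note)
    for key in BARE_IP_KEYS:
        try:
            bare[key] = ipaddress.ip_address(values.get(key, ""))
        except ValueError:
            errors.append(f"{key}: expected a bare IP address without a mask, e.g. 169.254.1.2")
    vti = {}    # customer VTI addresses: IP plus mask in CIDR notation (table note)
    for key in CIDR_KEYS:
        value = values.get(key, "")
        try:
            if "/" not in value:
                raise ValueError
            vti[key] = ipaddress.ip_interface(value)
        except ValueError:
            errors.append(f"{key}: expected address/mask in CIDR notation, e.g. 169.254.1.1/30")
    # Single-hop eBGP: each Pureport peer must be inside its own tunnel subnet.
    for n in (1, 2):
        local = vti.get(f"CUSTOMER VTI ADDRESS {n}")
        peer = bare.get(f"PUREPORT VTI ADDRESS {n}")
        if local is not None and peer is not None and peer not in local.network:
            errors.append(f"PUREPORT VTI ADDRESS {n}: {peer} is not inside tunnel subnet {local.network}")
    # Both values are unique per gateway, so identical ones are a copy/paste error.
    if values.get("PUREPORT VTI ADDRESS 1") == values.get("PUREPORT VTI ADDRESS 2"):
        errors.append("PUREPORT VTI ADDRESS 1 and 2 are the same address")
    if values.get("PRE-SHARED KEY 1") == values.get("PRE-SHARED KEY 2"):
        errors.append("PRE-SHARED KEY 1 and 2 are the same key")
    asn = str(values.get("CUSTOMER ASN", ""))
    if not asn.isdigit() or not 1 <= int(asn) <= 4294967295:
        errors.append("CUSTOMER ASN: expected a numeric AS number (1-4294967295)")
    networks = values.get("LOCAL CIDR NETWORKS", [])
    if not networks:
        errors.append("LOCAL CIDR NETWORKS: at least one local network is needed for BGP-EXPORT")
    for net in networks:
        try:
            ipaddress.ip_network(net, strict=True)   # host bits must be zero
        except ValueError:
            errors.append(f"LOCAL CIDR NETWORKS: {net!r} is not a network in CIDR notation")
    return errors


def render(values):
    """Substitute the variables and add one BGP-EXPORT route-filter line per local network."""
    problems = validate(values)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [re.sub(r"\{([^}]+)\}", lambda m: values[m.group(1)], line)
             for line in TEMPLATE.splitlines()]
    for net in values["LOCAL CIDR NETWORKS"]:
        lines.append("set policy-options policy-statement BGP-EXPORT term default "
                     f"from route-filter {net} exact")
    return "\n".join(lines)


# Constructed sample values (documentation address ranges, not a real deployment).
SAMPLE = {
    "PRE-SHARED KEY 1": "constructed-psk-for-gateway-1",
    "PRE-SHARED KEY 2": "constructed-psk-for-gateway-2",
    "OUTSIDE INTERFACE": "ge-0/0/0.0",
    "GATEWAY 1 ADDRESS": "203.0.113.10",
    "GATEWAY 2 ADDRESS": "203.0.113.20",
    "CUSTOMER VTI ADDRESS 1": "169.254.1.1/30",
    "CUSTOMER VTI ADDRESS 2": "169.254.1.5/30",
    "PUREPORT VTI ADDRESS 1": "169.254.1.2",
    "PUREPORT VTI ADDRESS 2": "169.254.1.6",
    "CUSTOMER ASN": "65501",
    "LOCAL CIDR NETWORKS": ["192.168.0.0/24", "10.10.0.0/16"],
}

if __name__ == "__main__":
    print(render(SAMPLE))
```

Run it with your own values in SAMPLE and paste the output together with the fixed lines of the Configuration Script; a mismatch between a customer VTI address and its Pureport peer, or the same neighbour listed twice, is reported before it reaches the firewall. One prerequisite the script above does not cover: the security zone that holds {OUTSIDE INTERFACE} must accept IKE (host-inbound-traffic system-services ike on that zone), or the tunnels will never negotiate.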