This configuration guide includes information needed to connect a Juniper SRX firewall to the Pureport platform via a routed IPSEC VPN using BGP for routing.
Note: This guide was created using JunOS version 12.1. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration. Be aware that each SRX model may have slightly different interface names and/or different commands. Additionally, if you already have a routing topology in place, you must change some of these configuration items based on your specific setup.
Variables Needed
You will need the following information from various sources in order to configure your VPN tunnels and BGP peering on your SRX firewall. Use these variables in the Configuration Script below.
| Parameter | Source | Notes |
|---|---|---|
| {PRE-SHARED KEY 1} | Pureport Console/API | Pre-shared keys are auto-generated by Pureport and are unique for each VPN gateway. The script below also uses {PRE-SHARED KEY 2} for the secondary gateway. |
| {OUTSIDE INTERFACE} | Existing Juniper SRX configuration | The outside interface on a Juniper SRX is often ge-0/0/0.0. Set this to the interface whose address you entered as the Customer Peer IP in the Pureport Console. |
| {GATEWAY 1 ADDRESS} | Pureport Console/API | The IKE Peer IP of the primary Pureport VPN gateway; {GATEWAY 2 ADDRESS} is the IKE Peer IP of the secondary gateway. These IPs are unique per gateway. |
| {CUSTOMER VTI ADDRESS 1} | Pureport Console/API | The tunnel addresses are auto-generated by Pureport and are unique for each gateway ({CUSTOMER VTI ADDRESS 2} is used for the second tunnel). The value must include the IP address and mask in CIDR notation. For example: 169.254.1.1/30. |
| {LOCAL CIDR NETWORK} | Existing Juniper SRX configuration and/or local network documentation | Your local network address space, in CIDR notation. For example: 192.168.0.0/24. As noted in the configuration script, you must repeat this configuration line for each local network. |
| {PUREPORT VTI ADDRESS 1} | Pureport Console/API | The BGP peer addresses, auto-generated by Pureport ({PUREPORT VTI ADDRESS 2} is the peer on the second tunnel). The value must be the IP address only, without the slash notation. For example: 169.254.1.2. |
| {CUSTOMER ASN} | Existing Juniper SRX configuration or created for this BGP peering | If you do not already have an ASN for BGP peering, we recommend using 65501. Review the ASN selection article for details. |
Configuration Script
```
# IKE security settings below may be changed to suit your security policy
# Settings used must match the Pureport gateway configuration
set security ike proposal pureport-ike-proposal authentication-method pre-shared-keys
set security ike proposal pureport-ike-proposal authentication-algorithm sha-256
set security ike proposal pureport-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal pureport-ike-proposal lifetime-seconds 9000
set security ike proposal pureport-ike-proposal dh-group group14
set security ike policy pureport-ike-policy-1 proposals pureport-ike-proposal
set security ike policy pureport-ike-policy-1 pre-shared-key ascii-text {PRE-SHARED KEY 1}
set security ike policy pureport-ike-policy-2 proposals pureport-ike-proposal
set security ike policy pureport-ike-policy-2 pre-shared-key ascii-text {PRE-SHARED KEY 2}
set security ike gateway pureport-gateway-1 ike-policy pureport-ike-policy-1
set security ike gateway pureport-gateway-1 external-interface {OUTSIDE INTERFACE}
set security ike gateway pureport-gateway-1 address {GATEWAY 1 ADDRESS}
set security ike gateway pureport-gateway-1 no-nat-traversal
set security ike gateway pureport-gateway-1 version v2-only
set security ike gateway pureport-gateway-1 dead-peer-detection
set security ike gateway pureport-gateway-2 ike-policy pureport-ike-policy-2
set security ike gateway pureport-gateway-2 external-interface {OUTSIDE INTERFACE}
set security ike gateway pureport-gateway-2 address {GATEWAY 2 ADDRESS}
set security ike gateway pureport-gateway-2 no-nat-traversal
set security ike gateway pureport-gateway-2 version v2-only
set security ike gateway pureport-gateway-2 dead-peer-detection

# IPSEC security settings below may be changed to suit your security policy
# Settings used must match the Pureport gateway configuration
set security ipsec proposal pureport-ipsec-proposal protocol esp
set security ipsec proposal pureport-ipsec-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal pureport-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal pureport-ipsec-proposal lifetime-seconds 3000
set security ipsec policy pureport-ipsec-policy perfect-forward-secrecy keys group14
set security ipsec policy pureport-ipsec-policy proposals pureport-ipsec-proposal

# This configuration example specifies tunnel interfaces st0.1 and st0.2
# Based on your existing configuration, you may need to use different interface names
set interfaces st0.1 family inet address {CUSTOMER VTI ADDRESS 1}
set interfaces st0.1 family inet mtu 1436
set interfaces st0.2 family inet address {CUSTOMER VTI ADDRESS 2}
set interfaces st0.2 family inet mtu 1436
set security ipsec vpn vpn-pureport-1 bind-interface st0.1
set security ipsec vpn vpn-pureport-1 ike gateway pureport-gateway-1
set security ipsec vpn vpn-pureport-1 ike ipsec-policy pureport-ipsec-policy
set security ipsec vpn vpn-pureport-1 df-bit clear
set security ipsec vpn vpn-pureport-2 bind-interface st0.2
set security ipsec vpn vpn-pureport-2 ike gateway pureport-gateway-2
set security ipsec vpn vpn-pureport-2 ike ipsec-policy pureport-ipsec-policy
set security ipsec vpn vpn-pureport-2 df-bit clear
set security flow tcp-mss ipsec-vpn mss 1350

# This configuration example creates a security zone called "pureport" for the tunnel interfaces;
# Alternatively, you may use an existing security zone or use a different name to create a new one
set security zones security-zone pureport host-inbound-traffic protocols bgp
set security zones security-zone pureport interfaces st0.1
set security zones security-zone pureport interfaces st0.2

# You will need to repeat the first BGP export line below for each local network
set policy-options policy-statement BGP-EXPORT term default from route-filter {LOCAL CIDR NETWORK} exact
set policy-options policy-statement BGP-EXPORT term default then accept
set policy-options policy-statement BGP-EXPORT term reject then reject

# If you already have BGP configured you may want to use your existing BGP group name
# and BGP export policy
set protocols bgp group ebgp type external
set protocols bgp group ebgp multipath
set protocols bgp group ebgp hold-time 30
set protocols bgp group ebgp export BGP-EXPORT
set protocols bgp group ebgp peer-as 394351
set protocols bgp group ebgp local-as {CUSTOMER ASN}
set protocols bgp group ebgp neighbor {PUREPORT VTI ADDRESS 1}
set protocols bgp group ebgp neighbor {PUREPORT VTI ADDRESS 2}

# You must also configure security policies to permit the desired traffic across your VPN tunnels.
# The example below permits all traffic between the Internal zone and the VPN tunnels.
# Please ensure that the traffic permitted is limited to desired traffic according to your company
# security policy.
set security policies from-zone Internal to-zone pureport policy Internal-pureport match source-address any
set security policies from-zone Internal to-zone pureport policy Internal-pureport match destination-address any
set security policies from-zone Internal to-zone pureport policy Internal-pureport match application any
set security policies from-zone Internal to-zone pureport policy Internal-pureport then permit
set security policies from-zone pureport to-zone Internal policy pureport-Internal match source-address any
set security policies from-zone pureport to-zone Internal policy pureport-Internal match destination-address any
set security policies from-zone pureport to-zone Internal policy pureport-Internal match application any
set security policies from-zone pureport to-zone Internal policy pureport-Internal then permit

# The following configuration enables equal cost multipathing (ECMP)
set policy-options policy-statement ecmp-policy then load-balance per-packet
set routing-options forwarding-table export ecmp-policy
```
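The variables table and the script above together define a small contract: tunnel addresses carry a CIDR mask, BGP peer addresses do not, the route-filter line is repeated once per local network, and each of the two tunnels gets its own gateway address, pre-shared key and BGP neighbor. The following Python script is an added example (not Pureport's or Juniper's code) that fills the guide's placeholders from a dictionary while enforcing those format rules, then lints the resulting `set` lines for two mistakes that are easy to make when editing by hand: the same BGP neighbor listed twice, and a security policy that permits any source, any destination and any application. All dictionary key names and the sample values in `EXAMPLE_VARS` are constructed for this example; only the object names (`pureport-ike-policy-1`, `st0.1`, `BGP-EXPORT`, `ebgp`) and the Pureport peer AS 394351 come from the script above.

```python
"""Render and sanity-check the Junos set-commands from this guide.

Added example, not Pureport's or Juniper's code. Key names in the input
dict and the sample values below are constructed for illustration.
"""
import ipaddress
import re

PUREPORT_PEER_AS = 394351  # peer-as value used in the guide's script

EXAMPLE_VARS = {  # constructed sample values, not real Pureport data
    "psk_1": "EXAMPLE-PSK-1", "psk_2": "EXAMPLE-PSK-2",
    "outside_interface": "ge-0/0/0.0",
    "gateway_1": "203.0.113.10", "gateway_2": "203.0.113.20",
    "customer_vti_1": "169.254.1.1/30", "customer_vti_2": "169.254.1.5/30",
    "pureport_vti_1": "169.254.1.2", "pureport_vti_2": "169.254.1.6",
    "local_networks": ["192.168.0.0/24", "10.10.0.0/16"],
    "customer_asn": 65501,
}


def _cidr(value: str) -> str:
    """Tunnel interface address must include a mask, e.g. 169.254.1.1/30."""
    if "/" not in value:
        raise ValueError(f"{value!r} must include a mask in CIDR notation")
    ipaddress.IPv4Interface(value)  # raises ValueError on malformed input
    return value


def _host(value: str) -> str:
    """Peer addresses (IKE gateway, BGP neighbor) must be a bare IPv4 address."""
    if "/" in value:
        raise ValueError(f"{value!r} must not include a mask")
    ipaddress.IPv4Address(value)
    return value


def _network(value: str) -> str:
    """Local networks must be valid, properly aligned CIDR blocks."""
    ipaddress.IPv4Network(value, strict=True)
    return value


def _asn(value: int) -> int:
    if not 1 <= value <= 4294967295:
        raise ValueError(f"ASN {value} is out of range")
    return value


def render_config(v: dict) -> list:
    """Return the tunnel- and BGP-specific set-commands with placeholders filled."""
    lines = []
    for n in (1, 2):  # one IKE policy, gateway, st0 interface and VPN per tunnel
        if not v[f"psk_{n}"]:
            raise ValueError(f"psk_{n} is empty")
        lines += [
            f"set security ike policy pureport-ike-policy-{n} proposals pureport-ike-proposal",
            f"set security ike policy pureport-ike-policy-{n} pre-shared-key ascii-text {v[f'psk_{n}']}",
            f"set security ike gateway pureport-gateway-{n} ike-policy pureport-ike-policy-{n}",
            f"set security ike gateway pureport-gateway-{n} external-interface {v['outside_interface']}",
            f"set security ike gateway pureport-gateway-{n} address {_host(v[f'gateway_{n}'])}",
            f"set interfaces st0.{n} family inet address {_cidr(v[f'customer_vti_{n}'])}",
            f"set security ipsec vpn vpn-pureport-{n} bind-interface st0.{n}",
            f"set security ipsec vpn vpn-pureport-{n} ike gateway pureport-gateway-{n}",
        ]
    for net in v["local_networks"]:  # one route-filter line per local network
        lines.append("set policy-options policy-statement BGP-EXPORT term default "
                     f"from route-filter {_network(net)} exact")
    lines += [
        "set policy-options policy-statement BGP-EXPORT term default then accept",
        "set policy-options policy-statement BGP-EXPORT term reject then reject",
        f"set protocols bgp group ebgp peer-as {PUREPORT_PEER_AS}",
        f"set protocols bgp group ebgp local-as {_asn(v['customer_asn'])}",
        f"set protocols bgp group ebgp neighbor {_host(v['pureport_vti_1'])}",
        f"set protocols bgp group ebgp neighbor {_host(v['pureport_vti_2'])}",
    ]
    return lines


_NEIGHBOR = re.compile(r"^set protocols bgp group \S+ neighbor (\S+)$")
_POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                     r"policy (\S+) (match|then) (.*)$")
_WIDE_OPEN = {"source-address any", "destination-address any", "application any"}


def lint(lines: list) -> list:
    """Flag duplicate BGP neighbors and policies that permit any/any/any."""
    warnings, seen, policies = [], set(), {}
    for line in lines:
        m = _NEIGHBOR.match(line)
        if m:
            if m.group(1) in seen:
                warnings.append(f"BGP neighbor {m.group(1)} configured twice")
            seen.add(m.group(1))
        m = _POLICY.match(line)
        if m:  # collect match terms and action per (from-zone, to-zone, name)
            p = policies.setdefault(m.group(1, 2, 3), {"match": set(), "then": None})
            if m.group(4) == "match":
                p["match"].add(m.group(5))
            else:
                p["then"] = m.group(5)
    for (src, dst, name), p in policies.items():
        if p["then"] == "permit" and _WIDE_OPEN <= p["match"]:
            warnings.append(f"policy {name} ({src}->{dst}) permits all traffic")
    return warnings
```

Run `lint()` over the full script you intend to commit, not only over the rendered lines: the permissive-policy check is meant for the `Internal`/`pureport` policies in the guide, which are the lines you are most likely to leave untouched and which the guide's own comment asks you to narrow.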