Sometimes you need to set up a tunnel between different kinds of endpoints.

This article walks through the setup between a Juniper SRX and a pfSense appliance. The only complicated part is that pfSense (strongSwan) builds a policy-based tunnel, while on JunOS I wanted a route-based tunnel. This works from JunOS 12.3 up through 15.1 (I haven't tested further, but I would expect it to keep working).

NOTE: strongSwan can be fairly CPU intensive. I've seen it consume multiple E5 cores just pushing 300 Mbit/s. Depending on your throughput requirements, you may want to skip an embedded platform and simply deploy pfSense on a traditional server.

Requirements

  • route-based tunnel on Junos, policy-based tunnel on pfSense
  • IKEv2
  • Suite-B(ish) crypto: JunOS requires certificate authentication to use its Suite-B proposal sets for phase 1, which I am not doing. Phase 1 therefore uses pre-shared keys with SHA-256, AES-128-CBC and DH group 19; phase 2 uses the suiteb-gcm-128 proposal set (ESP with AES-128-GCM and group 19 PFS). GCM is authenticated encryption, so phase 2 negotiates no separate SHA-256 integrity algorithm, which is why the IPsec SA output further down shows aes-gcm-128/None.
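The most common reason a tunnel like this never comes up is a proposal mismatch (NO_PROPOSAL_CHOSEN), because JunOS and strongSwan name the same algorithms differently. The check below is an added example, not code from the post or from either vendor: it translates a JunOS proposal (or proposal-set) into strongSwan keywords and looks for an identical proposal in the ike=/esp= string pfSense will send. The keyword table covers the algorithms used here plus a few common ones; any mapping beyond those, and the handling of a stray integrity token next to an AEAD cipher, are assumptions to confirm against your releases.

```python
"""Pre-flight check: does an SRX proposal have an exact counterpart in the
strongSwan ike=/esp= string the pfSense side will offer?"""
import re

# Junos keyword -> strongSwan keyword. Entries beyond the ones this tunnel
# uses (aes-128-cbc, sha-256, group19, aes-128-gcm) are common values and
# an assumption to verify against your Junos release.
JUNOS_TO_SWAN = {
    "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
    "aes-128-gcm": "aes128gcm16", "aes-256-gcm": "aes256gcm16",
    "sha1": "sha1", "sha-256": "sha256", "sha-384": "sha384",
    "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256",
    "group2": "modp1024", "group14": "modp2048",
    "group19": "ecp256", "group20": "ecp384",
    "none": None,
}

# What a Junos IPsec proposal-set expands to: (encryption, authentication).
JUNOS_PROPOSAL_SETS = {
    "suiteb-gcm-128": ("aes-128-gcm", "none"),
    "suiteb-gcm-256": ("aes-256-gcm", "none"),
}

AEAD = re.compile(r"^aes\d+(gcm|ccm)\d*$|^chacha20poly1305$")
INTEGRITY = re.compile(r"^(sha\d*|md5|aesxcbc|aescmac)$")


def junos_proposal(encryption, authentication="none", dh_group=None):
    """strongSwan keyword set equivalent to one Junos proposal. For phase 2,
    pass the perfect-forward-secrecy group as dh_group (None = no PFS)."""
    if encryption in JUNOS_PROPOSAL_SETS:
        encryption, authentication = JUNOS_PROPOSAL_SETS[encryption]
    keys = {JUNOS_TO_SWAN[encryption], JUNOS_TO_SWAN[authentication]}
    if dh_group is not None:
        keys.add(JUNOS_TO_SWAN[dh_group])
    keys.discard(None)
    return keys


def swan_proposals(spec):
    """Split an ike=/esp= value into (original text, keyword set) pairs.
    PRF tokens (prfsha256) and the strict marker '!' are dropped; the SRX
    proposal above does not express them. An integrity token next to an
    AEAD cipher is dropped too (assumption: strongSwan ignores it for AEAD)."""
    out = []
    for prop in spec.strip().rstrip("!").split(","):
        prop = prop.strip()
        toks = [t for t in prop.split("-") if not t.startswith("prf")]
        if AEAD.match(toks[0]):
            toks = [t for t in toks if not INTEGRITY.match(t)]
        out.append((prop, set(toks)))
    return out


def first_match(junos_keys, spec):
    """First strongSwan proposal identical to the Junos one, else None."""
    for text, keys in swan_proposals(spec):
        if keys == junos_keys:
            return text
    return None


if __name__ == "__main__":
    ike = junos_proposal("aes-128-cbc", "sha-256", "group19")
    esp = junos_proposal("suiteb-gcm-128", dh_group="group19")
    print("IKE:", first_match(ike, "aes128-sha256-ecp256,aes256-sha384-ecp384"))
    print("ESP:", first_match(esp, "aes128gcm16-ecp256"))
    print("ESP vs CBC-only peer:", first_match(esp, "aes128-sha256-ecp256"))
```

Run it with the proposal string from the pfSense-generated strongSwan config on one side and the SRX proposal on the other before touching the tunnel; a None result is a mismatch you would otherwise only find in the IKE debug log.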

JunOS config

Interface (st0.0 is left unnumbered; a route-based tunnel also needs a static route for the remote subnet, 198.18.17.0/24, with next-hop st0.0 under routing-options, which is not shown here):

louisk@srx.cmhome> show configuration interfaces st0
description "FK Office IPSec";
unit 0 {
    family inet;
}

louisk@srx.cmhome>

IKE (phase 1). The mode main line only matters for IKEv1; with version v2-only it is ignored, since IKEv2 has no main/aggressive distinction:

louisk@srx.cmhome> show configuration security ike
proposal ike-proposal-fk {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy ike-policy-fk {
    mode main;
    proposals ike-proposal-fk;
    pre-shared-key ascii-text "secret key";
}
gateway ike-gate-fk {
    ike-policy ike-policy-fk;
    address 172.16.16.15;
    dead-peer-detection {
        optimized;
        interval 10;
        threshold 5;
    }
    local-identity inet 172.16.15.14;
    remote-identity inet 172.16.16.15;
    external-interface ge-0/0/15;
    version v2-only;
}

louisk@srx.cmhome>

IPSec (phase 2):

louisk@srx.cmhome> show configuration security ipsec
vpn-monitor-options {
    interval 10;
    threshold 10;
}
policy ipsec-policy-fk {
    perfect-forward-secrecy {
        keys group19;
    }
    proposal-set suiteb-gcm-128;
}
vpn ipsec-vpn-fk {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway ike-gate-fk;
        proxy-identity {
            local 198.18.0.0/20;
            remote 198.18.17.0/24;
        }
        ipsec-policy ipsec-policy-fk;
    }
    establish-tunnels immediately;
}

louisk@srx.cmhome>

The proxy-identity block is required when the peer is policy-based. strongSwan proposes traffic selectors equal to its phase 2 local/remote networks, while a JunOS route-based VPN without a proxy-identity offers 0.0.0.0/0 on both sides and the SRX will not narrow, so the negotiation fails with a traffic selector mismatch (TS_UNACCEPTABLE in IKEv2 terms). The local/remote here must be the exact mirror of the pfSense phase 2 networks: SRX local is pfSense remote, and SRX remote is pfSense local. Each phase 2 entry on pfSense needs a matching proxy-ID pair on the SRX.
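Getting the mirror wrong (or merely overlapping instead of matching) is the second classic failure after a proposal mismatch. The script below is an added example, not part of the post: it parses the proxy-identity out of a pasted "show configuration security ipsec" and checks that every pfSense phase 2 pair is mirrored exactly by an SRX vpn, and that no SRX vpn is left without a partner. The embedded config is a copy of the one shown above; the requirement that the SRX proxy-ID match exactly rather than overlap is the assumption it encodes.

```python
"""Check that every pfSense phase 2 entry has an SRX vpn whose proxy-identity
is its exact mirror, and that no SRX vpn is left without a partner."""
import ipaddress
import re

# Constructed sample: the 'show configuration security ipsec' output from
# this post, as the check would read it from a pasted config.
SRX_IPSEC_CONFIG = """
vpn-monitor-options {
    interval 10;
    threshold 10;
}
vpn ipsec-vpn-fk {
    bind-interface st0.0;
    ike {
        gateway ike-gate-fk;
        proxy-identity {
            local 198.18.0.0/20;
            remote 198.18.17.0/24;
        }
        ipsec-policy ipsec-policy-fk;
    }
    establish-tunnels immediately;
}
"""


def parse_srx_proxy_ids(config_text):
    """Return ([(vpn name, local, remote)], [vpn names with no proxy-identity]).
    A vpn without one defaults to 0.0.0.0/0 on both sides on Junos, which a
    policy-based peer will never accept, so those are reported separately."""
    found, missing = [], []
    for block in re.split(r"^vpn\s+", config_text, flags=re.M)[1:]:
        name = block.split(None, 1)[0]
        m = re.search(r"proxy-identity\s*\{\s*local\s+(\S+);\s*remote\s+(\S+);", block)
        if m:
            found.append((name, ipaddress.ip_network(m.group(1)),
                          ipaddress.ip_network(m.group(2))))
        else:
            missing.append(name)
    return found, missing


def check_selectors(config_text, pfsense_p2):
    """pfsense_p2: [(local network, remote network)] as entered in the pfSense
    phase 2 form. Returns a list of problems; empty means both sides agree."""
    srx, missing = parse_srx_proxy_ids(config_text)
    problems = [f"SRX vpn {n} has no proxy-identity (defaults to 0.0.0.0/0 both ways)"
                for n in missing]
    # Keyed by (pfSense local, pfSense remote) = (SRX remote, SRX local).
    mirror = {(r, l): n for n, l, r in srx}
    seen = set()
    for local, remote in pfsense_p2:
        key = (ipaddress.ip_network(local), ipaddress.ip_network(remote))
        seen.add(key)
        if key in mirror:
            continue
        # Overlap is not enough: the SRX proxy-ID has to match exactly.
        near = [n for n, l, r in srx if l.overlaps(key[1]) or r.overlaps(key[0])]
        hint = (f"; overlaps {', '.join(near)} but the SRX proxy-ID has to match exactly"
                if near else "")
        problems.append(f"pfSense P2 {local} <-> {remote} has no SRX mirror{hint}")
    for n, l, r in srx:
        if (r, l) not in seen:
            problems.append(f"SRX vpn {n} ({l} <-> {r}) has no pfSense phase 2 mirroring it")
    return problems


if __name__ == "__main__":
    for p in check_selectors(SRX_IPSEC_CONFIG, [("198.18.17.0/24", "198.18.0.0/20")]):
        print(p)
    for p in check_selectors(SRX_IPSEC_CONFIG, [("198.18.17.0/24", "198.18.3.0/24")]):
        print(p)
```

The second call in the usage shows the trap: 198.18.3.0/24 sits inside the SRX's 198.18.0.0/20, and the tunnel still will not negotiate, because a proxy-ID is compared for equality, not containment.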

Security policies:

louisk@srx.cmhome> show configuration security policies
from-zone trust to-zone fk-vpn {
    policy trust-fk-vpn-fk {
        match {
            source-address net-fk_198-18-0-0--20;
            destination-address net-fk_198-18-17-0--24;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
from-zone fk-vpn to-zone trust {
    policy fk-vpn-trust-fk {
        match {
            source-address net-fk_198-18-17-0--24;
            destination-address net-fk_198-18-0-0--20;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}

louisk@srx.cmhome>

If you want to be more granular about what traffic you allow through, create additional policies and/or restrict the application match to the specific applications, ports and protocols you want to allow.

Security zones:

louisk@srx.cmhome> show configuration security zones
security-zone fk-vpn {
    interfaces {
        st0.0;
    }
}

Address book (the policies also reference net-fk_198-18-0-0--20; JunOS will not commit a policy that references an undefined address, so that object is defined as well, it is just not in the output shown):

louisk@srx.cmhome> show configuration security address-book
global {
    address net-fk_198-18-3-0--24 198.18.3.0/24;
    address net-fk_198-18-11-0--24 198.18.11.0/24;
    address net-fk_198-18-17-0--24 198.18.17.0/24;
}

louisk@srx.cmhome>

pfSense config

Overview: SHA-256 with AES-128-CBC for phase 1, AES-128-GCM for phase 2

Phase 1: two screenshots, because the form is too long for one

Phase 2: two screenshots, because the form is too long for one

NOTE: Make sure the pfSense firewall rules on the IPsec interface allow the traffic in both directions. Without those rules nothing will pass, even though the SAs show as established.

You can be as granular as you like, but it is best to mirror the applications, ports and protocols defined in the SRX policy, so that the two sides do not disagree when it comes time to debug.

Verification and testing

Tunnel is up. Look for state UP and mode IKEv2 on the IKE SA, and an ESP aes-gcm-128 entry in both directions (< inbound, > outbound) on the IPsec SA. If the SAs are up but the ping below fails, source it from an address inside the proxy-identity local range (ping source <address>), because the policy-based peer drops packets outside its phase 2 networks:

louisk@srx.cmhome> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
417185  UP     b35611b7c5d04a6a  cb74bf662dc263f3  IKEv2          172.16.16.15
417186  UP     bee74097383365d5  cf4087031dccc692  IKEv2          172.16.16.15

louisk@srx.cmhome> show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-128/None 6c94a774 2625/ unlim U root 500 172.16.16.15
  >131073 ESP:aes-gcm-128/None c76b1272 2625/ unlim U root 500 172.16.16.15

louisk@srx.cmhome> ping count 1 198.18.17.6
PING 198.18.17.6 (198.18.17.6): 56 data bytes
64 bytes from 198.18.17.6: icmp_seq=0 ttl=63 time=131.445 ms

--- 198.18.17.6 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 131.445/131.445/131.445/0.000 ms

louisk@srx.cmhome>
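When this gets scripted (a monitoring probe over SSH, or a quick sanity check on pasted output), the same questions need answering programmatically. The parser below is an added example and not from the post: it reads the two SA listings above, confirms an IKEv2 SA to the peer is UP, that an inbound and an outbound ESP SA exist with the algorithm you configured, and that vpn-monitor has not flagged the SA down. It also points out the second IKE SA visible above, which is normal briefly during a rekey but stale if it never goes away. The sample text is a verbatim copy of the output shown in this post; the column layout is assumed to be the one from the JunOS releases the post covers.

```python
"""Parse 'show security ike sa' / 'show security ipsec sa' and decide whether
the tunnel is really in the state you expect."""
import re

# Constructed sample: the SA output from this post, pasted verbatim.
SAMPLE_IKE = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
417185  UP     b35611b7c5d04a6a  cb74bf662dc263f3  IKEv2          172.16.16.15
417186  UP     bee74097383365d5  cf4087031dccc692  IKEv2          172.16.16.15
"""
SAMPLE_IPSEC = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-128/None 6c94a774 2625/ unlim U root 500 172.16.16.15
  >131073 ESP:aes-gcm-128/None c76b1272 2625/ unlim U root 500 172.16.16.15
"""

IKE_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$")
# direction, id, algorithm, SPI, life seconds, life kb, monitor, lsys, port, gateway
IPSEC_LINE = re.compile(
    r"^\s*([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_ike_sa(text):
    rows = []
    for line in text.splitlines():
        m = IKE_LINE.match(line)
        if m:
            rows.append({"index": int(m.group(1)), "state": m.group(2),
                         "mode": m.group(5), "remote": m.group(6)})
    return rows


def parse_ipsec_sa(text):
    rows = []
    for line in text.splitlines():
        m = IPSEC_LINE.match(line)
        if m:
            rows.append({"direction": m.group(1), "id": int(m.group(2)),
                         "algorithm": m.group(3), "spi": m.group(4),
                         "life_sec": int(m.group(5)), "monitor": m.group(7),
                         "gateway": m.group(10)})
    return rows


def tunnel_report(ike_text, ipsec_text, peer, expected_alg):
    """(healthy, notes). Healthy means: an IKEv2 SA to the peer is UP, there
    is one inbound (<) and one outbound (>) ESP SA, both negotiated the
    configured algorithm (e.g. 'aes-gcm-128/None' for suiteb-gcm-128), and
    vpn-monitor (Mon column) does not report D for down."""
    notes = []
    up = [s for s in parse_ike_sa(ike_text)
          if s["remote"] == peer and s["state"] == "UP" and s["mode"] == "IKEv2"]
    if not up:
        notes.append(f"no IKEv2 SA in state UP with {peer}")
    elif len(up) > 1:
        notes.append(f"{len(up)} IKE SAs with {peer}: normal during a rekey, stale if it persists")
    esp = [s for s in parse_ipsec_sa(ipsec_text) if s["gateway"] == peer]
    dirs = {s["direction"] for s in esp}
    if dirs != {"<", ">"}:
        notes.append(f"need inbound (<) and outbound (>) ESP SAs with {peer}, have {sorted(dirs)}")
    wrong = [s for s in esp if s["algorithm"] != expected_alg]
    for s in wrong:
        notes.append(f"ESP SPI {s['spi']} negotiated {s['algorithm']}, expected {expected_alg}")
    down = [s for s in esp if s["monitor"] == "D"]
    for s in down:
        notes.append(f"ESP SPI {s['spi']}: vpn-monitor reports down")
    healthy = bool(up) and dirs == {"<", ">"} and not wrong and not down
    return healthy, notes


if __name__ == "__main__":
    ok, notes = tunnel_report(SAMPLE_IKE, SAMPLE_IPSEC, "172.16.16.15", "aes-gcm-128/None")
    print("healthy:", ok)
    for n in notes:
        print(" -", n)
```

Checking the negotiated algorithm, not just the UP state, is the point of the exercise: a tunnel that silently came up on a weaker proposal the peer happened to offer first looks identical in the summary columns.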

Policy counters/statistics after the tunnel has been up for a little while. Nearly every counter here should be greater than zero once traffic has flowed in both directions.

louisk@srx.cmhome> show security policies from-zone trust to-zone fk-vpn detail
Policy: trust-fk-vpn-fk, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: fk-vpn
  Source addresses:
    net-fk_198-18-0-0--20(global): 198.18.0.0/20
  Destination addresses:
    net-fk_198-18-17-0--24(global): 198.18.17.0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes       :           3012203789               150186 bps
      Initial direction:             58949928                 3970 bps
      Reply direction  :           2953253861               146215 bps
    Output bytes       :           3012138137               149984 bps
      Initial direction:             58949096                 3970 bps
      Reply direction  :           2953189041               146013 bps
    Input  packets     :              3266500                  176 pps
      Initial direction:              1109665                   69 bps
      Reply direction  :              2156835                  106 bps
    Output packets     :              3266415                  176 pps
      Initial direction:              1109649                   69 bps
      Reply direction  :              2156766                  106 bps
    Session rate       :                  197                    0 sps
    Active sessions    :                    1
    Session deletions  :                  196
    Policy lookups     :                  197

louisk@srx.cmhome>

pfSense ICMP test: the same ping from the pfSense side should succeed, and Status > IPsec on pfSense should show the SAs with byte counters increasing as traffic crosses the tunnel.
