Juniper SRX, IPSec, and PfSense

Sometimes you need to set up a tunnel between different kinds of endpoints.

This article walks through the setup between a Juniper SRX and a pfSense appliance. The only complicated part is that pfSense (StrongSwan) builds a policy-based tunnel, while on JunOS I wanted to use a route-based tunnel. This works from JunOS 12.3 up through 15.1 (I haven't tested further, but I would expect it to keep working).

NOTE: StrongSwan can be somewhat CPU intensive. I’ve seen it consume multiple E5 cores just pushing 300Mbit. Depending on your requirements, you may want to skip an embedded type platform and simply deploy pfSense on a traditional server platform.

Requirements

  • route-based tunnel on Junos, policy-based tunnel on pfSense
  • IKEv2
  • Suite-B(ish) crypto: JunOS requires certificates for Suite-B on phase 1, and I'm not doing that. I am still using SHA256 and AES-128-CBC for phase 1, and SHA256 and AES-128-GCM (Suite-B) for phase 2.

JunOS config

Interface:

louisk@srx.cmhome> show configuration interfaces st0
description "FK Office IPSec";
unit 0 {
    family inet;
}

louisk@srx.cmhome>

IKE (phase 1):

louisk@srx.cmhome> show configuration security ike
proposal ike-proposal-fk {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy ike-policy-fk {
    mode main;
    proposals ike-proposal-fk;
    pre-shared-key ascii-text "secret key";
}
gateway ike-gate-fk {
    ike-policy ike-policy-fk;
    address 172.16.16.15;
    dead-peer-detection {
        optimized;
        interval 10;
        threshold 5;
    }
    local-identity inet 172.16.15.14;
    remote-identity inet 172.16.16.15;
    external-interface ge-0/0/15;
    version v2-only;
}

louisk@srx.cmhome>

IPSec (phase 2):

louisk@srx.cmhome> show configuration security ipsec
vpn-monitor-options {
    interval 10;
    threshold 10;
}
policy ipsec-policy-fk {
    perfect-forward-secrecy {
        keys group19;
    }
    proposal-set suiteb-gcm-128;
}
vpn ipsec-vpn-fk {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway ike-gate-fk;
        proxy-identity {
            local 198.18.0.0/20;
            remote 198.18.17.0/24;
        }
        ipsec-policy ipsec-policy-fk;
    }
    establish-tunnels immediately;
}

louisk@srx.cmhome>

The proxy-identity stanza is required when the other side is policy-based: a policy-based peer proposes specific traffic selectors, and the SRX must offer matching ones or the phase 2 negotiation fails.
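As an added check (example code, not from the original post): a small parser for the JunOS brace syntax shown above, used to flag a vpn stanza whose proxy-identity is absent, or is not a clean prefix the peer can mirror, when the peer is policy-based. The names parse_junos, check_vpns and the peer_is_policy_based flag are my own.

```python
# Added example, not from the original post: parse the SRX 'show configuration
# security ipsec' text (sample copied from this page) into nested dicts and flag
# a VPN whose proxy-identity a policy-based peer such as pfSense would reject.
import ipaddress

SRX_IPSEC_CONFIG = """\
vpn ipsec-vpn-fk {
    bind-interface st0.0;
    ike {
        proxy-identity {
            local 198.18.0.0/20;
            remote 198.18.17.0/24;
        }
    }
}
"""

def parse_junos(text):
    """'key value;' -> {key: value}; 'key [name] {' opens a nested dict."""
    root, stack = {}, []
    cur = root
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            node = cur
            for word in line[:-1].split():
                node = node.setdefault(word, {})
            stack.append(cur)
            cur = node
        else:
            key, _, value = line.rstrip(";").partition(" ")
            cur[key] = value or True
    return root

def check_vpns(cfg, peer_is_policy_based=True):
    """Return {vpn name: [issues]}; an empty list means the stanza passes."""
    report = {}
    for name, vpn in cfg.get("vpn", {}).items():
        issues = []
        pid = vpn.get("ike", {}).get("proxy-identity") or {}
        if peer_is_policy_based and not pid:
            issues.append("policy-based peer but no proxy-identity")
        for side in ("local", "remote") if pid else ():
            try:  # each selector must be a prefix the peer can mirror exactly
                ipaddress.ip_network(pid.get(side, ""))
            except ValueError:
                issues.append(f"proxy-identity {side} missing or invalid")
        report[name] = issues
    return report
```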

Security policies:

louisk@srx.cmhome> show configuration security policies
from-zone trust to-zone fk-vpn {
    policy trust-fk-vpn-fk {
        match {
            source-address net-fk_198-18-0-0--20;
            destination-address net-fk_198-18-17-0--24;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}
from-zone fk-vpn to-zone trust {
    policy fk-vpn-trust-fk {
        match {
            source-address net-fk_198-18-17-0--24;
            destination-address net-fk_198-18-0-0--20;
            application any;
        }
        then {
            permit;
            count;
        }
    }
}

louisk@srx.cmhome>

If you want to be more granular about what traffic you allow through, you would create more policy statements and/or provide a list of the applications, ports, and protocols that you wish to allow.

Security zones:

louisk@srx.cmhome> show configuration security zones
security-zone fk-vpn {
    interfaces {
        st0.0;
    }
}

Addressbook:

louisk@srx.cmhome> show configuration security address-book
global {
    address net-fk_198-18-3-0--24 198.18.3.0/24;
    address net-fk_198-18-11-0--24 198.18.11.0/24;
    address net-fk_198-18-17-0--24 198.18.17.0/24;
}

louisk@srx.cmhome>

pfSense config

Overview: SHA256, AES128 CBC/GCM

Phase 1: 2 screenshots because it's too long for 1

Phase 2: 2 screenshots because it's too long for 1

NOTE: Ensure you allow traffic in and out of the IPSec interface. Without this, you won't get traffic to go where you want.

You can be as granular as you like. It is probably best to use the same applications, ports, and protocols that were defined in the SRX policy, just to keep things from being more confusing when it comes time to debug.

Verification and testing

Tunnel is up:

louisk@srx.cmhome> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
417185  UP     b35611b7c5d04a6a  cb74bf662dc263f3  IKEv2          172.16.16.15
417186  UP     bee74097383365d5  cf4087031dccc692  IKEv2          172.16.16.15

louisk@srx.cmhome> show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-128/None 6c94a774 2625/ unlim U root 500 172.16.16.15
  >131073 ESP:aes-gcm-128/None c76b1272 2625/ unlim U root 500 172.16.16.15

louisk@srx.cmhome> ping count 1 198.18.17.6
PING 198.18.17.6 (198.18.17.6): 56 data bytes
64 bytes from 198.18.17.6: icmp_seq=0 ttl=63 time=131.445 ms

--- 198.18.17.6 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 131.445/131.445/131.445/0.000 ms

louisk@srx.cmhome>

Policy counters/statistics after the tunnel has been up for a little while. You should see numbers > 0 for almost everything here.

louisk@srx.cmhome> show security policies from-zone trust to-zone fk-vpn detail
Policy: trust-fk-vpn-fk, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: fk-vpn
  Source addresses:
    net-fk_198-18-0-0--20(global): 198.18.0.0/20
  Destination addresses:
    net-fk_198-18-17-0--24(global): 198.18.17.0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes       :           3012203789               150186 bps
      Initial direction:             58949928                 3970 bps
      Reply direction  :           2953253861               146215 bps
    Output bytes       :           3012138137               149984 bps
      Initial direction:             58949096                 3970 bps
      Reply direction  :           2953189041               146013 bps
    Input  packets     :              3266500                  176 pps
      Initial direction:              1109665                   69 bps
      Reply direction  :              2156835                  106 bps
    Output packets     :              3266415                  176 pps
      Initial direction:              1109649                   69 bps
      Reply direction  :              2156766                  106 bps
    Session rate       :                  197                    0 sps
    Active sessions    :                    1
    Session deletions  :                  196
    Policy lookups     :                  197

louisk@srx.cmhome>
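A way to turn the two SA outputs above into a pass/fail check, as an added example that is not part of the original post; the function names, and the assumption that the columns appear exactly as shown on this page, are mine.

```python
# Added example, not from the original post: parse the SRX 'show security
# ike sa' and 'show security ipsec sa' output shown above and decide whether
# the tunnel is in the expected state. Samples are copied from this page;
# the column layout is assumed to be the one shown there.
import re

IKE_SA = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
417185  UP     b35611b7c5d04a6a  cb74bf662dc263f3  IKEv2          172.16.16.15
417186  UP     bee74097383365d5  cf4087031dccc692  IKEv2          172.16.16.15
"""
IPSEC_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-128/None 6c94a774 2625/ unlim U root 500 172.16.16.15
  >131073 ESP:aes-gcm-128/None c76b1272 2625/ unlim U root 500 172.16.16.15
"""

def parse_ike_sa(text):
    """One dict per IKE SA row: index, state, mode, peer."""
    rows = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6 and f[0].isdigit():
            rows.append({"index": int(f[0]), "state": f[1],
                         "mode": f[4], "peer": f[5]})
    return rows

# dir, id, algorithm, SPI, lifetime seconds, lifetime kb, monitor flag
ESP_ROW = re.compile(r"\s*([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)")

def parse_ipsec_sa(text):
    """One dict per ESP SA row; '<' is inbound, '>' outbound."""
    rows = []
    for line in text.splitlines():
        m = ESP_ROW.match(line)
        if m:
            rows.append({"dir": m[1], "id": int(m[2]), "algo": m[3],
                         "spi": m[4], "life": int(m[5]), "mon": m[7],
                         "gateway": line.split()[-1]})
    return rows

def tunnel_healthy(ike_text, ipsec_text, peer, algo="aes-gcm-128/None"):
    """True only if an IKEv2 SA to peer is UP, the VPN monitor reports U,
    and both ESP directions to that peer negotiated the expected algorithm."""
    ike_up = any(r["state"] == "UP" and r["mode"] == "IKEv2" and r["peer"] == peer
                 for r in parse_ike_sa(ike_text))
    esp = [r for r in parse_ipsec_sa(ipsec_text)
           if r["gateway"] == peer and r["algo"] == algo and r["mon"] == "U"]
    return ike_up and {r["dir"] for r in esp} == {"<", ">"}
```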

pfSense ICMP test:

pfSense should also show traffic flowing across the tunnel.
