Sort of a continuation of the last post. This still uses FreeBSD, pfSense, Juniper SRX but it could fairly easily be adapted to OpnSense (fork/clone of pfSense), and other network vendor appliances.

Versions used:

Software Version
Junos 12.3X48-D105.4
FreeBSD 12.2
StrongSwan 5.9.2
pfSense 2.4

Note If you are using Junos 15.1X49 >D100, you can use IKEv2 with the traffic selectors. If not, you have to either use IKEv1, or use proxy-identity and create multiple phase2, 1 for each subnet you want to pass traffic to/from.

Requirements

  • route-based tunnel on Junos, policy-based tunnel on StrongSwan (VTI may be an option in the future).
  • Suite-B(ish) crypto: JunOS requires certificates for Suite-B on phase-1, I’m not doing that. I am still using SHA256, AES-128-CBC for phase1, and SHA256 and AES-128-GCM (Suite-B) for phase2.

JunOS config

Interface:

louisk@srx.cmhome> show configuration interfaces st0
unit 0 {
    apply-groups ipsec_interfaces;
    description "DO Tunnel";
    family inet;
    family inet6;
}

louisk@srx.cmhome>

IKE (phase 1):

louisk@srx.cmhome> show configuration security ike
inactive: traceoptions {
    file ike-debug size 10m files 2;
    flag all;
    level 10;
}
proposal ike-proposal-digital-ocean {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy ike-policy-digital-ocean {
    mode main;
    proposals ike-proposal-digital-ocean;
    pre-shared-key ascii-text "insert secret here";
}
gateway ike-gate-digital-ocean {
    ike-policy ike-policy-digital-ocean;
    address 172.16.143.91;
    dead-peer-detection {
        optimized;
        interval 10;
        threshold 5;
    }
    local-identity hostname srx.cmhome;
    remote-identity inet 172.16.143.91;
    external-interface fe-0/0/7;
    version v1-only;
}

louisk@srx.cmhome>

IPSec (phase 2):

louisk@srx.cmhome> show configuration security ipsec
inactive: traceoptions {
    flag all;
}
vpn-monitor-options {
    interval 10;
    threshold 10;
}
proposal ipsec-proposal-digital-ocean {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-policy-digital-ocean {
    perfect-forward-secrecy {
        keys group19;
    }
    proposal-set suiteb-gcm-128;
}
vpn ipsec-vpn-digital-ocean {
    bind-interface st0.0;
    ike {
        gateway ike-gate-digital-ocean;
        ipsec-policy ipsec-policy-digital-ocean;
    }
    traffic-selector t1 {
        local-ip 192.168.0.0/20;
        remote-ip 10.10.2.0/24;
    }
    traffic-selector t2 {
        local-ip 192.168.0.0/20;
        remote-ip 192.168.17.0/24;
    }
    establish-tunnels immediately;
}

louisk@srx.cmhome>

The traffic-selector (proxy-identity if you’re using IKEv2 before Junos 15.1X49-D100) parts are required if the other side is policy-based (StrongSwan).

Security policies:

louisk@srx.cmhome> show configuration security policies from-zone trust to-zone site-2-site
policy trust-site-2-site {
    match {
        source-address net-192.168_0_0_m20;
        destination-address [ net-192.168_17_0_m24 net-10_10_2_20_m32 ];
        application any;
    }
    then {
        permit;
        count;
    }
}

louisk@srx.cmhome> show configuration security policies from-zone site-2-site to-zone trust
policy site-2-site-trust {
    match {
        source-address [ net-192.168_17_0_m24 net-10_10_2_20_m32 ];
        destination-address net-192.168_0_0_m20;
        application junos-icmp-ping;
    }
    then {
        permit;
        count;
    }
}

louisk@srx.cmhome>

If you want to be more granular about what kind of traffic you allow through, You would want to create more policy statements, and/or provide a list of applications, ports, and protocols that you wish to allow.

Security zones:

louisk@srx.cmhome> show configuration security zones security-zone site-2-site
interfaces {
    st0.0;
}

louisk@srx.cmhome>

Addressbook:

louisk@srx.cmhome> show configuration security address-book
global {
    address net-192.168_0_0_m20 {
        description CMHome;
        192.168.0.0/20;
    }
    address net-192.168_17_0_m24 {
        description "Office";
        192.168.17.0/24;
    }
    address net-10_10_2_20_m32 {
        description "DO IPSec Hub";
        10.10.2.20/32;
    }
}

louisk@srx.cmhome>

StrongSwan config

Most of this is pretty straight forward. I did find that nothing wanted to work until I changed the strongswan_interface variable to stroke. It currently defaults to vici (new configs from scratch should probably be done this way, but getting the existing configs working was faster this time).

rc.conf

strongswan_enable="YES"
strongswan_interface="stroke"
gateway_enable="YES"
ipv6_gateway_enable="YES"

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	uniqueids=yes
	# strictcrlpolicy=yes

# Add connections here.
conn %default
	ikelifetime=28800s
	keylife=3600s
	rekeymargin=3m
	keyingtries=1
	authby=secret
	keyexchange=ikev2
	mobike=no
	rekey=yes

conn to-office
	fragmentation=yes
	reauth=yes
	forceencaps=no
	mobike=yes

	installpolicy=yes
	type=tunnel
	dpddelay=10s
	dpdtimeout=60s
	dpdaction=restart
	auto=add
	authby=secret
	ike=aes128-sha256-ecp256!
	esp=aes128gcm128-sha256-ecp256,aes128gcm96-sha256-ecp256,aes128gcm64-sha256-ecp256!

	leftauth=psk
	leftsubnet=10.10.2.20/24,192.168.0.0/20
	left=172.16.143.91
	leftid=172.16.143.91

	rightauth=psk
	rightsubnet=192.168.17.0/24
	right=%any
	rightid=@office

conn to-cmhome
	keyexchange=ikev1
	fragmentation=yes
	reauth=yes
	forceencaps=no
	mobike=yes

	installpolicy=yes
	type=tunnel
	dpddelay=10s
	dpdtimeout=60s
	dpdaction=restart
	auto=add
	authby=secret
	ike=aes128-sha256-ecp256!
	esp=aes128gcm128-sha256-ecp256,aes128gcm96-sha256-ecp256,aes128gcm64-sha256-ecp256!

	leftauth=psk
	leftsubnet=10.10.2.20/24,192.168.17.0/24
	left=172.16.143.91
	leftid=172.16.143.91

	rightauth=psk
	rightsubnet=192.168.0.0/20
	right=%any
	rightid=@srx.cmhome

You can provide a comma separated list of prefixes for the left/right subnet instead of having to define new stanzas for each P2. That was nice.

Because all of the spokes in this configuration have dynamic addresses, the right needs to be set to %any. Make sure you set your identifier the same on both sides or it won’t connect.

ipsec.secrets

@srx.cmhome : PSK "insert password here"
@office : PSK "insert other password here"

You can use certs instead of PSK if you like them better. You can find examples here.

pfSense config

Overview: SHA256, AES128 CBC/GCM

Phase 1: 2 screenshots because its too long for 1

Phase 2: 2 screenshots because its too long for 1

NOTE: Ensure you allow traffic in/out the IPSec interface. With out this, you won’t get traffic to go where you want.

You can be granular, or not, up to you. Probably best to use the same applications, ports, and protocols that were defined in the SRX policy, just to keep things from being more confusing when it comes time to debug things.

Verification and testing

Tunnel is up:

louisk@srx.cmhome> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4286058 UP     4e4839c9f5cf00e7  5b4197e463eefd51  Main           172.16.143.91

louisk@srx.cmhome> show security ipsec sa
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108865 ESP:aes-gcm-128/None e36683fb 1626/ unlim - root 500 172.16.143.91
  >67108865 ESP:aes-gcm-128/None c7e91c4f 1626/ unlim - root 500 172.16.143.91
  <67108866 ESP:aes-gcm-128/None c5880593 1726/ unlim - root 500 172.16.143.91
  >67108866 ESP:aes-gcm-128/None c233855f 1726/ unlim - root 500 172.16.143.91

louisk@srx.cmhome> ping count 1 192.168.17.6
PING 192.168.17.6 (192.168.17.6): 56 data bytes
64 bytes from 192.168.17.6: icmp_seq=0 ttl=63 time=131.445 ms

--- 192.168.17.6 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 131.445/131.445/131.445/0.000 ms

louisk@srx.cmhome>

Showing policy counters/statistics after the tunnel has been up for a little bit. You should see numbers > 0 for almost everything here.

louisk@srx.cmhome> show security policies from-zone trust to-zone site-2-site detail
Policy: trust-site-2-site, action-type: permit, State: enabled, Index: 13, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: site-2-site
  Source addresses:
    net-192.168_0_0_m20(global): 192.168.0.0/20
  Destination addresses:
    net-10_10_2_20_m32(global): 10.10.2.20/32
    net-192.168_17_0_m24(global): 192.168.17.0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Policy statistics:
    Input  bytes       :              9794924                   29 bps
      Initial direction:              1933478                   14 bps
      Reply direction  :              7861446                   14 bps
    Output bytes       :              9795478                   29 bps
      Initial direction:              1932016                   14 bps
      Reply direction  :              7863462                   14 bps
    Input  packets     :                24114                    0 pps
      Initial direction:                11438                    0 pps
      Reply direction  :                12676                    0 pps
    Output packets     :                24149                    0 pps
      Initial direction:                11437                    0 pps
      Reply direction  :                12712                    0 pps
    Session rate       :                 3155                    0 sps
    Active sessions    :                    1
    Session deletions  :                 3154
    Policy lookups     :                 3167

louisk@srx.cmhome>
[louisk@hub louisk 125 ]$ ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, FreeBSD 12.2-RELEASE-p6, amd64):
  uptime: 3 hours, since Apr 24 19:25:50 2021
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  172.16.143.91
Connections:
       to-office:  172.16.143.91...%any  IKEv2, dpddelay=10s
       to-office:   local:  [172.16.143.91] uses pre-shared key authentication
       to-office:   remote: [office] uses pre-shared key authentication
       to-office:   child:  10.10.2.0/24 192.168.0.0/20 === 192.168.17.0/24 TUNNEL, dpdaction=restart
   to-cmhome:  172.16.143.91...%any  IKEv1, dpddelay=10s
   to-cmhome:   local:  [172.16.143.91] uses pre-shared key authentication
   to-cmhome:   remote: [srx.cmhome] uses pre-shared key authentication
   to-cmhome:   child:  10.10.2.0/24 192.168.17.0/24 === 192.168.0.0/20 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
   to-cmhome[3]: ESTABLISHED 3 hours ago, 172.16.143.91[172.16.143.91]...98.198.238.127[srx.cmhome]
   to-cmhome[3]: IKEv1 SPIs: 4e4839c9f5cf00e7_i 5b4197e463eefd51_r*, pre-shared key reauthentication in 4 hours
   to-cmhome[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   to-cmhome{11}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c7e91c4f_i e36683fb_o
   to-cmhome{11}:  AES_GCM_16_128/ECP_256, 9108 bytes_i (207 pkts, 2s ago), 20700 bytes_o (207 pkts, 2s ago), rekeying in 19 minutes
   to-cmhome{11}:   10.10.2.0/24 === 192.168.0.0/20
   to-cmhome{12}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c233855f_i c5880593_o
   to-cmhome{12}:  AES_GCM_16_128/ECP_256, 31888 bytes_i (692 pkts, 3s ago), 305548 bytes_o (2670 pkts, 1s ago), rekeying in 23 minutes
   to-cmhome{12}:   192.168.17.0/24 === 192.168.0.0/20
       to-office[1]: ESTABLISHED 3 hours ago, 172.16.143.91[172.16.143.91]...66.220.110.60[office]
       to-office[1]: IKEv2 SPIs: 77f55c79c761bb62_i 855552af159b5132_r*, pre-shared key reauthentication in 4 hours
       to-office[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
       to-office{10}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c12588fa_i cc7b0f52_o
       to-office{10}:  AES_GCM_16_128/ECP_256, 248788 bytes_i (4327 pkts, 1s ago), 134880 bytes_o (1328 pkts, 2s ago), rekeying in 4 minutes
       to-office{10}:   10.10.2.0/24 192.168.0.0/20 === 192.168.17.0/24
[louisk@hub louisk 126 ]$

pfSense ICMP test:

pfSense should also show traffic flowing across the tunnel

Footnotes and References