Route-Based and Policy-Based VPNs with NAT-T | Junos OS (2024)

Table of Contents
Understanding NAT-T See Also Example: Configuring a Route-Based VPN with the Responder behind a NAT Device Requirements Overview Configuration Verification See Also Example: Configuring a Policy-Based VPN with Both an Initiatorand a Responder Behind a NAT Device Requirements Overview Configuration Verification See Also Example: Configuring NAT-T with Dynamic Endpoint VPN Requirements Overview Configuration Verification See Also Related Documentation Change History Table

Network Address Translation-Traversal (NAT-T)is a method used for managing IP address translation-related issuesencountered when the data protected by IPsec passes through a deviceconfigured with NAT for address translation.

Understanding NAT-T

Network Address Translation-Traversal (NAT-T) is a method forgetting around IP address translation issues encountered when dataprotected by IPsec passes through a NAT device for address translation.Any changes to the IP addressing, which is the function of NAT, causesIKE to discard packets. After detecting one or more NAT devices alongthe datapath during Phase 1 exchanges, NAT-T adds a layer of UserDatagram Protocol (UDP) encapsulation to IPsec packets so they arenot discarded after address translation. NAT-T encapsulates both IKEand ESP traffic within UDP with port 4500 used as both the sourceand destination port. Because NAT devices age out stale UDP translations,keepalive messages are required between the peers.

NAT-T is enabled by default therefore you must use the no-nat-traversal statement at the [edit security ike gateway gateway-name hierarchy level for disabling the NAT-T.

There are two broad categories of NAT:

  • Static NAT, where there is a one-to-one relationship betweenthe private and public addresses. Static NAT works in both inboundand outbound directions.

  • Dynamic NAT, where there is a many-to-one or many-to-manyrelationship between the private and public addresses. Dynamic NATworks in the outbound direction only.

The location of a NAT device can be such that:

  • Only the IKEv1 or IKEv2 initiator is behind a NAT device.Multiple initiators can be behind separate NAT devices. Initiatorscan also connect to the responder through multiple NAT devices.

  • Only the IKEv1 or IKEv2 responder is behind a NAT device.

  • Both the IKEv1 or IKEv2 initiator and the responder arebehind a NAT device.

Dynamic endpoint VPN covers the situation where the initiator'sIKE external address is not fixed and is therefore not known by theresponder. This can occur when the initiator's address is dynamicallyassigned by an ISP or when the initiator's connection crosses a dynamicNAT device that allocates addresses from a dynamic address pool.

Configuration examples for NAT-T are provided for the topologyin which only the responder is behind a NAT device and the topologyin which both the initiator and responder are behind a NAT device.Site-to-site IKE gateway configuration for NAT-T is supported on boththe initiator and responder. A remote IKE ID is used to validate apeer’s local IKE ID during Phase 1 of IKE tunnel negotiation.Both the initiator and responder require a local-identity and a remote-identity setting.

On SRX5400, SRX5600, and SRX5800 devices, the IPsec NAT-Ttunnel scaling and sustaining issues are as follows:

  • For a given private IP address, the NAT device shouldtranslate both 500 and 4500 private ports to the same public IP address.

  • The total number of tunnels from a given public translatedIP cannot exceed 1000 tunnels.

Starting from Junos OS Release 19.2R1, PowerMode IPSec (PMI) for NAT-T is supported only on SRX5400, SRX5600, and SRX5800 devices equipped with SRX5K-SPC3 Services Processing Card (SPC), or with vSRX Virtual Firewall.

See Also

  • IPsec Overview

Example: Configuring a Route-Based VPN with the Responder behind a NAT Device

This example shows how to configure a route-based VPN with a responder behind a NAT device between a branch office and the corporate office.

  • Requirements
  • Overview
  • Configuration
  • Verification

Requirements

Before you begin, read IPsec Overview.

Overview

In this example, you configure a route-based VPN. Host1 will use the VPN to connect to their corporate headquarters on SRX2.

Figure 1 shows an example of a topology for route-based VPN with only the responder behind a NAT device.

Figure 1: Route-Based VPN Topology with Only the Responder behind a NAT DeviceRoute-Based and Policy-Based VPNs with NAT-T | Junos OS (1)

In this example, you configure interfaces, IPsec, and security policies for both an initiator in SRX1 and a responder in SRX2. Then you configure IKE Phase 1 and IPsec Phase 2 parameters.

SRX1 sends packets with the destination address of 172.16.21.1 to establish the VPN. The NAT device translates the destination address to 10.1.31.1.

See Table 1 through Table 3 for specific configuration parameters used for the initiator in the examples.

Table 1: Interface, Routing Options, and Security Parameters for SRX1

Feature

Name

Configuration Parameters

Interfaces

ge-0/0/1

172.16.11.1/24

ge-0/0/0

10.1.11.1/24

st0.0 (tunnel interface)

10.1.100.1/24

Static routes

10.1.21.0/24

The next hop is st0.0.

172.16.21.1/32

The next hop is 172.16.11.2.

Security zones

untrust

  • The system services of IKE and ping.

  • The ge-0/0/1.0 and the st0.0 interfaces are bound to this zone.

trust

  • Allow all system services.

  • Allow all protocols.

  • The ge-0/0/0.0 interface is bound to this zone.

Security policies

to-SRX2

Permit traffic from 10.1.11.0/24 in the trust zone to 10.1.21.0/24 in the untrust zone.

from-SRX2

Permit traffic from 10.1.21.0/24 in the untrust zone to 10.1.11.0/24 in the trust zone.

Table 2: IKE Phase 1 Configuration Parameters for SRX1

Feature

Name

Configuration Parameters

Proposal

ike_prop

  • Authentication method: pre-shared-keys

  • Diffie-Hellman group: group2

  • Authentication algorithm: sha1

  • Encryption algorithm: 3des-cbc

Policy

ike_pol

  • Mode: main

  • Proposal reference: ike_prop

  • IKE Phase 1 policy authentication method: pre-shared-key ascii-text

Gateway

gw1

  • IKE policy reference: ike_pol

  • External interface: ge-0/0/1.0

  • Gateway address: 172.16.21.1

  • Local peer (initiator): branch_natt1@example.net

  • Remote peer (responder): responder_natt1@example.net

Table 3: IPsec Phase 2 Configuration Parameters for SRX1

Feature

Name

Configuration Parameters

Proposal

ipsec_prop

  • Protocol: esp

  • Authentication algorithm: hmac-sha1-96

  • Encryption algorithm: 3des-cbc

Policy

ipsec_pol

  • Proposal reference: ipsec_prop

  • Perfect forward secrecy (PFS) keys: group2

VPN

vpn1

  • IKE gateway reference: gw1

  • IPsec policy reference: ipsec_pol

  • Bind to interface: st0.0

  • Establish tunnels immediately

See Table 4 through Table 6 for specific configuration parameters used for the responder in the examples.

Table 4: Interface, Routing Options, and Security Parameters for SRX2

Feature

Name

Configuration Parameters

Interfaces

ge-0/0/1

10.1.31.1/24

ge-0/0/0

10.1.21.1/24

st0.0 (tunnel interface)

10.1.100.2/24

Static routes

172.16.11.1/32

The next hop is 10.1.31.2.

10.1.11.0/24

The next hop is st0.0.

Security zones

untrust

  • Allow IKE and ping system services.

  • The ge-0/0/1.0 and the st0.0 interfaces are bound to this zone.

trust

  • Allow all system services.

    Allow all protocols.

  • The ge-0/0/0.0 interface is bound to this zone.

Security policies

to-SRX1

Permit traffic from 10.1.21.0/24 in the trust zone to 10.1.11.0/24 in the untrust zone.

from-SRX1

Permit traffic from 10.1.11.0/24 in the untrust zone to 10.1.21.0/24 in the trust zone.

Table 5: IKE Phase 1 Configuration Parameters for SRX2

Feature

Name

Configuration Parameters

Proposal

ike_prop

  • Authentication method: pre-shared-keys

  • Diffie-Hellman group: group2

  • Authentication algorithm: sha1

  • Encryption algorithm: 3des-cbc

Policy

ike_pol

  • Mode: main

  • Proposal reference: ike_prop

  • IKE Phase 1 policy authentication method: pre-shared-key ascii-text

Gateway

gw1

  • IKE policy reference: ike_pol

  • External interface: ge-0/0/1.0

  • Gateway address: 172.16.11.1

  • Local peer (responder): responder_natt1@example.net

  • Remote peer (initiator): branch_natt1@example.net

Table 6: IPsec Phase 2 Configuration Parameters for SRX2

Feature

Name

Configuration Parameters

Proposal

ipsec_prop

  • Protocol: esp

  • Authentication algorithm: hmac-sha1-96

  • Encryption algorithm: 3des-cbc

Policy

ipsec_pol

  • Proposal reference: ipsec_prop

  • PFS keys: group2

VPN

vpn1

  • IKE gateway reference: gw1

  • IPsec policy reference: ipsec_pol

  • Bind to interface: st0.0

  • Establish tunnels immediately

Configuration

  • Configuring Interface, Routing Options, and Security Parameters for SRX1
  • Configuring IKE for SRX1
  • Configuring IPsec for SRX1
  • Configuring Interfaces, Routing Options, and Security Parameters for SRX2
  • Configuring IKE for SRX2
  • Configuring IPsec for SRX2
  • Configuration for the NAT Device

Configuring Interface, Routing Options, and Security Parameters for SRX1

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure interfaces, static routes, and security parameters:

  1. Configure the interfaces connected to the Internet, Host1, and the interface used for the VPN.

  2. Configure static routes for the traffic that will use the VPN and for SRX1 to reach the NAT device.

  3. Configure the untrust security zone.

  4. Configure the trust security zone.

  5. Configure address books for the networks used in the security policies.

  6. Create security policies to allow traffic between the hosts.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IKE for SRX1

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IKE:

  1. Create an IKE Phase 1 proposal.

  2. Create an IKE Phase 1 policy.

  3. Configure the IKE Phase 1 gateway parameters. The gateway address should be the IP for the NAT device.

Results

From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IPsec for SRX1

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IPsec:

  1. Create an IPsec Phase 2 proposal.

  2. Create the IPsec Phase 2 policy.

  3. Configure the IPsec VPN parameters.

Results

From configuration mode, confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring Interfaces, Routing Options, and Security Parameters for SRX2

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure interfaces, static routes, and security parameters:

  1. Configure the interfaces connected to the Internet, Host2, and the interface used for the VPN.

  2. Configure static routes for the traffic that will use the VPN and for SRX2 to reach SRX1.

  3. Configure the untrust security zone.

  4. Configure the trust security zone.

  5. Configure address books for the networks used in the security policies.

  6. Create security policies to allow traffic between the hosts.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IKE for SRX2

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IKE:

  1. Create an IKE Phase 1 proposal.

  2. Create an IKE Phase 1 policy.

  3. Configure the IKE Phase 1 gateway parameters. The gateway address should be the IP for SRX1.

Results

From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IPsec for SRX2

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IPsec:

  1. Create an IPsec Phase 2 proposal.

  2. Create the IPsec Phase 2 policy.

  3. Configure the IPsec VPN parameters.

Results

From configuration mode, confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuration for the NAT Device

CLI Quick Configuration

Static NAT is used in the example. Static NAT is bidirectional which means that traffic from 10.1.31.1 to 172.16.11.1 will also use the same NAT configuration.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

  • Verifying the IKE Phase 1 Status on SRX1
  • Verifying IPsec Security Associations on SRX1
  • Verifying the IKE Phase 1 Status on SRX2
  • Verifying IPsec Security Associations on SRX2
  • Verifying Host-to-Host Reachability

Verifying the IKE Phase 1 Status on SRX1

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IKE Phase 1 status.

Action

From operational mode, enter the show security ike security-associations command. For a more detailed output, use the show security ike security-associations detail command.

Meaning

The show security ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration.

If SAs are listed, review the following information:

  • Index—This value is unique for each IKE SA, which you can use in the show security ike security-associations index detail command to get more information about the SA.

  • Remote address—Verify that the remote IP address is correct and that port 4500 is being used for peer-to-peer communication. Remember that NAT-T encapsulates both IKE and ESP traffic within UDP with port 4500.

  • Role initiator state

    • Up—The Phase 1 SA is established.

    • Down—There was a problem establishing the Phase 1 SA.

    • Both peers in the IPsec SA pair are using port 4500.

    • Peer IKE ID—Verify the remote address is correct.

    • Local identity and remote identity—Verify these are correct.

  • Mode—Verify that the correct mode is being used.

Verify that the following are correct in your configuration:

  • External interfaces (the interface must be the one that receives IKE packets)

  • IKE policy parameters

  • Preshared key information

  • Phase 1 proposal parameters (must match on both peers)

The show security ike security-associations command lists additional information about security associations:

Verifying IPsec Security Associations on SRX1

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IPsec status.

Action

From operational mode, enter the show security ipsec security-associations command. For a more detailed output, use the show security ipsec security-associations detail command.

Meaning

The output from the show security ipsec security-associations command lists the following information:

  • The remote gateway has an address of 172.16.21.1.

  • Both peers in the IPsec SA pair are using port 4500.

  • The SPIs, lifetime (in seconds), and usage limits (or lifesize in KB) are shown for both directions. The 2160/ unlim value indicates that the Phase 2 lifetime expires in 2160 seconds, and that no lifesize has been specified, which indicates that it is unlimited. Phase 2 lifetime can differ from Phase 1 lifetime, as Phase 2 is not dependent on Phase 1 after the VPN is up.

  • VPN monitoring is not enabled for this SA, as indicated by a hyphen in the Mon column. If VPN monitoring is enabled, U indicates that monitoring is up, and D indicates that monitoring is down.

  • The virtual system (vsys) is the root system, and it always lists 0.

Verifying the IKE Phase 1 Status on SRX2

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IKE Phase 1 status.

Action

From operational mode, enter the show security ike security-associations command. For a more detailed output, use the show security ike security-associations detail command.

Meaning

The show security ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration.

If SAs are listed, review the following information:

  • Index—This value is unique for each IKE SA, which you can use in the show security ike security-associations detail command to get more information about the SA.

  • Remote address—Verify that the remote IP address is correct and that port 4500 is being used for peer-to-peer communication.

  • Role responder state

    • Up—The Phase 1 SA has been established.

    • Down—There was a problem establishing the Phase 1 SA.

    • Peer IKE ID—Verify the address is correct.

    • Local identity and remote identity—Verify these addresses are correct.

  • Mode—Verify that the correct mode is being used.

Verify that the following are correct in your configuration:

  • External interfaces (the interface must be the one that receives IKE packets)

  • IKE policy parameters

  • Preshared key information

  • Phase 1 proposal parameters (must match on both peers)

The show security ike security-associations command lists additional information about security associations:

  • Authentication and encryption algorithms used

  • Phase 1 lifetime

  • Traffic statistics (can be used to verify that traffic is flowing properly in both directions)

  • Role information

    Troubleshooting is best performed on the peer using the responder role.

  • Initiator and responder information

  • Number of IPsec SAs created

  • Number of Phase 2 negotiations in progress

Verifying IPsec Security Associations on SRX2

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IPsec status.

Action

From operational mode, enter the show security ipsec security-associations command. For a more detailed output, use the show security ipsec security-associations detail command.

Meaning

The output from the show security ipsec security-associations command lists the following information:

  • The remote gateway has an ip address of 172.16.11.1.

  • Both peers in the IPsec SA pair are using port 4500.

  • The SPIs, lifetime (in seconds), and usage limits (or lifesize in KB) are shown for both directions. The 1562/ unlim value indicates that the Phase 2 lifetime expires in 1562 seconds, and that no lifesize has been specified, which indicates that it is unlimited. Phase 2 lifetime can differ from Phase 1 lifetime, as Phase 2 is not dependent on Phase 1 after the VPN is up.

  • VPN monitoring is not enabled for this SA, as indicated by a hyphen in the Mon column. If VPN monitoring is enabled, U indicates that monitoring is up, and D indicates that monitoring is down.

  • The virtual system (vsys) is the root system, and it always lists 0.

The output from the show security ipsec security-associations index index_iddetail command lists the following information:

  • The local identity and remote identity make up the proxy ID for the SA.

    A proxy ID mismatch is one of the most common causes for a Phase 2 failure. If no IPsec SA is listed, confirm that Phase 2 proposals, including the proxy ID settings, are correct for both peers. For route-based VPNs, the default proxy ID is local=0.0.0.0/0, remote=0.0.0.0/0, and service=any. Issues can occur with multiple route-based VPNs from the same peer IP. In this case, a unique proxy ID for each IPsec SA must be specified. For some third-party vendors, the proxy ID must be manually entered to match.

  • Another common reason for Phase 2 failure is not specifying the ST interface binding. If IPsec cannot complete, check the kmd log or set trace options.

Verifying Host-to-Host Reachability

  • Purpose
  • Action
  • Meaning
Purpose

Verify Host1 can reach Host2.

Action

From Host1 ping Host2. To verify the traffic is using the VPN, use the command show security ipsec statistics on SRX1. Clear the statistics by using the command clear security ipsec statistics before running the ping command.

Meaning

The outputs show Host1 can ping Host2 and that the traffic is using the VPN.

See Also

  • IPsec Overview

  • Example: Configuring a Policy-Based VPN

Example: Configuring a Policy-Based VPN with Both an Initiatorand a Responder Behind a NAT Device

This example shows how to configure a policy-basedVPN with both an initiator and a responder behind a NAT device toallow data to be securely transferred between a branch office andthe corporate office.

  • Requirements
  • Overview
  • Configuration
  • Verification

Requirements

Before you begin, read IPsec Overview.

Overview

In this example, you configure a policy-based VPN for a branchoffice in Chicago, Illinois, because you want to conserve tunnel resourcesbut still get granular restrictions on VPN traffic. Users in the branchoffice will use the VPN to connect to their corporate headquartersin Sunnyvale, California.

In this example, you configure interfaces, routing options,security zones, security policies for both an initiator and a responder.

Figure 2 showsan example of a topology for a VPN with both an initiator and a responderbehind a static NAT device.

Figure 2: Policy-BasedVPN Topology with Both an Initiator and a Responder Behind a NAT DeviceRoute-Based and Policy-Based VPNs with NAT-T | Junos OS (2)

In this example, you configure interfaces, an IPv4 default route,and security zones. Then you configure IKE Phase 1, including localand remote peers, IPsec Phase 2, and the security policy. Note inthe example above, the responder’s private IP address 13.168.11.1is hidden by the static NAT device and mapped to public IP address1.1.100.1.

See Table 7 through Table 10 for specific configuration parameters used for the initiatorin the examples.

Table 7: Interface,Routing Options, and Security Zones for the Initiator

Feature

Name

Configuration Parameters

Interfaces

ge-0/0/0

12.168.99.100/24

ge-0/0/1

10.1.99.1/24

Static routes

10.2.99.0/24 (default route)

The next hop is 12.168.99.100.

1.1.100.0/24

12.168.99.100

Security zones

trust

  • All system services are allowed.

  • All protocols are allowed.

  • The ge-0/0/1.0 interface is bound to this zone.

untrust

  • The ge-0/0/0.0 interface is bound to this zone.

Table 8: IKE Phase 1 ConfigurationParameters for the Initiator

Feature

Name

Configuration Parameters

Proposal

ike_prop

  • Authentication method: pre-shared-keys

  • Diffie-Hellman group: group2

  • Authentication algorithm: md5

  • Encryption algorithm: 3des-cbc

Policy

ike_pol

  • Mode: main

  • Proposal reference: ike_prop

  • IKE Phase 1 policy authentication method: pre-shared-keyascii-text

Gateway

gate

  • IKE policy reference: ike_pol

  • External interface: ge-0/0/1.0

  • Gateway address: 1.1.100.23

  • Local peer is hostname chicago

  • Remote peer is hostname sunnyvale

Table 9: IPsec Phase2 Configuration Parameters for the Initiator

Feature

Name

Configuration Parameters

Proposal

ipsec_prop

  • Protocol: esp

  • Authentication algorithm: hmac-md5-96

  • Encryption algorithm: 3des-cbc

Policy

ipsec_pol

  • Proposal reference: ipsec_prop

  • Perfect forward secrecy (PFS): group1

VPN

first_vpn

  • IKE gateway reference: gate

  • IPsec policy reference: ipsec_pol

Table 10: SecurityPolicy Configuration Parameters for the Initiator

Purpose

Name

Configuration Parameters

The security policy permits tunnel traffic from the trustzone to the untrust zone.

pol1

  • Match criteria:

    • source-address any

    • destination-address any

    • application any

  • Action: permit tunnel ipsec-vpn first_vpn

The security policy permits tunnel traffic from the untrustzone to the trust zone.

pol1

  • Match criteria:

    • application any

  • Action: permit tunnel ipsec-vpn first_vpn

See Table 11 through Table 14 for specific configuration parameters used for the responderin the examples.

Table 11: Interface,Routing Options, and Security Zones for the Responder

Feature

Name

Configuration Parameters

Interfaces

ge-0/0/0

13.168.11.100/24

ge-0/0/1

10.2.99.1/24

Static routes

10.1.99.0/24 (default route)

The next hop is 13.168.11.100

1.1.100.0/24

13.168.11.100

Security zones

trust

  • All system services are allowed.

  • All protocols are allowed.

  • The ge-0/0/1.0 interface is bound to this zone.

untrust

  • The ge-0/0/0.0 interface is bound to this zone.

Table 12: IKE Phase 1 ConfigurationParameters for the Responder

Feature

Name

Configuration Parameters

Proposal

ike_prop

  • Authentication method: pre-shared-keys

  • Diffie-Hellman group: group2

  • Authentication algorithm: md5

  • Encryption algorithm: 3des-cbc

Policy

ike_pol

  • Mode: main

  • Proposal reference: ike_prop

  • IKE Phase 1 policy authentication method: pre-shared-keyascii-text

Gateway

gate

  • IKE policy reference: ike_pol

  • External interface: ge-0/0/1.0

  • Gateway address: 1.1.100.22

  • Always send dead-peer detection

  • Local peer is hostname sunnyvale

  • Remote peer is hostname chicago

Table 13: IPsec Phase2 Configuration Parameters for the Responder

Feature

Name

Configuration Parameters

Proposal

ipsec_prop

  • Protocol: esp

  • Authentication algorithm: hmac-md5-96

  • Encryption algorithm: 3des-cbc

Policy

ipsec_pol

  • Proposal reference: ipsec_prop

  • Perfect forward secrecy (PFS): group1

VPN

first_vpn

  • IKE gateway reference: gate

  • IPsec policy reference: ipsec_pol

Table 14: SecurityPolicy Configuration Parameters for the Responder

Purpose

Name

Configuration Parameters

The security policy permits tunnel traffic from the trustzone to the untrust zone.

pol1

  • Match criteria:

    • source-address any

    • destination-address any

    • application any

  • Action: permit tunnel ipsec-vpn first_vpn

The security policy permits tunnel traffic from the untrustzone to the trust zone.

pol1

  • Match criteria:

    • application any

  • Action: permit tunnel ipsec-vpn first_vpn

Configuration

  • Configuring Interface, Routing Options, and Security Zonesfor the Initiator
  • Configuring IKE for the Initiator
  • Configuring IPsec for the Initiator
  • Configuring Security Policies for the Initiator
  • Configuring NAT for the Initiator
  • Configuring Interface, Routing Options, and Security Zonesfor the Responder
  • Configuring IKE for the Responder
  • Configuring IPsec for the Responder
  • Configuring Security Policies for the Responder
  • Configuring NAT for the Responder

Configuring Interface, Routing Options, and Security Zonesfor the Initiator

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure interfaces, static routes, and security zones:

  1. Configure Ethernet interface information.

  2. Configure static route information.

  3. Configure the trust security zone.

  4. Assign an interface to the trust security zone.

  5. Specify system services for the trust security zone.

  6. Assign an interface to the untrust security zone.

Results

From configuration mode, confirm your configurationby entering the show interfaces, show routing-options, and show security zones commands If the output doesnot display the intended configuration, repeat the instructions inthis example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IKE for the Initiator

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure IKE:

  1. Create the IKE Phase 1 proposal.

  2. Define the IKE proposal authentication method.

  3. Define the IKE proposal Diffie-Hellman group.

  4. Define the IKE proposal authentication algorithm.

  5. Define the IKE proposal encryption algorithm.

  6. Create an IKE Phase 1 policy.

  7. Set the IKE Phase 1 policy mode.

  8. Specify a reference to the IKE proposal.

  9. Define the IKE Phase 1 policy authentication method.

  10. Create an IKE Phase 1 gateway and define its externalinterface.

  11. Create an IKE Phase 1 gateway address.

  12. Define the IKE Phase 1 policy reference.

  13. Set local-identity for the local peer.

Results

From configuration mode, confirm your configurationby entering the show security ike command. If the outputdoes not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IPsec for the Initiator

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure IPsec:

  1. Create an IPsec Phase 2 proposal.

  2. Specify the IPsec Phase 2 proposal protocol.

  3. Specify the IPsec Phase 2 proposal authentication algorithm.

  4. Specify the IPsec Phase 2 proposal encryption algorithm.

  5. Specify the IPsec Phase 2 proposal reference.

  6. Specify IPsec Phase 2 to use perfect forward secrecy (PFS)group1.

  7. Specify the IKE gateway.

  8. Specify the IPsec Phase 2 policy.

Results

From configuration mode, confirm your configurationby entering the show security ipsec command. If the outputdoes not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring Security Policies for the Initiator

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure security policies:

  1. Create the security policy to permit traffic from thetrust zone to the untrust zone.

  2. Create the security policy to permit traffic from theuntrust zone to the trust zone.

Results

From configuration mode, confirm your configurationby entering the show security policies command. If theoutput does not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring NAT for the Initiator

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure the initiator providing NAT:

  1. Configure interfaces.

  2. Configure zones.

  3. Configure NAT.

  4. Configure the default security policy.

  5. Configure the routing option.

Results

From configuration mode, confirm your configurationby entering the show security nat command. If the outputdoes not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring Interface, Routing Options, and Security Zonesfor the Responder

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure interfaces, static routes, security zones, andsecurity policies:

  1. Configure Ethernet interface information.

  2. Configure static route information.

  3. Assign an interface to the untrust security zone.

  4. Configure the trust security zone.

  5. Assign an interface to the trust security zone.

  6. Specify allowed system services for the trust securityzone.

Results

From configuration mode, confirm your configurationby entering the show interfaces, show routing-options, and show security zones commands. If the output doesnot display the intended configuration, repeat the instructions inthis example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IKE for the Responder

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure IKE:

  1. Define the IKE proposal authentication method.

  2. Define the IKE proposal Diffie-Hellman group.

  3. Define the IKE proposal authentication algorithm.

  4. Define the IKE proposal encryption algorithm.

  5. Create an IKE Phase 1 policy.

  6. Set the IKE Phase 1 policy mode.

  7. Specify a reference to the IKE proposal.

  8. Define the IKE Phase 1 policy authentication method.

  9. Create an IKE Phase 1 gateway and define its dynamic hostname.

  10. Create an IKE Phase 1 gateway and define its externalinterface.

  11. Define the IKE Phase 1 policy reference.

Results

From configuration mode, confirm your configurationby entering the show security ike command. If the outputdoes not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring IPsec for the Responder

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure IPsec:

  1. Create an IPsec Phase 2 proposal.

  2. Specify the IPsec Phase 2 proposal protocol.

  3. Specify the IPsec Phase 2 proposal authentication algorithm.

  4. Specify the IPsec Phase 2 proposal encryption algorithm.

  5. Create the IPsec Phase 2 policy.

  6. Set IPsec Phase 2 to use perfect forward secrecy (PFS)group1.

  7. Specify the IPsec Phase 2 proposal reference.

  8. Specify the IKE gateway.

  9. Specify the IPsec Phase 2 policy.

Results

From configuration mode, confirm your configurationby entering the show security ipsec command. If the outputdoes not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring Security Policies for the Responder

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure security policies:

  1. Create the security policy to permit traffic from thetrust zone to the untrust zone.

  2. Create the security policy to permit traffic from theuntrust zone to the trust zone.

Results

From configuration mode, confirm your configurationby entering the show security policies command. If theoutput does not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Configuring NAT for the Responder

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure the responder providing NAT:

  1. Configure interfaces.

  2. Configure zones.

  3. Configure NAT.

  4. Configure the default security policy.

  5. Configure the routing option.

Results

From configuration mode, confirm your configurationby entering the show security nat command. If the outputdoes not display the intended configuration, repeat the instructionsin this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is workingproperly, perform these tasks:

  • Verifying the IKE Phase 1 Status for the Initiator
  • Verifying IPsec Security Associations for the Initiator
  • Verifying the IKE Phase 1 Status for the Responder
  • Verifying IPsec Security Associations for the Responder

Verifying the IKE Phase 1 Status for the Initiator

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IKE Phase 1 status.

Action

Before starting the verification process, you must send traffic from a host in the 10.1.99.0 network to a host in the 10.2.99.0 network. For route-based VPNs, traffic can be initiated by the SRX Series Firewall through the tunnel. We recommend that when testing IPsec tunnels, test traffic be sent from a separate device on one side of the VPN to a second device on the other side of the VPN. For example, initiate a ping operation from 10.1.99.2 to 10.2.99.2.

From operational mode, enter the show security ike security-associations command. After obtaining an index number from the command, use the show security ike security-associations index index_number detail command.

Meaning

The show security ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed,there was a problem with Phase 1 establishment. Check the IKE policyparameters and external interface settings in your configuration.

If SAs are listed, review the following information:

  • Index—This value is unique for each IKE SA, whichyou can use in the show security ike security-associations indexdetail command to get more information about the SA.

  • Remote address—Verify that the remote IP addressis correct and that port 4500 is being used for peer-to-peer communication.

  • Role initiator state

    • Up—The Phase 1 SA has been established.

    • Down—There was a problem establishing the Phase1 SA.

    • Both peers in the IPsec SA pair are using port 4500, whichindicates that NAT-T is implemented. (NAT-T uses port 4500 or anotherrandom high-numbered port.)

    • Peer IKE ID—Verify the remote (responder) ID iscorrect. In this example, the hostname is sunnyvale.

    • Local identity and remote identity—Verify theseare correct.

  • Mode—Verify that the correct mode is being used.

Verify that the following are correct in your configuration:

  • External interfaces (the interface must be the one thatreceives IKE packets)

  • IKE policy parameters

  • Preshared key information

  • Phase 1 proposal parameters (must match on both peers)

The show security ike security-associations commandlists additional information about security associations:

  • Authentication and encryption algorithms used

  • Phase 1 lifetime

  • Traffic statistics (can be used to verify that trafficis flowing properly in both directions)

  • Role information

    Troubleshooting is best performed on the peer using the responderrole.

  • Initiator and responder information

  • Number of IPsec SAs created

  • Number of Phase 2 negotiations in progress

Verifying IPsec Security Associations for the Initiator

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IPsec status.

Action

From operational mode, enter the show securityipsec security-associations command. After obtaining an indexnumber from the command, use the show security ipsec security-associationsindex index_number detail command.

Meaning

The output from the show security ipsec security-associations command lists the following information:

  • The remote gateway has a NAT address of 13.168.11.100.

  • Both peers in the IPsec SA pair are using port 4500, whichindicates that NAT-T is implemented. (NAT-T uses port 4500 or anotherrandom high-numbered port.).

  • The SPIs, lifetime (in seconds), and usage limits (orlifesize in KB) are shown for both directions. The 3390/ unlimitedvalue indicates that the Phase 2 lifetime expires in 3390 seconds,and that no lifesize has been specified, which indicates that it isunlimited. Phase 2 lifetime can differ from Phase 1 lifetime, as Phase2 is not dependent on Phase 1 after the VPN is up.

  • VPN monitoring is not enabled for this SA, as indicatedby a hyphen in the Mon column. If VPN monitoring is enabled, U indicatesthat monitoring is up, and D indicates that monitoring is down.

  • The virtual system (vsys) is the root system, and it alwayslists 0.

Verifying the IKE Phase 1 Status for the Responder

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IKE Phase 1 status.

Action

From operational mode, enter the show securityike security-associations command. After obtaining an indexnumber from the command, use the show security ike security-associationsindex index_number detail command.

Meaning

The show security ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed,there was a problem with Phase 1 establishment. Check the IKE policyparameters and external interface settings in your configuration.

If SAs are listed, review the following information:

  • Index—This value is unique for each IKE SA, whichyou can use in the show security ike security-associations indexdetail command to get more information about the SA.

  • Remote address—Verify that the remote IP addressis correct and that port 4500 is being used for peer-to-peer communication.

  • Role responder state

    • Up—The Phase 1 SA has been established.

    • Down—There was a problem establishing the Phase1 SA.

    • Peer IKE ID—Verify the local ID for the peer iscorrect. In this example, the hostname is chicago.

    • Local identity and remote identity—Verify theseare correct.

  • Mode—Verify that the correct mode is being used.

Verify that the following are correct in your configuration:

  • External interfaces (the interface must be the one thatreceives IKE packets)

  • IKE policy parameters

  • Preshared key information

  • Phase 1 proposal parameters (must match on both peers)

The show security ike security-associations commandlists additional information about security associations:

  • Authentication and encryption algorithms used

  • Phase 1 lifetime

  • Traffic statistics (can be used to verify that trafficis flowing properly in both directions)

  • Role information

    Troubleshooting is best performed on the peer using the responderrole.

  • Initiator and responder information

  • Number of IPsec SAs created

  • Number of Phase 2 negotiations in progress

Verifying IPsec Security Associations for the Responder

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IPsec status.

Action

From operational mode, enter the show securityipsec security-associations command. After obtaining an indexnumber from the command, use the show security ipsec security-associationsindex index_number detail command.

Meaning

The output from the show security ipsec security-associations command lists the following information:

  • The remote gateway has a NAT address of 1.1.100.23.

  • Both peers in the IPsec SA pair are using port 4500, whichindicates that NAT-T is implemented. (NAT-T uses port 4500 or anotherrandom high-numbered port.)

  • The SPIs, lifetime (in seconds), and usage limits (orlifesize in KB) are shown for both directions. The 3571/ unlim valueindicates that the Phase 2 lifetime expires in 3571 seconds, and thatno lifesize has been specified, which indicates that it is unlimited.Phase 2 lifetime can differ from Phase 1 lifetime, as Phase 2 is notdependent on Phase 1 after the VPN is up.

  • VPN monitoring is not enabled for this SA, as indicatedby a hyphen in the Mon column. If VPN monitoring is enabled, U indicatesthat monitoring is up, and D indicates that monitoring is down.

  • The virtual system (vsys) is the root system, and it alwayslists 0.

See Also

  • IPsec Overview

  • Understanding Policy-Based IPsec VPNs

Example: Configuring NAT-T with Dynamic Endpoint VPN

This example shows how to configure a route-based VPN wherethe IKEv2 initiator is a dynamic endpoint behind a NAT device.

  • Requirements
  • Overview
  • Configuration
  • Verification

Requirements

This example uses the following hardware and softwarecomponents:

  • Two SRX Series Firewalls configured in a chassis cluster

  • One SRX Series Firewall providing NAT

  • One SRX Series Firewall providing branch office network access

  • Junos OS Release 12.1X46-D10 or later for IKEv2 NAT-Tsupport

Overview

In this example, an IPsec VPN is configured between the branchoffice (IKEv2 initiator) and headquarters (IKEv2 responder) to securenetwork traffic between the two locations. The branch office is locatedbehind the NAT device. The branch office address is assigned dynamicallyand is unknown to the responder. The initiator is configured withthe remote identity of the responder for tunnel negotiation. Thisconfiguration establishes a dynamic endpoint VPN between the peersacross the NAT device.

Figure 3 shows an example of a topologywith NAT-Traversal (NAT-T) and dynamic endpoint VPN.

Figure 3: NAT-T with Dynamic Endpoint VPNRoute-Based and Policy-Based VPNs with NAT-T | Junos OS (3)

In this example, the initiator’s IP address, 192.179.100.50,which has been dynamically assigned to the device, is hidden by theNAT device and translated to 100.10.1.253.

The following configuration options apply in this example:

  • The local identity configured on the initiator must matchthe remote gateway identity configured on the responder.

  • Phase 1 and Phase 2 options must match between the initiatorand responder.

In this example, the default security policy that permits alltraffic is used for all devices. More restrictive security policiesshould be configured for production environments. See Security Policies Overview.

Starting with JunosOS Release 12.1X46-D10 and Junos OS Release 17.3R1, the default valuefor the nat-keepalive option configured at the [editsecurity ike gateway gateway-name] hierarchylevel has been changed from 5 seconds to 20 seconds.

In SRX1400,SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involvingNAT traversal do not work if the IKE peer is behind a NAT device thatwill change the source IP address of the IKE packets during the negotiation.For example, if the NAT device is configured with DIP, it changesthe source IP because the IKE protocol switches the UDP port from500 to 4500. (Platform support depends on the Junos OS release inyour installation.)

Configuration

  • Configuring the Branch Office Device (IKEv2 Initiator)
  • Configuring the NAT Device
  • Configuring the Headquarters Device (IKEv2 Responder)

Configuring the Branch Office Device (IKEv2 Initiator)

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure the branch office device:

  1. Configure interfaces.

  2. Configure routing options.

  3. Configure zones.

  4. Configure Phase 1 options.

  5. Configure Phase 2 options.

  6. Configure the security policy.

Results

From configuration mode, confirm your configurationby entering the show interfaces, show routing-options, show security zones, show security ike, show security ipsec, and show security policies commands.If the output does not display the intended configuration, repeatthe configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring the NAT Device

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

To configure the intermediate router providing NAT:

  1. Configure interfaces.

  2. Configure zones.

  3. Configure NAT.

  4. Configure the default security policy.

Results

From configuration mode, confirm your configurationby entering the show interfaces, show security zones, show security nat source, and show security policies commands. If the output does not display the intended configuration,repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring the Headquarters Device (IKEv2 Responder)

  • CLI Quick Configuration
  • Step-by-Step Procedure
  • Results
CLI Quick Configuration

To quickly configure this example, copy the following commands,paste them into a text file, remove any line breaks, change any detailsnecessary to match your network configuration, copy and paste thecommands into the CLI at the [edit] hierarchy level, andthen enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode in the CLI User Guide.

  1. Configure two nodes as the chassis cluster.

  2. Configure interfaces.

  3. Configure routing options.

  4. Configure zones.

  5. Configure Phase 1 options.

  6. Configure Phase 2 options.

  7. Configure the default security policy.

Results

From configuration mode, confirm your configurationby entering the show chassis cluster, show interfaces, show routing-options, show security zones, show security ike, show security ipsec, and show security policies commands. If the output does not displaythe intended configuration, repeat the configuration instructionsin this example to correct it.

Verification

Confirm that the configuration is working properly.

  • Verifying the IKE Phase 1 Status for the Responder
  • Verifying IPsec Security Associations for the Responder

Verifying the IKE Phase 1 Status for the Responder

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IKE Phase 1 status.

Action

From operational mode on node 0, enter the show security ike security-associations command. Afterobtaining an index number from the command, use the showsecurity ike security-associations detail command.

Meaning

The show security ike security-associations commandlists all active IKE Phase 1 SAs. If no SAs are listed, there wasa problem with Phase 1 establishment. Check the IKE policy parametersand external interface settings in your configuration.

If SAs are listed, review the following information:

  • Index—This value is unique for each IKE SA, whichyou can use in the show security ike security-associations index index_id detail command to get more informationabout the SA.

  • Remote address—Verify that the local IP addressis correct and that port 4500 is being used for peer-to-peer communication.

  • Role responder state

    • Up—The Phase 1 SA has been established.

    • Down—There was a problem establishing the Phase1 SA.

    • Peer IKE ID—Verify the address is correct.

    • Local identity and remote identity—Verify theseaddresses are correct.

  • Mode—Verify that the correct mode is being used.

Verify that the following are correct in your configuration:

  • External interfaces (the interface must be the one thatsends IKE packets)

  • IKE policy parameters

  • Preshared key information

  • Phase 1 proposal parameters (must match on both peers)

The show security ike security-associations commandlists additional information about security associations:

  • Authentication and encryption algorithms used

  • Phase 1 lifetime

  • Traffic statistics (can be used to verify that trafficis flowing properly in both directions)

  • Role information

    Troubleshooting is best performed on the peer using the responderrole.

  • Initiator and responder information

  • Number of IPsec SAs created

  • Number of Phase 2 negotiations in progress

Verifying IPsec Security Associations for the Responder

  • Purpose
  • Action
  • Meaning
Purpose

Verify the IPsec status.

Action

From operational mode on node 0, enter the show security ipsec security-associations command.After obtaining an index number from the command, use the show security ipsec security-associations detail command.

Meaning

The output from the show security ipsec security-associations command lists the following information:

  • The remote gateway has an IP address of 100.10.1.253.

  • The SPIs, lifetime (in seconds), and usage limits (orlifesize in KB) are shown for both directions. The lifetime valueindicates that the Phase 2 lifetime expires in 7186 seconds, and thatno lifesize has been specified, which indicates that it is unlimited.Phase 2 lifetime can differ from Phase 1 lifetime, as Phase 2 is notdependent on Phase 1 after the VPN is up.

  • The virtual system (vsys) is the root system, and it alwayslists 0.

The output from the show security ipsec security-associationsindex index_id detail command lists thefollowing information:

  • The local identity and remote identity make up the proxyID for the SA.

    A proxy ID mismatch is one of the most common causes for a Phase2 failure. If no IPsec SA is listed, confirm that Phase 2 proposals,including the proxy ID settings, match for both peers. For route-basedVPNs, the default proxy ID is local=0.0.0.0/0, remote=0.0.0.0/0, andservice=any. Issues can occur with multiple route-based VPNs fromthe same peer IP. In this case, a unique proxy ID for each IPsec SAmust be specified. For some third-party vendors, the proxy ID mustbe manually entered to match.

  • Another common reason for Phase 2 failure is not specifyingthe ST interface binding. If IPsec cannot complete, check the kmdlog or set trace options.

See Also

  • IPsec Overview

  • Security Policies Overview

Related Documentation

  • Traffic Selectors in Route-BasedVPNs

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release

Description

12.1X46-D10

Starting with JunosOS Release 12.1X46-D10 and Junos OS Release 17.3R1, the default valuefor the nat-keepalive option configured at the [editsecurity ike gateway gateway-name] hierarchylevel has been changed from 5 seconds to 20 seconds.

Route-Based and Policy-Based VPNs with NAT-T | Junos OS (2024)
Top Articles
Netwrix Auditor for Active Directory
How To: Buy Bitcoin With Cash
Craigslist Houses For Rent In Denver Colorado
AllHere, praised for creating LAUSD’s $6M AI chatbot, files for bankruptcy
J & D E-Gitarre 905 HSS Bat Mark Goth Black bei uns günstig einkaufen
Greedfall Console Commands
Remnant Graveyard Elf
No Credit Check Apartments In West Palm Beach Fl
Hallelu-JaH - Psalm 119 - inleiding
Valentina Gonzalez Leak
Wisconsin Women's Volleyball Team Leaked Pictures
The fabulous trio of the Miller sisters
Mills and Main Street Tour
Diesel Mechanic Jobs Near Me Hiring
Byui Calendar Fall 2023
V-Pay: Sicherheit, Kosten und Alternativen - BankingGeek
Our History
Brazos Valley Busted Newspaper
Chime Ssi Payment 2023
Weathervane Broken Monorail
Star Wars Armada Wikia
Horses For Sale In Tn Craigslist
Royalfh Obituaries Home
Lbrands Login Aces
What we lost when Craigslist shut down its personals section
The Goonies Showtimes Near Marcus Rosemount Cinema
The Procurement Acronyms And Abbreviations That You Need To Know Short Forms Used In Procurement
Insidious 5 Showtimes Near Cinemark Southland Center And Xd
Package Store Open Near Me Open Now
Abga Gestation Calculator
Rogold Extension
About | Swan Medical Group
O'reilly Auto Parts Ozark Distribution Center Stockton Photos
Watchdocumentaries Gun Mayhem 2
Help with your flower delivery - Don's Florist & Gift Inc.
Chris Provost Daughter Addie
Clark County Ky Busted Newspaper
Ippa 番号
Streameast.xy2
Housing Intranet Unt
Lake Kingdom Moon 31
Wasmo Link Telegram
Locate phone number
Weekly Math Review Q2 7 Answer Key
Mitchell Kronish Obituary
Ghareeb Nawaz Texas Menu
Sechrest Davis Funeral Home High Point Nc
A rough Sunday for some of the NFL's best teams in 2023 led to the three biggest upsets: Analysis
Gander Mountain Mastercard Login
Grand Park Baseball Tournaments
Gummy Bear Hoco Proposal
The Missile Is Eepy Origin
Latest Posts
How to export an account's private key | MetaMask Help Center 🦊♥️
Where to Get a Debt Consolidation Loan
Article information

Author: Mrs. Angelic Larkin

Last Updated:

Views: 6110

Rating: 4.7 / 5 (47 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Mrs. Angelic Larkin

Birthday: 1992-06-28

Address: Apt. 413 8275 Mueller Overpass, South Magnolia, IA 99527-6023

Phone: +6824704719725

Job: District Real-Estate Facilitator

Hobby: Letterboxing, Vacation, Poi, Homebrewing, Mountain biking, Slacklining, Cabaret

Introduction: My name is Mrs. Angelic Larkin, I am a cute, charming, funny, determined, inexpensive, joyous, cheerful person who loves writing and wants to share my knowledge and understanding with you.