VNS3 IPsec Configuration VNS3 to Juniper SSG

© 2018

Site-to-Site IPsec Tunnel


The IPsec protocol allows you to securely connect two sites over the public internet using cryptographically secured services. IPsec ensures private and secure communication between two devices. This type of VPN has many use cases; here we focus on the Site-to-Site (LAN-to-LAN) setup most often used with VNS3 to build hybrid clouds.

Many network hardware devices support IPsec tunneling. Check your device's data sheet to see if it is compatible with VNS3. The requirements are:

• IKEv1 or IKEv2
• AES256, AES128 or 3DES
• SHA1 or MD5
• NAT-Traversal capability (some clouds require NAT-Traversal encapsulation - AWS Generic EC2, Microsoft Azure, etc.)

A diagram of the typical secure hybrid cloud setup using VNS3 is shown below. The IPsec tunnel provides secure and encrypted connectivity between the office subnet (192.169.3.0/24) and the VNS3 Overlay Network (172.31.1.0/24).

This guide will provide steps to setup the Juniper SSG side of the IPsec configuration.

The most important thing in any IPsec configuration is to make sure all settings match on both devices that are going to connect to each other. Mismatches are the primary cause for tunnel failure or instability.

Diagram: typical secure hybrid cloud setup (labels recovered from the figure)

• Public Cloud: Overlay Network Subnet 172.31.1.0/24; Cloud Server Overlay IP 172.31.1.1; VNS3 public IP 184.73.174.250, overlay IP 172.31.1.250
• Customer Remote Office: remote subnet 192.168.3.0/24; Server A LAN IP 192.168.3.50; Server B LAN IP 192.168.3.100; Firewall / IPsec: Juniper SSG
• Active IPsec tunnel: 192.168.3.0/24 - 172.31.1.0/24


Create Tunnel Interface


The first step in setting up an IPsec tunnel is to create the tunnel interface the Juniper will use for the connection, if one is not already created and ready for use.

Click Network>Interface>List from the right column menu.

Click New in the top right of the resulting Interfaces List page next to the drop down menu with Tunnel IF selected.

Enter a tunnel integer in the Tunnel Interface Name field. In this example we use 1 as no other tunnel interfaces are configured.

Select Trust from the Zone (VR) drop down menu.

Select the Unnumbered radio button and select the outside or public interface from the drop down list. In our example we use ethernet0/0 (trust-vr), as that is the port used to reach the public Internet through our Network Lab edge.

Click OK.


Create Phase 1 Proposal Object


It is a recommended best practice to create a specific Phase 1 proposal definition for the VNS3 configuration and to specify only that proposal in the Gateway setup. This prevents the tunnel from being negotiated with other parameters.

Click VPNs>AutoKey Advanced>P1 Proposal.

Click New.

Enter a Name in the Name field. In this example we use VNS3 P1.

Select Preshare from the Authentication Method drop down.

Select Group 5 from the DH Group drop down.

Select AES-CBC(256 Bits) from the Encryption Algorithm drop down.

Select SHA-1 from the Hash Algorithm drop down.

Enter 3600 in the Lifetime field and click the Sec radio button.

Click OK.

NOTE: these are the default and recommended VNS3 settings for Phase 1. You can use whatever settings you choose, just remember they need to match exactly with the VNS3 side of the configuration.


Create Phase 2 Proposal Object


It is a recommended best practice to create a specific Phase 2 proposal definition for the VNS3 configuration and to specify only that proposal in the AutoKey IKE setup. This prevents the tunnel from being negotiated with other parameters.

Click VPNs>AutoKey Advanced>P2 Proposal.

Click New.

Enter a Name in the Name field. In this example we use VNS3 P1.

Select DH Group 5 from the Perfect Forward Secrecy drop down.

Select AES-CBC(256 Bits) from the Encryption Algorithm drop down.

Select SHA-1 from the Hash Algorithm drop down.

Enter 2800 in the Lifetime field and click the Sec radio button.

Click OK.

NOTE: these are the default and recommended VNS3 settings for Phase 2. You can use whatever settings you choose, just remember they need to match exactly with the VNS3 side of the configuration.
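Because the Phase 1 and Phase 2 proposals must match exactly on both peers, and because the two vendors spell the same algorithms differently, it helps to compare the two sides mechanically before bringing the tunnel up. The script below is an added example and not Cohesive Networks or Juniper code: it normalises the Juniper spellings shown in this guide ("AES-CBC(256 Bits)", "SHA-1", "Group 5", "Preshare") against a lower-case VNS3-side spelling that is assumed for illustration (aes256, sha1, group5, psk), reports every mismatch, and additionally flags 3DES and MD5, which the requirements list accepts but which are weak by current standards.

```python
"""Compare IKE Phase 1 / Phase 2 proposals configured on two IPsec peers.

Added example, not Cohesive Networks or Juniper code. The Juniper-side
spellings are the ones this guide shows in the ScreenOS GUI; the VNS3-side
spellings (aes256, sha1, group5, psk) are assumed for illustration.
"""
import re
from dataclasses import dataclass

# Vendor spellings mapped to one canonical token, so that "AES-CBC(256 Bits)"
# on the Juniper compares equal to "aes256" on the VNS3 side.
CANON = {
    "aes-cbc(256 bits)": "aes256", "aes-256-cbc": "aes256",
    "aes-cbc(128 bits)": "aes128", "aes-128-cbc": "aes128",
    "3des-cbc": "3des", "des-ede3-cbc": "3des",
    "sha-1": "sha1", "hmac-sha1": "sha1", "hmac-md5": "md5",
    "group 2": "group2", "modp1024": "group2",
    "group 5": "group5", "modp1536": "group5",
    "group 14": "group14", "modp2048": "group14",
    "preshare": "psk", "pre-shared key": "psk", "preshared": "psk",
}

# Accepted by the guide's requirements list, but weak by today's standards.
WEAK = {"3des", "md5"}


def canon(name: str) -> str:
    """Lower-case, collapse whitespace, drop a leading 'dh ' and map via CANON."""
    key = re.sub(r"\s+", " ", name.strip().lower())
    key = re.sub(r"^dh ", "", key)
    return CANON.get(key, key)


@dataclass(frozen=True)
class Proposal:
    encryption: str
    hash_alg: str
    dh_group: str        # Phase 1 DH group, or the PFS group for Phase 2
    lifetime_sec: int
    auth: str = ""       # Phase 1 authentication method; unused for Phase 2


def compare(phase, a, b, a_name="Juniper", b_name="VNS3"):
    """Return human-readable findings; an empty list means the proposals match."""
    findings = []
    for field in ("encryption", "hash_alg", "dh_group", "auth"):
        x, y = canon(getattr(a, field)), canon(getattr(b, field))
        if x != y:
            findings.append(f"{phase} {field} mismatch: {a_name}={x!r} {b_name}={y!r}")
        for alg in dict.fromkeys((x, y)):   # each distinct value once
            if alg in WEAK:
                findings.append(f"{phase} {field} uses weak algorithm {alg!r}")
    if a.lifetime_sec != b.lifetime_sec:
        findings.append(f"{phase} lifetime mismatch: {a_name}={a.lifetime_sec}s "
                        f"{b_name}={b.lifetime_sec}s")
    return findings


def check_tunnel(juniper_p1, juniper_p2, vns3_p1, vns3_p2):
    """Compare both phases and concatenate the findings."""
    return compare("Phase 1", juniper_p1, vns3_p1) + compare("Phase 2", juniper_p2, vns3_p2)


# Juniper values exactly as entered in this guide.
JUNIPER_P1 = Proposal("AES-CBC(256 Bits)", "SHA-1", "Group 5", 3600, auth="Preshare")
JUNIPER_P2 = Proposal("AES-CBC(256 Bits)", "SHA-1", "DH Group 5", 2800)
# VNS3 side, spelled the way an operator might export it (assumed spelling).
VNS3_P1 = Proposal("aes256", "sha1", "group5", 3600, auth="psk")
VNS3_P2 = Proposal("aes256", "sha1", "group5", 2800)
# Constructed mismatch: MD5 integrity and a different lifetime on the VNS3 side.
VNS3_P2_BAD = Proposal("aes256", "md5", "group5", 28800)

if __name__ == "__main__":
    for line in check_tunnel(JUNIPER_P1, JUNIPER_P2, VNS3_P1, VNS3_P2_BAD) or ["proposals match"]:
        print(line)
```

Run with the matching pair and the result is empty; with the constructed VNS3_P2_BAD it reports the hash mismatch, the MD5 weakness and the lifetime mismatch, which is exactly the class of error the NOTE above warns about.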


Create Gateway (Phase 1)


Create a Gateway configuration for the VNS3 Controller on the Juniper to provide details about IPsec Phase 1 negotiation.

Click VPNs>AutoKey Advanced>Gateway.

Enter a Name for the Gateway.

Select Remote Gateway and Static IP Address.

Enter the Public IP of the VNS3 Controller in the IP Address/Hostname field.

*If using NAT-Traversal Encapsulation you will need to enter the VNS3 Local Private IP (default 192.0.2.254) in the Peer ID field.

Click Advanced.

Enter a PSK in the Preshared Key field. In our example we use test.

If the Juniper is not at the network edge, enter its NAT'd IP in the Local ID field.

Click on the Custom User Defined radio button under Security Level then select the custom VNS3 Phase 1 proposal created earlier.

Click Enable NAT-Traversal if using NAT-Traversal Encapsulation.

Click Return then OK.


Add VPN: Proposals


Now that the remote Gateway (VNS3) is defined and Phase 1 settings are configured, Phase 2 parameters can be entered.

Click VPNs>AutoKey IKE.

Enter a Name for the AutoKey IKE Object in the VPN Name field.

Click the Remote Gateway radio button.

Click Predefined and select the Gateway that was just created.

Click Advanced.

Click on the Custom User Defined radio button under Security Level then select the custom VNS3 Phase 2 proposal created earlier.

Click Tunnel Interface then select the tunnel.1 interface previously created under Bind to.

Click Return then OK.


Add Policies


Now that the Gateway, Phase 1 and Phase 2 definitions have been added to the Juniper, the next step is to set up the policies that allow traffic between the local and remote subnets to pass.

Two rules are required for each tunnel.

1. Rule from Trust Zone to Untrust Zone - this rule allows traffic from the local subnet (Juniper subnet - in our example 192.168.5.0/24) to the remote subnet (VNS3 Overlay subnet - in our example 172.31.1.0/24).

2. Rule from Untrust Zone to Trust Zone - this rule allows traffic from the remote subnet (VNS3 Overlay subnet - in our example 172.31.1.0/24) to the local subnet (Juniper subnet - in our example 192.168.5.0/24).

For Rule #1 Above select Trust on the From drop down and Untrust on the To drop down, then click New.

Enter the Source (192.168.5.0/24) and Destination (172.31.1.0/24) addresses, select ANY in the Service drop down and click OK.

For Rule #2 above select Untrust on the From drop down and Trust on the To drop down, then click New.

Enter the Source (172.31.1.0/24) and Destination (192.168.5.0/24) addresses, select ANY in the Service drop down and click OK.


IPsec Review


Finally, we need to add the route that sends traffic from the Juniper subnet through the tunnel interface to the VNS3 remote Overlay subnet.

Click Routing>Destination.

Enter the VNS3 remote Overlay subnet (172.31.1.0/24 in our example) in the IP Address/Netmask field.

Click the Gateway radio button and select tunnel.1 from the Interface drop down.

Click OK.


Troubleshooting


Tunnel Traffic


Depending on your network architecture, tunnel traffic may need to be passed from the Juniper side of the connection to start the initial IPsec negotiation. Ping the VNS3 Controller instance's Overlay IP address (listed on the Runtime Status page) from a device on the Juniper local subnet.


Peer ID


If VNS3 has NAT-Traversal enabled (the VNS3 default setting), you will need to enter the Peer ID in the Gateway definition. Without it, there will be INVALID_ID errors in the VNS3 IPsec logs and the tunnel will not negotiate.

If VNS3 has NAT-Traversal disabled, you will not need to enter the Peer ID.
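The Gateway definition (public IP, Peer ID, Local ID, NAT-Traversal, PSK) is where the remaining tunnel-killing mismatches live, so a small validator that mirrors that form is a practical troubleshooting aid. The script below is an added example and not Cohesive Networks or Juniper code; its field names follow the Gateway form described earlier in this guide, the VNS3 default local private IP 192.0.2.254 and the VNS3 public IP 184.73.174.250 are taken from the guide, the sample definitions are constructed, and the PSK-length threshold is an assumption of this example rather than a Juniper or VNS3 rule.

```python
"""Validate a Juniper SSG Gateway definition against the VNS3 side.

Added example (not Cohesive Networks or Juniper code). Field names mirror the
Gateway form in this guide; sample values are constructed. The PSK length
threshold is an assumption of this example, not a vendor requirement.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VNS3_DEFAULT_LOCAL_PRIVATE_IP = "192.0.2.254"   # VNS3 default, as given in the guide
MIN_PSK_LEN = 20                                # assumed threshold for this example


@dataclass
class GatewayDefinition:
    name: str
    address: str                    # IP Address/Hostname field: VNS3 public IP
    preshared_key: str              # Preshared Key field
    nat_traversal: bool             # "Enable NAT-Traversal" checkbox
    peer_id: Optional[str] = None   # Peer ID: required when NAT-Traversal is in use
    local_id: Optional[str] = None  # Local ID: the Juniper's NAT'd IP when not at the edge
    behind_nat: bool = False        # is the Juniper itself behind a NAT?


def check_gateway(gw: GatewayDefinition, vns3_nat_traversal: bool,
                  vns3_local_private_ip: str = VNS3_DEFAULT_LOCAL_PRIVATE_IP) -> List[str]:
    """Return findings that would stop negotiation or weaken the tunnel."""
    findings = []

    # "Static IP Address" expects a literal address, not a hostname.
    try:
        ipaddress.ip_address(gw.address)
    except ValueError:
        findings.append(f"address {gw.address!r} is not an IP literal; "
                        "Static IP Address expects one")

    # NAT-Traversal must be enabled on both peers or on neither.
    if gw.nat_traversal != vns3_nat_traversal:
        findings.append("NAT-Traversal is enabled on one side only")

    # With NAT-T the VNS3 identifies itself by its local private IP, so the
    # Juniper must expect exactly that value; otherwise VNS3 logs INVALID_ID.
    if vns3_nat_traversal and gw.peer_id != vns3_local_private_ip:
        findings.append(f"Peer ID must be the VNS3 local private IP "
                        f"{vns3_local_private_ip} (got {gw.peer_id!r}); "
                        "expect INVALID_ID in the VNS3 IPsec log")

    # A Juniper behind NAT needs its NAT'd IP as Local ID.
    if gw.behind_nat and not gw.local_id:
        findings.append("Juniper is behind NAT but Local ID (its NAT'd IP) is empty")

    # Lab PSKs like "test" are fine for a walkthrough but not for production.
    if len(gw.preshared_key) < MIN_PSK_LEN:
        findings.append(f"preshared key is shorter than {MIN_PSK_LEN} characters; "
                        "use a long random PSK outside of lab testing")
    return findings


# Constructed definitions using the addresses shown in this guide.
LAB_GATEWAY = GatewayDefinition("vns3-gw", "184.73.174.250", "test",
                                nat_traversal=True, peer_id="192.0.2.254")
MISSING_PEER_ID = GatewayDefinition("vns3-gw", "184.73.174.250", "test",
                                    nat_traversal=True)

if __name__ == "__main__":
    for finding in check_gateway(MISSING_PEER_ID, vns3_nat_traversal=True):
        print(finding)
```

With NAT-Traversal enabled on the VNS3 side, LAB_GATEWAY passes except for the short lab PSK, while MISSING_PEER_ID additionally reports the missing Peer ID; flipping the VNS3 side to NAT-Traversal disabled turns the Peer ID finding into a NAT-Traversal mismatch instead, matching the two cases described above.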


VPN Monitor


Juniper recommends enabling VPN Monitor in all of its policy-based VPN setup guides. VPN Monitor is not supported in connections to VNS3 Managers; it prevents traffic from traversing the tunnel.

Make sure VPN Monitor is disabled on the VPNs>AutoKey IKE>Advanced page.


VNS3 Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions (Free & Lite Editions | BYOL)
Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document
Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Troubleshooting
Troubleshooting document that explains the issues most commonly experienced with VNS3.