Setting up site-to-site on Juniper (JunOS) SRX
  • 3 Minutes to read

    Setting up site-to-site on Juniper (JunOS) SRX


      Article summary

      Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

      Configuring at the Juniper SRX Firewall Interface

      Please follow the steps below. Each step is accompanied by a command that needs to be executed at the JunOS interface.

      1. Create a tunnel interface. Do not assign an IP address but make sure it’s enabled for layer 3 communication.
      set interfaces st0 unit 0 family inet
      
      1. Set up the IKE Proposal
      set security ike proposal nordlayer description NordLayer-SRXTunnel
      set security ike proposal nordlayer authentication-method pre-shared-keys
      set security ike proposal nordlayer dh-group group14
      set security ike proposal nordlayer authentication-algorithm sha-256
      set security ike proposal nordlayer encryption-algorithm aes-256-cbc
      set security ike proposal nordlayer lifetime-seconds 28800
      
      1. Set up the IKE policy configuration

      2. Replace SHARED_SHARED_STRING with the shared secret you have generated (we will also need this value on our end)

      set security ike policy nordlayer-policy proposals p81
      set security ike policy nordlayer-policy pre-shared-key ascii-text SHARED_SHARED_STRING
      
      1. Set up the IKE gateway configuration

      2. Replace NORDLAYER_GW_ADDRESS with the IP address of your NordLayer dedicated server, LOCAL_ADDRESS with your local public IP

      External interface is the interface on which the above IP is configured (Local Identity Inet).

      set security ike gateway nordlayer-ike-gateway ike-policy nordlayer-policy
      set security ike gateway nordlayer-ike-gateway address NORDLAYER_GW_ADDRESS
      set security ike gateway nordlayer-ike-gateway local-identity inet LOCAL_ADDRESS
      set security ike gateway nordlayer-ike-gateway external-interface ge-0/0/0
      set security ike gateway nordlayer-ike-gateway version v1-only
      
      1. Set up the IPSec proposal
      set security ipsec proposal nordlayer-proposal description NordLayer
      set security ipsec proposal nordlayer-proposal protocol esp
      set security ipsec proposal nordlayer-proposal authentication-algorithm hmac-sha-256-128
      set security ipsec proposal nordlayer-proposal encryption-algorithm aes-256-cbc
      set security ipsec proposal nordlayer-proposal lifetime-seconds 3600
      
      1. Set up the IPSec policy configuration

      Perfect Forward Secrecy must be enabled and reference the previously defined proposal.

      set security ipsec policy ipsec-nordlayer-policy perfect-forward-secrecy keys group2
      set security ipsec policy ipsec-nordlayer-policy proposals nordlayer-proposal
      
      1. Bind your tunnel interface and apply configurations
      set security ipsec vpn nordlayer-ipsec bind-interface st0.0
      set security ipsec vpn nordlayer-ipsec ike gateway nordlayer-ike-gateway
      set security ipsec vpn nordlayer-ipsec ike ipsec-policy ipsec-nordlayer-policy
      set security ipsec vpn nordlayer-ipsec establish-tunnels on-traffic
      set security address-book global address nordlayer_internal 10.6.0.0/20
      
      1. Set Firewall security policies

      Important

      If you place the tunnel interface into your trust zone or a zone where everything is allowed, then this step can be omitted. Otherwise, you'll need to adjust according to your network topology and particular use case.

      In this example, we are allowing icmp and ssh from zone “vpn” with a source address of 10.6.0.0/16 to any address in zone “trust”.

      set security policies from-zone vpn to-zone trust policy vpn-internal match source-address nordlayer_internal
      set security policies from-zone vpn to-zone trust policy vpn-internal match destination-address any
      set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-icmp-all
      set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-ssh
      set security policies from-zone vpn to-zone trust policy vpn-internal then permit
      
      1. Set host inbound services. We must allow services destined to the firewall interfaces as well. IKE is a must in this case. Not only the tunnel interface must have it, but also your public-facing interface.
      set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ike
      set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
      
      1. Define a static route to the NordLayer network
      set routing-options static route 10.6.0.0/20 next-hop st0.0
      

      Ending note:

      In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

      • Pre-shared key - you can generate it or we can provide it
      • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
      • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
      • Remote subnet and mask (the subnet is used in your local network)

      Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.


      Was this article helpful?