- 3 Minutes to read
Setting up site-to-site on Juniper (JunOS) SRX
- 3 Minutes to read
Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.
Configuring at the Juniper SRX Firewall Interface
Please follow the steps below. Each step is accompanied by a command that needs to be executed at the JunOS interface.
- Create a tunnel interface. Do not assign an IP address but make sure it’s enabled for layer 3 communication.
set interfaces st0 unit 0 family inet
- Set up the IKE Proposal
set security ike proposal nordlayer description NordLayer-SRXTunnel
set security ike proposal nordlayer authentication-method pre-shared-keys
set security ike proposal nordlayer dh-group group14
set security ike proposal nordlayer authentication-algorithm sha-256
set security ike proposal nordlayer encryption-algorithm aes-256-cbc
set security ike proposal nordlayer lifetime-seconds 28800
Set up the IKE policy configuration
Replace SHARED_SHARED_STRING with the shared secret you have generated (we will also need this value on our end)
set security ike policy nordlayer-policy proposals p81
set security ike policy nordlayer-policy pre-shared-key ascii-text SHARED_SHARED_STRING
Set up the IKE gateway configuration
Replace NORDLAYER_GW_ADDRESS with the IP address of your NordLayer dedicated server, LOCAL_ADDRESS with your local public IP
External interface is the interface on which the above IP is configured (Local Identity Inet).
set security ike gateway nordlayer-ike-gateway ike-policy nordlayer-policy
set security ike gateway nordlayer-ike-gateway address NORDLAYER_GW_ADDRESS
set security ike gateway nordlayer-ike-gateway local-identity inet LOCAL_ADDRESS
set security ike gateway nordlayer-ike-gateway external-interface ge-0/0/0
set security ike gateway nordlayer-ike-gateway version v1-only
- Set up the IPSec proposal
set security ipsec proposal nordlayer-proposal description NordLayer
set security ipsec proposal nordlayer-proposal protocol esp
set security ipsec proposal nordlayer-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal nordlayer-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal nordlayer-proposal lifetime-seconds 3600
- Set up the IPSec policy configuration
Perfect Forward Secrecy must be enabled and reference the previously defined proposal.
set security ipsec policy ipsec-nordlayer-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-nordlayer-policy proposals nordlayer-proposal
- Bind your tunnel interface and apply configurations
set security ipsec vpn nordlayer-ipsec bind-interface st0.0
set security ipsec vpn nordlayer-ipsec ike gateway nordlayer-ike-gateway
set security ipsec vpn nordlayer-ipsec ike ipsec-policy ipsec-nordlayer-policy
set security ipsec vpn nordlayer-ipsec establish-tunnels on-traffic
set security address-book global address nordlayer_internal 10.6.0.0/20
- Set Firewall security policies
Important
If you place the tunnel interface into your trust zone or a zone where everything is allowed, then this step can be omitted. Otherwise, you'll need to adjust according to your network topology and particular use case.
In this example, we are allowing icmp and ssh from zone “vpn” with a source address of 10.6.0.0/16 to any address in zone “trust”.
set security policies from-zone vpn to-zone trust policy vpn-internal match source-address nordlayer_internal
set security policies from-zone vpn to-zone trust policy vpn-internal match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-icmp-all
set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-ssh
set security policies from-zone vpn to-zone trust policy vpn-internal then permit
- Set host inbound services. We must allow services destined to the firewall interfaces as well. IKE is a must in this case. Not only the tunnel interface must have it, but also your public-facing interface.
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
- Define a static route to the NordLayer network
set routing-options static route 10.6.0.0/20 next-hop st0.0
Ending note:
In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:
- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the dedicated server)
- Remote subnet and mask (the subnet is used in your local network)
Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.