Setting up site-to-site on Juniper (JunOS) SRX


Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

 

Configuring at the Juniper SRX Firewall Interface

Please follow the steps below. Each step is accompanied by a command that needs to be executed at the JunOS interface.

1. Create a tunnel interface. Do not assign an IP address but make sure it’s enabled for layer 3 communication.

set interfaces st0 unit 0 family inet

2. Set up the IKE Proposal

set security ike proposal nordlayer description NordLayer-SRXTunnel
set security ike proposal nordlayer authentication-method pre-shared-keys
set security ike proposal nordlayer dh-group group14
set security ike proposal nordlayer authentication-algorithm sha-256
set security ike proposal nordlayer encryption-algorithm aes-256-cbc
set security ike proposal nordlayer lifetime-seconds 28800

3. Set up the IKE policy configuration

4. Replace SHARED_SHARED_STRING with the shared secret you have generated (we will also need this value on our end)

set security ike policy nordlayer-policy proposals p81
set security ike policy nordlayer-policy pre-shared-key ascii-text SHARED_SHARED_STRING

5. Set up the IKE gateway configuration

6. Replace NORDLAYER_GW_ADDRESS with the IP address of your NordLayer dedicated server, LOCAL_ADDRESS with your local public IP

External interface is the interface on which the above IP is configured (Local Identity Inet).

set security ike gateway nordlayer-ike-gateway ike-policy nordlayer-policy
set security ike gateway nordlayer-ike-gateway address NORDLAYER_GW_ADDRESS
set security ike gateway nordlayer-ike-gateway local-identity inet LOCAL_ADDRESS
set security ike gateway nordlayer-ike-gateway external-interface ge-0/0/0
set security ike gateway nordlayer-ike-gateway version v1-only

7. Set up the IPSec proposal

set security ipsec proposal nordlayer-proposal description NordLayer
set security ipsec proposal nordlayer-proposal protocol esp
set security ipsec proposal nordlayer-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal nordlayer-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal nordlayer-proposal lifetime-seconds 3600

8. Set up the IPSec policy configuration

Perfect Forward Secrecy must be enabled and reference the previously defined proposal.

set security ipsec policy ipsec-nordlayer-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-nordlayer-policy proposals nordlayer-proposal

9. Bind your tunnel interface and apply configurations

set security ipsec vpn nordlayer-ipsec bind-interface st0.0
set security ipsec vpn nordlayer-ipsec ike gateway nordlayer-ike-gateway
set security ipsec vpn nordlayer-ipsec ike ipsec-policy ipsec-nordlayer-policy
set security ipsec vpn nordlayer-ipsec establish-tunnels on-traffic
set security address-book global address nordlayer_internal 10.6.0.0/20

10. Set Firewall security policies

Important

If you place the tunnel interface into your trust zone or a zone where everything is allowed, then this step can be omitted. Otherwise, you'll need to adjust according to your network topology and particular use case.

In this example, we are allowing icmp and ssh from zone “vpn” with a source address of 10.6.0.0/16 to any address in zone “trust”.

set security policies from-zone vpn to-zone trust policy vpn-internal match source-address nordlayer_internal
set security policies from-zone vpn to-zone trust policy vpn-internal match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-icmp-all
set security policies from-zone vpn to-zone trust policy vpn-internal match application junos-ssh
set security policies from-zone vpn to-zone trust policy vpn-internal then permit

11. Set host inbound services. We must allow services destined to the firewall interfaces as well. IKE is a must in this case. Not only the tunnel interface must have it, but also your public-facing interface.

set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

12. Define a static route to the NordLayer network

set routing-options static route 10.6.0.0/20 next-hop st0.0

 

Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via privnote.com

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.


Return to top