Ipsec Between Srx and Vyos

IPSEC between SRX and VYOS I wasn’t aware of VYOS security device till I was searching for a virtual Vyatta appliance. Then I learned that Vyatta was actually acquired by Brocade and after that community fork of Vyatta which is now VYOS has been brought to life. VYOS is using strongswan for IPSEC and on this post, I will show how you can configure a simple site to site IPSEC VPN between an SRX security device and VYOS. Let’s dive right into the config

First configure IKE and IPSEC on SRX side. SRX IKE Config {primary:node0}[edit] root@SRX# show security ike proposal prop-basic { authentication-method pre-sh

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

{primary:node0}[edit] root@SRX# show security ike proposal prop-basic { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 7200; } policy pol-basic { mode main; proposals prop-basic; pre-shared-key ascii-text "$9$7BNb24oGji.2gTz6/tp"; ## SECRET-DATA }

16 17 gateway vyos2 { 18 ike-policy pol-basic; 19 address 76.1.1.2; 20 external-interface reth1.953; 21 } SRX IPSEC Config {primary:node0}[edit] root@SRX# show security ipse proposal prop-basic { protocol esp;

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

{primary:node0}[edit] root@SRX# show security ipsec proposal prop-basic { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; lifetime-seconds 3600; } policy pol-basic { proposals prop-basic; } vpn vyos2-1 { bind-interface st0.5; ike { gateway vyos2; proxy-identity { local 20.1.1.0/24; remote 10.1.1.0/24; } ipsec-policy pol-basic; } establish-tunnels immediately; } Don’t forget the followings either i.e st tunnel family inet, zone assignment and allowing IKE service on external interface.

{primary:node0}[edit] root@SRX# show interfaces st family inet;

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

{primary:node0}[edit] root@SRX# show interfaces st0.5 family inet; {primary:node0}[edit] root@SRX# show security zones security-zone VPN interfaces { st0.5; } root@SRX# show security zones security-zone INTERNET host-inbound-traffic { system-services { ike; ssh; ping; } } interfaces { reth1.953; } SRX side of the IPSEC config is completed. Now VYOS side; VYOS Phase 2 set vpn ipsec set vpn ipsec set vpn ipsec set vpn ipsec

1 2 3 4 5 6

esp-group esp-co esp-group esp-co esp-group esp-co esp-group esp-co

set vpn ipsec esp-group esp-co compression 'disable' set vpn ipsec esp-group esp-co lifetime '3600' set vpn ipsec esp-group esp-co mode 'tunnel' set vpn ipsec esp-group esp-co pfs 'disable' set vpn ipsec esp-group esp-co proposal 1 encryption '3des' set vpn ipsec esp-group esp-co proposal 1 hash 'sha1'

VYOS Phase 1 set vpn ipsec set vpn ipsec set vpn ipsec set vpn ipsec

1 2 3 4

ike-group co lifetim ike-group co prop ike-group co prop ike-group co prop

set vpn ipsec ike-group co lifetime '7200' set vpn ipsec ike-group co proposal 1 dh-group '2' set vpn ipsec ike-group co proposal 1 encryption '3des' set vpn ipsec ike-group co proposal 1 hash 'sha1' Enable IPSEC on the interface set vpn ipsec ipsec-interfaces i

1

set vpn ipsec ipsec-interfaces interface 'eth1.1400' Remote Peer Config set vpn ipsec set vpn ipsec set vpn ipsec set vpn ipsec

1 2 3 4 5 6 7 8 9 10

site-to-site peer 1 site-to-site peer 1 site-to-site peer 1 site-to-site peer 1

set vpn ipsec site-to-site peer 192.168.9.2 authentication id '76.1.1.2' set vpn ipsec site-to-site peer 192.168.9.2 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 192.168.9.2 authentication pre-shared-secret 'lab123' set vpn ipsec site-to-site peer 192.168.9.2 connection-type 'initiate' set vpn ipsec site-to-site peer 192.168.9.2 default-esp-group 'esp-co' set vpn ipsec site-to-site peer 192.168.9.2 ike-group 'co' set vpn ipsec site-to-site peer 192.168.9.2 local-address '76.1.1.2' set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 local prefix '10.1.1.0/24' set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 protocol 'all' set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 remote prefix '20.1.1.0/24' Now verification time SRX

{primary:node0} root@SRX> show security ike s node0: --------------------------------------

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

{primary:node0} root@SRX> show security ike sa node0: -------------------------------------------------------------------------Index State Initiator cookie Responder cookie Mode Remote Address 2523228 UP 3db0cde4100411fb 0a816f43565434a3 Main 76.1.1.2 {primary:node0} root@SRX> show security ipsec sa node0: -------------------------------------------------------------------------Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131079 ESP:3des/sha1 8ba57ac1 2470/ unlim - root 500 76.1.1.2 >131079 ESP:3des/sha1 ca64d806 2470/ unlim - root 500 76.1.1.2 VYOS vyos@vyos:~$ show vpn ike s Peer ID / IP Loc ---------------192.168.9.2 76

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

vyos@vyos:~$ show vpn ike sa Peer ID / IP Local ID / IP -----------------------192.168.9.2 76.1.1.2 State Encrypt Hash D-H Grp NAT-T A-Time L-Time ----- ------- ---- ------- ----- ------ -----up 3des sha1 2 no 2180 7200 vyos@vyos:~$ show vpn ipsec sa Peer ID / IP Local ID / IP -----------------------192.168.9.2 76.1.1.2 Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto ------ ----- ------------- ------- ---- ----- ------ ------ ----1 up 0.0/0.0 3des sha1 no 1943 3600 all

18 It seems everything is right. Both Phase1 and Phase2 SAs are installed. Now enjoy your tunnel:)