Juniper SRX: VPN configuration example

This page provides more detailed information for configuring a VPN in Skytap for use with a Juniper SRX endpoint on your external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as a sample configuration file you can use for your Juniper SRX device.

For general information, see Creating a VPN connection to your Skytap account.


Skytap VPN configuration

Parameters to enter on your Skytap VPN page (each parameter name is followed by the value to enter):

Name
    Name for your Skytap VPN.
    Example: CorporateVPN

Remote Peer IP
    [CUSTOMER VPN ENDPOINT] value from the sample configuration file below.

Region
    N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).
    Example: US-West

Skytap peer IP
    An available public IP address in your Skytap account. Select a public IP in the same region as the VMs you want to connect to.
    Example: 76.32.14.101
    Enter this as the [SKYTAP VPN ENDPOINT] value in the sample configuration file below.

Skytap subnet
    [SKYTAP VM IP RANGE] value from the sample configuration file below.
    This is the range of VM IP addresses in Skytap that sends and receives traffic through this VPN. It can't overlap with the included remote subnets defined below.
    You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can't use 0.0.0.0/0 for both local and remote subnets.

Apply NAT for Connected Networks
    YES

Topology
    Policy-based

Phase 1 Encryption Algorithm
    aes

Phase 1 Hash Algorithm
    sha1

Phase 1 pre-shared Key
    [SHARED SECRET KEY] value from the sample configuration file below.

Phase 1 SA lifetime
    28800

Phase 1 DH group
    modp1536 (5)

Phase 2 encryption algorithm
    aes

Phase 2 authentication algorithm
    hmac_sha1

Phase 2 perfect forward secrecy (PFS)
    ON

Phase 2 PFS group
    Group 2

Phase 2 SA lifetime
    3600

SA policy level
    require

Specify maximum segment size
    NO

Maximum segment size
    N/A

Dead peer detection
    OFF

Included remote subnets
    [INTERNAL ALLOWED IP RANGE] value from the sample configuration file below.
    These are the IP addresses and subnets on the external network that send and receive traffic through this VPN.
    Example: 10.1.15.0/24
    You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can't use 0.0.0.0/0 for both local and remote subnets.

Excluded remote subnets
    Subset of IP addresses and subnets on the external network that should be excluded from using the VPN tunnel. This is only used to define exclusions for VPN traffic from larger included remote subnets.
    Example: 10.1.15.17/32

Sample Juniper SRX device configuration file

These are the parameters to enter in the Juniper SRX device configuration file. Replace [VARIABLES] with specific values from Skytap or your corporate policy. The IKE proposal's dh-group (group5) corresponds to the Phase 1 DH group modp1536 (5) entered on the Skytap VPN page, and the IPsec policy's perfect-forward-secrecy group (group2) corresponds to the Phase 2 PFS group; the two sides must agree or the tunnel will not negotiate.

    set interfaces [EXTERNAL INTERFACE] unit 0 family inet address [CUSTOMER VPN ENDPOINT]
    set interfaces [INTERNAL INTERFACE] unit 0 family inet address [CUSTOMER INTERNAL NETWORK]
    set security ike proposal [IKE PROPOSAL NAME] authentication-method pre-shared-keys
    set security ike proposal [IKE PROPOSAL NAME] dh-group group5
    set security ike proposal [IKE PROPOSAL NAME] authentication-algorithm sha1
    set security ike proposal [IKE PROPOSAL NAME] encryption-algorithm aes-128-cbc
    set security ike proposal [IKE PROPOSAL NAME] lifetime-seconds 28800
    set security ike policy [IKE POLICY NAME] mode main
    set security ike policy [IKE POLICY NAME] proposals [IKE PROPOSAL NAME]
    set security ike policy [IKE POLICY NAME] pre-shared-key [SHARED SECRET KEY]
    set security ike gateway [GATEWAY NAME] ike-policy [IKE POLICY NAME]
    set security ike gateway [GATEWAY NAME] address [SKYTAP VPN ENDPOINT]
    set security ike gateway [GATEWAY NAME] external-interface [EXTERNAL INTERFACE].0
    set security ipsec traceoptions flag security-associations
    set security ipsec proposal [IPSEC PROPOSAL NAME] protocol esp
    set security ipsec proposal [IPSEC PROPOSAL NAME] authentication-algorithm hmac-sha1-96
    set security ipsec proposal [IPSEC PROPOSAL NAME] encryption-algorithm aes-128-cbc
    set security ipsec proposal [IPSEC PROPOSAL NAME] lifetime-seconds 3600
    set security ipsec policy [IPSEC POLICY NAME] perfect-forward-secrecy keys group2
    set security ipsec policy [IPSEC POLICY NAME] proposals [IPSEC PROPOSAL NAME]
    set security ipsec vpn [VPN NAME] df-bit clear
    set security ipsec vpn [VPN NAME] ike gateway [GATEWAY NAME]
    set security ipsec vpn [VPN NAME] ike ipsec-policy [IPSEC POLICY NAME]
    set security address-book [ADDRESS BOOK INTERNAL NAME] address [INTERNAL SUBNET NAME] [INTERNAL ALLOWED IP RANGE]
    set security address-book [ADDRESS BOOK INTERNAL NAME] attach zone [INTERNAL ZONE NAME]
    set security address-book [ADDRESS BOOK SKYTAP NAME] address [SKYTAP SUBNET NAME] [SKYTAP VM IP RANGE]
    set security address-book [ADDRESS BOOK SKYTAP NAME] attach zone [EXTERNAL ZONE NAME]
    set security flow tcp-mss ipsec-vpn mss 1350
    set security policies from-zone [INTERNAL ZONE NAME] to-zone [EXTERNAL ZONE NAME] policy [POLICY NAME (INTERNAL TO EXTERNAL)] match source-address [INTERNAL SUBNET NAME]
    set security policies from-zone [INTERNAL ZONE NAME] to-zone [EXTERNAL ZONE NAME] policy [POLICY NAME (INTERNAL TO EXTERNAL)] match destination-address [SKYTAP SUBNET NAME]
    set security policies from-zone [INTERNAL ZONE NAME] to-zone [EXTERNAL ZONE NAME] policy [POLICY NAME (INTERNAL TO EXTERNAL)] match application any
    set security policies from-zone [INTERNAL ZONE NAME] to-zone [EXTERNAL ZONE NAME] policy [POLICY NAME (INTERNAL TO EXTERNAL)] then permit tunnel ipsec-vpn [VPN NAME]
    set security policies from-zone [INTERNAL ZONE NAME] to-zone [EXTERNAL ZONE NAME] policy [POLICY NAME (INTERNAL TO EXTERNAL)] then permit tunnel pair-policy [POLICY NAME (EXTERNAL TO INTERNAL)]
    set security policies from-zone [EXTERNAL ZONE NAME] to-zone [INTERNAL ZONE NAME] policy [POLICY NAME (EXTERNAL TO INTERNAL)] match source-address [SKYTAP SUBNET NAME]
    set security policies from-zone [EXTERNAL ZONE NAME] to-zone [INTERNAL ZONE NAME] policy [POLICY NAME (EXTERNAL TO INTERNAL)] match destination-address [INTERNAL SUBNET NAME]
    set security policies from-zone [EXTERNAL ZONE NAME] to-zone [INTERNAL ZONE NAME] policy [POLICY NAME (EXTERNAL TO INTERNAL)] match application any
    set security policies from-zone [EXTERNAL ZONE NAME] to-zone [INTERNAL ZONE NAME] policy [POLICY NAME (EXTERNAL TO INTERNAL)] then permit tunnel ipsec-vpn [VPN NAME]
    set security policies from-zone [EXTERNAL ZONE NAME] to-zone [INTERNAL ZONE NAME] policy [POLICY NAME (EXTERNAL TO INTERNAL)] then permit tunnel pair-policy [POLICY NAME (INTERNAL TO EXTERNAL)]
    set security zones security-zone [EXTERNAL ZONE NAME] host-inbound-traffic system-services ike
    set security zones security-zone [EXTERNAL ZONE NAME] interfaces [EXTERNAL INTERFACE].0
    set security zones security-zone [INTERNAL ZONE NAME] host-inbound-traffic system-services all
    set security zones security-zone [INTERNAL ZONE NAME] interfaces [INTERNAL INTERFACE].0
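The Skytap-side parameters and the SRX set commands have to agree on subnets, DH groups and lifetimes, so here is an added example (not Skytap's or Juniper's code) that checks the subnet rules stated in the parameter list above and renders the Junos lines that derive from those values. The 76.32.14.101 peer IP and the 10.1.15.x subnets are the page's own examples; the Skytap subnet, proposal, policy and address-book names are constructed.

```python
import ipaddress

# Skytap DH-group labels as shown on the VPN page -> Junos dh-group keywords.
DH_GROUPS = {"modp1024 (2)": "group2", "modp1536 (5)": "group5", "modp2048 (14)": "group14"}

# Constructed sample values; only 76.32.14.101 and the 10.1.15.x subnets come from the page.
SKYTAP_PARAMS = {
    "skytap_peer_ip": "76.32.14.101",   # [SKYTAP VPN ENDPOINT]
    "skytap_subnet": "10.0.0.0/24",     # [SKYTAP VM IP RANGE], constructed
    "included_remote_subnets": ["10.1.15.0/24"],
    "excluded_remote_subnets": ["10.1.15.17/32"],
    "phase1_dh_group": "modp1536 (5)",
    "phase2_pfs_group": "group2",
    "phase1_lifetime": 28800,
}

def validate(p):
    """Return a list of problems; an empty list means the parameters satisfy the page's rules."""
    problems = []
    default = ipaddress.ip_network("0.0.0.0/0")
    local = ipaddress.ip_network(p["skytap_subnet"])
    remotes = [ipaddress.ip_network(s) for s in p["included_remote_subnets"]]
    if local == default and default in remotes:
        problems.append("0.0.0.0/0 cannot be used for both the local and the remote subnet")
    for r in remotes:
        # A default route on one side is allowed, so only compare real prefixes.
        if local != default and r != default and local.overlaps(r):
            problems.append(f"Skytap subnet {local} overlaps included remote subnet {r}")
    for x in p["excluded_remote_subnets"]:
        if not any(ipaddress.ip_network(x).subnet_of(r) for r in remotes):
            problems.append(f"excluded subnet {x} is not inside any included remote subnet")
    if p["phase1_dh_group"] not in DH_GROUPS:
        problems.append(f"unsupported Phase 1 DH group {p['phase1_dh_group']!r}")
    return problems

def render_srx(p, ike_prop="ike-skytap", ipsec_pol="ipsec-skytap", book="skytap"):
    """Render the Junos set lines whose values must match the Skytap page (names are constructed)."""
    return [
        f"set security ike proposal {ike_prop} dh-group {DH_GROUPS[p['phase1_dh_group']]}",
        f"set security ike proposal {ike_prop} lifetime-seconds {p['phase1_lifetime']}",
        f"set security ike gateway gw-skytap address {p['skytap_peer_ip']}",
        f"set security ipsec policy {ipsec_pol} perfect-forward-secrecy keys {p['phase2_pfs_group']}",
        f"set security address-book {book} address skytap-vms {p['skytap_subnet']}",
    ]

if __name__ == "__main__":
    for problem in validate(SKYTAP_PARAMS):
        print("PROBLEM:", problem)
    print("\n".join(render_srx(SKYTAP_PARAMS)))
```

Run it before committing the SRX configuration; any printed PROBLEM line corresponds to a rule the Skytap VPN page will reject or a setting the two peers will fail to agree on.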