Juniper


Available in Classic.

This section describes how to configure the customer VPN gateway to create an IPsec VPN tunnel. If the VPN gateway device is a Juniper SRX series product, refer to the following.

Note

In the commands below, the local network is the customer network, the remote network is the NAVER Cloud Platform private subnet, and the Peer IP is the public IP of the NAVER Cloud Platform VPN gateway.

Interface IP setting

The following describes how to set an interface IP.

  • IP interface setting

    set interfaces ge-0/0/0 unit 0 family inet address <public IP>
    set interfaces ge-0/0/1 unit 0 family inet address <internal private IP>
    
  • Tunnel interface setting

    set interfaces st0 unit 0 family inet
    
  • Create security zone and assign interface

    • Assign internal interface to trust zone
      set security zones security-zone trust host-inbound-traffic system-services all
      set security zones security-zone trust host-inbound-traffic protocols all
      set security zones security-zone trust interfaces ge-0/0/1.0
      
    • Assign external and tunnel interfaces to untrust zone
      set security zones security-zone untrust host-inbound-traffic system-services all
      set security zones security-zone untrust host-inbound-traffic protocols all
      set security zones security-zone untrust interfaces ge-0/0/0.0
      set security zones security-zone untrust interfaces st0.0
      
  • Security zone policy setting

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
    

Routing setting

Set up external routing, internal routing, and routing to the peer's private network through the tunnel.

  • External routing setting

    set routing-options static route 0.0.0.0/0 next-hop <VPN gateway public IP>
    
  • Set up internal routing and traffic selectors

    set routing-options static route <internal private IP> next-hop <internal gateway IP>
    
    set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 local-ip 100.1.1.0/24
    set security ipsec vpn ike-vpn-DE_QA traffic-selector t1 remote-ip 192.168.100.0/24
    
  • Peer tunnel private routing (proxy-ID) setting

    set routing-options static route <remote network private IP> next-hop st0.0
    

IKE setting

To set up IKE, you need to configure IKEv1 and IKEv2.

Note

The pre-shared key and the authentication algorithm settings must match those of the IPsec VPN gateway created in the NAVER Cloud Platform console.

IKEv1 configuration

The following describes how to configure an IKEv1.

set security ike proposal <proposal 1 name> authentication-method pre-shared-keys
set security ike proposal <proposal 1 name> dh-group group2
set security ike proposal <proposal 1 name> authentication-algorithm sha1
set security ike proposal <proposal 1 name> encryption-algorithm aes-128-cbc
set security ike proposal <proposal 1 name> lifetime-seconds 28800

set security ike policy <policy 1 name> mode main
set security ike policy <policy 1 name> proposals <proposal 1 name>
set security ike policy <policy 1 name> pre-shared-key ascii-text <pre-shared key value>

set security ipsec policy <policy 2 name> perfect-forward-secrecy keys group2
set security ipsec vpn <VPN name> ike proxy-identity local <local network>
set security ipsec vpn <VPN name> ike proxy-identity remote <remote network private IP>
set security ipsec vpn <VPN name> ike proxy-identity service any

set security ike gateway <VPN gateway name> ike-policy <policy 1 name>
set security ike gateway <VPN gateway name> address <Peer IP>
set security ike gateway <VPN gateway name> external-interface ge-0/0/0
set security ike gateway <VPN gateway name> version v1-only    (default)
  • DH group: 2
  • Encryption algorithm: aes-128
  • Hash algorithm: sha-1
  • Lifetime: 28800 seconds

IKEv2 configuration

The following describes how to configure an IKEv2.

set security ipsec proposal <proposal 2 name> protocol esp
set security ipsec proposal <proposal 2 name> authentication-algorithm hmac-sha1-96
set security ipsec proposal <proposal 2 name> encryption-algorithm aes-128-cbc
set security ipsec proposal <proposal 2 name> lifetime-seconds 3600
set security ipsec policy <policy 2 name> proposals <proposal 2 name>

set security ipsec vpn <VPN name> bind-interface st0.0
set security ipsec vpn <VPN name> ike gateway <VPN gateway name>
set security ipsec vpn <VPN name> ike ipsec-policy <policy 2 name>
set security ipsec vpn <VPN name> establish-tunnels immediately

  • Protocol: esp
  • Encryption algorithm: aes-128
  • Hash algorithm: sha-1
  • Lifetime: 3600 seconds

Check IKE tunnel

After finishing all the steps, you can check the tunnel status. The following shows example output.

  • IKEv1

    hostname# show security ike security-associations
    Index  State  Initiator cookie   Responder cookie  Mode  Remote Address
    4789230 UP    d2a027bc622f8ec6   d79c7b79fab2e1cb  Main  <Peer IP>
    
  • IKEv2

    hostname# show security ipsec security-associations
     Total active tunnels: 1
    ID     Algorithm      SPI      Life:sec/kb     Mon lsys  Port  Gateway
    <131073 ESP:aes-cbc-128/sha1   4e82e2b4 3429/4607971 - root  500 <Peer IP>
    >131073 ESP:aes-cbc-128/sha1   58407288 3429/4607971 - root  500 <Peer IP>
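As an added example (not part of the NAVER Cloud Platform documentation), the following Python code parses the two outputs above and reports whether the tunnel to the peer is UP with the IPsec algorithm configured earlier in both directions; the peer address 203.0.113.10 and the sample output are constructed placeholders in the page's output format.

```python
"""Check Junos IKE/IPsec SA output for a healthy tunnel to the NCP peer."""
import re

# Constructed sample output (same layout as the page; placeholder peer IP).
IKE_SA_OUTPUT = """\
Index  State  Initiator cookie   Responder cookie  Mode  Remote Address
4789230 UP    d2a027bc622f8ec6   d79c7b79fab2e1cb  Main  203.0.113.10
"""
IPSEC_SA_OUTPUT = """\
 Total active tunnels: 1
ID     Algorithm      SPI      Life:sec/kb     Mon lsys  Port  Gateway
<131073 ESP:aes-cbc-128/sha1   4e82e2b4 3429/4607971 - root  500 203.0.113.10
>131073 ESP:aes-cbc-128/sha1   58407288 3429/4607971 - root  500 203.0.113.10
"""

# One IKE SA row: index, state, two cookies, mode, remote address.
IKE_RE = re.compile(r"^(\d+)\s+(\w+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\w+)\s+(\S+)$")
# One IPsec SA row: '<' inbound / '>' outbound, id, algorithm, SPI, life sec/kb, ...
IPSEC_RE = re.compile(
    r"^([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_ike_sas(text):
    """Return Phase 1 SAs; header lines do not match the pattern and are skipped."""
    sas = []
    for line in text.splitlines():
        m = IKE_RE.match(line.strip())
        if m:
            sas.append({"index": int(m[1]), "state": m[2], "mode": m[5], "peer": m[6]})
    return sas

def parse_ipsec_sas(text):
    """Return Phase 2 SAs, one per direction, with remaining lifetime in seconds."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_RE.match(line.strip())
        if m:
            sas.append({"direction": "in" if m[1] == "<" else "out", "id": int(m[2]),
                        "algorithm": m[3], "spi": m[4], "life_sec": int(m[5]),
                        "life_kb": int(m[6]), "port": int(m[9]), "peer": m[10]})
    return sas

def tunnel_healthy(ike_text, ipsec_text, peer, algorithm="ESP:aes-cbc-128/sha1"):
    """True when the IKE SA to `peer` is UP and both IPsec directions use `algorithm`.
    A missing direction or a different algorithm means the NCP side and the SRX side
    do not agree on the Phase 2 parameters (see the Note in the IKE setting section)."""
    ike_up = any(s["peer"] == peer and s["state"] == "UP" for s in parse_ike_sas(ike_text))
    dirs = {s["direction"] for s in parse_ipsec_sas(ipsec_text)
            if s["peer"] == peer and s["algorithm"] == algorithm and s["life_sec"] > 0}
    return ike_up and dirs == {"in", "out"}
```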