AWS VPN with Juniper SRX - Lab Sheet


Upload: kimberly-macias

Post on 16-Apr-2017



AWS VPN with Juniper SRX

http://bluechiptek.com/

Prerequisites

• Juniper SRX running JunOS
• Amazon Web Services account
• Internet connectivity for the Juniper SRX device
• Familiarity with JunOS

More often than not, organizations across today's technology-driven industries find themselves in situations that require the agility and cost control of the cloud while still leveraging their existing private infrastructure. These network configurations are commonly referred to as Hybrid Cloud deployments, or simply Hybrid when discussed in the context of cloud architectures.

There are several options available when designing connectivity between an existing private network facility and the AWS cloud platform. The two most common are direct Ethernet connections and Virtual Private Networks (VPNs). The direct connection approach involves deploying physical hardware to a location where Amazon offers 1G or 10G Ethernet ports directly on their devices for linking their network to yours. A VPN connection lets you provision a tunnel over your existing Internet connectivity into a specific AWS Virtual Private Cloud (VPC).

Many, if not most, organizations have already invested in a firewall security appliance. These firewalls typically protect sensitive corporate data while also preventing unauthorized external access to network resources. The Juniper SRX series firewall appliances are a common choice for this vital role in the network architecture. The SRX product shares the same JunOS configuration language and commands as the Juniper router and switch products, making administration tasks across the network as a whole much less complicated. One of the basic features of most firewall appliances is the ability to terminate VPN tunnels. This is the feature we will focus on for this article.


AWS VPN Configuration

The first step is to create the necessary configuration entities within the AWS VPC where the VPN tunnel will terminate. The three necessary entities are the Customer Gateway, the Virtual Private Gateway and the VPN connection itself. The Customer Gateway is a representation of the public IP address assigned to the SRX Internet interface. This IP address cannot be behind a NAT. The Virtual Private Gateway is the logical router within the AWS VPC. The VPN connection defines the tunnel between the Virtual Private Gateway and the Customer Gateway.

Customer Gateway Configuration

1. Log in to the AWS Management Console with a user that possesses the proper permissions to administer VPC configurations.

2. Navigate to the appropriate region for the VPN configuration.

3. Select the VPC item from the Services pull-down menu.

4. Select the Customer Gateways item from the left navigation panel.

5. Select the blue “Create Customer Gateway” button at the top of the main input panel.

6. In the dialog box that is presented on the screen, provide a descriptive name for the Customer Gateway.


7. Select the appropriate routing type. This will most likely be dynamic since most organizations will want multiple VPN tunnels for redundancy.

8. Provide the external public IP address for the SRX Internet connected interface.

9. Provide the BGP ASN if dynamic routing was selected in step #7.

10. Click on the blue “Yes, Create” button.

Virtual Private Gateway Configuration

1. Select the Virtual Private Gateways item from the left navigation panel.

2. Click on the blue “Create Virtual Private Gateway” button at the top of the main input panel.

3. Provide a descriptive name for the new Virtual Private Gateway.

4. Click on the blue “Yes, Create” button.

5. Ensure that the newly created Virtual Private Gateway is selected from the list and click on the “Attach VPC” button at the top.

6. Select the appropriate VPC to attach the Virtual Private Gateway (router).

7. Click on the blue “Yes, Attach” button.


VPN Tunnel Configuration

1. Select the VPN Connections item from the left navigation panel.

2. Click on the blue “Create VPN Connection” button at the top of the main input panel.

3. Provide a descriptive name for the new VPN connection.

4. Select the Virtual Private Gateway defined above.

5. Select the existing Customer Gateway defined above.

6. Select the appropriate Routing Option.

7. Click on the blue “Yes, Create” button.

The VPN Connection state will show pending until the system has completed the configuration. Once the State changes to available, it is ready for use. After selecting the newly created VPN connection from the list, click on the Tunnel Details tab below to retrieve the AWS public IP addresses of the VPC tunnel endpoints. These will be used in the SRX configuration below.


Juniper SRX Configuration

The next step in the process is to complete the necessary configuration on the SRX to establish the VPN tunnel into the AWS VPC. Amazon will generate a configuration file for your device if you select Juniper J-Series Routers with JunOS 9.5+ as the platform when downloading the configuration. Below is the sample configuration for our example VPC, as produced by that download.

# Amazon Web Services
# Virtual Private Cloud
#
# AWS utilizes unique identifiers to manipulate the configuration of
# a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
# and is associated with two other identifiers, namely the
# Customer Gateway Identifier and the Virtual Private Gateway Identifier.
#
# Your VPN Connection ID : vpn-4f6b755d
# Your Virtual Private Gateway ID : vgw-815c829f
# Your Customer Gateway ID : cgw-e437e9fa
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
#


set security ike proposal ike-prop-vpn-4f6b755d-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-4f6b755d-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-4f6b755d-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-4f6b755d-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-4f6b755d-1 dh-group group2

# An IKE policy is established to associate a Pre Shared Key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-4f6b755d-1 mode main
set security ike policy ike-pol-vpn-4f6b755d-1 proposals ike-prop-vpn-4f6b755d-1
set security ike policy ike-pol-vpn-4f6b755d-1 pre-shared-key ascii-text ZnxevWnXVaVxY9fZ7ogYcfo67j1FCNYv

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 1.2.3.4 is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-4f6b755d-1 ike-policy ike-pol-vpn-4f6b755d-1
set security ike gateway gw-vpn-4f6b755d-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-4f6b755d-1 address 52.24.14.229

# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show messages kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all

# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 authentication-algorithm hmac-sha1-96


set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 lifetime-seconds 3600

# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-4f6b755d-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-4f6b755d-1 proposals ipsec-prop-vpn-4f6b755d-1

# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.1).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.10).
#
set security ipsec vpn vpn-4f6b755d-1 bind-interface st0.1
set security ipsec vpn vpn-4f6b755d-1 ike gateway gw-vpn-4f6b755d-1
set security ipsec vpn vpn-4f6b755d-1 ike ipsec-policy ipsec-pol-vpn-4f6b755d-1
set security ipsec vpn vpn-4f6b755d-1 df-bit clear

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-4f6b755d-1 dead-peer-detection

# #3: Tunnel Interface Configuration
#

# The tunnel interface is configured with the internal IP address.
#
set interfaces st0.1 family inet address 169.254.12.166/30
set interfaces st0.1 family inet mtu 1436
set security zones security-zone trust interfaces st0.1

# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike

# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp


# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1387

# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
#
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject

set protocols bgp group ebgp type external

set protocols bgp group ebgp neighbor 169.254.12.165 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.12.165 peer-as 7224
set protocols bgp group ebgp neighbor 169.254.12.165 hold-time 30
set protocols bgp group ebgp neighbor 169.254.12.165 local-as 65000
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #2


# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
#
set security ike proposal ike-prop-vpn-4f6b755d-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-4f6b755d-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-4f6b755d-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-4f6b755d-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-4f6b755d-2 dh-group group2

# An IKE policy is established to associate a Pre Shared Key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-4f6b755d-2 mode main
set security ike policy ike-pol-vpn-4f6b755d-2 proposals ike-prop-vpn-4f6b755d-2
set security ike policy ike-pol-vpn-4f6b755d-2 pre-shared-key ascii-text t2CBKxE71diOCcORGe.KGFYtYDAyBSQM

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 1.2.3.4 is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-4f6b755d-2 ike-policy ike-pol-vpn-4f6b755d-2
set security ike gateway gw-vpn-4f6b755d-2 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-4f6b755d-2 address 52.37.31.163

# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show messages kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all

# #2: IPSec Configuration


#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 protocol esp
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 lifetime-seconds 3600

# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-4f6b755d-2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-4f6b755d-2 proposals ipsec-prop-vpn-4f6b755d-2

# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.2).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.10).
#
set security ipsec vpn vpn-4f6b755d-2 bind-interface st0.2
set security ipsec vpn vpn-4f6b755d-2 ike gateway gw-vpn-4f6b755d-2
set security ipsec vpn vpn-4f6b755d-2 ike ipsec-policy ipsec-pol-vpn-4f6b755d-2
set security ipsec vpn vpn-4f6b755d-2 df-bit clear

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-4f6b755d-2 dead-peer-detection

# #3: Tunnel Interface Configuration
#

# The tunnel interface is configured with the internal IP address.
#
set interfaces st0.2 family inet address 169.254.12.194/30
set interfaces st0.2 family inet mtu 1436
set security zones security-zone trust interfaces st0.2

# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#


set security zones security-zone untrust host-inbound-traffic system-services ike

# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp

# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1387

# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
#
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject

set protocols bgp group ebgp type external

set protocols bgp group ebgp neighbor 169.254.12.193 export EXPORT-DEFAULT


set protocols bgp group ebgp neighbor 169.254.12.193 peer-as 7224
set protocols bgp group ebgp neighbor 169.254.12.193 hold-time 30
set protocols bgp group ebgp neighbor 169.254.12.193 local-as 65000
#

# Additional Notes and Questions
# - Amazon Virtual Private Cloud Getting Started Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
# - Amazon Virtual Private Cloud Network Administrator Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
# - XSL Version: 2009-07-15-1119716

Make the necessary changes to your configuration in Notepad or a text editor. You may wish to change your tunnel interface unit numbers (if st0.1 and st0.2 are already used).

Then perform the following steps to load and commit the configuration above onto your device:

ssh to the SRX device
start shell
vi aws.cfg
<paste text configlet>
:wq!
exit
edit
load merge aws.cfg
commit

The security policies for the trusted and VPN zones must be defined, as they are not included in the configuration downloaded from AWS. Note that the downloaded configlet places st0.1 and st0.2 in the trust zone; for the trust-to-vpn policies below to match tunnel traffic, the st0 interfaces must instead be assigned to the vpn zone (with BGP allowed as host-inbound traffic there).

Security Zone Policy Configuration

set security zones security-zone vpn address-book address net-cfgr_172-31-0-0--16 172.31.0.0/16
set security zones security-zone trust address-book address net-cfgr_192-168-254-0--24 192.168.254.0/24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-254-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_172-31-0-0--16
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any


set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_172-31-0-0--16
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-254-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit

Based upon the example subnets used in the security policy statements above, once the VPN tunnel is established, communication should be allowed between the 192.168.254.0/24 subnet in the private datacenter and the AWS VPC subnet of 172.31.0.0/16.
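As an added example (not part of the lab sheet), here is a small Python pre-commit check to run over the configlet before it is pasted into aws.cfg. It renumbers the st0 units when the ones AWS chose are already in use on the device (the edit the note above asks you to make by hand), and it flags security-policy address references that no zone address-book defines, the kind of slip (191 vs 192 in the address name) that would make the commit fail. The sample configlet and policy text are constructed from the page's own values.

```python
import re

# Constructed excerpt of an AWS-generated JunOS configlet, in the shape of the
# one shown on this page (IDs and addresses are the page's example values).
SAMPLE_CONFIGLET = """\
# IPSec Tunnel #1
set security ipsec vpn vpn-4f6b755d-1 bind-interface st0.1
set interfaces st0.1 family inet address 169.254.12.166/30
set security zones security-zone trust interfaces st0.1
# IPSec Tunnel #2
set security ipsec vpn vpn-4f6b755d-2 bind-interface st0.2
set interfaces st0.2 family inet address 169.254.12.194/30
set security zones security-zone trust interfaces st0.2
"""

# Constructed zone policy reproducing an address-book name slip (191 vs 192):
# the policy references a name that the trust zone's address-book never defines.
SAMPLE_POLICY = """\
set security zones security-zone vpn address-book address net-cfgr_172-31-0-0--16 172.31.0.0/16
set security zones security-zone trust address-book address net-cfgr_191-168-254-0--24 192.168.254.0/24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-254-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_172-31-0-0--16
"""

ST0_RE = re.compile(r"\bst0\.(\d+)\b")
ADDR_DEF_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) \S+$")
ADDR_REF_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ "
                         r"match (source|destination)-address (\S+)$")


def st0_units(config):
    """st0 unit numbers referenced by the 'set' lines of a configlet."""
    return {int(u) for line in config.splitlines() if line.startswith("set")
            for u in ST0_RE.findall(line)}


def renumber_st0(config, in_use):
    """Rewrite the configlet so no st0 unit collides with units already in use on
    the device: a unit keeps its number when free, otherwise it gets the lowest free
    number, and every line naming that unit is rewritten consistently.
    Returns (new_configlet, {old_unit: new_unit})."""
    taken, mapping = set(in_use), {}

    def new_unit(old):
        if old not in mapping:
            new = old if old not in taken else next(n for n in range(1, 1 << 16) if n not in taken)
            taken.add(new)
            mapping[old] = new
        return mapping[old]

    out = []
    for line in config.splitlines():
        if line.startswith("set"):
            line = ST0_RE.sub(lambda m: "st0.%d" % new_unit(int(m.group(1))), line)
        out.append(line)
    return "\n".join(out) + "\n", mapping


def undefined_policy_addresses(config):
    """(zone, name) pairs a policy references but no address-book defines: a
    source-address must be in the from-zone's book, a destination-address in the to-zone's."""
    defined = {m.group(1, 2) for m in map(ADDR_DEF_RE.match, config.splitlines()) if m}
    missing = []
    for m in map(ADDR_REF_RE.match, config.splitlines()):
        if m:
            from_zone, to_zone, kind, name = m.groups()
            zone = from_zone if kind == "source" else to_zone
            if name != "any" and (zone, name) not in defined:
                missing.append((zone, name))
    return missing
```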

Show commands:

• show security ike security-associations
• show security ipsec security-associations
• show bgp summary
• ping <BGP Peer>
• show route receive-protocol bgp <neighbor>
• show route advertising-protocol bgp <neighbor>
• show route <vpc-network>/<mask>

To fully test the end to end connectivity, simply launch an instance within your AWS VPC and execute a ping from that instance to a system within your private datacenter network.