IPsec Site-to-Site Tunnel between SRX100 and PfSense (Policy-Based VPN)

pfs-jsrx100-ipsec-pbvpn

Today (with the help of my friend and skillful netadmin Malte) we finally figured out how to bring up an IPsec Site-to-Site Policy-based VPN with multiple phase2-entries behind the PfSense and a single subnet behind the SRX100.

For this to work with a Policy-Based VPN (since PfSense can’t do route-based VPN) you need to create a policy for each combination of the subnets so that juniper can generate the correct proxy-id’s. If you miss one, you end up with an error like:

Last Tunnel Down Reason: More than two SA pairs

 

Here’s the config from the J-Point of view:

set security ike proposal ike-proposal-colocation authentication-method pre-shared-keys
set security ike proposal ike-proposal-colocation dh-group group2
set security ike proposal ike-proposal-colocation authentication-algorithm sha-256
set security ike proposal ike-proposal-colocation encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-colocation lifetime-seconds 28800

set security ike policy ike-policy-colocation mode aggressive
set security ike policy ike-policy-colocation proposals ike-proposal-colocation
set security ike policy ike-policy-colocation pre-shared-key ascii-text <SECRET>

set security ike gateway ike-gate-colocation ike-policy ike-policy-colocation
set security ike gateway ike-gate-colocation dynamic hostname <HOSTNAME colocation>
set security ike gateway ike-gate-colocation local-identity hostname <LOCAL HOSTNAME>
set security ike gateway ike-gate-colocation external-interface fe-0/0/0

set security ipsec proposal ipsec-proposal-colocation protocol esp
set security ipsec proposal ipsec-proposal-colocation authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal-colocation encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-colocation lifetime-seconds 3600

set security ipsec policy ipsec-policy-colocation proposals ipsec-proposal-colocation

set security ipsec vpn ipsec-vpn-colocation ike gateway ike-gate-colocation
set security ipsec vpn ipsec-vpn-colocation ike ipsec-policy ipsec-policy-colocation
set security ipsec vpn ipsec-vpn-colocation establish-tunnels immediately

set security address-book global address NW_loc2_1-1-1 1.1.1.0/24
set security address-book global address NW_loc2_1-1-2 1.1.2.0/24
set security address-book global address NW_loc2_1-1-254 1.1.254.0/24
set security address-book global address NW_Local_LAN 2.2.2.0/24

set security policies from-zone external to-zone junos-host policy allow-icmp-any match source-address any
set security policies from-zone external to-zone junos-host policy allow-icmp-any match destination-address SRX-WAN
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application junos-ping
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application junos-ike
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application custom-ipsec
set security policies from-zone external to-zone junos-host policy allow-icmp-any then permit

set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match source-address NW_loc2_1-1-1
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 then permit tunnel pair-policy vpnpolicy-internal-colocation-1
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match source-address NW_loc2_1-1-2
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 then permit tunnel pair-policy vpnpolicy-internal-colocation-2
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match source-address NW_loc2_1-1-254
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 then permit tunnel pair-policy vpnpolicy-internal-colocation-3

set security nat source rule-set internal-to-external from zone internal
set security nat source rule-set internal-to-external to zone external
set security nat source rule-set internal-to-external rule no-nat-internal match source-address 2.2.2.0/24
set security nat source rule-set internal-to-external rule no-nat-internal match destination-address 1.1.1.0/24
set security nat source rule-set internal-to-external rule no-nat-internal match destination-address 2.2.21.0/24
set security nat source rule-set internal-to-external rule no-nat-internal then source-nat off
set security nat source rule-set internal-to-external rule nat-internal match source-address 2.2.2.0/24
set security nat source rule-set internal-to-external rule nat-internal match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-external rule nat-internal then source-nat interface

set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match destination-address NW_loc2_1-1-1
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 then permit tunnel pair-policy vpnpolicy-colocation-internal-1
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match destination-address NW_loc2_1-1-2
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 then permit tunnel pair-policy vpnpolicy-colocation-internal-2
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match destination-address NW_loc2_1-1-254
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 then permit tunnel pair-policy vpnpolicy-colocation-internal-3

set applications application custom-ipsec protocol udp
set applications application custom-ipsec destination-port 4500

set security zones security-zone external host-inbound-traffic system-services ike

Took us some time to figure out why we still had some problems but in the end we found the culprit:

security ipsec policy ipsec-policy-colocation perfect-forward-secrecy keys group5

Seems to me, that PfSense and Juniper don’t play very nice when PFS is enabled.
After deleting the PFS-Group all 3 subnets went up and traffic was able to flow.

Hopefully¬†this short article can save you some pain in the ass ūüėČ

4 thoughts on “IPsec Site-to-Site Tunnel between SRX100 and PfSense (Policy-Based VPN)

  1. Gary

    Christian, do you happen to have the PFSense config still (I see the post is old so no worries if not)?

    Reply
    1. christianscholz Post author

      Hi Gary,

      I might indeed be able to fetch it from my Archives – I will see what I can find
      But remember: this is still an old Version of PFSense and an SRX100 that we are talking about.
      Nowadays, there are many secure ways to connect PFSense and the SRX300, for example.

      –Christian

      Reply
  2. Alex

    Hello,
    Are there any ideas how to do some workaround to enable access to srx mgmt interface via Policy-based VPN tunnel? or it seems the routle policy based is the only option here?

    I tried route leaking but still it didn’t help to enable access to SRX MGMT interface (FXP0) via Policy-Base vpn tunnel.¬†
    I think since Policy-Based vpn required external interface and related static route to be in the main routing table as FXP0 so the traffic targeted to FXP0 will always prefer the Local interface (FXP0) rather than sending it to another instance then sending it to FXP0 via some mgmt switch. 

    Reply
    1. christianscholz Post author

      I personally don’t think you should try to manipulate the fxp that way – better use the “inband” method and allow the necessary services.
      — Christian

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha * Time limit is exhausted. Please reload CAPTCHA.