IPsec Site-to-Site Tunnel between SRX100 and PfSense (Policy-Based VPN)


Today (with the help of my friend and skillful netadmin Malte) we finally figured out how to bring up an IPsec site-to-site policy-based VPN with multiple phase 2 entries behind the pfSense and a single subnet behind the SRX100.

For this to work with a policy-based VPN (pfSense had no route-based IPsec at the time; routed IPsec over VTI only arrived in pfSense 2.4.4) you need one policy per combination of local and remote subnet, so that the SRX generates a proxy-ID for each of the phase 2 entries pfSense proposes. If you miss one, the tunnel goes down with:

Last Tunnel Down Reason: More than two SA pairs

Here’s the config from the Juniper side:

set security ike proposal ike-proposal-colocation authentication-method pre-shared-keys
set security ike proposal ike-proposal-colocation dh-group group2
set security ike proposal ike-proposal-colocation authentication-algorithm sha-256
set security ike proposal ike-proposal-colocation encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-colocation lifetime-seconds 28800

set security ike policy ike-policy-colocation mode aggressive
set security ike policy ike-policy-colocation proposals ike-proposal-colocation
set security ike policy ike-policy-colocation pre-shared-key ascii-text <SECRET>

set security ike gateway ike-gate-colocation ike-policy ike-policy-colocation
set security ike gateway ike-gate-colocation dynamic hostname <HOSTNAME colocation>
set security ike gateway ike-gate-colocation local-identity hostname <LOCAL HOSTNAME>
set security ike gateway ike-gate-colocation external-interface fe-0/0/0

set security ipsec proposal ipsec-proposal-colocation protocol esp
set security ipsec proposal ipsec-proposal-colocation authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal-colocation encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-colocation lifetime-seconds 3600

set security ipsec policy ipsec-policy-colocation proposals ipsec-proposal-colocation

set security ipsec vpn ipsec-vpn-colocation ike gateway ike-gate-colocation
set security ipsec vpn ipsec-vpn-colocation ike ipsec-policy ipsec-policy-colocation
set security ipsec vpn ipsec-vpn-colocation establish-tunnels immediately

set security address-book global address NW_loc2_1-1-1 1.1.1.0/24
set security address-book global address NW_loc2_1-1-2 1.1.2.0/24
set security address-book global address NW_loc2_1-1-254 1.1.254.0/24
set security address-book global address NW_Local_LAN 2.2.2.0/24

set security policies from-zone external to-zone junos-host policy allow-icmp-any match source-address any
set security policies from-zone external to-zone junos-host policy allow-icmp-any match destination-address SRX-WAN
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application junos-ping
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application junos-ike
set security policies from-zone external to-zone junos-host policy allow-icmp-any match application custom-ipsec
set security policies from-zone external to-zone junos-host policy allow-icmp-any then permit

set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match source-address NW_loc2_1-1-1
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-1 then permit tunnel pair-policy vpnpolicy-internal-colocation-1
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match source-address NW_loc2_1-1-2
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-2 then permit tunnel pair-policy vpnpolicy-internal-colocation-2
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match source-address NW_loc2_1-1-254
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match destination-address NW_Local_LAN
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 match application any
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone external to-zone internal policy vpnpolicy-colocation-internal-3 then permit tunnel pair-policy vpnpolicy-internal-colocation-3

set security nat source rule-set internal-to-external from zone internal
set security nat source rule-set internal-to-external to zone external
set security nat source rule-set internal-to-external rule no-nat-internal match source-address 2.2.2.0/24
set security nat source rule-set internal-to-external rule no-nat-internal match destination-address 1.1.1.0/24
set security nat source rule-set internal-to-external rule no-nat-internal match destination-address 1.1.2.0/24
set security nat source rule-set internal-to-external rule no-nat-internal match destination-address 1.1.254.0/24
set security nat source rule-set internal-to-external rule no-nat-internal then source-nat off
set security nat source rule-set internal-to-external rule nat-internal match source-address 2.2.2.0/24
set security nat source rule-set internal-to-external rule nat-internal match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-external rule nat-internal then source-nat interface

set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match destination-address NW_loc2_1-1-1
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-1 then permit tunnel pair-policy vpnpolicy-colocation-internal-1
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match destination-address NW_loc2_1-1-2
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-2 then permit tunnel pair-policy vpnpolicy-colocation-internal-2
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match source-address NW_Local_LAN
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match destination-address NW_loc2_1-1-254
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 match application any
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 then permit tunnel ipsec-vpn ipsec-vpn-colocation
set security policies from-zone internal to-zone external policy vpnpolicy-internal-colocation-3 then permit tunnel pair-policy vpnpolicy-colocation-internal-3

set applications application custom-ipsec protocol udp
set applications application custom-ipsec destination-port 4500

set security zones security-zone external host-inbound-traffic system-services ike

It still took us a while to figure out the remaining problem, but in the end we found the culprit:

set security ipsec policy ipsec-policy-colocation perfect-forward-secrecy keys group5

Seems to me that pfSense and Juniper don’t play very nice when PFS is enabled. After deleting the PFS group (delete security ipsec policy ipsec-policy-colocation perfect-forward-secrecy) all three subnets came up and traffic was able to flow.

Before you copy that fix, a few caveats. PFS does work between the two when both ends agree on the group, so check that every phase 2 entry in pfSense carries the same PFS key group as the SRX IPsec policy (group 5 here) before dropping it; a mismatched group fails the phase 2 negotiation. Without PFS, anyone who later recovers the IKE keys can also decrypt every recorded IPsec session. Two settings in the config above are also weaker than they need to be: aggressive mode sends the identity hash before the channel is encrypted, which exposes the pre-shared key to offline guessing (Junos requires it for a dynamic-hostname peer with a pre-shared key; a peer with a static address should use main mode), and 3des-cbc together with DH group 2 (1024-bit MODP) are legacy choices that both ends can replace with AES and a larger group they both support. Finally, the no-NAT rule must exempt all three remote subnets; a source-NATed packet would not match the proxy-ID on the pfSense side and is silently dropped there.
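Generating the policy pairs by script, so that none of the subnet combinations is forgotten, as an added example in Python (not from the post): it emits the address-book entries, the no-NAT rule and one policy pair per local/remote subnet combination in the style of the config above, and refuses overlapping prefixes, which cannot be expressed as proxy-IDs without NAT. The VPN, zone and rule-set names are parameters of the script and are assumptions; the sample subnets are the post's.

```python
"""Emit the SRX side of a policy-based IPsec VPN with several remote subnets.

Added example, not the original post's config: the VPN name, zone names and
NAT rule-set passed in are assumptions; the subnets in the demo are the post's.
"""
from ipaddress import ip_network
from itertools import product


def address_name(prefix):
    """Address-book name in the post's style: NW_1-1-2-0_24 for 1.1.2.0/24."""
    net = ip_network(prefix)
    return "NW_" + str(net.network_address).replace(".", "-") + f"_{net.prefixlen}"


def vpn_policy(from_zone, to_zone, name, src, dst, vpn, pair):
    """One tunnel policy plus the pair-policy binding to its reverse policy."""
    base = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {name}"
    return [
        f"{base} match source-address {src}",
        f"{base} match destination-address {dst}",
        f"{base} match application any",
        f"{base} then permit tunnel ipsec-vpn {vpn}",
        f"{base} then permit tunnel pair-policy {pair}",
    ]


def generate_vpn_config(vpn, local_zone, remote_zone, local_subnets, remote_subnets,
                        nat_ruleset="internal-to-external"):
    """Return the list of 'set' commands for all local/remote subnet pairs."""
    local = [ip_network(s) for s in local_subnets]
    remote = [ip_network(s) for s in remote_subnets]
    # Overlapping prefixes cannot become unambiguous proxy-IDs; refuse early.
    for l_net, r_net in product(local, remote):
        if l_net.overlaps(r_net):
            raise ValueError(f"{l_net} overlaps {r_net}; proxy-IDs would be ambiguous")

    cmds = [f"set security address-book global address {address_name(n)} {n}"
            for n in local + remote]

    # Exempt every remote subnet from source NAT, otherwise the inner source
    # address no longer matches the proxy-ID on the far end.
    nat = f"set security nat source rule-set {nat_ruleset} rule no-nat-{vpn}"
    for n in local:
        cmds.append(f"{nat} match source-address {n}")
    for n in remote:
        cmds.append(f"{nat} match destination-address {n}")
    cmds.append(f"{nat} then source-nat off")

    # One policy pair per (local, remote) combination = one proxy-ID / SA pair.
    for idx, (l_net, r_net) in enumerate(product(local, remote), start=1):
        out_name = f"vpn-{local_zone}-{remote_zone}-{idx}"
        in_name = f"vpn-{remote_zone}-{local_zone}-{idx}"
        cmds += vpn_policy(local_zone, remote_zone, out_name,
                           address_name(l_net), address_name(r_net), vpn, in_name)
        cmds += vpn_policy(remote_zone, local_zone, in_name,
                           address_name(r_net), address_name(l_net), vpn, out_name)
    return cmds


def expected_sa_pairs(local_subnets, remote_subnets):
    """Number of phase 2 entries pfSense must carry: one per combination."""
    return len(local_subnets) * len(remote_subnets)


if __name__ == "__main__":
    # Subnets from the post: one local LAN, three remote subnets (assumed names).
    for line in generate_vpn_config("vpn-colocation", "internal", "external",
                                    ["2.2.2.0/24"],
                                    ["1.1.1.0/24", "1.1.2.0/24", "1.1.254.0/24"]):
        print(line)
```

The no-NAT rule has to sit before the catch-all interface NAT rule; when the rule-set already exists on the box, load the output and then move the rule with `insert security nat source rule-set internal-to-external rule no-nat-vpn-colocation before rule nat-internal`.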

Hopefully this short article can save you some pain in the ass 😉

New Site – New Rules – New Cloud

As you may have noticed, this Website has just been migrated to Canada – wait – what????

I finally took the last Step to go “full Cloud” – so all my V-Servers are now Cloud based at OVH.

Therefore, this site is now located in Canada. This might affect latency; however, most of my followers will be happy, since they live in the US 😉

If you have any questions on how I managed to get all my 33 VMs into the cloud in one night without disruption, feel free to contact me.

In the next few months my posts will increase heavily, as my JNCIE-SEC training has started. Stay tuned 😉

SRX Security Policy at Group-Level – Careful what you wish for…

Just struggled with this one and thought that this might be helpful.

To log every denied packet on my SRX100s (living room and home office) I use a configuration group, so that I never forget to put the “log session-init” deny rule at the bottom of each zone pair.
But today I wondered why traffic passing from zone 1 to zone 2 did not show up in the logs: there was no policy configured at all for that zone pair. Here is the tricky part, which you only find when reading the Juniper docs extremely carefully:

set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init
set apply-groups default-deny-group

This only works for zone pairs that already have at least one policy under the [security policies] hierarchy. If a zone pair has none, the group policy is not instantiated for it, so the traffic is still dropped (by the implicit default deny) but never logged.

If the above group is applied to the [security policies] hierarchy, it will not automatically populate the required policies; but will populate policies only for the zones that have security policies already configured. (http://kb.juniper.net/InfoCenter/index?page=content&id=KB25700&actp=search)
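A quick audit for exactly this gap, as an added example in Python (not from the post or Juniper): it takes the output of “show configuration | display set”, collects the configured zones and the zone pairs that have explicit policies, and lists every pair that would not inherit the group policy. The configuration it is fed below is constructed for the demo.

```python
"""List zone pairs that would not inherit a group-level wildcard policy.

Added example, not from the post or from Juniper.  Input is the output of
'show configuration | display set'; the sample config below is constructed.
"""
import re
from itertools import product

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
# Only explicit (non-group) policy statements count; group statements start
# with 'set groups' and therefore never match this pattern.
PAIR_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy ")

SAMPLE_CONFIG = """\
set security zones security-zone internal interfaces vlan.0
set security zones security-zone external interfaces fe-0/0/0.0
set security zones security-zone living-room interfaces fe-0/0/2.0
set security policies from-zone internal to-zone external policy allow-out match source-address any
set security policies from-zone internal to-zone external policy allow-out then permit
set security policies from-zone external to-zone internal policy vpn-in match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set apply-groups default-deny-group
"""


def zones(config):
    """All security zones named in the configuration, sorted."""
    return sorted({m.group(1) for m in map(ZONE_RE.match, config.splitlines()) if m})


def explicit_pairs(config):
    """Zone pairs that carry at least one explicitly configured policy."""
    pairs = set()
    for line in config.splitlines():
        m = PAIR_RE.match(line)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs


def uninherited_pairs(config):
    """Zone pairs (intra-zone included) for which the '<*>' group policy is
    never instantiated, i.e. where denied traffic goes unlogged."""
    z = zones(config)
    return sorted(set(product(z, z)) - explicit_pairs(config))


if __name__ == "__main__":
    for from_zone, to_zone in uninherited_pairs(SAMPLE_CONFIG):
        print(f"no policies, group policy not inherited: {from_zone} -> {to_zone}")
```

Run it against the real box with `python3 audit.py < <(ssh srx 'show configuration | display set')` after replacing SAMPLE_CONFIG with `sys.stdin.read()`; any pair it lists is a candidate for the global-policy approach described below, which does not depend on zone pairs at all.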

Today I’ve learned something new, and this shows that you can never learn enough 😉

SRX Default Drop Log


Have you ever wondered where the SRX stores the Logs for what it denied?
Back in my Checkpoint days we had this nice dashboard that showed us the packets the firewall denied, so we could immediately check whether our rules applied successfully or not. Since the SRX has no such view, here is a little trick to show you all packets being blocked by the firewall. For this to work you would have to create a “log session-init” deny rule as the last rule of every zone pair (there still is an implicit deny, but the implicit deny does not log by default). With many zones this gets far too complex. It can be done more simply:

set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init

set apply-groups default-deny-group

This adds the policy to every zone pair (more precisely, to every zone pair that already has policies of its own; see the group-level caveat above). Your zone-specific rules still apply first: Junos evaluates security policies in configuration order, and statements inherited from a group are appended after the explicitly configured ones, so the group policy lands at the end, right before the implicit default deny (which is invisible and does not log).

If you are like me, you don’t want to dig through the “messages” log, since it contains many other events, which is inconvenient when looking for denied packets. So create a new file that receives only the deny events:

system {
    syslog {
        file session-create-log {
            any any;
            match RT_FLOW_SESSION_CREATE;
        }
        file denied-traffic-log {
            any any;
            match RT_FLOW_SESSION_DENY;
        }
    }
}

With “show log {name of logfile}” you can look at the packets that have been denied. If your colleague is on the phone and you want him to press his connect button while you watch what happens, issue “monitor start {name of logfile}”: this shows all new events live on the CLI. Don’t forget to turn it off again with “monitor stop {name of logfile}”. Rotate the files so they don’t eat your free disk space:

set system syslog file denied-traffic-log archive size 100k
set system syslog file denied-traffic-log archive files 5
set system syslog file denied-traffic-log archive world-readable

Note that “archive world-readable” lets every login account on the box read the deny log (which reveals your internal addressing and rule names); leave it out unless a non-super-user account actually needs to read the file.
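Reading that deny log by hand stops scaling quickly, so here is a small parser and summary, as an added example in Python (not from the post). It extracts the source, destination, service, policy and zone pair from RT_FLOW_SESSION_DENY lines, counts denies per zone pair and per target, and separates hits on the catch-all rule (a missing permit, or a scan) from hits on explicit deny rules. The log lines below are constructed for the demo and follow the common event-mode layout of branch SRX devices; compare the field order with your own box before relying on the regex.

```python
"""Summarise SRX RT_FLOW_SESSION_DENY events from a syslog file.

Added example, not from the post.  The sample lines are constructed; the
field layout (src/port->dst/port service proto(icmp) policy from-zone
to-zone ...) matches the usual branch-SRX event-mode format, but verify it
against your own device.
"""
import re
from collections import Counter

DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[0-9a-f.:]+)/(?P<sport>\d+)->(?P<dst>[0-9a-f.:]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)

# Constructed sample: three catch-all denies, one explicit deny, one unrelated
# session-create event that must be ignored.
SAMPLE_LOG = """\
Apr 14 21:03:11 srx100 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.10.23/49211->192.168.20.5/445 junos-smb 6(0) default-deny living-room home-office UNKNOWN UNKNOWN N/A(N/A) vlan.10 UNKNOWN policy deny
Apr 14 21:03:12 srx100 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.10.23/49212->192.168.20.5/445 junos-smb 6(0) default-deny living-room home-office UNKNOWN UNKNOWN N/A(N/A) vlan.10 UNKNOWN policy deny
Apr 14 21:03:13 srx100 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.10.23/49300->192.168.20.9/22 junos-ssh 6(0) default-deny living-room home-office UNKNOWN UNKNOWN N/A(N/A) vlan.10 UNKNOWN policy deny
Apr 14 21:03:14 srx100 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.9.9.9/5353->2.2.2.10/53 junos-dns-udp 17(0) block-dns external internal UNKNOWN UNKNOWN N/A(N/A) fe-0/0/0.0 UNKNOWN policy deny
Apr 14 21:03:15 srx100 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.10.23/49400->8.8.8.8/53 junos-dns-udp 192.168.10.23/49400->8.8.8.8/53 None None 17 allow-out living-room external 1234 N/A(N/A) vlan.10
"""


def parse_deny(line):
    """Return the fields of a deny event as a dict, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto"):
        rec[key] = int(rec[key])
    return rec


def deny_records(log_text):
    return [r for r in map(parse_deny, log_text.splitlines()) if r]


def denies_by_zone_pair(records):
    """Counter keyed by (from-zone, to-zone)."""
    return Counter((r["from_zone"], r["to_zone"]) for r in records)


def top_targets(records, n=3):
    """Most frequently denied (destination, port, protocol) triples."""
    return Counter((r["dst"], r["dport"], r["proto"]) for r in records).most_common(n)


def catch_all_hits(records, catch_all="default-deny"):
    """Denies that fell through to the catch-all rule instead of an explicit
    deny: either a permit you forgot, or traffic you want to know about."""
    return [r for r in records if r["policy"] == catch_all]


if __name__ == "__main__":
    recs = deny_records(SAMPLE_LOG)
    for pair, count in denies_by_zone_pair(recs).most_common():
        print(f"{pair[0]:>12} -> {pair[1]:<12} {count} denied")
    for (dst, port, proto), count in top_targets(recs):
        print(f"target {dst}:{port}/{proto}: {count}")
    print(f"{len(catch_all_hits(recs))} of {len(recs)} denies hit the catch-all rule")
```

Feed it the real file with `file copy /var/log/denied-traffic-log` (or a syslog export) and replace SAMPLE_LOG with the file contents; the `catch_all_hits` list is the one to review first, because everything in it was dropped by the group or global rule rather than by a rule you wrote on purpose.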

Junos 11.4R1 introduced “global security policies”, which is the way I prefer: a global policy is evaluated after all zone-pair policies and does not depend on a zone pair having policies of its own.

set security policies global policy default-log-and-drop match source-address any
set security policies global policy default-log-and-drop match destination-address any
set security policies global policy default-log-and-drop match application any
set security policies global policy default-log-and-drop then deny
set security policies global policy default-log-and-drop then log session-init

But remember:
You have to use the global address book for this solution; you cannot mix zone-specific address books with the global address book.
I always prefer the global address book anyway, since you don’t have to create a host twice when it is needed in different zones, but that’s just my taste.

Juniper Summit 2016 – The Disruptive Decade

I went to the Juniper Summit in Frankfurt, Germany on Wednesday the 13th of April. It was really interesting seeing so many Juniper employees and partners and, of course, the great minds who shared many good sessions with the crowd. Juniper also celebrated its 20 years, and we all received various gifts and a 20 Years sticker. Way to go, Juniper!

The Juniper Power-Bank

POC – Pilot – Project :: Objectives and Difference

Customers sometimes ask me what the difference between a POC and a pilot is. I found this nice sheet (but had to modify and tweak it, since in my opinion it did not reflect the distinction correctly).

Although a pilot is very close to production, I personally would never purchase licenses before I have checked that the pilot works flawlessly. I think one of the core differences is that a POC runs on vendor-supplied hardware in the lab, whereas the pilot happens in your live infrastructure with the final vendor hardware and config.