====== Configuring VPN IPSEC between Juniper SRX and Google Cloud Platform (GCP) ======

==== Introduction. ====

**Juniper SRX**:\\
GLOBAL IP: 91.208.39.16\\
Local Network: 192.168.0.0/16\\

**GCP**:\\
GLOBAL assigned static IP: 130.211.235.196\\
Local Network: 10.128.0.0/20\\

For this example the pre-shared key ''test'' will be used.\\

Google Cloud Platform uses the following IKE and IPSEC policies.\\

**IKE policy:**\\
encryption: aes128\\
hash: sha1\\
Diffie-Hellman group: 2\\

**IPSEC policy:**\\
encryption: aes128\\
hash: hmac_sha1\\
Diffie-Hellman group: 2\\

**VPN** - tunnel mode esp

==== Configuring GCP. ====

1. Create a project in the chosen ZONE.\\
For example, the project named pr1-163914 was created in the us-central1 ZONE.\\
Default local network for this ZONE - 10.128.0.0/20

2. Create the VPN router.\\
For example, the router is named vpn-1 and gets the assigned static GLOBAL IP, in this example 130.211.235.196.\\
*This can also be done through the Web interface at console.cloud.google.com\\

The gateway, the three forwarding rules (ESP, UDP/500, UDP/4500), the tunnel and the route back to the Juniper network:

<code bash>
gcloud compute --project "pr1-163914" target-vpn-gateways create "vpn-1" --region "us-central1" --network "default"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-esp" --region "us-central1" --address "130.211.235.196" --ip-protocol "ESP" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "500" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp4500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "4500" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" vpn-tunnels create "vpn-1-tunnel-1" --region "us-central1" --peer-address "91.208.39.16" --shared-secret "test" --ike-version "2" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" routes create "vpn-1-tunnel-1-route-1" --network "default" --next-hop-vpn-tunnel "vpn-1-tunnel-1" --next-hop-vpn-tunnel-region "us-central1" --destination-range "192.168.0.0/16"
</code>

==== Configuring Juniper. ====

1. Create the st0 tunnel interface:\\
<code>
{primary:node1}[edit]
set interfaces st0 unit 0 description GCP
set interfaces st0 unit 0 family inet mtu 1460
</code>

2. Configure three security zones on the Juniper (the tunnel interface st0.0 goes into its own zone):\\
<code>
{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone Internal interfaces reth1.0
set security zones security-zone Tunnels interfaces st0.0
</code>

3. Configure security policies (for this example I will not configure a detailed policy):\\
<code>
{primary:node1}[edit]
set security policies default-policy permit-all
</code>

4. Configure IKE. The proposal mirrors the GCP IKE policy (aes128, sha1, group 2); the gateway points at the GCP static IP and is pinned to IKEv2 to match ''--ike-version "2"'' on the GCP side:\\
<code>
{primary:node1}[edit]
set security ike proposal IKE_PRO_GOOGLE authentication-method pre-shared-keys
set security ike proposal IKE_PRO_GOOGLE dh-group group2
set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1
set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ike proposal IKE_PRO_GOOGLE lifetime-seconds 28800
set security ike policy IKE_POL_GOOGLE mode main
set security ike policy IKE_POL_GOOGLE proposals IKE_PRO_GOOGLE
set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text test
set security ike gateway GOOGLE ike-policy IKE_POL_GOOGLE
set security ike gateway GOOGLE address 130.211.235.196
set security ike gateway GOOGLE local-identity inet 91.208.39.16
set security ike gateway GOOGLE external-interface reth0.0
set security ike gateway GOOGLE version v2-only
</code>

5. Configure IPSEC. The proposal mirrors the GCP IPSEC policy (esp, aes128, hmac_sha1) with PFS group 2, and the VPN is bound to st0.0:\\
<code>
{primary:node1}[edit]
set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp
set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_GOOGLE lifetime-seconds 3600
set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL_GOOGLE proposals IPSEC_PRO_GOOGLE
set security ipsec vpn VPN_GOOGLE bind-interface st0.0
set security ipsec vpn VPN_GOOGLE ike gateway GOOGLE
set security ipsec vpn VPN_GOOGLE ike ipsec-policy IPSEC_POL_GOOGLE
</code>

6. Configure routing (the GCP local network is reached through the tunnel interface):\\
<code>
{primary:node1}[edit]
set routing-options static route 10.128.0.0/20 next-hop st0.0
</code>

7. Commit:\\
<code>
{primary:node1}[edit]
commit
</code>

==== About author ====

[[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|Profile]] of the author
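==== Cross-checking both ends. ====

A site-to-site tunnel only comes up when both ends agree on the peer addresses, the pre-shared key, the IKE version and the IKE/IPSEC algorithms, and a mismatch in any one of them just shows up as a tunnel that never establishes. The Python script below is an added example, not part of the original article or of any Juniper or Google tool: it parses the gcloud commands and the Junos ''set'' commands from this article (embedded as constructed copies) and reports every field where the two sides disagree. The expected GCP algorithm set is the one listed in the introduction, written in Junos algorithm names; ''parse_gcloud'', ''parse_junos'' and ''check_tunnel'' are names chosen for this example.

```python
"""Cross-check the GCP (gcloud) and Junos (set) halves of a Cloud VPN tunnel.

Added example, not part of the original article. The embedded command texts
are constructed copies of the commands shown in the article.
"""
import shlex

# Cloud VPN parameters from the introduction, in Junos spelling.
GCP_IKE = {
    "encryption-algorithm": "aes-128-cbc",
    "authentication-algorithm": "sha1",
    "dh-group": "group2",
}
GCP_IPSEC = {
    "encryption-algorithm": "aes-128-cbc",
    "authentication-algorithm": "hmac-sha1-96",
    "perfect-forward-secrecy": "group2",
}

# Constructed sample input: the GCP side as gcloud commands.
GCLOUD_CMDS = """
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-esp" --region "us-central1" --address "130.211.235.196" --ip-protocol "ESP" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" vpn-tunnels create "vpn-1-tunnel-1" --region "us-central1" --peer-address "91.208.39.16" --shared-secret "test" --ike-version "2" --target-vpn-gateway "vpn-1"
"""

# Constructed sample input: the Junos side as set commands.
JUNOS_CONFIG = """
set security ike proposal IKE_PRO_GOOGLE authentication-method pre-shared-keys
set security ike proposal IKE_PRO_GOOGLE dh-group group2
set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1
set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text test
set security ike gateway GOOGLE address 130.211.235.196
set security ike gateway GOOGLE local-identity inet 91.208.39.16
set security ike gateway GOOGLE version v2-only
set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp
set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2
"""


def _flags(args):
    """Map '--flag value' / '--flag=value' pairs to a dict; a bare flag maps to True."""
    out, i = {}, 0
    while i < len(args):
        a = args[i]
        if a.startswith("--"):
            if "=" in a:
                k, v = a.split("=", 1)
                out[k] = v
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                out[a] = args[i + 1]
                i += 1
            else:
                out[a] = True
        i += 1
    return out


def parse_gcloud(text):
    """Collect gateway IP, peer, shared secret and IKE version from gcloud lines."""
    info = {}
    for line in text.splitlines():
        if not line.strip().startswith("gcloud"):
            continue
        args = shlex.split(line)
        f = _flags(args)
        if "forwarding-rules" in args and "--address" in f:
            info["gateway_ip"] = f["--address"]
        if "vpn-tunnels" in args and "create" in args:
            info["peer"] = f.get("--peer-address")
            info["psk"] = f.get("--shared-secret")
            info["ike_version"] = f.get("--ike-version")
    return info


def parse_junos(text):
    """Collect IKE/IPsec proposal values, PFS group, gateway settings and PSK from set lines."""
    info = {"ike": {}, "ipsec": {}, "gw": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[:2] != ["set", "security"]:
            continue
        if t[2:4] == ["ike", "proposal"]:
            info["ike"][t[5]] = t[6]
        elif t[2:4] == ["ipsec", "proposal"]:
            info["ipsec"][t[5]] = t[6]
        elif t[2:4] == ["ipsec", "policy"] and t[5] == "perfect-forward-secrecy":
            info["ipsec"]["perfect-forward-secrecy"] = t[-1]
        elif t[2:4] == ["ike", "gateway"]:
            info["gw"][t[5]] = t[-1]  # 'local-identity inet X' also ends in the value
        elif t[2:4] == ["ike", "policy"] and t[5] == "pre-shared-key":
            info["gw"]["psk"] = t[-1]
    return info


def check_tunnel(gcloud_text, junos_text):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    g, j = parse_gcloud(gcloud_text), parse_junos(junos_text)
    gw, problems = j["gw"], []
    if gw.get("address") != g.get("gateway_ip"):
        problems.append("gateway address: Junos %s vs GCP VPN IP %s" % (gw.get("address"), g.get("gateway_ip")))
    if gw.get("local-identity") != g.get("peer"):
        problems.append("local identity: Junos %s vs GCP peer-address %s" % (gw.get("local-identity"), g.get("peer")))
    if gw.get("psk") != g.get("psk"):
        problems.append("pre-shared-key differs between gcloud --shared-secret and Junos ascii-text")
    if g.get("ike_version") == "2" and gw.get("version") != "v2-only":
        problems.append("IKE version: GCP tunnel is IKEv2 but Junos gateway is not v2-only")
    for k, want in GCP_IKE.items():
        if j["ike"].get(k) != want:
            problems.append("IKE %s: Junos %s vs GCP %s" % (k, j["ike"].get(k), want))
    for k, want in GCP_IPSEC.items():
        if j["ipsec"].get(k) != want:
            problems.append("IPsec %s: Junos %s vs GCP %s" % (k, j["ipsec"].get(k), want))
    return problems


if __name__ == "__main__":
    for label, cfg in (("as written", JUNOS_CONFIG),
                       ("psk typo", JUNOS_CONFIG.replace("ascii-text test", "ascii-text text"))):
        print(label, "->", check_tunnel(GCLOUD_CMDS, cfg) or "OK")
```

Run as a script it reports ''OK'' for the configuration above and flags the pre-shared key when one side has ''test'' and the other ''text''. Pasting the real ''show configuration | display set'' output of the SRX and the real gcloud history into the two strings gives the same check for a live deployment, before spending time on ''show security ike security-associations'' output that is simply empty.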