ru:jobs:vpn_gcloud_srx [2017/04/08 13:17] (current) admin created |
| ======= Configuring an IPsec VPN between Juniper SRX and Google Cloud Platform (GCP) ======= |
| ==== Introduction ==== |
| |
| |
| **Juniper SRX**:\\ |
| Public IP: 91.208.39.16\\ |
| Local network: 192.168.0.0/16\\ |
| |
| **GCP**:\\ |
| Reserved static external IP: 130.211.235.196\\ |
| Local network: 10.128.0.0/20\\ |
| |
| The pre-shared key used throughout this example is: test \\ |
| |
| Google Cloud VPN negotiates the following IKE and IPsec policies. The SRX has to offer exactly these parameters, otherwise Phase 1 or Phase 2 fails.\\ |
| |
| **IKE policy:**\\ |
| encryption: aes128\\ |
| hash: sha1\\ |
| Diffie-Hellman group: 2\\ |
| |
| **IPsec policy:**\\ |
| encryption: aes128\\ |
| hash: hmac_sha1\\ |
| Diffie-Hellman group (PFS): 2 |
| |
| **VPN** - ESP in tunnel mode |
| |
| DH group 2 is the 1024-bit MODP group and SHA-1 is no longer considered strong; they are used here only because they are what the peer negotiates. Prefer stronger groups and hashes wherever both ends support them. |
| ==== Configuring GCP. ==== |
| |
| 1. Create a project and choose a region |
| |
| For example, the project with ID pr1-163914 was created and us-central1 was chosen as the region (VPN gateways, forwarding rules and tunnels are regional resources, so it is the region rather than a zone that matters here).\\ |
| The default network's subnet for us-central1 is 10.128.0.0/20. |
| |
| 2. Create the VPN gateway\\ |
| |
| The gateway is named vpn-1 and uses a static external IP reserved in the same region, in this example 130.211.235.196. Three forwarding rules steer ESP, UDP/500 (IKE) and UDP/4500 (NAT-T) arriving on that address to the gateway; the tunnel is created for IKEv2 with the pre-shared key from the introduction, and a route sends 192.168.0.0/16 into the tunnel.\\ |
| |
| gcloud compute --project "pr1-163914" target-vpn-gateways create "vpn-1" --region "us-central1" --network "default" |
| gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-esp" --region "us-central1" --address "130.211.235.196" --ip-protocol "ESP" --target-vpn-gateway "vpn-1" |
| gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "500" --target-vpn-gateway "vpn-1" |
| gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp4500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "4500" --target-vpn-gateway "vpn-1" |
| gcloud compute --project "pr1-163914" vpn-tunnels create "vpn-1-tunnel-1" --region "us-central1" --peer-address "91.208.39.16" --shared-secret "test" --ike-version "2" --target-vpn-gateway "vpn-1" |
| gcloud compute --project "pr1-163914" routes create "vpn-1-tunnel-1-route-1" --network "default" --next-hop-vpn-tunnel "vpn-1-tunnel-1" --next-hop-vpn-tunnel-region "us-central1" --destination-range "192.168.0.0/16" |
| |
| The route only makes GCP forward packets towards the SRX. The default network's pre-created default-allow-internal firewall rule matches sources in 10.128.0.0/9 only, so an ingress firewall rule allowing 192.168.0.0/16 is still required before instances accept traffic from the SRX side. |
| |
| ==== Configuring Juniper. ==== |
| |
| 1. Create the st0 tunnel interface:\\ |
| |
| {primary:node1}[edit] |
| set interfaces st0 unit 0 description GCP |
| set interfaces st0 unit 0 family inet mtu 1460 |
| |
| The MTU of 1460 matches the default MTU of GCP VM interfaces. |
| |
| |
| 2. Configure three security zones on the Juniper:\\ |
| |
| {primary:node1}[edit] |
| set security zones security-zone ISPs interfaces reth0.0 |
| set security zones security-zone ISPs host-inbound-traffic system-services ike |
| set security zones security-zone Internal interfaces reth1.0 |
| set security zones security-zone Tunnels interfaces st0.0 |
| |
| The host-inbound-traffic statement is required: the zone holding the external interface must let the SRX itself accept IKE on 91.208.39.16, otherwise the peer's IKE packets are dropped before negotiation starts. |
| |
| |
| 3. Configure security policies (this example writes no detailed policies and permits everything):\\ |
| |
| {primary:node1}[edit] |
| set security policies default-policy permit-all |
| |
| permit-all applies to every zone pair, including ISPs to Internal, so it is acceptable only while bringing the tunnel up in a lab. In production keep the default at deny-all and write explicit policies between the Internal and Tunnels zones for the traffic that should cross the VPN. |
| |
| |
| 4. Configure IKE (Phase 1) |
| |
| {primary:node1}[edit] |
| set security ike proposal IKE_PRO_GOOGLE authentication-method pre-shared-keys |
| set security ike proposal IKE_PRO_GOOGLE dh-group group2 |
| set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1 |
| set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc |
| set security ike proposal IKE_PRO_GOOGLE lifetime-seconds 28800 |
| |
| set security ike policy IKE_POL_GOOGLE mode main |
| set security ike policy IKE_POL_GOOGLE proposals IKE_PRO_GOOGLE |
| set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text test |
| |
| set security ike gateway GOOGLE ike-policy IKE_POL_GOOGLE |
| set security ike gateway GOOGLE address 130.211.235.196 |
| set security ike gateway GOOGLE local-identity inet 91.208.39.16 |
| set security ike gateway GOOGLE external-interface reth0.0 |
| set security ike gateway GOOGLE version v2-only |
| |
| The pre-shared key must be the same string passed to gcloud as --shared-secret (test in this example), and the gateway is pinned to IKEv2 to match --ike-version 2. The mode main statement applies to IKEv1 only; with version v2-only it has no effect. |
| |
| |
| 5. Configure IPsec (Phase 2) |
| |
| {primary:node1}[edit] |
| set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp |
| set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96 |
| set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc |
| set security ipsec proposal IPSEC_PRO_GOOGLE lifetime-seconds 3600 |
| |
| set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2 |
| set security ipsec policy IPSEC_POL_GOOGLE proposals IPSEC_PRO_GOOGLE |
| |
| set security ipsec vpn VPN_GOOGLE bind-interface st0.0 |
| set security ipsec vpn VPN_GOOGLE ike gateway GOOGLE |
| set security ipsec vpn VPN_GOOGLE ike ipsec-policy IPSEC_POL_GOOGLE |
| |
| hmac-sha1-96 is the Junos name for GCP's hmac_sha1, and perfect-forward-secrecy keys group2 matches the Diffie-Hellman group 2 in GCP's IPsec policy. |
| |
| 6. Configure routing |
| |
| {primary:node1}[edit] |
| set routing-options static route 10.128.0.0/20 next-hop st0.0 |
| |
| This is a route-based VPN: everything routed to st0.0 is encrypted by the VPN bound to that interface, so no further traffic selectors are needed on the SRX. |
| |
| |
| |
| 7. Commit the configuration |
| |
| {primary:node1}[edit] |
| commit |
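| The IKE and IPsec parameters, the pre-shared key, the IKE version, the static route and the zone statements on the SRX all have to line up with what was given to gcloud above; a mismatch in any of them shows up only as a tunnel that never comes up. The following Python check is an added example for this page, not code from the article, from Juniper or from Google: it parses a Junos set-style configuration, extracts the values that matter for Phase 1 and Phase 2, and compares them with the GCP side. The SRX_CONFIG and GCP data inside it are constructed from the commands on this page (with the pre-shared key test and the host-inbound-traffic statement included); the name mapping in JUNOS_TO_GCP and the check function are assumptions of this example. |

```python
"""Check an SRX 'set'-style config against what Google Cloud VPN negotiates, to
catch the mismatches that make IKE Phase 1 or Phase 2 fail (algorithms, DH/PFS
group, PSK, IKE version) plus the route and zone statements the tunnel needs.
Added example for this page, not Juniper or Google code: SRX_CONFIG is built from
the article's commands, GCP from its policy table and its gcloud flags."""

# Junos algorithm and group names mapped onto the names the GCP policy uses.
JUNOS_TO_GCP = {"aes-128-cbc": "aes128", "sha1": "sha1", "hmac-sha1-96": "sha1", "group2": "2"}

SRX_CONFIG = """\
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone ISPs host-inbound-traffic system-services ike
set security zones security-zone Tunnels interfaces st0.0
set security ike proposal IKE_PRO_GOOGLE dh-group group2
set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1
set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ike policy IKE_POL_GOOGLE proposals IKE_PRO_GOOGLE
set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text test
set security ike gateway GOOGLE ike-policy IKE_POL_GOOGLE
set security ike gateway GOOGLE address 130.211.235.196
set security ike gateway GOOGLE external-interface reth0.0
set security ike gateway GOOGLE version v2-only
set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp
set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL_GOOGLE proposals IPSEC_PRO_GOOGLE
set security ipsec vpn VPN_GOOGLE bind-interface st0.0
set security ipsec vpn VPN_GOOGLE ike gateway GOOGLE
set security ipsec vpn VPN_GOOGLE ike ipsec-policy IPSEC_POL_GOOGLE
set routing-options static route 10.128.0.0/20 next-hop st0.0
"""

# GCP side: the article's policy table plus its vpn-tunnels/routes gcloud flags.
GCP = {"gateway_address": "130.211.235.196", "ike_version": "2", "shared_secret": "test",
       "local_range": "10.128.0.0/20", "pfs_group": "2",
       "ike": {"encryption-algorithm": "aes128", "authentication-algorithm": "sha1",
               "dh-group": "2"},
       "ipsec": {"protocol": "esp", "encryption-algorithm": "aes128",
                 "authentication-algorithm": "sha1"}}

def parse_set_config(text):
    """Token lists of every 'set ...' line; prompts and blank lines are dropped."""
    return [t[1:] for t in (line.split() for line in text.splitlines()) if t[:1] == ["set"]]

def tails(cfg, *prefix):
    """Tokens that follow `prefix` on each line that starts with it."""
    return [t[len(prefix):] for t in cfg if t[:len(prefix)] == list(prefix)]

def first(cfg, *prefix):
    """First token after `prefix`, or None when the statement is absent."""
    return next((t[0] for t in tails(cfg, *prefix) if t), None)

def compare(cfg, path, expected, problems, label):
    """Record a mismatch for each statement under `path` whose value differs."""
    for stmt, want in expected.items():
        got = JUNOS_TO_GCP.get((raw := first(cfg, *path, stmt)), raw)
        if got != want:
            problems.append(f"{label} {stmt}: srx={got} gcp={want}")

def check_srx_against_gcp(config_text, gcp):
    """Return human-readable mismatches; an empty list means the sides agree."""
    cfg, problems = parse_set_config(config_text), []
    # Phase 1: the gateway pointing at GCP's address selects the IKE policy/proposal.
    gw = next((t[0] for t in tails(cfg, "security", "ike", "gateway")
               if t[1:3] == ["address", gcp["gateway_address"]]), None)
    if gw is None:
        return [f"no ike gateway with address {gcp['gateway_address']}"]
    g = ("security", "ike", "gateway", gw)
    if first(cfg, *g, "version") != f"v{gcp['ike_version']}-only":
        problems.append("ike version differs from the tunnel's --ike-version")
    pol = first(cfg, *g, "ike-policy")
    psk = tails(cfg, "security", "ike", "policy", pol, "pre-shared-key", "ascii-text")
    if not (psk and psk[0] and psk[0][0] == gcp["shared_secret"]):
        problems.append("pre-shared key missing or differs from --shared-secret")
    prop = first(cfg, "security", "ike", "policy", pol, "proposals")
    compare(cfg, ("security", "ike", "proposal", prop), gcp["ike"], problems, "ike")
    # Phase 2: the VPN bound to that gateway selects the IPsec policy/proposal.
    vpn = next((t[0] for t in tails(cfg, "security", "ipsec", "vpn")
                if t[1:4] == ["ike", "gateway", gw]), None)
    if vpn is None:
        return problems + [f"no ipsec vpn uses ike gateway {gw}"]
    p = ("security", "ipsec", "policy", first(cfg, "security", "ipsec", "vpn", vpn, "ike", "ipsec-policy"))
    compare(cfg, (*p, "perfect-forward-secrecy"), {"keys": gcp["pfs_group"]}, problems, "ipsec pfs")
    iprop = first(cfg, *p, "proposals")
    compare(cfg, ("security", "ipsec", "proposal", iprop), gcp["ipsec"], problems, "ipsec")
    # Plumbing: route GCP's subnet into st0, put st0 in a zone, let the external zone accept IKE.
    st = first(cfg, "security", "ipsec", "vpn", vpn, "bind-interface")
    if first(cfg, "routing-options", "static", "route", gcp["local_range"], "next-hop") != st:
        problems.append(f"no static route for {gcp['local_range']} via {st}")
    zones = {t[2]: t[0] for t in tails(cfg, "security", "zones", "security-zone")
             if len(t) > 2 and t[1] == "interfaces"}
    if st not in zones:
        problems.append(f"{st} is not assigned to a security zone")
    ext = first(cfg, *g, "external-interface")
    inbound = tails(cfg, "security", "zones", "security-zone", zones.get(ext, "?"),
                    "host-inbound-traffic", "system-services")
    if not any(t[:1] in (["ike"], ["all"]) for t in inbound):
        problems.append(f"zone of {ext} does not allow ike in host-inbound-traffic")
    return problems
```

| Run check_srx_against_gcp(SRX_CONFIG, GCP) and an empty list means both sides agree. Feeding it the GCP side with --shared-secret "text" while the SRX key is test reports the PSK mismatch, and a Tunnels zone line without the interfaces keyword is reported as st0.0 not belonging to any zone; both are the kind of slip that otherwise costs an afternoon of reading IKE debug output. |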
| |
| |
| |
| ==== About author ==== |
| [[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|Profile]] of the author |