Juniper SRX Site to Site IPsec VPN and IP Monitoring with route fail-over configuration

Good morning! This time I (Rizki) want to share the results of a lab session with the gurus at the office. I tend to forget this stuff, so I'm writing it down here. There's a topology diagram below; have a look at it first.

Today's lab scenario: traffic from the Branch to HO uses the primary VPN link (the red path), but if the link between HO and R2 goes down, the Branch can still reach HO over the backup VPN (the blue path) via DRC-R1-HO.

Let's go straight to the configuration.

[Topology diagram]

Juniper SRX-HO configuration

Set interfaces

set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.2/24
set interfaces ge-0/0/2 unit 0 family inet address 30.30.30.1/24
set interfaces ge-0/0/3 unit 0 family inet address 100.100.100.1/24

Set interface Tunnel

set interfaces st0 unit 0 family inet address 11.11.11.1/24
set interfaces st0 unit 1 family inet address 12.12.12.1/24
set interfaces st0 unit 2 family inet address 13.13.13.2/24

Set Static Route

 set routing-options static route 10.10.10.0/24 next-hop 20.20.20.1
 set routing-options static route 50.50.50.0/24 next-hop 30.30.30.2
 set routing-options static route 50.50.50.0/24 qualified-next-hop 20.20.20.1 preference 10
 set routing-options static route 40.40.40.0/24 next-hop 30.30.30.2
 set routing-options static route 40.40.40.0/24 qualified-next-hop 20.20.20.1 preference 10
 set routing-options static route 150.150.150.0/24 next-hop st0.2
 set routing-options static route 200.200.200.0/24 next-hop st0.0

Set IKE

 set security ike proposal ike-proposal-test1 authentication-method pre-shared-keys
 set security ike proposal ike-proposal-test1 dh-group group5
 set security ike proposal ike-proposal-test1 authentication-algorithm sha1
 set security ike proposal ike-proposal-test1 encryption-algorithm aes-256-cbc
 set security ike proposal ike-proposal-test1 lifetime-seconds 28000
 set security ike policy ike-policy-test1 mode main
 set security ike policy ike-policy-test1 proposals ike-proposal-test1
 set security ike policy ike-policy-test1 pre-shared-key ascii-text 
 set security ike gateway ike-drc ike-policy ike-policy-test1
 set security ike gateway ike-drc address 50.50.50.2
 set security ike gateway ike-drc external-interface ge-0/0/2.0
 set security ike gateway ike-branch ike-policy ike-policy-test1
 set security ike gateway ike-branch address 40.40.40.2
 set security ike gateway ike-branch external-interface ge-0/0/2.0
 set security ike gateway ike-branch-backup ike-policy ike-policy-test1
 set security ike gateway ike-branch-backup address 40.40.40.2
 set security ike gateway ike-branch-backup external-interface ge-0/0/1

Set IPsec

 set security ipsec proposal ipsec-Proposal-test1 protocol esp
 set security ipsec proposal ipsec-Proposal-test1 authentication-algorithm hmac-sha1-96
 set security ipsec proposal ipsec-Proposal-test1 encryption-algorithm aes-128-cbc
 set security ipsec proposal ipsec-Proposal-test1 lifetime-seconds 3600
 set security ipsec policy ipsec-Policy-test1 perfect-forward-secrecy keys group2
 set security ipsec policy ipsec-Policy-test1 proposals ipsec-Proposal-test1
 set security ipsec vpn ipsec-vpn-drc bind-interface st0.2
 set security ipsec vpn ipsec-vpn-drc ike gateway ike-drc
 set security ipsec vpn ipsec-vpn-drc ike idle-time 3600
 set security ipsec vpn ipsec-vpn-drc ike proxy-identity local 100.100.100.0/24
 set security ipsec vpn ipsec-vpn-drc ike proxy-identity remote 150.150.150.0/24
 set security ipsec vpn ipsec-vpn-drc ike proxy-identity service any
 set security ipsec vpn ipsec-vpn-drc ike ipsec-policy ipsec-Policy-test1
 set security ipsec vpn ipsec-vpn-drc establish-tunnels immediately
 set security ipsec vpn ipsec-vpn-branch bind-interface st0.0
 set security ipsec vpn ipsec-vpn-branch ike gateway ike-branch
 set security ipsec vpn ipsec-vpn-branch ike idle-time 3600
 set security ipsec vpn ipsec-vpn-branch ike proxy-identity local 100.100.100.0/24
 set security ipsec vpn ipsec-vpn-branch ike proxy-identity remote 200.200.200.0/24
 set security ipsec vpn ipsec-vpn-branch ike proxy-identity service any
 set security ipsec vpn ipsec-vpn-branch ike ipsec-policy ipsec-Policy-test1
 set security ipsec vpn ipsec-vpn-branch establish-tunnels immediately
 set security ipsec vpn ipsec-vpn-backup bind-interface st0.1
 set security ipsec vpn ipsec-vpn-backup ike gateway ike-branch-backup
 set security ipsec vpn ipsec-vpn-backup ike idle-time 3600
 set security ipsec vpn ipsec-vpn-backup ike proxy-identity local 100.100.100.0/24
 set security ipsec vpn ipsec-vpn-backup ike proxy-identity remote 200.200.200.0/24
 set security ipsec vpn ipsec-vpn-backup ike proxy-identity service any
 set security ipsec vpn ipsec-vpn-backup ike ipsec-policy ipsec-Policy-test1
 set security ipsec vpn ipsec-vpn-backup establish-tunnels immediately

Set Security zone and member zone

 set security zones security-zone trust host-inbound-traffic system-services all
 set security zones security-zone trust host-inbound-traffic protocols all
 set security zones security-zone trust interfaces ge-0/0/3.0
 set security zones security-zone VPN host-inbound-traffic protocols all
 set security zones security-zone VPN interfaces st0.0
 set security zones security-zone VPN interfaces st0.1
 set security zones security-zone VPN interfaces st0.2
 set security zones security-zone ISP1 host-inbound-traffic system-services all
 set security zones security-zone ISP1 host-inbound-traffic protocols all
 set security zones security-zone ISP1 interfaces ge-0/0/2.0
 set security zones security-zone ISP2 host-inbound-traffic system-services all
 set security zones security-zone ISP2 host-inbound-traffic protocols all
 set security zones security-zone ISP2 interfaces ge-0/0/1.0

Set Policy

For the security policies, just use any/any/any permit for now; typing them all out here would take up too much space.. hehe 😀

Set IP Monitoring with route failover

 set services rpm probe example test test-name target address 40.40.40.2
 set services rpm probe example test test-name probe-count 3
 set services rpm probe example test test-name probe-interval 5
 set services rpm probe example test test-name test-interval 10
 set services rpm probe example test test-name thresholds successive-loss 3
 set services rpm probe example test test-name thresholds total-loss 3
 set services rpm probe example test test-name destination-interface ge-0/0/2.0
 set services rpm probe example test test-name next-hop 30.30.30.2
 set services ip-monitoring policy test match rpm-probe example
 set services ip-monitoring policy test then preferred-route route 200.200.200.0/24 next-hop 12.12.12.2

Verification on SRX-HO

root# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
1161061 UP     a59fee6e9587a507  6ffd737a631b5171  Main  50.50.50.2
1161081 UP     0b6efbbdce53b630  44307dab1378d7fb  Main  40.40.40.2
1161082 UP     796bc1918a221975  18d641db4341d48f  Main  40.40.40.2
1161080 UP     1ee702baabd95218  231c28a9c12d7080  Main  40.40.40.2
1161079 UP     48914d71d31a6823  708a26c8cba4af24  Main  40.40.40.2

root# run show security ipsec security-associations
Total active tunnels: 3
ID      Algorithm         SPI      Life:sec/kb  Mon lsys Port  Gateway
<131075 ESP:aes-128/sha1  84e53e18 1457/ unlim  -   root 500   40.40.40.2
>131075 ESP:aes-128/sha1  c3c85e6d 1457/ unlim  -   root 500   40.40.40.2
<131074 ESP:aes-128/sha1  ab2853d3 1459/ unlim  -   root 500   40.40.40.2
>131074 ESP:aes-128/sha1  29e56dd6 1459/ unlim  -   root 500   40.40.40.2
<131073 ESP:aes-128/sha1  2f2238f6 701/ unlim   -   root 500   50.50.50.2
>131073 ESP:aes-128/sha1  5ee66108 701/ unlim   -   root 500   50.50.50.2

root# run show interfaces terse |no-more
ge-0/0/1.0              up    up   inet     20.20.20.2/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     30.30.30.1/24
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     100.100.100.1/24
st0                     up    up
st0.0                   up    up   inet     11.11.11.1/24
st0.1                   up    up   inet     12.12.12.1/24
st0.2                   up    up   inet     13.13.13.2/24

root# run show services ip-monitoring status
Policy - test (Status: PASS)
  RPM Probes:
  Probe name             Test Name       Address          Status
  ---------------------- --------------- ---------------- ---------
  example                test-name       40.40.40.2       PASS
  Route-Action:
  route-instance    route             next-hop         state
  ----------------- ----------------- ---------------- -------------
  inet.0            200.200.200.0/24  12.12.12.2       NOT-APPLIED
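Reading these three outputs by eye works for a lab, but the same checks are easy to script. The block below is an added example (not code from the original post): it parses constructed copies of the SRX-HO output above and checks that every expected IKE peer has an SA in state UP, that the number of distinct IPsec SA IDs (each tunnel shows an inbound `<` and an outbound `>` SA) matches the "Total active tunnels" line, and that the ip-monitoring route action is consistent with the policy status (NOT-APPLIED while the probe passes, APPLIED while it fails). Note that the IKE list shows several SAs for 40.40.40.2: two HO gateways (ike-branch and ike-branch-backup) point at that same address, and SAs overlap during rekey, so a health check should look for at least one UP SA per peer rather than count rows. The peer 60.60.60.2 used in the "missing peer" check is only there to show a failing case; the regular expressions are an assumption about the column layout of the Junos releases that print output in this form.

```python
"""Sanity checks over SRX 'show' output (added example, not from the post).
The three samples below are constructed copies of the SRX-HO output shown
above; the parser works on text only and never connects to a device."""
import re

IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
1161061 UP     a59fee6e9587a507  6ffd737a631b5171  Main  50.50.50.2
1161081 UP     0b6efbbdce53b630  44307dab1378d7fb  Main  40.40.40.2
1161082 UP     796bc1918a221975  18d641db4341d48f  Main  40.40.40.2
"""
IPSEC_OUTPUT = """\
Total active tunnels: 3
ID      Algorithm         SPI      Life:sec/kb  Mon lsys Port  Gateway
<131075 ESP:aes-128/sha1  84e53e18 1457/ unlim  -   root 500   40.40.40.2
>131075 ESP:aes-128/sha1  c3c85e6d 1457/ unlim  -   root 500   40.40.40.2
<131074 ESP:aes-128/sha1  ab2853d3 1459/ unlim  -   root 500   40.40.40.2
>131074 ESP:aes-128/sha1  29e56dd6 1459/ unlim  -   root 500   40.40.40.2
<131073 ESP:aes-128/sha1  2f2238f6 701/ unlim   -   root 500   50.50.50.2
>131073 ESP:aes-128/sha1  5ee66108 701/ unlim   -   root 500   50.50.50.2
"""
IPMON_OUTPUT = """\
Policy - test (Status: PASS)
  RPM Probes:
  Probe name             Test Name       Address          Status
  ---------------------- --------------- ---------------- ---------
  example                test-name       40.40.40.2       PASS
  Route-Action:
  route-instance    route             next-hop         state
  ----------------- ----------------- ---------------- -------------
  inet.0            200.200.200.0/24  12.12.12.2       NOT-APPLIED
"""

# Column layouts are an assumption based on the output shown in the post.
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$")
IPSEC_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
ROUTE_ACTION = re.compile(r"^\s*(\S+)\s+(\S+/\d+)\s+(\S+)\s+(APPLIED|NOT-APPLIED)\s*$", re.M)


def parse_ike(text):
    """One dict per IKE SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            rows.append({"index": int(m[1]), "state": m[2], "mode": m[5], "remote": m[6]})
    return rows


def ike_peers_up(text):
    """Remote addresses that have at least one SA in state UP."""
    return {r["remote"] for r in parse_ike(text) if r["state"] == "UP"}


def missing_ike_peers(text, expected):
    """Expected peers with no UP SA at all (sorted for stable output)."""
    return sorted(set(expected) - ike_peers_up(text))


def parse_ipsec(text):
    """Return (total from the summary line, list of SA dicts)."""
    total, sas = None, []
    for line in text.splitlines():
        m = re.match(r"\s*Total active tunnels:\s*(\d+)", line)
        if m:
            total = int(m[1])
            continue
        m = IPSEC_ROW.match(line)
        if m:
            sas.append({"dir": m[1], "id": int(m[2]), "alg": m[3], "spi": m[4],
                        "life_sec": int(m[5]), "gateway": m[10]})
    return total, sas


def ipsec_tunnels_consistent(text):
    """True when the summary count equals the number of distinct SA IDs and
    every ID has both an inbound (<) and an outbound (>) SA."""
    total, sas = parse_ipsec(text)
    ids = {s["id"] for s in sas}
    both = all({s["dir"] for s in sas if s["id"] == i} == {"<", ">"} for i in ids)
    return total == len(ids) and both


def parse_ip_monitoring(text):
    """Policy name, PASS/FAIL status and the route-action row."""
    head = re.search(r"Policy - (\S+) \(Status: (\w+)\)", text)
    act = ROUTE_ACTION.search(text)
    return {"policy": head[1], "status": head[2], "route": act[2],
            "next_hop": act[3], "action": act[4]}


def ip_monitoring_consistent(text):
    """The preferred route must be APPLIED exactly when the policy FAILs."""
    info = parse_ip_monitoring(text)
    return info["action"] == ("APPLIED" if info["status"] == "FAIL" else "NOT-APPLIED")


if __name__ == "__main__":
    print("IKE peers UP:", sorted(ike_peers_up(IKE_OUTPUT)))
    print("IPsec count consistent:", ipsec_tunnels_consistent(IPSEC_OUTPUT))
    print("ip-monitoring consistent:", ip_monitoring_consistent(IPMON_OUTPUT))
```

Run it on the output of the same three commands collected from the device (for example over NETCONF or by pasting the CLI text) and alert when `missing_ike_peers` is non-empty or either consistency check returns False.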

Juniper SRX-Branch 1 configuration

Set interfaces

 set interfaces ge-0/0/1 unit 0 family inet address 40.40.40.2/24
 set interfaces ge-0/0/2 unit 0 family inet address 200.200.200.1/24

Set interface Tunnel

 set interfaces st0 unit 0 family inet address 11.11.11.2/24
 set interfaces st0 unit 1 family inet address 12.12.12.2/24

Set Static Route

 set routing-options static route 0.0.0.0/0 next-hop 40.40.40.1
 set routing-options static route 100.100.100.0/24 next-hop st0.0

Set IKE

 set security ike proposal ike-proposal-to-HO authentication-method pre-shared-keys
 set security ike proposal ike-proposal-to-HO dh-group group5
 set security ike proposal ike-proposal-to-HO authentication-algorithm sha1
 set security ike proposal ike-proposal-to-HO encryption-algorithm aes-256-cbc
 set security ike proposal ike-proposal-to-HO lifetime-seconds 28000
 set security ike policy ike-policy-to-HO mode main
 set security ike policy ike-policy-to-HO proposals ike-proposal-to-HO
 set security ike policy ike-policy-to-HO pre-shared-key ascii-text 
 set security ike gateway ike-gateway-to-HO ike-policy ike-policy-to-HO
 set security ike gateway ike-gateway-to-HO address 30.30.30.1
 set security ike gateway ike-gateway-to-HO external-interface ge-0/0/1.0
 set security ike gateway ike-gateway-to-HO-2 ike-policy ike-policy-to-HO
 set security ike gateway ike-gateway-to-HO-2 address 20.20.20.2
 set security ike gateway ike-gateway-to-HO-2 external-interface ge-0/0/1.0

Set IPsec

 set security ipsec proposal ipsec-proposal-to-HO authentication-algorithm hmac-sha1-96
 set security ipsec proposal ipsec-proposal-to-HO encryption-algorithm aes-128-cbc
 set security ipsec proposal ipsec-proposal-to-HO lifetime-seconds 3600
 set security ipsec policy ipsec-policy-to-HO perfect-forward-secrecy keys group2
 set security ipsec policy ipsec-policy-to-HO proposals ipsec-proposal-to-HO
 set security ipsec vpn ipsec-vpn-to-HO bind-interface st0.0
 set security ipsec vpn ipsec-vpn-to-HO ike gateway ike-gateway-to-HO
 set security ipsec vpn ipsec-vpn-to-HO ike idle-time 3600
 set security ipsec vpn ipsec-vpn-to-HO ike proxy-identity local 200.200.200.0/24
 set security ipsec vpn ipsec-vpn-to-HO ike proxy-identity remote 100.100.100.0/24
 set security ipsec vpn ipsec-vpn-to-HO ike proxy-identity service any
 set security ipsec vpn ipsec-vpn-to-HO ike ipsec-policy ipsec-policy-to-HO
 set security ipsec vpn ipsec-vpn-to-HO establish-tunnels immediately
 set security ipsec vpn ipsec-vpn-to-HO-2 bind-interface st0.1
 set security ipsec vpn ipsec-vpn-to-HO-2 ike gateway ike-gateway-to-HO-2
 set security ipsec vpn ipsec-vpn-to-HO-2 ike idle-time 3600
 set security ipsec vpn ipsec-vpn-to-HO-2 ike proxy-identity local 200.200.200.0/24
 set security ipsec vpn ipsec-vpn-to-HO-2 ike proxy-identity remote 100.100.100.0/24
 set security ipsec vpn ipsec-vpn-to-HO-2 ike proxy-identity service any
 set security ipsec vpn ipsec-vpn-to-HO-2 ike ipsec-policy ipsec-policy-to-HO
 set security ipsec vpn ipsec-vpn-to-HO-2 establish-tunnels immediately

Set Security zone and member zone

 set security zones security-zone trust address-book address local 200.200.200.0/24
 set security zones security-zone trust host-inbound-traffic system-services all
 set security zones security-zone trust host-inbound-traffic protocols all
 set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
 set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols all
 set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
 set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
 set security zones security-zone vpn address-book address remote 100.100.100.0/24
 set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
 set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
 set security zones security-zone vpn interfaces st0.1 host-inbound-traffic system-services all
 set security zones security-zone vpn interfaces st0.1 host-inbound-traffic protocols all

Set Policy

For the security policies, again just any/any/any permit for now; typing them all out here would take up too much space.. hehe 😀

Set IP Monitoring with route failover

 set services rpm probe probe-30.30.30.0/24 test test-probe-30 target address 30.30.30.1
 set services rpm probe probe-30.30.30.0/24 test test-probe-30 probe-count 3
 set services rpm probe probe-30.30.30.0/24 test test-probe-30 probe-interval 5
 set services rpm probe probe-30.30.30.0/24 test test-probe-30 test-interval 10
 set services rpm probe probe-30.30.30.0/24 test test-probe-30 thresholds successive-loss 3
 set services rpm probe probe-30.30.30.0/24 test test-probe-30 thresholds total-loss 3
 set services rpm probe probe-30.30.30.0/24 test test-probe-30 destination-interface ge-0/0/1.0
 set services rpm probe probe-30.30.30.0/24 test test-probe-30 next-hop 40.40.40.1
 set services ip-monitoring policy policy-probe-30 match rpm-probe probe-30.30.30.0/24
 set services ip-monitoring policy policy-probe-30 then preferred-route route 100.100.100.0/24 next-hop 12.12.12.1
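The fail-over on both SRX-HO and SRX-Branch rests on two pieces of routing logic: a static route with a `qualified-next-hop ... preference 10` that only takes over when the default preference-5 path disappears, and an ip-monitoring `preferred-route` that is installed only while the RPM policy is in FAIL. The RPM test here sends `probe-count 3` probes and the thresholds `successive-loss 3` / `total-loss 3` both trip only when all three are lost, so a single dropped probe does not flip the route. The following block is an added example, not code from the original post: a small offline model of that decision with the HO and Branch routes taken from the configuration above. It assumes a Junos default preference of 5 for static routes and 1 for an ip-monitoring preferred route, which is why the preferred route beats the primary tunnel route once installed. One caveat worth keeping in mind: the probe targets the peer's WAN address through a fixed `next-hop`, so it detects loss of the HO-R2 path, not a tunnel that is down while the peer address is still reachable (the `Mon -` column in the IPsec SA output shows that vpn-monitor is not enabled here).

```python
"""Offline model of the lab's route fail-over (added example, not from the
post). Routes are copied from the SRX-HO and SRX-Branch configuration; the
probe results are constructed. Assumptions: Junos static routes default to
preference 5, a qualified-next-hop uses the preference given on the command
line, and an ip-monitoring preferred-route is installed with preference 1."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    preference: int = 5  # assumption: Junos default static-route preference


# SRX-HO: Branch LAN via the primary tunnel, Branch WAN via R2, with the
# 'qualified-next-hop 20.20.20.1 preference 10' fallback via R1.
HO_STATIC = [
    Route("200.200.200.0/24", "st0.0"),
    Route("40.40.40.0/24", "30.30.30.2"),
    Route("40.40.40.0/24", "20.20.20.1", 10),
]
HO_PREFERRED = Route("200.200.200.0/24", "12.12.12.2", 1)  # ip-monitoring action

# SRX-Branch: HO LAN via the primary tunnel, default route via R2.
BRANCH_STATIC = [
    Route("0.0.0.0/0", "40.40.40.1"),
    Route("100.100.100.0/24", "st0.0"),
]
BRANCH_PREFERRED = Route("100.100.100.0/24", "12.12.12.1", 1)


def lookup(rib, dst):
    """Longest-prefix match first, then the lowest preference wins."""
    addr = ip_address(dst)
    matches = [r for r in rib if addr in ip_network(r.prefix)]
    if not matches:
        return None
    matches.sort(key=lambda r: (-ip_network(r.prefix).prefixlen, r.preference))
    return matches[0].next_hop


def withdraw(rib, next_hop):
    """Drop routes whose next-hop is no longer resolvable, which is what
    happens to the preference-5 route when the HO-R2 link goes down."""
    return [r for r in rib if r.next_hop != next_hop]


def rpm_status(results, successive_loss=3, total_loss=3):
    """Evaluate one RPM test run (True = reply, False = timeout) against the
    'thresholds successive-loss 3' and 'total-loss 3' used in the lab."""
    longest = run = 0
    for ok in results:
        run = 0 if ok else run + 1
        longest = max(longest, run)
    lost = results.count(False)
    return "FAIL" if lost >= total_loss or longest >= successive_loss else "PASS"


def failover_path(static, preferred, results, dst):
    """(policy status, route-action state, selected next-hop for dst), i.e.
    what 'show services ip-monitoring status' and the RIB would show."""
    status = rpm_status(results)
    rib = list(static)
    if status == "FAIL":
        rib.append(preferred)  # preferred-route installed with preference 1
    action = "APPLIED" if status == "FAIL" else "NOT-APPLIED"
    return status, action, lookup(rib, dst)


if __name__ == "__main__":
    print(failover_path(HO_STATIC, HO_PREFERRED, [True, True, True], "200.200.200.10"))
    print(failover_path(HO_STATIC, HO_PREFERRED, [False, False, False], "200.200.200.10"))
    print(failover_path(BRANCH_STATIC, BRANCH_PREFERRED, [False, False, False], "100.100.100.5"))
    print(lookup(HO_STATIC, "40.40.40.2"), lookup(withdraw(HO_STATIC, "30.30.30.2"), "40.40.40.2"))
```

The model shows why the preferred route needs a preference lower than 5: if it were installed at the default static preference, the existing `200.200.200.0/24 next-hop st0.0` route would tie with it and the fail-over would not be deterministic.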

Verification on SRX-Branch

root# run show security ike security-associations |no-more
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
5796483 UP     0b6efbbdce53b630  44307dab1378d7fb  Main  20.20.20.2
5796480 UP     1ee702baabd95218  231c28a9c12d7080  Main  30.30.30.1
5796482 UP     796bc1918a221975  18d641db4341d48f  Main  20.20.20.2
5796481 UP     48914d71d31a6823  708a26c8cba4af24  Main  30.30.30.1

root# run show interfaces terse |no-more
ge-0/0/1.0              up    up   inet     40.40.40.2/24
ge-0/0/2                up    down
ge-0/0/2.0              up    down inet     200.200.200.1/24
st0.0                   up    up   inet     11.11.11.2/24
st0.1                   up    up   inet     12.12.12.2/24

root# run show services ip-monitoring status
Policy - policy-probe-30 (Status: PASS)
  RPM Probes:
  Probe name             Test Name       Address          Status
  ---------------------- --------------- ---------------- ---------
  probe-30.30.30.0/24    test-probe-30   30.30.30.1       PASS
  Route-Action:
  route-instance    route             next-hop         state
  ----------------- ----------------- ---------------- -------------
  inet.0            100.100.100.0/24  12.12.12.1       NOT-APPLIED

Juniper SRX-DRC configuration

Set interfaces

 set interfaces ge-0/0/1 unit 0 family inet address 50.50.50.2/24
 set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.2/24
 set interfaces ge-0/0/3 unit 0 family inet address 150.150.150.1/24

Set interface Tunnel

 set interfaces st0 unit 0 family inet address 13.13.13.1/24

Set Static Route

 set routing-options static route 0.0.0.0/0 next-hop 50.50.50.1
 set routing-options static route 0.0.0.0/0 qualified-next-hop 10.10.10.1 preference 10
 set routing-options static route 100.100.100.0/24 next-hop st0.0
 set routing-options static route 20.20.20.0/24 next-hop 10.10.10.1

Set IKE

 set security ike proposal ike-proposal-to-HO authentication-method pre-shared-keys
 set security ike proposal ike-proposal-to-HO dh-group group5
 set security ike proposal ike-proposal-to-HO authentication-algorithm sha1
 set security ike proposal ike-proposal-to-HO encryption-algorithm aes-256-cbc
 set security ike proposal ike-proposal-to-HO lifetime-seconds 28000
 set security ike policy ike-policy-to-HO mode main
 set security ike policy ike-policy-to-HO proposals ike-proposal-to-HO
 set security ike policy ike-policy-to-HO pre-shared-key ascii-text 
 set security ike gateway ike-gateway-to-HO ike-policy ike-policy-to-HO
 set security ike gateway ike-gateway-to-HO address 30.30.30.1
 set security ike gateway ike-gateway-to-HO external-interface ge-0/0/1

Set IPsec

set security ipsec proposal ipsec-Proposal-to-HO authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-Proposal-to-HO encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-Proposal-to-HO lifetime-seconds 3600
set security ipsec policy ipsec-Policy-to-HO perfect-forward-secrecy keys group2
set security ipsec policy ipsec-Policy-to-HO proposals ipsec-Proposal-to-HO
set security ipsec vpn ipsec-vpn-to-HO bind-interface st0.0
set security ipsec vpn ipsec-vpn-to-HO ike gateway ike-gateway-to-HO
set security ipsec vpn ipsec-vpn-to-HO ike idle-time 3600
set security ipsec vpn ipsec-vpn-to-HO ike proxy-identity local 150.150.150.0/24
set security ipsec vpn ipsec-vpn-to-HO ike proxy-identity remote 100.100.100.0/24
set security ipsec vpn ipsec-vpn-to-HO ike proxy-identity service any
set security ipsec vpn ipsec-vpn-to-HO ike ipsec-policy ipsec-Policy-to-HO
set security ipsec vpn ipsec-vpn-to-HO establish-tunnels immediately

Set Security zone and member zone

 set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
 set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic protocols all
 set security zones security-zone untrust host-inbound-traffic system-services all
 set security zones security-zone untrust host-inbound-traffic protocols all
 set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
 set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
 set security zones security-zone vpn host-inbound-traffic system-services all
 set security zones security-zone vpn host-inbound-traffic protocols all
 set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
 set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
 set security zones security-zone untrust-2 interfaces ge-0/0/2.0 host-inbound-traffic system-services all
 set security zones security-zone untrust-2 interfaces ge-0/0/2.0 host-inbound-traffic protocols all

Set Policy

Once again, just any/any/any permit between all zones for now.


R1 configuration

set interfaces ge-0/0/1 unit 0 family inet address 20.20.20.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24
set routing-options static route 100.100.100.0/24 next-hop 20.20.20.2
set routing-options static route 150.150.150.0/24 next-hop 10.10.10.2
set routing-options static route 50.50.50.0/24 next-hop 10.10.10.2
set routing-options static route 40.40.40.0/24 next-hop 10.10.10.2
set routing-options static route 200.200.200.0/24 next-hop 10.10.10.2

R2 configuration

set interfaces ge-0/0/1 unit 0 family inet address 30.30.30.2/24
set interfaces ge-0/0/2 unit 0 family inet address 40.40.40.1/24
set interfaces ge-0/0/3 unit 0 family inet address 50.50.50.1/24
set routing-options static route 100.100.100.0/24 next-hop 30.30.30.1
set routing-options static route 100.100.100.0/24 qualified-next-hop 50.50.50.2 preference 10
set routing-options static route 200.200.200.0/24 next-hop 40.40.40.2
set routing-options static route 150.150.150.0/24 next-hop 50.50.50.2
set routing-options static route 10.10.10.0/24 next-hop 50.50.50.2
set routing-options static route 20.20.20.0/24 next-hop 30.30.30.1
set routing-options static route 20.20.20.0/24 qualified-next-hop 50.50.50.2 preference 10
set routing-options static route 160.160.160.0/24 next-hop 60.60.60.2
