Site-to-site VPN - SSG140 to a 3rd-party (unknown appliance) with source NAT (hiding the local network)

 

 [diagram: juniper-src_nat-1.png]

 Assumptions:

All traffic from the corporate network 10.0.0.0/8 is seen by the 3rd party as a single address, 10.131.12.65 (the tunnel interface IP, used as the NAT source).

Only connections initiated from our network are allowed (one-directional VPN): hosts on the 3rd-party side cannot reach our hosts, but can reply to sessions we open.

Only traffic to the remote network 94.17.25.128/25 is sent through the tunnel.

 

 CONFIGURATION

 Phase 1 Proposal

Authentication Method : Pre-Shared Key
DH Group              : 2
Encryption Algorithm  : AES-256
Hash Algorithm        : SHA-1
Lifetime              : 28800 seconds
Mode                  : Main Mode

 Phase 2 Proposal

PFS                      : DH group 2
Encapsulation            : ESP
Encryption Algorithm     : AES-256
Authentication Algorithm : SHA-1
Lifetime                 : 3600 seconds

Both proposals must match what the 3rd-party appliance is configured with, or Phase 1 / Phase 2 will fail to negotiate. SHA-1 and DH group 2 (1024-bit MODP) are the weakest choices still in common use; prefer SHA-256 and a larger DH group whenever both ends support them.

 Encryption Domain (the proxy-ID negotiated with the peer)

remote network : 94.17.25.128/25
our network    : 10.131.12.64/27 (contains the NAT address 10.131.12.65 that the 3rd party will see)

 

  • set the IKE Phase 1 and Phase 2 proposals

 PHASE 1

set ike p1-proposal "pre-g2-aes256-sha" preshare group2 esp aes256 sha-1 second 28800

 PHASE 2

set ike p2-proposal "3rdparty" group2 esp aes256 sha-1 second 3600

  • configure the IKE gateway and the VPN (AutoKey IKE)

set ike gateway "3rd-pri-resource_link" address 12.90.64.9 Main outgoing-interface "ethernet0/9" preshare "secret!!!" proposal "pre-g2-aes256-sha"

set vpn "3rd-pri-resource_link" gateway "3rd-pri-resource_link" replay tunnel idletime 0 proposal "3rdparty"

12.90.64.9 is the peer's public address, ethernet0/9 is our Untrust interface and "secret!!!" stands in for the real pre-shared key. "replay" turns on anti-replay protection and "idletime 0" keeps the tunnel from being torn down when no traffic flows.

  • set the tunnel interface (its IP, 10.131.12.65, is the address the source NAT will use)

set interface tunnel.1 zone "Untrust"

set interface tunnel.1 ip 10.131.12.65/27



  • bind vpn tunnel to tunnel.1 interface

set vpn "3rd-pri-resource_link" bind interface tunnel.1

  • set a route so that traffic for the remote network goes into the tunnel

set route 94.17.25.128 255.255.255.128 interface tunnel.1

  • set address

set address "Untrust" "94.17.25.128/25" 94.17.25.128 255.255.255.128 "3rdparty address"
 

  • set a policy that source-NATs all traffic going to 94.17.25.128/25 to the egress interface IP (10.131.12.65). "nat src" without a DIP pool uses the address of the egress interface, here tunnel.1. Replace x with a free policy id; if the 3rd party only needs a few services, narrow "ANY" to them.

set policy id x from "Trust" to "Untrust" "Any" "94.17.25.128/25" "ANY" nat src permit

No policy from "Untrust" to "Trust" is created, which is what makes the VPN one-directional: replies match sessions already in the session table, but the 3rd party cannot open new ones.

  • set the proxy-ID, i.e. the encryption domain offered to the peer in Phase 2 (it has to mirror the peer's configuration, with local and remote swapped)

set vpn "3rd-pri-resource_link" proxy-id local-ip 10.131.12.64/27 remote-ip 94.17.25.128/25 "ANY"
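Before pasting the commands above into the SSG140 it is worth checking that the snippets agree with each other, since the classic failure in this setup is a NAT address or a policy destination that falls outside the proxy-ID, or a stray inbound policy that silently makes the tunnel bidirectional. The following Python script is an added example, not part of the original post or of ScreenOS: it re-parses the page's own set commands (policy id 10 is assumed in place of the page's placeholder x) and verifies the relationships between the tunnel interface IP, the proxy-ID, the route and the policies.

```python
"""Consistency check for the ScreenOS source-NAT-over-VPN snippets above.

Added example (not the original post's code). CONFIG is constructed from the
page's commands; policy id 10 is an assumption standing in for the page's "x".
"""
import ipaddress
import shlex

CONFIG = """\
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip 10.131.12.65/27
set vpn "3rd-pri-resource_link" bind interface tunnel.1
set route 94.17.25.128 255.255.255.128 interface tunnel.1
set address "Untrust" "94.17.25.128/25" 94.17.25.128 255.255.255.128 "3rdparty address"
set policy id 10 from "Trust" to "Untrust" "Any" "94.17.25.128/25" "ANY" nat src permit
set vpn "3rd-pri-resource_link" proxy-id local-ip 10.131.12.64/27 remote-ip 94.17.25.128/25 "ANY"
"""


def parse(config_text):
    """Collect the facts the checks need from the 'set ...' lines."""
    facts = {"addresses": {}, "routes": [], "policies": []}
    for line in config_text.splitlines():
        tok = shlex.split(line)  # strips the quotes ScreenOS puts around names
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "interface" and tok[3] == "ip":
            facts["tunnel_if"] = tok[2]
            facts["tunnel_ip"] = ipaddress.ip_interface(tok[4])
        elif tok[1] == "interface" and tok[3] == "zone":
            facts["tunnel_zone"] = tok[4]
        elif tok[1] == "vpn" and tok[3:5] == ["bind", "interface"]:
            facts["bound_if"] = tok[5]
        elif tok[1] == "vpn" and tok[3] == "proxy-id":
            facts["proxy_local"] = ipaddress.ip_network(tok[5])
            facts["proxy_remote"] = ipaddress.ip_network(tok[7])
        elif tok[1] == "route":
            facts["routes"].append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[5]))
        elif tok[1] == "address":
            facts["addresses"][(tok[2], tok[3])] = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
        elif tok[1] == "policy":
            facts["policies"].append({
                "from": tok[5], "to": tok[7], "src": tok[8], "dst": tok[9], "svc": tok[10],
                "nat_src": "nat" in tok and "src" in tok, "action": tok[-1],
            })
    return facts


def resolve(facts, zone, name):
    """Map a policy address-book name to a network; 'Any' is the built-in catch-all."""
    if name.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return facts["addresses"][(zone, name)]


def check(config_text):
    """Return a list of problems; an empty list means the snippets agree with each other."""
    f = parse(config_text)
    problems = []
    # 1. The NAT source (tunnel interface IP) must sit inside the local proxy-ID,
    #    otherwise the peer's policy check rejects every packet we send.
    if f["tunnel_ip"].ip not in f["proxy_local"]:
        problems.append(f"{f['tunnel_if']} IP {f['tunnel_ip'].ip} is outside proxy-id local {f['proxy_local']}")
    # 2. The route to the remote network must point at the interface the VPN is bound to.
    if (f["proxy_remote"], f["bound_if"]) not in f["routes"]:
        problems.append(f"no route for {f['proxy_remote']} via {f['bound_if']}")
    for p in f["policies"]:
        if p["action"] != "permit":
            continue
        # 3. Every permit policy toward the tunnel zone must stay inside the remote
        #    proxy-ID and must source-NAT, or real 10.x addresses enter the tunnel.
        if p["to"] == f["tunnel_zone"]:
            dst = resolve(f, p["to"], p["dst"])
            if not dst.subnet_of(f["proxy_remote"]):
                problems.append(f"policy dst {dst} not covered by proxy-id remote {f['proxy_remote']}")
            if not p["nat_src"]:
                problems.append(f"policy to {dst} lacks 'nat src'; traffic would carry its real 10.x source")
        # 4. Any policy from the tunnel zone inward breaks the one-directional design.
        if p["from"] == f["tunnel_zone"]:
            problems.append(f"inbound policy {p['from']}->{p['to']} lets the peer initiate sessions")
    return problems


if __name__ == "__main__":
    for problem in check(CONFIG) or ["config is consistent"]:
        print(problem)
```

Run it against a copy of your own configuration before committing it; the same checks apply to any policy-based NAT over a route-based ScreenOS VPN, not just this peer.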

  • test and monitor the VPN

Generate traffic from a Trust host toward 94.17.25.128/25, then check that both SAs have come up. In the summary, "<" is the inbound SA and ">" the outbound SA; a Sta of A/- means the SA is active (the second character is the VPN-monitor state, unused here).

-> get sa

total configured sa: 62
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000078<    12.90.64.9  500 esp:a256/sha1 84f2aaa3  3574 unlim A/-    -1 0
00000078>    12.90.64.9  500 esp:a256/sha1 318f6414  3574 unlim A/-    -1 0

-> get sa id 0x78
index 61, name XXX, peer gateway ip 12.90.64.9. vsys<Root>
auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 120, peer id 6, NSRP Local.     site-to-site. Local interface is ethernet0/9 <x.x.x.x>.
  esp, group 2, a256 encryption, sha1 authentication
  autokey, IN active, OUT active
  monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x400067
  proxy id: local 10.131.12.64/255.255.255.224, remote 94.17.25.128/255.255.255.128, proto 0, port 0
  ike activity timestamp: -2089671524
  DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 84f2aac6, flag 00004000, tunnel info 40000078, pipeline
  life 3600 sec, 2535 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0x15, window 0x1fffff, idle timeout value <0>, idled 1018 seconds
  next pak sequence number: 0x0
  bytes/paks:1650/38; sw bytes/paks:1650/38
outgoing: SPI 5c8f6414, flag 00000000, tunnel info 40000078, pipeline
  life 3600 sec, 2535 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 1018 seconds
  next pak sequence number: 0x1d
  bytes/paks:2206/48; sw bytes/paks:2206/48
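The summary table from get sa is what you would poll to catch a tunnel that has dropped or renegotiated with a weaker proposal than intended. The script below is an added example, not from the original post or from ScreenOS: it parses the page's own get sa output (embedded as SAMPLE) and reports any peer that lacks an active inbound or outbound SA, negotiated something other than the expected esp:a256/sha1, or is about to rekey. The status interpretation used here is the one ScreenOS prints: first character A for active, I for inactive, second character the VPN-monitor state ("-" when monitoring is off, as on this tunnel).

```python
"""Audit ScreenOS 'get sa' summary output.

Added example (not the original post's code). SAMPLE is the page's own
output for peer 12.90.64.9; EXPECTED_ALG follows from the Phase 2 proposal.
"""

SAMPLE = """\
total configured sa: 62
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000078<    12.90.64.9  500 esp:a256/sha1 84f2aaa3  3574 unlim A/-    -1 0
00000078>    12.90.64.9  500 esp:a256/sha1 318f6414  3574 unlim A/-    -1 0
"""

EXPECTED_ALG = "esp:a256/sha1"


def parse_get_sa(text):
    """Return one dict per SA row; the header and the 'total configured sa' line are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows have exactly 10 columns and the direction marker glued to the HEX ID.
        if len(tok) != 10 or tok[0][-1] not in "<>":
            continue
        rows.append({
            "id": tok[0][:-1],
            "dir": "in" if tok[0][-1] == "<" else "out",
            "gateway": tok[1],
            "alg": tok[3],
            "spi": tok[4],
            "life_sec": int(tok[5]) if tok[5].isdigit() else None,
            "active": tok[7][0] == "A",
        })
    return rows


def audit_sa(text, expected_alg=EXPECTED_ALG, min_life_sec=300):
    """Return a list of issue strings; empty means every peer has an active
    inbound and outbound SA with the expected algorithm and time left."""
    issues = []
    by_gateway = {}
    for row in parse_get_sa(text):
        by_gateway.setdefault(row["gateway"], {})[row["dir"]] = row
    for gw, sas in by_gateway.items():
        for direction in ("in", "out"):
            if direction not in sas:
                issues.append(f"{gw}: missing {direction}bound SA")
                continue
            row = sas[direction]
            if not row["active"]:
                issues.append(f"{gw}: {direction}bound SA {row['spi']} not active")
            if row["alg"] != expected_alg:
                issues.append(f"{gw}: {direction}bound SA uses {row['alg']}, expected {expected_alg}")
            if row["life_sec"] is not None and row["life_sec"] < min_life_sec:
                issues.append(f"{gw}: {direction}bound SA {row['spi']} rekeys in {row['life_sec']}s")
    return issues


if __name__ == "__main__":
    for issue in audit_sa(SAMPLE) or ["all SAs healthy"]:
        print(issue)
```

Feed it the output of get sa collected over SSH on a schedule and alert on a non-empty result; matching on the algorithm string is what catches a peer that quietly fell back to a weaker Phase 2 proposal.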

 

 dzbanek 2012-12-28
