A Route Based VPN is a configuration in which an IPsec VPN tunnel created between two end points is referenced by a route that determines which traffic is sent through the tunnel based on a destination IP address.
A secure tunnel (st0) interface supports only one IPv4 address and one IPv6 address at the same time. This applies to all route-based VPNs. Examples of where route-based VPNs can be used:
- There are overlapping subnets or IP addresses between the two LANs.
- A hub-and-spoke VPN topology is used in the network, and spoke-to-spoke traffic is required.
- Primary and backup VPNs are required.
- A dynamic routing protocol (for example, OSPF, RIP, or BGP) is running across the VPN.
- Configuring RIP demand circuits over point-to-multipoint VPN interfaces is not supported.
I modified my Juniper virtual lab by adding a Cisco CSRv router to act as a remote VPN gateway.
You first create a logical zone for the VPN. Go to Configure > Security > Zones/Screens > click Add.
Type Zone Name: VPN > leave the default Zone Type: Security > click OK.
Note the Secure Tunnel interface (st0.0) will be assigned to the VPN zone later.
To configure a Route Based Site-to-Site IPSec VPN, go to Configure > IPSec VPN > VPN Tunnel > Phase 1 > click Launch Wizard.
Select Site-to-Site VPN (Route based) > click Start.
A Remote Access VPN is where a remote user use the NCP client to VPN to HQ.
Type VPN Name: S2S_VPN > under Local Private Network > select Zone: trust.
Type Networks: 172.16.1.0/24 > click Add.
Under Secure Tunnel Interface > type logical unit 0 for Interface st0.0 > select Interface Zone: VPN.
Select Interface type: Numbered > type 10.1.1.1/30 > under Public Network > select Interface: ge-0/0/0.0 (vSRX WAN/Untrust) > click Next.
Type Remote Gateway Public IP: 192.168.1.140 (CSRv WAN IP address) > type Remote Private Network: 172.16.10.0/24 > click Add > click Next.
Under IKE settings (IKE Phase 1) > select IKE Security Level: Standard (group2,aes128,sha1).
Select IKE Mode: Main (if using a manual/static IP address for the WAN/Untrust) > type IKE Preshared key (ASCII): juniper2cisco (should be the same PSK on the remote device).
Note the Aggressive IKE Mode is chosen if using a DCHP address (Dynamic) for the WAN.
Under IPSec settings (IKE Phase 2) > select IPSec Security Level: Standard (esp,aes128,sha1).
Select IPSec Perfect Forward Secrecy (optional): group2 > click Next.
Under the Site-to-site VPN: Traffic Profiles > leave the default to any > click Next.
This will create a Security Policy (crypto ACL in Cisco) for the "interesting" traffic from the local to remote private networks.
Review the summary before Commit the changes.
Click Commit when done.
You can view the newly configured IKE Phase I and Phase II policy under Configure > Security > IPSec VPN > VPN Tunnel > click Phase I or Phase II.
Below are the IKE Phase I and Phase II policy configuration in Cisco CSRv router.
CSRv#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 192.168.1.140 YES NVRAM up up
GigabitEthernet2 unassigned YES TFTP administratively down down
CSRv#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
CSRv(config)#ip http authentication local // TO SIMULATE A WEB SERVER
CSRv(config)#username admin privilege 15 password 0 cisco
CSRv(config)#interface loopback200 // REMOTE LAN NETWORK
CSRv(config-if)#ip address 172.16.10.200 255.255.255.0
CSRv(config-if)#exit
CSRv(config)#crypto isakmp policy 10 // IKE PHASE 1 POLICY
CSRv(config-isakmp)#encryption aes 128
CSRv(config-isakmp)#hash sha
CSRv(config-isakmp)#group 2
CSRv(config-isakmp)#authentication pre-share
CSRv(config-isakmp)#exit
CSRv(config)#crypto isakmp key juniper2cisco address 192.168.1.150 // PRE-SHARED KEY
CSRv(config)#
CSRv(config)#crypto ipsec transform-set TSET esp-aes 128 esp-sha-hmac // IPSEC/IKE PHASE 2 POLICY
CSRv(cfg-crypto-trans)#exit
CSRv(config)#crypto ipsec profile S2S_VPN
CSRv(ipsec-profile)#set transform-set TSET
CSRv(ipsec-profile)#set pfs group2
CSRv(ipsec-profile)#exit
CSRv(config)#
CSRv(config)#interface Tunnel0
CSRv(config-if)#ip address 10.1.1.2 255.255.255.252
CSRv(config-if)#tunnel source 192.168.1.140
CSRv(config-if)#tunnel destination 192.168.1.150
CSRv(config-if)#tunnel mode ipsec ipv4
CSRv(config-if)#tunnel protection ipsec profile S2S_VPN
CSRv(config-if)#exit
CSRv(config)#ip route 172.16.1.0 255.255.255.0 10.1.1.1
I was able to ping and HTTP from the Windows 7 VM (172.16.1.100) to 172.16.10.200 Web server located in the remote network.
To view Site-to-Site VPN IKE Phase I statistics, go to Monitor > IPSec VPN > Phase I.
Notice the SA (Security Association) State is UP.
To view IKE Phase 2 statistics, go to Monitor > IPSec VPN > Phase II. Click Refresh to update the counters.
Notice the value for the Encrypted and Decrypted packets/bytes.
You can view the same output using CLI commands below.
root@vSRX-1> show security ?
Possible completions:
advance-policy-based-routing Show advance policy based routing information
alarms Show active security alarm information
alg Show ALG security services information
application-firewall Show security application firewall policies
application-tracking Show Application tracking information
dns-cache Show DNS cache of firewall policy
dynamic-address Security dynamic address name
dynamic-policies Show security firewall dynamic policies
firewall-authentication Show firewall authentication tables, information
flow Show flow information
forward-options Show forward-options status
gprs Show GPRS information
group-vpn Show Group VPN Security information
idp Show Intrusion Detection and Prevention information
ike Show Internet Key Exchange information
internal-security-association Show internal security association
ipsec Show IP Security information
keychain Show all protocols keychain
log Show auditable security log information
match-policies Show security match policies
monitoring Show security SPU monitoring information
nat Show Network Address Translation information
pki Show public-key infrastructure information
policies Show security firewall policies
resource-manager Show resource manager security services information
screen Show screen service information
shadow-policies Show security shadow policies
softwires Show softwire information
ssh Show SSH information
tcp-encap Show TCP encapsulation information
user-identification Show user-identification information
utm Show security utm information
zones Show security zone information
root@vSRX-1> show security ike ?
Possible completions:
active-peer Show IKE active peers
debug-status Show current enabled IKE debug information
pre-shared-key Show IKE pre-shared key information for a particular group-ike-id user
security-associations Show IKE security association information
root@vSRX-1> show security ike security-associations ?
Possible completions:
<[Enter]> Execute this command
<peer-address> IP address of the peer
brief Show brief output (default)
detail Show detailed output
family Show IKE security association by family
index Index of security association (1..4294967295)
sa-type Show IKE security association by type
| Pipe through a command
root@vSRX-1> show security ike security-associations // VERIFY IKE PHASE 1
Index State Initiator cookie Responder cookie Mode Remote Address
6082118 UP 9e045a25a7735c3e ad7d83d26bfea52b Main 192.168.1.140
root@vSRX-1> show security ike security-associations index ?
Possible completions:
<index> Index of security association (1..4294967295)
root@vSRX-1> show security ike security-associations index 6082118 ?
Possible completions:
<[Enter]> Execute this command
<peer-address> IP address of the peer
brief Show brief output (default)
detail Show detailed output
family Show IKE security association by family
sa-type Show IKE security association by type
| Pipe through a command
root@vSRX-1> show security ike security-associations index 6082118 detail
IKE peer 192.168.1.140, Index 6082118, Gateway Name: gw_S2S_VPN
Role: Responder, State: UP
Initiator cookie: 9e045a25a7735c3e, Responder cookie: ad7d83d26bfea52b
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 192.168.1.150:500, Remote: 192.168.1.140:500
Lifetime: Expires in 85690 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Disabled, Size: 0
Remote Access Client Info: Unknown Client
Peer ike-id: 192.168.1.140
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes128-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 936
Output bytes : 936
Input packets: 5
Output packets: 4
Input fragmentated packets: 0
Output fragmentated packets: 0
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 192.168.1.150:500, Remote: 192.168.1.140:500
Local identity: 192.168.1.150
Remote identity: 192.168.1.140
Flags: IKE SA is created
root@vSRX-1> show security ipsec ?
Possible completions:
control-plane-security-associations Show IPSec control plane security association information
inactive-tunnels Inactive-tunnels
next-hop-tunnels Show manual and auto next-hop-tunnel entries
security-associations Show IPSec security association information
statistics Show IPSec statistics
traffic-selector Show traffic-selector information for a st0 interface
tunnel-events-statistics Show tunnel event statstics
root@vSRX-1> show security ipsec security-associations // VERIFY IPSEC/IKE PHASE 2
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 e959c4c4 2843/ 4607956 - root 500 192.168.1.140
>131073 ESP:aes-cbc-128/sha1 372d8551 2843/ 4607956 - root 500 192.168.1.140
root@vSRX-1> show security ipsec security-associations ?
Possible completions:
<[Enter]> Execute this command
brief Display brief output
detail Display detailed output
family Show IPSec security association information by family
index Index of security association (1..4294967295)
sa-type Show IPSec security association by type
traffic-selector Traffic-selector name
vpn-name VPN name
| Pipe through a command
root@vSRX-1> show security ipsec security-associations index ?
Possible completions:
<index> Index of security association (1..4294967295)
root@vSRX-1> show security ipsec security-associations index 131073 ?
Possible completions:
<[Enter]> Execute this command
brief Display brief output
detail Display detailed output
family Show IPSec security association information by family
sa-type Show IPSec security association by type
traffic-selector Traffic-selector name
vpn-name VPN name
| Pipe through a command
root@vSRX-1> show security ipsec security-associations index 131073 detail
ID: 131073 Virtual-system: root, VPN Name: S2S_VPN
Local Gateway: 192.168.1.150, Remote Gateway: 192.168.1.140
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Tunnel events:
Tue Mar 02 2021 15:23:46
: IPSec SA negotiation successfully completed (1 times)
Tue Mar 02 2021 15:23:45
: IKE SA negotiation successfully completed (1 times)
Tue Mar 02 2021 15:23:44
: No response from peer. Negotiation failed (19 times)
Tue Mar 02 2021 15:05:38
: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
Tue Mar 02 2021 15:05:33
: Bind-interface's address received. Information updated (1 times)
Tue Mar 02 2021 15:05:27
: External interface's address received. Information updated (1 times)
Tue Mar 02 2021 15:05:27
: External interface's zone received. Information updated (1 times)
Direction: inbound, SPI: e959c4c4, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 2813 seconds
Lifesize Remaining: 4607956 kilobytes
Soft lifetime: Expires in 2236 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 372d8551, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 2811 seconds
Lifesize Remaining: 4607956 kilobytes
Soft lifetime: Expires in 2234 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
root@vSRX-1> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 828328
Decrypted bytes: 6840151
Encrypted packets: 4753
Decrypted packets: 7120
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
You can view the IKE Phase 1 and Phase 2 status and statistics in a Cisco router using the commands below.
CSRv#show run | section crypto
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key juniper2cisco address 192.168.1.150
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile S2S_VPN
set transform-set TSET
set pfs group2
CSRv#show crypto ?
call Show crypto call admission info
datapath Data Path
debug-condition Debug Condition filters
dynamic-map Crypto map templates
eli Encryption Layer Interface
engine Show crypto engine info
entropy Entropy sources
gdoi Show Crypto GKM - Group Key Management (including GDOI)
Information
gkm Show Crypto GKM - Group Key Management Information
ha Crypto High Availability information
identity Show crypto identity list
ikev2 Shows ikev2 info
ipsec Show IPSEC policy
isakmp Show ISAKMP
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
pki Show PKI
route Show crypto VPN routes
ruleset Show crypto rules on outgoing packets
session Show crypto sessions (tunnels)
sockets Secure Socket Information
ssl Shows SSL info
tech-support Displays relevant crypto information
tls-tunnel Shows TLS-Tunnel info
| Output modifiers
<cr>
CSRv#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.1.150 192.168.1.140 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
CSRv#show crypto isakmp sa ?
active Shows HA-enabled ISAKMP SAs in the active state
count Show the number of ISAKMP Security Associations
detail Show ISAKMP SA Detail
nat Show ISAKMP SA NAT Detail
standby Shows HA-enabled ISAKMP SAs in the standby state
vrf Show ISAKMP SA as per VRF
| Output modifiers
<cr>
CSRv#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 192.168.1.140 192.168.1.150 ACTIVE aes sha psk 2 23:43:21
Engine-id:Conn-id = SW:1
IPv6 Crypto ISAKMP SA
CSRv#show crypto ipsec ?
policy Show IPSEC client policies
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
spi-lookup IPSEC SPI table
transform-set Crypto transform sets
CSRv#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.1.140
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.1.150 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78, #pkts encrypt: 78, #pkts digest: 78
#pkts decaps: 70, #pkts decrypt: 70, #pkts verify: 70
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.140, remote crypto endpt.: 192.168.1.150
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xE959C4C4(3914974404)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x372D8551(925730129)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607990/2560)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE959C4C4(3914974404)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607967/2560)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Below is the complete show configuration.
root@vSRX-1# show
## Last changed: 2021-03-02 15:10:02 SGT
version 15.1X49-D80.4;
system {
host-name vSRX-1;
root-authentication {
encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA
}
name-server {
8.8.8.8;
}
services {
ssh {
root-login allow;
}
web-management {
https {
system-generated-certificate;
interface ge-0/0/0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp;
}
services {
application-identification;
}
security {
ike {
policy ike_pol_S2S_VPN {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$EGBSlM7-waZj8XZjHqQzhSrKLxdVYgoGdb2aUH5T"; ## SECRET-DATA
}
gateway gw_S2S_VPN {
ike-policy ike_pol_S2S_VPN;
address 192.168.1.140;
external-interface ge-0/0/0.0;
}
}
ipsec {
policy ipsec_pol_S2S_VPN {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
vpn S2S_VPN {
bind-interface st0.0;
ike {
gateway gw_S2S_VPN;
ipsec-policy ipsec_pol_S2S_VPN;
}
establish-tunnels immediately;
}
}
utm {
custom-objects {
url-pattern {
ALLOWED_WEBSITES {
value [ www.juniper.net www.google.com www.playstation.com ];
}
BLOCKED_WEBSITES {
value [ www.cisco.com www.yahoo.com www.xbox.com ];
}
}
custom-url-category {
GOOD_WEBSITES {
value ALLOWED_WEBSITES;
}
BAD_WEBSITES {
value BLOCKED_WEBSITES;
}
}
}
feature-profile {
web-filtering {
url-whitelist GOOD_WEBSITES;
url-blacklist BAD_WEBSITES;
type juniper-local;
juniper-local {
profile CUSTOM_LOCAL_WF {
default block;
custom-block-message "Website access denied. Please contact IT for assistance.";
fallback-settings {
default log-and-permit;
server-connectivity log-and-permit;
timeout log-and-permit;
too-many-requests log-and-permit;
}
timeout 30;
}
}
}
content-filtering {
profile CF_EXE {
block-content-type {
exe;
}
notification-options {
type message;
custom-message "File Download Blocked due to IT Security Policy. Please contact IT for assistance.";
}
}
}
}
utm-policy UTM_POLICY_1 {
content-filtering {
http-profile CF_EXE;
}
traffic-options {
sessions-per-client {
over-limit log-and-permit;
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
fragment;
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
port-scan threshold 10000;
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set SOURCE-NAT-TRUST {
from zone trust;
to zone untrust;
rule SOURCE-NAT-TRUST {
match {
source-address 172.16.1.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool DEST_NAT_FTP {
address 172.16.1.100/32 port 21;
}
rule-set DEST_NAT_FTP {
from zone untrust;
rule DEST_NAT_FTP {
match {
destination-address 192.168.1.150/32;
destination-port {
21;
}
}
then {
destination-nat {
pool {
DEST_NAT_FTP;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy FTP_UNTRUST_TRUST {
match {
source-address any-ipv4;
destination-address WIN7-VM;
application junos-ftp;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone trust to-zone untrust {
policy TRUST-UNTRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
}
}
}
}
from-zone trust to-zone VPN {
policy policy_out_S2S_VPN {
match {
source-address addr_172_16_1_0_24;
destination-address addr_172_16_10_0_24;
application any;
}
then {
permit;
}
}
}
from-zone VPN to-zone trust {
policy policy_in_S2S_VPN {
match {
source-address addr_172_16_10_0_24;
destination-address addr_172_16_1_0_24;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
address-book {
address WIN7-VM 172.16.1.100/32;
address addr_172_16_1_0_24 172.16.1.0/24;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}
}
}
}
}
security-zone VPN {
address-book {
address addr_172_16_10_0_24 172.16.10.0/24;
}
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
st0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.150/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.1.1/24;
}
}
}
fxp0 {
unit 0 {
family inet;
}
}
st0 {
unit 0 {
family inet {
address 10.1.1.1/30;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
route 172.16.10.0/24 next-hop st0.0;
}
}
[edit]