In one of my earlier posts I provided my configuration for an IPSEC VPN setup between an SRX
firewall and Linux with racoon. In this post, I will explain how you can set up a route-based
IPSEC tunnel between StrongSwan (pre-shared key) and an SRX firewall. The topology of my setup is
shown below.
/etc/ipsec.conf
config setup
    charonstart=yes
    plutostart=yes

conn j41-srx
    authby=secret
    auto=start
    esp=aes128-sha1,3des-sha1!
    ike=aes128-sha1-modp2048,3des-sha1-modp1536!
    ikelifetime=28800
    keyexchange=ikev1
    leftid=@debian1.example.com
    rightid=@j41.example.com
    left=192.168.3.11
    right=212.45.64.2
    leftsubnet=10.33.1.0/24
    rightsubnet=10.34.1.0/24
/etc/ipsec.secrets
@debian1.example.com @j41.e
[edit]
lab@J41-Amsterdam# show security ike gateway gw-debian1-strongswan
ike-policy stronswan;
address 192.168.3.11;
local-identity hostname j41.example.com;
remote-identity hostname debian1.example.com;
external-interface ge-0/0/0.64;
As I have several configurations for different peers, I show the IKE proposal, policy and gateway
configuration one object at a time, in that order.
IPSEC
[edit]
lab@J41-Amsterdam# show security ipsec proposal strongswan
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;

[edit]
lab@J41-Amsterdam# show security ipsec policy strongswan
perfect-forward-secrecy {
    keys group14;
}
proposals strongswan;

[edit]
lab@J41-Amsterdam# show security ipsec vpn vpn-debian1-strongswan
bind-interface st0.0;
ike {
    gateway gw-debian1-strongswan;
    proxy-identity {
        local 10.34.1.0/24;
        remote 10.33.1.0/24;
    }
    ipsec-policy strongswan;
}
establish-tunnels immediately;
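Most Phase 2 failures between strongSwan and an SRX come from the two sides not mirroring each other: identities, proxy-IDs, the ESP algorithms or the PFS group. As an added cross-check (my own script, not part of the original post), the following reads the strongSwan conn and the SRX objects above and reports every value on which the two sides disagree. The embedded listings are constructed from the page; the algorithm-name tables cover only the algorithms used here, and the PFS mapping assumes pluto's default of reusing the IKE DH group when esp= names none.

```python
import re
# Constructed from this page's listings: the strongSwan conn on debian1 and the
# SRX gateway, ipsec proposal, ipsec policy and proxy-identity values.
STRONGSWAN_CONN = """
conn j41-srx
    esp=aes128-sha1,3des-sha1!
    ike=aes128-sha1-modp2048,3des-sha1-modp1536!
    leftid=@debian1.example.com
    rightid=@j41.example.com
    left=192.168.3.11
    leftsubnet=10.33.1.0/24
    rightsubnet=10.34.1.0/24
"""
SRX_CONFIG = """
address 192.168.3.11;
local-identity hostname j41.example.com;
remote-identity hostname debian1.example.com;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
keys group14;
local 10.34.1.0/24;
remote 10.33.1.0/24;
"""
# strongSwan algorithm tokens -> Junos names (only the ones this page uses)
ENC = {"aes128": "aes-128-cbc", "3des": "3des-cbc"}
AUTH = {"sha1": "hmac-sha1-96", "md5": "hmac-md5-96"}
DH = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}

def srx_expected(conn):
    """What the SRX objects must say for strongSwan's first proposals to match."""
    enc, auth = conn["esp"].rstrip("!").split(",")[0].split("-")
    dh = conn["ike"].rstrip("!").split(",")[0].split("-")[2]
    return {
        "address": conn["left"],                        # ike gateway address
        "remote-identity": conn["leftid"].lstrip("@"),  # identities are mirrored
        "local-identity": conn["rightid"].lstrip("@"),
        "encryption-algorithm": ENC[enc],               # ipsec proposal
        "authentication-algorithm": AUTH[auth],
        "keys": DH[dh],  # PFS group: esp= names none, so pluto reuses the IKE group
        "local": conn["rightsubnet"],                   # proxy-identity is mirrored too
        "remote": conn["leftsubnet"],
    }

def mismatches(conn_text, srx_text):
    """One line per value that differs; an empty list means both sides agree."""
    conn = dict(re.findall(r"^\s*(\w+)=(\S+)", conn_text, re.M))
    srx = dict(re.findall(r"^\s*([\w-]+)\s.*?(\S+);", srx_text, re.M))
    return [f"{k}: SRX has {srx.get(k)!r}, strongSwan implies {v!r}"
            for k, v in srx_expected(conn).items() if srx.get(k) != v]
```

Calling mismatches(STRONGSWAN_CONN, SRX_CONFIG) returns an empty list for the configuration on this page; the SRX IKE proposal itself is not shown here, so the IKE algorithms are not checked.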
root@debian1:~# ip -s xfrm policy list src 10.33.1.0/24
src 10.33.1.0/24 dst 10.34.1.0/24 uid 0
    dir out action allow index 521 priority 1859 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2014-04-15 21:15:05 use
    tmpl src 192.168.3.11 dst 212.45.64.2
        proto esp spi 0x00000000(0) reqid 16384(0x00004000) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
As you can see, the tunnel is established properly. I have tested this configuration twice on these
releases. I hope there isn't any mistake so far. I haven't passed traffic on this setup, as my purpose
was to see how the configuration is done, but I don't think there should be a problem. Should you
have any feedback, please feel free to comment!