
IPSEC between StrongSwan and SRX

In one of my earlier posts I provided my configuration for an IPSEC VPN setup between an SRX
firewall and Linux with racoon. In this post, I will explain how you can set up a route-based
IPSEC tunnel between StrongSwan (pre-shared key) and an SRX firewall. The topology of my setup is
below:

Tunnel Peers: debian1 and j41
Tunnel End point addresses: debian1 (192.168.3.11), j41 (212.45.64.2)
Protected Networks: debian1 (10.33.1.0/24), j41 (10.34.1.0/24)
SRX Junos Release: 12.1X46-D15.3
StrongSwan Release: 4.5.2-1.5+deb7u2
LINUX
Create your strongSwan configuration files as below (the parameter lines under config setup and
conn must be indented, as strongSwan treats a line starting in column 0 as a new section):

/etc/ipsec.conf

config setup
        charonstart=yes
        plutostart=yes

conn j41-srx
        authby=secret
        auto=start
        esp=aes128-sha1,3des-sha1!
        ike=aes128-sha1-modp2048,3des-sha1-modp1536!
        ikelifetime=28800
        keyexchange=ikev1
        leftid=@debian1.example.com
        rightid=@j41.example.com
        left=192.168.3.11
        right=212.45.64.2
        leftsubnet=10.33.1.0/24
        rightsubnet=10.34.1.0/24

/etc/ipsec.secrets

@debian1.example.com @j41.example.com : PSK "lab123"


That is all for the strongSwan side; now the SRX configuration.
IKE

lab@J41-Amsterdam# show security ike proposal strongswan
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;

[edit]
lab@J41-Amsterdam# show security ike policy stronswan
mode main;
description "Debian1 PSK strongswan";
proposals strongswan;
pre-shared-key ascii-text "$9$uN.70Icyrv8LNcSwYoaUD"; ## SECRET-DATA

[edit]
lab@J41-Amsterdam# show security ike gateway gw-debian1-strongswan
ike-policy stronswan;
address 192.168.3.11;
local-identity hostname j41.example.com;
remote-identity hostname debian1.example.com;
external-interface ge-0/0/0.64;
As I have several configurations for different peers, the IKE proposal, policy and gateway
configuration are shown above individually, in that order.
IPSEC

[edit]
lab@J41-Amsterdam# show security ipsec proposal strongswan
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;

[edit]
lab@J41-Amsterdam# show security ipsec policy strongswan
perfect-forward-secrecy {
    keys group14;
}
proposals strongswan;

[edit]
lab@J41-Amsterdam# show security ipsec vpn vpn-debian1-strongswan
bind-interface st0.0;
ike {
    gateway gw-debian1-strongswan;
    proxy-identity {
        local 10.34.1.0/24;
        remote 10.33.1.0/24;
    }
    ipsec-policy strongswan;
}
establish-tunnels immediately;

The IPSEC configuration is also shown in the same order: proposal, policy and VPN.
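Because the two sides are written in different dialects, the usual reason a tunnel like this fails to come up is a parameter that does not line up: a phase 1 or phase 2 proposal the peer never offers, a PFS group that differs from the one pluto derives, or identities and proxy IDs that are not mirrored. The Python script below is an added example, not part of the original post. It embeds a constructed copy of the conn block above and the SRX stanzas hand-converted to `show configuration | display set` form, maps the strongSwan keywords onto the Junos ones (only for the algorithms used on this page), and reports every mismatch. The keyword tables and the assumption that, with no pfsgroup= set, strongSwan 4.x pluto reuses the Main Mode DH group for Quick Mode PFS are mine, not the page's.

```python
# Added example: cross-check the strongSwan conn against the SRX configuration.

# Constructed copy of the page's conn block (only the parameters the check reads).
STRONGSWAN_CONN = """\
conn j41-srx
    esp=aes128-sha1,3des-sha1!
    ike=aes128-sha1-modp2048,3des-sha1-modp1536!
    leftid=@debian1.example.com
    rightid=@j41.example.com
    left=192.168.3.11
    leftsubnet=10.33.1.0/24
    rightsubnet=10.34.1.0/24
"""
# The page's SRX stanzas, hand-converted to 'show configuration | display set' form.
SRX_SET = """\
set security ike proposal strongswan dh-group group14
set security ike proposal strongswan authentication-algorithm sha1
set security ike proposal strongswan encryption-algorithm aes-128-cbc
set security ike gateway gw-debian1-strongswan address 192.168.3.11
set security ike gateway gw-debian1-strongswan local-identity hostname j41.example.com
set security ike gateway gw-debian1-strongswan remote-identity hostname debian1.example.com
set security ipsec proposal strongswan authentication-algorithm hmac-sha1-96
set security ipsec proposal strongswan encryption-algorithm aes-128-cbc
set security ipsec policy strongswan perfect-forward-secrecy keys group14
set security ipsec vpn vpn-debian1-strongswan ike proxy-identity local 10.34.1.0/24
set security ipsec vpn vpn-debian1-strongswan ike proxy-identity remote 10.33.1.0/24
"""
# strongSwan keyword -> Junos keyword, covering only the algorithms used on this page.
ENC = {"aes128": "aes-128-cbc", "3des": "3des-cbc"}
ESP_AUTH = {"sha1": "hmac-sha1-96"}
DH = {"modp2048": "group14", "modp1536": "group5"}
IKE_P = "set security ike proposal strongswan "
ESP_P = "set security ipsec proposal strongswan "
GW_P = "set security ike gateway gw-debian1-strongswan "
VPN_P = "set security ipsec vpn vpn-debian1-strongswan ike proxy-identity "


def parse_conn(text):
    """Return the key=value parameters of one ipsec.conf conn block."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.strip().startswith("conn "):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def srx_get(set_text, prefix):
    """Return the value that follows `prefix` in a set-style Junos config, or None."""
    for line in set_text.splitlines():
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].strip()
    return None


def ike_offers(params):
    """strongSwan ike= entries as Junos (enc, auth, dh) triples; the '!' only marks strictness."""
    triples = [p.split("-") for p in params["ike"].rstrip("!").split(",")]
    return {(ENC[e], a, DH[d]) for e, a, d in triples}


def esp_offers(params):
    """strongSwan esp= entries as Junos (enc, auth) pairs."""
    pairs = [p.split("-")[:2] for p in params["esp"].rstrip("!").split(",")]
    return {(ENC[e], ESP_AUTH[a]) for e, a in pairs}


def check(conn_text, set_text):
    """Return a list of mismatches between the two sides; an empty list means consistent."""
    s = parse_conn(conn_text)
    g = lambda key: srx_get(set_text, key)
    problems = []
    # Phase 1: the single SRX proposal must be one of the strongSwan ike= entries.
    srx_ike = (g(IKE_P + "encryption-algorithm"), g(IKE_P + "authentication-algorithm"),
               g(IKE_P + "dh-group"))
    if srx_ike not in ike_offers(s):
        problems.append("phase 1: SRX proposal %s not offered by strongSwan" % (srx_ike,))
    # Phase 2: the same for the ESP proposal.
    srx_esp = (g(ESP_P + "encryption-algorithm"), g(ESP_P + "authentication-algorithm"))
    if srx_esp not in esp_offers(s):
        problems.append("phase 2: SRX proposal %s not offered by strongSwan" % (srx_esp,))
    # No pfsgroup= in the conn, so pluto reuses the Main Mode DH group for Quick Mode PFS
    # (assumption about strongSwan 4.x); the SRX PFS group must therefore be one of those.
    pfs = g("set security ipsec policy strongswan perfect-forward-secrecy keys")
    if pfs not in {dh for _, _, dh in ike_offers(s)}:
        problems.append("PFS group %s is not a phase 1 group on the strongSwan side" % pfs)
    # Identities, peer address and proxy IDs are mirrored: strongSwan's left is the SRX's remote.
    mirrored = [
        ("leftid", s["leftid"].lstrip("@"), g(GW_P + "remote-identity hostname")),
        ("rightid", s["rightid"].lstrip("@"), g(GW_P + "local-identity hostname")),
        ("left", s["left"], g(GW_P + "address")),
        ("leftsubnet", s["leftsubnet"], g(VPN_P + "remote")),
        ("rightsubnet", s["rightsubnet"], g(VPN_P + "local")),
    ]
    for name, ours, theirs in mirrored:
        if ours != theirs:
            problems.append("%s=%s does not match the SRX value %s" % (name, ours, theirs))
    return problems
```

Run `check(STRONGSWAN_CONN, SRX_SET)` and an empty list means the two sides agree; on a real box you would paste the live conn block and the `display set` output in place of the constants. The check is deliberately one-directional (does the SRX's single proposal appear in what strongSwan offers), because that is what the SRX, as responder here, has to accept.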


Let's verify this setup on both sides:
SRX
root@J41-Amsterdam> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
5695104 UP     bd883616bc2937de  35dea150eee8edc6  Main  192.168.3.11

root@J41-Amsterdam> show security ipsec sa
  Total active tunnels: 1
  ID      Algorithm             SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131082 ESP:aes-cbc-128/sha1  80677dc   2893/ unlim  -    root  500   192.168.3.11
  >131082 ESP:aes-cbc-128/sha1  ce787e8c  2893/ unlim  -    root  500   192.168.3.11
Strongswan
root@debian1:~# ipsec status j41-srx
000 "j41-srx": 10.33.1.0/24===192.168.3.11[debian1.example.com]...212.45.64.2[j41.example.com]===10.34.1.0/24; erouted; eroute owner: #4
000 "j41-srx": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #4: "j41-srx" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2602s; newest IPSEC; eroute owner
000 #4: "j41-srx" esp.80677dc@212.45.64.2 (0 bytes) esp.ce787e8c@192.168.3.11 (0 bytes); tunnel
000 #3: "j41-srx" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27802s; newest ISAKMP
000 #2: "j41-srx" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2106s
000 #2: "j41-srx" esp.f09e63ad@212.45.64.2 (0 bytes) esp.c3a90cd4@192.168.3.11 (0 bytes); tunnel
000 #1: "j41-srx" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27065s
000
Security Associations:
no match

root@debian1:~# ip -s xfrm policy list src 10.33.1.0/24
src 10.33.1.0/24 dst 10.34.1.0/24 uid 0
        dir out action allow index 521 priority 1859 ptype main share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2014-04-15 21:15:05 use
        tmpl src 192.168.3.11 dst 212.45.64.2
                proto esp spi 0x00000000(0) reqid 16384(0x00004000) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
As you can see, the tunnel is established properly. I have tested this config two times on these
releases. I hope there isn't any mistake so far. I haven't passed traffic on this setup as my purpose
was to see how the configuration is done, but I don't think there should be a problem. Should you
have any feedback, please feel free to comment!
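A quick way to confirm that the two displays above describe the same tunnel, rather than two SAs that each happen to be up, is to compare SPIs: the SRX lists its inbound (<) and outbound (>) SPIs, and pluto lists esp.SPI@destination for every IPsec SA it still holds, including the superseded #2. The Python script below is an added example, not part of the original post. It embeds constructed copies of both outputs (the pluto lines unwrapped), takes only the SA pluto marks as newest, and checks that each SPI appears on the other side in the opposite direction. The endpoint addresses passed to cross_check() are the ones from the topology at the top of the post.

```python
# Added example: confirm both sides report the same SPIs for the live IPsec SA.
import re

# Constructed copy of the SRX 'show security ipsec sa' output from the page.
SRX_IPSEC_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131082 ESP:aes-cbc-128/sha1 80677dc 2893/ unlim - root 500 192.168.3.11
  >131082 ESP:aes-cbc-128/sha1 ce787e8c 2893/ unlim - root 500 192.168.3.11
"""

# Constructed copy of the pluto part of 'ipsec status j41-srx' from the page (lines unwrapped).
STRONGSWAN_STATUS = """\
000 "j41-srx": 10.33.1.0/24===192.168.3.11[debian1.example.com]...212.45.64.2[j41.example.com]===10.34.1.0/24; erouted; eroute owner: #4
000 "j41-srx": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #4: "j41-srx" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2602s; newest IPSEC; eroute owner
000 #4: "j41-srx" esp.80677dc@212.45.64.2 (0 bytes) esp.ce787e8c@192.168.3.11 (0 bytes); tunnel
000 #3: "j41-srx" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27802s; newest ISAKMP
000 #2: "j41-srx" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2106s
000 #2: "j41-srx" esp.f09e63ad@212.45.64.2 (0 bytes) esp.c3a90cd4@192.168.3.11 (0 bytes); tunnel
000 #1: "j41-srx" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27065s
"""

# One SRX SA row: direction marker, ID, algorithm, SPI, then the gateway address at the end.
SRX_SA_RE = re.compile(r"^\s*([<>])\d+\s+ESP:\S+\s+([0-9a-f]+)\s+.*?(\d+(?:\.\d+){3})\s*$", re.M)
# pluto's esp.SPI@destination tokens.
ESP_RE = re.compile(r"esp\.([0-9a-f]+)@(\d+(?:\.\d+){3})")


def parse_srx_sa(text):
    """Map '<' (inbound to the SRX) and '>' (outbound) to (spi as int, remote gateway)."""
    return {d: (int(spi, 16), gw) for d, spi, gw in SRX_SA_RE.findall(text)}


def parse_pluto_status(text):
    """Return (newest IPsec SA number, {destination address: spi}) for that SA only.

    pluto prints esp.SPI@dst, the SPI carried in packets sent *to* dst, and keeps
    superseded SAs (#2 here) in the listing, so the check must pick the newest one.
    """
    newest = int(re.search(r"newest IPsec SA: #(\d+);", text).group(1))
    spis = {}
    for line in text.splitlines():
        m = re.match(r'000 #(\d+): "[^"]*" (esp\..*)', line)
        if m and int(m.group(1)) == newest:
            spis.update({dst: int(spi, 16) for spi, dst in ESP_RE.findall(m.group(2))})
    return newest, spis


def cross_check(srx_text, pluto_text, srx_addr, ss_addr):
    """Return (newest SA number, list of findings); an empty list means both sides agree.

    The SPI pluto sends to the SRX address must be the SRX's inbound ('<') SPI, and the
    SPI pluto expects at its own address must be the SRX's outbound ('>') SPI.
    """
    srx = parse_srx_sa(srx_text)
    newest, spis = parse_pluto_status(pluto_text)
    findings = []
    if any(gw != ss_addr for _, gw in srx.values()):
        findings.append("SRX SA gateway is not the strongSwan endpoint %s" % ss_addr)
    if srx["<"][0] != spis.get(srx_addr):
        findings.append("SRX inbound SPI %x != SPI strongSwan sends to it" % srx["<"][0])
    if srx[">"][0] != spis.get(ss_addr):
        findings.append("SRX outbound SPI %x != SPI strongSwan expects" % srx[">"][0])
    return newest, findings


if __name__ == "__main__":
    newest, findings = cross_check(SRX_IPSEC_SA, STRONGSWAN_STATUS, "212.45.64.2", "192.168.3.11")
    print("newest IPsec SA #%d:" % newest, findings or "SPIs match in both directions")
```

With the outputs from this post the result is an empty findings list for SA #4. If the script had compared against the older SA #2 instead, both SPIs (f09e63ad and c3a90cd4) would be reported as mismatched, which is exactly the situation you see after a rekey when one side still shows a stale SA.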
