IPSEC Config
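conn internal
    # Site-to-site tunnel between two statically addressed peers.
    # Authentication is by pre-shared key: the PSK lives in ipsec.secrets
    # (mode 0600), must be long and random, and must be unique to this pair.
    # The commented leftrsasigkey/rightrsasigkey lines below show raw RSA
    # keys were tried; raw-RSA or X.509 auth is preferable to a PSK for
    # anything beyond a lab, and removes the shared-secret distribution problem.
    authby=secret
    auto=start
    # Negotiate IKEv2 only. Without this libreswan 3.x also accepts IKEv1
    # (the accompanying 'ipsec status' shows IKEV1_ALLOW+IKEV2_ALLOW and a
    # pile of IKEv1 STATE_MAIN_R0 half-open SAs). Drop to ikev2=permit only
    # if the peer genuinely cannot speak IKEv2.
    ikev2=insist
    # Phase 1 (IKE SA): AES-256-CBC, HMAC-SHA2-256, MODP-2048 (DH group 14).
    ike=aes256-sha2-dh14
    ikelifetime=14400s
    # Phase 2 (Child SA): AES-256-CBC with HMAC-SHA2-256 truncated to 128 bits
    # (RFC 4868, libreswan default). PFS is on by default and reuses the
    # IKE group; stated explicitly so a peer proposing no-PFS is refused.
    esp=aes256-sha2_256
    pfs=yes
    salifetime=3600s
    # Dead Peer Detection: the original conn had it disabled (delay:0 in
    # 'ipsec status'), so a peer that silently disappears leaves a dead
    # tunnel up until rekey. With auto=start, restart re-initiates.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # Identities are FQDN-style tags, not DNS names; they must match the
    # selectors used for the PSK in ipsec.secrets on both ends.
    leftid=@us
    left=172.16.1.135
    # rsakey AwEAAfCEk
    # leftrsasigkey=<elided>
    rightid=@them
    right=172.16.1.64
    # rsakey AwEAAbAx0
    # rightrsasigkey=<elided>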
000 "internal": 172.16.1.64<172.16.1.64>[@them]...172.16.1.135<172.16.1.135>[@us]; unrouted; eroute owner: #0 | |
000 "internal": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; | |
000 "internal": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] | |
000 "internal": our auth:secret, their auth:secret | |
000 "internal": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; | |
000 "internal": labeled_ipsec:no; | |
000 "internal": policy_label:unset; | |
000 "internal": ike_life: 14400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; | |
000 "internal": retransmit-interval: 500ms; retransmit-timeout: 60s; | |
000 "internal": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; | |
000 "internal": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; | |
000 "internal": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; | |
000 "internal": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; | |
000 "internal": our idtype: ID_FQDN; our id=@them; their idtype: ID_FQDN; their id=@us | |
000 "internal": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both | |
000 "internal": newest ISAKMP SA: #0; newest IPsec SA: #0; | |
000 "internal": IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048 | |
000 "internal": ESP algorithms: AES_CBC_256-HMAC_SHA2_256_128 | |
000 | |
000 Total IPsec connections: loaded 1, active 0 | |
000 | |
000 State Information: DDoS cookies not required, Accepting new IKE connections | |
000 IKE SAs: total(12), half-open(12), open(0), authenticated(0), anonymous(0) | |
000 IPsec SAs: total(0), authenticated(0), anonymous(0) | |
000 | |
000 #2: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #3: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #5: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #7: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #8: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #10: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #12: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #13: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #15: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set | |
000 #17: "internal":500 STATE_MAIN_R0 (expecting MI1); none in -1s; nodpd; idle; import:not set |
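# Operational-mode checks (run after commit).
request dhcp client renew all
show security ike security-associations
show security ipsec inactive-tunnels
show security ipsec security-associations
# IPS and aliases:
# Test1/Terraform
set security address-book global address Host1-Net 172.16.1.238/32
# Test2/Manual:
set security address-book global address Host2-Net 172.16.1.245/32
#
# NOTE(review): ge-0/0/0 and ge-0/0/1 both sit in 172.16.1.0/24 — confirm
# this is intentional; two interfaces on one subnet is rarely what a
# trust/untrust split wants.
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.150/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.1/32
# NOTE(review): 172.16.13.2 is not inside either configured /24, so this
# next-hop is unreachable unless another route covers it — verify.
set routing-options static route 0.0.0.0/0 next-hop 172.16.13.2
# trust zone accepts every host-inbound system service from the inside
# (ssh, http, dhcp, ...). Narrow this to the services actually used
# (e.g. ssh, ping, dhcp) once the lab works.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
# untrust zone answers only IKE (UDP 500/4500) and ping; no management
# services are reachable from outside.
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
# https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-nat-configuration-overview.html
# NOTE(review): 192.0.2.250 is an RFC 5737 documentation address (as in the
# Juniper example); replace it with the real untrust-side address, or use
# interface-based source NAT, before this leaves the lab.
set security nat source pool pool_1 address 192.0.2.250/32
set security nat source rule-set SR_SET_1 from zone trust
set security nat source rule-set SR_SET_1 to zone untrust
# match sources from our local network
set security nat source rule-set SR_SET_1 rule rule1 match source-address 172.16.0.0/12
# External nat
set security nat source rule-set SR_SET_1 rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set SR_SET_1 rule rule1 then source-nat pool pool_1
# The security policies permitting trust->untrust traffic and the IKE
# proposal/policy/gateway and IPsec vpn objects are not in this snippet;
# nothing here establishes the tunnel by itself.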
https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-policy-based-ipsec-vpns.html#id-understanding-policy-based-ipsec-vpns | |
https://www.juniper.net/documentation/en_US/vsrx/information-products/pathway-pages/security-vsrx-aws-guide-pwp.pdf | |
- Page 23 has interface mappings. | |
https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-nat-configuration-overview.html | |
https://www.juniper.net/documentation/en_US/day-one-books/AWS_vSRX_Cookbook22.pdf | |
Someone else's config: | |
https://gist.github.com/dijeesh/3e1f5526ca06846a715142b82fdf53c0 | |
AWS Guide to juniper: | |
https://docs.aws.amazon.com/vpn/latest/s2svpn/Juniper_Troubleshooting.html | |
https://support.juniper.net/support/tools/vpnconfig/#ipTypes |