IPSEC between StrongSwan and SRX


Upload: son-tran-hong-nam

Post on 12-Feb-2016


Page 1: IPSEC Between StrongSwan and SRX

In one of my earlier posts I provided my configuration for an IPSEC VPN setup between an SRX firewall and Linux with racoon. In this post, I will explain how you can set up a route-based IPSEC tunnel between StrongSwan (pre-shared key) and an SRX firewall. The topology of my setup is below:

Tunnel Peers: debian1 and j41
Tunnel End point addresses: debian1 (192.168.3.11) — j41 (212.45.64.2)
Protected Networks: debian1 (10.33.1.0/24) — j41 (10.34.1.0/24)
SRX Junos Release: 12.1X46-D15.3
StrongSwan Release: 4.5.2-1.5+deb7u2

LINUX

Create your StrongSwan configuration files as below. A note on the release: StrongSwan 4.5.2 still ships the pluto daemon for IKEv1 (charon only handled IKEv2 at that point), so the conn below is negotiated by pluto and plutostart=yes is required. Pluto was removed in StrongSwan 5.0, where charon negotiates IKEv1 as well; on a current release the plutostart option is obsolete and keyexchange=ikev1 alone selects the protocol version.

/etc/ipsec.conf

config setup
        # 4.x series: pluto negotiates IKEv1, charon negotiates IKEv2
        charonstart=yes
        plutostart=yes

conn j41-srx
        authby=secret
        auto=start
        # ESP: AES-128/SHA1 preferred, 3DES/SHA1 as fallback; the trailing "!" makes the list strict
        esp=aes128-sha1,3des-sha1!
        # IKE: AES-128/SHA1/modp2048 (Junos group14) preferred, 3DES/SHA1/modp1536 (group5) as fallback
        ike=aes128-sha1-modp2048,3des-sha1-modp1536!
        ikelifetime=28800
        keyexchange=ikev1
        # "@" marks a hostname (FQDN) identity; these must match the SRX remote-/local-identity
        leftid=@debian1.example.com
        rightid=@j41.example.com
        left=192.168.3.11
        right=212.45.64.2
        leftsubnet=10.33.1.0/24
        rightsubnet=10.34.1.0/24

/etc/ipsec.secrets

@debian1.example.com @j41.example.com : PSK "lab123"

That is all the StrongSwan side needs; now the SRX config. (The PSK "lab123" is a lab value: with pre-shared-key Main Mode the PSK is the only thing authenticating the peer, so use a long random secret in production and keep ipsec.secrets readable by root only.)

IKE

lab@J41-Amsterdam# show security ike proposal strongswan
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;

[edit]
lab@J41-Amsterdam# show security ike policy stronswan
mode main;
description "Debian1 PSK strongswan";
proposals strongswan;
pre-shared-key ascii-text "$9$uN.70Icyrv8LNcSwYoaUD"; ## SECRET-DATA

[edit]
lab@J41-Amsterdam# show security ike gateway gw-debian1-strongswan
ike-policy stronswan;
address 192.168.3.11;
local-identity hostname j41.example.com;
remote-identity hostname debian1.example.com;
external-interface ge-0/0/0.64;

As I have several configurations for different peers, the IKE proposal, policy and gateway are shown one object at a time, in that order. Two things to watch: the policy object is named stronswan (sic) and the gateway references it by that exact name, so rename both or neither; and local-identity/remote-identity hostname must match the StrongSwan rightid/leftid (j41.example.com and debian1.example.com) exactly, since Main Mode aborts at the identity check otherwise.

IPSEC

[edit]
lab@J41-Amsterdam# show security ipsec proposal strongswan
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;

[edit]
lab@J41-Amsterdam# show security ipsec policy strongswan
perfect-forward-secrecy {
    keys group14;
}
proposals strongswan;

[edit]
lab@J41-Amsterdam# show security ipsec vpn vpn-debian1-strongswan
bind-interface st0.0;
ike {
    gateway gw-debian1-strongswan;
    proxy-identity {
        local 10.34.1.0/24;
        remote 10.33.1.0/24;
    }
    ipsec-policy strongswan;
}
establish-tunnels immediately;

The IPSEC config follows the same order: proposal, policy and VPN. Two details matter for interoperability with the StrongSwan side. First, the proxy-identity must mirror leftsubnet/rightsubnet exactly (the SRX local 10.34.1.0/24 is StrongSwan's rightsubnet); without it a route-based SRX VPN proposes 0.0.0.0/0 for both IDs in Quick Mode, which matches no conn on the pluto side. Second, perfect-forward-secrecy keys group14 lines up with pluto's defaults: pfs=yes is the default and, since the esp= line names no DH group, Quick Mode reuses the Main Mode group, modp2048, which is group14. Not shown here, but required for traffic to flow, are the st0.0 interface itself, the security zone it belongs to, the policies permitting traffic through that zone, and a static route for 10.33.1.0/24 via st0.0.
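What makes the two configurations above interoperate is that one entry in each StrongSwan proposal list translates to the single proposal on the SRX: aes128 is aes-128-cbc, sha1 is sha1 for IKE and hmac-sha1-96 for ESP, modp2048 is group14, and the omitted ESP DH group falls back to the Main Mode group, which is what perfect-forward-secrecy keys group14 expects. The following Python script, an added example and not part of the original post, encodes that mapping and computes which entry the SRX will accept, so you can check a proposal pair before committing it. The keyword tables are my own assumption, limited to the algorithms on this page plus a few common neighbours; the sample inputs are the page's values.

```python
"""Cross-check strongSwan ike=/esp= proposals against a Junos SRX proposal.

Added example, not code from the original post. The keyword tables are an
assumption limited to the algorithms on this page and a few common neighbours.
"""
import re

# strongSwan keyword -> Junos keyword, per algorithm family.
ENC = {"aes128": "aes-128-cbc", "aes192": "aes-192-cbc",
       "aes256": "aes-256-cbc", "3des": "3des-cbc"}
IKE_INTEG = {"md5": "md5", "sha1": "sha1", "sha256": "sha-256"}
ESP_INTEG = {"md5": "hmac-md5-96", "sha1": "hmac-sha1-96",
             "sha256": "hmac-sha-256-128"}
DH = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}

# Entries a reviewer should flag even when they do negotiate.
WEAK = {"3des": "64-bit block cipher (Sweet32)", "md5": "broken hash",
        "modp1024": "1024-bit DH", "modp1536": "DH group below 2048 bits"}


def parse_strongswan(spec):
    """'aes128-sha1-modp2048,3des-sha1-modp1536!' -> ([(enc, integ, dh), ...], strict).

    Order is the initiator's preference; a trailing '!' means no defaults are
    appended to the list.
    """
    spec = spec.strip()
    strict = spec.endswith("!")
    proposals = []
    for item in spec.rstrip("!").split(","):
        parts = item.split("-")
        dh = parts[2] if len(parts) > 2 else None
        proposals.append((parts[0], parts[1], dh))
    return proposals, strict


def parse_junos(text):
    """Collect 'keyword value;' statements from a Junos show output into a dict."""
    return dict(re.findall(r"^\s*([\w-]+)\s+([\w./-]+);", text, re.M))


def negotiate(spec, junos_text, kind, pfs_group=None):
    """Return the first strongSwan proposal the SRX side accepts, or None.

    kind is 'ike' (compare with 'show security ike proposal') or 'esp' (compare
    with the ipsec proposal plus the ipsec policy, so the PFS 'keys' group is
    visible). For ESP entries without a DH group pluto uses pfs_group, which
    defaults to the Main Mode group; pass None to model pfs=no.
    """
    junos = parse_junos(junos_text)
    integ_map = IKE_INTEG if kind == "ike" else ESP_INTEG
    srx_dh = junos.get("dh-group") if kind == "ike" else junos.get("keys")
    proposals, _strict = parse_strongswan(spec)
    for enc, integ, dh in proposals:
        if kind == "esp" and dh is None:
            dh = pfs_group
        if (ENC.get(enc) == junos.get("encryption-algorithm")
                and integ_map.get(integ) == junos.get("authentication-algorithm")
                and DH.get(dh) == srx_dh):
            return (enc, integ, dh)
    return None


def weak_parts(proposal):
    """List the components of a negotiated proposal that deserve a second look."""
    return [f"{p}: {WEAK[p]}" for p in proposal if p in WEAK]


# Sample input: the values from this page.
IKE_SPEC = "aes128-sha1-modp2048,3des-sha1-modp1536!"
ESP_SPEC = "aes128-sha1,3des-sha1!"
SRX_IKE = """\
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
"""
SRX_IPSEC = """\
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
perfect-forward-secrecy {
    keys group14;
}
proposals strongswan;
"""


def check_page_setup():
    """What the two peers on this page should agree on: (ike, esp) tuples."""
    ike = negotiate(IKE_SPEC, SRX_IKE, "ike")
    esp = negotiate(ESP_SPEC, SRX_IPSEC, "esp", pfs_group=ike[2] if ike else None)
    return ike, esp


if __name__ == "__main__":
    for label, chosen in zip(("IKE", "ESP"), check_page_setup()):
        print(label, chosen, weak_parts(chosen) if chosen else "NO MATCH")
```

For the page's values both checks return the aes128/sha1/modp2048 entry; the 3des-sha1-modp1536 fallback is never selected because the SRX offers no 3DES proposal, which is the safe outcome. Changing the SRX proposal to 3des-cbc and group5 makes the fallback negotiate, and weak_parts then reports why that should be removed from the strict list rather than kept as a fallback.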

Let's verify the setup on both sides. Because auto=start on StrongSwan and establish-tunnels immediately on the SRX make both peers initiate, the StrongSwan status below shows two ISAKMP SAs and two IPsec SAs for the one conn (the pair it initiated, #1/#2, and the pair it responded to, #3/#4); that is expected, not a problem.

SRX

root@J41-Amsterdam> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5695104 UP     bd883616bc2937de  35dea150eee8edc6  Main           192.168.3.11

root@J41-Amsterdam> show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131082 ESP:aes-cbc-128/sha1 80677dc 2893/ unlim - root 500 192.168.3.11
  >131082 ESP:aes-cbc-128/sha1 ce787e8c 2893/ unlim - root 500 192.168.3.11

Strongswan

root@debian1:~# ipsec status j41-srx
000 "j41-srx": 10.33.1.0/24===192.168.3.11[debian1.example.com]...212.45.64.2[j41.example.com]===10.34.1.0/24; erouted; eroute owner: #4
000 "j41-srx":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #4: "j41-srx" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2602s; newest IPSEC; eroute owner
000 #4: "j41-srx" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #3: "j41-srx" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27802s; newest ISAKMP
000 #2: "j41-srx" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2106s
000 #2: "j41-srx" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #1: "j41-srx" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27065s
000
Security Associations:
  no match

root@debian1:~# ip -s xfrm policy list src 10.33.1.0/24
src 10.33.1.0/24 dst 10.34.1.0/24 uid 0
        dir out action allow index 521 priority 1859 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2014-04-15 21:15:05 use -
        tmpl src 192.168.3.11 dst 212.45.64.2
                proto esp spi 0x00000000(0) reqid 16384(0x00004000) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
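Once both sides are up, the three outputs above can be checked mechanically rather than by eye. The following Python, an added example and not code from the original post, parses the SRX 'show security ike sa' and 'show security ipsec sa' tables and the Linux 'ip xfrm policy' entry (the page's own outputs, embedded as sample text, with the xfrm dump trimmed to the lines used) and checks that the SRX SA points at the Linux endpoint with the expected algorithm, that the kernel policy mirrors the SRX proxy-identity and tunnel endpoints, and flags the Mon '-' column, which means no vpn-monitor is configured. The addresses passed into check_tunnel are the page's; the function and the findings it reports are assumptions of this example.

```python
"""Post-deployment sanity check for the tunnel, run over captured CLI output.

Added example, not code from the original post. The sample texts below are the
SRX and Linux outputs shown on this page (the xfrm dump trimmed to the lines
used); the check itself is generic for any SRX <-> strongSwan pair.
"""
import re

SRX_IKE_SA = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5695104 UP     bd883616bc2937de  35dea150eee8edc6  Main           192.168.3.11
"""
SRX_IPSEC_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131082 ESP:aes-cbc-128/sha1 80677dc 2893/ unlim - root 500 192.168.3.11
  >131082 ESP:aes-cbc-128/sha1 ce787e8c 2893/ unlim - root 500 192.168.3.11
"""
XFRM_POLICY = """\
src 10.33.1.0/24 dst 10.34.1.0/24 uid 0
        dir out action allow index 521 priority 1859 ptype main share any flag  (0x00000000)
        tmpl src 192.168.3.11 dst 212.45.64.2
                proto esp spi 0x00000000(0) reqid 16384(0x00004000) mode tunnel
"""

IKE_RE = re.compile(r"^(\d+)\s+(\w+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\w+)\s+(\S+)", re.M)
SA_RE = re.compile(r"^\s*([<>])(\d+)\s+ESP:(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)"
                   r"\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)", re.M)
MONITOR_OFF = "vpn-monitor is off (Mon '-'); liveness relies on IKE rekey/DPD only"


def parse_srx_ike_sa(text):
    """Rows of 'show security ike sa' as dicts (the header line has no index)."""
    return [dict(index=m[1], state=m[2], mode=m[5], peer=m[6])
            for m in IKE_RE.finditer(text)]


def parse_srx_ipsec_sa(text):
    """Rows of 'show security ipsec sa': '<' is inbound to the SRX, '>' outbound."""
    return [dict(direction="in" if m[1] == "<" else "out", id=m[2], algorithm=m[3],
                 spi=m[4], life_sec=int(m[5]), life_kb=m[6], monitored=m[7] != "-",
                 port=int(m[9]), gateway=m[10])
            for m in SA_RE.finditer(text)]


def parse_xfrm_policy(text):
    """Selector, direction and ESP template of one 'ip xfrm policy' entry."""
    sel = re.search(r"^src (\S+) dst (\S+)", text, re.M)
    d = re.search(r"^\s*dir (\w+)", text, re.M)
    t = re.search(r"tmpl src (\S+) dst (\S+)\s+proto (\w+).*?mode (\w+)", text, re.S)
    return dict(src=sel[1], dst=sel[2], dir=d[1], tmpl_src=t[1], tmpl_dst=t[2],
                proto=t[3], mode=t[4])


def check_tunnel(ike_text, ipsec_text, xfrm_text, srx_addr, linux_addr,
                 linux_net, srx_net, expected_algo="aes-cbc-128/sha1", min_life=300):
    """Return a list of findings; empty means both sides agree and the SA is healthy."""
    findings = []
    ike = [s for s in parse_srx_ike_sa(ike_text) if s["peer"] == linux_addr]
    if not ike or ike[0]["state"] != "UP":
        findings.append(f"no UP IKE SA with {linux_addr}")
    sas = [s for s in parse_srx_ipsec_sa(ipsec_text) if s["gateway"] == linux_addr]
    if {s["direction"] for s in sas} != {"in", "out"}:
        findings.append("IPsec SA is missing one direction")
    for s in sas:
        if s["algorithm"] != expected_algo:
            findings.append(f"{s['direction']} SA uses {s['algorithm']}, expected {expected_algo}")
        if s["life_sec"] < min_life:
            findings.append(f"{s['direction']} SA expires in {s['life_sec']}s")
    if sas and not any(s["monitored"] for s in sas):
        findings.append(MONITOR_OFF)
    # The kernel policy on the Linux side must mirror the SRX proxy-identity:
    # its selector is StrongSwan's leftsubnet -> rightsubnet, its template the
    # ESP tunnel from the Linux endpoint to the SRX endpoint.
    pol = parse_xfrm_policy(xfrm_text)
    if (pol["dir"], pol["src"], pol["dst"]) != ("out", linux_net, srx_net):
        findings.append(f"kernel policy selector {pol['src']}->{pol['dst']} does not mirror the proxy-identity")
    if (pol["tmpl_src"], pol["tmpl_dst"], pol["proto"], pol["mode"]) != (linux_addr, srx_addr, "esp", "tunnel"):
        findings.append(f"kernel policy template {pol['tmpl_src']}->{pol['tmpl_dst']} is not the expected ESP tunnel")
    return findings


def check_page_setup():
    """Run the check over this page's outputs with this page's addresses."""
    return check_tunnel(SRX_IKE_SA, SRX_IPSEC_SA, XFRM_POLICY,
                        srx_addr="212.45.64.2", linux_addr="192.168.3.11",
                        linux_net="10.33.1.0/24", srx_net="10.34.1.0/24")


if __name__ == "__main__":
    for finding in check_page_setup() or ["tunnel healthy"]:
        print(finding)
```

Run over this page's outputs, the only finding is the missing vpn-monitor, which is consistent with the configuration shown (there is no vpn-monitor statement under the vpn). In a deployment you would feed the function the live command output instead of the embedded samples and raise the expected algorithm to whatever the proposal pair actually negotiates.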

As you can see, the tunnel is established properly. I have tested this config two times on these releases. I hope there isn't any mistake so far. I haven't passed traffic on this setup, as my purpose was to see how the configuration is done, but I don't think there should be a problem. Should you have any feedback, please feel free to comment!