Multiple subnets in SRX route-based VPN

By default, the proxy-id on an SRX route-based VPN is 0.0.0.0/0 when it is not explicitly configured. This is a problem when the remote peer is a third-party device such as a Cisco ASA. When there is only one network at the remote site and one network at the local site, configuring an explicit proxy-id resolves the issue. When there are multiple subnets at either the remote or the local side, things get harder: only recently released SRX firmware supports multiple proxy-ids, through a feature called Traffic Selector, and older SRX releases cannot be configured with more than one proxy-id per VPN. Here I focus on the older SRX releases that do not support Traffic Selector.

When there are multiple networks at the local side, the first thing to try is to supernet them, then ask the peer administrator whether he/she can use the supernet as the proxy-id. In Cisco terms this means the remote ASA uses the supernet in its interesting-traffic ACL (also called the VPN ACL), while its interface ACLs continue to use the real subnets.
For example, when the local site has two networks, 192.168.8.0/24 and 192.168.18.0/24, the simplest supernet is 192.168.0.0/16. When the peer agrees to use 192.168.0.0/16, the configuration on the SRX is:

policy ASA-IPSEC-POLICY {
    proposal-set standard;
}
vpn ASA-VPN {
    bind-interface st0.0;
    ike {
        gateway ASA-GW;
        proxy-identity {
            local 192.168.0.0/16;
            remote 10.10.1.0/24;
        }
        ipsec-policy ASA-IPSEC-POLICY;
    }
    establish-tunnels immediately;
}

The st0 unit 0 interface and the static route are configured as usual. The security policies should continue to use the real subnets:

set security policies from-zone vpn to-zone trust policy FROM-ASA match source-address NET-10.10.1.0/24
set security policies from-zone vpn to-zone trust policy FROM-ASA match destination-address NET-192.168.8.0/24
set security policies from-zone vpn to-zone trust policy FROM-ASA match destination-address NET-192.168.18.0/24
set security policies from-zone vpn to-zone trust policy FROM-ASA match application any
set security policies from-zone vpn to-zone trust policy FROM-ASA then permit
set security policies from-zone trust to-zone vpn policy TO-ASA match source-address NET-192.168.8.0/24
set security policies from-zone trust to-zone vpn policy TO-ASA match source-address NET-192.168.18.0/24
set security policies from-zone trust to-zone vpn policy TO-ASA match destination-address NET-10.10.1.0/24
set security policies from-zone trust to-zone vpn policy TO-ASA match application any
set security policies from-zone trust to-zone vpn policy TO-ASA then permit

Below is the rest of the related configuration:

set interfaces st0 unit 0 family inet address 172.16.8.1/24

set routing-options static route 10.10.1.0/24 next-hop st0.0

set security zones security-zone vpn interfaces st0.0
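To make the supernet step and the proxy-id checks mechanical, here is an added Python script (my own example, not part of the original post and not Junos code). It computes the smallest single prefix that covers the local subnets, checks whether a proposed SRX proxy-id pair is the mirror image of what the ASA would carry in its VPN ACL, and lists any security-policy address pairs that fall outside the negotiated proxy-id. The subnets are the ones used in this post; the ASA-side values are constructed for the example.

```python
from ipaddress import ip_network

# Constructed inputs mirroring the post: two LANs behind the SRX, one LAN behind the ASA.
LOCAL_SUBNETS = ["192.168.8.0/24", "192.168.18.0/24"]
REMOTE_SUBNET = "10.10.1.0/24"


def minimal_supernet(cidrs):
    """Smallest single prefix that contains every network in cidrs.

    Starts from the first network and shortens its mask one bit at a time
    until all the others fit inside it. The post picks the simpler /16;
    this shows the tightest prefix you could offer the peer instead.
    """
    nets = [ip_network(c, strict=True) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # one bit shorter, re-aligned
    return candidate


def proxy_ids_mirror(srx_local, srx_remote, asa_local, asa_remote):
    """Phase 2 identities must be mirror images of each other: the SRX's
    local id is the ASA's remote id and vice versa. With the SRX default
    proxy-id of 0.0.0.0/0 this is never true against a specific ASA ACL."""
    return (ip_network(srx_local) == ip_network(asa_remote)
            and ip_network(srx_remote) == ip_network(asa_local))


def uncovered_policy_pairs(proxy_local, proxy_remote, policy_pairs):
    """Security policies keep the real subnets; every (local, remote) pair
    they permit must sit inside the negotiated proxy-id, otherwise that
    traffic is permitted by policy but never enters the SA."""
    plocal, premote = ip_network(proxy_local), ip_network(proxy_remote)
    return [(loc, rem) for loc, rem in policy_pairs
            if not (ip_network(loc).subnet_of(plocal)
                    and ip_network(rem).subnet_of(premote))]


if __name__ == "__main__":
    print("smallest covering supernet:", minimal_supernet(LOCAL_SUBNETS))
    # Constructed ASA side: its VPN ACL says local 10.10.1.0/24, remote 192.168.0.0/16.
    print("default proxy-id mirrors the ASA ACL?",
          proxy_ids_mirror("0.0.0.0/0", "0.0.0.0/0", REMOTE_SUBNET, "192.168.0.0/16"))
    print("explicit /16 proxy-id mirrors the ASA ACL?",
          proxy_ids_mirror("192.168.0.0/16", REMOTE_SUBNET, REMOTE_SUBNET, "192.168.0.0/16"))
    pairs = [(loc, REMOTE_SUBNET) for loc in LOCAL_SUBNETS]
    print("policy pairs outside the proxy-id:",
          uncovered_policy_pairs("192.168.0.0/16", REMOTE_SUBNET, pairs))
```

Run it before asking the peer administrator for a change: the first line tells you the tightest supernet you can offer (a /19 here rather than the /16 in the post), and the last line should print an empty list once the proxy-id and the security policies agree.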

When there are multiple subnets at the remote site, we should try the same thing first: ask the peer administrator to supernet his/her subnets into one larger network. That is not always possible; for example, if the remote site has the two networks 10.10.1.0/24 and 172.16.16.0/24, we have to configure two remote networks. The example below simply uses 10.10.1.0/24 and 10.10.2.0/24 without supernetting. In this scenario we have to configure two SAs, one for each remote network:

vpn ASA-VPN {
    bind-interface st0.0;
    ike {
        gateway ASA-GW;
        proxy-identity {
            local 192.168.0.0/16;
            remote 10.10.1.0/24;
        }
        ipsec-policy ASA-IPSEC-POLICY;
    }
    establish-tunnels immediately;
}

vpn ASA-VPN2 {
    bind-interface st0.0;
    ike {
        gateway ASA-GW;
        proxy-identity {
            local 192.168.0.0/16;
            remote 10.10.2.0/24;
        }
        ipsec-policy ASA-IPSEC-POLICY;
    }
    establish-tunnels immediately;
}


The important part is the interface and static route configuration: st0.0 becomes a multipoint interface, and each remote network is routed to a tunnel next-hop address that is tied to its own VPN:

set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.8.2 ipsec-vpn ASA-VPN
set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.8.3 ipsec-vpn ASA-VPN2
set interfaces st0 unit 0 family inet address 172.16.8.1/24


set routing-options static route 10.10.2.0/24 next-hop 172.16.8.3
set routing-options static route 10.10.1.0/24 next-hop 172.16.8.2


-------------------------------

If we cannot supernet the networks on our own side, the configuration becomes more involved: we have to use FBF (filter-based forwarding) to choose the next hop based on the source IP address.

First we create a firewall filter. A filter term cannot use an interface as its next hop directly, only a routing instance:
set firewall filter VPN-FILTER term net8 from source-address 192.168.8.0/24
set firewall filter VPN-FILTER term net8 from destination-address 10.10.1.0/24
set firewall filter VPN-FILTER term net8 then routing-instance NET-8
set firewall filter VPN-FILTER term net18 from source-address 192.168.18.0/24
set firewall filter VPN-FILTER term net18 from destination-address 10.10.1.0/24
set firewall filter VPN-FILTER term net18 then routing-instance NET-18


Next we define the routing instances, one instance for each local network:
set routing-instances NET-18 instance-type forwarding
set routing-instances NET-18 routing-options static route 0.0.0.0/0 next-hop st0.3
set routing-instances NET-8 instance-type forwarding
set routing-instances NET-8 routing-options static route 0.0.0.0/0 next-hop st0.0


The routing instance type is forwarding, which has no interfaces of its own, so its routing table is empty. We therefore need to import the interface routes from the master routing table so that each forwarding instance has routes to the directly connected networks:
set routing-options interface-routes rib-group inet My-rb
set routing-options rib-groups My-rb import-rib inet.0
set routing-options rib-groups My-rb import-rib NET-18.inet.0
set routing-options rib-groups My-rb import-rib NET-8.inet.0


Below is the st interface and zone configuration, one unit for each local network:
set interfaces st0 unit 0 family inet address 172.16.8.1/24
set interfaces st0 unit 3 family inet address 172.16.9.1/30


set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.3


IPsec configuration, one SA for each local network:
set security ipsec vpn ASA-VPN bind-interface st0.0
set security ipsec vpn ASA-VPN ike gateway ASA-GW
set security ipsec vpn ASA-VPN ike proxy-identity local 192.168.8.0/24
set security ipsec vpn ASA-VPN ike proxy-identity remote 10.10.1.0/24
set security ipsec vpn ASA-VPN ike ipsec-policy ASA-IPSEC-POLICY
set security ipsec vpn ASA-VPN establish-tunnels immediately
set security ipsec vpn ASA-VPN2 bind-interface st0.3
set security ipsec vpn ASA-VPN2 ike gateway ASA-GW
set security ipsec vpn ASA-VPN2 ike proxy-identity local 192.168.18.0/24
set security ipsec vpn ASA-VPN2 ike proxy-identity remote 10.10.1.0/24
set security ipsec vpn ASA-VPN2 ike ipsec-policy ASA-IPSEC-POLICY
set security ipsec vpn ASA-VPN2 establish-tunnels immediately


Apply the filter on the inbound (LAN-facing) interface:
set interfaces fe-0/0/7 unit 0 family inet filter input VPN-FILTER
set interfaces fe-0/0/7 unit 0 family inet address 192.168.8.1/24


In a route-based VPN, the security policy is not affected by the IPsec configuration; it simply controls which traffic is allowed in from, and out to, the configured tunnels.
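To make the two forwarding paths concrete, here is an added Python model (my own example, not part of the post and not something Junos runs) that replays both the multipoint next-hop-tunnel scenario and the FBF scenario above: it resolves a flow to an SA the way the SRX would (route lookup to tunnel peer address for the multipoint case; filter term, forwarding instance, default route and bound st0 unit for the FBF case) and then checks whether that SA's proxy-id actually covers the flow, which is the point where the ASA would otherwise reject the traffic. The lookup tables are transcribed from the configuration in this post; the sample source and destination addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# --- Scenario with two remote subnets (multipoint st0.0 + next-hop-tunnel) ---
# Tables transcribed from the post's configuration.
MP_STATIC_ROUTES = {"10.10.1.0/24": "172.16.8.2", "10.10.2.0/24": "172.16.8.3"}
MP_NEXT_HOP_TUNNEL = {"172.16.8.2": "ASA-VPN", "172.16.8.3": "ASA-VPN2"}
MP_PROXY_ID = {"ASA-VPN": ("192.168.0.0/16", "10.10.1.0/24"),
               "ASA-VPN2": ("192.168.0.0/16", "10.10.2.0/24")}

# --- Scenario with two local subnets (filter-based forwarding) ---
FBF_TERMS = [("192.168.8.0/24", "10.10.1.0/24", "NET-8"),      # term net8
             ("192.168.18.0/24", "10.10.1.0/24", "NET-18")]    # term net18
FBF_INSTANCE_DEFAULT = {"NET-8": "st0.0", "NET-18": "st0.3"}  # 0.0.0.0/0 next hop
FBF_BIND_INTERFACE = {"st0.0": "ASA-VPN", "st0.3": "ASA-VPN2"}
FBF_PROXY_ID = {"ASA-VPN": ("192.168.8.0/24", "10.10.1.0/24"),
                "ASA-VPN2": ("192.168.18.0/24", "10.10.1.0/24")}


def longest_match(routes, dst):
    """Longest-prefix lookup over a {prefix: next_hop} table; None if no route."""
    best = None
    for prefix, nh in routes.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None


def select_sa_multipoint(dst):
    """Route lookup -> tunnel peer address -> VPN tied to it by next-hop-tunnel."""
    nh = longest_match(MP_STATIC_ROUTES, dst)
    return MP_NEXT_HOP_TUNNEL.get(nh)


def select_sa_fbf(src, dst):
    """First matching filter term -> forwarding instance -> its default route
    -> st0 unit -> the VPN bound to that unit. Returns None when no term
    matches; such packets follow inet.0, which the post leaves unchanged."""
    for term_src, term_dst, instance in FBF_TERMS:
        if ip_address(src) in ip_network(term_src) and ip_address(dst) in ip_network(term_dst):
            unit = FBF_INSTANCE_DEFAULT[instance]
            return FBF_BIND_INTERFACE[unit]
    return None


def proxy_id_accepts(proxy_ids, vpn, src, dst):
    """True when the SA's proxy-id covers this src/dst pair; traffic outside
    it is dropped even though routing already chose the tunnel."""
    local, remote = proxy_ids[vpn]
    return ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote)


def check_flow(scenario, src, dst):
    """Return (vpn_name, accepted_by_proxy_id) for one flow in a scenario."""
    if scenario == "multipoint":
        vpn, ids = select_sa_multipoint(dst), MP_PROXY_ID
    else:
        vpn, ids = select_sa_fbf(src, dst), FBF_PROXY_ID
    if vpn is None:
        return (None, False)
    return (vpn, proxy_id_accepts(ids, vpn, src, dst))


if __name__ == "__main__":
    # Constructed sample flows; the last one has no FBF term and is not steered.
    for scenario, src, dst in [("multipoint", "192.168.8.10", "10.10.2.5"),
                               ("multipoint", "192.168.18.10", "10.10.1.5"),
                               ("fbf", "192.168.8.10", "10.10.1.5"),
                               ("fbf", "192.168.18.10", "10.10.1.5"),
                               ("fbf", "192.168.9.10", "10.10.1.5")]:
        print(scenario, src, "->", dst, check_flow(scenario, src, dst))
```

The useful part is the second element of each result: if a flow resolves to a VPN but the proxy-id check is False, the routing is fine and the problem is the phase 2 identity, which is exactly the mismatch the explicit proxy-ids in this post are there to avoid.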
