IPSec in IBM SoftLayer (2）

(2)Customer end: Juniper SRX Firewall (route based ***)

1. Create tunnel interface, *** security zone and bind tunnel interface into *** security zone
   

   set interfaces st0 unit 0 family inet
   

   set security zones security-zone *** interfaces st0.0

   
   

2. Phase 1

   set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
   set security ike proposal ike-phase1-proposal dh-group group2
   set security ike proposal ike-phase1-proposal authentication-algorithm md5
   set security ike proposal ike-phase1-proposal encryption-algorithm 3des-cbc
   set security ike policy ike-phase1-policy mode main
   set security ike policy ike-phase1-policy proposals ike-phase1-proposal
   set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$OmpvBhyleWx-wvWjkq.5TRhSylMLxN-bsKvJG"
   set security ike gateway SL ike-policy ike-phase1-policy
   set security ike gateway SL address x.x.x.x
   set security ike gateway SL external-interface ge-0/0/0.0

   Note: x.x.x.x is SoftLayer IPSec Gateway IP

3. Phase 2

   set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-md5-96
   set security ipsec proposal ipsec-phase2-proposal encryption-algorithm 3des-cbc
   set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
   set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
   set security ipsec *** SL*** bind-interface st0.0
   set security ipsec *** SL*** ike gateway SL
   set security ipsec *** SL*** ike proxy-identity local 192.168.109.0/24
   set security ipsec *** SL*** ike proxy-identity remote 10.66.24.0/26
   set security ipsec *** SL*** ike proxy-identity service any
   set security ipsec *** SL*** ike ipsec-policy ipsec-phase2-policy
   set security ipsec *** SL*** establish-tunnels on-traffic

   Note: the proxy ID configuration is very important.
   

4. Security Policy 1 (Outbound)

   set security address-book Trust address local_network 192.168.109.0/24
   set security address-book Trust attach zone trust
   

   set security policies from-zone trust to-zone *** policy outbound match source-address local_network
   set security policies from-zone trust to-zone *** policy outbound match destination-address any
   set security policies from-zone trust to-zone *** policy outbound match application any
   set security policies from-zone trust to-zone *** policy outbound then permit

   
   

5. Security Policy 1 (Inbound)

   set security policies from-zone *** to-zone trust policy inbound match source-address any
   set security policies from-zone *** to-zone trust policy inbound match destination-address local_network
   set security policies from-zone *** to-zone trust policy inbound match application any
   set security policies from-zone *** to-zone trust policy inbound then permit

   Note: this any-any rule is only for illustration.

   
   

6. Routing

   set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
   set routing-options static route 10.66.24.0/26 next-hop st0.0

7. Verify IPSec status

   root@SRX1> show security ike sa    
   Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
   3878661 UP     4fe84303034a5be3  8674368c9212747f  Main           x.x.x.x 
   3878662 UP     417c49e6abd24de3  ad718e32b2c94602  Main           x.x.x.x  
   3878675 UP     c74fa9e1cbac457b  8eab37fe32b29aa3  Main           x.x.x.x  
   
   root@SRX1> show security ipsec sa  
     Total active tunnels: 1
     ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
     <131073 ESP:3des/md5  c25f6085 704/  unlim   -   root 4500  x.x.x.x  
     >131073 ESP:3des/md5  ebf61035 704/  unlim   -   root 4500  x.x.x.x