How to set up an IPsec tunnel between a pfSense Firewall and a Juniper vSRX firewall. PfSense is a leading open source firewall distribution. Junos vSRX is Juniper’s firewall or security router. In this article we go into how to configure site to site VPNs between the two different vendors.
For people just looking for the VPN configuration, scroll down a bit.
For this setup I’m using VMware workstation. You can download pfSense for free from the pfSense website. Junipers vSRX can be downloaded with a trial license for 60 days. Ideally for testing or to train for exams. Juniper vSRX can be downloaded here.
I gave the pfSense for this setup 3 interfaces. The first interface I put in the standard NAT mode so it provides internet connectivity. This is not needed for this setup, but it was kinda nice for my test clients. The second interface I put in a LAN segment called “TRUST” and the third interface i put in a LAN segment called “UNTRUST”. Those LAN segments were created manually.
When you download the vSRX from the Juniper website, it will come in an OVA format. When you install it will show 3 network interfaces. The first one is the management interface. The second interface should be ge-0/0/0 and the third interface should be ge-0/0/1.
Interface ge-0/0/0 I put in LAN segment UNTRUST so it can see the pfSense firewall. Interface ge-0/0/1 I left for the trust side of the SRX.
That’s sufficient for this lab. So no need to add interfaces for it. When I installed the OVA the license was also automatically activated. You can have test clients as well. But actually it’s not necessary to do just a PING test.
Here’s a little scheme of my setup, if you are building something yourself it’s always very helpful to make a drawing of what you want to do. It gives you some overview, especially handy for troubleshooting. Or to overview the setup when you didn’t touch it for a while.
So when you boot the VM or boot your machine with the live CD it’s actually a self-explanatory process. After a reboot, you can configure the interfaces from a nice text menu. Just as a note: if you configure only a WAN connection you can connect later to that IP address to configure the firewall. If you configure a WAN and a LAN interface, the GUI will only be available from the LAN interface. And now the annoying bit: if you only configure the WAN interface and want to do the rest of the configuration (including interfaces) from the WEBGUI, then make sure you created access policies to reach the WEBGUI from the WAN interface or you will be locked out :). I tell this from experience ;).
Anyway, didn’t want to elaborate too much on the install process. Just log into your webgui (admin/pfsense).
So anyway, put the interfaces how you like it. Now let’s do the same on the SRX.
When the vSRX boots up for the first time. You have to do following steps:
- Log in as the root user without a password (he shouldn’t even ask a password)
- You will log into the Shell mode, to go to user mode type: “cli”
- Now you are in the running mode, to go to the configuration mode type: “configure”
Now you are ready to make changes.
First thing to do: root authentication. The system won’t commit untill you have set a root password:
set system root plain-text-password
Now you can enter your new password.
Next we configure the interfaces:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/30 set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24
Because the SRX is a security device we need to assign the interfaces to security zones
set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust interfaces ge-0/0/0.0
That’s kinda it untill we go to the VPN configurations.
Allow inbound connections
I put the scheme on the side so we still know what we are doing 😉
Because we are working with security devices, we first need to allow the VPN’s to connect. The firewalls will block all traffic normally unless we allow it.
On the pfSense firewall we need to add some policies to allow the VPN to be built.
So I added a policy to allow UDP 500 (ISAKMP it’s built-in) to the UNTRUST address of the firewall coming from the SRX an I added a rule to allow ESP traffic.
If you are using this on the internet it’s also useful to open port 4500. Nat traversal makes the ESP packets encapsulate into UDP 4500. It depends on the tunnel you try to set up and whether you are using natting or not.
For the SRX we need to configure host inbound services to allow the VPN traffic:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
So now we have made little holes in our Firewalls to allow the VPN tunnels to be set up and processed.
Now we need to configure the two phases necessary to make an IPSec VPN tunnel:
In Phase 1, the participants establish a secure channel in which to negotiate the IPsec security associations, in Phase 2 the actual encrypting and authenticating the ensuing exchanges of user data happens.
Phase 1 is also where you have to fill in the preshared key (if you want to use preshared keys). Be careful with exchanging keys with other parties.
You can change settings here of course. Some people like to put those hash and DH group settings on the max. I don’t know if that helps a lot. Just make sure it corresponds to the SRX settings. If not you will get a proposal mismatch. If you get that, you know where to look 😉
set security ike proposal ike-prop description pfsense set security ike proposal ike-prop authentication-method pre-shared-keys set security ike proposal ike-prop dh-group group2 set security ike proposal ike-prop authentication-algorithm sha-256 set security ike proposal ike-prop encryption-algorithm aes-256-cbc set security ike proposal ike-prop lifetime-seconds 28800 set security ike policy ike-pol mode main set security ike policy ike-pol proposals ike-prop set security ike policy ike-pol pre-shared-key ascii-text "$9$mPz6u0Icrvz3RSeK7Ns24" set security ike gateway gat-pfsense ike-policy ike-pol set security ike gateway gat-pfsense address 192.168.20.1 set security ike gateway gat-pfsense external-interface ge-0/0/0 set security ike gateway gat-pfsense version v2-only
That’s it, now let’s move on to Phase 2
If you want to connect more subnets or networks you have to make more Phase 2 configs. It also serves as the routes. You don’t need to install routes to a VPN interface or something. By configuring the phase 2 the routing is also applied.
On the SRX
Now it get’s a bit more complicated. On the SRX we usually configure route based VPN’s and pfSense uses policy based VPN’s. So we need to configure some steps:
- Configure a tunnel interface
- Bind the interface to a security zone (example vpn)
- Apply the route behind the tunnel to the tunnel interface
- Configure the IPsec (phase2)
set interfaces st0 unit 0 family inet set security zones security-zone vpn interfaces st0.0 set routing-options static route 192.168.10.0/24 next-hop st0.0 set security ipsec proposal prop-pfsense protocol esp set security ipsec proposal prop-pfsense authentication-algorithm hmac-sha-256-128 set security ipsec proposal prop-pfsense encryption-algorithm aes-256-cbc set security ipsec proposal prop-pfsense lifetime-seconds 3600 set security ipsec policy pol-pfsense perfect-forward-secrecy keys group2 set security ipsec policy pol-pfsense proposals prop-pfsense set security ipsec vpn vpn-pfsense bind-interface st0.0 set security ipsec vpn vpn-pfsense ike gateway gat-pfsense set security ipsec vpn vpn-pfsense ike ipsec-policy pol-pfsense set security ipsec vpn vpn-pfsense establish-tunnels immediately
With the “set security ipsec vpn vpn-pfsense ike gateway gat-pfsense” command we connect the Phase 2 to the Phase 1.
After a commit it should start creating the VPN.
Checking the VPN
To check on pfSense
On the SRX
show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 3380897 UP b46f6a0eb04ecb2d 46679bd1a04b742a IKEv2 192.168.20.1
show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes-cbc-256/sha256 97e82a03 2285/ unlim - root 500 192.168.20.1 >131073 ESP:aes-cbc-256/sha256 c7ef3bb2 2285/ unlim - root 500 192.168.20.1
Now we have a tunnel, but as you will notice, no traffic can pass over it. This is because we need some security policies to allow that.
Actually if you didn’t change the pfSense standard config it will allow traffic from the LAN (trust) side to anywhere, so that may work. On the SRX you need some policies anyway.
PfSense (standard rules)
If you want to allow traffic that comes from the tunnel to your networks, you will have to make a policy for it (also a policy that is more strict):
On the SRX it’s the same thing:
set security policies from-zone vpn to-zone trust policy allowall match source-address any set security policies from-zone vpn to-zone trust policy allowall match destination-address any set security policies from-zone vpn to-zone trust policy allowall match application any set security policies from-zone vpn to-zone trust policy allowall then permit set security policies from-zone trust to-zone vpn policy allowall match source-address any set security policies from-zone trust to-zone vpn policy allowall match destination-address any set security policies from-zone trust to-zone vpn policy allowall match application any set security policies from-zone trust to-zone vpn policy allowall then permit
davy> ping 192.168.10.1 source 192.168.100.1 PING 192.168.10.1 (192.168.10.1): 56 data bytes 64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=20.756 ms 64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=2.665 ms 64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=2.137 ms 64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=1.608 ms 64 bytes from 192.168.10.1: icmp_seq=4 ttl=64 time=2.485 ms
As you can see it’s not that hard to make a site to site VPN with a PfSense firewall and a Juniper SRX. It only requires a few clicks and some commands.
If you are building your setup it’s quite handy to make a scheme of what you want to accomplish. Also if you build a tunnel with another party it’s good to make a fill in document for the settings. And to agree on the settings.
Thanks for reading!