IPSec tunnel between Juniper SRX and pfSense Firewall

How to set up an IPsec tunnel between a pfSense Firewall and a Juniper vSRX firewall. PfSense is a leading open source firewall distribution. Junos vSRX is Juniper’s firewall or security router. In this article we go into how to configure site to site VPNs between the two different vendors.

For people just looking for the VPN configuration, scroll down a bit.

Setup

 

For this setup I’m using VMware workstation. You can download pfSense for free from the pfSense website. Junipers vSRX can be downloaded with a trial license for 60 days. Ideally for testing or to train for exams. Juniper vSRX can be downloaded here.

I gave the pfSense for this setup 3 interfaces. The first interface I put in the standard NAT mode so it provides internet connectivity. This is not needed for this setup, but it was kinda nice for my test clients. The second interface I put in a LAN segment called “TRUST” and the third interface i put in a LAN segment called “UNTRUST”. Those LAN segments were created manually.

When you download the vSRX from the Juniper website, it will come in an OVA format. When you install it will show 3 network interfaces. The first one is the management interface. The second interface should be ge-0/0/0 and the third interface should be ge-0/0/1.

Interface ge-0/0/0 I put in LAN segment UNTRUST so it can see the pfSense firewall. Interface ge-0/0/1 I left for the trust side of the SRX.

That’s sufficient for this lab. So no need to add interfaces for it. When I installed the OVA the license was also automatically activated. You can have test clients as well. But actually it’s not necessary to do just a PING test.

Here’s a little scheme of my setup, if you are building something yourself it’s always very helpful to make a drawing of what you want to do. It gives you some overview, especially handy for troubleshooting. Or to overview the setup when you didn’t touch it for a while.

PfSense configuration

So when you boot the VM or boot your machine with the live CD it’s actually a self-explanatory process. After a reboot, you can configure the interfaces from a nice text menu. Just as a note: if you configure only a WAN connection you can connect later to that IP address to configure the firewall. If you configure a WAN and a LAN interface, the GUI will only be available from the LAN interface. And now the annoying bit: if you only configure the WAN interface and want to do the rest of the configuration (including interfaces) from the WEBGUI, then make sure you created access policies to reach the WEBGUI from the WAN interface or you will be locked out :). I tell this from experience ;).

Anyway, didn’t want to elaborate too much on the install process. Just log into your webgui (admin/pfsense).

So anyway, put the interfaces how you like it. Now let’s do the same on the SRX.

SRX configuration

When the vSRX boots up for the first time. You have to do following steps:

  1. Log in as the root user without a password (he shouldn’t even ask a password)
  2. You will log into the Shell mode, to go to user mode type: “cli”
  3. Now you are in the running mode, to go to the configuration mode type: “configure”

Now you are ready to make changes.

First thing to do: root authentication. The system won’t commit untill you have set a root password:

set system root plain-text-password

Now you can enter your new password.

Next we configure the interfaces:

set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24

Because the SRX is a security device we need to assign the interfaces to security zones

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0

That’s kinda it untill we go to the VPN configurations.

VPN Configuration

Allow inbound connections

I put the scheme on the side so we still know what we are doing 😉

Because we are working with security devices, we first need to allow the VPN’s to connect. The firewalls will block all traffic normally unless we allow it.

On the pfSense firewall we need to add some policies to allow the VPN to be built.

So I added a policy to allow UDP 500 (ISAKMP it’s built-in) to the UNTRUST address of the firewall coming from the SRX an I added a rule to allow ESP traffic.

If you are using this on the internet it’s also useful to open port 4500. Nat traversal makes the ESP packets encapsulate into UDP 4500. It depends on the tunnel you try to set up and whether you are using natting or not.

For the SRX we need to configure host inbound services to allow the VPN traffic:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

So now we have made little holes in our Firewalls to allow the VPN tunnels to be set up and processed.

Now we need to configure the two phases necessary to make an IPSec VPN tunnel:

In Phase 1, the participants establish a secure channel in which to negotiate the IPsec security associations, in Phase 2 the actual encrypting and authenticating the ensuing exchanges of user data happens.

Phase 1 is also where you have to fill in the preshared key (if you want to use preshared keys). Be careful with exchanging keys with other parties.

Phase 1

On pfSense:

You can change settings here of course. Some people like to put those hash and DH group settings on the max. I don’t know if that helps a lot. Just make sure it corresponds to the SRX settings. If not you will get a proposal mismatch. If you get that, you know where to look 😉

On SRX:

set security ike proposal ike-prop description pfsense
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "$9$mPz6u0Icrvz3RSeK7Ns24"
set security ike gateway gat-pfsense ike-policy ike-pol
set security ike gateway gat-pfsense address 192.168.20.1
set security ike gateway gat-pfsense external-interface ge-0/0/0
set security ike gateway gat-pfsense version v2-only

That’s it, now let’s move on to Phase 2

Phase 2

PfSense

If you want to connect more subnets or networks you have to make more Phase 2 configs. It also serves as the routes. You don’t need to install routes to a VPN interface or something. By configuring the phase 2 the routing is also applied.

On the SRX

Now it get’s a bit more complicated. On the SRX we usually configure route based VPN’s and pfSense uses policy based VPN’s. So we need to configure some steps:

  1. Configure a tunnel interface
  2. Bind the interface to a security zone (example vpn)
  3. Apply the route behind the tunnel to the tunnel interface
  4. Configure the IPsec (phase2)
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0 

set routing-options static route 192.168.10.0/24 next-hop st0.0 

set security ipsec proposal prop-pfsense protocol esp
set security ipsec proposal prop-pfsense authentication-algorithm hmac-sha-256-128
set security ipsec proposal prop-pfsense encryption-algorithm aes-256-cbc
set security ipsec proposal prop-pfsense lifetime-seconds 3600
set security ipsec policy pol-pfsense perfect-forward-secrecy keys group2
set security ipsec policy pol-pfsense proposals prop-pfsense
set security ipsec vpn vpn-pfsense bind-interface st0.0
set security ipsec vpn vpn-pfsense ike gateway gat-pfsense
set security ipsec vpn vpn-pfsense ike ipsec-policy pol-pfsense
set security ipsec vpn vpn-pfsense establish-tunnels immediately

With the “set security ipsec vpn vpn-pfsense ike gateway gat-pfsense” command we connect the Phase 2 to the Phase 1.

After a commit it should start creating the VPN.

Checking the VPN

To check on pfSense

On the SRX

Phase 1:

show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3380897 UP b46f6a0eb04ecb2d 46679bd1a04b742a IKEv2 192.168.20.1

Phase 2:

show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha256 97e82a03 2285/ unlim - root 500 192.168.20.1
>131073 ESP:aes-cbc-256/sha256 c7ef3bb2 2285/ unlim - root 500 192.168.20.1

Allow Traffic

Now we have a tunnel, but as you will notice, no traffic can pass over it. This is because we need some security policies to allow that.

Actually if you didn’t change the pfSense standard config it will allow traffic from the LAN (trust) side to anywhere, so that may work. On the SRX you need some policies anyway.

PfSense (standard rules)

If you want to allow traffic that comes from the tunnel to your networks, you will have to make a policy for it (also a policy that is more strict):

On the SRX it’s the same thing:

set security policies from-zone vpn to-zone trust policy allowall match source-address any
set security policies from-zone vpn to-zone trust policy allowall match destination-address any
set security policies from-zone vpn to-zone trust policy allowall match application any
set security policies from-zone vpn to-zone trust policy allowall then permit

set security policies from-zone trust to-zone vpn policy allowall match source-address any
set security policies from-zone trust to-zone vpn policy allowall match destination-address any
set security policies from-zone trust to-zone vpn policy allowall match application any
set security policies from-zone trust to-zone vpn policy allowall then permit

Testing

PfSense

SRX

davy> ping 192.168.10.1 source 192.168.100.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
64 bytes from 192.168.10.1: icmp_seq=0 ttl=64 time=20.756 ms
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=2.665 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=2.137 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=1.608 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=64 time=2.485 ms

Conclusion

As you can see it’s not that hard to make a site to site VPN with a PfSense firewall and a Juniper SRX. It only requires a few clicks and some commands.

If you are building your setup it’s quite handy to make a scheme of what you want to accomplish. Also if you build a tunnel with another party it’s good to make a fill in document for the settings. And to agree on the settings.

Thanks for reading!

Leave a Reply