Configuring VPN IPSEC between Juniper SRX and Google Cloud Platform (GCP)

Introduction.

Juniper SRX:
Public IP: 91.208.39.16
Local network: 192.168.0.0/16

GCP:
Static external IP (reserved in the project): 130.211.235.196
Local network: 10.128.0.0/20

For this example the pre-shared key test is used. It is a placeholder only; a production tunnel needs a long, random secret that is the same on both peers.

Google Cloud Platform is configured here with the following IKE and IPsec parameters. They are the values the original example negotiated; GCP Classic VPN also accepts stronger proposals (for example AES-256, SHA-256 and DH group 14), which should be preferred over SHA-1 and the 1024-bit DH group 2 shown below. Whatever is chosen, the SRX proposals must match exactly or IKE will not complete.

IKE policy:
encryption: aes128
hash: sha1
Diffie-Hellman group: 2

IPSEC policy:
encryption: aes128
hash: hmac_sha1
Diffie-Hellman group: 2

VPN - tunnel mode esp

Configuring GCP.

1. Create a project and choose a region

For example, the project pr1-163914 was created and the region us-central1 was chosen. Note that us-central1 is a region (zones such as us-central1-a live inside it); Cloud VPN gateways, forwarding rules and tunnels are regional resources, so the same region is passed to every command below.
The default (auto mode) network's subnet for this region is 10.128.0.0/20.

2. Creating the VPN gateway

For example, the gateway is named vpn-1 and uses the static external IP 130.211.235.196, which must already be reserved in the same region (gcloud compute addresses create, or the web console). The three forwarding rules send ESP, IKE (UDP/500) and NAT-T (UDP/4500) arriving on that address to the gateway; the tunnel is created with IKEv2 to match the SRX, and the route sends traffic for the SRX LAN into the tunnel.
*All of this can also be done from the web console at console.cloud.google.com

gcloud compute --project "pr1-163914" target-vpn-gateways create "vpn-1" --region "us-central1" --network "default"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-esp" --region "us-central1" --address "130.211.235.196" --ip-protocol "ESP" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "500" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-udp4500" --region "us-central1" --address "130.211.235.196" --ip-protocol "UDP" --port-range "4500" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" vpn-tunnels create "vpn-1-tunnel-1" --region "us-central1" --peer-address "91.208.39.16" --shared-secret "test" --ike-version "2" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" routes create "vpn-1-tunnel-1-route-1" --network "default" --next-hop-vpn-tunnel "vpn-1-tunnel-1" --next-hop-vpn-tunnel-region "us-central1" --destination-range "192.168.0.0/16"

Configuring Juniper.

1. Create the st0 tunnel interface (the IPsec VPN is bound to it in step 5; MTU 1460 matches the GCP network MTU and avoids fragmentation inside the tunnel):

{primary:node1}[edit]
set interfaces st0 unit 0 description GCP
set interfaces st0 unit 0 family inet mtu 1460

2. Configuring three security zones on the Juniper. IKE must be allowed as host-inbound traffic on the zone that holds the external interface, otherwise the SRX silently drops the peer's UDP/500 and UDP/4500 packets and the tunnel never comes up:

{primary:node1}[edit]
set security zones security-zone ISPs interfaces reth0.0
set security zones security-zone ISPs host-inbound-traffic system-services ike
set security zones security-zone Internal interfaces reth1.0
set security zones security-zone Tunnels interfaces st0.0

3. Configuring security policies. A detailed policy set is out of scope for this example, so permit-all is used to get the tunnel tested; before production it should be replaced by explicit zone-pair policies between Internal and Tunnels, since permit-all also allows anything arriving from the ISPs zone.

{primary:node1}[edit]
set security policies default-policy permit-all

4. Configuring IKE

{primary:node1}[edit]
set security ike proposal IKE_PRO_GOOGLE authentication-method pre-shared-keys
set security ike proposal IKE_PRO_GOOGLE dh-group group2
set security ike proposal IKE_PRO_GOOGLE authentication-algorithm sha1
set security ike proposal IKE_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ike proposal IKE_PRO_GOOGLE lifetime-seconds 28800
set security ike policy IKE_POL_GOOGLE mode main
set security ike policy IKE_POL_GOOGLE proposals IKE_PRO_GOOGLE
set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text test

set security ike gateway GOOGLE ike-policy IKE_POL_GOOGLE
set security ike gateway GOOGLE address 130.211.235.196
set security ike gateway GOOGLE local-identity inet 91.208.39.16
set security ike gateway GOOGLE external-interface reth0.0
set security ike gateway GOOGLE version v2-only

5. Configuring IPSEC

{primary:node1}[edit]
set security ipsec proposal IPSEC_PRO_GOOGLE protocol esp
set security ipsec proposal IPSEC_PRO_GOOGLE authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PRO_GOOGLE encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PRO_GOOGLE lifetime-seconds 3600
set security ipsec policy IPSEC_POL_GOOGLE perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL_GOOGLE proposals IPSEC_PRO_GOOGLE
set security ipsec vpn VPN_GOOGLE bind-interface st0.0
set security ipsec vpn VPN_GOOGLE ike gateway GOOGLE
set security ipsec vpn VPN_GOOGLE ike ipsec-policy IPSEC_POL_GOOGLE

6. Configuring routing

{primary:node1}[edit]
set routing-options static route 10.128.0.0/20 next-hop st0.0

7. Commit and verify

{primary:node1}[edit]
commit

After the commit, the phase 1 and phase 2 state can be checked with show security ike security-associations and show security ipsec security-associations; on the GCP side the tunnel's status is shown by gcloud compute vpn-tunnels describe. If the IKE SA never appears, the usual causes are a pre-shared key or proposal mismatch, or IKE not being allowed as host-inbound traffic on the ISPs zone.
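Most failures of a tunnel like this one come from the two halves disagreeing about something that has to be identical on both ends. The script below is an added example for this page, not code from the original tutorial or from Juniper or Google: it parses the Junos set commands and the gcloud command lines, and reports where the peers disagree (pre-shared key, IKE version, addresses, routes) or where the negotiated DH group is weak. The sample configuration is constructed from this page and deliberately keeps a "test"/"text" PSK mismatch to show what the check catches; the 16-character PSK threshold and the group14 floor are this example's own policy choices. Python 3.7 or newer is assumed.

```python
"""Cross-check the SRX and GCP halves of a site-to-site IPsec configuration.

Added example, not part of the original page. Parses Junos 'set' commands and
gcloud command lines and reports everything the two peers must agree on.
"""
import ipaddress
import shlex

# Constructed sample, copied from this page (the GCP PSK is the page's typo).
SRX_CONFIG = """
set security ike proposal IKE_PRO_GOOGLE dh-group group2
set security ike policy IKE_POL_GOOGLE pre-shared-key ascii-text test
set security ike gateway GOOGLE address 130.211.235.196
set security ike gateway GOOGLE local-identity inet 91.208.39.16
set security ike gateway GOOGLE version v2-only
set routing-options static route 10.128.0.0/20 next-hop st0.0
"""

GCLOUD_COMMANDS = """
gcloud compute --project "pr1-163914" forwarding-rules create "vpn-1-rule-esp" --region "us-central1" --address "130.211.235.196" --ip-protocol "ESP" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" vpn-tunnels create "vpn-1-tunnel-1" --region "us-central1" --peer-address "91.208.39.16" --shared-secret "text" --ike-version "2" --target-vpn-gateway "vpn-1"
gcloud compute --project "pr1-163914" routes create "vpn-1-tunnel-1-route-1" --network "default" --next-hop-vpn-tunnel "vpn-1-tunnel-1" --destination-range "192.168.0.0/16"
"""

MIN_PSK_LEN = 16   # policy threshold assumed for this example
MIN_DH_GROUP = 14  # 2048-bit MODP; group2 (1024-bit) falls below it


def parse_srx(text):
    """Extract the peer-facing parameters from Junos set commands."""
    cfg = {"routes": [], "dh_groups": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["set", "security", "ike"]:
            if "pre-shared-key" in t:
                cfg["psk"] = t[t.index("pre-shared-key") + 2]       # ascii-text <key>
            elif "local-identity" in t:
                cfg["local"] = t[t.index("local-identity") + 2]     # inet <ip>
            elif "address" in t:
                cfg["peer"] = t[t.index("address") + 1]
            elif "version" in t:
                cfg["ike_version"] = t[t.index("version") + 1]      # v1-only / v2-only
            elif "dh-group" in t:
                cfg["dh_groups"].append(int(t[t.index("dh-group") + 1][len("group"):]))
        elif t[:4] == ["set", "routing-options", "static", "route"]:
            cfg["routes"].append(t[4])
    return cfg


def parse_gcloud(text):
    """Extract the same parameters from gcloud command lines."""
    cfg = {"routes": []}
    for line in text.splitlines():
        t = shlex.split(line)
        if not t:
            continue
        flags = {t[i]: t[i + 1] for i in range(len(t) - 1) if t[i].startswith("--")}
        positional = [tok for i, tok in enumerate(t)
                      if not tok.startswith("--") and not (i and t[i - 1].startswith("--"))]
        if positional[:3] == ["gcloud", "compute", "vpn-tunnels"]:
            cfg["peer"] = flags["--peer-address"]
            cfg["psk"] = flags["--shared-secret"]
            cfg["ike_version"] = "v%s-only" % flags["--ike-version"]
        elif positional[:3] == ["gcloud", "compute", "forwarding-rules"] and flags.get("--ip-protocol") == "ESP":
            cfg["local"] = flags["--address"]   # the VPN gateway's external address
        elif positional[:3] == ["gcloud", "compute", "routes"]:
            cfg["routes"].append(flags["--destination-range"])
    return cfg


def covers(routes, lan):
    """True if one of the tunnel routes contains the whole LAN prefix."""
    net = ipaddress.ip_network(lan)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in routes)


def cross_check(srx, gcp, srx_lan, gcp_lan):
    """Return human-readable findings; an empty list means both sides agree and nothing is weak."""
    findings = []
    if srx.get("psk") != gcp.get("psk"):
        findings.append("pre-shared key differs: SRX %r vs GCP %r" % (srx.get("psk"), gcp.get("psk")))
    elif len(srx["psk"]) < MIN_PSK_LEN:
        findings.append("pre-shared key %r is shorter than %d characters" % (srx["psk"], MIN_PSK_LEN))
    if srx.get("ike_version") != gcp.get("ike_version"):
        findings.append("IKE version differs: SRX %s vs GCP %s" % (srx.get("ike_version"), gcp.get("ike_version")))
    if srx.get("peer") != gcp.get("local"):
        findings.append("SRX peers with %s but the GCP gateway address is %s" % (srx.get("peer"), gcp.get("local")))
    if gcp.get("peer") != srx.get("local"):
        findings.append("GCP peers with %s but the SRX local identity is %s" % (gcp.get("peer"), srx.get("local")))
    if not covers(srx["routes"], gcp_lan):
        findings.append("SRX has no tunnel route covering the GCP network %s" % gcp_lan)
    if not covers(gcp["routes"], srx_lan):
        findings.append("GCP has no tunnel route covering the SRX network %s" % srx_lan)
    for g in srx["dh_groups"]:
        if g < MIN_DH_GROUP:
            findings.append("DH group%d is below group%d; negotiate a stronger group" % (g, MIN_DH_GROUP))
    return findings


if __name__ == "__main__":
    for f in cross_check(parse_srx(SRX_CONFIG), parse_gcloud(GCLOUD_COMMANDS),
                         "192.168.0.0/16", "10.128.0.0/20"):
        print("FINDING:", f)
```

Run against the page's configuration it reports the PSK mismatch and the weak DH group; with the GCP secret corrected to test it still flags the key as too short, which is the point of keeping the length check separate from the equality check. The route test compares prefixes as networks, so a GCP route for 192.168.0.0/24 against an SRX LAN of 192.168.0.0/16 is reported rather than passing on a string prefix match.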


en/jobs/vpn_gcloud_srx.txt · Last modified: 2017/04/08 13:21 by admin