Multiple Site-to-Site VPNs from Juniper SRX to Azure

January 22, 2020

I found little online about configuring two VPNs to Azure from a single Juniper SRX device. The following guides were useful:

https://support.juniper.net/support/tools/vpnconfig/#advancedSettings

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/3500177-EN.PDF

But the latter describes enabling "multipoint" on the secure tunnel interface and assigning IP addresses to those tunnels. Frankly, that filled me with dread, and it turned out not to be necessary if you only have a couple of VPN endpoints to integrate.

My network is a single subnet but uses PPPoE (PPP over Ethernet) for its Internet connectivity, which means there is little reference material for this setup. Here is the configuration script that sets up two VPNs, one at a time, using two secure tunnel interfaces (st0.0 and st0.1).


# Internet interface is ge-0/0/0
# Internal is for all the other interfaces associated with vlan.1

# subnet 192.168.1.0/24

# useful commands:
# show security ipsec security-associations
# show security ike security-associations
# show security ike statistics
# show route <remote subnet ip address>  - this should point to st0.0 (or st0.1 for the 2nd VPN)


# 1st VPN 

# Replace the pre-shared key with your own sufficiently complex string. The keys can differ between the two VPNs.

# x.x.x.x = remote VNET GW address.

# y.y.y.y = local public IP address

# z.z.z.z = 2nd remote VNET GW address

# I needed to route traffic to vnets with address ranges 10.100.0.0/16 and 10.200.0.0/16


set security ike proposal azure-proposal authentication-method pre-shared-keys
set security ike proposal azure-proposal authentication-algorithm sha1
set security ike proposal azure-proposal encryption-algorithm aes-256-cbc
set security ike proposal azure-proposal lifetime-seconds 28800
set security ike proposal azure-proposal dh-group group2

set security ike policy azure-policy mode main
set security ike policy azure-policy proposals azure-proposal
set security ike policy azure-policy pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

set security ike gateway azure-gateway ike-policy azure-policy
set security ike gateway azure-gateway address x.x.x.x
set security ike gateway azure-gateway local-identity inet y.y.y.y
set security ike gateway azure-gateway external-interface pp0.0
set security ike gateway azure-gateway version v2-only

set security ipsec proposal azure-ipsec-proposal protocol esp
set security ipsec proposal azure-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal azure-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal azure-ipsec-proposal lifetime-seconds 3600
set security ipsec policy azure-vpn-policy proposals azure-ipsec-proposal
set security ipsec vpn azure-ipsec-vpn ike gateway azure-gateway
set security ipsec vpn azure-ipsec-vpn ike ipsec-policy azure-vpn-policy
set security ipsec vpn azure-ipsec-vpn establish-tunnels immediately

set security zones security-zone Internal interfaces vlan.1
set security zones security-zone Internal host-inbound-traffic system-services ike
set security zones security-zone Internal address-book address onprem-networks-1 192.168.1.0/24
set security zones security-zone Internet interfaces ge-0/0/0.0
set security zones security-zone Internet host-inbound-traffic system-services ike
set security zones security-zone Internet address-book address azure-networks-1 10.100.0.0/16
set security zones security-zone Internet address-book address azure-networks-2 10.200.0.0/16

set security policies from-zone Internal to-zone Internet policy azure-security-Internal-to-Internet-0 match source-address onprem-networks-1
set security policies from-zone Internal to-zone Internet policy azure-security-Internal-to-Internet-0 match destination-address [ azure-networks-1 azure-networks-2 ]
set security policies from-zone Internal to-zone Internet policy azure-security-Internal-to-Internet-0 match application any
set security policies from-zone Internal to-zone Internet policy azure-security-Internal-to-Internet-0 then permit
set security policies from-zone Internet to-zone Internal policy azure-security-Internet-to-Internal-0 match source-address [ azure-networks-1 azure-networks-2 ]
set security policies from-zone Internet to-zone Internal policy azure-security-Internet-to-Internal-0 match destination-address onprem-networks-1
set security policies from-zone Internet to-zone Internal policy azure-security-Internet-to-Internal-0 match application any
set security policies from-zone Internet to-zone Internal policy azure-security-Internet-to-Internal-0 then permit

set interfaces st0 unit 0 family inet
set security zones security-zone Internet interfaces st0.0
set security zones security-zone Internet interfaces st0.0 host-inbound-traffic system-services ike
set security ipsec vpn azure-ipsec-vpn bind-interface st0.0
set routing-options static route 10.100.0.0/16 next-hop st0.0
set routing-options static route 10.200.0.0/16 next-hop st0.0
set security flow tcp-mss ipsec-vpn mss 1350


# 2nd VPN to a UK region

set security ike policy azure-policy-uk mode main
set security ike policy azure-policy-uk proposals azure-proposal
set security ike policy azure-policy-uk pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
set security ike gateway azure-gateway-uk ike-policy azure-policy-uk
set security ike gateway azure-gateway-uk address z.z.z.z
set security ike gateway azure-gateway-uk external-interface pp0.0
set security ike gateway azure-gateway-uk local-identity inet y.y.y.y
set security ike gateway azure-gateway-uk version v2-only
set security ipsec vpn azure-ipsec-vpn-uk ike gateway azure-gateway-uk
set security ipsec vpn azure-ipsec-vpn-uk ike ipsec-policy azure-vpn-policy
set security ipsec vpn azure-ipsec-vpn-uk establish-tunnels immediately

set security zones security-zone Internet address-book address azure-networks-3 10.101.0.0/16
set security policies from-zone Internal to-zone Internet policy azure-security-Internal-to-Internet-0 match destination-address [ azure-networks-1 azure-networks-2 azure-networks-3 ]
set security policies from-zone Internet to-zone Internal policy azure-security-Internet-to-Internal-0 match source-address [ azure-networks-1 azure-networks-2 azure-networks-3 ]

set interfaces st0 unit 1 family inet
set security zones security-zone Internet interfaces st0.1
set security zones security-zone Internet interfaces st0.1 host-inbound-traffic system-services ike
set security ipsec vpn azure-ipsec-vpn-uk bind-interface st0.1
set routing-options static route 10.101.0.0/16 next-hop st0.1

# commit

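The two per-tunnel blocks above differ only in the name suffix, the remote gateway address, the st0 unit number and the prefixes routed to it, so the recipe is easy to script for a third or fourth region. The Python below is an added example, not the post's own script and not a Juniper tool: it emits the per-tunnel `set` commands for any number of tunnels, assumes the shared objects from the first block (azure-proposal, azure-vpn-policy, the Internal and Internet zones, onprem-networks-1 and the two azure-security-* policies) already exist, and refuses to generate when a pre-shared key is still a placeholder or when a prefix would be routed to two st0 units, which is the quiet way to black-hole one VNet. Because every tunnel references the same azure-proposal and azure-vpn-policy, a change to the algorithms (for example moving off sha1 and DH group 2) is made once and applies to all of them. The class and function names are the example's own; the keys in POST_TUNNELS are constructed stand-ins.

```python
"""Generate the per-tunnel Junos 'set' commands for N route-based IPsec VPNs
to Azure, one secure tunnel unit (st0.N) per VPN.

Added example, not the post's script. Shared objects from the post
(azure-proposal, azure-vpn-policy, zones, onprem-networks-1, the two
azure-security-* policies) are assumed to exist already.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

LOCAL_IP = "y.y.y.y"      # local public IP placeholder, as in the post
EXTERNAL_IF = "pp0.0"     # PPPoE interface that carries the IKE traffic


@dataclass
class AzureTunnel:
    suffix: str           # "" for the first VPN, "-uk" for the second, ...
    remote_gw: str        # Azure VNet gateway public IP
    prefixes: List[str]   # VNet address ranges reachable over this tunnel
    psk: str              # pre-shared key; one per tunnel


def config_error(tunnels: List[AzureTunnel]) -> str:
    """Return a description of the first mistake found, or "" if none.

    Two mistakes that commit cleanly but hurt later are caught: a placeholder
    or trivially simple pre-shared key, and a prefix routed to two st0 units.
    The key check is only a minimal sanity check, not a strength estimate.
    """
    routed: List[Tuple[object, str]] = []
    for t in tunnels:
        name = t.suffix or "primary"
        if len(t.psk) < 20 or len(set(t.psk)) < 4:
            return f"tunnel {name}: pre-shared key is a placeholder or too simple"
        for p in t.prefixes:
            net = ip_network(p)
            for other, owner in routed:
                if owner != t.suffix and net.overlaps(other):
                    return (f"tunnel {name}: {net} overlaps {other}, already "
                            f"routed to tunnel {owner or 'primary'}")
            routed.append((net, t.suffix))
    return ""


def tunnel_config(t: AzureTunnel, unit: int, first_addr_index: int) -> List[str]:
    """The block the post repeats for each VPN, bound to st0.<unit>."""
    s = t.suffix
    lines = [
        f"set security ike policy azure-policy{s} mode main",
        f"set security ike policy azure-policy{s} proposals azure-proposal",
        f"set security ike policy azure-policy{s} pre-shared-key ascii-text {t.psk}",
        f"set security ike gateway azure-gateway{s} ike-policy azure-policy{s}",
        f"set security ike gateway azure-gateway{s} address {t.remote_gw}",
        f"set security ike gateway azure-gateway{s} external-interface {EXTERNAL_IF}",
        f"set security ike gateway azure-gateway{s} local-identity inet {LOCAL_IP}",
        f"set security ike gateway azure-gateway{s} version v2-only",
        f"set security ipsec vpn azure-ipsec-vpn{s} ike gateway azure-gateway{s}",
        f"set security ipsec vpn azure-ipsec-vpn{s} ike ipsec-policy azure-vpn-policy",
        f"set security ipsec vpn azure-ipsec-vpn{s} establish-tunnels immediately",
        f"set interfaces st0 unit {unit} family inet",
        f"set security zones security-zone Internet interfaces st0.{unit}",
        f"set security zones security-zone Internet interfaces st0.{unit} "
        "host-inbound-traffic system-services ike",
        f"set security ipsec vpn azure-ipsec-vpn{s} bind-interface st0.{unit}",
    ]
    # Address-book entries are numbered globally (azure-networks-1, -2, -3 ...)
    for i, p in enumerate(t.prefixes, start=first_addr_index):
        lines.append(f"set security zones security-zone Internet address-book "
                     f"address azure-networks-{i} {p}")
        lines.append(f"set routing-options static route {p} next-hop st0.{unit}")
    return lines


def generate(tunnels: List[AzureTunnel]) -> List[str]:
    """Emit all per-tunnel commands plus the two policy lines listing every
    Azure address, in the order the post applies them."""
    err = config_error(tunnels)
    if err:
        raise ValueError(err)
    out: List[str] = []
    names: List[str] = []
    idx = 1
    for unit, t in enumerate(tunnels):
        out += tunnel_config(t, unit, idx)
        names += [f"azure-networks-{idx + k}" for k in range(len(t.prefixes))]
        idx += len(t.prefixes)
    addr = "[ " + " ".join(names) + " ]"
    out.append("set security policies from-zone Internal to-zone Internet policy "
               f"azure-security-Internal-to-Internet-0 match destination-address {addr}")
    out.append("set security policies from-zone Internet to-zone Internal policy "
               f"azure-security-Internet-to-Internal-0 match source-address {addr}")
    return out


# The post's two tunnels; the keys are constructed stand-ins, not real secrets.
POST_TUNNELS = [
    AzureTunnel("", "x.x.x.x", ["10.100.0.0/16", "10.200.0.0/16"],
                "constructed-psk-for-primary-tunnel-1"),
    AzureTunnel("-uk", "z.z.z.z", ["10.101.0.0/16"],
                "constructed-psk-for-uk-tunnel-2"),
]

if __name__ == "__main__":
    print("\n".join(generate(POST_TUNNELS)))
```

Run it and paste the output into configuration mode before `commit`; with POST_TUNNELS it reproduces the st0.0 and st0.1 blocks of the post with azure-networks-1 to -3. A third tunnel is one more AzureTunnel entry and lands on st0.2.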
The tunnels should come up right away. You can check that they are established by running:

show security ike security-associations

You should see...

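A parser for that command's output, as an added example that is not part of the post: it reduces the table to remote address -> state and lists any expected Azure gateway whose IKE SA is missing or not UP, so the same check can run unattended against `show security ike security-associations` output collected from the SRX. SAMPLE_OUTPUT is constructed to match the SRX column layout and was not captured from a device; EXPECTED_GATEWAYS reuses the post's x.x.x.x and z.z.z.z placeholders.

```python
"""Check 'show security ike security-associations' output for the expected
Azure gateways. Added example, not from the post.
"""
import re
from typing import Dict, List, Sequence

# The two Azure VNet gateway addresses from the post (placeholders).
EXPECTED_GATEWAYS = ["x.x.x.x", "z.z.z.z"]

# Constructed sample in the SRX column layout: first SA up, UK SA not yet up.
SAMPLE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4876512 UP     0d9fb3a2c1e4f578  6a1b2c3d4e5f6071  IKEv2          x.x.x.x
4876513 DOWN   91c4e5f6a7b8c9d0  0000000000000000  IKEv2          z.z.z.z
"""

# index, state, initiator cookie, responder cookie, mode, remote address
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s*$")


def parse_ike_sas(text: str) -> Dict[str, str]:
    """Map remote gateway address -> SA state; header and blank lines skipped."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            states[m.group(6)] = m.group(2)
    return states


def missing_or_down(text: str, expected: Sequence[str] = EXPECTED_GATEWAYS) -> List[str]:
    """Expected gateways with no IKE SA at all, or with an SA that is not UP."""
    states = parse_ike_sas(text)
    return [gw for gw in expected if states.get(gw) != "UP"]


if __name__ == "__main__":
    bad = missing_or_down(SAMPLE_OUTPUT)
    print("all tunnels up" if not bad else f"not up: {', '.join(bad)}")
```

A gateway that has no row at all is reported the same way as one whose SA is DOWN, since from the routing point of view both mean the VNet behind it is unreachable.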

© 2017 Matt Cowen

Wiltshire, UK