How to Connect a Juniper SRX Firewall to Windows Azure Virtual Network Gateway the Easy Way

Microsoft MVP Shannon Fritz wrote a great blog post about setting up the Azure side of the networking, so I will only add to his work and show you how to connect your local network, running a Juniper SRX or J Series, to the Azure infrastructure in one easy step. OK, a bit more than one step, but it is a single commit, which is just like one step.

I'll run down each section of the required config, assuming that you already have a running SRX in production and a fully functional Azure VM, virtual network and gateway deployed in your Azure account. The Azure side is covered in Shannon's blog post.

This VPN from your local network to your Azure virtual network will be route based: the SRX sends traffic into a secure tunnel interface (st0) and a static route, not a proxy-ID pair, decides what goes through the tunnel.


Prep your trust zone

You will have to ensure that you have an address-book entry which matches the local network you registered with Azure (the on-premises address space Azure will route back through the tunnel). The prefix must be identical at both ends.

set security zones security-zone trust address-book address Complete-Local-Network 10.0.0.0/8

 

Create a VPN Security Zone for Azure

A separate zone is not strictly required; I just like to have my VPNs in their own zone so that the policies are easier to keep apart.

We will also add the tunnel interface we are going to use for Azure routing, and an address-book entry for the Azure virtual network which matches the address space configured in Azure.

set security zones security-zone azure address-book address Azure-Virtual-Network 172.19.0.0/16

set security zones security-zone azure interfaces st0.172

st0.172 was my choice of sub-interface (unit number) for the Azure network; you can use whatever unit number you prefer, as long as the same unit is used in the zone, the static route and the VPN binding. The unit must also be defined under interfaces with family inet (it can stay unnumbered) so that the tunnel interface actually exists for the route and the VPN to use.

 

Fragmentation Settings

One of the common mistakes new firewall admins make with VPNs is ignoring the size of the packets travelling through the tunnel, which shows up as slow performance. The extra IPsec headers push full-size TCP segments over the path MTU, so they are fragmented (or dropped when DF is set). Clamping the TCP MSS on traffic entering the tunnel avoids that; Azure recommends an MSS of 1350 bytes.

set security flow tcp-mss ipsec-vpn mss 1350

 

Routing Configuration

We now need to tell the SRX where to send the traffic. Add a static route for the Azure address space, the same 172.19.0.0/16 prefix used in the Azure-Virtual-Network address-book entry, pointing at the tunnel interface st0.172. If the route and the address book disagree, traffic is either never sent into the tunnel or is dropped by policy.

set routing-options static route 172.19.0.0/16 next-hop st0.172

 

Policy Configuration

Now that the packets are being sent to the Azure tunnel interface we have to allow them through, the authorization piece.

We are going to set up a simple policy for traffic from our entire local network to our entire Azure network, and the reciprocal policy so that sessions can be initiated from either side.

Both policies permit any application and log session start and end. In a production environment you will want tighter policies: specific applications and specific hosts rather than any-to-any.

This policy permits traffic initiated from your network to the Azure network (zone pair trust to azure):

set security policies from-zone trust to-zone azure policy trust-to-azure match source-address Complete-Local-Network

set security policies from-zone trust to-zone azure policy trust-to-azure match destination-address Azure-Virtual-Network

set security policies from-zone trust to-zone azure policy trust-to-azure match application any

set security policies from-zone trust to-zone azure policy trust-to-azure then permit

set security policies from-zone trust to-zone azure policy trust-to-azure then log session-init

set security policies from-zone trust to-zone azure policy trust-to-azure then log session-close

This policy permits traffic initiated from the Azure network into your local network. Note that it lives in the opposite zone pair (azure to trust); a policy with the addresses swapped but still under trust-to-azure would never match return-direction sessions:

set security policies from-zone azure to-zone trust policy azure-to-trust match source-address Azure-Virtual-Network

set security policies from-zone azure to-zone trust policy azure-to-trust match destination-address Complete-Local-Network

set security policies from-zone azure to-zone trust policy azure-to-trust match application any

set security policies from-zone azure to-zone trust policy azure-to-trust then permit

set security policies from-zone azure to-zone trust policy azure-to-trust then log session-init

set security policies from-zone azure to-zone trust policy azure-to-trust then log session-close

 

VPN Settings

OK, we have everything in place now except for the actual tunnel to Azure. The tunnel is an IPsec tunnel negotiated with IKEv2 and a pre-shared key; at the time of writing this is the only tunnel type Azure supports for the SRX.

Once you create your gateway in Azure you will be given the tunnel endpoint IP address along with the initial pre-shared key. The key can be changed at any time by reissuing a key in the Azure interface; when you do, update it on the SRX as well or phase 1 will fail.

I will use 1.1.1.1 as the gateway address and mysecretkey as an example shared secret; my example external interface is reth7.77. Substitute your own values. One thing the config below assumes is that the zone holding the external interface already permits IKE as a host-inbound system service; if it does not, the SRX silently drops Azure's IKE packets and the tunnel never comes up.

Below are the IKE and IPsec settings. The st0 unit is created first, since the zone, the route and the VPN binding all refer to it.

set interfaces st0 unit 172 family inet

set security ike proposal azure-proposal authentication-method pre-shared-keys
set security ike proposal azure-proposal dh-group group2
set security ike proposal azure-proposal authentication-algorithm sha1
set security ike proposal azure-proposal encryption-algorithm aes-256-cbc
set security ike proposal azure-proposal lifetime-seconds 28800
set security ike policy azure-policy-1 mode main
set security ike policy azure-policy-1 proposals azure-proposal
set security ike policy azure-policy-1 pre-shared-key ascii-text mysecretkey
set security ike gateway azure-gateway-1 ike-policy azure-policy-1
set security ike gateway azure-gateway-1 address 1.1.1.1
set security ike gateway azure-gateway-1 external-interface reth7.77
set security ike gateway azure-gateway-1 version v2-only

set security ipsec proposal azure-ipsec-proposal protocol esp
set security ipsec proposal azure-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal azure-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal azure-ipsec-proposal lifetime-seconds 3600
set security ipsec policy azure-vpn-policy-1 proposals azure-ipsec-proposal
set security ipsec vpn azure-ipsec-vpn-1 bind-interface st0.172
set security ipsec vpn azure-ipsec-vpn-1 ike gateway azure-gateway-1
set security ipsec vpn azure-ipsec-vpn-1 ike ipsec-policy azure-vpn-policy-1
set security ipsec vpn azure-ipsec-vpn-1 establish-tunnels immediately

Two caveats. The mode main setting only applies to IKEv1; with version v2-only it is ignored, so leaving it out changes nothing. The proposal values (AES-256, SHA-1, DH group 2, 28800 s and 3600 s lifetimes) are what Azure documented for this gateway type when this was written; SHA-1 and DH group 2 are weak by current standards, so check Azure's current default IPsec/IKE parameters and pick the strongest set both ends support rather than copying these verbatim.

 

You're all done; just that last step left. Remember, I promised it would be a single step.

commit comment "VPN Setup to Azure"

You're all up and running: you can now ping, Remote Desktop and so on to any of your VMs, provided each VM's own firewall allows it.
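The whole procedure above, from the address-book entries to the VPN binding, rendered from one set of inputs. This is an added example and not code from the original post: it emits the same Junos set commands shown in the sections above, and refuses to render when the inputs are inconsistent in ways a Junos commit will happily accept but which leave the tunnel dead (a static route that does not match the Azure address-book prefix, on-premises and Azure address spaces that overlap, a peer address that falls inside one of them, a key that cannot be quoted). The parameter names, the validation rules and the example peer address 203.0.113.10 are this script's assumptions; the Junos keywords are the real ones.

```python
"""Render the SRX side of a route-based Azure VPN from a handful of inputs.

Added example, not from the post. The dataclass field names and the checks in
validate() are this script's own; every emitted line is a real Junos set command.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class AzureVpnParams:
    local_prefix: str        # on-premises network registered with Azure as the "local network"
    azure_prefix: str        # address space of the Azure virtual network
    azure_gateway_ip: str    # public IP Azure assigned to the virtual network gateway
    preshared_key: str       # key Azure issued for the gateway
    external_interface: str  # Internet-facing SRX interface, e.g. reth7.77
    st0_unit: int = 172      # secure tunnel unit; must be the same everywhere it is referenced
    local_zone: str = "trust"
    azure_zone: str = "azure"
    tcp_mss: int = 1350      # MSS clamp Azure recommends for traffic entering the tunnel


def validate(params: AzureVpnParams) -> None:
    """Reject inputs that commit would accept but that leave the tunnel broken."""
    local = ipaddress.ip_network(params.local_prefix, strict=True)   # strict: no host bits set
    azure = ipaddress.ip_network(params.azure_prefix, strict=True)
    if local.overlaps(azure):
        raise ValueError(f"local {local} and Azure {azure} address spaces overlap")
    peer = ipaddress.ip_address(params.azure_gateway_ip)
    if peer in local or peer in azure or peer.is_loopback or peer.is_multicast or peer.is_unspecified:
        raise ValueError(f"gateway {peer} cannot be reached as an IKE peer")
    if not params.preshared_key or any(c in params.preshared_key for c in '"\\\n'):
        raise ValueError("pre-shared key is empty or contains characters that break Junos quoting")
    if not 536 <= params.tcp_mss <= 1460:
        raise ValueError(f"tcp-mss {params.tcp_mss} is not sensible for IPv4 over Ethernet")
    if params.st0_unit < 0:
        raise ValueError("st0 unit must be non-negative")


def render_config(params: AzureVpnParams) -> List[str]:
    """Return the set commands for the SRX, in paste-able order."""
    validate(params)
    st0 = f"st0.{params.st0_unit}"
    lz, az = params.local_zone, params.azure_zone
    lines = [
        f"set interfaces st0 unit {params.st0_unit} family inet",
        f"set security zones security-zone {lz} address-book address Complete-Local-Network {params.local_prefix}",
        f"set security zones security-zone {az} address-book address Azure-Virtual-Network {params.azure_prefix}",
        f"set security zones security-zone {az} interfaces {st0}",
        f"set security flow tcp-mss ipsec-vpn mss {params.tcp_mss}",
        # The route is derived from the same prefix as the address-book entry, so they cannot drift apart.
        f"set routing-options static route {params.azure_prefix} next-hop {st0}",
    ]
    # One policy per zone pair; the reciprocal policy must live under the opposite from-zone/to-zone.
    for name, src, dst, from_zone, to_zone in (
        ("trust-to-azure", "Complete-Local-Network", "Azure-Virtual-Network", lz, az),
        ("azure-to-trust", "Azure-Virtual-Network", "Complete-Local-Network", az, lz),
    ):
        base = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {name}"
        lines += [f"{base} match source-address {src}", f"{base} match destination-address {dst}",
                  f"{base} match application any", f"{base} then permit",
                  f"{base} then log session-init", f"{base} then log session-close"]
    lines += [
        "set security ike proposal azure-proposal authentication-method pre-shared-keys",
        "set security ike proposal azure-proposal dh-group group2",
        "set security ike proposal azure-proposal authentication-algorithm sha1",
        "set security ike proposal azure-proposal encryption-algorithm aes-256-cbc",
        "set security ike proposal azure-proposal lifetime-seconds 28800",
        "set security ike policy azure-policy-1 proposals azure-proposal",
        f'set security ike policy azure-policy-1 pre-shared-key ascii-text "{params.preshared_key}"',
        "set security ike gateway azure-gateway-1 ike-policy azure-policy-1",
        f"set security ike gateway azure-gateway-1 address {params.azure_gateway_ip}",
        f"set security ike gateway azure-gateway-1 external-interface {params.external_interface}",
        "set security ike gateway azure-gateway-1 version v2-only",
        "set security ipsec proposal azure-ipsec-proposal protocol esp",
        "set security ipsec proposal azure-ipsec-proposal authentication-algorithm hmac-sha1-96",
        "set security ipsec proposal azure-ipsec-proposal encryption-algorithm aes-256-cbc",
        "set security ipsec proposal azure-ipsec-proposal lifetime-seconds 3600",
        "set security ipsec policy azure-vpn-policy-1 proposals azure-ipsec-proposal",
        f"set security ipsec vpn azure-ipsec-vpn-1 bind-interface {st0}",
        "set security ipsec vpn azure-ipsec-vpn-1 ike gateway azure-gateway-1",
        "set security ipsec vpn azure-ipsec-vpn-1 ike ipsec-policy azure-vpn-policy-1",
        "set security ipsec vpn azure-ipsec-vpn-1 establish-tunnels immediately",
    ]
    return lines


if __name__ == "__main__":
    # Example values (assumed, not from the post): 203.0.113.10 stands in for the Azure gateway IP.
    example = AzureVpnParams("10.0.0.0/8", "172.19.0.0/16", "203.0.113.10", "mysecretkey", "reth7.77")
    print("\n".join(render_config(example)))
```

Paste the output into configure mode (or feed it to load set terminal) and commit. The IKE and IPsec proposal values are the ones from this post and are deliberately not parameterised; revisit them against Azure's current defaults before reuse.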

Verification

You can now verify that the tunnel is up with the following commands. The outputs below come from a chassis cluster (node0/node1); only the node that is primary for the redundancy group owning reth7.77 processes the tunnel, so the zero counters on node1 are expected, not a fault. What you want to see is an IKE SA in state UP with mode IKEv2, one inbound (<) and one outbound (>) ESP SA to the Azure peer with the algorithms you configured, and error counters that stay at zero.

show security ike active-peer
node0:
————————————————————————–
Remote Address                      Port     Peer IKE-ID                         XAUTH username                      Assigned IP
1.1.1.1                         500      1.1.1.1                      

show security ike security-associations
node0:
————————————————————————–
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address  
7776655 UP     6t6t5t4r4e43e540  3e34ew34eeadb945  IKEv2          1.1.1.    

show security ipsec security-associations
node0:
————————————————————————–
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway  
  <111111 ESP:aes-256/sha1 aaaaaaa 3185/ unlim -   root 500   1.1.1.1    
  >111112 ESP:aes-256/sha1 bbbbbbb 3185/ unlim -  root 500   1.1.1.1    

show security ipsec statistics              
node0:
————————————————————————–

ESP Statistics:
  Encrypted bytes:           399912
  Decrypted bytes:           314925
  Encrypted packets:           3309
  Decrypted packets:           3333
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

node1:
————————————————————————–

ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
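A small checker that parses the output of the three show commands above and reports anything that is not a healthy IKEv2/ESP tunnel to the expected peer, added here as an example that is not part of the original post. The sample output embedded in it is constructed in the same shape as the post's output; the cookies, SPIs and the peer address 203.0.113.10 are placeholders. In practice you would feed it the text captured from the SRX (over an SSH session, NETCONF, or a saved log) and run it from monitoring.

```python
"""Check SRX 'show security ike/ipsec ...' output for a healthy tunnel to one peer.

Added example, not from the post. It parses the plain-text command output and
returns a list of findings; an empty list means the IKEv2 SA is UP, both ESP SAs
exist with the expected algorithm, and all error counters are zero.
"""
import re
from typing import Dict, List

# Constructed sample output in the shape of the post's command output. The
# cookies, SPIs and the peer address 203.0.113.10 are placeholders.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7776655 UP     0123456789abcdef  fedcba9876543210  IKEv2          203.0.113.10
"""
IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-256/sha1 5a1b2c3d 3185/ unlim -   root 500   203.0.113.10
  >131073 ESP:aes-256/sha1 9e8f7a6b 3185/ unlim -   root 500   203.0.113.10
"""
IPSEC_STATS_OUTPUT = """\
ESP Statistics:
  Encrypted bytes:           399912
  Decrypted bytes:           314925
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# One IKE SA row: index, state, two cookies, mode, remote address.
IKE_SA_RE = re.compile(r"^\s*(\d+)\s+(UP|DOWN)\s+(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*$", re.M)
# One IPsec SA row: direction marker, ID, ESP algorithm, SPI, life sec/kb, Mon, lsys, port, gateway.
IPSEC_SA_RE = re.compile(
    r"^\s*([<>])(\d+)\s+ESP:(\S+)\s+(\w+)\s+(\d+)/\s*(\S+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)\s*$", re.M)
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_ike_sas(text: str) -> List[Dict]:
    return [{"index": int(m[1]), "state": m[2], "mode": m[5], "remote": m[6]}
            for m in IKE_SA_RE.finditer(text)]


def parse_ipsec_sas(text: str) -> List[Dict]:
    return [{"direction": "in" if m[1] == "<" else "out", "id": int(m[2]), "algorithm": m[3],
             "spi": m[4], "life_sec": int(m[5]), "port": int(m[7]), "gateway": m[8]}
            for m in IPSEC_SA_RE.finditer(text)]


def parse_error_counters(text: str) -> Dict[str, int]:
    """Sum the counters under every 'Errors:' heading (a chassis cluster prints one per node)."""
    totals: Dict[str, int] = {}
    for block in text.split("Errors:")[1:]:
        for line in block.splitlines():
            if line.strip() and not line.startswith(" "):
                break  # next section heading, e.g. "node1:" or "ESP Statistics:"
            for name, value in COUNTER_RE.findall(line):
                totals[name.strip()] = totals.get(name.strip(), 0) + int(value)
    return totals


def check_tunnel(ike_text: str, ipsec_text: str, stats_text: str, peer: str,
                 expected_alg: str = "aes-256/sha1", min_life_sec: int = 60) -> List[str]:
    """Return human-readable findings; an empty list means the tunnel to `peer` looks healthy."""
    findings: List[str] = []
    ike = [sa for sa in parse_ike_sas(ike_text) if sa["remote"] == peer]
    if not ike:
        findings.append(f"no IKE SA with {peer}")
    elif ike[0]["state"] != "UP" or ike[0]["mode"] != "IKEv2":
        findings.append(f"IKE SA to {peer} is {ike[0]['state']} / {ike[0]['mode']}, expected UP / IKEv2")
    sas = [sa for sa in parse_ipsec_sas(ipsec_text) if sa["gateway"] == peer]
    if {sa["direction"] for sa in sas} != {"in", "out"}:
        findings.append(f"need one inbound and one outbound ESP SA for {peer}, found {len(sas)}")
    for sa in sas:
        if sa["algorithm"] != expected_alg:
            findings.append(f"{sa['direction']}bound SA {sa['spi']} uses {sa['algorithm']}, expected {expected_alg}")
        if sa["life_sec"] < min_life_sec:
            findings.append(f"{sa['direction']}bound SA {sa['spi']} expires in {sa['life_sec']}s (rekey pending or stuck)")
    for name, count in parse_error_counters(stats_text).items():
        if count:
            findings.append(f"{name}: {count}")
    return findings


if __name__ == "__main__":
    problems = check_tunnel(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, IPSEC_STATS_OUTPUT, "203.0.113.10")
    print("tunnel healthy" if not problems else "\n".join(problems))
```

Rising ESP authentication or decryption failures with the IKE SA still UP usually point at a mismatched IPsec proposal or a stale SA after a rekey, and an IKE SA that flips to DOWN on every lifetime expiry is the first thing to look at when users report periodic packet loss.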

 

Enjoy working with Azure and your Juniper SRX

Responses to How to Connect a Juniper SRX Firewall to Windows Azure Virtual Network Gateway the Easy Way

  David Taylor says:

    This is a great article. Thanks for helping me get out of a jam, as I had not changed my fragmentation settings on my SSG. I do have one question, however. I am seeing packet loss during every P1 negotiation pass, which is set to 28800 seconds. Would you have any idea why this happens? Any thoughts would be greatly appreciated.
