Thanks to MS MVP Shannon Fritz, who wrote a great blog post about setting up the Azure side of the networking, I thought I would only add to his work and show you how to connect your local network running a Juniper SRX or J Series to the Azure infrastructure in one easy step. OK, a bit more than one step, but it all goes in with one commit, which is just like one step.
I'll run through each section of the required config, assuming that you already have a running SRX in production and a fully functional Azure VM, Virtual Network and Gateway already deployed in your Azure account. The Azure side can be seen in Shannon's blog post.
This VPN from your local network to your Azure cloud Virtual Network will be route based.
Prep your trust zone
You will have to ensure that you have an address book entry which matches the local network you registered with Azure.
set security zones security-zone trust address-book address Complete-Local-Network 10.0.0.0/8
Create a VPN Security Zone for Azure
A separate zone is not a strict requirement; I just like to have my VPNs in their own zone so the policies are easier to keep apart.
We will also add the VPN interface we are going to use for Azure routing, and an address book entry for our Azure networks which matches the Azure address space.
set interfaces st0 unit 172 family inet
set security zones security-zone azure address-book address Azure-Virtual-Network 172.19.0.0/16
set security zones security-zone azure interface st0.172
st0.172 was my choice of logical unit on the st0 tunnel interface for the Azure network; you can use whatever unit number you like, but the unit has to be defined (the first line above) before it can be placed in a zone or bound to the VPN.
Fragmentation Settings
One of the common mistakes new firewall people make is with the size of packets travelling through VPNs, which shows up as slow performance. This is usually because the TCP maximum segment size (tcp-mss) is not clamped for traffic entering the tunnel, so packets end up fragmented. Set the correct size and your packets flow smoother and faster; Azure recommends 1350.
set security flow tcp-mss ipsec-vpn 1350
Routing Configuration
We now need to tell the SRX where to send your data. We will be adding a static route for the 172.16.0.0/16 network to the Azure tunnel interface st0.172; the prefix here must be your Azure address space, the same one used for the Azure-Virtual-Network address book entry.
set routing-options static route 172.16.0.0/16 next-hop st0.172
Policy Configuration
Now that we are sending the packets to the Azure tunnel interface, we have to allow them through; that is the authorization piece.
We are going to set up a simple policy for traffic from our entire network to our entire Azure network. We will also set up the reciprocal policy so that traffic can be initiated from either site to the other.
We will allow any application through the tunnel and log it. In a production environment you will want to define tighter security policies.
This policy permits traffic from your network to the Azure network.
set security policies from-zone trust to-zone azure policy trust-to-azure match source-address Complete-Local-Network
set security policies from-zone trust to-zone azure policy trust-to-azure match destination-address Azure-Virtual-Network
set security policies from-zone trust to-zone azure policy trust-to-azure match application any
set security policies from-zone trust to-zone azure policy trust-to-azure then permit
set security policies from-zone trust to-zone azure policy trust-to-azure then log session-init
set security policies from-zone trust to-zone azure policy trust-to-azure then log session-close
This policy permits traffic initiated from the Azure network to your network, so it lives in the opposite zone direction.
set security policies from-zone azure to-zone trust policy azure-to-trust match source-address Azure-Virtual-Network
set security policies from-zone azure to-zone trust policy azure-to-trust match destination-address Complete-Local-Network
set security policies from-zone azure to-zone trust policy azure-to-trust match application any
set security policies from-zone azure to-zone trust policy azure-to-trust then permit
set security policies from-zone azure to-zone trust policy azure-to-trust then log session-init
set security policies from-zone azure to-zone trust policy azure-to-trust then log session-close
VPN Settings
OK, we have everything in place now except for the actual tunnel to Azure. The tunnel to Azure is going to be an IPsec IKEv2 tunnel authenticated with a pre-shared key; this is currently the only supported tunnel type for the SRX.
Once you create your gateway in Azure you will be given your tunnel endpoint IP address along with the initial pre-shared key. The key can be changed at any time by reissuing a key in the Azure interface.
I will use 1.1.1.1 as the endpoint address and mysecretkey as an example shared secret; my example external interface is reth7.77. The zone that holds reth7.77 must allow IKE as a host-inbound system service, or the negotiation will never start.
Below are the IKE and IPsec settings.
set security ike proposal azure-proposal authentication-method pre-shared-keys
set security ike proposal azure-proposal dh-group group2
set security ike proposal azure-proposal authentication-algorithm sha1
set security ike proposal azure-proposal encryption-algorithm aes-256-cbc
set security ike proposal azure-proposal lifetime-seconds 28800
set security ike policy azure-policy-1 mode main
set security ike policy azure-policy-1 proposals azure-proposal
set security ike policy azure-policy-1 pre-shared-key ascii-text mysecretkey
set security ike gateway azure-gateway-1 ike-policy azure-policy-1
set security ike gateway azure-gateway-1 address 1.1.1.1
set security ike gateway azure-gateway-1 external-interface reth7.77
set security ike gateway azure-gateway-1 version v2-only
set security ipsec proposal azure-ipsec-proposal protocol esp
set security ipsec proposal azure-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal azure-ipsec-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal azure-ipsec-proposal lifetime-seconds 3600
set security ipsec policy azure-vpn-policy-1 proposals azure-ipsec-proposal
set security ipsec vpn azure-ipsec-vpn-1 bind-interface st0.172
set security ipsec vpn azure-ipsec-vpn-1 ike gateway azure-gateway-1
set security ipsec vpn azure-ipsec-vpn-1 ike ipsec-policy azure-vpn-policy-1
set security ipsec vpn azure-ipsec-vpn-1 establish-tunnels immediately
You're all done; just that last step is left. Remember, I promised it would be a single step.
commit comment "VPN Setup to Azure"
You're all up and running. Now you can ping, remote desktop, etc. to any of your VMs.
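As an added example that is not part of the original post, here is a small Python consistency checker for a set-style SRX configuration like the one above. It checks that any static route into an st0 unit points at an interface some VPN actually binds, that the route prefix has a matching address-book entry in the VPN zone, and that a permit policy exists in both zone directions. The sample config it carries is constructed for the example and deliberately contains a route/address-book prefix mismatch and a missing return policy.

```python
import re

# Constructed sample in the same "set ..." style as the post (not the post's own
# config); the 172.19 vs 172.16 mismatch is deliberate so the checker has work.
SAMPLE_CONFIG = """
set security zones security-zone trust address-book address Complete-Local-Network 10.0.0.0/8
set security zones security-zone azure address-book address Azure-Virtual-Network 172.19.0.0/16
set security zones security-zone azure interface st0.172
set routing-options static route 172.16.0.0/16 next-hop st0.172
set security policies from-zone trust to-zone azure policy trust-to-azure match source-address Complete-Local-Network
set security policies from-zone trust to-zone azure policy trust-to-azure match destination-address Azure-Virtual-Network
set security policies from-zone trust to-zone azure policy trust-to-azure then permit
set security ipsec vpn azure-ipsec-vpn-1 bind-interface st0.172
"""

def parse_set_config(text):
    """Extract the facts the checks need from 'set ...' lines."""
    facts = {"addresses": {}, "routes": {}, "policies": set(), "bind": {}}
    for line in text.splitlines():
        if m := re.match(r"set security zones security-zone (\S+) address-book address (\S+) (\S+)", line):
            facts["addresses"][m.group(2)] = (m.group(1), m.group(3))  # name -> (zone, prefix)
        elif m := re.match(r"set routing-options static route (\S+) next-hop (\S+)", line):
            facts["routes"][m.group(1)] = m.group(2)                    # prefix -> next-hop
        elif m := re.match(r"set security policies from-zone (\S+) to-zone (\S+) policy \S+ then permit", line):
            facts["policies"].add((m.group(1), m.group(2)))             # (from-zone, to-zone)
        elif m := re.match(r"set security ipsec vpn (\S+) bind-interface (\S+)", line):
            facts["bind"][m.group(1)] = m.group(2)                      # vpn -> st0 unit
    return facts

def check_vpn_config(text, vpn_zone="azure", local_zone="trust"):
    """Return a list of findings; an empty list means the pieces agree."""
    f = parse_set_config(text)
    findings = []
    tunnel_ifaces = set(f["bind"].values())
    remote_prefixes = {p for zone, p in f["addresses"].values() if zone == vpn_zone}
    # 1. A tunnel route must use an interface some VPN binds, and its prefix must
    #    match a VPN-zone address-book entry, or routing and policy disagree.
    for prefix, nh in f["routes"].items():
        if nh.startswith("st0.") and nh not in tunnel_ifaces:
            findings.append(f"route {prefix} uses {nh}, which no VPN binds")
        if nh.startswith("st0.") and prefix not in remote_prefixes:
            findings.append(f"route {prefix} has no matching {vpn_zone} address-book entry")
    # 2. Site-to-site traffic starts from either side: permit both zone directions.
    for pair in ((local_zone, vpn_zone), (vpn_zone, local_zone)):
        if pair not in f["policies"]:
            findings.append(f"no permit policy from-zone {pair[0]} to-zone {pair[1]}")
    return findings
```

Running check_vpn_config on the output of "show configuration | display set" before committing catches the two mistakes that are easiest to make by hand: a route prefix that does not match the address book, and a policy pasted under the wrong zone pair.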
Verification
You can verify that your tunnel is up and running with the following commands.
show security ike active-peer
node0:
--------------------------------------------------------------------------
Remote Address Port Peer IKE-ID XAUTH username Assigned IP
1.1.1.1 500 1.1.1.1
show security ike security-associations
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
7776655 UP 6t6t5t4r4e43e540 3e34ew34eeadb945 IKEv2 1.1.1.
show security ipsec security-associations
node0:
--------------------------------------------------------------------------
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<111111 ESP:aes-256/sha1 aaaaaaa 3185/ unlim - root 500 1.1.1.1
>111112 ESP:aes-256/sha1 bbbbbbb 3185/ unlim - root 500 1.1.1.1
show security ipsec statistics
node0:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 399912
Decrypted bytes: 314925
Encrypted packets: 3309
Decrypted packets: 3333
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
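Added example, not from the original post: a Python health check that parses two polls of show security ipsec statistics in the format shown above and warns when an error counter grows or when packets are being encrypted but none decrypted (the usual sign that the far side's route or policy is off). The sample output is constructed for the example; the node and counter names follow the CLI output.

```python
import re
# Constructed snapshots in the shape of 'show security ipsec statistics' from an
# SRX cluster; the numbers are made up for this example, not taken from a live box.
SNAPSHOT_T0 = """
node0:
--------------------------------------------------------------------------
ESP Statistics:
  Encrypted bytes:            399912
  Decrypted bytes:            314925
  Encrypted packets:            3309
  Decrypted packets:            3333
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
# Second poll: 203 more packets encrypted, none decrypted, and replay errors appeared.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("3309", "3512").replace("Replay errors: 0", "Replay errors: 4")

ERROR_COUNTERS = ("AH authentication failures", "Replay errors", "ESP authentication failures",
                  "ESP decryption failures", "Bad headers", "Bad trailers")

def parse_ipsec_statistics(text):
    """Map node name -> {counter name: value} from the CLI output."""
    nodes, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"(node\d+):", line):
            current = nodes.setdefault(m.group(1), {})
        elif current is not None:
            # A line holds one or more "Name: value" pairs, comma separated.
            for name, value in re.findall(r"([A-Za-z ]+?):\s*(\d+)", line):
                current[name.strip()] = int(value)
    return nodes

def assess_tunnel(before, after):
    """Compare two polls and return warnings about the tunnel's health."""
    prev, warnings = parse_ipsec_statistics(before), []
    for node, now in parse_ipsec_statistics(after).items():
        then = prev.get(node, {})
        # Any growth in an error counter deserves a look (key mismatch, replay, corruption).
        for c in ERROR_COUNTERS:
            if now.get(c, 0) > then.get(c, 0):
                warnings.append(f"{node}: {c} rose from {then.get(c, 0)} to {now[c]}")
        # Sending without receiving usually means the far side's route or policy is off.
        sent = now.get("Encrypted packets", 0) - then.get("Encrypted packets", 0)
        recv = now.get("Decrypted packets", 0) - then.get("Decrypted packets", 0)
        if sent > 0 and recv == 0:
            warnings.append(f"{node}: sent {sent} packets but received none (one-way traffic)")
    return warnings
```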
Enjoy working with Azure and your Juniper SRX