SUMMARY: This article explains how to configure multiple traffic selectors on a single route-based VPN. A traffic selector (known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel only if it matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA; both halves of the pair must match, so a packet whose source falls under one selector's local address and whose destination falls under a different selector's remote address matches neither.

Note: Multiple traffic selectors on a route-based VPN was introduced in Junos OS Release 12.1X46; see the Junos OS 12.1X46 Release Notes.

PROBLEM OR GOAL: To reach two or more remote private networks over IPsec, a separate Phase 2 SA must be negotiated for each local/remote network pair. Before Junos OS Release 12.1X46, a route-based VPN could carry only one proxy ID, so you had to create a separate st0 unit and VPN for each remote private network; for a policy-based VPN, you had to create a separate security policy with a tunnel binding for each remote private network as the destination. The configuration effort therefore grew with every additional network. This article shows the alternative introduced in 12.1X46: several traffic selectors on one route-based VPN bound to a single st0 unit.

SOLUTION:

Topology:

Local SRX: 2.2.2.2

Local Networks: 10.1.0.0/16, 10.2.0.0/16

VPN Peer: 3.3.3.3

Remote Networks: 192.168.1.0/24, 192.168.2.0/24

Define multiple subnets using a single route-based VPN:

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.0.1/16;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 10.2.0.1/16;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 3.3.3.0/24 next-hop 2.2.2.1;
        route 192.168.1.0/24 next-hop st0.0;
        route 192.168.2.0/24 next-hop st0.0;
    }
}
security {
    ike {
        policy p1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "KEY"; ## SECRET-DATA
        }
        gateway g1 {
            ike-policy p1;
            address 3.3.3.3;
            external-interface fe-0/0/0;
        }
    }
    ipsec {
        policy p1 {
            proposal-set standard;
        }
        vpn v1 {
            bind-interface st0.0;
            ike {
                gateway g1;
                ipsec-policy p1;
            }
            traffic-selector t1 {
                local-ip 10.1.0.0/16;
                remote-ip 192.168.1.0/24;
            }
            traffic-selector t2 {
                local-ip 10.2.0.0/16;
                remote-ip 192.168.2.0/24;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.0;
                fe-0/0/2.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}

A few points to keep in mind with this configuration:

  • proposal-set standard lets the peers settle on 3DES with SHA-1, which is what the output below shows (ESP:3des/sha1). 3DES is deprecated; for production define explicit IKE and IPsec proposals with an AES cipher and a SHA-2 authentication algorithm.
  • With traffic selectors, auto route insertion (ARI) adds a route for each selector's remote-ip through st0.0 when the SA comes up, so the two static routes to st0.0 above are optional.
  • The any/any/any policies and host-inbound-traffic all on every zone are lab settings; restrict them to the required addresses and services in production.
  • The peer must present matching proxy IDs. IKEv1 negotiates one Phase 2 SA per traffic selector, so a selector with no matching proxy ID on the peer fails Phase 2 on its own without affecting the others.

Verify that each traffic selector has its own IPsec SA:

[edit]
root@100-5# run show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
8262    UP     708f2fb601773e78  43cde54a81b6fd58  Main           3.3.3.3         

[edit]
root@100-5# run show security ipsec sa 
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <268173314 ESP:3des/sha1 fa00cf7f 3476/ unlim -  root 500   3.3.3.3         
  >268173314 ESP:3des/sha1 726f8591 3476/ unlim -  root 500   3.3.3.3         
  <268173313 ESP:3des/sha1 69385788 3501/ unlim -  root 500   3.3.3.3         
  >268173313 ESP:3des/sha1 4897cca3 3501/ unlim -  root 500   3.3.3.3         

Two SAs (one inbound, one outbound) exist for each traffic selector, and each IPsec SA ID corresponds to one selector. The detail output shows which selector an SA belongs to:

root@100-5# run show security ipsec security-associations detail 
  ID: 268173314 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t1 <<<<<<<<<<<<<<<<<<<< corresponding traffic selector
  Local Identity: ipv4(10.1.0.0-10.1.255.255)
  Remote Identity: ipv4(192.168.1.0-192.168.1.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: fa00cf7f, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3469 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2905 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 726f8591, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3469 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2905 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173313 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t2 <<<<<<<<<<<<<<<<<<<< corresponding traffic selector
  Local Identity: ipv4(10.2.0.0-10.2.255.255)
  Remote Identity: ipv4(192.168.2.0-192.168.2.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 69385788, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3494 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2892 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 4897cca3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3494 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2892 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
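
As an added example (not part of the KB article and not Junos code), the following Python parses the `show security ipsec security-associations detail` output above, confirms that every selector has both an inbound and an outbound SA installed, and shows which selector, if any, a given flow maps to. The sample text is constructed from the two SAs shown, trimmed to the lines the parser needs; the regexes assume that output's `ID:`, `Traffic Selector Name:`, `Local/Remote Identity:` and `Direction:` line formats.

```python
"""Parse Junos 'show security ipsec security-associations detail' output and map
flows to traffic selectors.

Added example; not code from the KB article or from Junos. SAMPLE_DETAIL is
constructed from the two SAs shown in the article (trimmed), and the regexes
assume that output's line formats.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the t1 and t2 SAs from the article, trimmed.
SAMPLE_DETAIL = """\
  ID: 268173314 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t1
  Local Identity: ipv4(10.1.0.0-10.1.255.255)
  Remote Identity: ipv4(192.168.1.0-192.168.1.255)
  Version: IKEv1
    Direction: inbound, SPI: fa00cf7f, AUX-SPI: 0
    Direction: outbound, SPI: 726f8591, AUX-SPI: 0

  ID: 268173313 Virtual-system: root, VPN Name: v1
  Local Gateway: 2.2.2.2, Remote Gateway: 3.3.3.3
  Traffic Selector Name: t2
  Local Identity: ipv4(10.2.0.0-10.2.255.255)
  Remote Identity: ipv4(192.168.2.0-192.168.2.255)
  Version: IKEv1
    Direction: inbound, SPI: 69385788, AUX-SPI: 0
    Direction: outbound, SPI: 4897cca3, AUX-SPI: 0
"""

_ID_RE = re.compile(r"^\s*ID:\s+(\d+)\b")
_TS_RE = re.compile(r"^\s*Traffic Selector Name:\s+(\S+)")
_IDENT_RE = re.compile(r"^\s*(Local|Remote) Identity:\s+ipv4\(([\d.]+)-([\d.]+)\)")
_DIR_RE = re.compile(r"^\s*Direction:\s+(inbound|outbound),\s+SPI:\s+([0-9a-fA-F]+)")


def _range_to_networks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Junos prints identities as address ranges; collapse them to CIDR prefixes."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def parse_sa_detail(text: str) -> List[Dict]:
    """One record per IPsec SA ID: selector name, local/remote prefixes, SPIs."""
    records: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = _ID_RE.match(line)
        if m:
            cur = {"sa_id": int(m.group(1)), "selector": None,
                   "local": [], "remote": [], "spi": {}}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = _TS_RE.match(line)
        if m:
            cur["selector"] = m.group(1)
            continue
        m = _IDENT_RE.match(line)
        if m:
            cur[m.group(1).lower()] = _range_to_networks(m.group(2), m.group(3))
            continue
        m = _DIR_RE.match(line)
        if m:
            cur["spi"][m.group(1)] = m.group(2).lower()
    return records


def check_sa_pairs(records: List[Dict]) -> Dict[str, List[str]]:
    """Each selector needs an installed inbound and an outbound SA.
    Returns {selector: [missing directions]}; an empty dict means all are paired."""
    missing: Dict[str, List[str]] = {}
    for r in records:
        absent = [d for d in ("inbound", "outbound") if d not in r["spi"]]
        if absent:
            missing[r["selector"]] = absent
    return missing


def match_selector(records: List[Dict], src: str, dst: str) -> Optional[str]:
    """Name of the selector whose local AND remote identity cover src -> dst.
    A flow covered by the local side of one selector and the remote side of
    another matches neither, so no SA carries it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in records:
        if any(s in n for n in r["local"]) and any(d in n for n in r["remote"]):
            return r["selector"]
    return None


if __name__ == "__main__":
    recs = parse_sa_detail(SAMPLE_DETAIL)
    print({r["selector"]: r["sa_id"] for r in recs})
    print("missing SAs:", check_sa_pairs(recs) or "none")
    for flow in [("10.1.0.5", "192.168.1.10"),
                 ("10.2.7.7", "192.168.2.1"),
                 ("10.1.0.5", "192.168.2.10")]:   # local of t1, remote of t2
        print(f"{flow[0]} -> {flow[1]}: {match_selector(recs, *flow)}")
```

The third flow is the practical lesson: with t1 and t2 as configured, 10.1.0.0/16 cannot reach 192.168.2.0/24 at all. If that is required, add a third selector (or widen the local-ip of t2) rather than expecting the tunnel to mix and match pairs.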

ScreenOS equivalent: multiple proxy IDs on one tunnel interface using NHTB (next-hop tunnel binding)

set interface "tunnel.<#>" ip unnumbered interface <outgoing-interface>  !! If not using NHTB routes
set interface "tunnel.<#>" ip <ip>/<cidr>  !! If NHTB routes are needed - any otherwise unused private subnet such as 172.16.255.1/25 will work
set interface "tunnel.<#>" zone "<zone>"
set interface "tunnel.<#>" mip <Mapped-IP> host <real-ip> netmask 255.255.255.255 vr "trust-vr"  !! If needed

set ike p1-proposal "pre-g2-aes256-sha" preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal "nopfs-esp-aes256-sha" no-pfs esp aes256 sha-1 second 28800  !! no-pfs skips the Phase 2 DH exchange; use group5 or higher if the peer supports PFS

set ike gateway "<gateway-name>" address <gateway-ip> Main outgoing-interface "<outgoing-interface>" preshare "<psk>" proposal "<p1-proposal>"
set vpn "<vpn_name-#>" gateway "<gateway-name>" no-replay tunnel idletime 0 proposal "<p2-proposal>"  !! no-replay disables anti-replay checking; use replay unless the peer cannot handle it
set vpn "<vpn_name-#>" bind interface tunnel.<#>
set vpn "<vpn_name-#>" proxy-id local-ip <ip/cidr> remote-ip <ip/cidr> "ANY"  !! Only necessary if you need to define proxy-IDs explicitly, for instance toward Cisco devices

!! Create the security policies as 'permit' rules

set route <remote-ip/cidr> interface tunnel.<#>  !! Without NHTB

set interface tunnel.<#> nhtb <IP-on-tunnel-interface-network> vpn "<vpn_name-1>"  !! With NHTB
set route <remote-ip/cidr> interface tunnel.<#> gateway <nhtb-ip>  !! With NHTB

Notes:

  • Policy rules should use the permit action
  • Create an additional VPN (vpn_name-1, vpn_name-2, ...) for each proxy-ID combination needed
  • NHTB routes are necessary when binding multiple VPNs to the same tunnel interface (for instance, when multiple proxy-IDs are required); the route's gateway address is what selects the VPN
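
The per-VPN pattern above (one VPN, one NHTB address, one route per proxy-ID pair, all on one tunnel interface) is easy to get wrong by hand once there are more than two pairs. As an added example that is not from the original page or from Juniper, the following Python emits the ScreenOS commands for a list of proxy-ID pairs, hands each VPN the next free host address in the tunnel subnet as its NHTB address, and refuses duplicate pairs or a remote prefix routed twice. The gateway name, proposal name and the `vpn_<gateway>-<n>` naming are assumptions of the example.

```python
"""Generate ScreenOS commands for several proxy-ID pairs on one tunnel interface
using NHTB, following the cheat sheet above.

Added example; not from the original page or from Juniper. Assumed: the tunnel
interface carries a small otherwise-unused private subnet (the sheet's
172.16.255.1/25 style), each VPN takes the next free host address in it as its
NHTB address, and the gateway, proposal and VPN names are the caller's.
"""
import ipaddress
from typing import List, Tuple


def plan_nhtb_vpns(tunnel_if: str, tunnel_addr: str, gateway: str,
                   p2_proposal: str,
                   pairs: List[Tuple[str, str]]) -> List[str]:
    """One VPN per (local, remote) proxy-ID pair, all bound to tunnel_if.

    Each VPN gets a distinct NHTB address and a route for its remote prefix whose
    gateway is that address; the NHTB entry is what steers the route onto the
    right SA when several VPNs share one tunnel interface."""
    iface = ipaddress.ip_interface(tunnel_addr)
    # NHTB candidates: host addresses in the tunnel subnet other than our own.
    free = [h for h in iface.network.hosts() if h != iface.ip]
    seen_pairs = set()
    seen_remotes = set()
    cmds = [f'set interface "{tunnel_if}" ip {iface.with_prefixlen}']
    for idx, (local, remote) in enumerate(pairs, start=1):
        l_net = ipaddress.ip_network(local, strict=False)
        r_net = ipaddress.ip_network(remote, strict=False)
        if (l_net, r_net) in seen_pairs:
            raise ValueError(f"duplicate proxy-ID {l_net} -> {r_net}")
        if r_net in seen_remotes:
            # Two routes to the same prefix via different NHTB gateways cannot both win.
            raise ValueError(f"remote {r_net} is already routed via {tunnel_if}")
        if not free:
            raise ValueError(f"{iface.network} has no spare address for another NHTB entry")
        seen_pairs.add((l_net, r_net))
        seen_remotes.add(r_net)
        nhtb = free.pop(0)
        vpn = f"vpn_{gateway}-{idx}"
        cmds += [
            # 'replay' keeps anti-replay checking on; the sheet's 'no-replay' turns it off.
            f'set vpn "{vpn}" gateway "{gateway}" replay tunnel idletime 0 proposal "{p2_proposal}"',
            f'set vpn "{vpn}" bind interface {tunnel_if}',
            f'set vpn "{vpn}" proxy-id local-ip {l_net.with_prefixlen} remote-ip {r_net.with_prefixlen} "ANY"',
            f'set interface {tunnel_if} nhtb {nhtb} vpn "{vpn}"',
            f'set route {r_net.with_prefixlen} interface {tunnel_if} gateway {nhtb}',
        ]
    return cmds


if __name__ == "__main__":
    # Constructed input: the two network pairs used in the Junos article above.
    for c in plan_nhtb_vpns("tunnel.1", "172.16.255.1/25", "gw1",
                            "nopfs-esp-aes256-sha",
                            [("10.1.0.0/16", "192.168.1.0/24"),
                             ("10.2.0.0/16", "192.168.2.0/24")]):
        print(c)
```

Paste the output into the CLI after the interface, zone and IKE gateway commands from the sheet; the security policies still have to be written separately.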


Check Point: certificate authentication for an externally managed UTM-1 Edge gateway

  1. Create a UTM-1 Edge Gateway device
    a. Configure the name
    b. Click the “Edit Registration Key” button and generate a random key (this key is not used again, so there is no need to save it)
    c. Make sure that “Externally Managed Gateway” is checked; otherwise the device counts against the management server’s licensed devices

  2. Configure the topology and encryption domain of the device
  3. Select “IPSec VPN”
  4. Click “Add” under “Repository of Certificates Available to the Gateway”
    a. Provide a nickname for the certificate
    b. Leave “CA to enroll from” at the default (if using the management server’s internal Certificate Authority)
    c. Choose the “Generate” option
    d. Leave all the defaults for the DN and choose “OK” to generate the certificate

  5. A certificate should now appear in the gateway’s repository
  6. Select “View” to view the certificate and copy its “Subject” (DN)
  7. Choose “OK”
  8. Choose the “Matching Criteria” button
    a. Select “internal_ca” from the CA drop-down (unless using another Certificate Authority)
    b. Check the “DN” option and paste the DN copied in step 6
    c. Click “OK”

  9. Select “OK” to save the object
  10. Reopen the gateway object and go back to “IPSec VPN”
  11. Select “Export p12” and choose a password for the file (it must be provided to the remote side, which needs it to import the certificate)
  12. Send the p12 file and its password to the remote side over two separate, trusted channels; the p12 contains the gateway’s private key, so anyone holding both can impersonate that gateway
  13. Continue configuring the rest of the VPN as you would any other VPN, leaving out the PSK
  14. Push the policy

Notes:

  • This is best used for dynamic IP devices such as Safe@Office devices
  • These steps assume the Management Server is not also managing the remote dynamic IP gateways although the steps are not much different
