L2 VPN Hub Configuration
Description
The following configuration is an example of setting up a L2 VPN hub. In order to get this working on a SRX fireweall it requires quite a few protocols stacked together. One thing to note is that this configuration uses pppoe to connect to the internet. I will also assume you understand how to apply a basic configuration to a SRX firewall. Interface ge-0/0/1 has a circuit id of 1 that matches the config on the spoke for interface ge-0/0/7. So get ge-0/0/7 on the spoke and ge-0/0/1 on this firewall are a pseudowire.
Configuration
The following configuration is used to setup IPSec for spokes to connect to the hub. IPSec is setup to use IKEv2 agressive to allow dynamic IP connections. The df-bit clear is used to allow for fragmentation since we will be sending large packets. All configuration for interface ge-0/0/7 can be ignored in this configuartion as I use as a transition network to route traffic back into my other attached networks. I will post the set commands at the botoom of the page. This configuration is not perfect and you should really know what you're getting yourself into! :-)
security {
ike {
proposal ike-v2-prop {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
}
policy ike-policy-1 {
mode aggressive;
proposals ike-v2-prop;
pre-shared-key ascii-text "$9$xlcN-bYgJiqfLxNbsYoaFn6AO1REc"; ## SECRET-DATA
}
gateway ike-gate-1 {
ike-policy ike-policy-1;
dynamic user-at-hostname "l2-remote@designlogic.net";
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
local-identity key-id L2-Hub;
external-interface pp0;
version v2-only;
}
gateway ike-gate-2 {
ike-policy ike-policy-1;
dynamic user-at-hostname "l2-remote-2@designlogic.net";
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
local-identity key-id L2-Hub-2;
external-interface pp0;
version v2-only;
}
}
ipsec {
vpn-monitor-options {
interval 10;
threshold 10;
}
proposal ipsec-prop {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-policy-1 {
perfect-forward-secrecy {
keys group1;
}
proposals ipsec-prop;
}
vpn ipsec-vpn-1 {
bind-interface st0.0;
df-bit clear;
vpn-monitor {
optimized;
}
ike {
gateway ike-gate-1;
ipsec-policy ipsec-policy-1;
}
establish-tunnels immediately;
}
vpn ipsec-vpn-2 {
bind-interface st0.0;
df-bit clear;
vpn-monitor {
optimized;
}
ike {
gateway ike-gate-2;
ipsec-policy ipsec-policy-1;
}
establish-tunnels immediately;
}
}
When you apply this next configuration it should also be one under the security stanza. This configuration defines the firewall zones and interfaces that belong to the various zones.
policies {
from-zone VPN-L2 to-zone VPN-L2 {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ike;
ping;
ssh;
}
}
}
pp0.0 {
host-inbound-traffic {
system-services {
ike;
ping;
ssh;
}
}
}
}
}
security-zone VPN-L2 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
lo0.0;
gr-0/0/0.0;
gr-0/0/0.1;
}
}
security-zone L2-CCC {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
}
}
security-zone internal {
interfaces {
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
any-service;
}
protocols {
ospf;
}
}
}
}
}
}
}
The following is the inerface section. Please notice the MTU settings for each interface as it is important to have them set correctly otherwise you will not have enough headroom to send full size packets. The GRE interfaces have fragmentation enabled as well.
interfaces {
ge-0/0/0 {
unit 0 {
encapsulation ppp-over-ether;
}
}
gr-0/0/0 {
description "GRE tunnel to Remote";
unit 0 {
clear-dont-fragment-bit;
tunnel {
source 10.255.10.1;
destination 10.255.10.10;
allow-fragmentation;
}
family inet {
mtu 2000;
filter {
input inet-packet-mode;
}
address 10.255.20.1/30;
}
family mpls {
mtu 1900;
filter {
input mpls-packet-mode;
}
}
}
unit 1 {
clear-dont-fragment-bit;
tunnel {
source 10.255.10.1;
destination 10.255.10.11;
allow-fragmentation;
}
family inet {
mtu 1500;
filter {
input inet-packet-mode;
}
address 10.255.20.5/30;
}
family mpls {
mtu 1628;
filter {
input mpls-packet-mode;
}
}
}
}
ge-0/0/1 {
mtu 1560;
encapsulation ethernet-ccc;
unit 0 {
family ccc {
filter {
input l2circuit-packet-mode;
}
}
}
}
ge-0/0/2 {
encapsulation ethernet-ccc;
unit 0 {
family ccc {
filter {
input l2circuit-packet-mode;
}
}
}
}
ge-0/0/7 {
unit 0 {
family inet {
address 10.128.250.20/24;
}
}
}
fxp0 {
unit 0;
}
lo0 {
unit 0 {
family inet {
address 127.0.0.1/32;
address 10.255.255.1/32 {
primary;
}
}
family mpls;
}
}
pp0 {
unit 0 {
apply-macro CenturyLink;
ppp-options {
chap {
default-chap-secret "$9$hPyreWLxdsY4IEv8XN2gmP5z9t"; ## SECRET-DATA
local-name "<some_user>@centurylink.net";
no-rfc2486;
passive;
}
pap {
local-name "<some_user>@centurylink.net";
no-rfc2486;
local-password "$9$1XShSevWxdVs0BrKMLbwHk.f3/"; ## SECRET-DATA
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/0.0;
}
family inet {
negotiate-address;
}
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 10.255.10.1/24;
}
}
}
}
This is the routing options configuration. The default gateway and router-id are set here as well at the AS.
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop pp0.0 {
metric 1;
}
}
}
router-id 10.255.255.1;
autonomous-system 65535;
}
The following configuration is the procol section.
protocols {
mpls {
interface gr-0/0/0.0;
interface lo0.0;
interface gr-0/0/0.1;
}
bgp {
group VPLS {
type internal;
multihop;
local-address 10.255.255.1;
mtu-discovery;
family l2vpn {
signaling;
}
cluster 10.255.255.1;
neighbor 10.255.255.10;
neighbor 10.255.255.11;
}
}
ospf {
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface ge-0/0/7.0 {
inactive: authentication {
md5 1 key "$9$qmTF9Au01h/9v87dg4F36ABIrevW87Uj1EhSvMX7-w4Z"; ## SECRET-DATA
}
}
}
}
ldp {
interface gr-0/0/0.0;
interface gr-0/0/0.1;
interface all {
disable;
}
interface lo0.0;
session 10.255.255.10 {
authentication-key "$9$AmkJpuBRhrWX-9ApBIRSys2gJjHq.P"; ## SECRET-DATA
}
session 10.255.255.11 {
authentication-key "$9$AmkJpuBRhrWX-9ApBIRSys2gJjHq.P"; ## SECRET-DATA
}
}
l2circuit {
neighbor 10.255.255.10 {
interface ge-0/0/1.0 {
virtual-circuit-id 1;
ignore-mtu-mismatch;
}
}
neighbor 10.255.255.11 {
interface ge-0/0/2.0 {
virtual-circuit-id 2;
}
}
}
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
The firewall configuration below is the last section of the code and it's how we change certain types of traffic from session based to packet based forwarding.
firewall {
family inet {
filter inet-packet-mode {
term control-traffic {
from {
protocol tcp;
port [ 22 80 8080 646 179 ];
}
then accept;
}
term packet-mode {
then {
packet-mode;
accept;
}
}
}
}
family mpls {
filter mpls-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
family ccc {
filter l2circuit-packet-mode {
term ALL-TRAFFIC {
then {
packet-mode;
accept;
}
}
}
}
}
Full configuration as set commands
I'll even leave the system level stuff in the config below.
set system login user tyler uid 2000
set system login user tyler class super-user
set system login user tyler authentication encrypted-password "$6$eZ7nuXmB$alMzkCtqD23VXW9NA127Xy0K6NnUIGbsvgukV.XJVJt1Ak37zGHE0NSMDkVPcGJiasGq4r5cjcMTT9GFvOu9P."
set system root-authentication encrypted-password "$6$5AvjQglo$D/FbLzpugnDHdbqU4Gkc07EilTEspXD.wihLwfe49kyuLvf0YttuQA49yh/Z9ehk65RqOaKYU.Ck5xsMFhK440"
set system host-name SRX-L2VPN-Hub
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system services ssh
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
set security ike traceoptions file ipsec-trace-log
set security ike traceoptions flag all
set security ike proposal ike-v2-prop authentication-method pre-shared-keys
set security ike proposal ike-v2-prop dh-group group14
set security ike proposal ike-v2-prop authentication-algorithm sha-256
set security ike proposal ike-v2-prop encryption-algorithm aes-256-cbc
set security ike policy ike-policy-1 mode aggressive
set security ike policy ike-policy-1 proposals ike-v2-prop
set security ike policy ike-policy-1 pre-shared-key ascii-text "$9$xlcN-bYgJiqfLxNbsYoaFn6AO1REc"
set security ike gateway ike-gate-1 ike-policy ike-policy-1
set security ike gateway ike-gate-1 dynamic user-at-hostname "l2-remote@designlogic.net"
set security ike gateway ike-gate-1 dead-peer-detection optimized
set security ike gateway ike-gate-1 dead-peer-detection interval 10
set security ike gateway ike-gate-1 dead-peer-detection threshold 5
set security ike gateway ike-gate-1 local-identity key-id L2-Hub
set security ike gateway ike-gate-1 external-interface pp0
set security ike gateway ike-gate-1 version v2-only
set security ike gateway ike-gate-2 ike-policy ike-policy-1
set security ike gateway ike-gate-2 dynamic user-at-hostname "l2-remote-2@designlogic.net"
set security ike gateway ike-gate-2 dead-peer-detection optimized
set security ike gateway ike-gate-2 dead-peer-detection interval 10
set security ike gateway ike-gate-2 dead-peer-detection threshold 5
set security ike gateway ike-gate-2 local-identity key-id L2-Hub-2
set security ike gateway ike-gate-2 external-interface pp0
set security ike gateway ike-gate-2 version v2-only
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-policy-1 perfect-forward-secrecy keys group1
set security ipsec policy ipsec-policy-1 proposals ipsec-prop
set security ipsec vpn ipsec-vpn-1 bind-interface st0.0
set security ipsec vpn ipsec-vpn-1 df-bit clear
set security ipsec vpn ipsec-vpn-1 vpn-monitor optimized
set security ipsec vpn ipsec-vpn-1 ike gateway ike-gate-1
set security ipsec vpn ipsec-vpn-1 ike ipsec-policy ipsec-policy-1
set security ipsec vpn ipsec-vpn-1 establish-tunnels immediately
set security ipsec vpn ipsec-vpn-2 bind-interface st0.0
set security ipsec vpn ipsec-vpn-2 df-bit clear
set security ipsec vpn ipsec-vpn-2 vpn-monitor optimized
set security ipsec vpn ipsec-vpn-2 ike gateway ike-gate-2
set security ipsec vpn ipsec-vpn-2 ike ipsec-policy ipsec-policy-1
set security ipsec vpn ipsec-vpn-2 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone VPN-L2 to-zone VPN-L2 policy allow-all match source-address any
set security policies from-zone VPN-L2 to-zone VPN-L2 policy allow-all match destination-address any
set security policies from-zone VPN-L2 to-zone VPN-L2 policy allow-all match application any
set security policies from-zone VPN-L2 to-zone VPN-L2 policy allow-all then permit
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ssh
set security zones security-zone VPN-L2 host-inbound-traffic system-services all
set security zones security-zone VPN-L2 host-inbound-traffic protocols all
set security zones security-zone VPN-L2 interfaces st0.0
set security zones security-zone VPN-L2 interfaces lo0.0
set security zones security-zone VPN-L2 interfaces gr-0/0/0.0
set security zones security-zone VPN-L2 interfaces gr-0/0/0.1
set security zones security-zone L2-CCC host-inbound-traffic system-services all
set security zones security-zone L2-CCC host-inbound-traffic protocols all
set security zones security-zone L2-CCC interfaces ge-0/0/1.0
set security zones security-zone L2-CCC interfaces ge-0/0/2.0
set security zones security-zone internal interfaces ge-0/0/7.0 host-inbound-traffic system-services any-service
set security zones security-zone internal interfaces ge-0/0/7.0 host-inbound-traffic protocols ospf
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces gr-0/0/0 description "GRE tunnel to Remote"
set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.10.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.10.10
set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 0 family inet mtu 2000
set interfaces gr-0/0/0 unit 0 family inet filter input inet-packet-mode
set interfaces gr-0/0/0 unit 0 family inet address 10.255.20.1/30
set interfaces gr-0/0/0 unit 0 family mpls mtu 1900
set interfaces gr-0/0/0 unit 0 family mpls filter input mpls-packet-mode
set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 1 tunnel source 10.255.10.1
set interfaces gr-0/0/0 unit 1 tunnel destination 10.255.10.11
set interfaces gr-0/0/0 unit 1 tunnel allow-fragmentation
set interfaces gr-0/0/0 unit 1 family inet mtu 1500
set interfaces gr-0/0/0 unit 1 family inet filter input inet-packet-mode
set interfaces gr-0/0/0 unit 1 family inet address 10.255.20.5/30
set interfaces gr-0/0/0 unit 1 family mpls mtu 1628
set interfaces gr-0/0/0 unit 1 family mpls filter input mpls-packet-mode
set interfaces ge-0/0/1 mtu 1560
set interfaces ge-0/0/1 encapsulation ethernet-ccc
set interfaces ge-0/0/1 unit 0 family ccc filter input l2circuit-packet-mode
set interfaces ge-0/0/2 encapsulation ethernet-ccc
set interfaces ge-0/0/2 unit 0 family ccc filter input l2circuit-packet-mode
set interfaces ge-0/0/7 unit 0 family inet address 10.128.250.20/24
set interfaces fxp0 unit 0
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address 10.255.255.1/32 primary
set interfaces lo0 unit 0 family mpls
set interfaces pp0 unit 0 apply-macro CenturyLink
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$hPyreWLxdsY4IEv8XN2gmP5z9t"
set interfaces pp0 unit 0 ppp-options chap local-name "<some_user>@centurylink.net"
set interfaces pp0 unit 0 ppp-options chap no-rfc2486
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 ppp-options pap local-name "<some_user>@centurylink.net"
set interfaces pp0 unit 0 ppp-options pap no-rfc2486
set interfaces pp0 unit 0 ppp-options pap local-password "$9$1XShSevWxdVs0BrKMLbwHk.f3/"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.10.1/24
set routing-options static route 0.0.0.0/0 qualified-next-hop pp0.0 metric 1
set routing-options router-id 10.255.255.1
set routing-options autonomous-system 65535
set protocols l2iw
set protocols mpls interface gr-0/0/0.0
set protocols mpls interface lo0.0
set protocols mpls interface gr-0/0/0.1
set protocols bgp group VPLS type internal
set protocols bgp group VPLS multihop
set protocols bgp group VPLS local-address 10.255.255.1
set protocols bgp group VPLS mtu-discovery
set protocols bgp group VPLS family l2vpn signaling
set protocols bgp group VPLS cluster 10.255.255.1
set protocols bgp group VPLS neighbor 10.255.255.10
set protocols bgp group VPLS neighbor 10.255.255.11
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface gr-0/0/0.1
set protocols ospf area 0.0.0.0 interface ge-0/0/7.0 authentication md5 1 key "$9$qmTF9Au01h/9v87dg4F36ABIrevW87Uj1EhSvMX7-w4Z"
deactivate protocols ospf area 0.0.0.0 interface ge-0/0/7.0 authentication
set protocols ldp interface gr-0/0/0.0
set protocols ldp interface gr-0/0/0.1
set protocols ldp interface all disable
set protocols ldp interface lo0.0
set protocols ldp session 10.255.255.10 authentication-key "$9$AmkJpuBRhrWX-9ApBIRSys2gJjHq.P"
set protocols ldp session 10.255.255.11 authentication-key "$9$AmkJpuBRhrWX-9ApBIRSys2gJjHq.P"
set protocols l2circuit neighbor 10.255.255.10 interface ge-0/0/1.0 virtual-circuit-id 1
set protocols l2circuit neighbor 10.255.255.10 interface ge-0/0/1.0 ignore-mtu-mismatch
set protocols l2circuit neighbor 10.255.255.11 interface ge-0/0/2.0 virtual-circuit-id 2
set protocols l2-learning global-mode switching
set protocols rstp interface all
set firewall family inet filter inet-packet-mode term control-traffic from protocol tcp
set firewall family inet filter inet-packet-mode term control-traffic from port 22
set firewall family inet filter inet-packet-mode term control-traffic from port 80
set firewall family inet filter inet-packet-mode term control-traffic from port 8080
set firewall family inet filter inet-packet-mode term control-traffic from port 646
set firewall family inet filter inet-packet-mode term control-traffic from port 179
set firewall family inet filter inet-packet-mode term control-traffic then accept
set firewall family inet filter inet-packet-mode term packet-mode then packet-mode
set firewall family inet filter inet-packet-mode term packet-mode then accept
set firewall family mpls filter mpls-packet-mode term ALL-TRAFFIC then packet-mode
set firewall family mpls filter mpls-packet-mode term ALL-TRAFFIC then accept
set firewall family ccc filter l2circuit-packet-mode term ALL-TRAFFIC then packet-mode
set firewall family ccc filter l2circuit-packet-mode term ALL-TRAFFIC then accept
No Comments