Juniper Networks SRX Series Firewalls
This tutorial provides information and examples of how to configure Juniper Networks SRX Series Firewalls with Magic WAN.
Confirm that you have the Cloudflare anycast IPs for your account. You should have two IPs allocated.
The goal is to configure two IPsec tunnels for each endpoint. This provides you with tunnel redundancy and the ability to load balance ingress and egress traffic (via ECMP).
Additionally, you will need to select two subnets (either /31
or /30
) for the Virtual Tunnel Interfaces (st0.x
) to control what traffic is routed through the tunnels.
This section of the document will cover the configuration of:
- Magic IPsec tunnels
- Magic static routes
- Start by creating the IPsec tunnels in the Cloudflare dashboard with the following values:
- Tunnel name: Up to 15 characters (no spaces).
- Description (Optional).
- Interface address: This is the Virtual Tunnel Interface (VTI =
st0.x
) RFC 1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. - Customer endpoint: This is the public IP address the tunnel will be established with on the Juniper SRX.
- Cloudflare endpoint: One of the two Cloudflare anycast IP addresses.
- Pre-shared key: Choose Add pre-shared key later.
- Select Add IPsec Tunnel and fill in the values for the second tunnel to the same Juniper SRX:
- The IP addresses used for the Interface address must be a unique RFC 1918 address (
/31
or/30
). - The Customer endpoint is the same IP specified for the first tunnel.
- The Cloudflare Endpoint for the second tunnel will be the second Cloudflare anycast IP provisioned for your account.
- The IP addresses used for the Interface address must be a unique RFC 1918 address (
- Select Add tunnels. We also recommend selecting Test Tunnels to ensure that the settings do not conflict with any other tunnels defined in your account and that you specified the correct anycast IP addresses.
- Because we chose to add a pre-shared key at a later stage, you will see a warning indicator next to the tunnel names after creating them. This is expected behavior and indicates there is no pre-shared key associated with the tunnel.
- Select Edit next to one of the tunnels to generate a pre-shared key.
- Select Generate a new pre-shared key > Update and generate a pre-shared key. Make note of the pre-shared key and store it somewhere safe.
- Repeat the previous step for the second tunnel.
- Expand the properties of the first tunnel, and take note of the Tunnel ID and FQDN ID values.
- Repeat this step for the second tunnel.
This document assumes that the trust zone behind the Juniper SRX firewall has a single subnet:
10.1.20.0/24
Magic static routes define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes.
Cloudflare leverages equal-cost multi-path routing to control steering of traffic across the tunnels. The default priority for each route is 100
— traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed.
- Create a static route with the following values. Make sure you select the first tunnel in Tunnel/Next hop:
- Description: The description for the static route assigned to your first tunnel.
- Prefix: Enter the destination subnet for which this route is intended. For this example, it is
10.1.20.0/24
as stated above. - Tunnel/Next hop: Choose your first tunnel from the drop-down menu.
- Priority: Default value is
100
. - Region code: Leave set to All Regions unless otherwise specified.
- Select Add Static Route to add a second route for the same subnet. Make sure the second tunnel is selected in Tunnel/Next hop.
- Select Test routes to ensure the settings will be accepted, and then select Add Routes.
- Confirm the routes were added correctly in Magic WAN > Configuration > Static Routes.
The configuration settings in this document are based on JUNOS 21.4R3-S4.9.
There may be some differences in the syntax of the commands in the version on your SRX devices, however the principles are the same. Please refer to the Juniper product documentation for more information.
The following elements will be configured on the Juniper SRX firewall(s):
- Add tunnel interfaces (
st0.x
) - Assign tunnel interfaces to a security zone
- Allow required protocols to both the tunnel and untrust security zones
- IKE configuration
- IPsec configuration
- Static routes
- Security policies
- Add two tunnel interfaces:
- Confirm settings:
Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping
, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to all
for system-services and protocols should be fine.
Add ping
and ike
to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. If your security policy blocks ping
by default, you will need to create a firewall-filter to allow ICMP from the Cloudflare IPv4 address space ↗ — not covered in this tutorial.
Add an IKE proposal that specifies the Phase 1 Configuration Parameters:
Define two IKE policies — one for each of the two Magic IPsec tunnels:
Tunnel 1 (SRX220_IPSEC_01)
Tunnel 2 (SRX220_IPSEC_02)
Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the local-identity
hostname setting.
Tunnel 1 (SRX220_IPSEC_01)
Tunnel 2 (SRX220_IPSEC_02)
Add an IPsec proposal that specifies the Phase 2 Configuration Parameters:
Define two IPsec policies — one for each of the two Magic IPsec tunnels. It is crucial to ensure that:
- Anti-replay protection is disabled.
- Use
no-anti-replay
↗ as the setting
- Use
- The SRX is the tunnel initiator:
- Cloudflare will not instantiate the tunnel
- If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel
- Use
establish-tunnels immediately
↗ as the setting.
Tunnel 1 (SRX220_IPSEC_01)
Tunnel 2 (SRX220_IPSEC_02)
This configuration only factors in one local site (10.1.20.0/24
). In this example, we assume devices in the trust zone need to route traffic to a remote subnet that is at another Magic WAN-protected site (10.1.100.0/24
).
Define a static route on the SRX to route traffic to 10.1.100.0/24
with redundant routes that reference each of the two tunnels. There are two ways to accomplish this:
By adding two destinations for the same route:
Or using the qualified-next-hop ↗ option:
Define security policies to permit traffic flows destined for Magic WAN protected resources. The source/destination zones will need to incorporate the zone containing the tunnel interfaces.
There are two very simple rules to allow traffic bidirectionally — it is generally recommended to start with a similar policy, then to add more stringent rules once general connectivity is established successfully.
From Cloudflare to trust:
From trust to Cloudflare:
To confirm, run:
There are several diagnostic commands available to view the status of IPsec tunnels.
show security ike active-peer
↗
show security ike security-associations
↗
show security ipsec security-associations
↗
It is very helpful to enable debug logging via traceoptions
while setting up the tunnels. The log data can be exceptionally useful in determining if there are issues and, if so, where they might be occurring.
The log file can be viewed by doing the following:
- From an operational mode, run start shell.
- Use the
tail
command to view the contents of the log file in real-time: - Press CTRL + C when finished.
- Type
exit
to return to the operational mode prompt.
Either deactivate traceoptions
or delete traceoptions
once debugging is complete.
Confirm traceoptions
is deactivated with:
It is also possible to enable traceoptions
for IPsec. However, it is not possible to specify the name of the log file. All events are logged to /var/log/kmd
.