Juniper Networks SRX Series Firewalls
This tutorial provides information and examples of how to configure Juniper Networks SRX Series Firewalls with Magic WAN.
Confirm that you have the Cloudflare anycast IPs for your account. You should have two IPs allocated.
The goal is to configure two IPsec tunnels for each endpoint. This provides you with tunnel redundancy and the ability to load balance ingress and egress traffic (via ECMP).
Additionally, you will need to select two subnets (either /31 or /30) for the Virtual Tunnel Interfaces (st0.x) to control what traffic is routed through the tunnels.
This section of the document will cover the configuration of:
- Magic IPsec tunnels
- Magic static routes
- Start by creating the IPsec tunnels in the Cloudflare dashboard with the following values:
- Tunnel name: Up to 15 characters (no spaces).
- Description (Optional).
- Interface address: This is the Virtual Tunnel Interface (VTI =
st0.x) RFC 1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. - Customer endpoint: This is the public IP address the tunnel will be established with on the Juniper SRX.
- Cloudflare endpoint: One of the two Cloudflare anycast IP addresses.
- Pre-shared key: Choose Add pre-shared key later.
- Select Add IPsec Tunnel and fill in the values for the second tunnel to the same Juniper SRX:
- The IP addresses used for the Interface address must be a unique RFC 1918 address (
/31or/30). - The Customer endpoint is the same IP specified for the first tunnel.
- The Cloudflare Endpoint for the second tunnel will be the second Cloudflare anycast IP provisioned for your account.
- The IP addresses used for the Interface address must be a unique RFC 1918 address (
- Select Add tunnels. We also recommend selecting Test Tunnels to ensure that the settings do not conflict with any other tunnels defined in your account and that you specified the correct anycast IP addresses.
- Because we chose to add a pre-shared key at a later stage, you will see a warning indicator next to the tunnel names after creating them. This is expected behavior and indicates there is no pre-shared key associated with the tunnel.
- Select Edit next to one of the tunnels to generate a pre-shared key.
- Select Generate a new pre-shared key > Update and generate a pre-shared key. Make note of the pre-shared key and store it somewhere safe.
- Repeat the previous step for the second tunnel.
- Expand the properties of the first tunnel, and take note of the Tunnel ID and FQDN ID values.
- Repeat this step for the second tunnel.
This document assumes that the trust zone behind the Juniper SRX firewall has a single subnet:
10.1.20.0/24
Magic static routes define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes.
Cloudflare leverages equal-cost multi-path routing to control steering of traffic across the tunnels. The default priority for each route is 100 — traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed.
- Create a static route with the following values. Make sure you select the first tunnel in Tunnel/Next hop:
- Description: The description for the static route assigned to your first tunnel.
- Prefix: Enter the destination subnet for which this route is intended. For this example, it is
10.1.20.0/24as stated above. - Tunnel/Next hop: Choose your first tunnel from the drop-down menu.
- Priority: Default value is
100. - Region code: Leave set to All Regions unless otherwise specified.
- Select Add Static Route to add a second route for the same subnet. Make sure the second tunnel is selected in Tunnel/Next hop.
- Select Test routes to ensure the settings will be accepted, and then select Add Routes.
- Confirm the routes were added correctly in Magic WAN > Configuration > Static Routes.
The configuration settings in this document are based on JUNOS 21.4R3-S4.9.
There may be some differences in the syntax of the commands in the version on your SRX devices, however the principles are the same. Please refer to the Juniper product documentation for more information.
The following elements will be configured on the Juniper SRX firewall(s):
- Add tunnel interfaces (
st0.x) - Assign tunnel interfaces to a security zone
- Allow required protocols to both the tunnel and untrust security zones
- IKE configuration
- IPsec configuration
- Static routes
- Security policies
- Add two tunnel interfaces:
set interfaces st0 unit 0 family inet address 10.252.2.21/31set interfaces st0 unit 1 family inet address 10.252.2.23/31- Confirm settings:
admin@srx220> show configuration interfaces st0unit 0 { family inet { address 10.252.2.21/31; }}unit 1 { family inet { address 10.252.2.23/31; }}Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to all for system-services and protocols should be fine.
set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic system-services allset security zones security-zone cloudflare interfaces st0.0 host-inbound-trafficadmin@srx220> show configuration security zones security-zone cloudflareinterfaces { st0.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } st0.1 { host-inbound-traffic { system-services { all; } protocols { all; } } }}Add ping and ike to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. If your security policy blocks ping by default, you will need to create a firewall-filter to allow ICMP from the Cloudflare IPv4 address space ↗ — not covered in this tutorial.
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services pingset security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ikeadmin@srx220> show configuration security zones security-zone untrustinterfaces { ge-0/0/2.0 { host-inbound-traffic { system-services { ping; ike; } } }}Add an IKE proposal that specifies the Phase 1 Configuration Parameters:
set security ike proposal cf_ike_magic_wan_prop authentication-method pre-shared-keysset security ike proposal cf_ike_magic_wan_prop dh-group group14set security ike proposal cf_ike_magic_wan_prop authentication-algorithm sha-256set security ike proposal cf_ike_magic_wan_prop encryption-algorithm aes-256-cbcset security ike proposal cf_ike_magic_wan_prop lifetime-seconds 28800Define two IKE policies — one for each of the two Magic IPsec tunnels:
Tunnel 1 (SRX220_IPSEC_01)
set security ike policy cf_magic_wan_pol_01 mode mainset security ike policy cf_magic_wan_pol_01 proposals cf_ike_magic_wan_propset security ike policy cf_magic_wan_pol_01 pre-shared-key ascii-text "$9$CnJ0tO1<REDACTED>NwsmfTQ69"Tunnel 2 (SRX220_IPSEC_02)
set security ike policy cf_magic_wan_pol_02 mode mainset security ike policy cf_magic_wan_pol_02 proposals cf_ike_magic_wan_propset security ike policy cf_magic_wan_pol_02 pre-shared-key ascii-text "$9$sH4GD<REDACTED>HqQzIEclvL"Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the local-identity hostname setting.
Tunnel 1 (SRX220_IPSEC_01)
set security ike gateway cf_magic_wan_gw_01 ike-policy cf_magic_wan_pol_01set security ike gateway cf_magic_wan_gw_01 address 162.xx.xx.164set security ike gateway cf_magic_wan_gw_01 local-identity hostname 755339a<REDACTED>1ffcc01.33145236.ipsec.cloudflare.comset security ike gateway cf_magic_wan_gw_01 external-interface ge-0/0/2.0set security ike gateway cf_magic_wan_gw_01 version v2-onlyTunnel 2 (SRX220_IPSEC_02)
set security ike gateway cf_magic_wan_gw_02 ike-policy cf_magic_wan_pol_02set security ike gateway cf_magic_wan_gw_02 address 172.xx.xx.164set security ike gateway cf_magic_wan_gw_02 local-identity hostname abac7146c<REDACTED>3de918e0.33145236.ipsec.cloudflare.comset security ike gateway cf_magic_wan_gw_02 external-interface ge-0/0/2.0set security ike gateway cf_magic_wan_gw_02 version v2-onlyAdd an IPsec proposal that specifies the Phase 2 Configuration Parameters:
set security ipsec proposal cf_ipsec_magic_wan_prop authentication-algorithm hmac-sha-256-128set security ipsec proposal cf_ipsec_magic_wan_prop encryption-algorithm aes-256-cbcset security ipsec proposal cf_ipsec_magic_wan_prop lifetime-seconds 28800Define two IPsec policies — one for each of the two Magic IPsec tunnels. It is crucial to ensure that:
- Anti-replay protection is disabled.
- Use
no-anti-replay↗ as the setting
- Use
- The SRX is the tunnel initiator:
- Cloudflare will not instantiate the tunnel
- If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel
- Use
establish-tunnels immediately↗ as the setting.
Tunnel 1 (SRX220_IPSEC_01)
set security ipsec vpn cf_magic_wan_tun_01 bind-interface st0.0set security ipsec vpn cf_magic_wan_tun_01 ike gateway cf_magic_wan_gw_01set security ipsec vpn cf_magic_wan_tun_01 ike no-anti-replayset security ipsec vpn cf_magic_wan_tun_01 ike ipsec-policy cf_magic_wan_ipsec_polset security ipsec vpn cf_magic_wan_tun_01 establish-tunnels immediatelyTunnel 2 (SRX220_IPSEC_02)
set security ipsec vpn cf_magic_wan_tun_02 bind-interface st0.1set security ipsec vpn cf_magic_wan_tun_02 ike gateway cf_magic_wan_gw_02set security ipsec vpn cf_magic_wan_tun_02 ike no-anti-replayset security ipsec vpn cf_magic_wan_tun_02 ike ipsec-policy cf_magic_wan_ipsec_polset security ipsec vpn cf_magic_wan_tun_02 establish-tunnels immediatelyThis configuration only factors in one local site (10.1.20.0/24). In this example, we assume devices in the trust zone need to route traffic to a remote subnet that is at another Magic WAN-protected site (10.1.100.0/24).
Define a static route on the SRX to route traffic to 10.1.100.0/24 with redundant routes that reference each of the two tunnels. There are two ways to accomplish this:
By adding two destinations for the same route:
set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20set routing-options static route 10.1.100.0/24 next-hop 10.252.2.22admin@srx220> show configuration routing-options staticroute 10.1.100.0/24 next-hop [ 10.252.2.20 10.252.2.22 ];Or using the qualified-next-hop ↗ option:
admin@srx220> show configuration routing-options | display setset routing-options static route 0.0.0.0/0 next-hop 23.XX.XXX.46set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20set routing-options static route 10.1.100.0/24 qualified-next-hop 10.252.2.22static { route 0.0.0.0/0 next-hop 23.XX.XXX.46; route 10.1.100.0/24 { next-hop 10.252.2.20; qualified-next-hop 10.252.2.22; }}Define security policies to permit traffic flows destined for Magic WAN protected resources. The source/destination zones will need to incorporate the zone containing the tunnel interfaces.
There are two very simple rules to allow traffic bidirectionally — it is generally recommended to start with a similar policy, then to add more stringent rules once general connectivity is established successfully.
From Cloudflare to trust:
set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match source-address anyset security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match destination-address anyset security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match application anyset security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust then permitset security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust then log session-closeadmin@srx220> show configuration security policies from-zone trust to-zone cloudflarepolicy trust_to_cloudflare_permit { match { source-address any; destination-address any; application any; } then { permit; log { session-close; } }}From trust to Cloudflare:
set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match source-address anyset security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match destination-address anyset security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match application anyset security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit then permitset security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit then log session-closeTo confirm, run:
admin@srx220> show configuration security policies from-zone trust to-zone cloudflarepolicy trust_to_cloudflare_permit { match { source-address any; destination-address any; application any; } then { permit; log { session-close; } }}There are several diagnostic commands available to view the status of IPsec tunnels.
show security ike active-peer ↗
admin@srx220> show security ike active-peerRemote Address Port Peer IKE-ID XAUTH username Assigned IP162.XXX.XX.164 500 162.XX.XXX.164 not available 0.0.0.0172.XX.XXX.164 500 172.XX.XXX.164 not available 0.0.0.0show security ike security-associations ↗
admin@srx220> show security ike security-associationsIndex State Initiator cookie Responder cookie Mode Remote Address3628774 UP 51078ae37b319d23 1475e3b48ca89a9a IKEv2 162.XXX.XX.1643628775 UP b2d9a698b6224fc9 7fb1a9f81db0611c IKEv2 172.XX.XXX.164show security ipsec security-associations ↗
admin@srx220> show security ipsec security-associationsTotal active tunnels: 2ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway<131073 ESP:aes-cbc-256/sha256 d28e709e 28565/unlim - root 500 162.XXX.66.164>131073 ESP:aes-cbc-256/sha256 25aed8ae 28565/unlim - root 500 162.XXX.XX.164<131074 ESP:aes-cbc-256/sha256 3f13176d 28566/unlim - root 500 172.XX.XXX.164>131074 ESP:aes-cbc-256/sha256 965169e9 28566/unlim - root 500 172.XX.XXX.164It is very helpful to enable debug logging via traceoptions while setting up the tunnels. The log data can be exceptionally useful in determining if there are issues and, if so, where they might be occurring.
set security ike traceoptions file ike-debug.logset security ike traceoptions file size 1mset security ike traceoptions file files 3set security ike traceoptions file world-readableset security ike traceoptions flag allThe log file can be viewed by doing the following:
- From an operational mode, run start shell.
- Use the
tailcommand to view the contents of the log file in real-time:tail -f /var/log/ike-debug.log - Press CTRL + C when finished.
- Type
exitto return to the operational mode prompt.
Either deactivate traceoptions or delete traceoptions once debugging is complete.
deactivate security ike traceoptionsConfirm traceoptions is deactivated with:
admin@srx220> show configuration security ikeinactive: traceoptions { file ike-debug.log size m files 3 world-readable; flag all;}It is also possible to enable traceoptions for IPsec. However, it is not possible to specify the name of the log file. All events are logged to /var/log/kmd.
set security ipsec traceoptions flag all