
Web Security Service Legacy IPSEC Connectivity Instructions - Juniper SRX


Article ID: 174357


Products

Web Security Service - WSS

Issue/Introduction

Symantec has tested and validated that Juniper® devices can forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the pre-shared secret method, which requires a unique, publicly routable gateway IP address on the device (NAT Traversal is not used).


Version Demonstrated

  • SRX100h
  • Requires JUNOS Software Release 10.0R1.8 or later

This procedure provides a guideline configuration that you can apply to the above model or other Juniper models. It is likely that you have an existing Juniper device configured in your network; therefore, slight alterations to the existing deployment might be required.

Environment

Deployment Notes

  • The basic concept of this method is to configure the router with a site-to-site VPN connection and to configure the device policy rules so that web-based traffic is sent to the Web Security Service and everything else is ignored. Depending on your geographical location, you must create at least two VPN gateways.
  • The device must have an external routeable IP address.
  • Do not send Auth Connector traffic to the Web Security Service.
  • You can create a designated host or subnet that tests the IPsec connectivity to the Web Security Service without interrupting the production traffic. After successful testing, you then add production subnets.
  • The best practice is to rekey on the specified lifetime in seconds rather than on the lifetime in kilobytes.

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.

Resolution

  Prerequisite A—Verify that the router is ready for configuration.

  1. Select Configure > Interfaces.
  2. Verify the list has as many interface pairs as required, plus the management interface.

Step 1- Create a Phase 1 Proposal

  1. Select Configure > IPsec VPN > Auto Tunnel > Phase 1.
  2. Click Add.
    The device displays the Add Proposal/IKE Proposal dialog.
  3. Define the proposal.

    The Web Security Service supports many encryption combinations. See Reference: IKE Encryption and Authentication Algorithms.
    1. Name the proposal.
    2. Authentication Algorithm—Select a supported value; for example, sha-256.
    3. Authentication Method—Select pre-shared-keys.
    4. (Optional) Enter a Description for the proposal. A descriptive name allows others in your organization to know its purpose.
    5. Diffie-Hellman (DH) Group—Select a supported group; for example, group5.
    6. Encryption Algorithm—Select a supported value; for example, aes-128-cbc.
    7. Lifetime seconds—Set to 48000.
    8. Click OK.

Step 2—Define the IKE Policy

  1. On the Configure > IPsec VPN > Auto Tunnel > Phase 1 page, click the IKE Policy tab.
  2. Click Add. The device displays the Add Policy/IKE Policy dialog/tab.
  3. Configure the IKE policy to use the cloud phase 1 proposal defined in Step 1.
    1. Name the policy.
    2. Mode—Select main.
    3. Select User Defined; select the P1 Proposal from Step 1 and click the arrow to move it to the Selected list.
  4. Define the pre-shared key, which is the shared secret that authenticates both ends of the encrypted tunnel between the router and the Web Security Service.
    1. Click the IKE Policy Options tab.
    2. Select Pre Shared Key.
    3. Select Ascii text and enter the key.
      Tip: The PSK must be at least eight characters and cannot use special characters.
    4. Click OK.

Step 3—Create a Site to Site Tunnel gateway, enable Dead Peer Detection, and disable NAT Traversal

  1. On the Configure > IPsec VPN > Auto Tunnel > Phase 1 page, click the IKE Gateway tab.
  2. Click Add.
    The device displays the Add Gateway/IKE Gateway dialog/tab.
  3. Configure the gateway to use the IKE policy from Step 2.
    1. Name the gateway.
    2. Select the IKE Policy that you defined in Step 2.
    3. Select which External Interface connects to the Web Security Service.
    4. Select Site to Site Tunnel.
    5. Enter the primary Web Security Service IP Address.
      Refer to this article to determine the closest Data Center to your network: https://support.symantec.com/en_US/article.TECH242979.html
    6. For the Local ID, select IP Address and enter the device's external IP address.
  4. Enable Dead Peer Detection and disable NAT Traversal.
    1. Click the IKE Gateway Options tab.
    2. Select Dead Peer Detection.
      Select Always send. Set the Interval value to 10 (seconds between probes) and the Threshold value to 5 (consecutive unanswered probes before the peer is declared dead).
    3. Select NAT-Traversal: Disable.
    4. Click OK.

Step 4—Define the cloud connection (Phase 2) proposal

  1. Select Configure > IPsec VPN > Dynamic VPN > IPSec Autokey.
  2. Click Add.
    The device displays the Configure > Dynamic VPN page.
  3. Set the dynamic Phase 2 parameters.
    1. Name the Phase 2 proposal.
    2. (Optional) Enter a Description for the proposal. A descriptive name allows others in your organization to know its purpose.
    3. Authentication Algorithm—Select hmac-sha1-96.
    4. Encryption Algorithm—Symantec recommends 3des-cbc.
    5. Lifetime kilobytes—Symantec recommends 1000000.
    6. Lifetime seconds—Symantec recommends 14400 (four hours; see the Phase 2 Timeout note above).
    7. Protocol—Select esp, which provides confidentiality (encryption) together with source authentication and content integrity.
    8. Click OK.

Step 5—Define the IPsec policy

  1. Click the IPSec Policy tab.
  2. Click Add.
    The device displays the Configure > Dynamic VPN page.
  3. Define the policy.
    1. Name the policy.
    2. (Optional) Enter a Description for the policy.
      A descriptive name allows others in your organization to know the purpose of this policy.
    3. Perfect Forward Secrecy—Symantec recommends group5.
    4. For the Proposal, select User Defined and select the proposal you defined in Step 4.
    5. Click OK.

Step 6—Create the IPsec gateway

  1. Click the IPSec AutoKey tab.
  2. Click Add.
    The device displays the Configure > Dynamic VPN page.
  3. Configure the VPN connection to use the cloud gateway and VPN policy.
    1. Name the VPN.
    2. Remote gateway—Select the gateway you created in Step 3.
    3. IPSec policy—Select the IPsec policy you created in Step 5.
    4. Establish tunnels—Select on-traffic.
      This option consumes fewer resources, as tunnels are established only when needed. 
    5. Click OK.

Step 7—Define policy that routes HTTP traffic to the Web Security Service

  1. Select Configure > Security > Policy > FW Policies.
  2. Click Add.
    The device displays the Add Policy/Policy page.
  3. Create policy that routes HTTP traffic to the Web Security Service.
    1. Name the policy.
    2. From Zone—Select trust.
    3. To Zone—Select untrust.
    4. Source Address—Select all applicable subnets, or, if you created a Policy Element that contains your internal subnets, select it.
    5. Destination Address—Select any.
    6. Application—Select junos-http.
      This is the default element that includes TCP traffic on port 80.
    7. Policy Action—Select permit.
      When you select this, the SRX interface displays the Permit Action tab.
      Proceed to the next step to complete the policy.
  4. On the Permit Action tab, select Tunnel and choose the Web Security Service VPN that you created in Step 6.
  5. Click OK.

Step 8—Repeat Step 7 for the HTTPS protocol

In Step 7.3.6, select junos-https.
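
The same configuration expressed as Junos CLI set commands, as an added example that is not part of the original article and was not supplied by Symantec or Juniper. It reproduces the values chosen in Steps 1 through 8 (Phase 1: pre-shared keys, main mode, group5, sha-256, aes-128-cbc, 48000-second lifetime; Phase 2: esp, hmac-sha1-96, 3des-cbc, 14400 seconds and 1000000 kilobytes, PFS group5; DPD always-send with interval 10 and threshold 5; NAT Traversal disabled; tunnels established on traffic; trust-to-untrust policies for junos-http and junos-https). The object names (wss-*), the external interface fe-0/0/0.0, the external address 198.51.100.2, the test host 10.1.1.50, and the data center address 203.0.113.10 are assumptions; replace them with your own values and with the address of the closest data center from the article referenced in Step 3. Lines beginning with # are explanatory.

```junos
# Added example (not from the original article): Junos set commands for Steps 1-8.
# Assumed placeholders: fe-0/0/0.0, 198.51.100.2, 203.0.113.10, 10.1.1.50/32, the PSK.

# Step 1 - Phase 1 (IKE) proposal
set security ike proposal wss-ike-proposal authentication-method pre-shared-keys
set security ike proposal wss-ike-proposal dh-group group5
set security ike proposal wss-ike-proposal authentication-algorithm sha-256
set security ike proposal wss-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal wss-ike-proposal lifetime-seconds 48000

# Step 2 - IKE policy: main mode, the proposal above, ASCII pre-shared key
# (at least eight characters, no special characters)
set security ike policy wss-ike-policy mode main
set security ike policy wss-ike-policy proposals wss-ike-proposal
set security ike policy wss-ike-policy pre-shared-key ascii-text "REPLACE-WITH-YOUR-PSK"

# Step 3 - IKE gateway: primary data center address, local ID = external IP,
# DPD always-send every 10 s with a threshold of 5 missed probes, NAT-T off
set security ike gateway wss-ike-gateway ike-policy wss-ike-policy
set security ike gateway wss-ike-gateway address 203.0.113.10
set security ike gateway wss-ike-gateway external-interface fe-0/0/0.0
set security ike gateway wss-ike-gateway local-identity inet 198.51.100.2
set security ike gateway wss-ike-gateway dead-peer-detection always-send
set security ike gateway wss-ike-gateway dead-peer-detection interval 10
set security ike gateway wss-ike-gateway dead-peer-detection threshold 5
set security ike gateway wss-ike-gateway no-nat-traversal

# Step 4 - Phase 2 (IPsec) proposal
set security ipsec proposal wss-ipsec-proposal protocol esp
set security ipsec proposal wss-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal wss-ipsec-proposal encryption-algorithm 3des-cbc
set security ipsec proposal wss-ipsec-proposal lifetime-seconds 14400
set security ipsec proposal wss-ipsec-proposal lifetime-kilobytes 1000000

# Step 5 - IPsec policy with Perfect Forward Secrecy group5
set security ipsec policy wss-ipsec-policy perfect-forward-secrecy keys group5
set security ipsec policy wss-ipsec-policy proposals wss-ipsec-proposal

# Step 6 - IPsec VPN bound to the gateway and policy, brought up on traffic
set security ipsec vpn wss-vpn ike gateway wss-ike-gateway
set security ipsec vpn wss-vpn ike ipsec-policy wss-ipsec-policy
set security ipsec vpn wss-vpn establish-tunnels on-traffic

# Designated test host first (Deployment Notes); widen to production subnets
# once the tunnel is verified. Keep the Auth Connector host out of this set.
set security zones security-zone trust address-book address wss-test-host 10.1.1.50/32

# Steps 7 and 8 - only HTTP and HTTPS from trust to untrust enter the tunnel;
# all other traffic keeps matching the policies that follow these two
set security policies from-zone trust to-zone untrust policy wss-http match source-address wss-test-host
set security policies from-zone trust to-zone untrust policy wss-http match destination-address any
set security policies from-zone trust to-zone untrust policy wss-http match application junos-http
set security policies from-zone trust to-zone untrust policy wss-http then permit tunnel ipsec-vpn wss-vpn
set security policies from-zone trust to-zone untrust policy wss-https match source-address wss-test-host
set security policies from-zone trust to-zone untrust policy wss-https match destination-address any
set security policies from-zone trust to-zone untrust policy wss-https match application junos-https
set security policies from-zone trust to-zone untrust policy wss-https then permit tunnel ipsec-vpn wss-vpn
```

Security policies are evaluated in order, so if an existing trust-to-untrust policy already permits all traffic, move the two new policies above it (for example, insert security policies from-zone trust to-zone untrust policy wss-http before policy default-permit, where default-permit is an assumed name for your existing policy); otherwise web traffic never reaches the tunnel. After commit, generate HTTP traffic from the test host and confirm that Phase 1 and Phase 2 came up with show security ike security-associations and show security ipsec security-associations. The 3des-cbc and hmac-sha1-96 values are reproduced from Step 4 because that is what this legacy procedure specifies; the reference named in Step 1 lists the other combinations the service supports.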

 

Failover Configuration

If you are sending traffic to Singapore, which currently requires two IP addresses, or you want to provide a layer of failover for other connection issues, use the CLI to add the secondary Web Security Service IP address to the IKE gateway you created in Step 3 (cloud_access_ike_gateway, BC_Cloud_Gateway, primary_cloud_IP, and secondary_cloud_IP are placeholders for your own gateway name, IKE policy name, and data center addresses):
       set security ike gateway cloud_access_ike_gateway address secondary_cloud_IP

The resulting gateway configuration lists both addresses:

       gateway cloud_access_ike_gateway {
           ike-policy BC_Cloud_Gateway;
           address [ primary_cloud_IP secondary_cloud_IP ];
       }
