From 8e35d8263af2eaf9b4551cf10e6add13da51b7ad Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 20 Nov 2024 17:13:04 +0000 Subject: [PATCH 1/7] added content --- .../manually/third-party/juniper.mdx | 471 ++++++++++++++++++ 1 file changed, 471 insertions(+) create mode 100644 src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx new file mode 100644 index 00000000000000..64f58711a1aaab --- /dev/null +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx @@ -0,0 +1,471 @@ +--- +pcx_content_type: integration-guide +title: Juniper Networks SRX Series Firewalls + +--- + +# Magic IPSec Tunnels \- Juniper Networks SRX Series Firewalls + +This tutorial provides information and examples of how to configure Juniper Networks SRX Series Firewalls with Magic WAN. + +## Prerequisites + +Confirm that you have the Cloudflare anycast IPs for your account. You should have two IPs allocated. + +The goal is to configure two IPsec tunnels for each endpoint. This provides us with tunnel redundancy and the ability to load balance ingress and egress traffic (via ECMP). + +Additionally, you will need to select two subnets (either \`/31\` or \`/30\`) for the Virtual Tunnel Interfaces (st0.x) to control what traffic is routed through the tunnels. + +## Cloudflare Magic WAN Configuration + +This section of the document will cover the configuration of: + +* Magic IPSec tunnels +* Magic static routes + +### Magic IPSec Tunnels + +1. Start by [creating the IPsec tunnels](https://developers.cloudflare.com/magic-wan/configuration/manually/how-to/configure-tunnels/#add-tunnels) in the Cloudflare Dashboard with the following values: +* **Tunnel name**: Up to 15 characters (no spaces) +* **Description** (Optional) +* **Interface address**: This is the Virtual Tunnel Interface (VTI \= st0.x) RFC1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. +* **Customer endpoint**: This is the public IP address the tunnel will be established with on the Juniper SRX. +* **Cloudflare endpoint**: One of the two Cloudflare anycast IP addresses. +* **Pre-shared key**: Choose **Add pre-shared key later**. + +2. Select **Add IPsec Tunnel** and fill in the values for the second tunnel to the same Juniper SRX: +* The IP addresses used for the Interface address must be a unique RFC1918 address (\`/31\` or \`/30\`). +* The **Customer endpoint** is the same IP specified for the first tunnel. +* The **Cloudflare Endpoint** for the second tunnel will be the second Cloudflare anycast IP provisioned for your account. + +3. Select **Add tunnels**. We also recommend selecting **Test Tunnels** to ensure that the settings do not conflict with any other tunnels defined in your account and that the correct Anycast IP addresses are specified. + +4. Because we chose to add a pre-shared key at a later stage, you will see a warning indicator next to the tunnel names after creating them. This is expected behavior and indicates there is no pre-shared key associated with the tunnel. + +5. Select **Edit** next to one of the tunnels to generate a pre-shared key. + +6. Select **Generate a new pre-shared key** \> **Update and generate a pre-shared key**. Make note of the pre-shared key and store it somewhere safe. + +**NOTE**: You can update the pre-shared key at any time by repeating this step. Just make sure to add the new value of the new pre-shared key to the corresponding tunnel configuration on the Juniper device. + +7. Repeat the previous step for the second tunnel. + +8. Expand the properties of each of the first tunnel, and take note of the **Tunnel ID** and **FQDN ID** values. + +9. Repeat this step for the second tunnel. + +**NOTE:** These values are unique per tunnel and remain the same even if you update the pre-shared key. The only time these values change is if you delete and recreate the tunnel. + +### Magic Static Routes + +This document assumes that the **trust zone** behind the Juniper SRX firewall has a single subnet: + +* \`10.1.20.0/24\` + +[Magic Static Routes](https://developers.cloudflare.com/magic-wan/get-started/configure-static-routes/) define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. + +Cloudflare leverages [Equal Cost Multipath Routing](https://developers.cloudflare.com/magic-wan/reference/traffic-steering/) to control steering of traffic across the tunnels. The default priority for each route is \`100\` — traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed. + +1. Create a static route with the following values. Make sure you select the first tunnel in **Tunnel/Next hop**: +* **Description:** The description for the static route assigned to your first tunnel +* **Prefix**: Enter the destination subnet for which this route is intended. For this example, it is \`10.1.20.0/24\` as stated above. +* **Tunnel/Next hop:**Choose your first tunnel from the drop-down menu. +* **Priority**: Default value is 100\. +* **Region code**: Leave set to **All Regions** unless otherwise specified. + +2. Select **Add Static Route** to add a second route for the same subnet. Make sure the second tunnel is selected in **Tunnel/Next hop**. + +3. Select **Test routes** to ensure the settings will be accepted, and then select **Add Routes**. + +4. Confirm the routes were added correctly, in **Magic WAN** \> **Configuration** \> **Static Routes**. + +## Juniper SRX Configuration + +The configuration settings in this document are based on JUNOS 21.4R3-S4.9. + +There may be some differences in the syntax of the commands in the version on your SRX devices, however the principles are the same. Please refer to the Juniper product documentation for more information. + +The following elements will be configured on the Juniper SRX firewall(s): + +* Add tunnel interfaces (st0.*x*) +* Assign tunnel interfaces to a security zone +* Allow required protocols to both the tunnel and untrust security zones +* IKE configuration +* IPSec configuration +* Static routes +* Security policies + +### Tunnel Interfaces + +Add two tunnel interfaces: + +``` +set interfaces st0 unit 0 family inet address 10.252.2.21/31 +set interfaces st0 unit 1 family inet address 10.252.2.23/31 +``` + +Confirm settings: + +``` +admin@srx220> show configuration interfaces st0 +unit 0 { + family inet { + address 10.252.2.21/31; + } +} +unit 1 { + family inet { + address 10.252.2.23/31; + } +} +``` + +### Security Zone (cloudflare) \- Tunnel Interfaces + +Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to \`all**\`** for system-services and protocols should be fine. + +``` +set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic system-services all +set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic +``` + +``` +admin@srx220> show configuration security zones security-zone cloudflare +interfaces { + st0.0 { + host-inbound-traffic { + system-services { + all; + } + protocols { + all; + } + } + } + st0.1 { + host-inbound-traffic { + system-services { + all; + } + protocols { + all; + } + } + } +} +``` + +### Security Zone (untrust) \- Host-Inbound-Traffic + +Add \`ping\` and \`ike\` to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. If your security policy blocks ping by default, you will need to create a firewall-filter to allow ICMP from the [Cloudflare IPv4 address space](https://www.cloudflare.com/ips-v4) — not covered in this tutorial. + +``` +set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping +set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike +``` + +``` +admin@srx220> show configuration security zones security-zone untrust +interfaces { + ge-0/0/2.0 { + host-inbound-traffic { + system-services { + ping; + ike; + } + } + } +} +``` + +### IKE \- Phase 1 + +#### IKE proposal + +Add an IKE proposal that specifies the [Phase 1 Configuration Parameters](https://developers.cloudflare.com/magic-wan/how-to/ipsec/#phase-1): + +``` +set security ike proposal cf_ike_magic_wan_prop authentication-method pre-shared-keys +set security ike proposal cf_ike_magic_wan_prop dh-group group14 +set security ike proposal cf_ike_magic_wan_prop authentication-algorithm sha-256 +set security ike proposal cf_ike_magic_wan_prop encryption-algorithm aes-256-cbc +set security ike proposal cf_ike_magic_wan_prop lifetime-seconds 28800 +``` + +#### IKE policies + +Define two IKE policies — one for each of the two Magic IPSec tunnels: + +**Tunnel 1 (SRX220\_IPSEC\_01)** + +``` +set security ike policy cf_magic_wan_pol_01 mode main +set security ike policy cf_magic_wan_pol_01 proposals cf_ike_magic_wan_prop +set security ike policy cf_magic_wan_pol_01 pre-shared-key ascii-text "$9$CnJ0tO1NwsmfTQ69" +``` + +**Tunnel 2 (SRX220\_IPSEC\_02)** + +``` +set security ike policy cf_magic_wan_pol_02 mode main +set security ike policy cf_magic_wan_pol_02 proposals cf_ike_magic_wan_prop +set security ike policy cf_magic_wan_pol_02 pre-shared-key ascii-text "$9$sH4GDHqQzIEclvL" +``` + +#### IKE gateways + +Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the \`local-identity\` hostname setting. + +**Tunnel 1 (SRX220\_IPSEC\_01)** + +``` +set security ike gateway cf_magic_wan_gw_01 ike-policy cf_magic_wan_pol_01 +set security ike gateway cf_magic_wan_gw_01 address 162.xx.xx.164 +set security ike gateway cf_magic_wan_gw_01 local-identity hostname 755339a1ffcc01.33145236.ipsec.cloudflare.com +set security ike gateway cf_magic_wan_gw_01 external-interface ge-0/0/2.0 +set security ike gateway cf_magic_wan_gw_01 version v2-only +``` + +**Tunnel 2 (SRX220\_IPSEC\_02)** + +``` +set security ike gateway cf_magic_wan_gw_02 ike-policy cf_magic_wan_pol_02 +set security ike gateway cf_magic_wan_gw_02 address 172.xx.xx.164 +set security ike gateway cf_magic_wan_gw_02 local-identity hostname abac7146c3de918e0.33145236.ipsec.cloudflare.com +set security ike gateway cf_magic_wan_gw_02 external-interface ge-0/0/2.0 +set security ike gateway cf_magic_wan_gw_02 version v2-only +``` + +### Phase 2 \- IPSec + +#### IPSec proposal + +Add an IPSec proposal that specifies the [Phase 2 Configuration Parameters](https://developers.cloudflare.com/magic-wan/how-to/ipsec/#phase-2): + +``` +set security ipsec proposal cf_ipsec_magic_wan_prop authentication-algorithm hmac-sha-256-128 +set security ipsec proposal cf_ipsec_magic_wan_prop encryption-algorithm aes-256-cbc +set security ipsec proposal cf_ipsec_magic_wan_prop lifetime-seconds 28800 +``` + +#### IPSec policies + +Define two IPSec policies — one for each of the two Magic IPSec tunnels. It is crucial to ensure that: + +* [Anti-replay](https://developers.cloudflare.com/magic-wan/reference/anti-replay-protection/) protection is disabled. + * Use [no-anti-replay](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/no-anti-replay-edit-services.html) as the setting +* The SRX is the tunnel initiator: + * Cloudflare will not instantiate the tunnel + * If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel + * Use \`[establish-tunnels immediately](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/establish-tunnels-edit-services-ipsec-vpn.html)\` as the setting. + +**Tunnel 1 (SRX220\_IPSEC\_01)** + +``` +set security ipsec vpn cf_magic_wan_tun_01 bind-interface st0.0 +set security ipsec vpn cf_magic_wan_tun_01 ike gateway cf_magic_wan_gw_01 +set security ipsec vpn cf_magic_wan_tun_01 ike no-anti-replay +set security ipsec vpn cf_magic_wan_tun_01 ike ipsec-policy cf_magic_wan_ipsec_pol +set security ipsec vpn cf_magic_wan_tun_01 establish-tunnels immediately +``` + +**Tunnel 2 (SRX220\_IPSEC\_02)** + +``` +set security ipsec vpn cf_magic_wan_tun_02 bind-interface st0.1 +set security ipsec vpn cf_magic_wan_tun_02 ike gateway cf_magic_wan_gw_02 +set security ipsec vpn cf_magic_wan_tun_02 ike no-anti-replay +set security ipsec vpn cf_magic_wan_tun_02 ike ipsec-policy cf_magic_wan_ipsec_pol +set security ipsec vpn cf_magic_wan_tun_02 establish-tunnels immediately +``` + +### Static Routes + +This configuration only factors in one local site (\`10.1.20.0/24\`). In this example, we assume devices in the trust zone need to route traffic to a remote subnet that is at another Magic WAN-protected site (\`10.1.100.0/24\`). + +Define a static route on the SRX to route traffic to \`10.1.100.0/24\` with redundant routes that reference each of the two tunnels. There are two ways to accomplish this: + +**By adding two destinations for the same route:** + +``` +set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20 +set routing-options static route 10.1.100.0/24 next-hop 10.252.2.22 +``` + +``` +admin@srx220> show configuration routing-options static +route 10.1.100.0/24 next-hop [ 10.252.2.20 10.252.2.22 ]; +``` + +**Or using the [qualified-next-hop](https://www.juniper.net/documentation/us/en/software/junos/static-routing/topics/ref/statement/qualified-next-hop-edit-routing-options.html) option:** + +``` +admin@srx220> show configuration routing-options | display set +set routing-options static route 0.0.0.0/0 next-hop 23.XX.XXX.46 +set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20 +set routing-options static route 10.1.100.0/24 qualified-next-hop 10.252.2.22 +``` + +``` +static { + route 0.0.0.0/0 next-hop 23.XX.XXX.46; + route 10.1.100.0/24 { + next-hop 10.252.2.20; + qualified-next-hop 10.252.2.22; + } +} +``` + +### Security Policies + +Define security policies to permit traffic flows destined for Magic WAN protected resources. The source/destination zones will need to incorporate the zone containing the tunnel interfaces. + +There are two very simple rules to allow traffic bidirectionally — it is generally recommended to start with a similar policy, then to add more stringent rules once general connectivity is established successfully. + +**From *cloudflare* to *trust*:** + +``` +set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match source-address any +set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match destination-address any +set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match application any +set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust then permit +set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust then log session-close +``` + +``` +admin@srx220> show configuration security policies from-zone trust to-zone cloudflare +policy trust_to_cloudflare_permit { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + log { + session-close; + } + } +} +``` + +**From *trust* to *cloudflare*:** + +``` +set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match source-address any +set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match destination-address any +set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match application any +set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit then permit +set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit then log session-close +``` + +To confirm, run: + +``` +admin@srx220> show configuration security policies from-zone trust to-zone cloudflare +policy trust_to_cloudflare_permit { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + log { + session-close; + } + } +} +``` + +## Troubleshooting + +### Validate tunnel connectivity + +There are several diagnostic commands available to view the status of IPsec tunnels. + +#### Phase 1 + +[show security ike active-peer](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-active-peer.html) + +``` +admin@srx220> show security ike active-peer +Remote Address Port Peer IKE-ID XAUTH username Assigned IP +162.XXX.XX.164 500 162.XX.XXX.164 not available 0.0.0.0 +172.XX.XXX.164 500 172.XX.XXX.164 not available 0.0.0.0 +``` + +[show security ike security-associations](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-security-associations.html) + +``` +admin@srx220> show security ike security-associations +Index State Initiator cookie Responder cookie Mode Remote Address +3628774 UP 51078ae37b319d23 1475e3b48ca89a9a IKEv2 162.XXX.XX.164 +3628775 UP b2d9a698b6224fc9 7fb1a9f81db0611c IKEv2 172.XX.XXX.164 +``` + +#### Phase 2 + +[show security ipsec security-associations](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ipsec-security-associations.html) + +``` +admin@srx220> show security ipsec security-associations + Total active tunnels: 2 + ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway + <131073 ESP:aes-cbc-256/sha256 d28e709e 28565/unlim - root 500 162.XXX.66.164 + >131073 ESP:aes-cbc-256/sha256 25aed8ae 28565/unlim - root 500 162.XXX.XX.164 + <131074 ESP:aes-cbc-256/sha256 3f13176d 28566/unlim - root 500 172.XX.XXX.164 + >131074 ESP:aes-cbc-256/sha256 965169e9 28566/unlim - root 500 172.XX.XXX.164 +``` + +### IKE Traceoptions + +It is very helpful to enable debug logging via \`traceoptions\` while setting up the tunnels. The log data can be exceptionally useful in determining if there are issues and, if so, where they might be occuring. + +#### Enable IKE \`traceoptions\` + +``` +set security ike traceoptions file ike-debug.log +set security ike traceoptions file size 1m +set security ike traceoptions file files 3 +set security ike traceoptions file world-readable +set security ike traceoptions flag all +``` + +The log file can be viewed by doing the following: + +1. From an operational mode, run **start shell**. +2. Then use the \`tail\` command to view the contents of the log file in real-time: + +``` +tail -f /var/log/ike-debug.log +``` + +3. Press CTRL+C when finished. +4. Type \`exit\` to return to the operational mode prompt. + +Either deactivate \`traceoptions\` or delete \`traceoptions\` once debugging is complete. + +#### Deactivate IKE \`traceoptions\` + +``` +deactivate security ike traceoptions +``` + +Confirm traceoptions is deactivated with: + +``` +admin@srx220> show configuration security ike +inactive: traceoptions { + file ike-debug.log size m files 3 world-readable; + flag all; +} +``` + +#### IPsec \`traceoptions\` + +It is also possible to enable \`traceoptions\` for IPsec. However, it is not possible to specify the name of the log file. All events are logged to \`/var/log/kmd\`. + +``` +set security ipsec traceoptions flag all +``` \ No newline at end of file From 0d11c25f77ec9449f6ea6dadd6219047186dae73 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Thu, 21 Nov 2024 10:21:36 +0000 Subject: [PATCH 2/7] cleaned markdown --- .../manually/third-party/juniper.mdx | 369 +++++++++--------- 1 file changed, 194 insertions(+), 175 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx index 64f58711a1aaab..cf8be0b6fbf78d 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx @@ -4,8 +4,6 @@ title: Juniper Networks SRX Series Firewalls --- -# Magic IPSec Tunnels \- Juniper Networks SRX Series Firewalls - This tutorial provides information and examples of how to configure Juniper Networks SRX Series Firewalls with Magic WAN. ## Prerequisites @@ -20,23 +18,23 @@ Additionally, you will need to select two subnets (either \`/31\` or \`/30\`) fo This section of the document will cover the configuration of: -* Magic IPSec tunnels -* Magic static routes +- Magic IPSec tunnels +- Magic static routes ### Magic IPSec Tunnels -1. Start by [creating the IPsec tunnels](https://developers.cloudflare.com/magic-wan/configuration/manually/how-to/configure-tunnels/#add-tunnels) in the Cloudflare Dashboard with the following values: -* **Tunnel name**: Up to 15 characters (no spaces) -* **Description** (Optional) -* **Interface address**: This is the Virtual Tunnel Interface (VTI \= st0.x) RFC1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. -* **Customer endpoint**: This is the public IP address the tunnel will be established with on the Juniper SRX. -* **Cloudflare endpoint**: One of the two Cloudflare anycast IP addresses. -* **Pre-shared key**: Choose **Add pre-shared key later**. +1. Start by [creating the IPsec tunnels](/magic-wan/configuration/manually/how-to/configure-tunnels/#add-tunnels) in the Cloudflare Dashboard with the following values: + - **Tunnel name**: Up to 15 characters (no spaces). + - **Description** (Optional). + - **Interface address**: This is the Virtual Tunnel Interface (VTI = `st0.x`) RFC1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. + - **Customer endpoint**: This is the public IP address the tunnel will be established with on the Juniper SRX. + - **Cloudflare endpoint**: One of the two Cloudflare anycast IP addresses. + - **Pre-shared key**: Choose **Add pre-shared key later**. 2. Select **Add IPsec Tunnel** and fill in the values for the second tunnel to the same Juniper SRX: -* The IP addresses used for the Interface address must be a unique RFC1918 address (\`/31\` or \`/30\`). -* The **Customer endpoint** is the same IP specified for the first tunnel. -* The **Cloudflare Endpoint** for the second tunnel will be the second Cloudflare anycast IP provisioned for your account. + - The IP addresses used for the Interface address must be a unique RFC1918 address (`/31` or `/30`). + - The **Customer endpoint** is the same IP specified for the first tunnel. + - The **Cloudflare Endpoint** for the second tunnel will be the second Cloudflare anycast IP provisioned for your account. 3. Select **Add tunnels**. We also recommend selecting **Test Tunnels** to ensure that the settings do not conflict with any other tunnels defined in your account and that the correct Anycast IP addresses are specified. @@ -44,9 +42,11 @@ This section of the document will cover the configuration of: 5. Select **Edit** next to one of the tunnels to generate a pre-shared key. -6. Select **Generate a new pre-shared key** \> **Update and generate a pre-shared key**. Make note of the pre-shared key and store it somewhere safe. +6. Select **Generate a new pre-shared key** > **Update and generate a pre-shared key**. Make note of the pre-shared key and store it somewhere safe. -**NOTE**: You can update the pre-shared key at any time by repeating this step. Just make sure to add the new value of the new pre-shared key to the corresponding tunnel configuration on the Juniper device. + :::note + You can update the pre-shared key at any time by repeating this step. Just make sure to add the new value of the new pre-shared key to the corresponding tunnel configuration on the Juniper device. + ::: 7. Repeat the previous step for the second tunnel. @@ -54,30 +54,32 @@ This section of the document will cover the configuration of: 9. Repeat this step for the second tunnel. -**NOTE:** These values are unique per tunnel and remain the same even if you update the pre-shared key. The only time these values change is if you delete and recreate the tunnel. + :::note + These values are unique per tunnel and remain the same even if you update the pre-shared key. The only time these values change is if you delete and recreate the tunnel. + ::: ### Magic Static Routes This document assumes that the **trust zone** behind the Juniper SRX firewall has a single subnet: -* \`10.1.20.0/24\` +- `10.1.20.0/24` -[Magic Static Routes](https://developers.cloudflare.com/magic-wan/get-started/configure-static-routes/) define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. +[Magic Static Routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. -Cloudflare leverages [Equal Cost Multipath Routing](https://developers.cloudflare.com/magic-wan/reference/traffic-steering/) to control steering of traffic across the tunnels. The default priority for each route is \`100\` — traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed. +Cloudflare leverages [Equal Cost Multipath Routing](/magic-wan/reference/traffic-steering/) to control steering of traffic across the tunnels. The default priority for each route is `100` — traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed. 1. Create a static route with the following values. Make sure you select the first tunnel in **Tunnel/Next hop**: -* **Description:** The description for the static route assigned to your first tunnel -* **Prefix**: Enter the destination subnet for which this route is intended. For this example, it is \`10.1.20.0/24\` as stated above. -* **Tunnel/Next hop:**Choose your first tunnel from the drop-down menu. -* **Priority**: Default value is 100\. -* **Region code**: Leave set to **All Regions** unless otherwise specified. + - **Description:** The description for the static route assigned to your first tunnel. + - **Prefix**: Enter the destination subnet for which this route is intended. For this example, it is `10.1.20.0/24` as stated above. + - **Tunnel/Next hop**: Choose your first tunnel from the drop-down menu. + - **Priority**: Default value is `100`\`. + - **Region code**: Leave set to **All Regions** unless otherwise specified. 2. Select **Add Static Route** to add a second route for the same subnet. Make sure the second tunnel is selected in **Tunnel/Next hop**. 3. Select **Test routes** to ensure the settings will be accepted, and then select **Add Routes**. -4. Confirm the routes were added correctly, in **Magic WAN** \> **Configuration** \> **Static Routes**. +4. Confirm the routes were added correctly in **Magic WAN** > **Configuration** > **Static Routes**. ## Juniper SRX Configuration @@ -87,104 +89,110 @@ There may be some differences in the syntax of the commands in the version on yo The following elements will be configured on the Juniper SRX firewall(s): -* Add tunnel interfaces (st0.*x*) -* Assign tunnel interfaces to a security zone -* Allow required protocols to both the tunnel and untrust security zones -* IKE configuration -* IPSec configuration -* Static routes -* Security policies +- Add tunnel interfaces (`st0.x`) +- Assign tunnel interfaces to a security zone +- Allow required protocols to both the tunnel and untrust security zones +- IKE configuration +- IPSec configuration +- Static routes +- Security policies ### Tunnel Interfaces -Add two tunnel interfaces: +1. Add two tunnel interfaces: -``` +```txt set interfaces st0 unit 0 family inet address 10.252.2.21/31 set interfaces st0 unit 1 family inet address 10.252.2.23/31 ``` -Confirm settings: +2. Confirm settings: -``` +```txt admin@srx220> show configuration interfaces st0 +``` +```txt output unit 0 { - family inet { - address 10.252.2.21/31; - } + family inet { + address 10.252.2.21/31; + } } unit 1 { - family inet { - address 10.252.2.23/31; - } + family inet { + address 10.252.2.23/31; + } } ``` -### Security Zone (cloudflare) \- Tunnel Interfaces +### Security Zone (cloudflare) - Tunnel Interfaces -Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to \`all**\`** for system-services and protocols should be fine. +Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to `all` for system-services and protocols should be fine. -``` +```txt set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic system-services all set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic ``` -``` +```txt admin@srx220> show configuration security zones security-zone cloudflare +``` +```txt output interfaces { - st0.0 { - host-inbound-traffic { - system-services { - all; - } - protocols { - all; - } - } - } - st0.1 { - host-inbound-traffic { - system-services { - all; - } - protocols { - all; - } - } - } + st0.0 { + host-inbound-traffic { + system-services { + all; + } + protocols { + all; + } + } + } + st0.1 { + host-inbound-traffic { + system-services { + all; + } + protocols { + all; + } + } + } } ``` -### Security Zone (untrust) \- Host-Inbound-Traffic +### Security Zone (untrust) - Host-Inbound-Traffic -Add \`ping\` and \`ike\` to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. If your security policy blocks ping by default, you will need to create a firewall-filter to allow ICMP from the [Cloudflare IPv4 address space](https://www.cloudflare.com/ips-v4) — not covered in this tutorial. +Add `ping` and `ike` to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. If your security policy blocks ping by default, you will need to create a firewall-filter to allow ICMP from the [Cloudflare IPv4 address space](https://www.cloudflare.com/ips-v4) — not covered in this tutorial. -``` +```txt set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike ``` -``` +```txt admin@srx220> show configuration security zones security-zone untrust +``` +```txt output interfaces { - ge-0/0/2.0 { - host-inbound-traffic { - system-services { - ping; - ike; - } - } - } + ge-0/0/2.0 { + host-inbound-traffic { + system-services { + ping; + ike; + } + } + } } ``` -### IKE \- Phase 1 +### IKE - Phase 1 #### IKE proposal -Add an IKE proposal that specifies the [Phase 1 Configuration Parameters](https://developers.cloudflare.com/magic-wan/how-to/ipsec/#phase-1): +Add an IKE proposal that specifies the [Phase 1 Configuration Parameters](/magic-wan/reference/tunnels/#supported-configuration-parameters): -``` +```txt set security ike proposal cf_ike_magic_wan_prop authentication-method pre-shared-keys set security ike proposal cf_ike_magic_wan_prop dh-group group14 set security ike proposal cf_ike_magic_wan_prop authentication-algorithm sha-256 @@ -196,17 +204,17 @@ set security ike proposal cf_ike_magic_wan_prop lifetime-seconds 28800 Define two IKE policies — one for each of the two Magic IPSec tunnels: -**Tunnel 1 (SRX220\_IPSEC\_01)** +**Tunnel 1 (SRX220_IPSEC_01)** -``` +```txt set security ike policy cf_magic_wan_pol_01 mode main set security ike policy cf_magic_wan_pol_01 proposals cf_ike_magic_wan_prop set security ike policy cf_magic_wan_pol_01 pre-shared-key ascii-text "$9$CnJ0tO1NwsmfTQ69" ``` -**Tunnel 2 (SRX220\_IPSEC\_02)** +**Tunnel 2 (SRX220_IPSEC_02)** -``` +```txt set security ike policy cf_magic_wan_pol_02 mode main set security ike policy cf_magic_wan_pol_02 proposals cf_ike_magic_wan_prop set security ike policy cf_magic_wan_pol_02 pre-shared-key ascii-text "$9$sH4GDHqQzIEclvL" @@ -216,9 +224,9 @@ set security ike policy cf_magic_wan_pol_02 pre-shared-key ascii-text "$9$sH4GD< Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the \`local-identity\` hostname setting. -**Tunnel 1 (SRX220\_IPSEC\_01)** +**Tunnel 1 (SRX220_IPSEC_01)** -``` +```txt set security ike gateway cf_magic_wan_gw_01 ike-policy cf_magic_wan_pol_01 set security ike gateway cf_magic_wan_gw_01 address 162.xx.xx.164 set security ike gateway cf_magic_wan_gw_01 local-identity hostname 755339a1ffcc01.33145236.ipsec.cloudflare.com @@ -226,9 +234,9 @@ set security ike gateway cf_magic_wan_gw_01 external-interface ge-0/0/2.0 set security ike gateway cf_magic_wan_gw_01 version v2-only ``` -**Tunnel 2 (SRX220\_IPSEC\_02)** +**Tunnel 2 (SRX220_IPSEC_02)** -``` +```txt set security ike gateway cf_magic_wan_gw_02 ike-policy cf_magic_wan_pol_02 set security ike gateway cf_magic_wan_gw_02 address 172.xx.xx.164 set security ike gateway cf_magic_wan_gw_02 local-identity hostname abac7146c3de918e0.33145236.ipsec.cloudflare.com @@ -236,13 +244,13 @@ set security ike gateway cf_magic_wan_gw_02 external-interface ge-0/0/2.0 set security ike gateway cf_magic_wan_gw_02 version v2-only ``` -### Phase 2 \- IPSec +### Phase 2 - IPSec #### IPSec proposal -Add an IPSec proposal that specifies the [Phase 2 Configuration Parameters](https://developers.cloudflare.com/magic-wan/how-to/ipsec/#phase-2): +Add an IPSec proposal that specifies the [Phase 2 Configuration Parameters](/magic-wan/reference/tunnels/#supported-configuration-parameters): -``` +```txt set security ipsec proposal cf_ipsec_magic_wan_prop authentication-algorithm hmac-sha-256-128 set security ipsec proposal cf_ipsec_magic_wan_prop encryption-algorithm aes-256-cbc set security ipsec proposal cf_ipsec_magic_wan_prop lifetime-seconds 28800 @@ -252,16 +260,16 @@ set security ipsec proposal cf_ipsec_magic_wan_prop lifetime-seconds 28800 Define two IPSec policies — one for each of the two Magic IPSec tunnels. It is crucial to ensure that: -* [Anti-replay](https://developers.cloudflare.com/magic-wan/reference/anti-replay-protection/) protection is disabled. - * Use [no-anti-replay](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/no-anti-replay-edit-services.html) as the setting -* The SRX is the tunnel initiator: - * Cloudflare will not instantiate the tunnel - * If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel - * Use \`[establish-tunnels immediately](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/establish-tunnels-edit-services-ipsec-vpn.html)\` as the setting. +- [Anti-replay](/magic-wan/reference/anti-replay-protection/) protection is disabled. + - Use [`no-anti-replay`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/no-anti-replay-edit-services.html) as the setting +- The SRX is the tunnel initiator: + - Cloudflare will not instantiate the tunnel + - If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel + - Use [`establish-tunnels immediately`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/establish-tunnels-edit-services-ipsec-vpn.html) as the setting. -**Tunnel 1 (SRX220\_IPSEC\_01)** +**Tunnel 1 (SRX220_IPSEC_01)** -``` +```txt set security ipsec vpn cf_magic_wan_tun_01 bind-interface st0.0 set security ipsec vpn cf_magic_wan_tun_01 ike gateway cf_magic_wan_gw_01 set security ipsec vpn cf_magic_wan_tun_01 ike no-anti-replay @@ -269,9 +277,9 @@ set security ipsec vpn cf_magic_wan_tun_01 ike ipsec-policy cf_magic_wan_ipsec_p set security ipsec vpn cf_magic_wan_tun_01 establish-tunnels immediately ``` -**Tunnel 2 (SRX220\_IPSEC\_02)** +**Tunnel 2 (SRX220_IPSEC_02)** -``` +```txt set security ipsec vpn cf_magic_wan_tun_02 bind-interface st0.1 set security ipsec vpn cf_magic_wan_tun_02 ike gateway cf_magic_wan_gw_02 set security ipsec vpn cf_magic_wan_tun_02 ike no-anti-replay @@ -281,38 +289,39 @@ set security ipsec vpn cf_magic_wan_tun_02 establish-tunnels immediately ### Static Routes -This configuration only factors in one local site (\`10.1.20.0/24\`). In this example, we assume devices in the trust zone need to route traffic to a remote subnet that is at another Magic WAN-protected site (\`10.1.100.0/24\`). +This configuration only factors in one local site (`10.1.20.0/24`). In this example, we assume devices in the trust zone need to route traffic to a remote subnet that is at another Magic WAN-protected site (`10.1.100.0/24`). -Define a static route on the SRX to route traffic to \`10.1.100.0/24\` with redundant routes that reference each of the two tunnels. There are two ways to accomplish this: +Define a static route on the SRX to route traffic to `10.1.100.0/24` with redundant routes that reference each of the two tunnels. There are two ways to accomplish this: **By adding two destinations for the same route:** -``` +```txt set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20 set routing-options static route 10.1.100.0/24 next-hop 10.252.2.22 ``` -``` +```txt admin@srx220> show configuration routing-options static +``` +```txt output route 10.1.100.0/24 next-hop [ 10.252.2.20 10.252.2.22 ]; ``` **Or using the [qualified-next-hop](https://www.juniper.net/documentation/us/en/software/junos/static-routing/topics/ref/statement/qualified-next-hop-edit-routing-options.html) option:** -``` +```txt admin@srx220> show configuration routing-options | display set set routing-options static route 0.0.0.0/0 next-hop 23.XX.XXX.46 set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20 set routing-options static route 10.1.100.0/24 qualified-next-hop 10.252.2.22 ``` - -``` +```txt output static { - route 0.0.0.0/0 next-hop 23.XX.XXX.46; - route 10.1.100.0/24 { - next-hop 10.252.2.20; - qualified-next-hop 10.252.2.22; - } + route 0.0.0.0/0 next-hop 23.XX.XXX.46; + route 10.1.100.0/24 { + next-hop 10.252.2.20; + qualified-next-hop 10.252.2.22; + } } ``` @@ -324,7 +333,7 @@ There are two very simple rules to allow traffic bidirectionally — it is gener **From *cloudflare* to *trust*:** -``` +```txt set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match source-address any set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match destination-address any set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match application any @@ -332,26 +341,28 @@ set security policies from-zone cloudflare to-zone trust policy cloudflare_to_tr set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust then log session-close ``` -``` +```txt admin@srx220> show configuration security policies from-zone trust to-zone cloudflare +``` +```txt output policy trust_to_cloudflare_permit { - match { - source-address any; - destination-address any; - application any; - } - then { - permit; - log { - session-close; - } - } + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + log { + session-close; + } + } } ``` **From *trust* to *cloudflare*:** -``` +```txt set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match source-address any set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match destination-address any set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match application any @@ -361,20 +372,22 @@ set security policies from-zone trust to-zone cloudflare policy trust_to_cloudfl To confirm, run: -``` +```txt admin@srx220> show configuration security policies from-zone trust to-zone cloudflare +``` +```txt output policy trust_to_cloudflare_permit { - match { - source-address any; - destination-address any; - application any; - } - then { - permit; - log { - session-close; - } - } + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + log { + session-close; + } + } } ``` @@ -386,19 +399,23 @@ There are several diagnostic commands available to view the status of IPsec tunn #### Phase 1 -[show security ike active-peer](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-active-peer.html) +[`show security ike active-peer`](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-active-peer.html) -``` +```txt admin@srx220> show security ike active-peer +``` +```txt output Remote Address Port Peer IKE-ID XAUTH username Assigned IP 162.XXX.XX.164 500 162.XX.XXX.164 not available 0.0.0.0 172.XX.XXX.164 500 172.XX.XXX.164 not available 0.0.0.0 ``` -[show security ike security-associations](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-security-associations.html) +[`show security ike security-associations`](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-security-associations.html) -``` +```txt admin@srx220> show security ike security-associations +``` +```txt output Index State Initiator cookie Responder cookie Mode Remote Address 3628774 UP 51078ae37b319d23 1475e3b48ca89a9a IKEv2 162.XXX.XX.164 3628775 UP b2d9a698b6224fc9 7fb1a9f81db0611c IKEv2 172.XX.XXX.164 @@ -406,25 +423,27 @@ Index State Initiator cookie Responder cookie Mode Remote Address #### Phase 2 -[show security ipsec security-associations](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ipsec-security-associations.html) +[`show security ipsec security-associations`](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ipsec-security-associations.html) -``` +```txt admin@srx220> show security ipsec security-associations - Total active tunnels: 2 - ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway - <131073 ESP:aes-cbc-256/sha256 d28e709e 28565/unlim - root 500 162.XXX.66.164 - >131073 ESP:aes-cbc-256/sha256 25aed8ae 28565/unlim - root 500 162.XXX.XX.164 - <131074 ESP:aes-cbc-256/sha256 3f13176d 28566/unlim - root 500 172.XX.XXX.164 - >131074 ESP:aes-cbc-256/sha256 965169e9 28566/unlim - root 500 172.XX.XXX.164 +``` +```txt output +Total active tunnels: 2 +ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway +<131073 ESP:aes-cbc-256/sha256 d28e709e 28565/unlim - root 500 162.XXX.66.164 +>131073 ESP:aes-cbc-256/sha256 25aed8ae 28565/unlim - root 500 162.XXX.XX.164 +<131074 ESP:aes-cbc-256/sha256 3f13176d 28566/unlim - root 500 172.XX.XXX.164 +>131074 ESP:aes-cbc-256/sha256 965169e9 28566/unlim - root 500 172.XX.XXX.164 ``` -### IKE Traceoptions +### IKE `traceoptions` -It is very helpful to enable debug logging via \`traceoptions\` while setting up the tunnels. The log data can be exceptionally useful in determining if there are issues and, if so, where they might be occuring. +It is very helpful to enable debug logging via `traceoptions` while setting up the tunnels. The log data can be exceptionally useful in determining if there are issues and, if so, where they might be occurring. -#### Enable IKE \`traceoptions\` +#### Enable IKE `traceoptions` -``` +```txt set security ike traceoptions file ike-debug.log set security ike traceoptions file size 1m set security ike traceoptions file files 3 @@ -435,37 +454,37 @@ set security ike traceoptions flag all The log file can be viewed by doing the following: 1. From an operational mode, run **start shell**. -2. Then use the \`tail\` command to view the contents of the log file in real-time: - -``` -tail -f /var/log/ike-debug.log -``` +2. Then use the `tail` command to view the contents of the log file in real-time: + ```txt + tail -f /var/log/ike-debug.log + ``` +3. Press `CTRL+C` when finished. +4. Type `exit` to return to the operational mode prompt. -3. Press CTRL+C when finished. -4. Type \`exit\` to return to the operational mode prompt. +Either deactivate `traceoptions` or delete `traceoptions` once debugging is complete. -Either deactivate \`traceoptions\` or delete \`traceoptions\` once debugging is complete. +#### Deactivate IKE `traceoptions` -#### Deactivate IKE \`traceoptions\` - -``` +```txt deactivate security ike traceoptions ``` -Confirm traceoptions is deactivated with: +Confirm `traceoptions` is deactivated with: -``` +```txt admin@srx220> show configuration security ike +``` +```txt output inactive: traceoptions { - file ike-debug.log size m files 3 world-readable; - flag all; + file ike-debug.log size m files 3 world-readable; + flag all; } ``` -#### IPsec \`traceoptions\` +#### IPsec `traceoptions` -It is also possible to enable \`traceoptions\` for IPsec. However, it is not possible to specify the name of the log file. All events are logged to \`/var/log/kmd\`. +It is also possible to enable `traceoptions` for IPsec. However, it is not possible to specify the name of the log file. All events are logged to `/var/log/kmd`. -``` +```txt set security ipsec traceoptions flag all ``` \ No newline at end of file From 98dcff79daee4f486e337d7f95e5a9da6bcad944 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Thu, 21 Nov 2024 11:05:52 +0000 Subject: [PATCH 3/7] refined page --- .../manually/third-party/juniper.mdx | 54 +++++++------------ 1 file changed, 20 insertions(+), 34 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx index cf8be0b6fbf78d..912ec79da38580 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx @@ -12,73 +12,59 @@ Confirm that you have the Cloudflare anycast IPs for your account. You should ha The goal is to configure two IPsec tunnels for each endpoint. This provides us with tunnel redundancy and the ability to load balance ingress and egress traffic (via ECMP). -Additionally, you will need to select two subnets (either \`/31\` or \`/30\`) for the Virtual Tunnel Interfaces (st0.x) to control what traffic is routed through the tunnels. +Additionally, you will need to select two subnets (either `/31` or `/30`) for the Virtual Tunnel Interfaces (`st0.x`) to control what traffic is routed through the tunnels. -## Cloudflare Magic WAN Configuration +## Cloudflare Magic WAN configuration This section of the document will cover the configuration of: -- Magic IPSec tunnels +- Magic IPsec tunnels - Magic static routes -### Magic IPSec Tunnels +### Magic IPsec Tunnels -1. Start by [creating the IPsec tunnels](/magic-wan/configuration/manually/how-to/configure-tunnels/#add-tunnels) in the Cloudflare Dashboard with the following values: +1. Start by [creating the IPsec tunnels](/magic-wan/configuration/manually/how-to/configure-tunnels/#add-tunnels) in the Cloudflare dashboard with the following values: - **Tunnel name**: Up to 15 characters (no spaces). - **Description** (Optional). - **Interface address**: This is the Virtual Tunnel Interface (VTI = `st0.x`) RFC1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. - **Customer endpoint**: This is the public IP address the tunnel will be established with on the Juniper SRX. - **Cloudflare endpoint**: One of the two Cloudflare anycast IP addresses. - **Pre-shared key**: Choose **Add pre-shared key later**. - 2. Select **Add IPsec Tunnel** and fill in the values for the second tunnel to the same Juniper SRX: - The IP addresses used for the Interface address must be a unique RFC1918 address (`/31` or `/30`). - The **Customer endpoint** is the same IP specified for the first tunnel. - The **Cloudflare Endpoint** for the second tunnel will be the second Cloudflare anycast IP provisioned for your account. - 3. Select **Add tunnels**. We also recommend selecting **Test Tunnels** to ensure that the settings do not conflict with any other tunnels defined in your account and that the correct Anycast IP addresses are specified. - 4. Because we chose to add a pre-shared key at a later stage, you will see a warning indicator next to the tunnel names after creating them. This is expected behavior and indicates there is no pre-shared key associated with the tunnel. - 5. Select **Edit** next to one of the tunnels to generate a pre-shared key. - -6. Select **Generate a new pre-shared key** > **Update and generate a pre-shared key**. Make note of the pre-shared key and store it somewhere safe. - +6. Select **Generate a new pre-shared key** > **Update and generate a pre-shared key**. Make note of the pre-shared key and store it somewhere safe. :::note You can update the pre-shared key at any time by repeating this step. Just make sure to add the new value of the new pre-shared key to the corresponding tunnel configuration on the Juniper device. ::: - 7. Repeat the previous step for the second tunnel. - -8. Expand the properties of each of the first tunnel, and take note of the **Tunnel ID** and **FQDN ID** values. - +8. Expand the properties of the first tunnel, and take note of the **Tunnel ID** and **FQDN ID** values. 9. Repeat this step for the second tunnel. - :::note These values are unique per tunnel and remain the same even if you update the pre-shared key. The only time these values change is if you delete and recreate the tunnel. ::: -### Magic Static Routes +### Magic static routes This document assumes that the **trust zone** behind the Juniper SRX firewall has a single subnet: - - `10.1.20.0/24` -[Magic Static Routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. +[Magic static routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. -Cloudflare leverages [Equal Cost Multipath Routing](/magic-wan/reference/traffic-steering/) to control steering of traffic across the tunnels. The default priority for each route is `100` — traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed. +Cloudflare leverages [equal-cost multi-path routing](/magic-wan/reference/traffic-steering/) to control steering of traffic across the tunnels. The default priority for each route is `100` — traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed. 1. Create a static route with the following values. Make sure you select the first tunnel in **Tunnel/Next hop**: - **Description:** The description for the static route assigned to your first tunnel. - **Prefix**: Enter the destination subnet for which this route is intended. For this example, it is `10.1.20.0/24` as stated above. - **Tunnel/Next hop**: Choose your first tunnel from the drop-down menu. - - **Priority**: Default value is `100`\`. + - **Priority**: Default value is `100`. - **Region code**: Leave set to **All Regions** unless otherwise specified. - 2. Select **Add Static Route** to add a second route for the same subnet. Make sure the second tunnel is selected in **Tunnel/Next hop**. - 3. Select **Test routes** to ensure the settings will be accepted, and then select **Add Routes**. - 4. Confirm the routes were added correctly in **Magic WAN** > **Configuration** > **Static Routes**. ## Juniper SRX Configuration @@ -124,7 +110,7 @@ unit 1 { } ``` -### Security Zone (cloudflare) - Tunnel Interfaces +### Security Zone (cloudflare) - tunnel interfaces Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to `all` for system-services and protocols should be fine. @@ -161,7 +147,7 @@ interfaces { } ``` -### Security Zone (untrust) - Host-Inbound-Traffic +### Security zone (untrust) - `host-inbound-traffic` Add `ping` and `ike` to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. If your security policy blocks ping by default, you will need to create a firewall-filter to allow ICMP from the [Cloudflare IPv4 address space](https://www.cloudflare.com/ips-v4) — not covered in this tutorial. @@ -222,7 +208,7 @@ set security ike policy cf_magic_wan_pol_02 pre-shared-key ascii-text "$9$sH4GD< #### IKE gateways -Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the \`local-identity\` hostname setting. +Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the `local-identity` hostname setting. **Tunnel 1 (SRX220_IPSEC_01)** @@ -246,7 +232,7 @@ set security ike gateway cf_magic_wan_gw_02 version v2-only ### Phase 2 - IPSec -#### IPSec proposal +#### IPsec proposal Add an IPSec proposal that specifies the [Phase 2 Configuration Parameters](/magic-wan/reference/tunnels/#supported-configuration-parameters): @@ -256,9 +242,9 @@ set security ipsec proposal cf_ipsec_magic_wan_prop encryption-algorithm aes-256 set security ipsec proposal cf_ipsec_magic_wan_prop lifetime-seconds 28800 ``` -#### IPSec policies +#### IPsec policies -Define two IPSec policies — one for each of the two Magic IPSec tunnels. It is crucial to ensure that: +Define two IPsec policies — one for each of the two Magic IPSec tunnels. It is crucial to ensure that: - [Anti-replay](/magic-wan/reference/anti-replay-protection/) protection is disabled. - Use [`no-anti-replay`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/no-anti-replay-edit-services.html) as the setting @@ -287,7 +273,7 @@ set security ipsec vpn cf_magic_wan_tun_02 ike ipsec-policy cf_magic_wan_ipsec_p set security ipsec vpn cf_magic_wan_tun_02 establish-tunnels immediately ``` -### Static Routes +### Static routes This configuration only factors in one local site (`10.1.20.0/24`). In this example, we assume devices in the trust zone need to route traffic to a remote subnet that is at another Magic WAN-protected site (`10.1.100.0/24`). @@ -325,7 +311,7 @@ static { } ``` -### Security Policies +### Security policies Define security policies to permit traffic flows destined for Magic WAN protected resources. The source/destination zones will need to incorporate the zone containing the tunnel interfaces. @@ -458,7 +444,7 @@ The log file can be viewed by doing the following: ```txt tail -f /var/log/ike-debug.log ``` -3. Press `CTRL+C` when finished. +3. Press CTRL+C when finished. 4. Type `exit` to return to the operational mode prompt. Either deactivate `traceoptions` or delete `traceoptions` once debugging is complete. From b76cef761fc0b7c98b3bb7d88f448bb907d72df2 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Thu, 21 Nov 2024 11:17:53 +0000 Subject: [PATCH 4/7] added juniper to dev compat page --- .../reference/device-compatibility.mdx | 41 ++++++++++--------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/src/content/docs/magic-wan/reference/device-compatibility.mdx b/src/content/docs/magic-wan/reference/device-compatibility.mdx index 8984cea8be27c0..a01a51929f82ae 100644 --- a/src/content/docs/magic-wan/reference/device-compatibility.mdx +++ b/src/content/docs/magic-wan/reference/device-compatibility.mdx @@ -10,25 +10,26 @@ Magic WAN is compatible with any device that supports