From df050f7e8e17881f780b063cce95b682515f77ca Mon Sep 17 00:00:00 2001 From: Jeff Hochberg Date: Thu, 5 Dec 2024 09:21:22 -0500 Subject: [PATCH 1/4] Updated Juniper SRX docs for Magic WAN --- .../manually/third-party/juniper.mdx | 628 +++++++++++++----- 1 file changed, 471 insertions(+), 157 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx index 748cbdbe422120..3c287d3d4c8343 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx 
@@ -3,22 +3,26 @@ pcx_content_type: integration-guide title: Juniper Networks SRX Series Firewalls --- -This tutorial provides information and examples of how to configure Juniper Networks SRX Series Firewalls with Magic WAN. +This tutorial provides information and examples of configuring Juniper Networks SRX Series Firewalls with Magic WAN. + +The configuration settings in this document are based on JUNOS 23.4R2.13. ## Prerequisites -Confirm that you have the Cloudflare anycast IPs for your account. You should have two IPs allocated. +Confirm that you have the two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (hereon in "endpoint") - traffic will be routed via BGP Anycast to the closest Cloudflare Point-of-Presence. + +Cloudflare recommends customers configure two IPsec tunnels per Internet Service Provider per endpoint. This provides tunnel redundancy and tunnel diversity. Equal Cost Multipath Routing (ECMP) ensures traffic is load-balanced across the tunnels, and you can control traffic steering across the tunnels through route prioritization. -The goal is to configure two IPsec tunnels for each endpoint. This provides you with tunnel redundancy and the ability to load balance ingress and egress traffic (via ECMP). +Cloudflare supports Route-Based site-to-site IPsec tunnels, which require the creation of Virtual Tunnel Interfaces (VTIs). We recommend you select one subnet with either a /30 or /31 netmask (the latter makes more efficient use of IP addresses). -Additionally, you will need to select two subnets (either `/31` or `/30`) for the Virtual Tunnel Interfaces (`st0.x`) to control what traffic is routed through the tunnels. +The interface naming convention for VTI interfaces in Junos is st0.x. 
## Cloudflare Magic WAN configuration This section of the document will cover the configuration of: -- Magic IPsec tunnels -- Magic static routes +- Magic IPsec Tunnels +- Magic Static Routes ### Magic IPsec tunnels 
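Review bot: In the Prerequisites paragraph, "hereon in "endpoint"" should read "hereafter "endpoint"", and the VTI paragraph now tells readers to "select one subnet with either a /30 or /31 netmask" although the guide configures two tunnels on two separate /31 subnets (st0.0 and st0.1 later carry 10.252.2.21/31 and 10.252.2.23/31). Suggest "select two subnets (/31 or /30), one per tunnel", and keep `st0.x` in code formatting as the removed sentence did.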
@@ -26,25 +30,25 @@ This section of the document will cover the configuration of: - **Tunnel name**: Up to 15 characters (no spaces). - **Description** (Optional). - **Interface address**: This is the Virtual Tunnel Interface (VTI = `st0.x`) RFC 1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. - - **Customer endpoint**: This is the public IP address the tunnel will be established with on the Juniper SRX. + - **Customer endpoint**: Specify the Internet IP address on the untrust side of the SRX firewall. - **Cloudflare endpoint**: One of the two Cloudflare anycast IP addresses. - **Pre-shared key**: Choose **Add pre-shared key later**. 2. Select **Add IPsec Tunnel** and fill in the values for the second tunnel to the same Juniper SRX: - - The IP addresses used for the Interface address must be a unique RFC 1918 address (`/31` or `/30`). - - The **Customer endpoint** is the same IP specified for the first tunnel. + - Ensure you use a unique RFC1918 IP address for the Interface Address (`/31` or `/30`). + - Once again, specify the Internet IP address on the untrust side of the SRX firewall for the **Customer Endpoint**. - The **Cloudflare Endpoint** for the second tunnel will be the second Cloudflare anycast IP provisioned for your account. -3. Select **Add tunnels**. We also recommend selecting **Test Tunnels** to ensure that the settings do not conflict with any other tunnels defined in your account and that you specified the correct anycast IP addresses. -4. Because we chose to add a pre-shared key at a later stage, you will see a warning indicator next to the tunnel names after creating them. This is expected behavior and indicates there is no pre-shared key associated with the tunnel. +3. Select **Add Tunnels**. We also recommend selecting **Test Tunnels** to ensure that the settings do not conflict with any other tunnels defined in your account and that you specified the correct anycast IP addresses. 
+4. You will see a warning indicator next to the tunnel names after creating them because we chose to add a pre-shared key later. This is expected behavior and indicates that a pre-shared key has not been generated yet for the associated tunnel. 5. Select **Edit** next to one of the tunnels to generate a pre-shared key. -6. Select **Generate a new pre-shared key** > **Update and generate a pre-shared key**. Make note of the pre-shared key and store it somewhere safe. +6. Select **Generate a new pre-shared key** > **Update and generate a pre-shared key**. Make a note of the pre-shared key and store it somewhere safe. :::note You can update the pre-shared key at any time by repeating this step. Just make sure to add the new value of the new pre-shared key to the corresponding tunnel configuration on the Juniper device. ::: 7. Repeat the previous step for the second tunnel. -8. Expand the properties of the first tunnel, and take note of the **Tunnel ID** and **FQDN ID** values. -9. Repeat this step for the second tunnel. +8. Expand the first tunnel's properties and note the **Tunnel ID** and **FQDN ID** values. +9. Repeat the previous steps for the second tunnel. :::note - These values are unique per tunnel and remain the same even if you update the pre-shared key. The only time these values change is if you delete and recreate the tunnel. + These values are unique per tunnel and remain the same even if you update the pre-shared key. These values change only if you delete and recreate the tunnel. ::: ### Magic static routes 
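Review bot: Step 9, "Repeat the previous steps for the second tunnel", is ambiguous now that step 7 already repeats the key generation; "Repeat step 8 for the second tunnel" matches the original intent. The same hunk writes both "Customer endpoint" and "Customer Endpoint" for one field; use the dashboard's capitalization consistently. Step 8 asks readers to note the Tunnel ID, but only the FQDN ID is used later (in the IKE gateway `local-identity hostname`), so either say where the Tunnel ID is needed or drop it from the step.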
@@ -52,25 +56,23 @@ This section of the document will cover the configuration of: This document assumes that the **trust zone** behind the Juniper SRX firewall has a single subnet: - `10.1.20.0/24` -[Magic static routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) define which tunnel(s) to route traffic through for a given subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. +[Magic Static Routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) define which tunnel(s) to route traffic through for a subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. -Cloudflare leverages [equal-cost multi-path routing](/magic-wan/reference/traffic-steering/) to control steering of traffic across the tunnels. The default priority for each route is `100` — traffic will be load-balanced across the two tunnels equally. You can modify the priorities as needed. +Cloudflare leverages [Equal-Cost Multi-Path](/magic-wan/reference/traffic-steering/#equal-cost-multi-path-routing) routing to control traffic steering across the tunnels. The default priority for each route is 100 — traffic will be load-balanced across the two tunnels equally via ECMP. You can modify the priorities as needed. 1. Create a static route with the following values. Make sure you select the first tunnel in **Tunnel/Next hop**: - **Description:** The description for the static route assigned to your first tunnel. - **Prefix**: Enter the destination subnet for which this route is intended. For this example, it is `10.1.20.0/24` as stated above. - **Tunnel/Next hop**: Choose your first tunnel from the drop-down menu. - - **Priority**: Default value is `100`. + - **Priority**: The default value is `100`. - **Region code**: Leave set to **All Regions** unless otherwise specified. 2. Select **Add Static Route** to add a second route for the same subnet. 
Make sure the second tunnel is selected in **Tunnel/Next hop**. -3. Select **Test routes** to ensure the settings will be accepted, and then select **Add Routes**. +3. Select **Test Routes** to ensure the settings are accepted, then select **Add Routes**. 4. Confirm the routes were added correctly in **Magic WAN** > **Configuration** > **Static Routes**. ## Juniper SRX configuration -The configuration settings in this document are based on JUNOS 21.4R3-S4.9. - -There may be some differences in the syntax of the commands in the version on your SRX devices, however the principles are the same. Please refer to the Juniper product documentation for more information. +There may be some differences in the syntax of the commands in the version on your SRX devices; however, the principles are the same. Please refer to the Juniper product documentation for more information. The following elements will be configured on the Juniper SRX firewall(s): @@ -79,7 +81,7 @@ The following elements will be configured on the Juniper SRX firewall(s): - Allow required protocols to both the tunnel and untrust security zones - IKE configuration - IPsec configuration -- Static routes +- Policy-Based Routing (Filter-Based Forwarding) - Security policies ### Tunnel interfaces 
@@ -94,32 +96,34 @@ set interfaces st0 unit 1 family inet address 10.252.2.23/31 2. Confirm settings: ```txt -admin@srx220> show configuration interfaces st0 +admin@srx300> show configuration interfaces st0 ``` ```txt output unit 0 { - family inet { - address 10.252.2.21/31; - } + family inet { + address 10.252.2.21/31; + } } unit 1 { - family inet { - address 10.252.2.23/31; - } + family inet { + address 10.252.2.23/31; + } } ``` ### Security Zone (Cloudflare) - tunnel interfaces -Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow `ping`, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to `all` for system-services and protocols should be fine. +Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping, but this zone only contains point-to-point connections between the firewall and the customer network namespace. You can always set the values for system services and protocols to all, as the intrazone traffic is from a trusted network. ```txt set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic system-services all set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic +set security zones security-zone cloudflare interfaces st0.1 host-inbound-traffic system-services all +set security zones security-zone cloudflare interfaces st0.1 host-inbound-traffic ``` ```txt -admin@srx220> show configuration security zones security-zone cloudflare +admin@srx300> show configuration security zones security-zone cloudflare ``` ```txt output interfaces { 
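Review bot: The second and fourth lines of the cloudflare zone block, `set security zones security-zone cloudflare interfaces st0.x host-inbound-traffic`, end without a leaf such as `protocols all`, so they configure nothing; the new st0.1 lines copy the same truncation from the existing st0.0 line. Suggest completing both as `... host-inbound-traffic protocols all` (or removing them if only system-services are intended) and mirroring that in the `show configuration` output that follows. Since the prose says ping is the minimum these point-to-point interfaces need, `system-services ping` is also the tighter choice than `all`.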
@@ -148,26 +152,25 @@ interfaces { ### Security zone (untrust) - `host-inbound-traffic` -Add `ping` and `ike` to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. If your security policy blocks `ping` by default, you will need to create a firewall-filter to allow ICMP from the [Cloudflare IPv4 address space](https://www.cloudflare.com/ips-v4) — not covered in this tutorial. +Add ike to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. ```txt -set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping -set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike +set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike ``` ```txt -admin@srx220> show configuration security zones security-zone untrust +admin@srx300> show configuration security zones security-zone untrust ``` ```txt output +screen untrust-screen; interfaces { - ge-0/0/2.0 { - host-inbound-traffic { - system-services { - ping; - ike; - } - } - } + ge-0/0/0.0 { + host-inbound-traffic { + system-services { + ike; + } + } + } } ``` 
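Review bot: The updated `show configuration security zones security-zone untrust` output includes `screen untrust-screen;`, which none of the `set` commands in this section create; either add the matching `set security zones security-zone untrust screen untrust-screen` line or trim it from the output so the two blocks agree. The removal of `ping` from the untrust interface, together with the note about allowing ICMP from Cloudflare's IPv4 range, is unexplained; if intentional, one sentence saying external ICMP is no longer required would help readers who followed the earlier guidance.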
@@ -178,55 +181,106 @@ interfaces { Add an IKE proposal that specifies the [Phase 1 Configuration Parameters](/magic-wan/reference/tunnels/#supported-configuration-parameters): ```txt -set security ike proposal cf_ike_magic_wan_prop authentication-method pre-shared-keys -set security ike proposal cf_ike_magic_wan_prop dh-group group14 -set security ike proposal cf_ike_magic_wan_prop authentication-algorithm sha-256 -set security ike proposal cf_ike_magic_wan_prop encryption-algorithm aes-256-cbc -set security ike proposal cf_ike_magic_wan_prop lifetime-seconds 28800 +set security ike proposal cf_magic_wan_ike_prop authentication-method pre-shared-keys +set security ike proposal cf_magic_wan_ike_prop dh-group group14 +set security ike proposal cf_magic_wan_ike_prop authentication-algorithm sha-256 +set security ike proposal cf_magic_wan_ike_prop encryption-algorithm aes-256-cbc +set security ike proposal cf_magic_wan_ike_prop lifetime-seconds 28800 +``` + +```txt +admin@srx300> show configuration security ike proposal cf_magic_wan_ike_prop +``` +```txt output +authentication-method pre-shared-keys; +dh-group group14; +authentication-algorithm sha-256; +encryption-algorithm aes-256-cbc; +lifetime-seconds 28800; ``` #### IKE policies Define two IKE policies — one for each of the two Magic IPsec tunnels: -**Tunnel 1 (SRX220_IPSEC_01)** +**Tunnel 1 (SRX300_IPSEC_01)** + +```txt +set security ike policy cf_magic_wan_tun_01_pol mode main +set security ike policy cf_magic_wan_tun_01_pol proposals cf_magic_wan_ike_prop +set security ike policy cf_magic_wan_tun_01_pol pre-shared-key ascii-text "$9$GRjPTFWZUjHPT" +``` ```txt -set security ike policy cf_magic_wan_pol_01 mode main -set security ike policy cf_magic_wan_pol_01 proposals cf_ike_magic_wan_prop -set security ike policy cf_magic_wan_pol_01 pre-shared-key ascii-text "$9$CnJ0tO1NwsmfTQ69" +admin@srx300> show configuration security ike policy cf_magic_wan_tun_01_pol ``` +```txt output +mode main; +proposals 
cf_magic_wan_ike_prop; +pre-shared-key ascii-text "$9$GRjPTFWZUjHPT"; ## SECRET-DATA +``` + +**Tunnel 2 (SRX300_IPSEC_02)** -**Tunnel 2 (SRX220_IPSEC_02)** +```txt +set security ike policy cf_magic_wan_tun_02_pol mode main +set security ike policy cf_magic_wan_tun_02_pol proposals cf_magic_wan_ike_prop +set security ike policy cf_magic_wan_tun_02_pol pre-shared-key ascii-text "$9$f536tpSrH.fT/9Lx7-bY" +``` ```txt -set security ike policy cf_magic_wan_pol_02 mode main -set security ike policy cf_magic_wan_pol_02 proposals cf_ike_magic_wan_prop -set security ike policy cf_magic_wan_pol_02 pre-shared-key ascii-text "$9$sH4GDHqQzIEclvL" +admin@srx300> show configuration security ike policy cf_magic_wan_tun_02_pol +``` +```txt output +mode main; +proposals cf_magic_wan_ike_prop; +pre-shared-key ascii-text "$9$f536tpSrH.fT/9Lx7-bY"; ## SECRET-DATA ``` #### IKE gateways -Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the `local-identity` hostname setting. +Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the **FQDN ID** value obtained from the Cloudflare dashboard in the `local-identity` hostname setting. 
-**Tunnel 1 (SRX220_IPSEC_01)** +**Tunnel 1 (SRX300_IPSEC_01)** ```txt -set security ike gateway cf_magic_wan_gw_01 ike-policy cf_magic_wan_pol_01 -set security ike gateway cf_magic_wan_gw_01 address 162.xx.xx.164 -set security ike gateway cf_magic_wan_gw_01 local-identity hostname 755339a1ffcc01.33145236.ipsec.cloudflare.com -set security ike gateway cf_magic_wan_gw_01 external-interface ge-0/0/2.0 -set security ike gateway cf_magic_wan_gw_01 version v2-only +set security ike gateway cf_magic_wan_gw_tun_01 ike-policy cf_magic_wan_tun_01_pol +set security ike gateway cf_magic_wan_gw_tun_01 address 162.159.68.68 +set security ike gateway cf_magic_wan_gw_tun_01 local-identity hostname 1663e5e706555.ipsec.cloudflare.com +set security ike gateway cf_magic_wan_gw_tun_01 external-interface ge-0/0/0.0 +set security ike gateway cf_magic_wan_gw_tun_01 version v2-only ``` -**Tunnel 2 (SRX220_IPSEC_02)** +```txt +admin@srx300> show configuration security ike gateway cf_magic_wan_gw_tun_01 +``` +```txt output +ike-policy cf_magic_wan_tun_01_pol; +address 162.159.68.68; +local-identity hostname 1663e5e706555.ipsec.cloudflare.com; +external-interface ge-0/0/0.0; +version v2-only; +``` + +**Tunnel 2 (SRX300_IPSEC_02)** ```txt -set security ike gateway cf_magic_wan_gw_02 ike-policy cf_magic_wan_pol_02 -set security ike gateway cf_magic_wan_gw_02 address 172.xx.xx.164 -set security ike gateway cf_magic_wan_gw_02 local-identity hostname abac7146c3de918e0.33145236.ipsec.cloudflare.com -set security ike gateway cf_magic_wan_gw_02 external-interface ge-0/0/2.0 -set security ike gateway cf_magic_wan_gw_02 version v2-only +set security ike gateway cf_magic_wan_gw_tun_02 ike-policy cf_magic_wan_tun_02_pol +set security ike gateway cf_magic_wan_gw_tun_02 address 172.64.244.68 +set security ike gateway cf_magic_wan_gw_tun_02 local-identity hostname b5ee53036555.ipsec.cloudflare.com +set security ike gateway cf_magic_wan_gw_tun_02 external-interface ge-0/0/0.0 +set security ike gateway 
cf_magic_wan_gw_tun_02 version v2-only +``` + +```txt +admin@srx300> show configuration security ike gateway cf_magic_wan_gw_tun_02 +``` +```txt output +ike-policy cf_magic_wan_tun_02_pol; +address 172.64.244.68; +local-identity hostname b5ee53036555.ipsec.cloudflare.com; +external-interface ge-0/0/0.0; +version v2-only; ``` ### Phase 2 - IPsec 
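Review bot: `mode main` in both IKE policies is an IKEv1 Phase 1 setting, while both gateways are `version v2-only`, so the line is inert under IKEv2; dropping it, or noting that it has no effect, avoids confusion. The `set ... pre-shared-key ascii-text "$9$..."` commands show the obfuscated form that `show configuration` prints on this device; readers need to enter the key generated in the dashboard step, so a labelled placeholder such as `<pre-shared-key>` in the set commands would be clearer. The gateway addresses are now concrete (162.159.68.68 and 172.64.244.68) and the FQDN IDs are sample values; a sentence saying these must be replaced with the reader's own account values would help.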
@@ -236,87 +290,266 @@ set security ike gateway cf_magic_wan_gw_02 version v2-only Add an IPsec proposal that specifies the [Phase 2 Configuration Parameters](/magic-wan/reference/tunnels/#supported-configuration-parameters): ```txt -set security ipsec proposal cf_ipsec_magic_wan_prop authentication-algorithm hmac-sha-256-128 -set security ipsec proposal cf_ipsec_magic_wan_prop encryption-algorithm aes-256-cbc -set security ipsec proposal cf_ipsec_magic_wan_prop lifetime-seconds 28800 +set security ipsec proposal cf_magic_wan_ipsec_prop protocol esp +set security ipsec proposal cf_magic_wan_ipsec_prop authentication-algorithm hmac-sha-256-128 +set security ipsec proposal cf_magic_wan_ipsec_prop encryption-algorithm aes-256-cbc +set security ipsec proposal cf_magic_wan_ipsec_prop lifetime-seconds 28800 +``` + +```txt +admin@srx300> show configuration security ipsec proposal cf_magic_wan_ipsec_prop +``` +```txt output +protocol esp; +authentication-algorithm hmac-sha-256-128; +encryption-algorithm aes-256-cbc; +lifetime-seconds 28800; +``` + +#### IPsec Policy + +Define one IPsec policy — reference the IPsec proposal created above. + +```txt +set security ipsec policy cf_magic_wan_ipsec_pol proposals cf_magic_wan_ipsec_prop ``` -#### IPsec policies +```txt +admin@srx300> show configuration security ipsec policy cf_magic_wan_ipsec_pol +``` +```txt output +proposals cf_magic_wan_ipsec_prop; +``` + +#### **IPsec VPN Tunnels** Define two IPsec policies — one for each of the two Magic IPsec tunnels. It is crucial to ensure that: - [Anti-replay](/magic-wan/reference/anti-replay-protection/) protection is disabled. 
- - Use [`no-anti-replay`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/no-anti-replay-edit-services.html) as the setting + - Use the [`no-anti-replay`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/no-anti-replay-edit-services.html) option. - The SRX is the tunnel initiator: - - Cloudflare will not instantiate the tunnel + - Cloudflare will not initiate the tunnel - If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel - - Use [`establish-tunnels immediately`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/establish-tunnels-edit-services-ipsec-vpn.html) as the setting. + - Use [`establish-tunnels immediately`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/establish-tunnels-edit-services-ipsec-vpn.html) to ensure the SRX is the tunnel initiator. 
-**Tunnel 1 (SRX220_IPSEC_01)** +**VPN Tunnel 1 (cf_magic_wan_ipsec_tun_01)** ```txt -set security ipsec vpn cf_magic_wan_tun_01 bind-interface st0.0 -set security ipsec vpn cf_magic_wan_tun_01 ike gateway cf_magic_wan_gw_01 -set security ipsec vpn cf_magic_wan_tun_01 ike no-anti-replay -set security ipsec vpn cf_magic_wan_tun_01 ike ipsec-policy cf_magic_wan_ipsec_pol -set security ipsec vpn cf_magic_wan_tun_01 establish-tunnels immediately +set security ipsec vpn cf_magic_wan_ipsec_tun_01 bind-interface st0.0 +set security ipsec vpn cf_magic_wan_ipsec_tun_01 ike gateway cf_magic_wan_gw_tun_01 +set security ipsec vpn cf_magic_wan_ipsec_tun_01 ike no-anti-replay +set security ipsec vpn cf_magic_wan_ipsec_tun_01 ike ipsec-policy cf_magic_wan_ipsec_pol +set security ipsec vpn cf_magic_wan_ipsec_tun_01 establish-tunnels immediately ``` -**Tunnel 2 (SRX220_IPSEC_02)** +```txt +admin@srx300> show configuration security ipsec vpn cf_magic_wan_ipsec_tun_01 +``` +```txt output +bind-interface st0.0; +ike { + gateway cf_magic_wan_gw_tun_01; + no-anti-replay; + ipsec-policy cf_magic_wan_ipsec_pol; +} +establish-tunnels immediately; +``` + +**VPN Tunnel 2 (cf_magic_wan_ipsec_tun_02)** + +```txt +set security ipsec vpn cf_magic_wan_ipsec_tun_02 bind-interface st0.1 +set security ipsec vpn cf_magic_wan_ipsec_tun_02 ike gateway cf_magic_wan_gw_tun_02 +set security ipsec vpn cf_magic_wan_ipsec_tun_02 ike no-anti-replay +set security ipsec vpn cf_magic_wan_ipsec_tun_02 ike ipsec-policy cf_magic_wan_ipsec_pol +set security ipsec vpn cf_magic_wan_ipsec_tun_02 establish-tunnels immediately +``` ```txt -set security ipsec vpn cf_magic_wan_tun_02 bind-interface st0.1 -set security ipsec vpn cf_magic_wan_tun_02 ike gateway cf_magic_wan_gw_02 -set security ipsec vpn cf_magic_wan_tun_02 ike no-anti-replay -set security ipsec vpn cf_magic_wan_tun_02 ike ipsec-policy cf_magic_wan_ipsec_pol -set security ipsec vpn cf_magic_wan_tun_02 establish-tunnels immediately +admin@srx300> show 
configuration security ipsec vpn cf_magic_wan_ipsec_tun_02 ``` +```txt output +bind-interface st0.1; +ike { + gateway cf_magic_wan_gw_tun_02; + no-anti-replay; + ipsec-policy cf_magic_wan_ipsec_pol; +} +establish-tunnels immediately; +``` + +### Policy-Based Routing -### Static routes -This configuration only factors in one local site (`10.1.20.0/24`). In this example, we assume devices in the trust zone need to route traffic to a remote subnet that is at another Magic WAN-protected site (`10.1.100.0/24`). +The SRX platform allows policy-based routing, which Juniper refers to as filter-based forwarding. -Define a static route on the SRX to route traffic to `10.1.100.0/24` with redundant routes that reference each of the two tunnels. There are two ways to accomplish this: +[Filter-Based Forwarding Overview](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html) + +Filter-based forwarding is implemented by configuring the following: + +1. Routing Instance: Specify the routing table(s) to which a packet is forwarded and the destination to which the packet is forwarded at the [edit routing-instances] hierarchy level. +2. Firewall Filter: Use a stateless firewall filter to specify the source and destination addresses in conjunction with a routing instance that forwards traffic across the Magic IPsec Tunnels, then bind the firewall filter to the ingress interface (trust zone). +3. RIB Group: Share interface routes with the forwarding routing instances used in filter-based forwarding (FBF). + +Note: Firewall filters must incorporate at least two terms: + +1. Term 1: Classify the traffic to forward to Magic WAN +2. Term 2: Permit all other traffic - otherwise, the firewall filters will discard any traffic not intended for Magic WAN destinations. + +This configuration only factors in one local site (10.1.20.0/24). 
In this example, we assume devices in the trust zone must route traffic to a remote subnet at another Magic WAN-protected site (10.1.100.0/24). + +Define a static route on the SRX to route traffic to 10.1.100.0/24 with redundant routes referencing each of the two tunnels. + +**Routing Instance:** + +[Routing Instances](https://www.juniper.net/documentation/us/en/software/junos/routing-overview/topics/concept/routing-instances-overview.html) effectively add additional routing tables to the SRX platform. + +As mentioned earlier, any traffic destined for other Magic WAN protected sites must be routed over the Magic IPsec tunnels. + +The example includes two static routes - one to each of the two VTIs on the Cloudflare side of the Magic IPsec Tunnels (`10.252.2.20` and `10.252.2.22`). + +While it is possible to be more prescriptive in terms of the destination subnets, we simply use 0.0.0.0/0 as the Firewall Filter ensures only traffic destined for 10.1.100.0/24 will be forwarded to the Routing Instance. Any other traffic not destined for 10.1.100.0/24 will continue to the Primary Routing Table (`inet.0`) as it falls outside the scope of the Firewall Filter configured in the next section below. + +Leaving the destination subnet as 0.0.0.0/0 eases some administrative burden as you only need to modify the Firewall Filter to specify which traffic is destined for Magic WAN. 
-**By adding two destinations for the same route:** ```txt -set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20 -set routing-options static route 10.1.100.0/24 next-hop 10.252.2.22 +set routing-instances MAGIC_WAN_RI instance-type forwarding +set routing-instances MAGIC_WAN_RI routing-options static route 0.0.0.0/0 next-hop 10.252.2.20 +set routing-instances MAGIC_WAN_RI routing-options static route 0.0.0.0/0 next-hop 10.252.2.22 ``` ```txt -admin@srx220> show configuration routing-options static +admin@srx300> show configuration routing-instances ``` ```txt output -route 10.1.100.0/24 next-hop [ 10.252.2.20 10.252.2.22 ]; +MAGIC_WAN_RI { + instance-type forwarding; + routing-options { + static { + route 0.0.0.0/0 next-hop [ 10.252.2.20 10.252.2.22 ]; + } + } +} ``` -**Or using the [qualified-next-hop](https://www.juniper.net/documentation/us/en/software/junos/static-routing/topics/ref/statement/qualified-next-hop-edit-routing-options.html) option:** +**Firewall Filter:** + +In this step, we create a stateless firewall filter to ensure only packets from 10.1.20.0/24 destined for 10.1.100.0/24 are sent to the `MAGIC_WAN_RI` Routing Instance. + +- Term 1 - `MAGIC_WAN_NETS` ensures only packets from 10.1.20.0/24 destined for 10.1.100.0/24 are sent to the `MAGIC_WAN_RI` Routing Instance. Take note of the `count` statement defined in this term. [Count](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-stateless-example-act-on-sampling.html) allows you to view how many packets are processed by this term in the Firewall Filter. An example of how to view the Counter is included below. + +- Term 2 - `ALLOW_EVERYTHING_ELSE` ensures all other traffic continues to the Primary Routing Table (`inet.0`). 
```txt -admin@srx220> show configuration routing-options | display set -set routing-options static route 0.0.0.0/0 next-hop 23.XX.XXX.46 -set routing-options static route 10.1.100.0/24 next-hop 10.252.2.20 -set routing-options static route 10.1.100.0/24 qualified-next-hop 10.252.2.22 +set firewall family inet filter MAGIC_WAN_FBF term MAGIC_WAN_NETS from source-address 10.1.20.0/24 +set firewall family inet filter MAGIC_WAN_FBF term MAGIC_WAN_NETS from destination-address 10.1.100.0/24 +set firewall family inet filter MAGIC_WAN_FBF term MAGIC_WAN_NETS then count MAGIC_WAN_GATEWAY_FBF_count +set firewall family inet filter MAGIC_WAN_FBF term MAGIC_WAN_NETS then routing-instance MAGIC_WAN_RI +set firewall family inet filter MAGIC_WAN_FBF term ALLOW_EVERYTHING_ELSE then accept +``` + +```txt +admin@srx300> show configuration firewall ``` ```txt output +family inet { + filter MAGIC_WAN_FBF { + term MAGIC_WAN_NETS { + from { + source-address { + 10.1.20.0/24; + } + destination-address { + 10.1.100.0/24; + } + } + then { + count MAGIC_WAN_FBF_count; + routing-instance MAGIC_WAN_RI; + } + } + term ALLOW_EVERYTHING_ELSE { + then accept; + } + } +} +``` + +**View Firewall Filter Counters** + +To view the firewall filter counter: + +```txt +admin@srx300> show firewall filter MAGIC_WAN_FBF counter MAGIC_WAN_FBF_count +``` +```txt output +Filter: MAGIC_WAN_FBF + +Counters: + +Name Bytes Packets +MAGIC_WAN_FBF_count 760174478 1940954 +``` + +**Bind Firewall Filter to the interface in the** **trust** **zone:** + +```txt +set interfaces ge-0/0/7 unit 0 family inet filter input MAGIC_WAN_FBF +set interfaces ge-0/0/7 unit 0 family inet address 10.1.20.1/24 +``` + +```txt +admin@srx300> show configuration interfaces ge-0/0/7 unit 0 +``` +```txt output +family inet { + filter { + input MAGIC_WAN_FBF; + } + address 10.1.20.1/24; +} +``` + +**RIB Group:** + +RIB Groups allow you to concatenate the contents of multiple routing tables into a Routing Table Group. 
+ +The primary routing table in the RIB group should be `inet.0` followed by the secondary routing table `MAGIC_WAN_RI.inet.0` which is the `MAGIC_WAN_RI` routing-instance created above. + +[Interface Routes](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/interface-routes-edit-routing-options.html) referenced below by the `interface-routes` statement determines which interfaces and Routing Instances are bound to the RIB Group. + +```txt +set routing-options static route 0.0.0.0/0 next-hop +set routing-options rib-groups MAGIC_WAN_RG import-rib [ inet.0 MAGIC_WAN_RI.inet.0 ] +set routing-options interface-routes rib-group inet MAGIC_WAN_RG +set routing-options interface-routes rib-group inet MAGIC_WAN_RG +``` + +```txt +admin@srx300> show configuration routing-options +``` +```txt output +interface-routes { + rib-group inet MAGIC_WAN_GW_RG; +} static { - route 0.0.0.0/0 next-hop 23.XX.XXX.46; - route 10.1.100.0/24 { - next-hop 10.252.2.20; - qualified-next-hop 10.252.2.22; - } + route 0.0.0.0/0 next-hop ; +} +rib-groups { + MAGIC_WAN_GW_RG { + import-rib [ inet.0 MAGIC_WAN_RI.inet.0 ]; + } } ``` ### Security policies -Define security policies to permit traffic flows destined for Magic WAN protected resources. The source/destination zones will need to incorporate the zone containing the tunnel interfaces. +Define security policies to permit traffic flows destined for Magic WAN-protected resources. The source/destination zones must incorporate the zone containing the tunnel interfaces. -There are two very simple rules to allow traffic bidirectionally — it is generally recommended to start with a similar policy, then to add more stringent rules once general connectivity is established successfully. +There are two very simple rules to allow traffic bidirectionally — it is generally recommended to start with a similar policy and then add more stringent rules once general connectivity is established successfully. 
-**From Cloudflare to *trust*:** +**From Zone:** *cloudflare* **To Zone:** *trust* ```txt set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match source-address any @@ -327,25 +560,25 @@ set security policies from-zone cloudflare to-zone trust policy cloudflare_to_tr ``` ```txt -admin@srx220> show configuration security policies from-zone trust to-zone cloudflare +admin@srx300> show configuration security policies from-zone cloudflare to-zone trust ``` ```txt output -policy trust_to_cloudflare_permit { - match { - source-address any; - destination-address any; - application any; - } - then { - permit; - log { - session-close; - } - } +policy cloudflare_to_trust_permit { + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + log { + session-close; + } + } } ``` -**From *trust* to *Cloudflare*:** +**From Zone:** *trust* **To Zone:** *cloudflare* ```txt set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match source-address any @@ -355,24 +588,22 @@ set security policies from-zone trust to-zone cloudflare policy trust_to_cloudfl set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit then log session-close ``` -To confirm, run: - ```txt -admin@srx220> show configuration security policies from-zone trust to-zone cloudflare +admin@srx300> show configuration security policies from-zone trust to-zone cloudflare ``` ```txt output policy trust_to_cloudflare_permit { - match { - source-address any; - destination-address any; - application any; - } - then { - permit; - log { - session-close; - } - } + match { + source-address any; + destination-address any; + application any; + } + then { + permit; + log { + session-close; + } + } } ``` 
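Review bot: In the RIB Group block, `set routing-options static route 0.0.0.0/0 next-hop` is missing the next-hop address (the earlier version used the masked `23.XX.XXX.46`) and the matching output shows `route 0.0.0.0/0 next-hop ;`, which is not valid configuration; use a labelled placeholder for the ISP gateway. The same block repeats `set routing-options interface-routes rib-group inet MAGIC_WAN_RG` twice, and the output names the group `MAGIC_WAN_GW_RG` while the set commands name it `MAGIC_WAN_RG`. Further name mismatches in this hunk: the filter term counts to `MAGIC_WAN_GATEWAY_FBF_count` in the set command, but the output and the `show firewall filter ... counter` command use `MAGIC_WAN_FBF_count`; the cloudflare-to-trust set commands create `policy cloudflare_to_trust` while the output shows `policy cloudflare_to_trust_permit`. Under the "IPsec VPN Tunnels" heading the first sentence still says "Define two IPsec policies" although the section now defines two `security ipsec vpn` entries that reference the single policy above; and the bold markup inside that heading differs from the sibling headings.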
@@ -382,12 +613,45 @@ policy trust_to_cloudflare_permit { There are several diagnostic commands available to view the status of IPsec tunnels. -#### Phase 1 +#### **Ping Across Virtual Tunnel Interfaces** + +Use ping to test connectivity from the SRX side of the tunnel to the Cloudflare side of the tunnel. Ensure you use the source option to specify the IP address associated with tunnel interfaces st0.0 and st0.1, respectively: -[`show security ike active-peer`](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-active-peer.html) +Tunnel 1 - `st0.0 - 10.252.2.21` ```txt -admin@srx220> show security ike active-peer +admin@srx300> ping source 10.252.2.21 10.252.2.20 +``` +```txt output +PING 10.252.2.20 (10.252.2.20): 56 data bytes +64 bytes from 10.252.2.20: icmp_seq=0 ttl=64 time=8.429 ms +64 bytes from 10.252.2.20: icmp_seq=1 ttl=64 time=4.134 ms +64 bytes from 10.252.2.20: icmp_seq=2 ttl=64 time=4.028 ms +64 bytes from 10.252.2.20: icmp_seq=3 ttl=64 time=3.855 ms +64 bytes from 10.252.2.20: icmp_seq=4 ttl=64 time=3.811 ms +``` + +Tunnel 2 - `st0.1 - 10.252.2.23` + +```txt +admin@srx300> ping source 10.252.2.23 10.252.2.22 +``` +```txt output +PING 10.252.2.22 (10.252.2.22): 56 data bytes + +64 bytes from 10.252.2.22: icmp_seq=0 ttl=64 time=7.405 ms +64 bytes from 10.252.2.22: icmp_seq=1 ttl=64 time=3.685 ms +64 bytes from 10.252.2.22: icmp_seq=2 ttl=64 time=3.666 ms +64 bytes from 10.252.2.22: icmp_seq=3 ttl=64 time=3.888 ms +64 bytes from 10.252.2.22: icmp_seq=4 ttl=64 time=3.814 ms +``` + +#### Phase 1 - View Active Peers + +[`show security ike active-peer`](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/show-security-ike-active-peer.html) + +```txt +admin@srx300> show security ike active-peer ``` ```txt output Remote Address Port Peer IKE-ID XAUTH username Assigned IP 
@@ -395,23 +659,25 @@ Remote Address Port Peer IKE-ID XAUTH username Assigned IP 172.XX.XXX.164 500 172.XX.XXX.164 not available 0.0.0.0 ``` -[`show security ike security-associations`](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ike-security-associations.html) +#### Phase 1 - View IKE Security Associations + +[`show security ike security-associations`](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/show-security-ike-security-associations.html) ```txt -admin@srx220> show security ike security-associations +admin@srx300> show security ike security-associations ``` ```txt output -Index State Initiator cookie Responder cookie Mode Remote Address -3628774 UP 51078ae37b319d23 1475e3b48ca89a9a IKEv2 162.XXX.XX.164 -3628775 UP b2d9a698b6224fc9 7fb1a9f81db0611c IKEv2 172.XX.XXX.164 +Index State Initiator cookie Responder cookie Mode Remote Address +3628774 UP 51078ae37b319d23 1475e3b48ca89a9a IKEv2 162.XXX.XX.164 +3628775 UP b2d9a698b6224fc9 7fb1a9f81db0611c IKEv2 172.XX.XXX.164 ``` -#### Phase 2 +#### Phase 2 - View IPsec Security Associations [`show security ipsec security-associations`](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/command/show-security-ipsec-security-associations.html) ```txt -admin@srx220> show security ipsec security-associations +admin@srx300> show security ipsec security-associations ``` ```txt output Total active tunnels: 2 
@@ -424,10 +690,14 @@ ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway ### IKE `traceoptions` -It is very helpful to enable debug logging via `traceoptions` while setting up the tunnels. The log data can be exceptionally useful in determining if there are issues and, if so, where they might be occurring. +It can be very helpful to enable debug logging via traceoptions while setting up the tunnels. The log data can help determine if there are issues and, if so, where they might be occurring. + +Please note that some errors in the log are benign. The types of errors to look for are those related to authentication or encryption/integrity (i.e. no proposal chosen). #### Enable IKE `traceoptions` +[traceoptions (Security IKE)](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/security-edit-traceoptions-ike.html) + ```txt set security ike traceoptions file ike-debug.log set security ike traceoptions file size 1m @@ -440,9 +710,11 @@ The log file can be viewed by doing the following: 1. From an operational mode, run **start shell**. 2. Use the `tail` command to view the contents of the log file in real-time: + ```txt tail -f /var/log/ike-debug.log ``` + 3. Press CTRL + C when finished. 4. Type `exit` to return to the operational mode prompt. 
@@ -457,19 +729,61 @@ deactivate security ike traceoptions Confirm `traceoptions` is deactivated with: ```txt -admin@srx220> show configuration security ike +admin@srx300> show configuration security ike traceoptions ``` ```txt output -inactive: traceoptions { - file ike-debug.log size m files 3 world-readable; - flag all; -} +## +## inactive: security ike traceoptions +## +file ike-debug.log size 1m files 3 world-readable; +flag all; ``` -#### IPsec `traceoptions` +### **IPsec** **traceoptions** + +[traceoptions (Security IPsec)](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/security-edit-traceoptions-ipsec.html) -It is also possible to enable `traceoptions` for IPsec. However, it is not possible to specify the name of the log file. All events are logged to `/var/log/kmd`. +#### **Enable IPsec** **traceoptions** ```txt +set security ipsec traceoptions file ipsec-debug.log +set security ipsec traceoptions file size 1m +set security ipsec traceoptions file files 3 +set security ipsec traceoptions file world-readable set security ipsec traceoptions flag all -``` \ No newline at end of file +``` + +The log file can be viewed by doing the following: + +1. From an operational mode, run **start shell**. +2. Use the tail command to view the contents of the log file in real time: + `tail -f /var/log/ipsec-debug.log` +3. Press CTRL + C when finished. +4. Type exit to return to the operational mode prompt. + +Either deactivate traceoptions or delete traceoptions once debugging is complete. + +#### **Delete IPsec** **traceoptions** + +```txt +delete security ipsec traceoptions +``` + +#### **Deactivate IPsec** **traceoptions** + +```txt +deactivate security ipsec traceoptions +``` + +Confirm traceoptions is deactivated: + +```txt +admin@srx300> show configuration security ipsec traceoptions +``` +```txt output +## +## inactive: security ipsec traceoptions +## +file ipsec-debug.log size 1m files 3 world-readable; +flag all; +``` 
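Review bot: the default route in the RIB-group hunk of PATCH 1/4 has lost its next hop: `set routing-options static route 0.0.0.0/0 next-hop` and the show output `route 0.0.0.0/0 next-hop ;` are both incomplete and will not commit, whereas the removed line `route 0.0.0.0/0 next-hop 23.XX.XXX.46;` carried a masked placeholder; restore a placeholder of the same form. In the same hunk, `set routing-options interface-routes rib-group inet MAGIC_WAN_RG` is listed twice, and the set commands name the RIB group `MAGIC_WAN_RG` while the show output names it `MAGIC_WAN_GW_RG`; pick one name so a reader who pastes the set commands gets the output shown. The sentence "[Interface Routes] referenced below by the `interface-routes` statement determines ..." also reads awkwardly; "The `interface-routes` statement determines which interfaces and routing instances are bound to the RIB group" says the same thing.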
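Review bot: the policy name in the security-policies hunk (`@@ -327,25 +560,25 @@`) disagrees between commands and output: the context line reads `set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match source-address any`, but the show output prints `policy cloudflare_to_trust_permit {`. Rename the set commands to `cloudflare_to_trust_permit` so they match the `trust_to_cloudflare_permit` naming of the second policy. Since both policies are `source-address any` / `destination-address any` / `application any` permits, the "add more stringent rules" sentence should say concretely that the cloudflare-to-trust direction is the one to narrow first (to the remote site's subnets) once connectivity is confirmed, because that policy is what admits tunnel traffic into the `trust` zone.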
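Review bot: the new headings in the ping hunk (`@@ -382,12 +613,45 @@`), `#### **Ping Across Virtual Tunnel Interfaces**`, put bold inside a heading, unlike the sibling headings `#### Phase 1 - View Active Peers` and `#### Phase 2 - View IPsec Security Associations`; drop the asterisks for consistency. The tunnel 2 output also has a stray blank line after `PING 10.252.2.22 (10.252.2.22): 56 data bytes` that the tunnel 1 output does not have.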
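Review bot: "some errors in the log are benign" in the traceoptions prose hunk (`@@ -424,10 +690,14 @@`) is left unexplained; name the expected noise, or at least what to ignore, and cite the IKEv2 notify by its protocol name, `NO_PROPOSAL_CHOSEN` (RFC 7296), rather than "no proposal chosen", so readers can search the log for it. "Errors related to authentication or encryption/integrity" would also be clearer as "authentication failures (wrong pre-shared key or IKE ID) and proposal mismatches", since those are the two things this guide configures.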
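Review bot: both trace files in the IPsec traceoptions hunk (`@@ -457,19 +729,61 @@`) are created `world-readable` (`set security ipsec traceoptions file world-readable`, and `file ike-debug.log size 1m files 3 world-readable;` in the IKE output). With `flag all` these logs carry the full IKE negotiation (peer addresses, IKE IDs, proposals) and are readable by any shell account on the device; drop `world-readable`, or state why it is needed, and add a step to delete `/var/log/ike-debug.log` and `/var/log/ipsec-debug.log` once debugging is finished, since deactivating or deleting `traceoptions` does not remove the files already written. Separately, the removed text said "it is not possible to specify the name of the log file. All events are logged to `/var/log/kmd`", but the new commands add `set security ipsec traceoptions file ipsec-debug.log`; confirm this is accepted on 23.4R2.13 and, if it is, note that the behaviour is release-dependent so readers on older Junos know where to look. The headings `### **IPsec** **traceoptions**` and `#### **Enable IPsec** **traceoptions**` use bold where the IKE headings use backticks around `traceoptions`; make them match.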
From 7e33ef9ce7f753d580c9fc3effab5096b458518b Mon Sep 17 00:00:00 2001 From: Jeff Hochberg Date: Thu, 5 Dec 2024 15:50:50 -0500 Subject: [PATCH 2/4] Lots of changes --- .../manually/third-party/juniper.mdx | 61 ++++++++++++------- 1 file changed, 38 insertions(+), 23 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx index 3c287d3d4c8343..d8f0810e1e545d 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx 
@@ -9,13 +9,15 @@ The configuration settings in this document are based on JUNOS 23.4R2.13. ## Prerequisites -Confirm that you have the two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (hereon in "endpoint") - traffic will be routed via BGP Anycast to the closest Cloudflare Point-of-Presence. +Confirm that you have the two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (hereon in "endpoint") - traffic will be naturally attracted to the closest Cloudflare colocation facility via BGP Anycast. -Cloudflare recommends customers configure two IPsec tunnels per Internet Service Provider per endpoint. This provides tunnel redundancy and tunnel diversity. Equal Cost Multipath Routing (ECMP) ensures traffic is load-balanced across the tunnels, and you can control traffic steering across the tunnels through route prioritization. +Cloudflare recommends customers configure two IPsec tunnels (one to each of the two Anycast IPs allocated to you Cloudflare account) per Internet Service Provider per endpoint. This provides tunnel redundancy diversity. -Cloudflare supports Route-Based site-to-site IPsec tunnels, which require the creation of Virtual Tunnel Interfaces (VTIs). We recommend you select one subnet with either a /30 or /31 netmask (the latter makes more efficient use of IP addresses). +Equal Cost Multipath Routing (ECMP) ensures traffic is load-balanced across the tunnels, and you can control traffic steering across the tunnels through route prioritization. -The interface naming convention for VTI interfaces in Junos is st0.x. +Cloudflare supports Route-Based site-to-site IPsec tunnels, which require the creation of Virtual Tunnel Interfaces (VTIs). We recommend you select one subnet per Magic IPsec Tunnel with either a /30 or /31 netmask. 
+ +Using a /31 netmask makes more efficient use of IP addresses as it doubles the number of available subnets as it is unnecessary to reserve IPs for the subnet and broadcast addreses as there would be if you opt to use a /30 netmask. Additional details can be found in [RFC3021 - Using 31-Bit Prefixes on IPv4 Point-to-Point Links](https://datatracker.ietf.org/doc/html/rfc3021). ## Cloudflare Magic WAN configuration @@ -24,6 +26,15 @@ This section of the document will cover the configuration of: - Magic IPsec Tunnels - Magic Static Routes +### Magic WAN Topology + +This documentation assumes there are two locations connected via Magic WAN: + +| Site | Local/Remote | Security Zone | Subnet | +| ---- | ------------ | ------------- | ------------- | +| A | Local | trust | 10.1.20.0/24 | +| B | Remote | cloudflare | 10.1.100.0/24 | + ### Magic IPsec tunnels 1. Start by [creating the IPsec tunnels](/magic-wan/configuration/manually/how-to/configure-tunnels/#add-tunnels) in the Cloudflare dashboard with the following values: 
@@ -48,17 +59,18 @@ This section of the document will cover the configuration of: 8. Expand the first tunnel's properties and note the **Tunnel ID** and **FQDN ID** values. 9. Repeat the previous steps for the second tunnel. :::note - These values are unique per tunnel and remain the same even if you update the pre-shared key. These values change only if you delete and recreate the tunnel. + The **Tunnel ID** and **FQDN ID** values are unique per tunnel and remain unchanged unless you delete and recreate the tunnel. Generating a new Pre-Shared Key will not change the values. ::: -### Magic static routes +### Magic Static Routes -This document assumes that the **trust zone** behind the Juniper SRX firewall has a single subnet: -- `10.1.20.0/24` +Refer to the Magic WAN Topology section above for more details on the IP subnet scheme. -[Magic Static Routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) define which tunnel(s) to route traffic through for a subnet. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. +[Magic Static Routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) effectively tell Magic WAN which tunnels to route traffic destined for a given Magic WAN site. -Cloudflare leverages [Equal-Cost Multi-Path](/magic-wan/reference/traffic-steering/#equal-cost-multi-path-routing) routing to control traffic steering across the tunnels. The default priority for each route is 100 — traffic will be load-balanced across the two tunnels equally via ECMP. You can modify the priorities as needed. +Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. + +Cloudflare leverages [Equal-Cost Multi-Path](/magic-wan/reference/traffic-steering/) routing to control traffic steering across the tunnels. The default priority for each route is 100 — traffic will be load-balanced across the two tunnels equally via ECMP. 
You can modify the priorities as needed, however best practices dictate leaving the default values in place. 1. Create a static route with the following values. Make sure you select the first tunnel in **Tunnel/Next hop**: - **Description:** The description for the static route assigned to your first tunnel. @@ -70,14 +82,19 @@ Cloudflare leverages [Equal-Cost Multi-Path](/magic-wan/reference/traffic-steeri 3. Select **Test Routes** to ensure the settings are accepted, then select **Add Routes**. 4. Confirm the routes were added correctly in **Magic WAN** > **Configuration** > **Static Routes**. -## Juniper SRX configuration +## Juniper SRX Configuration There may be some differences in the syntax of the commands in the version on your SRX devices; however, the principles are the same. Please refer to the Juniper product documentation for more information. +The interface naming convention for VTI interfaces (aka Secure Tunnel Interfaces) in Junos is st0.x. + +[Secure Tunnel Interface in a Virtual Router - Juniper IPsec VPN User Guide](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-secure-tunnel-interface-in-a-virtual-router.html) + The following elements will be configured on the Juniper SRX firewall(s): -- Add tunnel interfaces (`st0.x`) -- Assign tunnel interfaces to a security zone +- Ensure the LAN interface is in the `trust` zone () +- Add Virtual Tunnel Interfaces (`st0.0` and `st0.1`) +- Assign tunnel interfaces to the `cloudflare` security zone - Allow required protocols to both the tunnel and untrust security zones - IKE configuration - IPsec configuration @@ -93,8 +110,6 @@ set interfaces st0 unit 0 family inet address 10.252.2.21/31 set interfaces st0 unit 1 family inet address 10.252.2.23/31 ``` -2. Confirm settings: - ```txt admin@srx300> show configuration interfaces st0 ``` 
@@ -113,7 +128,7 @@ unit 1 { ### Security Zone (Cloudflare) - tunnel interfaces -Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping, but this zone only contains point-to-point connections between the firewall and the customer network namespace. You can always set the values for system services and protocols to all, as the intrazone traffic is from a trusted network. +Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow `ping`, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to `all` for system-services and protocols should be fine. ```txt set security zones security-zone cloudflare interfaces st0.0 host-inbound-traffic system-services all @@ -123,7 +138,7 @@ set security zones security-zone cloudflare interfaces st0.1 host-inbound-traffi ``` ```txt -admin@srx300> show configuration security zones security-zone cloudflare +admin@srx220> show configuration security zones security-zone cloudflare ``` ```txt output interfaces { @@ -152,7 +167,7 @@ interfaces { ### Security zone (untrust) - `host-inbound-traffic` -Add ike to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. +Add ping and ike to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. ```txt set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike @@ -203,7 +218,7 @@ lifetime-seconds 28800; Define two IKE policies — one for each of the two Magic IPsec tunnels: -**Tunnel 1 (SRX300_IPSEC_01)** +***Tunnel 1 (SRX300_IPSEC_01)** ```txt set security ike policy cf_magic_wan_tun_01_pol mode main 
@@ -289,6 +304,8 @@ version v2-only; Add an IPsec proposal that specifies the [Phase 2 Configuration Parameters](/magic-wan/reference/tunnels/#supported-configuration-parameters): +Add an IPsec proposal that specifies the [Phase 2 Configuration Parameters](/magic-wan/reference/tunnels/#supported-configuration-parameters): + ```txt set security ipsec proposal cf_magic_wan_ipsec_prop protocol esp set security ipsec proposal cf_magic_wan_ipsec_prop authentication-algorithm hmac-sha-256-128 @@ -328,7 +345,7 @@ Define two IPsec policies — one for each of the two Magic IPsec tunnels. It is - [Anti-replay](/magic-wan/reference/anti-replay-protection/) protection is disabled. - Use the [`no-anti-replay`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/no-anti-replay-edit-services.html) option. - The SRX is the tunnel initiator: - - Cloudflare will not initiate the tunnel + - Cloudflare will not instantiate the tunnel - If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel - Use [`establish-tunnels immediately`](https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/establish-tunnels-edit-services-ipsec-vpn.html) to ensure the SRX is the tunnel initiator. @@ -380,8 +397,7 @@ establish-tunnels immediately; ### Policy-Based Routing - -The SRX platform allows policy-based routing, which Juniper refers to as filter-based forwarding. +The SRX platform provides policy-based routing functionality, which Juniper refers to as filter-based forwarding. [Filter-Based Forwarding Overview](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html) 
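Review bot: three wording errors in the prerequisites hunk of PATCH 2/4 (`@@ -9,13 +9,15 @@`): "one to each of the two Anycast IPs allocated to you Cloudflare account" should read "your Cloudflare account"; "This provides tunnel redundancy diversity." has lost a word (the previous wording was "tunnel redundancy and tunnel diversity"); and "broadcast addreses" is misspelled. The /31 sentence also runs two "as" clauses together; the point RFC 3021 makes is that a /31 has no network or broadcast address to reserve, so both addresses are usable and the number of point-to-point subnets doubles compared with /30.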
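Review bot: the list item "Ensure the LAN interface is in the `trust` zone ()" in the `## Juniper SRX Configuration` hunk (`@@ -70,14 +82,19 @@`) ends in empty parentheses; either name the interface the way the untrust side does (`ge-0/0/0.0`) or drop the parentheses.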
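Review bot: the hunk `@@ -123,7 +138,7 @@` changes the prompt from `admin@srx300>` back to `admin@srx220>` for `show configuration security zones security-zone cloudflare`, reverting the prompt normalisation done in PATCH 1/4; every other example in the guide uses `admin@srx300>`. Revert this line.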
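Review bot: the text in the untrust zone hunk (`@@ -152,7 +167,7 @@`) now says "Add ping and ike to the security zone containing the external interface", but the only command visible in the hunk's context is `set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike`. Make sure the block below it includes the matching `host-inbound-traffic system-services ping` line, or keep the text to `ike`. If ping is added, say it is optional and for troubleshooting only: IKE does not need it, and it exposes the Internet-facing interface to ICMP echo.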
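Review bot: the hunk `@@ -203,7 +218,7 @@` introduces unbalanced emphasis: `***Tunnel 1 (SRX300_IPSEC_01)**` opens with three asterisks and closes with two, which renders a literal asterisk. Restore `**Tunnel 1 (SRX300_IPSEC_01)**`, matching the Tunnel 2 heading.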
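Review bot: the hunk `@@ -289,6 +304,8 @@` adds a second copy of "Add an IPsec proposal that specifies the [Phase 2 Configuration Parameters](...)" directly under the existing one; drop the duplicate.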
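Review bot: replacing "Cloudflare will not initiate the tunnel" with "will not instantiate the tunnel" in the hunk `@@ -328,7 +345,7 @@` changes the meaning: an IKE peer initiates a negotiation, and the surrounding bullets ("The SRX is the tunnel initiator", `establish-tunnels immediately`) use that term. Keep "initiate".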
@@ -412,7 +428,6 @@ While it is possible to be more prescriptive in terms of the destination subnets Leaving the destination subnet as 0.0.0.0/0 eases some administrative burden as you only need to modify the Firewall Filter to specify which traffic is destined for Magic WAN. - ```txt set routing-instances MAGIC_WAN_RI instance-type forwarding set routing-instances MAGIC_WAN_RI routing-options static route 0.0.0.0/0 next-hop 10.252.2.20 From 95aada35ef7e1f4f852b5299308dc35b1405d1bb Mon Sep 17 00:00:00 2001 From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Fri, 6 Dec 2024 09:48:35 +0000 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- .../configuration/manually/third-party/juniper.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx index a90fb23a5053cc..d90968d09afc05 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx 
@@ -9,9 +9,9 @@ The configuration settings in this document are based on JUNOS 23.4R2.13. ## Prerequisites -Confirm that you have the two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (hereon in "endpoint") - traffic will be naturally attracted to the closest Cloudflare colocation facility via BGP Anycast. +Confirm that you have the two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (hereon in "endpoint") - traffic will be naturally attracted to the closest Cloudflare colocation facility via BGP anycast. -Cloudflare recommends customers configure two IPsec tunnels (one to each of the two Anycast IPs allocated to you Cloudflare account) per Internet Service Provider per endpoint. This provides tunnel redundancy diversity. +Cloudflare recommends customers configure two IPsec tunnels (one to each of the two anycast IPs allocated to you Cloudflare account) per Internet Service Provider per endpoint. This provides tunnel redundancy diversity. Equal Cost Multipath Routing (ECMP) ensures traffic is load-balanced across the tunnels, and you can control traffic steering across the tunnels through route prioritization. @@ -33,7 +33,7 @@ This documentation assumes there are two locations connected via Magic WAN: | Site | Local/Remote | Security Zone | Subnet | | ---- | ------------ | ------------- | ------------- | | A | Local | trust | 10.1.20.0/24 | -| B | Remote | cloudflare | 10.1.100.0/24 | +| B | Remote | Cloudflare | 10.1.100.0/24 | ### Magic IPsec tunnels 
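Review bot: changing the Security Zone cell from `cloudflare` to `Cloudflare` in the topology-table hunk of PATCH 3/4 (`@@ -33,7 +33,7 @@`) makes the prose disagree with the configuration: the zone is defined as `set security zones security-zone cloudflare ...` and referenced as `from-zone cloudflare`, and Junos zone names are case-sensitive identifiers. Keep the zone name lowercase and in code formatting (`cloudflare`), matching the `trust` cell in the row above; the same applies to the `**From Zone:** *Cloudflare*` and `**To Zone:** *Cloudflare*` changes in the `@@ -564` and `@@ -593` hunks, where the zone is again the configured identifier rather than the company name.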
@@ -564,7 +564,7 @@ Define security policies to permit traffic flows destined for Magic WAN-protecte There are two very simple rules to allow traffic bidirectionally — it is generally recommended to start with a similar policy and then add more stringent rules once general connectivity is established successfully. -**From Zone:** *cloudflare* **To Zone:** *trust* +**From Zone:** *Cloudflare* **To Zone:** *trust* ```txt set security policies from-zone cloudflare to-zone trust policy cloudflare_to_trust match source-address any @@ -593,7 +593,7 @@ policy cloudflare_to_trust_permit { } ``` -**From Zone:** *trust* **To Zone:** *cloudflare* +**From Zone:** *trust* **To Zone:** *Cloudflare* ```txt set security policies from-zone trust to-zone cloudflare policy trust_to_cloudflare_permit match source-address any @@ -707,7 +707,7 @@ ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway It can be very helpful to enable debug logging via traceoptions while setting up the tunnels. The log data can help determine if there are issues and, if so, where they might be occurring. -Please note that some errors in the log are benign. The types of errors to look for are those related to authentication or encryption/integrity (i.e. no proposal chosen). +Please note that some errors in the log are benign. The types of errors to look for are those related to authentication or encryption/integrity (that is, no proposal chosen). #### Enable IKE `traceoptions` From 86921f9d3cd8f8778d044a447573c5f9883beef0 Mon Sep 17 00:00:00 2001 From: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> Date: Fri, 6 Dec 2024 10:22:15 +0000 Subject: [PATCH 4/4] Apply suggestions from code review --- .../manually/third-party/juniper.mdx | 111 +++++++++--------- 1 file changed, 55 insertions(+), 56 deletions(-) 
diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx index d90968d09afc05..288f8c0b4ad5b2 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx 
@@ -3,37 +3,37 @@ pcx_content_type: integration-guide title: Juniper Networks SRX Series Firewalls --- -This tutorial provides information and examples of configuring Juniper Networks SRX Series Firewalls with Magic WAN. +This tutorial provides information and examples of how to configure Juniper Networks SRX Series Firewalls with Magic WAN. The configuration settings in this document are based on JUNOS 23.4R2.13. ## Prerequisites -Confirm that you have the two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (hereon in "endpoint") - traffic will be naturally attracted to the closest Cloudflare colocation facility via BGP anycast. +Confirm that you have two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (from now on referred to as endpoint) — traffic will be naturally attracted to the closest Cloudflare colocation facility via BGP anycast. -Cloudflare recommends customers configure two IPsec tunnels (one to each of the two anycast IPs allocated to you Cloudflare account) per Internet Service Provider per endpoint. This provides tunnel redundancy diversity. +Cloudflare recommends that customers configure two IPsec tunnels (one to each of the two anycast IPs allocated to you Cloudflare account) per Internet service provider per endpoint. This provides tunnel redundancy. -Equal Cost Multipath Routing (ECMP) ensures traffic is load-balanced across the tunnels, and you can control traffic steering across the tunnels through route prioritization. +Equal-cost multi-path routing (ECMP) ensures traffic is load-balanced across the tunnels, and you can control traffic steering across the tunnels through route prioritization. -Cloudflare supports Route-Based site-to-site IPsec tunnels, which require the creation of Virtual Tunnel Interfaces (VTIs). 
We recommend you select one subnet per Magic IPsec Tunnel with either a /30 or /31 netmask. +Cloudflare supports route-based site-to-site IPsec tunnels, which require the creation of virtual tunnel interfaces (VTIs). We recommend you select one subnet per Magic IPsec tunnel with either a `/30` or `/31` netmask. -Using a /31 netmask makes more efficient use of IP addresses as it doubles the number of available subnets as it is unnecessary to reserve IPs for the subnet and broadcast addreses as there would be if you opt to use a /30 netmask. Additional details can be found in [RFC3021 - Using 31-Bit Prefixes on IPv4 Point-to-Point Links](https://datatracker.ietf.org/doc/html/rfc3021). +Using a `/31` netmask is a more efficient use of IP addresses as it doubles the number of available subnets compared to a `/30`netmask. This is possible because with a `/31`netmask there is no need to reserve IP addresses for the subnet and broadcast addresses, as there would be if you opt to use a `/30` netmask. Additional details can be found in [RFC 3021 - Using 31-Bit Prefixes on IPv4 Point-to-Point Links](https://datatracker.ietf.org/doc/html/rfc3021). ## Cloudflare Magic WAN configuration This section of the document will cover the configuration of: -- Magic IPsec Tunnels -- Magic Static Routes +- Magic IPsec tunnels +- Magic static routes -### Magic WAN Topology +### Magic WAN topology This documentation assumes there are two locations connected via Magic WAN: | Site | Local/Remote | Security Zone | Subnet | | ---- | ------------ | ------------- | ------------- | -| A | Local | trust | 10.1.20.0/24 | -| B | Remote | Cloudflare | 10.1.100.0/24 | +| A | Local | trust | `10.1.20.0/24` | +| B | Remote | Cloudflare | `10.1.100.0/24` | ### Magic IPsec tunnels 
@@ -45,7 +45,7 @@ This documentation assumes there are two locations connected via Magic WAN: - **Cloudflare endpoint**: One of the two Cloudflare anycast IP addresses. - **Pre-shared key**: Choose **Add pre-shared key later**. 2. Select **Add IPsec Tunnel** and fill in the values for the second tunnel to the same Juniper SRX: - - Ensure you use a unique RFC1918 IP address for the Interface Address (`/31` or `/30`). + - Ensure you use a unique RFC 1918 IP address for the Interface Address (`/31` or `/30`). - Once again, specify the Internet IP address on the untrust side of the SRX firewall for the **Customer Endpoint**. - The **Cloudflare Endpoint** for the second tunnel will be the second Cloudflare anycast IP provisioned for your account. 3. Select **Add Tunnels**. We also recommend selecting **Test Tunnels** to ensure that the settings do not conflict with any other tunnels defined in your account and that you specified the correct anycast IP addresses. 
@@ -62,15 +62,15 @@ This documentation assumes there are two locations connected via Magic WAN: The **Tunnel ID** and **FQDN ID** values are unique per tunnel and remain unchanged unless you delete and recreate the tunnel. Generating a new Pre-Shared Key will not change the values. ::: -### Magic Static Routes +### Magic static routes Refer to the Magic WAN Topology section above for more details on the IP subnet scheme. -[Magic Static Routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) effectively tell Magic WAN which tunnels to route traffic destined for a given Magic WAN site. +[Magic static routes](/magic-wan/configuration/manually/how-to/configure-static-routes/) effectively tell Magic WAN which tunnels to route traffic destined for a given Magic WAN site. Since two tunnels are configured to each endpoint, it is necessary to configure two static routes. -Cloudflare leverages [Equal-Cost Multi-Path](/magic-wan/reference/traffic-steering/) routing to control traffic steering across the tunnels. The default priority for each route is 100 — traffic will be load-balanced across the two tunnels equally via ECMP. You can modify the priorities as needed, however best practices dictate leaving the default values in place. +Cloudflare leverages [equal-cost multi-path](/magic-wan/reference/traffic-steering/) routing to control traffic steering across the tunnels. The default priority for each route is 100 — traffic will be load-balanced across the two tunnels equally via ECMP. You can modify the priorities as needed, however best practices dictate leaving the default values in place. 1. Create a static route with the following values. Make sure you select the first tunnel in **Tunnel/Next hop**: - **Description:** The description for the static route assigned to your first tunnel. 
@@ -82,23 +82,23 @@ Cloudflare leverages [Equal-Cost Multi-Path](/magic-wan/reference/traffic-steeri 3. Select **Test Routes** to ensure the settings are accepted, then select **Add Routes**. 4. Confirm the routes were added correctly in **Magic WAN** > **Configuration** > **Static Routes**. -## Juniper SRX Configuration +## Juniper SRX configuration -There may be some differences in the syntax of the commands in the version on your SRX devices; however, the principles are the same. Please refer to the Juniper product documentation for more information. +There may be some differences in the syntax of the commands in the version on your SRX devices. However, the principles are the same. Refer to the Juniper product documentation for more information. -The interface naming convention for VTI interfaces (aka Secure Tunnel Interfaces) in Junos is st0.x. +The interface naming convention for VTI interfaces (also known as Secure Tunnel Interfaces) in Junos is `st0.x`. [Secure Tunnel Interface in a Virtual Router - Juniper IPsec VPN User Guide](https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-secure-tunnel-interface-in-a-virtual-router.html) The following elements will be configured on the Juniper SRX firewall(s): -- Ensure the LAN interface is in the `trust` zone () -- Add Virtual Tunnel Interfaces (`st0.0` and `st0.1`) +- Ensure the LAN interface is in the `trust` zone +- Add virtual tunnel Interfaces (`st0.0` and `st0.1`) - Assign tunnel interfaces to the `cloudflare` security zone - Allow required protocols to both the tunnel and untrust security zones - IKE configuration - IPsec configuration -- Policy-Based Routing (Filter-Based Forwarding) +- Policy-based routing (filter-based forwarding) - Security policies ### Tunnel interfaces 
@@ -167,7 +167,7 @@ interfaces { ### Security zone (untrust) - `host-inbound-traffic` -Add ping and ike to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. +Add `ping` and `ike` to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare. ```txt set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike @@ -338,7 +338,7 @@ admin@srx300> show configuration security ipsec policy cf_magic_wan_ipsec_pol proposals cf_magic_wan_ipsec_prop; ``` -#### **IPsec VPN Tunnels** +#### IPsec VPN tunnels Define two IPsec policies - one for each of the two Magic IPsec tunnels. It is crucial to ensure that: 
@@ -397,24 +397,24 @@ establish-tunnels immediately; ### Policy-Based Routing -The SRX platform provides policy-based routing functionality, which Juniper refers to as filter-based forwarding. - -[Filter-Based Forwarding Overview](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html) +The SRX platform provides policy-based routing functionality, which Juniper refers to as [filter-based forwarding](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html). Filter-based forwarding is implemented by configuring the following: -1. Routing Instance: Specify the routing table(s) to which a packet is forwarded and the destination to which the packet is forwarded at the [edit routing-instances] hierarchy level. -2. Firewall Filter: Use a stateless firewall filter to specify the source and destination addresses in conjunction with a routing instance that forwards traffic across the Magic IPsec Tunnels, then bind the firewall filter to the ingress interface (trust zone). -3. RIB Group: Share interface routes with the forwarding routing instances used in filter-based forwarding (FBF). +1. **Routing Instance**: Specify the routing table(s) to which a packet is forwarded and the destination to which the packet is forwarded at the [edit routing-instances] hierarchy level. +2. **Firewall Filter**: Use a stateless firewall filter to specify the source and destination addresses in conjunction with a routing instance that forwards traffic across the Magic IPsec tunnels, then bind the firewall filter to the ingress interface (trust zone). +3. **RIB Group**: Share interface routes with the forwarding routing instances used in filter-based forwarding (FBF). -Note: Firewall filters must incorporate at least two terms: +:::note +Firewall filters must incorporate at least two terms: -1. 
Term 1: Classify the traffic to forward to Magic WAN -2. Term 2: Permit all other traffic - otherwise, the firewall filters will discard any traffic not intended for Magic WAN destinations. +- **Term 1**: Classify the traffic to forward to Magic WAN +- **Term 2**: Permit all other traffic — otherwise, the firewall filters will discard any traffic not intended for Magic WAN destinations. +::: -This configuration only factors in one local site (10.1.20.0/24). In this example, we assume devices in the trust zone must route traffic to a remote subnet at another Magic WAN-protected site (10.1.100.0/24). +This configuration only factors in one local site (`10.1.20.0/24`). In this example, we assume devices in the trust zone must route traffic to a remote subnet at another Magic WAN-protected site (`10.1.100.0/24`). -Define a static route on the SRX to route traffic to 10.1.100.0/24 with redundant routes referencing each of the two tunnels. +Define a static route on the SRX to route traffic to `10.1.100.0/24` with redundant routes referencing each of the two tunnels. **Routing Instance:** 
@@ -424,9 +424,9 @@ As mentioned earlier, any traffic destined for other Magic WAN protected sites m The example includes two static routes - one to each of the two VTIs on the Cloudflare side of the Magic IPsec Tunnels (`10.252.2.20` and `10.252.2.22`). -While it is possible to be more prescriptive in terms of the destination subnets, we simply use 0.0.0.0/0 as the Firewall Filter ensures only traffic destined for 10.1.100.0/24 will be forwarded to the Routing Instance. Any other traffic not destined for 10.1.100.0/24 will continue to the Primary Routing Table (`inet.0`) as it falls outside the scope of the Firewall Filter configured in the next section below. +While it is possible to be more prescriptive in terms of the destination subnets, we simply use `0.0.0.0/0` as the firewall filter ensures only traffic destined for `10.1.100.0/24` will be forwarded to the routing instance. Any other traffic not destined for `10.1.100.0/24` will continue to the primary routing table (`inet.0`) as it falls outside the scope of the firewall filter configured in the next section below. -Leaving the destination subnet as 0.0.0.0/0 eases some administrative burden as you only need to modify the Firewall Filter to specify which traffic is destined for Magic WAN. +Leaving the destination subnet as `0.0.0.0/0` eases some administrative burden as you only need to modify the firewall filter to specify which traffic is destined for Magic WAN. ```txt set routing-instances MAGIC_WAN_RI instance-type forwarding 
@@ -450,11 +450,10 @@ MAGIC_WAN_RI { **Firewall Filter:** -In this step, we create a stateless firewall filter to ensure only packets from 10.1.20.0/24 destined for 10.1.100.0/24 are sent to the `MAGIC_WAN_RI` Routing Instance. - -- Term 1 - `MAGIC_WAN_NETS` ensures only packets from 10.1.20.0/24 destined for 10.1.100.0/24 are sent to the `MAGIC_WAN_RI` Routing Instance. Take note of the `count` statement defined in this term. [Count](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-stateless-example-act-on-sampling.html) allows you to view how many packets are processed by this term in the Firewall Filter. An example of how to view the Counter is included below. +In this step, we create a stateless firewall filter to ensure only packets from `10.1.20.0/24` destined for `10.1.100.0/24` are sent to the `MAGIC_WAN_RI` routing instance. -- Term 2 - `ALLOW_EVERYTHING_ELSE` ensures all other traffic continues to the Primary Routing Table (`inet.0`). +- **Term 1** - `MAGIC_WAN_NETS` ensures only packets from `10.1.20.0/24` destined for `10.1.100.0/24` are sent to the `MAGIC_WAN_RI` routing instance. Take note of the `count` statement defined in this term. [Count](https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-stateless-example-act-on-sampling.html) allows you to view how many packets are processed by this term in the firewall filter. An example of how to view the Counter is included below. +- **Term 2** - `ALLOW_EVERYTHING_ELSE` ensures all other traffic continues to the primary routing table (`inet.0`). ```txt set firewall family inet filter MAGIC_WAN_FBF term MAGIC_WAN_NETS from source-address 10.1.20.0/24 
@@ -528,7 +527,7 @@ family inet { **RIB Group:** -RIB Groups allow you to concatenate the contents of multiple routing tables into a Routing Table Group. +RIB Groups allow you to concatenate the contents of multiple routing tables into a routing table group. The primary routing table in the RIB group should be `inet.0` followed by the secondary routing table `MAGIC_WAN_RI.inet.0` which is the `MAGIC_WAN_RI` routing-instance created above. @@ -628,11 +627,11 @@ policy trust_to_cloudflare_permit { There are several diagnostic commands available to view the status of IPsec tunnels. -#### **Ping Across Virtual Tunnel Interfaces** +#### Ping across virtual tunnel interfaces -Use ping to test connectivity from the SRX side of the tunnel to the Cloudflare side of the tunnel. Ensure you use the source option to specify the IP address associated with tunnel interfaces st0.0 and st0.1, respectively: +Use ping to test connectivity from the SRX side of the tunnel to the Cloudflare side of the tunnel. Ensure you use the source option to specify the IP address associated with tunnel interfaces `st0.0` and `st0.1`, respectively: -Tunnel 1 - `st0.0 - 10.252.2.21` +**Tunnel 1** - `st0.0 - 10.252.2.21` ```txt admin@srx300> ping source 10.252.2.21 10.252.2.20 @@ -646,7 +645,7 @@ PING 10.252.2.20 (10.252.2.20): 56 data bytes 64 bytes from 10.252.2.20: icmp_seq=4 ttl=64 time=3.811 ms ``` -Tunnel 2 - `st0.1 - 10.252.2.23` +**Tunnel 2** - `st0.1 - 10.252.2.23` ```txt admin@srx300> ping source 10.252.2.23 10.252.2.22 
@@ -754,11 +753,11 @@ file ike-debug.log size 1m files 3 world-readable; flag all; ``` -### **IPsec** **traceoptions** +### IPsec `traceoptions` -[traceoptions (Security IPsec)](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/security-edit-traceoptions-ipsec.html) +Refer to [traceoptions (Security IPsec)](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/security-edit-traceoptions-ipsec.html) for more information on this topic. -#### **Enable IPsec** **traceoptions** +#### Enable IPsec `traceoptions` ```txt set security ipsec traceoptions file ipsec-debug.log @@ -768,29 +767,29 @@ set security ipsec traceoptions file world-readable set security ipsec traceoptions flag all ``` -The log file can be viewed by doing the following: +To view the log file: -1. From an operational mode, run **start shell**. +1. From an operational mode, run `start shell`. 2. Use the tail command to view the contents of the log file in real time: `tail -f /var/log/ipsec-debug.log` -3. Press CTRL + C when finished. -4. Type exit to return to the operational mode prompt. +3. Press `CTRL + C` when finished. +4. Type `exit` to return to the operational mode prompt. -Either deactivate traceoptions or delete traceoptions once debugging is complete. +Either deactivate `traceoptions` or delete `traceoptions` once debugging is complete. -#### **Delete IPsec** **traceoptions** +#### Delete IPsec `traceoptions` ```txt delete security ipsec traceoptions ``` -#### **Deactivate IPsec** **traceoptions** +#### Deactivate IPsec `traceoptions` ```txt deactivate security ipsec traceoptions ``` -Confirm traceoptions is deactivated: +Confirm `traceoptions` is deactivated: ```txt admin@srx300> show configuration security ipsec traceoptions
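Review bot: in the @@ -82 hunk the list item `- Add virtual tunnel Interfaces (`st0.0` and `st0.1`)` is only half converted to the sentence case the rest of the hunk applies; "Interfaces" should be lowercased so the item reads `- Add virtual tunnel interfaces (`st0.0` and `st0.1`)`, matching the neighbouring items ("Assign tunnel interfaces ...", "Policy-based routing (filter-based forwarding)").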
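Review bot: the @@ -397 hunk leaves the `### Policy-Based Routing` heading in title case while the same change renames the corresponding list item to "Policy-based routing (filter-based forwarding)" and lowercases the other headings ("## Juniper SRX configuration", "#### IPsec VPN tunnels"); it should become `### Policy-based routing` for consistency. In the same hunk, the Junos hierarchy path `[edit routing-instances]` in the first numbered item is a CLI path and reads better as inline code (`` `[edit routing-instances]` ``), which also avoids any ambiguity with link syntax in MDX.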
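Review bot: in the @@ -450 hunk the introductory sentence ("In this step, we create a stateless firewall filter to ensure only packets from `10.1.20.0/24` destined for `10.1.100.0/24` are sent to the `MAGIC_WAN_RI` routing instance.") and the **Term 1** bullet repeat the same sentence verbatim; the intro could be shortened to state that the filter has two terms and let the bullets carry the detail. Also, "the Counter" in the Term 1 bullet keeps a capital while "firewall filter" and "routing instance" were lowercased in this hunk, so it should read "how to view the counter".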
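Review bot: the @@ -768 hunk tells the reader to deactivate or delete `traceoptions` after debugging, but the log written with `set security ipsec traceoptions file world-readable` and `flag all` stays on disk at `/var/log/ipsec-debug.log` (plus the rotated copies from the `files` setting) and remains readable by any local account; the procedure should add a final step to remove those files once debugging is complete, or drop `world-readable` from the example unless a non-root viewer is actually needed. Minor: step 2 ("Use the tail command ...") should format `tail` as inline code like `start shell`, `CTRL + C` and `exit` in the surrounding steps.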