Configure IPsec tunnels

Configure 2 active tunnels to the Private Access service.

Steps

  1. Configure the IKE cipher, DH group, and security association lifetime parameters:
    set security ike proposal ike_proposal authentication-method pre-shared-keys
    set security ike proposal ike_proposal dh-group <supported_dh_group>
    set security ike proposal ike_proposal authentication-algorithm sha-256
    set security ike proposal ike_proposal encryption-algorithm <supported_ike_cipher>
    set security ike proposal ike_proposal lifetime-seconds 86400
  2. Define IKE policy with the pre-shared key.
    set security ike policy ike_policy mode main
    set security ike policy ike_policy proposals ike_proposal
    set security ike policy ike_policy pre-shared-key ascii-text <pre-shared_key>
  3. Define the first cloud gateway and associate it with the egress interface:
    set security ike gateway PAgateway1 ike-policy ike_policy
    set security ike gateway PAgateway1 address <tunnel1_destination_address>
    set security ike gateway PAgateway1 dead-peer-detection always-send
    set security ike gateway PAgateway1 dead-peer-detection interval 10
    set security ike gateway PAgateway1 dead-peer-detection threshold 3
    set security ike gateway PAgateway1 external-interface <outgoing_interface>
    set security ike gateway PAgateway1 local-identity hostname <local_fqdn_id> 
    set security ike gateway PAgateway1 remote-identity hostname <forcepoint_ike_id>
    set security ike gateway PAgateway1 version v2-only

    The local-identity line in the commands above uses a local IKE ID of type FQDN. To use a local IKE ID of type IP address instead, replace that line with the following:

    set security ike gateway PAgateway1 local-identity inet <public_ip>
  4. Define the second cloud gateway:
    set security ike gateway PAgateway2 ike-policy ike_policy
    set security ike gateway PAgateway2 address <tunnel2_destination_address>
    set security ike gateway PAgateway2 dead-peer-detection always-send
    set security ike gateway PAgateway2 dead-peer-detection interval 10
    set security ike gateway PAgateway2 dead-peer-detection threshold 3
    set security ike gateway PAgateway2 external-interface <outgoing_interface>
    set security ike gateway PAgateway2 local-identity hostname <local_fqdn_id>
    set security ike gateway PAgateway2 remote-identity hostname <forcepoint_ike_id>
    set security ike gateway PAgateway2 version v2-only

    The local-identity line in the commands above uses a local IKE ID of type FQDN. To use a local IKE ID of type IP address instead, replace that line with the following:

    set security ike gateway PAgateway2 local-identity inet <public_ip>
  5. Define the IPsec proposal and policy (the proposal's authentication-algorithm takes an integrity algorithm such as an HMAC variant, not an encryption cipher):
    set security ipsec proposal ipsec_proposal protocol esp
    set security ipsec proposal ipsec_proposal authentication-algorithm <supported_ipsec_auth_algorithm>
    set security ipsec proposal ipsec_proposal encryption-algorithm <supported_ipsec_cipher>
    set security ipsec proposal ipsec_proposal lifetime-seconds 28800
    set security ipsec policy ipsec_policy proposals ipsec_proposal
  6. Configure 2 tunnel interfaces (st0.0 and st0.1) and assign them to the "vpn" security zone:
    set interfaces st0 unit 0 family inet
    set interfaces st0 unit 1 family inet
    set security zones security-zone vpn interfaces st0.0
    set security zones security-zone vpn interfaces st0.1
  7. Allow all traffic from "zone trust" (LAN) to "zone vpn":
    Note: In this example, "trust" is the name given to the security zone that includes the incoming LAN interface for the private application network.
    set security policies from-zone trust to-zone vpn policy vpn_policy match source-address any 
    set security policies from-zone trust to-zone vpn policy vpn_policy match destination-address any 
    set security policies from-zone trust to-zone vpn policy vpn_policy match application any
    set security policies from-zone trust to-zone vpn policy vpn_policy then permit
  8. Allow all traffic from the Private Access NAT IP addresses in "zone vpn" to "zone trust" (LAN):
    set security policies from-zone vpn to-zone trust policy vpn_policy match source-address any 
    set security policies from-zone vpn to-zone trust policy vpn_policy match destination-address any 
    set security policies from-zone vpn to-zone trust policy vpn_policy match application any 
    set security policies from-zone vpn to-zone trust policy vpn_policy then permit
  9. Define the first tunnel:
    set security ipsec vpn tunnel1 bind-interface st0.0
    set security ipsec vpn tunnel1 ike gateway PAgateway1
    set security ipsec vpn tunnel1 ike ipsec-policy ipsec_policy
    set security ipsec vpn tunnel1 establish-tunnels immediately
  10. Define the second tunnel:
    set security ipsec vpn tunnel2 bind-interface st0.1
    set security ipsec vpn tunnel2 ike gateway PAgateway2
    set security ipsec vpn tunnel2 ike ipsec-policy ipsec_policy
    set security ipsec vpn tunnel2 establish-tunnels immediately
  11. Private Access gateways apply network address translation (NAT) to remote traffic before forwarding it to the hosting site. The first tunnel uses 116.50.59.232 as the source NAT IP address, and the second tunnel uses 116.50.59.234 as the source NAT IP address.
    Configure a forwarding routing instance for each tunnel interface and, in each instance, define one static route that points that tunnel's source NAT IP at its st0 interface:
    set routing-instances route_to_vpn1 instance-type forwarding
    set routing-instances route_to_vpn1 routing-options static route 116.50.59.232/32 next-hop st0.0
    set routing-instances route_to_vpn2 instance-type forwarding
    set routing-instances route_to_vpn2 routing-options static route 116.50.59.234/32 next-hop st0.1 
  12. Create a routing table (RIB) group for interface routes, and import the routing tables inet.0, route_to_vpn1.inet.0, and route_to_vpn2.inet.0 into it:
    set routing-options interface-routes rib-group inet route_via_vpn
    set routing-options rib-groups route_via_vpn import-rib inet.0
    set routing-options rib-groups route_via_vpn import-rib route_to_vpn1.inet.0
    set routing-options rib-groups route_via_vpn import-rib route_to_vpn2.inet.0
  13. Create static routes to the two source NAT IP addresses to direct the traffic to the IPsec tunnels:
    set routing-options static route 116.50.59.232/32 next-table route_to_vpn1.inet.0 
    set routing-options static route 116.50.59.234/32 next-table route_to_vpn2.inet.0
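The steps above are easy to get subtly wrong when typed by hand (a gateway left at the default IKE version, both tunnels bound to the same st0 unit, a NAT route pointing at an interface no tunnel uses). The script below is an added example, not part of this guide and not Juniper or Forcepoint code: it parses Junos "set" statements and checks the settings that matter for the two Private Access tunnels before commit. The sample configuration it carries is constructed from the steps above; the peer addresses, the key and the placeholder values in it are assumptions, while the source NAT addresses are the ones stated in step 11.

```python
"""Pre-commit sanity check for the two-tunnel Junos configuration above.

Added example (not the guide's, Juniper's or Forcepoint's code). Verifies:
a pre-shared key in the IKE policy, two IKE gateways pinned to IKEv2 with
dead-peer detection, two tunnels bound to distinct st0 units that sit in
security zone vpn, and a /32 route for each source NAT address that
resolves to one of those tunnel interfaces.
"""
import shlex
from collections import defaultdict

# Source NAT addresses stated in step 11 of the guide.
NAT_SOURCES = ("116.50.59.232", "116.50.59.234")

# Constructed sample mirroring the guide's steps; peer addresses and the key
# are placeholders, not real values.
SAMPLE_CONFIG = """\
set security ike policy ike_policy pre-shared-key ascii-text "CONSTRUCTED-PSK"
set security ike gateway PAgateway1 address 203.0.113.10
set security ike gateway PAgateway1 dead-peer-detection always-send
set security ike gateway PAgateway1 version v2-only
set security ike gateway PAgateway2 address 203.0.113.11
set security ike gateway PAgateway2 dead-peer-detection always-send
set security ike gateway PAgateway2 version v2-only
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security ipsec vpn tunnel1 bind-interface st0.0
set security ipsec vpn tunnel1 ike gateway PAgateway1
set security ipsec vpn tunnel2 bind-interface st0.1
set security ipsec vpn tunnel2 ike gateway PAgateway2
set routing-instances route_to_vpn1 routing-options static route 116.50.59.232/32 next-hop st0.0
set routing-instances route_to_vpn2 routing-options static route 116.50.59.234/32 next-hop st0.1
set routing-options static route 116.50.59.232/32 next-table route_to_vpn1.inet.0
set routing-options static route 116.50.59.234/32 next-table route_to_vpn2.inet.0
"""


def parse_set_statements(text):
    """Return each 'set ...' line as a token list with the leading 'set' removed."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            statements.append(shlex.split(line)[1:])
    return statements


def audit_tunnel_config(text):
    """Return a list of findings; an empty list means every check passed."""
    gateways = defaultdict(set)   # gateway name -> set of 'key value...' strings
    tunnels = defaultdict(dict)   # vpn name -> {'bind': 'st0.N', 'gateway': name}
    zone_vpn_ifaces = set()
    instance_routes = {}          # prefix -> next-hop interface in a routing instance
    has_psk = False
    for s in parse_set_statements(text):
        if s[:3] == ["security", "ike", "policy"] and "pre-shared-key" in s:
            has_psk = True
        elif s[:3] == ["security", "ike", "gateway"]:
            gateways[s[3]].add(" ".join(s[4:]))
        elif s[:3] == ["security", "ipsec", "vpn"]:
            if s[4] == "bind-interface":
                tunnels[s[3]]["bind"] = s[5]
            elif s[4:6] == ["ike", "gateway"]:
                tunnels[s[3]]["gateway"] = s[6]
        elif s[:5] == ["security", "zones", "security-zone", "vpn", "interfaces"]:
            zone_vpn_ifaces.add(s[5])
        elif s[0] == "routing-instances" and "next-hop" in s:
            instance_routes[s[s.index("route") + 1]] = s[s.index("next-hop") + 1]

    findings = []
    if not has_psk:
        findings.append("IKE policy has no pre-shared key")
    if len(gateways) != 2:
        findings.append(f"expected 2 IKE gateways, found {len(gateways)}")
    for name, settings in gateways.items():
        if "version v2-only" not in settings:
            findings.append(f"gateway {name} is not restricted to IKEv2 (version v2-only)")
        if not any(item.startswith("dead-peer-detection") for item in settings):
            findings.append(f"gateway {name} has no dead-peer-detection")
    if len(tunnels) != 2:
        findings.append(f"expected 2 IPsec VPNs, found {len(tunnels)}")
    binds = [t.get("bind") for t in tunnels.values()]
    if len(set(binds)) != len(binds):
        findings.append("two tunnels share the same bind interface")
    for name, t in tunnels.items():
        if t.get("bind") not in zone_vpn_ifaces:
            findings.append(f"tunnel {name} interface {t.get('bind')} is not in security zone vpn")
        if t.get("gateway") not in gateways:
            findings.append(f"tunnel {name} references undefined IKE gateway {t.get('gateway')}")
    for nat_ip in NAT_SOURCES:
        next_hop = instance_routes.get(f"{nat_ip}/32")
        if next_hop is None:
            findings.append(f"no static route for source NAT address {nat_ip}/32")
        elif next_hop not in binds:
            findings.append(f"route for {nat_ip}/32 points at {next_hop}, which no tunnel uses")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

To use it on a real device, paste the output of "show configuration | display set" (a Junos operational command) into the text passed to audit_tunnel_config; the parser ignores any line that does not start with "set", so comments and prompts are harmless.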