
Juniper SSG templates

Updated: July 2, 2014

The templates below are for devices in the Juniper SSG device family. Two templates follow: the first negotiates the tunnel with IKEv1 and explicit Phase 1 and Phase 2 proposals, the second with IKEv2 and the ScreenOS "sec-level compatible" proposal set. Replace each <RP_...>, <SP_...> and <NameOfYourOutsideInterface> placeholder with your own value before loading a template. For a list of all available device templates, see About VPN Devices for Virtual Network. For information about configuring a device template for your environment, see About configuring VPN device templates.

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper SSG Series Secure Services Gateway running ScreenOS 6.2.
# It configures an IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

# !!! 2. Only 1 subnet is allowed for your on-premises network.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premises VPN device
# (which is the Azure Gateway) here.
set ike p1-proposal <RP_IkeProposal> preshare group2 esp aes256 sha-1 seconds 28800
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premises
# traffic will be transmitted.
set ike p2-proposal <RP_IPSecProposal> no-pfs esp aes256 sha-1 seconds 3600
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 proposal <RP_IPSecProposal>
set vpn <RP_IPSecVpn> monitor optimized rekey
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premises network traffic.
# You should also allow inbound IKE (UDP) and ESP traffic on the interface that will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350

# Microsoft Corporation
# Windows Azure Virtual Network

# This configuration template applies to Juniper SSG Series Secure Services Gateway running ScreenOS 6.2.
# It configures an IPSec VPN tunnel connecting your on-premises VPN device with the Azure gateway.

# ---------------------------------------------------------------------------------------------------------------------
# Virtual tunnel interface configuration
set interface <RP_Tunnel> zone untrust
set interface <RP_Tunnel> ip unnumbered interface <NameOfYourOutsideInterface>
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# Internet Key Exchange (IKE) configuration
# 
# This section specifies the authentication, encryption, hashing, and lifetime parameters for the Phase 1 negotiation
# and the main mode security association. We also specify the IP address of the peer of your on-premises VPN device
# (which is the Azure Gateway) here.
set ike gateway ikev2 <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> sec-level compatible
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# ---------------------------------------------------------------------------------------------------------------------
# IPSec configuration
# 
# This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
# mode security association. We also bind the IPSec policy to the virtual tunnel interface, through which cross-premises
# traffic will be transmitted.
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> tunnel idletime 0 sec-level compatible
set vpn <RP_IPSecVpn> bind interface <RP_Tunnel>

# ---------------------------------------------------------------------------------------------------------------------
# ACL rules
# 
# Proper ACL rules are needed for permitting cross-premises network traffic.
# You should also allow inbound IKE (UDP) and ESP traffic on the interface that will be used for the IPSec tunnel.
set address trust <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set address untrust <RP_AzureNetwork> <SP_AzureNetworkCIDR>
set policy top from trust to untrust <RP_OnPremiseNetwork> <RP_AzureNetwork> any permit
set policy top from untrust to trust <RP_AzureNetwork> <RP_OnPremiseNetwork> any permit

# ---------------------------------------------------------------------------------------------------------------------
# TCPMSS clamping
#
# Adjust the TCPMSS value properly to avoid fragmentation
set flow vpn-tcp-mss 1350
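As an added example that is not part of the Azure templates or of ScreenOS, the following Python helper fills the <RP_...>, <SP_...> and <NameOfYourOutsideInterface> placeholders used by both templates above from a parameter set, and refuses to emit a configuration that breaks the templates' stated constraints: one on-premises subnet only, valid CIDRs, a single IPv4 peer address, a usable pre-shared key, non-overlapping address spaces, and no placeholder left unfilled. The template excerpt, placeholder names other than those on the page, and all sample values are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed excerpt of the template above; in practice load the full template text from a file.
TEMPLATE = """\
set route <SP_AzureNetworkCIDR> interface <RP_Tunnel>
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> proposal <RP_IkeProposal>
set vpn <RP_IPSecVpn> proxy-id local-ip <SP_OnPremiseNetworkCIDR> remote-ip <SP_AzureNetworkCIDR> "ANY"
"""
PLACEHOLDER = re.compile(r"<([A-Za-z_]\w*)>")     # <RP_...>, <SP_...>, <NameOf...>
CLI_TOKEN = re.compile(r"^[A-Za-z0-9_./-]+$")     # one ScreenOS CLI word: no spaces or quotes


def validate(params):
    """Check site-specific (SP_) values before substitution; raise ValueError on the first problem."""
    # The template allows only one on-premises subnet, so a list of CIDRs is rejected here.
    if "," in params["SP_OnPremiseNetworkCIDR"]:
        raise ValueError("SP_OnPremiseNetworkCIDR: exactly one subnet is allowed")
    # strict=True rejects CIDRs with host bits set (for example 10.1.0.1/16).
    onprem = ipaddress.ip_network(params["SP_OnPremiseNetworkCIDR"], strict=True)
    azure = ipaddress.ip_network(params["SP_AzureNetworkCIDR"], strict=True)
    if onprem.overlaps(azure):
        raise ValueError("on-premises and Azure address spaces overlap; proxy-id and routes would be ambiguous")
    ipaddress.IPv4Address(params["SP_AzureGatewayIpAddress"])   # the peer must be a single IPv4 address
    if not params["SP_PresharedKey"] or re.search(r'[\s"]', params["SP_PresharedKey"]):
        raise ValueError("SP_PresharedKey must be non-empty and contain no whitespace or quotes")
    for key, value in params.items():
        if key != "SP_PresharedKey" and not CLI_TOKEN.match(value):
            raise ValueError(f"{key}: {value!r} is not a single CLI token")


def render(template, params):
    """Fill placeholders and fail closed if any <placeholder> would reach the device unfilled."""
    validate(params)
    out = PLACEHOLDER.sub(lambda m: params.get(m.group(1), m.group(0)), template)
    unfilled = sorted(set(PLACEHOLDER.findall(out)))
    if unfilled:
        raise ValueError("unfilled placeholders: " + ", ".join(unfilled))
    return out


# Constructed sample values (RFC 5737 / RFC 1918 ranges); replace with your own.
SAMPLE = {
    "RP_Tunnel": "tunnel.1", "RP_IkeGateway": "AzureGW", "RP_IkeProposal": "AzureP1",
    "RP_IPSecVpn": "AzureVPN", "NameOfYourOutsideInterface": "ethernet0/0",
    "SP_AzureGatewayIpAddress": "203.0.113.10", "SP_AzureNetworkCIDR": "10.1.0.0/16",
    "SP_OnPremiseNetworkCIDR": "192.168.10.0/24", "SP_PresharedKey": "REPLACE-WITH-YOUR-PSK",
}

if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE))
```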

© 2014 Microsoft