Juniper ISG 1000 ScreenOS 6.3r9 or ScreenOS 6.2r13
As part of the procedure to establish a site-to-site connection to your Windows Azure Virtual Network, you need to run a script to configure your VPN device.
Use the script template below for Juniper ISG 1000 ScreenOS 6.3r9 or ScreenOS 6.2r13.
| Note |
|---|
| To run the script, you need to log in with a privileged account. |
| Note |
|---|
| Parameters that start with 'SP_' are specified parameters that you get from your Virtual Network settings in the Windows Azure Management Portal. Parameters that start with 'RP_' are parameters that you name by yourself. |
```
# Define the tunnel interfaces as part of a VPN zone (for reference, most likely already created)
# e.g. set interface "tunnel.1" zone "VPN"
# e.g. set interface "tunnel.2" zone "VPN"
set interface "tunnel.1" zone <RP_VpnZone>
set interface "tunnel.2" zone <RP_VpnZone>

# You must have a default route to the Internet for IKE to work (for reference, most likely already created)
# e.g. set route 0.0.0.0/0 gateway 50.0.17.1
set route 0.0.0.0/0 gateway <IpAddressOfYourDefaultGateway>

# Create your tunnel interfaces, one for each subnet negotiated on the remote side.
# e.g. set interface tunnel.1 ip unnumbered interface ethernet0/9
# e.g. set interface tunnel.2 ip unnumbered interface ethernet0/9
set interface tunnel.1 ip unnumbered interface <NameOfYourOutsideInterface>
set interface tunnel.2 ip unnumbered interface <NameOfYourOutsideInterface>

# Set the TCP MSS to 1350 for IPsec with NAT-T/UDP
set flow tcp-mss 1350

# Ensure that if traffic comes in on a tunnel, the return route always goes through the tunnel
set flow reverse-route tunnel always

# Define the IKE gateway using the Azure gateway IP and the pre-shared key assigned by Azure during the VPN setup.
# e.g. set ike gateway "Azure1" address 65.52.249.21 main outgoing-interface "ethernet0/9" preshare abcdefg sec-level standard
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> sec-level standard
set ike gateway <RP_IkeGateway> dpd-liveness interval 10

# Define this Phase 2 proposal for Azure, with PFS disabled.
# e.g. set ike p2-proposal "p2" no-pfs esp aes128 sha-1 second 3600
set ike p2-proposal <RP_IPSecPolicy> no-pfs esp aes128 sha-1 second 3600

# Define the VPN and bind it to the first tunnel interface.
# e.g. set vpn "Azure-GW1" gateway "Azure1" no-replay tunnel idletime 0 proposal "p2"
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> no-replay tunnel idletime 0 proposal <RP_IPSecPolicy>
set vpn <RP_IPSecVpn> monitor optimized rekey
set vpn <RP_IPSecVpn> bind interface tunnel.1

# Optional: for each additional "remote protected network" behind Azure, define another VPN, tunnel interface
# and route if a new SA is to be built for each network. Use a distinct VPN name for the second tunnel
# (e.g. "Azure-GW2" versus "Azure-GW1" above); reusing the first name would re-bind that VPN to tunnel.2.
# e.g. set vpn "Azure-GW2" gateway "Azure1" no-replay tunnel idletime 0 proposal "p2"
set vpn <RP_IPSecVpn2> gateway <RP_IkeGateway> no-replay tunnel idletime 0 proposal <RP_IPSecPolicy>
set vpn <RP_IPSecVpn2> monitor optimized rekey
set vpn <RP_IPSecVpn2> bind interface tunnel.2

# Route the remote VPN traffic through the appropriate tunnel interface.
# e.g. set route 192.168.0.0/24 interface tunnel.1
set route <SP_AzureNetworkCIDR1> interface tunnel.1

# If using multiple networks behind the Azure gateway, add a route for each additional network, bound to the
# tunnel interface the VPN is configured on. This ensures traffic is routed into the right SA.
# e.g. set route 192.168.1.0/24 interface tunnel.2
set route <SP_AzureNetworkCIDR2> interface tunnel.2

# Security policies
# If your tunnel interfaces are created in the Trust zone, you do not need security policies. If you wish to use
# security policies to filter traffic, create your tunnel interfaces in a VPN zone and use policies to control
# the traffic flow, as shown below.

# Define the address book entries for each of the local and remote subnets to be negotiated.
# e.g. set address "Trust" "192.168.100.0" 192.168.100.0/24
# e.g. set address "Trust" "192.168.101.0" 192.168.101.0/24
set address "Trust" <RP_OnPremiseNetwork1> <SP_OnPremiseNetworkCIDR1>
set address "Trust" <RP_OnPremiseNetwork2> <SP_OnPremiseNetworkCIDR2>
# e.g. set address "VPN" "192.168.0.0" 192.168.0.0/24
# e.g. set address "VPN" "192.168.1.0" 192.168.1.0/24
set address <RP_VpnZone> <RP_AzureNetwork1> <SP_AzureNetworkCIDR1>
set address <RP_VpnZone> <RP_AzureNetwork2> <SP_AzureNetworkCIDR2>

# Permit traffic in both directions between every on-premises network and every Azure network.
set policy id 10 from "Trust" to <RP_VpnZone> <RP_OnPremiseNetwork1> <RP_AzureNetwork1> "ANY" permit log count
set policy id 10
exit
set policy id 11 from <RP_VpnZone> to "Trust" <RP_AzureNetwork1> <RP_OnPremiseNetwork1> "ANY" permit log count
set policy id 11
exit
set policy id 12 from "Trust" to <RP_VpnZone> <RP_OnPremiseNetwork1> <RP_AzureNetwork2> "ANY" permit log count
set policy id 12
exit
set policy id 13 from <RP_VpnZone> to "Trust" <RP_AzureNetwork2> <RP_OnPremiseNetwork1> "ANY" permit log count
set policy id 13
exit
set policy id 14 from "Trust" to <RP_VpnZone> <RP_OnPremiseNetwork2> <RP_AzureNetwork2> "ANY" permit log count
set policy id 14
exit
set policy id 15 from <RP_VpnZone> to "Trust" <RP_AzureNetwork2> <RP_OnPremiseNetwork2> "ANY" permit log count
set policy id 15
exit
set policy id 16 from "Trust" to <RP_VpnZone> <RP_OnPremiseNetwork2> <RP_AzureNetwork1> "ANY" permit log count
set policy id 16
exit
set policy id 17 from <RP_VpnZone> to "Trust" <RP_AzureNetwork1> <RP_OnPremiseNetwork2> "ANY" permit log count
set policy id 17
exit
```
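The note above explains that the template mixes portal-supplied `SP_` values with operator-chosen `RP_` names. A wrong or forgotten value is only discovered once the firewall rejects the line or, worse, accepts a route with host bits set. The following is an added example, not code from the original page, Microsoft or Juniper: a small Python helper that fills a shortened subset of the template from a parameter dictionary and refuses to emit the script if any placeholder is unfilled, a CIDR is not a valid prefix, an address is malformed, or the pre-shared key contains whitespace (which the ScreenOS CLI would split into separate tokens). `TEMPLATE` is a trimmed copy of the page's script, the function names (`placeholders`, `validate_params`, `render_template`) are assumptions, and every value in `PARAMS` is constructed sample data, not a real address or key.

```python
"""Fill the ScreenOS site-to-site template and sanity-check the values first.

Added example, not code from the original page, Microsoft or Juniper.
TEMPLATE is a shortened subset of the page's script; the function names and
every value in PARAMS are assumptions / constructed sample data.
"""
import ipaddress
import re

# Shortened subset of the page's template, keeping its <SP_...>/<RP_...> placeholder convention.
TEMPLATE = """\
set interface "tunnel.1" zone <RP_VpnZone>
set route 0.0.0.0/0 gateway <IpAddressOfYourDefaultGateway>
set interface tunnel.1 ip unnumbered interface <NameOfYourOutsideInterface>
set flow tcp-mss 1350
set ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress> main outgoing-interface <NameOfYourOutsideInterface> preshare <SP_PresharedKey> sec-level standard
set ike p2-proposal <RP_IPSecPolicy> no-pfs esp aes128 sha-1 second 3600
set vpn <RP_IPSecVpn> gateway <RP_IkeGateway> no-replay tunnel idletime 0 proposal <RP_IPSecPolicy>
set vpn <RP_IPSecVpn> bind interface tunnel.1
set route <SP_AzureNetworkCIDR1> interface tunnel.1
set address "Trust" <RP_OnPremiseNetwork1> <SP_OnPremiseNetworkCIDR1>
set address <RP_VpnZone> <RP_AzureNetwork1> <SP_AzureNetworkCIDR1>
set policy id 10 from "Trust" to <RP_VpnZone> <RP_OnPremiseNetwork1> <RP_AzureNetwork1> "ANY" permit log count
"""

PLACEHOLDER = re.compile(r"<([A-Za-z0-9_]+)>")

# Constructed sample values (documentation address ranges, placeholder key); replace with your own.
PARAMS = {
    "RP_VpnZone": '"VPN"',
    "IpAddressOfYourDefaultGateway": "203.0.113.1",
    "NameOfYourOutsideInterface": '"ethernet0/9"',
    "RP_IkeGateway": '"Azure1"',
    "SP_AzureGatewayIpAddress": "198.51.100.21",
    "SP_PresharedKey": "REPLACE-WITH-KEY-FROM-PORTAL",
    "RP_IPSecPolicy": '"p2"',
    "RP_IPSecVpn": '"Azure-GW1"',
    "SP_AzureNetworkCIDR1": "10.1.0.0/16",
    "RP_AzureNetwork1": '"10.1.0.0"',
    "RP_OnPremiseNetwork1": '"10.100.0.0"',
    "SP_OnPremiseNetworkCIDR1": "10.100.0.0/24",
}


def placeholders(template):
    """Distinct placeholder names the template expects, in sorted order."""
    return sorted(set(PLACEHOLDER.findall(template)))


def validate_params(template, params):
    """Return a list of problems; an empty list means the parameters are usable.

    A missing value would leave '<...>' in the config, a prefix with host bits
    set is not a usable route/address entry, and whitespace in the pre-shared
    key would be split into separate tokens by the CLI parser.
    """
    problems = []
    for name in placeholders(template):
        value = str(params.get(name, "")).strip()
        if not value:
            problems.append(f"missing value for <{name}>")
            continue
        if "CIDR" in name:
            try:
                ipaddress.ip_network(value, strict=True)
            except ValueError:
                problems.append(f"<{name}>: {value!r} is not a valid network prefix")
        elif "IpAddress" in name:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"<{name}>: {value!r} is not a valid IP address")
        elif name == "SP_PresharedKey" and re.search(r"\s", value):
            problems.append("<SP_PresharedKey>: must not contain whitespace")
    return problems


def render_template(template, params):
    """Substitute every placeholder, or raise ValueError listing what is wrong."""
    problems = validate_params(template, params)
    if problems:
        raise ValueError("; ".join(problems))
    return PLACEHOLDER.sub(lambda m: str(params[m.group(1)]), template)


if __name__ == "__main__":
    print(render_template(TEMPLATE, PARAMS))
```

Run it with a complete `PARAMS` and the rendered script is printed ready to paste; drop a key or set `SP_AzureNetworkCIDR1` to something like `10.1.0.5/16` and `render_template` raises instead of producing a half-filled config.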
Summary
Configuration for a route-based VPN on Juniper SSG/ISG NetScreen devices running ScreenOS. It defines a VPN zone and uses a route-based VPN configuration. Recommended when only a single SA (network/block) needs to be negotiated on the Juniper side of the VPN.
If multiple separate subnets need to be defined on the Juniper-side of the VPN, you should use an SRX or J-Series device and Policy-based VPN.
| Note |
|---|
| NAT-T is required by Windows Azure (responder behind NAT, SLB). As a result, UDP/500 and UDP/4500 must be opened between the Juniper device and the Windows Azure gateway in addition to ESP (protocol 50). |
Limitations
- Policy-based VPN configuration is not supported due to some known issues. We are actively working with Juniper for a feasible solution.
- Route-based VPN requires a definition for each network or P2 SA built to the remote end, but only supports a single SA definition for the branch office network.
  Recommendation: Summarize on-premise CIDR ranges on branch devices whenever possible to create a single SA. This will allow for a route-based VPN with multiple Windows Azure subnets.
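The recommendation above hinges on a question a practitioner has to answer before touching the firewall: what single prefix covers all the on-premises subnets, how much address space does that summary claim beyond the real subnets, and does it collide with the Azure ranges that must be routed into the tunnel? The following is an added example, not code from the original page, Microsoft or Juniper. It computes the smallest covering prefix for a list of on-premises CIDRs and flags any Azure prefix the summary would overlap, since a summary route that also contains an Azure subnet makes the Phase 2 selectors and the routing ambiguous. The function names (`summarize`, `conflicting_remote`, `plan_single_sa`) are assumptions, and the sample prefixes are constructed, reusing the 192.168.x.0/24 ranges that appear in the script's comments.

```python
"""Summarize on-premises subnets into one CIDR so the branch side of the
route-based VPN needs only a single SA, as the Limitations section recommends.

Added example, not from the original page, Microsoft or Juniper. Function
names and sample prefixes are constructed.
"""
import ipaddress


def summarize(cidrs):
    """Smallest single prefix that covers every network in cidrs."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("IPv4 and IPv6 prefixes cannot share one summary")
    summary = nets[0]
    # Widen the prefix one bit at a time until every network falls inside it.
    while not all(n.subnet_of(summary) for n in nets) and summary.prefixlen > 0:
        summary = summary.supernet(prefixlen_diff=1)
    return summary


def conflicting_remote(summary, remote_cidrs):
    """Remote (Azure) prefixes that intersect the summary. Any hit means the
    summary route would also claim traffic that belongs in the tunnel."""
    return [c for c in remote_cidrs
            if summary.overlaps(ipaddress.ip_network(c, strict=True))]


def plan_single_sa(onprem_cidrs, azure_cidrs):
    """Return (summary_cidr, extra_addresses, conflicts).

    extra_addresses is the address space the summary claims beyond the real
    subnets (overlapping inputs are collapsed first so they are not counted
    twice); conflicts lists the Azure prefixes the summary would overlap.
    """
    summary = summarize(onprem_cidrs)
    collapsed = ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=True) for c in onprem_cidrs)
    covered = sum(n.num_addresses for n in collapsed)
    return (str(summary), summary.num_addresses - covered,
            conflicting_remote(summary, azure_cidrs))


if __name__ == "__main__":
    # Constructed sample inputs: two on-premises layouts against the same Azure ranges.
    azure = ["192.168.0.0/24", "192.168.1.0/24"]
    for onprem in (["192.168.100.0/24", "192.168.101.0/24"],
                   ["192.168.100.0/24", "192.168.2.0/24"]):
        summary, extra, conflicts = plan_single_sa(onprem, azure)
        if conflicts:
            verdict = "renumber first: %s overlaps Azure %s" % (summary, conflicts)
        else:
            verdict = "OK: single SA with %s" % summary
        print(onprem, "->", verdict, "(extra addresses: %d)" % extra)
```

For two adjacent /24s the summary is an exact /23 with no extra addresses and no conflict, so a single SA is straightforward. For subnets spread across the 192.168.0.0/16 space the covering prefix grows to /17, pulls in tens of thousands of unused addresses, and swallows the Azure ranges; in that case the on-premises addressing has to be consolidated before the single-SA design can be used.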
References to ScreenOS documentation regarding IPsec VPN