
Juniper J-Series J6350 JunOS 11.2r6 or JunOS 10.4r9

As part of the procedure to establish a site-to-site connection to your Windows Azure Virtual Network, you need to run a script to configure your VPN device.

Use the script template below for a Juniper J-Series J6350 running JunOS 11.2r6 or JunOS 10.4r9.

Note
To run the script, you need to log in with a privileged account.

Note
Parameters that start with 'SP_' are specified parameters that you get from your Virtual Network settings in the Windows Azure Management Portal. Parameters that start with 'RP_' are parameters that you name yourself. Every placeholder in angle brackets (including <interface-name> and <NameOfYourOutsideInterface>) must be replaced with a real value before the configuration is committed.

This section has the following scripts:

  1. Policy-based VPN
  2. Route-based VPN

Policy-based VPN

# Two RVI (routed-vlan-interfaces) are created for our internal block
# e.g. set interfaces vlan unit 0 family inet address 192.168.100.1/24
# e.g. set interfaces vlan unit 1 family inet address 192.168.101.1/24
set interfaces vlan unit 0 family inet address <SP_VirtualInterfaceIpAddress1>
set interfaces vlan unit 1 family inet address <SP_VirtualInterfaceIpAddress2>

# Public IP configured here; more typically this is already configured on a physical interface at the customer site.
# e.g. set interfaces <interface-name> unit 0 family inet address 50.0.17.248/24 <-- Juniper device public IP
set interfaces <interface-name> unit 0 family inet address <SP_OnPremiseVpnDeviceIpAddress>

# Set the TCP-MSS for IPSec traffic to 1350 for IPSec/UDP with NAT-Traversal
set security flow tcp-mss ipsec-vpn mss 1350

# e.g. set security ike policy ike-policy1 mode main
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposal-set standard
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>

# e.g. set security ike gateway Azure1 address 65.52.249.21 <-- Remote Azure Gateway IP
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>

# Always use this IPv4 identity (our own public IP, the address Azure sees as the peer) and use this external interface to talk IKE to this peer.
# e.g. set security ike gateway Azure1 local-identity inet 50.0.17.248 <-- Same as our Public IP
set security ike gateway <RP_IkeGateway> local-identity inet <SP_OnPremiseVpnDeviceIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>

# e.g. set security ipsec policy vpn-policy1 proposal-set compatible
set security ipsec policy <RP_IPSecPolicy> proposal-set compatible

# Define the first VPN SA and bind it to the IKE gateway and tunnel interface
# e.g. set security ipsec vpn Azure1 ike gateway Azure1
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>

# Enable this to always start the tunnel (from the Juniper device) 
set security ipsec vpn <RP_IPSecVpn> establish-tunnels immediately

# Enable IKE on the external (public IP) interface facing the Azure cloud. Add "ping" to system-services only if you want this interface to answer ICMP for troubleshooting.
set security zones security-zone untrust interfaces <NameOfYourOutsideInterface> host-inbound-traffic system-services ike

# Make sure you have a default Route to the Internet if you don't already.
# e.g. set routing-options static route 0.0.0.0/0 next-hop 50.0.17.1 <-- default gateway IP
set routing-options static route 0.0.0.0/0 next-hop <IpAddressOfYourDefaultGateway>

# In this configuration you MUST define the security policies. Each network/block (each IPsec SA negotiated) requires one policy in each direction.
# The following defines 8 policies (4 pair-policies) to match the 4 SAs for the 4 network/block combinations used in this configuration.
# First we define the address-book entries for each network/block. The policies below match on these address names, not on the raw CIDRs.
# Zone names are case-sensitive: the Azure entries go in the same "untrust" zone that the policies and the external interface use.
# e.g. set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
# e.g. set security zones security-zone trust address-book address 192.168.101.0/24 192.168.101.0/24
set security zones security-zone trust address-book address <RP_OnPremiseNetwork1> <SP_OnPremiseNetworkCIDR1>
set security zones security-zone trust address-book address <RP_OnPremiseNetwork2> <SP_OnPremiseNetworkCIDR2>

# e.g. set security zones security-zone untrust address-book address 192.168.0.0/24 192.168.0.0/24
# e.g. set security zones security-zone untrust address-book address 192.168.1.0/24 192.168.1.0/24
set security zones security-zone untrust address-book address <RP_AzureNetwork1> <SP_AzureNetworkCIDR1>
set security zones security-zone untrust address-book address <RP_AzureNetwork2> <SP_AzureNetworkCIDR2>

# Next the policies. Note: in a policy-based VPN the policies drive the IPsec (Phase 2) SA negotiation; one SA is built per pair-policy, and the policy's source/destination addresses become the proxy IDs.
# These security policies must sit above any existing rules you may already have (use "insert ... before" if a broader permit rule already exists)!
# e.g. set security policies from-zone trust to-zone untrust policy vpn1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy1> match source-address <RP_OnPremiseNetwork1>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy1> match destination-address <RP_AzureNetwork1>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy1> match application any
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy1> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy1> then permit tunnel pair-policy <RP_UntrustToTrustPolicy1>

# e.g. set security policies from-zone untrust to-zone trust policy vpn2 match source-address 192.168.0.0/24
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy1> match source-address <RP_AzureNetwork1>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy1> match destination-address <RP_OnPremiseNetwork1>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy1> match application any
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy1> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy1> then permit tunnel pair-policy <RP_TrustToUntrustPolicy1>

# e.g. set security policies from-zone trust to-zone untrust policy vpn3 match source-address 192.168.101.0/24
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy2> match source-address <RP_OnPremiseNetwork2>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy2> match destination-address <RP_AzureNetwork1>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy2> match application any
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy2> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy2> then permit tunnel pair-policy <RP_UntrustToTrustPolicy2>

# e.g. set security policies from-zone untrust to-zone trust policy vpn4 match source-address 192.168.0.0/24
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy2> match source-address <RP_AzureNetwork1>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy2> match destination-address <RP_OnPremiseNetwork2>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy2> match application any
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy2> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy2> then permit tunnel pair-policy <RP_TrustToUntrustPolicy2>

# e.g. set security policies from-zone trust to-zone untrust policy vpn5 match source-address 192.168.101.0/24
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy3> match source-address <RP_OnPremiseNetwork2>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy3> match destination-address <RP_AzureNetwork2>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy3> match application any
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy3> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy3> then permit tunnel pair-policy <RP_UntrustToTrustPolicy3>

# e.g. set security policies from-zone untrust to-zone trust policy vpn6 match source-address 192.168.1.0/24
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy3> match source-address <RP_AzureNetwork2>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy3> match destination-address <RP_OnPremiseNetwork2>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy3> match application any
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy3> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy3> then permit tunnel pair-policy <RP_TrustToUntrustPolicy3>

# e.g. set security policies from-zone trust to-zone untrust policy vpn7 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy4> match source-address <RP_OnPremiseNetwork1>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy4> match destination-address <RP_AzureNetwork2>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy4> match application any
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy4> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone trust to-zone untrust policy <RP_TrustToUntrustPolicy4> then permit tunnel pair-policy <RP_UntrustToTrustPolicy4>

# e.g. set security policies from-zone untrust to-zone trust policy vpn8 match source-address 192.168.1.0/24
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy4> match source-address <RP_AzureNetwork2>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy4> match destination-address <RP_OnPremiseNetwork1>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy4> match application any
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy4> then permit tunnel ipsec-vpn <RP_IPSecVpn>
set security policies from-zone untrust to-zone trust policy <RP_UntrustToTrustPolicy4> then permit tunnel pair-policy <RP_TrustToUntrustPolicy4>

# Note: additional networks may be added by adding one pair of security policies (trust->untrust and untrust->trust, bound to each other with pair-policy) for every new (on-premises network, Azure network) combination.
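The policy-based script above is a template with hand-expanded placeholders, and the closing note says more networks are added by adding more policy pairs. The following generator is an added example (not part of the original page and not a Juniper or Microsoft tool): it renders the security-related 'set' lines of the policy-based script from a dictionary of SP_/RP_ values, expands the policy pairs for any number of on-premises and Azure networks, and refuses parameter sets that cannot work (overlapping proxy IDs, a local identity that is the Azure gateway address rather than our own public IP). Every value in SAMPLE_PARAMS is constructed, the address-book names onprem-netN/azure-netN and the function names are this example's own, and interface addressing and the default route are left out because they are site-specific.

```python
import ipaddress

# Constructed sample parameters; nothing here is a real deployment, address or key.
SAMPLE_PARAMS = {
    "SP_OnPremiseVpnDeviceIpAddress": "50.0.17.248",
    "SP_AzureGatewayIpAddress": "65.52.249.21",
    "SP_PresharedKey": "constructed-psk-replace-me",
    "SP_OnPremiseNetworkCIDR": ["192.168.100.0/24", "192.168.101.0/24"],
    "SP_AzureNetworkCIDR": ["192.168.0.0/24", "192.168.1.0/24"],
    "RP_IkePolicy": "ike-policy1",
    "RP_IkeGateway": "Azure1",
    "RP_IPSecPolicy": "vpn-policy1",
    "RP_IPSecVpn": "Azure1",
    "OutsideInterface": "ge-0/0/0.0",  # logical unit, as external-interface expects
}


def validate_params(params):
    """Parse the network parameters and refuse combinations that cannot work:
    overlapping proxy IDs, a local identity equal to the peer, or a bad PSK."""
    onprem = [ipaddress.ip_network(c) for c in params["SP_OnPremiseNetworkCIDR"]]
    azure = [ipaddress.ip_network(c) for c in params["SP_AzureNetworkCIDR"]]
    for a in onprem:
        for b in azure:
            if a.overlaps(b):
                raise ValueError(f"on-premises {a} overlaps Azure {b}")
    local = ipaddress.ip_address(params["SP_OnPremiseVpnDeviceIpAddress"])
    peer = ipaddress.ip_address(params["SP_AzureGatewayIpAddress"])
    if local == peer:
        raise ValueError("local identity must be our own public IP, not the Azure gateway")
    psk = params["SP_PresharedKey"]
    if not psk or '"' in psk:
        raise ValueError("pre-shared key must be non-empty and contain no double quotes")
    return onprem, azure


def render_policy_based(params):
    """Return the 'set' lines for the security part of the policy-based script."""
    onprem, azure = validate_params(params)
    p = params
    ike, gw = p["RP_IkePolicy"], p["RP_IkeGateway"]
    ipsec, vpn, ext = p["RP_IPSecPolicy"], p["RP_IPSecVpn"], p["OutsideInterface"]
    psk = p["SP_PresharedKey"]
    lines = [
        "set security flow tcp-mss ipsec-vpn mss 1350",
        f"set security ike policy {ike} mode main",
        f"set security ike policy {ike} proposal-set standard",
        f'set security ike policy {ike} pre-shared-key ascii-text "{psk}"',
        f"set security ike gateway {gw} ike-policy {ike}",
        f"set security ike gateway {gw} address {p['SP_AzureGatewayIpAddress']}",
        # The local identity is OUR public address: the ID Azure expects from the peer.
        f"set security ike gateway {gw} local-identity inet {p['SP_OnPremiseVpnDeviceIpAddress']}",
        f"set security ike gateway {gw} external-interface {ext}",
        f"set security ipsec policy {ipsec} proposal-set compatible",
        f"set security ipsec vpn {vpn} ike gateway {gw}",
        f"set security ipsec vpn {vpn} ike ipsec-policy {ipsec}",
        f"set security ipsec vpn {vpn} establish-tunnels immediately",
        f"set security zones security-zone untrust interfaces {ext} host-inbound-traffic system-services ike",
    ]
    # Address-book entries; the policies match on these names, so the zone (case-sensitive) must match.
    for i, net in enumerate(onprem, 1):
        lines.append(f"set security zones security-zone trust address-book address onprem-net{i} {net}")
    for j, net in enumerate(azure, 1):
        lines.append(f"set security zones security-zone untrust address-book address azure-net{j} {net}")
    # One pair of policies per (on-premises, Azure) combination: 2 * N * M policies in total.
    n = 0
    for i in range(1, len(onprem) + 1):
        for j in range(1, len(azure) + 1):
            n += 1
            out_name, in_name = f"vpn{2 * n - 1}", f"vpn{2 * n}"
            out = f"set security policies from-zone trust to-zone untrust policy {out_name}"
            inb = f"set security policies from-zone untrust to-zone trust policy {in_name}"
            lines += [
                f"{out} match source-address onprem-net{i}",
                f"{out} match destination-address azure-net{j}",
                f"{out} match application any",
                f"{out} then permit tunnel ipsec-vpn {vpn}",
                f"{out} then permit tunnel pair-policy {in_name}",
                f"{inb} match source-address azure-net{j}",
                f"{inb} match destination-address onprem-net{i}",
                f"{inb} match application any",
                f"{inb} then permit tunnel ipsec-vpn {vpn}",
                f"{inb} then permit tunnel pair-policy {out_name}",
            ]
    return lines


if __name__ == "__main__":
    print("\n".join(render_policy_based(SAMPLE_PARAMS)))
```

With the two-by-two sample input this produces the same eight policies as the template (40 policy lines). The generated policies still have to be placed above any broader existing permit rules on the device, as the script's own comment warns.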


Route-based VPN

# Two RVI (routed-vlan-interfaces) were created for our internal block; in this case they can be summarized into 192.168.100.0/23
# e.g. set interfaces vlan unit 0 family inet address 192.168.100.1/24
# e.g. set interfaces vlan unit 1 family inet address 192.168.101.1/24
set interfaces vlan unit 0 family inet address <SP_VirtualInterfaceIpAddress1>
set interfaces vlan unit 1 family inet address <SP_VirtualInterfaceIpAddress2>

# Public IP configured here; more typically this is already configured on a physical interface at the customer site.
# e.g. set interfaces <interface-name> unit 0 family inet address 50.0.17.248/24 <-- Juniper device public IP
set interfaces <interface-name> unit 0 family inet address <SP_OnPremiseVpnDeviceIpAddress>
# Define the two tunnel interfaces (one for each remote protected network) and enable IPv4 on them.
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet

# Set the TCP-MSS for IPSec traffic to 1350 for IPSec/UDP with NAT-Traversal
set security flow tcp-mss ipsec-vpn mss 1350

# e.g. set security ike policy ike-policy1 mode main
set security ike policy <RP_IkePolicy> mode main
set security ike policy <RP_IkePolicy> proposal-set standard
set security ike policy <RP_IkePolicy> pre-shared-key ascii-text <SP_PresharedKey>
set security ike gateway <RP_IkeGateway> ike-policy <RP_IkePolicy>

# e.g. set security ike gateway Azure1 address 65.52.249.21 <Remote IP of Azure Gateway>
set security ike gateway <RP_IkeGateway> address <SP_AzureGatewayIpAddress>

# Always use this IPv4 identity (our own public IP, the address Azure sees as the peer) and use this external interface to talk IKE to this peer.
# e.g. set security ike gateway Azure1 local-identity inet 50.0.17.248 <-- Same as our Public IP
set security ike gateway <RP_IkeGateway> local-identity inet <SP_OnPremiseVpnDeviceIpAddress>
set security ike gateway <RP_IkeGateway> external-interface <NameOfYourOutsideInterface>

# e.g. set security ipsec policy vpn-policy1 proposal-set compatible
set security ipsec policy <RP_IPSecPolicy> proposal-set compatible
# Define the first VPN SA and bind it to the IKE gateway and tunnel interface
# e.g. set security ipsec vpn Azure1 ike gateway Azure1
set security ipsec vpn <RP_IPSecVpn> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn> ike ipsec-policy <RP_IPSecPolicy>
set security ipsec vpn <RP_IPSecVpn> bind-interface st0.0 

# Enable this to always start the tunnel (from the Juniper device) 
set security ipsec vpn <RP_IPSecVpn> establish-tunnels immediately

# Define the IPSec Proxy IDs (the networks or cidr blocks negotiated for IPSec)
# e.g. set security ipsec vpn <RP_IPSecVpn> ike proxy-identity local 192.168.100.0/23
# e.g. set security ipsec vpn <RP_IPSecVpn> ike proxy-identity remote 192.168.0.0/24
set security ipsec vpn <RP_IPSecVpn> ike proxy-identity local <SP_OnPremiseNetworkCIDR>
set security ipsec vpn <RP_IPSecVpn> ike proxy-identity remote <SP_AzureNetworkCIDR1>
set security ipsec vpn <RP_IPSecVpn> ike proxy-identity service any

# Add the Tunnel Interfaces to the VPN Security Zone. 
# Note: If you add these to the Trust security zone, no policies will be needed for traffic going from Trust->Trust. 
# e.g. set security zones security-zone VPN interfaces st0.0 
# e.g. set security zones security-zone VPN interfaces st0.1
set security zones security-zone <RP_VpnZone> interfaces st0.0 
set security zones security-zone <RP_VpnZone> interfaces st0.1

# Default Route to the Internet, make sure you have one.
# e.g. set routing-options static route 0.0.0.0/0 next-hop 50.0.17.1 <-- default gateway IP
set routing-options static route 0.0.0.0/0 next-hop <IpAddressOfYourDefaultGateway>

# Route for each IPSec SA to each Remote network behind Azure Gateway
# set routing-options static route 192.168.0.0/24 next-hop st0.0
set routing-options static route <SP_AzureNetworkCIDR1> next-hop st0.0

# Enable IKE on the external (public IP) interface facing the Azure cloud. Add "ping" to system-services only if you want this interface to answer ICMP for troubleshooting.
set security zones security-zone untrust interfaces <NameOfYourOutsideInterface> host-inbound-traffic system-services ike

# Optionally define the security policies. If a default permit-all rule is in place, or the st0 interfaces are assigned to the trust zone, policies are not required.
# From a least-privilege standpoint, prefer the dedicated VPN zone with explicit policies shown here: traffic arriving from Azure is then subject to policy instead of being implicitly trusted.
# The policies match on address-book names, so define those first.
# e.g. set security zones security-zone trust address-book address 192.168.100.0/23 192.168.100.0/23
# e.g. set security zones security-zone VPN address-book address 192.168.0.0/24 192.168.0.0/24
set security zones security-zone trust address-book address <RP_OnPremiseNetwork> <SP_OnPremiseNetworkCIDR>
set security zones security-zone <RP_VpnZone> address-book address <RP_AzureNetwork1> <SP_AzureNetworkCIDR1>

# e.g. set security policies from-zone trust to-zone VPN policy vpn-out match source-address 192.168.100.0/23
set security policies from-zone trust to-zone <RP_VpnZone> policy <RP_TrustToVpnPolicy> match source-address <RP_OnPremiseNetwork>
set security policies from-zone trust to-zone <RP_VpnZone> policy <RP_TrustToVpnPolicy> match destination-address <RP_AzureNetwork1>
set security policies from-zone trust to-zone <RP_VpnZone> policy <RP_TrustToVpnPolicy> match application any
set security policies from-zone trust to-zone <RP_VpnZone> policy <RP_TrustToVpnPolicy> then permit
set security policies from-zone <RP_VpnZone> to-zone trust policy <RP_VpnToTrustPolicy> match source-address <RP_AzureNetwork1>
set security policies from-zone <RP_VpnZone> to-zone trust policy <RP_VpnToTrustPolicy> match destination-address <RP_OnPremiseNetwork>
set security policies from-zone <RP_VpnZone> to-zone trust policy <RP_VpnToTrustPolicy> match application any
set security policies from-zone <RP_VpnZone> to-zone trust policy <RP_VpnToTrustPolicy> then permit

# Optionally define an additional VPN SA and bind it to the IKE gateway and a unique tunnel interface.
# This is only required if there are multiple separate subnets behind the Azure gateway!
set security ipsec vpn <RP_IPSecVpn2> ike gateway <RP_IkeGateway>
set security ipsec vpn <RP_IPSecVpn2> ike ipsec-policy <RP_IPSecPolicy>
set security ipsec vpn <RP_IPSecVpn2> bind-interface st0.1

# Enable this to always start the tunnel (from the Juniper device)
set security ipsec vpn <RP_IPSecVpn2> establish-tunnels immediately

# Define the IPsec Proxy IDs (the networks or CIDR blocks negotiated for IPsec)
set security ipsec vpn <RP_IPSecVpn2> ike proxy-identity local <SP_OnPremiseNetworkCIDR>
set security ipsec vpn <RP_IPSecVpn2> ike proxy-identity remote <SP_AzureNetworkCIDR2>
set security ipsec vpn <RP_IPSecVpn2> ike proxy-identity service any

# Route the second Azure network through the second tunnel interface (st0.1 is already in the VPN zone above). If you use policies, add a matching address-book entry and policy pair for <SP_AzureNetworkCIDR2> as well.
# e.g. set routing-options static route 192.168.1.0/24 next-hop st0.1
set routing-options static route <SP_AzureNetworkCIDR2> next-hop st0.1


Summary

There are two types of VPN configuration described here:

  1. Branch SRX / J-Series configuration for policy-based VPN. Uses the untrust zone for VPN connectivity and security policies (one pair-policy per network/block combination) to build four IPsec SAs per direction. When multiple SAs (networks/blocks) need to be negotiated on the Juniper side of the VPN, the policy-based configuration is recommended. If only a single network/block set of SAs is required, you may also use the route-based configuration for simplicity.

  2. Branch SRX / J-Series configuration for route-based VPN. Defines a VPN zone and uses a route-based VPN configuration with st0 tunnel interfaces.

    Recommended when only a single SA (network/block) needs to be negotiated on the Juniper side of the VPN. If multiple separate subnets must be defined on the Juniper side of the VPN, use the policy-based VPN.

Note
NAT-T is required by Azure (the responder sits behind NAT and a software load balancer). As a result, UDP/500 and UDP/4500 must be open between the Juniper device and the Windows Azure gateway in addition to ESP (IP protocol 50).

Limitations

  • We currently do not support JunOS 11.4r1.9 due to a known issue. We are actively working with Juniper on a feasible solution.

  • Route-based VPN requires a definition for each remote network (each Phase 2 SA built to the remote end), but supports only a single SA definition for the branch office network.

    Recommendation: Summarize the on-premises CIDR ranges on branch devices whenever possible so that a single SA covers them. This allows a route-based VPN with multiple Windows Azure subnets.
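The recommendation above (and the route-based script's own comment that 192.168.100.0/24 and 192.168.101.0/24 summarize to 192.168.100.0/23) leaves the practitioner to work out the summary by hand and to notice when it cannot be done safely. The following is an added example, not part of the original page: it computes the single summary prefix the route-based configuration needs, reports whether that summary is exact or over-covers address space the branch does not own, rejects the plan when the summary swallows an Azure subnet, and renders the per-subnet proxy-identity and route lines in the st0.0/st0.1 layout of the script. All inputs are constructed, and the function names are this example's own.

```python
import ipaddress


def summarize_onprem(cidrs):
    """Return (summary, exact): the smallest single prefix containing every
    network in cidrs, and whether it covers nothing beyond those networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    if not nets or len({n.version for n in nets}) != 1:
        raise ValueError("need one or more prefixes of a single IP version")
    nets.sort()
    summary = nets[0]
    # Widen the lowest prefix one bit at a time until it contains all the others.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return summary, covered == summary.num_addresses


def plan_route_based(onprem_cidrs, azure_cidrs):
    """Build the single-local-proxy-ID plan the route-based script needs.

    Returns the summary, whether it is exact, the Azure prefixes it collides
    with, and one (local, remote) proxy-ID pair per Azure subnet. A non-empty
    'conflicts' list means the summary swallowed address space that has to be
    reached through the tunnel: use the policy-based script (or renumber)
    instead of committing this plan. A non-exact summary still works, but the
    branch then claims address space it does not own, so Azure will send
    traffic for those extra addresses down the tunnel."""
    summary, exact = summarize_onprem(onprem_cidrs)
    azure = [ipaddress.ip_network(c) for c in azure_cidrs]
    conflicts = [str(n) for n in azure if summary.overlaps(n)]
    proxy_ids = [] if conflicts else [(str(summary), str(n)) for n in azure]
    return {"summary": str(summary), "exact": exact,
            "conflicts": conflicts, "proxy_ids": proxy_ids}


def render_proxy_ids(vpn_names, proxy_ids):
    """Emit the bind-interface, proxy-identity and static-route lines for one
    ipsec vpn per Azure subnet, on st0.0, st0.1, ... as in the script above."""
    lines = []
    for unit, (name, (local, remote)) in enumerate(zip(vpn_names, proxy_ids)):
        lines += [
            f"set security ipsec vpn {name} bind-interface st0.{unit}",
            f"set security ipsec vpn {name} ike proxy-identity local {local}",
            f"set security ipsec vpn {name} ike proxy-identity remote {remote}",
            f"set security ipsec vpn {name} ike proxy-identity service any",
            f"set routing-options static route {remote} next-hop st0.{unit}",
        ]
    return lines


if __name__ == "__main__":
    # Constructed inputs matching the examples in the route-based script.
    plan = plan_route_based(["192.168.100.0/24", "192.168.101.0/24"],
                            ["192.168.0.0/24", "192.168.1.0/24"])
    print(plan)
    print("\n".join(render_proxy_ids(["Azure1", "Azure2"], plan["proxy_ids"])))
```

For the script's own addresses the summary is the exact 192.168.100.0/23. A branch with 192.168.0.0/24 and 192.168.101.0/24 instead summarizes to 192.168.0.0/17, which overlaps an Azure subnet such as 192.168.1.0/24, and the plan is rejected.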

References to JunOS documentation regarding IPsec VPN

See Also

© 2013 Microsoft. All rights reserved.