AWS VPN with Juniper SRX
http://bluechiptek.com/
Prerequisites
 Juniper SRX running JunOS
 Amazon Web Services account
 Internet connectivity for the Juniper SRX device
 Familiarity with JunOS
Organizations increasingly find themselves needing the agility and cost control of the cloud
while continuing to leverage their existing private infrastructure. Such network
configurations are commonly referred to as Hybrid Cloud deployments, or simply Hybrid when
discussing cloud related architectures.
There are several options for connecting an existing private network facility to the AWS
cloud platform. The two most common are direct Ethernet connections and Virtual Private
Networks (VPNs). The direct connection approach involves deploying physical hardware to a
location where Amazon offers 1G or 10G Ethernet ports directly on their devices for linking
their network to yours. A VPN connection lets you provision a tunnel over your existing
Internet connectivity into a specific AWS Virtual Private Cloud (VPC).
Many, if not most, organizations have already invested in a firewall security appliance. These
firewalls typically protect sensitive corporate data while also preventing unauthorized external
access to network resources. The Juniper SRX series firewall appliances are a common choice
for this vital role in the network architecture. The SRX product shares the same JunOS
configuration language and commands as the Juniper router and switch products, making
administration tasks across the network as a whole much less complicated. One of the basic
features of most firewall appliances is the ability to terminate VPN tunnels. This is the feature
we will focus on for this article.
AWS VPN Configuration
The first step is to create the necessary configuration entities within the AWS VPC where the
VPN tunnel will terminate. The three necessary entities are the Customer Gateway, Virtual
Private Gateway and the VPN connection itself. The Customer Gateway is a representation of
the public IP address assigned to the SRX Internet interface. This IP address cannot be behind a
NAT. The Virtual Private Gateway is the logical router within the AWS VPC. The VPN connection
defines the tunnel between the Virtual Private Gateway and the Customer Gateway.
Customer Gateway Configuration
1. Login to the AWS Management Console with a user that possesses the proper permissions
to administer VPC configurations.
2. Navigate to the appropriate region for the VPN configuration.
3. Select the VPC item from the Services pull-down menu.
4. Select the Customer Gateways item from the left navigation panel.
5. Select the blue “Create Customer Gateway” button at the top of the main input panel.
6. In the dialog box that is presented on the screen, provide a descriptive name for the
Customer Gateway.
[Figure: network diagram. Internet, ISP router and the Juniper SRX WAN interface on the outside; inside the SRX the WAN, DMZ, Trust, VPN and other zones; from the VPN zone, VPN interfaces st0.100 (10.1.1.2/30) and st0.101 (10.1.2.2/30) carry the primary and backup VPN / BGP peerings to VPC1 and VPC2.]
7. Select the appropriate routing type. This will most likely be dynamic since most
organizations will want multiple VPN tunnels for redundancy.
8. Provide the external public IP address for the SRX Internet connected interface.
9. Provide the BGP ASN if dynamic routing was selected in step #7.
10. Click on the blue “Yes, Create” button.
Virtual Private Gateway Configuration
1. Select the Virtual Private Gateways item from the left navigation panel.
2. Click on the blue “Create Virtual Private Gateway” button at the top of the main input
panel.
3. Provide a descriptive name for the new Virtual Private Gateway.
4. Click on the blue “Yes, Create” button.
5. Ensure that the newly created Virtual Private Gateway is selected from the list and click
on the “Attach VPC” button at the top.
6. Select the appropriate VPC to attach the Virtual Private Gateway (router).
7. Click on the blue “Yes, Attach” button.
VPN Tunnel Configuration
1. Select the VPN Connections item from the left navigation panel.
2. Click on the blue “Create VPN Connection” button at the top of the main input panel.
3. Provide a descriptive name for the new VPN connection.
4. Select the Virtual Private Gateway defined above.
5. Select the existing Customer Gateway defined above.
6. Select the appropriate Routing Option.
7. Click on the blue “Yes, Create” button.
The VPN Connection state will show pending until the system has completed the configuration.
Once the State changes to available, it is ready for use. After selecting the newly created VPN
connection from the list, click on the Tunnel Details tab below to retrieve the AWS public IP
addresses of the two tunnel endpoints. These will be used in the SRX configuration below.
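The console steps above, expressed as EC2 API calls. This is an added example and not part of the lab sheet: provision_vpn uses the real boto3 EC2 client methods create_customer_gateway, create_vpn_gateway, attach_vpn_gateway, create_vpn_connection and describe_vpn_connections in the same order as the console steps; FakeEc2 is a constructed stand-in for boto3.client("ec2") so the sequence runs offline, and the name, public IP, ASN and VPC id passed in are placeholders.

```python
"""Create the AWS-side objects of this lab sheet through the EC2 API.

Added example, not part of the lab sheet. provision_vpn issues the real boto3
EC2 calls behind the console steps; FakeEc2 is a constructed stand-in for
boto3.client("ec2") so the sequence runs offline. All ids are placeholders.
"""
import itertools
import time

def provision_vpn(ec2, name, srx_public_ip, srx_bgp_asn, vpc_id, dynamic=True):
    """Customer Gateway -> Virtual Private Gateway -> VPN connection.

    The Customer Gateway records the SRX's public (non-NATed) address and ASN.
    Neither can be edited later; a change means recreating the Customer
    Gateway and the VPN connection, as the downloaded configlet warns.
    """
    def tags(resource_type):
        return [{"ResourceType": resource_type,
                 "Tags": [{"Key": "Name", "Value": name}]}]

    cgw = ec2.create_customer_gateway(
        Type="ipsec.1", PublicIp=srx_public_ip, BgpAsn=srx_bgp_asn,
        TagSpecifications=tags("customer-gateway"),
    )["CustomerGateway"]["CustomerGatewayId"]
    vgw = ec2.create_vpn_gateway(
        Type="ipsec.1", TagSpecifications=tags("vpn-gateway"),
    )["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw, VpcId=vpc_id)
    conn = ec2.create_vpn_connection(
        Type="ipsec.1", CustomerGatewayId=cgw, VpnGatewayId=vgw,
        Options={"StaticRoutesOnly": not dynamic},  # dynamic: BGP over both tunnels
        TagSpecifications=tags("vpn-connection"),
    )["VpnConnection"]
    # CustomerGatewayConfiguration is the XML the console renders into the
    # vendor-specific download. It contains the pre-shared keys: do not log it.
    return {"customer_gateway": cgw, "vpn_gateway": vgw,
            "vpn_connection": conn["VpnConnectionId"],
            "configuration": conn.get("CustomerGatewayConfiguration", "")}

def wait_until_available(ec2, vpn_connection_id, interval=15, max_polls=40):
    """Poll until the connection leaves 'pending'; True once it is 'available'."""
    for _ in range(max_polls):
        state = ec2.describe_vpn_connections(
            VpnConnectionIds=[vpn_connection_id])["VpnConnections"][0]["State"]
        if state == "available":
            return True
        if state in ("deleting", "deleted"):
            return False
        time.sleep(interval)
    return False

class FakeEc2:
    """Constructed in-memory stand-in for boto3.client("ec2"): records each
    call, answers in the real response shapes and reports 'pending' once
    before 'available', as the console does."""

    def __init__(self):
        self.calls = []
        self._seq = itertools.count(1)
        self._polls = 0

    def _new_id(self, prefix):
        return "%s-%08x" % (prefix, next(self._seq))

    def create_customer_gateway(self, **kw):
        self.calls.append(("create_customer_gateway", kw))
        return {"CustomerGateway": {"CustomerGatewayId": self._new_id("cgw"),
                                    "IpAddress": kw["PublicIp"],
                                    "BgpAsn": str(kw["BgpAsn"])}}

    def create_vpn_gateway(self, **kw):
        self.calls.append(("create_vpn_gateway", kw))
        return {"VpnGateway": {"VpnGatewayId": self._new_id("vgw")}}

    def attach_vpn_gateway(self, **kw):
        self.calls.append(("attach_vpn_gateway", kw))
        return {"VpcAttachment": {"State": "attaching", "VpcId": kw["VpcId"]}}

    def create_vpn_connection(self, **kw):
        self.calls.append(("create_vpn_connection", kw))
        return {"VpnConnection": {
            "VpnConnectionId": self._new_id("vpn"), "State": "pending",
            "CustomerGatewayConfiguration": "<vpn_connection/> (placeholder)"}}

    def describe_vpn_connections(self, **kw):
        self._polls += 1
        return {"VpnConnections": [{
            "VpnConnectionId": kw["VpnConnectionIds"][0],
            "State": "pending" if self._polls == 1 else "available"}]}

if __name__ == "__main__":
    ec2 = FakeEc2()  # replace with boto3.client("ec2", region_name=...) for real use
    result = provision_vpn(ec2, "lab-vpn", "203.0.113.10", 65000, "vpc-PLACEHOLDER")
    print(result["vpn_connection"], "available:",
          wait_until_available(ec2, result["vpn_connection"], interval=0))
```

Run against a real client, the configuration entry of the returned dictionary holds the XML description of the connection (tunnel endpoints and pre-shared keys) from which the vendor-specific download is rendered, so keep it out of logs and tickets.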
Juniper SRX Configuration
The next step is to complete the configuration on the SRX that establishes the VPN tunnel
into the AWS VPC. AWS generates a configuration file for your device if you select Juniper
J-Series Routers with JunOS 9.5+ as the platform when downloading the configuration. Below is
the sample configuration AWS produced for our example VPC.
# Amazon Web Services
# Virtual Private Cloud
#
# AWS utilizes unique identifiers to manipulate the configuration of
# a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
# and is associated with two other identifiers, namely the
# Customer Gateway Identifier and the Virtual Private Gateway Identifier.
#
# Your VPN Connection ID : vpn-4f6b755d
# Your Virtual Private Gateway ID : vgw-815c829f
# Your Customer Gateway ID : cgw-e437e9fa
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
#
set security ike proposal ike-prop-vpn-4f6b755d-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-4f6b755d-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-4f6b755d-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-4f6b755d-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-4f6b755d-1 dh-group group2
# An IKE policy is established to associate a Pre Shared Key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-4f6b755d-1 mode main
set security ike policy ike-pol-vpn-4f6b755d-1 proposals ike-prop-vpn-4f6b755d-1
set security ike policy ike-pol-vpn-4f6b755d-1 pre-shared-key ascii-text
ZnxevWnXVaVxY9fZ7ogYcfo67j1FCNYv
# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 1.2.3.4 is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-4f6b755d-1 ike-policy ike-pol-vpn-4f6b755d-1
set security ike gateway gw-vpn-4f6b755d-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-4f6b755d-1 address 52.24.14.229
# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show messages kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all
# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 lifetime-seconds 3600
# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-4f6b755d-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-4f6b755d-1 proposals ipsec-prop-vpn-4f6b755d-1
# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.1).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.10).
#
set security ipsec vpn vpn-4f6b755d-1 bind-interface st0.1
set security ipsec vpn vpn-4f6b755d-1 ike gateway gw-vpn-4f6b755d-1
set security ipsec vpn vpn-4f6b755d-1 ike ipsec-policy ipsec-pol-vpn-4f6b755d-1
set security ipsec vpn vpn-4f6b755d-1 df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-4f6b755d-1 dead-peer-detection
# #3: Tunnel Interface Configuration
#
# The tunnel interface is configured with the internal IP address.
#
set interfaces st0.1 family inet address 169.254.12.166/30
set interfaces st0.1 family inet mtu 1436
set security zones security-zone trust interfaces st0.1
# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike
# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1387
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
#
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.12.165 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.12.165 peer-as 7224
set protocols bgp group ebgp neighbor 169.254.12.165 hold-time 30
set protocols bgp group ebgp neighbor 169.254.12.165 local-as 65000
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
#
set security ike proposal ike-prop-vpn-4f6b755d-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-4f6b755d-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-4f6b755d-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-4f6b755d-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-4f6b755d-2 dh-group group2
# An IKE policy is established to associate a Pre Shared Key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-4f6b755d-2 mode main
set security ike policy ike-pol-vpn-4f6b755d-2 proposals ike-prop-vpn-4f6b755d-2
set security ike policy ike-pol-vpn-4f6b755d-2 pre-shared-key ascii-text
t2CBKxE71diOCcORGe.KGFYtYDAyBSQM
# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 1.2.3.4 is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-4f6b755d-2 ike-policy ike-pol-vpn-4f6b755d-2
set security ike gateway gw-vpn-4f6b755d-2 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-4f6b755d-2 address 52.37.31.163
# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show messages kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all
# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 protocol esp
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 lifetime-seconds 3600
# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-4f6b755d-2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-4f6b755d-2 proposals ipsec-prop-vpn-4f6b755d-2
# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.2).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.10).
#
set security ipsec vpn vpn-4f6b755d-2 bind-interface st0.2
set security ipsec vpn vpn-4f6b755d-2 ike gateway gw-vpn-4f6b755d-2
set security ipsec vpn vpn-4f6b755d-2 ike ipsec-policy ipsec-pol-vpn-4f6b755d-2
set security ipsec vpn vpn-4f6b755d-2 df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-4f6b755d-2 dead-peer-detection
# #3: Tunnel Interface Configuration
#
# The tunnel interface is configured with the internal IP address.
#
set interfaces st0.2 family inet address 169.254.12.194/30
set interfaces st0.2 family inet mtu 1436
set security zones security-zone trust interfaces st0.2
# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike
# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1387
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
#
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.12.193 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.12.193 peer-as 7224
set protocols bgp group ebgp neighbor 169.254.12.193 hold-time 30
set protocols bgp group ebgp neighbor 169.254.12.193 local-as 65000
#
# Additional Notes and Questions
# - Amazon Virtual Private Cloud Getting Started Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
# - Amazon Virtual Private Cloud Network Administrator Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
# - XSL Version: 2009-07-15-1119716
Make the necessary changes to your configuration in Notepad or a text editor. You may wish to
change your tunnel interface unit numbers (if st0.1 and st0.2 are already used).
Then perform the following steps to load and commit the configuration above onto your
device. The AWS file is in set format, so it is loaded with load set rather than load merge:
ssh to the SRX device
start shell
vi aws.cfg
<paste text configlet>
:wq!
exit
edit
load set aws.cfg
commit
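A way to do the editing and checking above in a script rather than by hand, as an added example (not from the lab sheet or from AWS): it assumes the download is in set format, joins lines that a text export wrapped (the bare exact and with on their own lines above are what that looks like), renumbers the st0 units, and checks that each tunnel has a gateway address, dead-peer detection, a tunnel address, a BGP neighbor matching the far end of its /30, and a security zone. The sample configlet inside is constructed, with TEST in place of the real vpn id and 192.0.2.x in place of the VGW endpoints.

```python
"""Prepare an AWS-generated Junos VPN configlet for `load set`.

Added example, not from the lab sheet or from AWS. It assumes the download is
in `set` form. It re-joins statements that a text export wrapped onto two
lines (a bare `exact` or `with` on its own line makes the load fail),
renumbers the st0 units when st0.1/st0.2 are already taken, and checks that
each tunnel has the pieces this lab sheet relies on, including a BGP neighbor
equal to the far end of the /30 AWS assigned to the tunnel interface.
"""
import ipaddress
import re

# Constructed sample in the layout of the AWS download, trimmed to the lines
# the checks look at: "TEST" stands in for the real vpn-xxxx id, 192.0.2.x for
# the VGW endpoints. Tunnel #2 deliberately lacks DPD and its BGP neighbor.
SAMPLE_CONFIGLET = """\
# IPSec Tunnel #1
set security ike gateway gw-vpn-TEST-1 address 192.0.2.10
set security ipsec vpn vpn-TEST-1 bind-interface st0.1
set security ipsec vpn vpn-TEST-1 ike gateway gw-vpn-TEST-1
set security ike gateway gw-vpn-TEST-1 dead-peer-detection
set interfaces st0.1 family inet address 169.254.12.166/30
set security zones security-zone trust interfaces st0.1
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0
exact
set protocols bgp group ebgp neighbor 169.254.12.165 peer-as 7224
# IPSec Tunnel #2
set security ike gateway gw-vpn-TEST-2 address 192.0.2.11
set security ipsec vpn vpn-TEST-2 bind-interface st0.2
set security ipsec vpn vpn-TEST-2 ike gateway gw-vpn-TEST-2
set interfaces st0.2 family inet address 169.254.12.194/30
set security zones security-zone trust interfaces st0.2
"""

TUNNEL_UNIT = re.compile(r"\bst0\.(\d+)\b")

def join_wrapped_lines(text):
    """Glue any line that is neither a `set` statement nor a comment onto the
    statement before it; that is what a wrapped line looks like after export."""
    lines = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(("set ", "#")) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines

def renumber_tunnel_units(statements, unit_map):
    """Rewrite st0.<old> to st0.<new> in every statement, so bind-interface,
    interfaces and security-zone lines stay consistent with each other."""
    swap = lambda m: "st0.%d" % unit_map.get(int(m.group(1)), int(m.group(1)))
    return [TUNNEL_UNIT.sub(swap, s) for s in statements]

def bgp_peer_for(tunnel_cidr):
    """The VGW side of the tunnel /30 is the other usable host address."""
    iface = ipaddress.ip_interface(tunnel_cidr)
    return str([h for h in iface.network.hosts() if h != iface.ip][0])

def validate_tunnels(statements):
    """{vpn name: [missing pieces]}; an empty list means the tunnel is complete."""
    text = "\n".join(statements)
    has = lambda pat: re.search(pat, text, re.M)
    report = {}
    for m in re.finditer(r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$", text, re.M):
        vpn, unit, missing = m.group(1), re.escape(m.group(2)), []
        gw = has(r"^set security ipsec vpn %s ike gateway (\S+)$" % re.escape(vpn))
        if not gw:
            missing.append("ike gateway binding")
        else:
            g = re.escape(gw.group(1))
            if not has(r"^set security ike gateway %s address \S+$" % g):
                missing.append("ike gateway address")
            if not has(r"^set security ike gateway %s dead-peer-detection" % g):
                missing.append("dead-peer-detection")
        addr = has(r"^set interfaces %s family inet address (\S+)$" % unit)
        if not addr:
            missing.append("tunnel interface address")
        elif not has(r"^set protocols bgp group \S+ neighbor %s " % re.escape(bgp_peer_for(addr.group(1)))):
            missing.append("bgp neighbor %s" % bgp_peer_for(addr.group(1)))
        if not has(r"^set security zones security-zone \S+ interfaces %s$" % unit):
            missing.append("security zone for %s" % m.group(2))
        report[vpn] = missing
    return report

def process_configlet(text, unit_map=None):
    """Join wrapped lines, drop comments, renumber if asked, validate."""
    statements = [l for l in join_wrapped_lines(text) if l.startswith("set ")]
    if unit_map:
        statements = renumber_tunnel_units(statements, unit_map)
    return statements, validate_tunnels(statements)

if __name__ == "__main__":
    stmts, report = process_configlet(SAMPLE_CONFIGLET, unit_map={1: 100, 2: 101})
    print("\n".join(stmts))
    for name, missing in report.items():
        print(name, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

The renumbering is applied to every occurrence of the unit, not only to the bind-interface line, because the interface address and the zone membership refer to the same unit and a half-renumbered tunnel commits cleanly but never comes up.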
The security policies for the trust and VPN zones must be defined, as they are not included in
the configuration downloaded from AWS. Note that the downloaded configuration places st0.1 and
st0.2 in the trust zone; to use a separate vpn zone as in the diagram and the policies below, put
the tunnel interfaces in that zone instead and allow BGP inbound on it (host-inbound-traffic
protocols bgp).
Security Zone Policy Configuration
set security zones security-zone vpn address-book address net-cfgr_172-31-0-0--16 172.31.0.0/16
set security zones security-zone trust address-book address net-cfgr_192-168-254-0--24 192.168.254.0/24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-254-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_172-31-0-0--16
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_172-31-0-0--16
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-254-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit
Based upon the example subnets used in the security policy statements above, once the VPN
tunnel is established, communication between the 192.168.254.0/24 subnet in the private
datacenter should be allowed to the AWS VPC subnet of 172.31.0.0/16.
Show commands:
• show security ike security-associations
• show security ipsec security-associations
• show bgp summary
• ping <BGP Peer>
• show route receive-protocol bgp <neighbor>
• show route advertise-protocol bgp <neighbor>
• show route <vpc-network>/<mask>
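An added example (not from the lab sheet) that turns two of those show commands into a pass/fail check: the outputs embedded in it are constructed samples in the layout Junos prints for show security ipsec security-associations and show bgp summary, with the second tunnel deliberately down; the endpoint and peer addresses are the ones from the configuration above.

```python
"""Check the outputs of the verification commands listed above.

Added example, not part of the lab sheet. The two outputs are constructed
samples in the layout Junos prints for `show security ipsec
security-associations` and `show bgp summary`; the expected VGW endpoints and
BGP peers are the lab sheet's values. The second tunnel is shown down so the
check has something to report.
"""
import re

EXPECTED_GATEWAYS = {"52.24.14.229", "52.37.31.163"}   # VGW tunnel endpoints
EXPECTED_PEERS = {"169.254.12.165", "169.254.12.193"}   # VGW BGP neighbors

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 c4c9d3b5 2865/ unlim - root 500 52.24.14.229
  >131073 ESP:aes-cbc-128/sha1 9e0e5b7d 2865/ unlim - root 500 52.24.14.229
"""

BGP_SUMMARY_OUTPUT = """\
Groups: 1 Peers: 2 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.12.165         7224        123        125       0       0     1:02:03 1/1/1/0              0/0/0/0
169.254.12.193         7224          0          0       0       1       45:12 Active
"""

SA_LINE = re.compile(r"\s*([<>])\d+\s+ESP:\S+\s+[0-9a-f]+\s+.*\s(\d+\.\d+\.\d+\.\d+)\s*$")
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")
COUNTERS = re.compile(r"\d+/\d+/\d+/\d+$")

def active_ipsec_gateways(output):
    """Gateways that have both an inbound (<) and an outbound (>) SA installed."""
    directions = {}
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if m:
            directions.setdefault(m.group(2), set()).add(m.group(1))
    return {gw for gw, dirs in directions.items() if dirs == {"<", ">"}}

def bgp_peer_states(output):
    """{peer: established?}. An Established peer shows Active/Received/
    Accepted/Damped counters in the State column; a word such as Active,
    Connect or Idle means the session is not up."""
    states = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and IPV4.match(fields[0]):
            states[fields[0]] = any(COUNTERS.match(f) for f in fields[6:])
    return states

def verify(ipsec_output, bgp_output):
    """List of problems; empty means both tunnels and both peers are up."""
    problems = []
    for gw in sorted(EXPECTED_GATEWAYS - active_ipsec_gateways(ipsec_output)):
        problems.append("no IPsec SA pair with %s" % gw)
    states = bgp_peer_states(bgp_output)
    for peer in sorted(EXPECTED_PEERS):
        if not states.get(peer, False):
            problems.append("BGP peer %s not Established" % peer)
    return problems

if __name__ == "__main__":
    for line in verify(IPSEC_SA_OUTPUT, BGP_SUMMARY_OUTPUT) or ["all tunnels and peers up"]:
        print(line)
```

Fed with the real outputs of show security ipsec security-associations and show bgp summary (from a saved session or a PyEZ RPC), the same functions give a quick health check; a peer stuck in Active or Connect usually points at the IKE phase or at the zone's host-inbound BGP permission rather than at the security policy.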
To fully test the end to end connectivity, simply launch an instance within your AWS VPC and
execute a ping from that instance to a system within your private datacenter network.

 
Cohesive Networks Support Docs: VNS3 Configuration for AWS EC2 Classic
Cohesive Networks Support Docs: VNS3 Configuration for AWS EC2 ClassicCohesive Networks Support Docs: VNS3 Configuration for AWS EC2 Classic
Cohesive Networks Support Docs: VNS3 Configuration for AWS EC2 Classic
 
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASA
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASACohesive Networks Support Docs: VNS3 Setup for Cisco ASA
Cohesive Networks Support Docs: VNS3 Setup for Cisco ASA
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWS(NET405) Build a Remote Access VPN Solution on AWS
(NET405) Build a Remote Access VPN Solution on AWS
 
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_201304090314557256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
 
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
(SDD422) Amazon VPC Deep Dive | AWS re:Invent 2014
 
AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
AWS Direct Connect & VPN's - Pop-up Loft Tel AvivAWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
AWS Direct Connect & VPN's - Pop-up Loft Tel Aviv
 
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
 
(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNs(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNs
 
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps EngineersUnderstanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
 
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud Networking
 
Ip tunneling and vpns
Ip tunneling and vpnsIp tunneling and vpns
Ip tunneling and vpns
 
Creating Your Virtual Data Center
Creating Your Virtual Data CenterCreating Your Virtual Data Center
Creating Your Virtual Data Center
 
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
GPSTEC322-GPS Creating Your Virtual Data Center VPC Fundamentals Connectivity...
 

Recently uploaded

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 

Recently uploaded (20)

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 

AWS VPN with Juniper SRX- Lab Sheet

AWS VPN Configuration
The first step is to create the necessary configuration entities within the AWS VPC where the VPN tunnel will terminate. The three necessary entities are the Customer Gateway, the Virtual Private Gateway and the VPN connection itself. The Customer Gateway is a representation of the public IP address assigned to the SRX Internet interface. This IP address cannot be behind a NAT. The Virtual Private Gateway is the logical router within the AWS VPC. The VPN connection defines the tunnel between the Virtual Private Gateway and the Customer Gateway.
Customer Gateway Configuration
1. Login to the AWS Management Console with a user that possesses the proper permissions to administer VPC configurations.
2. Navigate to the appropriate region for the VPN configuration.
3. Select the VPC item from the Services pull-down menu.
4. Select the Customer Gateways item from the left navigation panel.
5. Select the blue “Create Customer Gateway” button at the top of the main input panel.
6. In the dialog box that is presented on the screen, provide a descriptive name for the Customer Gateway.
[Diagram: Internet, ISP router and the Juniper SRX on one side; VPC1 and VPC2 on the other, reached over a Primary VPN / BGP Peer and a Backup VPN / BGP Peer. SRX zones shown: VPN Zone, Trust Zone, DMZ Zone, WAN Zone, Etc... Zone; BGP AS; tunnel interfaces st0.101 10.1.2.2/30 and st0.100 10.1.1.2/30; L3 Interface, VPN Interface and WAN Interface labels.]
7. Select the appropriate routing type. This will most likely be dynamic, since most organizations will want multiple VPN tunnels for redundancy.
8. Provide the external public IP address for the SRX Internet-connected interface.
9. Provide the BGP ASN if dynamic routing was selected in step #7.
10. Click on the blue “Yes, Create” button.
Virtual Private Gateway Configuration
1. Select the Virtual Private Gateways item from the left navigation panel.
2. Click on the blue “Create Virtual Private Gateway” button at the top of the main input panel.
3. Provide a descriptive name for the new Virtual Private Gateway.
4. Click on the blue “Yes, Create” button.
5. Ensure that the newly created Virtual Private Gateway is selected from the list and click on the “Attach VPC” button at the top.
6. Select the appropriate VPC to attach the Virtual Private Gateway (router) to.
7. Click on the blue “Yes, Attach” button.
VPN Tunnel Configuration
1. Select the VPN Connections item from the left navigation panel.
2. Click on the blue “Create VPN Connection” button at the top of the main input panel.
3. Provide a descriptive name for the new VPN connection.
4. Select the Virtual Private Gateway defined above.
5. Select the existing Customer Gateway defined above.
6. Select the appropriate Routing Option.
7. Click on the blue “Yes, Create” button.
The VPN Connection state will show pending until the system has completed the configuration. Once the State changes to available, it is ready for use. After selecting the newly created VPN connection from the list, click on the Tunnel Details tab below to retrieve the AWS public IP addresses for the VPC. These will be used in the SRX configuration below.
Juniper SRX Configuration
The next step in the process is to complete the necessary configuration on the SRX to establish the VPN tunnel into the AWS VPC. Amazon will generate a downloadable configuration file for your device if you select Juniper J-Series Routers with JunOS 9.5+ as the platform. Below is the sample configuration for our example VPC from that download.
# Amazon Web Services
# Virtual Private Cloud
#
# AWS utilizes unique identifiers to manipulate the configuration of
# a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
# and is associated with two other identifiers, namely the
# Customer Gateway Identifier and the Virtual Private Gateway Identifier.
#
# Your VPN Connection ID : vpn-4f6b755d
# Your Virtual Private Gateway ID : vgw-815c829f
# Your Customer Gateway ID : cgw-e437e9fa
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
#
set security ike proposal ike-prop-vpn-4f6b755d-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-4f6b755d-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-4f6b755d-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-4f6b755d-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-4f6b755d-1 dh-group group2
# An IKE policy is established to associate a Pre Shared Key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-4f6b755d-1 mode main
set security ike policy ike-pol-vpn-4f6b755d-1 proposals ike-prop-vpn-4f6b755d-1
set security ike policy ike-pol-vpn-4f6b755d-1 pre-shared-key ascii-text ZnxevWnXVaVxY9fZ7ogYcfo67j1FCNYv
# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 1.2.3.4 is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-4f6b755d-1 ike-policy ike-pol-vpn-4f6b755d-1
set security ike gateway gw-vpn-4f6b755d-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-4f6b755d-1 address 52.24.14.229
# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show messages kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all
# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-4f6b755d-1 lifetime-seconds 3600
# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-4f6b755d-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-4f6b755d-1 proposals ipsec-prop-vpn-4f6b755d-1
# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.1).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.10).
#
set security ipsec vpn vpn-4f6b755d-1 bind-interface st0.1
set security ipsec vpn vpn-4f6b755d-1 ike gateway gw-vpn-4f6b755d-1
set security ipsec vpn vpn-4f6b755d-1 ike ipsec-policy ipsec-pol-vpn-4f6b755d-1
set security ipsec vpn vpn-4f6b755d-1 df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-4f6b755d-1 dead-peer-detection
# #3: Tunnel Interface Configuration
#
# The tunnel interface is configured with the internal IP address.
#
set interfaces st0.1 family inet address 169.254.12.166/30
set interfaces st0.1 family inet mtu 1436
set security zones security-zone trust interfaces st0.1
# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike
# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1387
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
#
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.12.165 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.12.165 peer-as 7224
set protocols bgp group ebgp neighbor 169.254.12.165 hold-time 30
set protocols bgp group ebgp neighbor 169.254.12.165 local-as 65000
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
#
set security ike proposal ike-prop-vpn-4f6b755d-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-4f6b755d-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-4f6b755d-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-4f6b755d-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-4f6b755d-2 dh-group group2
# An IKE policy is established to associate a Pre Shared Key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-4f6b755d-2 mode main
set security ike policy ike-pol-vpn-4f6b755d-2 proposals ike-prop-vpn-4f6b755d-2
set security ike policy ike-pol-vpn-4f6b755d-2 pre-shared-key ascii-text t2CBKxE71diOCcORGe.KGFYtYDAyBSQM
# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address 1.2.3.4 is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-4f6b755d-2 ike-policy ike-pol-vpn-4f6b755d-2
set security ike gateway gw-vpn-4f6b755d-2 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-4f6b755d-2 address 52.37.31.163
# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show messages kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all
# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 protocol esp
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-4f6b755d-2 lifetime-seconds 3600
# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-4f6b755d-2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-4f6b755d-2 proposals ipsec-prop-vpn-4f6b755d-2
# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.2).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.10).
#
set security ipsec vpn vpn-4f6b755d-2 bind-interface st0.2
set security ipsec vpn vpn-4f6b755d-2 ike gateway gw-vpn-4f6b755d-2
set security ipsec vpn vpn-4f6b755d-2 ike ipsec-policy ipsec-pol-vpn-4f6b755d-2
set security ipsec vpn vpn-4f6b755d-2 df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-4f6b755d-2 dead-peer-detection
# #3: Tunnel Interface Configuration
#
# The tunnel interface is configured with the internal IP address.
#
set interfaces st0.2 family inet address 169.254.12.194/30
set interfaces st0.2 family inet mtu 1436
set security zones security-zone trust interfaces st0.2
# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike
# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1387
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
#
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.12.193 export EXPORT-DEFAULT
  • 12. set protocols bgp group ebgp neighbor 169.254.12.193 peer-as 7224 set protocols bgp group ebgp neighbor 169.254.12.193 hold-time 30 set protocols bgp group ebgp neighbor 169.254.12.193 local-as 65000 # # Additional Notes and Questions # - Amazon Virtual Private Cloud Getting Started Guide: # http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide # - Amazon Virtual Private Cloud Network Administrator Guide: # http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide # - XSL Version: 2009-07-15-1119716 Make the necessary changes to your configuration in Notepad or Text Editor. You may wish to change your tunnel interface unit numbers (if st0.1 and st0.2 are already used) Then perform the following steps to load and commit the configuration above onto your device. , Ssh to SRX Device Start shell Vi aws.cfg <paste text configlet> :wq! Exit Edit Load merge aws.cfg Commit The security policies for the trusted and VPN zones must be defined, as they are not included in the Configuration downloaded from AWS. Security Zone Policy Configuration set security zones security-zone vpn address-book address net-cfgr_172-31-0- 0--16 172.31.0.0/16 set security zones security-zone trust address-book address net-cfgr_191-168- 254-0--24 192.168.254.0/24 set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-254-0--24 set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_172-31-0-0--16 set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
  • 13. set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_172-31-0-0--16 set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-254-0--24 set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit Based upon the example subnets used in the security policy statements above, once the VPN tunnel is established, communication between the 192.168.254.0/24 subnet in the private datacenter should be allowed to the AWS VPC subnet of 172.31.0.0/16. Show commands: • Show security ike security-associations • Show security ipsec security-associations • Show bgp summary • Ping <BGP Peer> • Show route receive-protocol bgp <neighbor> • Show route advertise-protocol bgp <neighbor> • Show route <vpc-network>/<mask> To fully test the end to end connectivity, simply launch an instance within your AWS VPC and execute a ping from that instance to a systemwithin your private datacenter network.
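Two mistakes are easy to make when hand-editing the policy section above: an address-book name that does not match the name a policy references, and a policy zone that no interface is actually assigned to. The following pre-commit lint, an added example and not part of the original article or of the AWS configlet, reads a set-format excerpt and reports both conditions; the sample configuration and the ge-0/0/1.0 interface name are constructed for the demonstration.

```python
import re

# Constructed excerpt in the shape of the set-format configlet, reproducing two
# defects: the address-book entry is named net-cfgr_191-... while the policy
# references net-cfgr_192-..., and the policy uses zone "vpn" although st0.2
# is placed in zone "trust". ge-0/0/1.0 is a placeholder LAN interface.
SAMPLE_CONFIG = """
set security ipsec vpn vpn-4f6b755d-2 bind-interface st0.2
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces st0.2
set security zones security-zone vpn address-book address net-cfgr_172-31-0-0--16 172.31.0.0/16
set security zones security-zone trust address-book address net-cfgr_191-168-254-0--24 192.168.254.0/24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-254-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_172-31-0-0--16
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
"""

RE_ADDR = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) \S+$")
RE_IFACE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
RE_MATCH = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                      r"match (source|destination)-address (\S+)$")


def lint_policies(config):
    """Return a list of human-readable findings; an empty list means both checks passed."""
    addrs = {}        # zone -> set of address names defined in that zone's address-book
    zone_ifaces = {}  # zone -> set of interfaces assigned to the zone
    policies = []     # (from-zone, to-zone, policy name, "source"|"destination", address name)
    for line in (raw.strip() for raw in config.splitlines()):
        if m := RE_ADDR.match(line):
            addrs.setdefault(m[1], set()).add(m[2])
        elif m := RE_IFACE.match(line):
            zone_ifaces.setdefault(m[1], set()).add(m[2])
        elif m := RE_MATCH.match(line):
            policies.append(m.groups())

    findings = []
    for frm, to, name, kind, addr in policies:
        # A source-address must exist in the from-zone's book, a destination-address in the to-zone's.
        zone = frm if kind == "source" else to
        if addr not in addrs.get(zone, set()):
            findings.append(f"policy {name}: {kind}-address {addr} is not defined "
                            f"in the address-book of zone {zone}")
    for zone in sorted({z for frm, to, *_ in policies for z in (frm, to)}):
        if not zone_ifaces.get(zone):
            findings.append(f"zone {zone} is referenced by a policy but has no interfaces "
                            f"assigned, so no traffic can match that policy")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the lint reports the misspelled address name and the empty vpn zone; renaming the address-book entry and moving st0.2 into the vpn zone clears both findings.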
