Juniper Networks SRX Series Firewalls
This tutorial provides information and examples of how to configure Juniper Networks SRX Series Firewalls with Magic WAN.
The configuration settings in this document are based on JUNOS 23.4R2.13.
Confirm that you have two Cloudflare anycast IPs allocated to your account. You will establish IPsec tunnels to the two anycast IPs irrespective of the location of your Juniper SRX devices (from now on referred to as endpoint) — traffic will be naturally attracted to the closest Cloudflare colocation facility via BGP anycast.
Cloudflare recommends that customers configure two IPsec tunnels (one to each of the two anycast IPs allocated to you Cloudflare account) per Internet service provider per endpoint. This provides tunnel redundancy.
Equal-cost multi-path routing (ECMP) ensures traffic is load-balanced across the tunnels, and you can control traffic steering across the tunnels through route prioritization.
Cloudflare supports route-based site-to-site IPsec tunnels, which require the creation of virtual tunnel interfaces (VTIs). We recommend you select one subnet per Magic IPsec tunnel with either a /30
or /31
netmask.
Using a /31
netmask is a more efficient use of IP addresses as it doubles the number of available subnets compared to a /30
netmask. This is possible because with a /31
netmask there is no need to reserve IP addresses for the subnet and broadcast addresses, as there would be if you opt to use a /30
netmask. Additional details can be found in RFC 3021 - Using 31-Bit Prefixes on IPv4 Point-to-Point Links ↗.
This section of the document will cover the configuration of:
- Magic IPsec tunnels
- Magic static routes
This documentation assumes there are two locations connected via Magic WAN:
Site | Local/Remote | Security Zone | Subnet |
---|---|---|---|
A | Local | trust | 10.1.20.0/24 |
B | Remote | Cloudflare | 10.1.100.0/24 |
- Start by creating the IPsec tunnels in the Cloudflare dashboard with the following values:
- Tunnel name: Up to 15 characters (no spaces).
- Description (Optional).
- Interface address: This is the Virtual Tunnel Interface (VTI =
st0.x
) RFC 1918 address — the IP address specified in this dialog box is the address on the Cloudflare side of the tunnel. - Customer endpoint: Specify the Internet IP address on the untrust side of the SRX firewall.
- Cloudflare endpoint: One of the two Cloudflare anycast IP addresses.
- Pre-shared key: Choose Add pre-shared key later.
- Select Add IPsec Tunnel and fill in the values for the second tunnel to the same Juniper SRX:
- Ensure you use a unique RFC 1918 IP address for the Interface Address (
/31
or/30
). - Once again, specify the Internet IP address on the untrust side of the SRX firewall for the Customer Endpoint.
- The Cloudflare Endpoint for the second tunnel will be the second Cloudflare anycast IP provisioned for your account.
- Ensure you use a unique RFC 1918 IP address for the Interface Address (
- Select Add Tunnels. We also recommend selecting Test Tunnels to ensure that the settings do not conflict with any other tunnels defined in your account and that you specified the correct anycast IP addresses.
- You will see a warning indicator next to the tunnel names after creating them because we chose to add a pre-shared key later. This is expected behavior and indicates that a pre-shared key has not been generated yet for the associated tunnel.
- Select Edit next to one of the tunnels to generate a pre-shared key.
- Select Generate a new pre-shared key > Update and generate a pre-shared key. Make a note of the pre-shared key and store it somewhere safe.
- Repeat the previous step for the second tunnel.
- Expand the first tunnel's properties and note the Tunnel ID and FQDN ID values.
- Repeat the previous steps for the second tunnel.
Refer to the Magic WAN Topology section above for more details on the IP subnet scheme.
Magic static routes effectively tell Magic WAN which tunnels to route traffic destined for a given Magic WAN site.
Since two tunnels are configured to each endpoint, it is necessary to configure two static routes.
Cloudflare leverages equal-cost multi-path routing to control traffic steering across the tunnels. The default priority for each route is 100 — traffic will be load-balanced across the two tunnels equally via ECMP. You can modify the priorities as needed, however best practices dictate leaving the default values in place.
- Create a static route with the following values. Make sure you select the first tunnel in Tunnel/Next hop:
- Description: The description for the static route assigned to your first tunnel.
- Prefix: Enter the destination subnet for which this route is intended. For this example, it is
10.1.20.0/24
as stated above. - Tunnel/Next hop: Choose your first tunnel from the drop-down menu.
- Priority: The default value is
100
. - Region code: Leave set to All Regions unless otherwise specified.
- Select Add Static Route to add a second route for the same subnet. Make sure the second tunnel is selected in Tunnel/Next hop.
- Select Test Routes to ensure the settings are accepted, then select Add Routes.
- Confirm the routes were added correctly in Magic WAN > Configuration > Static Routes.
There may be some differences in the syntax of the commands in the version on your SRX devices. However, the principles are the same. Refer to the Juniper product documentation for more information.
The interface naming convention for VTI interfaces (also known as Secure Tunnel Interfaces) in Junos is st0.x
.
Secure Tunnel Interface in a Virtual Router - Juniper IPsec VPN User Guide ↗
The following elements will be configured on the Juniper SRX firewall(s):
- Ensure the LAN interface is in the
trust
zone - Add virtual tunnel Interfaces (
st0.0
andst0.1
) - Assign tunnel interfaces to the
cloudflare
security zone - Allow required protocols to both the tunnel and untrust security zones
- IKE configuration
- IPsec configuration
- Policy-based routing (filter-based forwarding)
- Security policies
- Add two tunnel interfaces:
Define a security zone and add both tunnel interfaces to it. At a minimum, the interfaces should allow ping
, but this zone only contains point-to-point connections between the firewall and the customer network namespace. Setting it to all
for system-services and protocols should be fine.
Add ping
and ike
to the security zone containing the external interface used to establish the IPsec tunnels to Cloudflare.
Add an IKE proposal that specifies the Phase 1 Configuration Parameters:
Define two IKE policies - one for each of the two Magic IPsec tunnels:
*Tunnel 1 (SRX300_IPSEC_01)
Tunnel 2 (SRX300_IPSEC_02)
Define two IKE gateways — one for each of the two Magic IPsec tunnels. In the examples below, note the use of the FQDN ID value obtained from the Cloudflare dashboard in the local-identity
hostname setting.
Tunnel 1 (SRX300_IPSEC_01)
Tunnel 2 (SRX300_IPSEC_02)
Add an IPsec proposal that specifies the Phase 2 Configuration Parameters:
Add an IPsec proposal that specifies the Phase 2 Configuration Parameters:
Define one IPsec policy — reference the IPsec proposal created above.
Define two IPsec policies - one for each of the two Magic IPsec tunnels. It is crucial to ensure that:
- Anti-replay protection is disabled.
- Use the
no-anti-replay
↗ option.
- Use the
- The SRX is the tunnel initiator:
- Cloudflare will not instantiate the tunnel
- If the SRX does not initiate the tunnel, then the tunnel will not be established until there is an attempt to connect to resources through the tunnel
- Use
establish-tunnels immediately
↗ to ensure the SRX is the tunnel initiator.
VPN Tunnel 1 (cf_magic_wan_ipsec_tun_01)
VPN Tunnel 2 (cf_magic_wan_ipsec_tun_02)
The SRX platform provides policy-based routing functionality, which Juniper refers to as filter-based forwarding ↗.
Filter-based forwarding is implemented by configuring the following:
- Routing Instance: Specify the routing table(s) to which a packet is forwarded and the destination to which the packet is forwarded at the [edit routing-instances] hierarchy level.
- Firewall Filter: Use a stateless firewall filter to specify the source and destination addresses in conjunction with a routing instance that forwards traffic across the Magic IPsec tunnels, then bind the firewall filter to the ingress interface (trust zone).
- RIB Group: Share interface routes with the forwarding routing instances used in filter-based forwarding (FBF).
This configuration only factors in one local site (10.1.20.0/24
). In this example, we assume devices in the trust zone must route traffic to a remote subnet at another Magic WAN-protected site (10.1.100.0/24
).
Define a static route on the SRX to route traffic to 10.1.100.0/24
with redundant routes referencing each of the two tunnels.
Routing Instance:
Routing Instances ↗ effectively add additional routing tables to the SRX platform.
As mentioned earlier, any traffic destined for other Magic WAN protected sites must be routed over the Magic IPsec tunnels.
The example includes two static routes - one to each of the two VTIs on the Cloudflare side of the Magic IPsec Tunnels (10.252.2.20
and 10.252.2.22
).
While it is possible to be more prescriptive in terms of the destination subnets, we simply use 0.0.0.0/0
as the firewall filter ensures only traffic destined for 10.1.100.0/24
will be forwarded to the routing instance. Any other traffic not destined for 10.1.100.0/24
will continue to the primary routing table (inet.0
) as it falls outside the scope of the firewall filter configured in the next section below.
Leaving the destination subnet as 0.0.0.0/0
eases some administrative burden as you only need to modify the firewall filter to specify which traffic is destined for Magic WAN.
Firewall Filter:
In this step, we create a stateless firewall filter to ensure only packets from 10.1.20.0/24
destined for 10.1.100.0/24
are sent to the MAGIC_WAN_RI
routing instance.
- Term 1 -
MAGIC_WAN_NETS
ensures only packets from10.1.20.0/24
destined for10.1.100.0/24
are sent to theMAGIC_WAN_RI
routing instance. Take note of thecount
statement defined in this term. Count ↗ allows you to view how many packets are processed by this term in the firewall filter. An example of how to view the Counter is included below. - Term 2 -
ALLOW_EVERYTHING_ELSE
ensures all other traffic continues to the primary routing table (inet.0
).
View Firewall Filter Counters
To view the firewall filter counter:
Bind Firewall Filter to the interface in the trust zone:
RIB Group:
RIB Groups allow you to concatenate the contents of multiple routing tables into a routing table group.
The primary routing table in the RIB group should be inet.0
followed by the secondary routing table MAGIC_WAN_RI.inet.0
which is the MAGIC_WAN_RI
routing-instance created above.
Interface Routes ↗ referenced below by the interface-routes
statement determines which interfaces and Routing Instances are bound to the RIB Group.
Define security policies to permit traffic flows destined for Magic WAN-protected resources. The source/destination zones must incorporate the zone containing the tunnel interfaces.
There are two very simple rules to allow traffic bidirectionally — it is generally recommended to start with a similar policy and then add more stringent rules once general connectivity is established successfully.
From Zone: Cloudflare To Zone: trust
From Zone: trust To Zone: Cloudflare
There are several diagnostic commands available to view the status of IPsec tunnels.
Use ping to test connectivity from the SRX side of the tunnel to the Cloudflare side of the tunnel. Ensure you use the source option to specify the IP address associated with tunnel interfaces st0.0
and st0.1
, respectively:
Tunnel 1 - st0.0 - 10.252.2.21
Tunnel 2 - st0.1 - 10.252.2.23
show security ike active-peer
↗
show security ike security-associations
↗
show security ipsec security-associations
↗
It can be very helpful to enable debug logging via traceoptions while setting up the tunnels. The log data can help determine if there are issues and, if so, where they might be occurring.
Please note that some errors in the log are benign. The types of errors to look for are those related to authentication or encryption/integrity (that is, no proposal chosen).
The log file can be viewed by doing the following:
-
From an operational mode, run start shell.
-
Use the
tail
command to view the contents of the log file in real-time: -
Press CTRL + C when finished.
-
Type
exit
to return to the operational mode prompt.
Either deactivate traceoptions
or delete traceoptions
once debugging is complete.
Confirm traceoptions
is deactivated with:
Refer to traceoptions (Security IPsec) ↗ for more information on this topic.
To view the log file:
- From an operational mode, run
start shell
. - Use the tail command to view the contents of the log file in real time:
tail -f /var/log/ipsec-debug.log
- Press
CTRL + C
when finished. - Type
exit
to return to the operational mode prompt.
Either deactivate traceoptions
or delete traceoptions
once debugging is complete.
Confirm traceoptions
is deactivated: