Vyatta documentation

IPsec RA VPN server configuration example

Example IPsec RA VPN server configuration, with explanatory inline comments.

Typically, a tunnel consists of an IKE SA and a pair of IPsec SAs. The server's support limit is 1000 tunnels in total, that is, 1000 pairs of IPsec SAs. The server supports multiple tunnels per client, but regardless of how many IPsec RA VPN server profiles are configured, the system-wide limit remains 1000 tunnels.

The IPsec RA VPN server needs only these certificate files:

  • Host/end-entity certificate for the server itself
  • The corresponding private key
  • The root certificate
Note: For best security practice, store only the RA VPN server's private key on the server. Do not store private keys for other devices on the server.

# On re-authentication IKEv2 creates an overlapping set of IKE SAs and IPsec SAs to prevent tunnel interruptions.
# This is a global setting that applies to all IKEv2/IPsec tunnels.
set security vpn ike make-before-break

# IPsec ESP group proposal. For guidance on selection of the ESP algorithms, please refer to RFC 8221 (or successor IETF documents).
set security vpn ipsec esp-group ESP1 proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group ESP1 proposal 1 hash null

# Enable IKE dead-peer-detection. When a dead peer is detected, clear all stale IKE and IPsec SAs.
set security vpn ipsec ike-group IKE1 dead-peer-detection action clear

# The IPsec RA VPN server only supports IKEv2.
set security vpn ipsec ike-group IKE1 ike-version 2

# IKE group proposal. For guidance on selection of the IKE algorithms, please refer to RFC 8247 (or successor IETF documents).
set security vpn ipsec ike-group IKE1 proposal 1 dh-group 19
set security vpn ipsec ike-group IKE1 proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group IKE1 proposal 1 hash sha2_256

# Configure the Virtual IP address pools used to assign inner-tunnel addresses to the RA VPN clients.
# The network range for the pool needs to be appropriately sized. If the pool runs out of free IP addresses,
# the server will reject new client connections for remote-access-server profiles using this pool.
#
# Pools can be shared between different remote-access-server profiles.
set security vpn ipsec remote-access-server pool POOL1 subnet 10.100.0.0/24

# User-ordered list of (VPN) internal DNS server addresses, which get pushed down to the RA VPN client.
set security vpn ipsec remote-access-server pool POOL1 attributes dns 172.16.1.1

# User-ordered list of (VPN) internal subnets. Some client implementations may require the traffic-selector
set security vpn ipsec remote-access-server pool POOL1 attributes subnet 172.16.1.0/24

# Second server pool
set security vpn ipsec remote-access-server pool POOL2 subnet 10.200.0.0/24
set security vpn ipsec remote-access-server pool POOL2 attributes dns 10.90.9.1
set security vpn ipsec remote-access-server pool POOL2 attributes subnet 10.90.9.0/24

# X.509 authentication configuration
set security vpn ipsec remote-access-server profile ROADWARRIOR authentication mode x509

# End-entity/host certificate of the server
set security vpn ipsec remote-access-server profile ROADWARRIOR authentication x509 cert-file /config/auth/server.vpn.am.crt

# Private key of the server certificate
set security vpn ipsec remote-access-server profile ROADWARRIOR authentication x509 key file /config/auth/server.vpn.am.key

# Limit access to this remote-access-server profile to clients with a particular certificate subject.
# Wildcards are represented by the asterisk character.
#
# !!! WARNING: without any remote-id defined, all client certificates issued by a trusted CA are accepted !!!
# (unless they have been revoked by the CA (OCSP/CRL), have expired, or are not yet valid)
set security vpn ipsec remote-access-server profile ROADWARRIOR authentication x509 remote-id 'O=Tenant1, CN=*'

# Controls the revocation behavior of the server if none of the CRL servers or OCSP responders were
# reachable or able to provide a status for the client certificate chain being checked.
#
# If configured "strict", client authentication/verification fails unless at least one CRL/OCSP revocation
# check completed without failure.
#
# If configured "relaxed", client authentication/verification does not fail due to the unavailability of a
# CRL/OCSP status.
set security vpn ipsec remote-access-server profile ROADWARRIOR authentication x509 revocation-policy strict

# Assign the ESP/IKE group definitions to the remote-access-server profile
set security vpn ipsec remote-access-server profile ROADWARRIOR esp-group ESP1
set security vpn ipsec remote-access-server profile ROADWARRIOR ike-group IKE1

# This remote-access-server profile listens only on the following local-address,
# typically your public IP termination point (e.g. a VRRP VIP address).
set security vpn ipsec remote-access-server profile ROADWARRIOR local-address 10.10.2.3

# Assign the Virtual IP pool to the remote-access-server profile
set security vpn ipsec remote-access-server profile ROADWARRIOR pools POOL1

# Only a local traffic-selector is defined, which represents the protected network to provide access to.
# By default the remote traffic-selector is negotiated down to the Virtual IP address assigned to the client.
set security vpn ipsec remote-access-server profile ROADWARRIOR tunnel 1 local network 172.16.1.0/24

# Second server profile
set security vpn ipsec remote-access-server profile DEVCLOUD authentication mode x509
set security vpn ipsec remote-access-server profile DEVCLOUD authentication x509 cert-file /config/auth/server.vpn.am.crt
set security vpn ipsec remote-access-server profile DEVCLOUD authentication x509 key file /config/auth/server.vpn.am.key
set security vpn ipsec remote-access-server profile DEVCLOUD authentication x509 remote-id 'O=Tenant2, CN=*'
set security vpn ipsec remote-access-server profile DEVCLOUD authentication x509 revocation-policy strict
set security vpn ipsec remote-access-server profile DEVCLOUD esp-group ESP1
set security vpn ipsec remote-access-server profile DEVCLOUD ike-group IKE1
set security vpn ipsec remote-access-server profile DEVCLOUD local-address 10.10.2.3
set security vpn ipsec remote-access-server profile DEVCLOUD pools POOL2
set security vpn ipsec remote-access-server profile DEVCLOUD tunnel 1 local network 10.90.9.0/24

# Third server profile
set security vpn ipsec remote-access-server profile DEVCLOUD2 authentication mode x509
set security vpn ipsec remote-access-server profile DEVCLOUD2 authentication x509 cert-file /config/auth/server.vpn.am.crt
set security vpn ipsec remote-access-server profile DEVCLOUD2 authentication x509 key file /config/auth/server.vpn.am.key
set security vpn ipsec remote-access-server profile DEVCLOUD2 authentication x509 revocation-policy strict
set security vpn ipsec remote-access-server profile DEVCLOUD2 esp-group ESP1
set security vpn ipsec remote-access-server profile DEVCLOUD2 ike-group IKE1
set security vpn ipsec remote-access-server profile DEVCLOUD2 local-address 10.10.2.3
set security vpn ipsec remote-access-server profile DEVCLOUD2 pools POOL2
set security vpn ipsec remote-access-server profile DEVCLOUD2 tunnel 1 local network 10.90.9.0/24

# Global IPsec CA trust-store. Used to verify and trust all peer certificate chains.
set security vpn x509 ca-certs /config/auth/RootCA.pem

# A static host mapping is used for the CRL server in lieu of a DNS server
set system static-host-mapping host-name crl.vpn.am inet 10.20.2.6

# The remainder of the configuration is not directly related to IPsec
set interfaces bonding dp0bond0 address 10.100.1.3/24
set interfaces bonding dp0bond0 address 172.16.1.10/24
set interfaces bonding dp0bond0 firewall in private_fw_in
set interfaces bonding dp0bond0 firewall out private_fw_out
set interfaces bonding dp0bond0 lacp-options activity active
set interfaces bonding dp0bond0 mode lacp
set interfaces bonding dp0bond0 vrrp vrrp-group 1 advertise-interval 1
set interfaces bonding dp0bond0 vrrp vrrp-group 1 preempt false
set interfaces bonding dp0bond0 vrrp vrrp-group 1 priority 254
set interfaces bonding dp0bond0 vrrp vrrp-group 1 rfc-compatibility
set interfaces bonding dp0bond0 vrrp vrrp-group 1 sync-group vgroup1
set interfaces bonding dp0bond0 vrrp vrrp-group 1 virtual-address 10.100.1.1/24
set interfaces bonding dp0bond1 address 10.10.2.4/29
set interfaces bonding dp0bond1 firewall in public_fw_in
set interfaces bonding dp0bond1 firewall out public_fw_out
set interfaces bonding dp0bond1 lacp-options activity active
set interfaces bonding dp0bond1 mode lacp
set interfaces bonding dp0bond1 vrrp vrrp-group 1 advertise-interval 1
set interfaces bonding dp0bond1 vrrp vrrp-group 1 notify ipsec
set interfaces bonding dp0bond1 vrrp vrrp-group 1 preempt false
set interfaces bonding dp0bond1 vrrp vrrp-group 1 priority 254
set interfaces bonding dp0bond1 vrrp vrrp-group 1 rfc-compatibility
set interfaces bonding dp0bond1 vrrp vrrp-group 1 sync-group vgroup1
set interfaces bonding dp0bond1 vrrp vrrp-group 1 virtual-address 10.10.2.3/29
set interfaces dataplane dp0s4 address dhcp
set interfaces dataplane dp0s5 bond-group dp0bond0
set interfaces dataplane dp0s6 bond-group dp0bond0
set interfaces dataplane dp0s7 bond-group dp0bond1
set interfaces dataplane dp0s8 bond-group dp0bond1
set protocols static route 0.0.0.0/0 next-hop 10.10.2.1
set protocols static route 10.90.9.0/24 next-hop 10.100.1.2
set security firewall name private_fw_in rule 10 action accept
set security firewall name private_fw_out rule 10 action accept
set security firewall name public_fw_in rule 10 action accept
set security firewall name public_fw_out rule 10 action accept
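The two client-authorization controls in the profiles above, the x509 remote-id subject pattern and the revocation-policy, decide which certificates issued by the trusted CA actually get a tunnel. The following Python model is an added example, not Vyatta code and not the server's implementation; it exists only to make those semantics concrete. It assumes a matching rule (same RDN attributes in the same order, with the asterisk as the only wildcard) and models each CRL server or OCSP responder consulted as returning "good", "revoked" or "unavailable". Trusted-CA chain building is assumed to have already succeeded, and all certificates, subjects and timestamps are constructed sample data; the profile names are taken from the configuration above.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fixed "current time" for the constructed samples so results are reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class ClientCert:
    """Constructed stand-in for a client certificate that already chains to the trusted CA."""
    subject: str                 # e.g. "O=Tenant1, CN=alice"
    not_before: datetime
    not_after: datetime
    # One outcome per CRL distribution point / OCSP responder consulted for the chain:
    # "good", "revoked" or "unavailable" (server unreachable or gave no status).
    revocation_results: list = field(default_factory=list)


def sample_cert(subject, revocation_results, expired=False):
    """Build a constructed sample certificate valid around SAMPLE_NOW (or already expired)."""
    if expired:
        return ClientCert(subject, datetime(2022, 1, 1, tzinfo=timezone.utc),
                          datetime(2023, 1, 1, tzinfo=timezone.utc), list(revocation_results))
    return ClientCert(subject, datetime(2024, 1, 1, tzinfo=timezone.utc),
                      datetime(2025, 1, 1, tzinfo=timezone.utc), list(revocation_results))


def parse_dn(dn):
    """Split 'O=Tenant1, CN=*' into an ordered list of (attribute, value) pairs.
    Simplified: values containing commas or escapes are not handled."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN in {dn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def wildcard_match(value, pattern):
    """Match with '*' as the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def subject_matches_remote_id(subject, remote_id):
    """Assumed rule: same RDN attributes in the same order, each value matched against the pattern."""
    want, have = parse_dn(remote_id), parse_dn(subject)
    if len(want) != len(have):
        return False
    return all(wa == ha and wildcard_match(hv, wv) for (wa, wv), (ha, hv) in zip(want, have))


def revocation_ok(results, policy):
    """Apply the revocation-policy semantics described in the configuration comments."""
    if "revoked" in results:
        return False                      # a revoked certificate fails under either policy
    if policy == "strict":
        return "good" in results          # at least one CRL/OCSP check must have completed
    if policy == "relaxed":
        return True                       # unavailable status sources do not fail the client
    raise ValueError(f"unknown revocation-policy {policy!r}")


def authorize(cert, remote_id, policy, now=SAMPLE_NOW):
    """Decide whether a client certificate is accepted for a profile with the given settings.
    remote_id=None models a profile such as DEVCLOUD2 above, which sets no remote-id."""
    if not (cert.not_before <= now <= cert.not_after):
        return "reject: certificate expired or not yet valid"
    if not revocation_ok(cert.revocation_results, policy):
        return "reject: revocation status"
    if remote_id is not None and not subject_matches_remote_id(cert.subject, remote_id):
        return "reject: subject does not match remote-id"
    return "accept"


if __name__ == "__main__":
    alice = sample_cert("O=Tenant1, CN=alice", ["good"])
    bob = sample_cert("O=Tenant2, CN=bob", ["unavailable", "unavailable"])
    for profile, rid, policy in (("ROADWARRIOR", "O=Tenant1, CN=*", "strict"),
                                 ("DEVCLOUD", "O=Tenant2, CN=*", "strict"),
                                 ("DEVCLOUD2", None, "strict")):
        print(profile, "alice ->", authorize(alice, rid, policy))
        print(profile, "bob   ->", authorize(bob, rid, policy))
```

Running the module shows the effect of the warning in the comments: the DEVCLOUD2 profile, which sets no remote-id, accepts alice's Tenant1 certificate as readily as the ROADWARRIOR profile does, while the strict revocation-policy rejects bob whenever neither the CRL server nor an OCSP responder could report his status. Switching that profile to relaxed would let bob through on the unavailable status alone, which is the trade-off the two settings express.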