VNS3 Setup Guides for Popular Security Appliances (IPsec Configuration Instructions) Learn how to set up VNS3 with SSG IPsec devices to get the most out of your VNS3 virtual network device.

1. © 2016
VNS3 to Junpier
Instructions
SSG IPsec Configuration Guide
2016

2. © 2016
Site-to-Site IPsec Tunnel
2
IPsec protocol allows you to securely connect two sites together over the
public internet using cryptographically secured services. IPsec ensure private
and secure communication between two devices. This type of VPN has many
use-cases. We will focus on the Site-to-Site or LAN-to-LAN setup most often
used with VNS3 to build Hybrid Clouds.
• Many network hardware devices support IPsec tunneling functionality.
Check your device's data sheet to see if it is compatible with VNS3. The
requirements are:
• IKE1 or IKE2
• AES256 or AES128 or 3DES
• SHA1 or MD5
• NAT-Traversal capability (some clouds require NAT-Traversal encapsulation -
AWS Generic EC2, Microsoft Azure, etc.)
A diagram of the typical secure hybrid cloud setup using VNS3 is provided on
the right. The IPsec tunnel provides secure and encrypted connectivity
between the office subnet (192.169.3.0/24) and the VNS3 Overlay Network
(172.31.1.0/24).
This guide will provide steps to setup the Juniper SSG side of the IPsec
configuration.
The most important thing in any IPsec configuration is to make sure all
settings match on both devices that are going to connect to each other.
Mismatches are the primary cause for tunnel failure or instability.
Public Cloud
Overlay Network
Subnet: 172.31.1.0/24
Cloud Server
Overlay IP: 172.31.1.1
Server B
LAN IP: 192.168.3.100
Server A
LAN IP: 192.168.3.50
Customer Remote Office
Remote subnet: 192.168.3.0/24
VNS3
public IP: 184.73.174.250
overlay IP: 172.31.1.250
Firewall / IPsec
Juniper SSG
Active IPsec tunnel
192.168.3.0/24 - 172.31.1.0/24

3. © 2016
Create Tunnel Interface
3
The first step in setting up an IPsec tunnel is to create a
tunnel interface the Juniper will use for the connection, if
one is not already created and ready for use.
Click Network>Interface>List from the right column menu.
Click New in the top right of the resulting Interfaces List
page next to the drop down menu with Tunnel IF selected.
Enter a tunnel integer in the Tunnel Interface Name field.
In this example we use 1 as no other tunnel interfaces are
configured.
Select Trust from the Zone (VR) drop down menu.
Select the Unnumbered radio button and select the
outside or public interface from the drop down list. In our
example we use ethernet0/0 (trust-vr) as that is the port
that is being used to access the public Internet through out
Network Lab edge.
Click OK.

4. © 2016
Create Phase 1 Proposal Object
4
It is recommended best practices to create a specific Phase 1
proposal definition for the VNS3 configuration and specify only that
proposal in the Gateway setup. This prevents the tunnel from being
negotiated with other parameters.
Click VPNs>AutoKey Advanced>P1 Proposal.
Click New.
Enter a Name in the Name field. In this example we use VNS3 P1.
Select Preshare from the Authentication Method drop down.
Select Group 5 from the DH Group drop down.
Select AES-CBC(256 Bits) from the Encryption Algorithm drop down.
Select SHA-1 from the Hash Algorithm drop down.
Enter 3600 in the Lifetime field and click the Sec radio button.
Click OK.
NOTE: these are the default and recommended VNS3 settings for
Phase 1. You can use whatever settings you choose, just remember
they need to match exactly with the VNS3 side of the configuration.

5. © 2016
Create Phase 2 Proposal Object
5
It is recommended best practices to create a specific Phase 2
proposal definition for the VNS3 configuration and specify only that
proposal in the Auto IKE setup. This prevents the tunnel from being
negotiated with other parameters.
Click VPNs>AutoKey Advanced>P2 Proposal.
Click New.
Enter a Name in the Name field. In this example we use VNS3 P1.
Select DH Group 5 from the Perfect Forward Secrecy drop down.
Select AES-CBC(256 Bits) from the Encryption Algorithm drop down.
Select SHA-1 from the Hash Algorithm drop down.
Enter 2800 in the Lifetime field and click the Sec radio button.
Click OK.
NOTE: these are the default and recommended VNS3 settings for
Phase 2. You can use whatever settings you choose, just remember
they need to match exactly with the VNS3 side of the configuration.

6. © 2016
Create Gateway (Phase 1)
6
Create a Gateway configuration for the VNS3 Controller on the
Juniper to provide details about IPsec Phase 1 negotiation.
Click VPNs>AutoKey Advanced>Gateway.
Enter a Name for the Gateway.
Select Remote Gateway and Static IP Address.
Enter the Public IP of the VNS3 Controller in the IP Address/
Hostname field.
*If using NAT-Traversal Encapsulation you will need to enter the VNS3
Local Private IP (default 192.0.2.254) in the Peer ID field.
Click Advanced.
Enter a PSK in the Preshared Key field. In our example we use test.
If the Juniper is not in the network edge, enter it's NAT'd IP in the
Local ID field.
Click on the Custom User Defined radio button under Security Level
then select the custom VNS3 Phase 1 proposal created earlier.
Click Enable NAT-Traversal if using NAT-Traversal Encapsulation.
Click Return then OK.

7. © 2016
Add VPN: Proposals
7
Now that the remote Gateway (VNS3) is defined and Phase 1
settings are configured, Phase 2 parameters can be entered.
Click VPNs>AutoKey IKE
Enter a Name for the AutoKey IKE Object in the VPN Name
field.
Click the Remote Gateway radio button.
Click Predefined and select the Gateway that was just
created.
Click Advanced.
Click on the Custom User Defined radio button under
Security Level then select the custom VNS3 Phase 2 proposal
created earlier.
Click Tunnel Interface then select the tunnel.1 interface
previously created under Bind to.
Click Return then OK.

8. © 2016
Add Policies
8
Now that the Gateway, Phase1 and Phase2 definitions have been added
to the Juniper, the next step is to setup the appropriate policies to allow
traffic from the Local and Remote subnets to pass.
Two rules are required for each tunnel.
1.Rule from Trust Zone to Untrust Zone - this rule allows traffic from
the local subnet (Juniper subnet - in our example 192.168.5.0/24) to
the remote subnet (VNS3 Overlay subnet - in our example
172.31.1.0/24).
2.Rule from Untrust Zone to Trust Zone - this rule allows traffic from
remote subnet (VNS3 Overlay subnet - in our example 172.31.1.0/24)
to the local subnet (Juniper subnet - in our example 192.168.5.0/24).
For Rule #1 Above select Trust on the From drop down and Untrust on
the To drop down, then click New.
Enter the Source (192.168.5.0/24) and Destination Addresses
(172.31.1.0/24) select ANY in the Service drop down and click OK.
For Rule #1 Above select Untrust on the From drop down and Trust on
the To drop down, then click New.
Enter the Source (172.31.1.0/24) and Destination Addresses
(192.168.5.0/24) select ANY in the Service drop down and click OK.

9. © 2016
IPsec Review
9
Finally we need to add the appropriate route
to allow traffic to flow from the Juniper subnet
through the appropriate tunnel interface to
the VNS3 remote Overlay subent.
Click Routing>Destination.
Enter the VNS3 remote Overlay subnet
(172.31.1.0/24 in our example) in the IP
Address/Netmask field.
Click the Gateway radio button and select
tunnel.1 from the Interface drop down.
Click OK.

10. © 2016
Troubleshooting
10

11. © 2016
Tunnel Traffic
11
Depending on your network architecture, tunnel traffic may need to be passed from the
Sonicwall side of the connection to start the initial IPsec negotiation. Ping the VNS3
Controller instance's Overlay IP address (listed on the Runtime Status page) from a device
on the Sonicwall local subnet.

12. © 2016
Peer ID
12
If VNS3 has NAT-Traversal enabled (VNS3
default setting), you will need to enter in the
Peer ID in the Gateway definition. Without this
entered, there will be INVALID_ID errors in the
VNS3 IPsec logs and the tunnel will not
negotiate.
If VNS3 has NAT-Traversal disabled, you will
not need to enter the Peer ID>

13. © 2016
VPN Monitor
13
Juniper recommends enabling VPN Monitor in
all Policy-based VPN setup guides. VPN
Monitor is not supported in connections to
VNS3 Managers. It prevents traffic from
traversing the tunnel.
Make sure VPN Monitor is disabled on the
VPNs>AutoKey IKE>Advanced page.

14. © 2016
VNS3 Document Links
14
VNS3 Product Resources - Documentation | Add-ons
VNS3 Configuration Document
Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology.
Specific steps include, initializing a new Controller, generating clientpack keys, setting up peering, building
IPsec tunnels, and connecting client servers to the Overlay Network.
VNS3 Docker Instructions
Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting
application containers.
VNS3 Troubleshooting
Troubleshooting document that provides explanation issues that are more commonly experienced with VNS3.