Junos
Contributor
NDCool
Posts: 243
Registered: ‎11-26-2007

HTTPS and POP3 can not go through site to site IPSec VPN

Hi all,

 

I am trying to activate a site-to-site IPsec VPN between a J6350 (HQ) and a J2300 (Branch).

After the tunnel is established, HTTP, ping, and DNS work fine, but HTTPS and POP3 traffic does not.

 

Here is the IPsec configuration:

 

1. Router HO (J6350)

 

set services ipsec-vpn ipsec proposal ph2-des-sha-esp protocol esp

set services ipsec-vpn ipsec proposal ph2-des-sha-esp authentication-algorithm hmac-sha1-96

set services ipsec-vpn ipsec proposal ph2-des-sha-esp encryption-algorithm aes-256-cbc

set services ipsec-vpn ipsec policy phase2 perfect-forward-secrecy keys group1

set services ipsec-vpn ipsec policy phase2 proposals ph2-des-sha-esp

set services ipsec-vpn ike proposal ike-des-sha-dh1 dh-group group1

set services ipsec-vpn ike proposal ike-des-sha-dh1 authentication-algorithm sha1

set services ipsec-vpn ike proposal ike-des-sha-dh1 encryption-algorithm aes-256-cbc

set services ipsec-vpn ike policy ike-preshare proposals ike-des-sha-dh1

set services ipsec-vpn ike policy ike-preshare pre-shared-key ascii-text smmfjaya

 

set services ipsec-vpn establish-tunnels immediately

 

set interfaces sp-0/0/0 unit 10 family inet

set interfaces sp-0/0/0 unit 10 service-domain inside

set interfaces sp-0/0/0 unit 10 description "Tunnel inside to Branch"

 

set interfaces sp-0/0/0 unit 11 family inet

set interfaces sp-0/0/0 unit 11 service-domain outside

set interfaces sp-0/0/0 unit 11 description "Tunnel outside to Branch"

 

 

set services service-set ipsec-tunnel next-hop-service inside-service-interface sp-0/0/0.10

set services service-set ipsec-tunnel next-hop-service outside-service-interface sp-0/0/0.11

set services service-set ipsec-tunnel ipsec-vpn-options local-gateway 10.172.9.170

 

set services ipsec-vpn rule ike-tunnel1 term ike-term then remote-gateway 10.172.11.102

 

set services ipsec-vpn rule ike-tunnel1 term ike-term then dynamic ike-policy ike-preshare

set services ipsec-vpn rule ike-tunnel1 term ike-term then dynamic ipsec-policy phase2

set services ipsec-vpn rule ike-tunnel1 match-direction input

set services service-set ipsec-tunnel ipsec-vpn-rules ike-tunnel1

 

set routing-options static route 192.168.16.0/24 next-hop sp-0/0/0.10

 

 

2. Router Branch (J2300)

 

set services ipsec-vpn ipsec proposal ph2-des-sha-esp protocol esp

set services ipsec-vpn ipsec proposal ph2-des-sha-esp authentication-algorithm hmac-sha1-96

set services ipsec-vpn ipsec proposal ph2-des-sha-esp encryption-algorithm aes-256-cbc

set services ipsec-vpn ipsec policy phase2 perfect-forward-secrecy keys group1

set services ipsec-vpn ipsec policy phase2 proposals ph2-des-sha-esp

set services ipsec-vpn ike proposal ike-des-sha-dh1 dh-group group1

set services ipsec-vpn ike proposal ike-des-sha-dh1 authentication-algorithm sha1

set services ipsec-vpn ike proposal ike-des-sha-dh1 encryption-algorithm aes-256-cbc

set services ipsec-vpn ike policy ike-preshare proposals ike-des-sha-dh1

set services ipsec-vpn ike policy ike-preshare pre-shared-key ascii-text smmfjaya

 

set services ipsec-vpn establish-tunnels immediately

 

set interfaces sp-0/0/0 unit 10 family inet

set interfaces sp-0/0/0 unit 10 service-domain inside

set interfaces sp-0/0/0 unit 10 description "Tunnel inside to HQ"

set interfaces sp-0/0/0 unit 11 family inet

set interfaces sp-0/0/0 unit 11 service-domain outside

set interfaces sp-0/0/0 unit 11 description "Tunnel outside to HQ"

 

set services service-set ipsec-tunnel next-hop-service inside-service-interface sp-0/0/0.10

set services service-set ipsec-tunnel next-hop-service outside-service-interface sp-0/0/0.11

set services service-set ipsec-tunnel ipsec-vpn-options local-gateway 10.172.11.102

 

set services ipsec-vpn rule ike-tunnel1 term ike-term then remote-gateway 10.172.9.170

 

set services ipsec-vpn rule ike-tunnel1 term ike-term then dynamic ike-policy ike-preshare

set services ipsec-vpn rule ike-tunnel1 term ike-term then dynamic ipsec-policy phase2

set services ipsec-vpn rule ike-tunnel1 match-direction input

set services service-set ipsec-tunnel ipsec-vpn-rules ike-tunnel1

 

set routing-options static route 192.168.10.0/24 next-hop sp-0/0/0.10 

 

Any suggestion what I must do?

Regards,

ND
Distinguished Expert
mikep
Posts: 483
Registered: ‎06-30-2009

Re: HTTPS and POP3 can not go through site to site IPSec VPN

Hi,

 

could it be that you run into a fragmentation problem when you test with HTTPS and POP3?

 

Kind Regards

Michael Pergament

 

Contributor
NDCool
Posts: 243
Registered: ‎11-26-2007

Re: HTTPS and POP3 can not go through site to site IPSec VPN

Hi Michael,

 

So how do I fix this fragmentation problem? Any idea?

Sorry, I'm a newbie on Junos.

Regards,

ND
Distinguished Expert
mikep
Posts: 483
Registered: ‎06-30-2009

Re: HTTPS and POP3 can not go through site to site IPSec VPN

Hi,

 

First, you can try to reduce the MTU size on your client and server (e.g. to 1300 bytes). Then check if the problem is still there.

 

Kind Regards

Michael Pergament
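An added check for the fragmentation hypothesis (this is not part of Michael's reply or of the original configuration). With the proposal posted above (ESP tunnel mode, aes-256-cbc, hmac-sha1-96) over IPv4, the ESP encapsulation adds 58 bytes plus 0 to 15 bytes of cipher padding: 20 bytes outer IP header, 8 bytes SPI and sequence number, 16 bytes IV, 2 bytes pad-length/next-header trailer and 12 bytes ICV. The largest inner packet that fits an unfragmented 1500-byte outer packet is therefore 1438 bytes (1496 bytes on the wire), which is an ICMP echo payload of 1410 bytes; a 1411-byte payload gives a 1439-byte inner packet, 15 bytes of padding and a 1512-byte ESP packet that has to be fragmented. The filter below counts whole and fragmented ESP separately in each direction on the outside interface, and the two pings probe the boundary from the router CLI. The outside interface name ge-0/0/0.0, the HQ LAN address 192.168.10.1 and the branch host 192.168.16.1 are assumptions; the thread does not show them. NAT traversal (UDP encapsulation) is not configured here and is not accounted for.

```junos
# Added example, not from the thread. ge-0/0/0.0 is assumed to be the outside
# interface (the one holding the local-gateway address). Apply the same filter
# on both routers; interface-specific gives separate input/output counters.
set firewall family inet filter esp-mtu-check interface-specific
set firewall family inet filter esp-mtu-check term esp-first-fragment from protocol esp
set firewall family inet filter esp-mtu-check term esp-first-fragment from first-fragment
set firewall family inet filter esp-mtu-check term esp-first-fragment then count esp-first-fragment
set firewall family inet filter esp-mtu-check term esp-first-fragment then accept
set firewall family inet filter esp-mtu-check term esp-more-fragments from protocol esp
set firewall family inet filter esp-mtu-check term esp-more-fragments from is-fragment
set firewall family inet filter esp-mtu-check term esp-more-fragments then count esp-more-fragments
set firewall family inet filter esp-mtu-check term esp-more-fragments then accept
set firewall family inet filter esp-mtu-check term esp-whole from protocol esp
set firewall family inet filter esp-mtu-check term esp-whole then count esp-whole
set firewall family inet filter esp-mtu-check term esp-whole then accept
set firewall family inet filter esp-mtu-check term everything-else then accept
set interfaces ge-0/0/0 unit 0 family inet filter input esp-mtu-check
set interfaces ge-0/0/0 unit 0 family inet filter output esp-mtu-check

# From the HQ router, in configuration mode after commit. Addresses are assumed.
# 1410-byte payload -> 1438-byte inner packet -> 1496-byte ESP packet, fits 1500.
run ping 192.168.16.1 source 192.168.10.1 size 1410 do-not-fragment count 5
# 1411-byte payload -> 1439-byte inner packet -> 1512-byte ESP packet, must fragment.
run ping 192.168.16.1 source 192.168.10.1 size 1411 do-not-fragment count 5
# Compare the per-direction counters on both routers, then reset between runs.
run show firewall filter esp-mtu-check
run clear firewall filter esp-mtu-check
```

If the output counters on the sending router show fragmented ESP leaving but the input counters on the receiving router never move off zero for the fragment terms, the fragments are being dropped somewhere on the path between the two gateways, which is the classic reason that small exchanges (ping, DNS, a short HTTP page) work while a TLS handshake carrying a certificate chain or a POP3 message download does not. If both sides count fragments normally, fragmentation is not the explanation and the packet captures suggested later in the thread are the next step.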

Contributor
NDCool
Posts: 243
Registered: ‎11-26-2007

Re: HTTPS and POP3 can not go through site to site IPSec VPN

Hi,

 

We already tried reducing the MTU size to 1300, but users still cannot access HTTPS and POP3.

Any idea?

Regards,

ND
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: HTTPS and POP3 can not go through site to site IPSec VPN

First of all, what JUNOS version do you have on each router? I would suggest enabling packet-capture on both sides, as the issue could be with either side. Here's a link on how to configure packet-capture on J-series.

 

http://www.juniper.net/techpubs/software/jseries/junos93/jseries-admin-guide/configuring-packet-capt...

 

I would suggest enabling this on both your inside ge/fe interface and on the interface that sends the ESP traffic. See if you can see both sides of the data capture and which side is losing the traffic.

 

-Richard
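A worked version of the capture Richard describes, added here as an example and not taken from his post or from the linked guide. It assumes ge-0/0/1.0 is the LAN-side interface and ge-0/0/0.0 carries the ESP traffic (the interface with the local-gateway address); the thread does not name either. The LAN side is captured selectively through a firewall filter whose sample action feeds packet-capture, so only the failing protocols (HTTPS 443, POP3 110, IMAP 143) are written out; the outside interface uses plain sampling so every ESP packet in both directions is recorded. maximum-capture-size is raised to 1500 because the default of 68 bytes only keeps headers, and fragment and length problems need whole packets.

```junos
# Added example, not Richard's configuration. Interface names are assumed.
# Capture files are written to /var/tmp as vpn-debug.<interface>, 10 files of 1 MB.
set forwarding-options packet-capture file filename vpn-debug
set forwarding-options packet-capture file files 10
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture file world-readable
set forwarding-options packet-capture maximum-capture-size 1500

# LAN side: sample only the protocols that fail, in both directions.
set firewall family inet filter cap-lan term mail-and-https from protocol tcp
set firewall family inet filter cap-lan term mail-and-https from port [ 443 110 143 ]
set firewall family inet filter cap-lan term mail-and-https then sample
set firewall family inet filter cap-lan term mail-and-https then accept
set firewall family inet filter cap-lan term everything-else then accept
set interfaces ge-0/0/1 unit 0 family inet filter input cap-lan
set interfaces ge-0/0/1 unit 0 family inet filter output cap-lan

# Outside: capture everything, which on this link is essentially IKE and ESP.
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output

# After reproducing the failure, list the capture files and copy them off the
# router to read with a pcap tool. The FTP destination is a placeholder.
run file list /var/tmp detail
run file copy /var/tmp/vpn-debug.ge-0.0.1 ftp://user@host/
```

Do this on both routers and line the four captures up for one failing session: a TCP SYN that appears on the HQ LAN capture and in the HQ ESP capture but never in the branch ESP capture was lost in transit; one that arrives at the branch outside interface but never shows up on the branch LAN was dropped by the branch router itself, and a full-size TLS or POP3 segment that disappears where smaller segments pass points back at an MTU problem. Deactivate forwarding-options packet-capture and the sampling statements once done, since continuous capture on a busy interface costs CPU and disk on a J-series.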

Contributor
NDCool
Posts: 243
Registered: ‎11-26-2007

Re: HTTPS and POP3 can not go through site to site IPSec VPN


Hi Richard,

 

By the way, sorry for the late reply.

For your info, the HO (J6350) is running Junos version 8.4. Branches running Junos 8.x can establish the IPsec VPN and all traffic passes through. But when a branch runs Junos 9.x, HTTPS, POP3, IMAP, etc. traffic cannot pass through.

Is there a limitation in either Junos version for IPsec VPN?

Message Edited by NDCool on 09-30-2009 05:55 PM
Regards,

ND
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.