SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Group VPN Issues

    Posted 07-28-2012 09:40

    Hey Everyone,

    I am working on setting up a Group VPN as part of a Proof of Concept as well as my JNCIE-SEC concepts refresher.

     

    In this case I have 3x SRX100's, in which one is the Key Server and the other two are members. I can get the IKE, IPsec, KEK, and dynamic policies to come up, but the hosts I am trying to send traffic to/from are not able to do so.

     

    All SRX's are running 11.1R6.4; configs are attached. It looks like I am just missing a config statement, but after poring over the configs for the past few hours I am unable to find the missing piece. If anyone can provide some insight I would be extremely grateful.

     

    I do have debug logs from key server as well as the members, but I did not attach them because I did not find anything unusual in them. I would be more than happy to attach them if you would like.

     

    A rough diagram is attached below:

     

    diagram.png

    chaynes@srx100-1> show security dynamic-policies detail

    Policy: allow-in-0001, action-type: permit, State: enabled, Index: 1048583, Scope Policy: 7
    Policy Type: Dynamic
    Sequence number: 1
    From zone: trust, To zone: untrust
    Source addresses:
    N/A: 0.0.0.0/0
    Destination addresses:
    N/A: 0.0.0.0/0
    Application: Unknown
    Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
    Per policy TCP Options: SYN check: No, SEQ check: No
    Tunnel: INSTANCE-group-vpn_133955585, Type: IPSec, Index: 133955585
    Policy: allow-out-0001, action-type: permit, State: enabled, Index: 1048584, Scope Policy: 8
    Policy Type: Dynamic
    Sequence number: 1
    From zone: untrust, To zone: trust
    Source addresses:
    N/A: 0.0.0.0/0
    Destination addresses:
    N/A: 0.0.0.0/0
    Application: Unknown
    Application: Unknown
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
    Per policy TCP Options: SYN check: No, SEQ check: No
    Tunnel: INSTANCE-group-vpn_133955585, Type: IPSec, Index: 133955585

    chaynes@srx100-1> show security group-vpn member ike security-associations

    chaynes@srx100-1> show security group-vpn member ipsec security-associations
    Total active tunnels: 1
    ID         Server    Port Algorithm        SPI      Life:sec/kb  GId  vsys
    >133955585 10.0.0.4  848  ESP:aes-128/sha1 a678566f 2021/ unlim  1    root
    <133955585 10.0.0.4  848  ESP:aes-128/sha1 a678566f 2021/ unlim  1    root

    chaynes@srx100-1> show security group-vpn member kek security-associations
    Index   Remote Address State Initiator cookie Responder cookie GroupId
    3214130 10.0.0.4       UP    c8b022d822b75563 90b11b50cc4b6278 1

    Attachment(s)

    gvpn-member-srx2.txt (5 KB)
    gvpn-member-1.txt (5 KB)
    gvpn-server.txt (4 KB)


  • 2.  RE: Group VPN Issues

    Posted 07-28-2012 11:39

    Hi

     

    Looks like a routing issue to me. E.g., member-1 doesn't have a route to net 172.60.30/24.
    Yes, it has a default route, but to some other router (.254), not member-2.



  • 3.  RE: Group VPN Issues

    Posted 07-29-2012 12:07

    Unfortunately that did not help, although I thought the SRX's wouldn't need routes, as it is supposed to be a policy-based route?

     

    I did add routes to the loopback interfaces (where the GVPN terminates) on both the default gateway and the SRX's to see if that would help (to no avail).



  • 4.  RE: Group VPN Issues
    Best Answer

    Posted 07-29-2012 12:55

    Hi

     

    According to my understanding, you should add routes to the remote networks (not loopbacks), and do it on each of the members. In G-VPN, the same routing is used as if there were no VPN at all. So if you delete your VPN config, can the networks communicate? If not, G-VPN will also not work.



  • 5.  RE: Group VPN Issues

    Posted 07-29-2012 15:44

    Aha! You made me think of something... Pings were working when I shut down the tunnels, but I had the routing done on the upstream router (172.16.100.254) instead of on each individual SRX. Just for grins I turned on OSPF on each SRX:

     

    chaynes@srx100-1> show configuration protocols 
    ospf {
        area 0.0.0.0 {
            interface lo0.0;
            interface fe-0/0/0.100;
            interface fe-0/0/0.10 {
                passive;
            }
        }
    }

    And tried again. Lo and behold, it works now! So this tells me that the SRX's need to explicitly have the routes in their route table before traffic can flow.

     

    Thank you for the help!
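
A worked configuration for the fix the thread arrives at (reply 4: each member must itself hold routes to the remote protected networks, because Group VPN forwards on the ordinary routing table; reply 5: solved there with OSPF). This is an added example, not configuration from the original posts or their attachments, and it shows the static-route form for member-1 instead of OSPF. The attached configs and diagram are not on the page, so the protected prefix behind member-1, the shared-segment addresses of the two members and the interface layout are assumptions; only 172.60.30/24 (reply 2), 172.16.100.254 (reply 5) and the key server 10.0.0.4 (from the SA output) come from the thread.

```junos
## Added example, not configuration from the thread. Assumed topology: member-1 (srx100-1)
## protects 172.60.10.0/24 and member-2 protects 172.60.30.0/24; both members have
## fe-0/0/0.100 on the 10.0.0.0/24 segment shared with the key server 10.0.0.4, with
## member-1 at 10.0.0.2 and member-2 at 10.0.0.3 (assumed). Internet traffic leaves via
## the upstream router 172.16.100.254.

## BEFORE (member-1): only a default route, pointing at the upstream router.
## Reply 2's diagnosis: a lookup for 172.60.30.0/24 resolves to .254, not to member-2,
## and the thread found that putting the routes on the upstream router alone did not
## make traffic flow.
set routing-options static route 0.0.0.0/0 next-hop 172.16.100.254

## AFTER (member-1): add a route on the member itself for every remote protected prefix,
## pointing at the member that fronts it. Static equivalent of the OSPF in reply 5.
set routing-options static route 172.60.30.0/24 next-hop 10.0.0.3

## Mirror on member-2 (assumed address of member-1 on the shared segment: 10.0.0.2):
## set routing-options static route 172.60.10.0/24 next-hop 10.0.0.2
```

After `commit`, check the routing table before touching the VPN: `show route 172.60.30.0/24` on member-1 should resolve to the peer member rather than to .254, and `show security flow session destination-prefix 172.60.30.0/24` should show sessions once a host behind member-1 pings a host behind member-2. If you already run OSPF as in reply 5, a static route for the same prefix will take precedence (route preference 5 versus OSPF's 10), so pick one mechanism per prefix. As reply 4 says, if the two protected networks cannot reach each other with the Group VPN configuration removed, the VPN will not make them.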