Hi,
I'm trying to configure a static ipsec tunnel between an SRX240 and a Linux host (using racoon). It is now to the point where I have the security-associations showing so the tunnel seems to be active. I can ping from either side and see the ESP packets going to the other side, but neither end responds to the ping (the ESP packet is dropped maybe?). I can even use wireshark to decrypt the packets (using the keys from the Linux side) and I see that the contents are the ping packets with the correct private IPs inside.
Any ideas why the SRX side isn't responding to a ping? (If I could at least get the SRX side to respond... I can work on the Linux side from there...)
My network setup is as follows:
SRX Public IP: a.b.c.d -- Internet zone, on reth0.0
Linux Public IP: e.f.g.h
SRX VPN IP: 172.16.41.1/24 -- VPNRemote zone, on st0.0 (multipoint)
Linux VPN IP: 172.16.41.51
The goal is to set up a GRE tunnel so that several private IP ranges from the SRX side are accessible from the Linux side.
Here is my configuration so far:
interfaces {
    reth0 { ... } /* Internet interface */
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 172.16.41.51 ipsec-vpn ike-vpn-test;
                address 172.16.41.1/24;
            }
        }
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ikep1-test-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$qfF/u0IcSeuOhrlK7N"; ## SECRET-DATA
        }
        gateway test {
            ike-policy ikep1-test-policy;
            address e.f.g.h;
            external-interface reth0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-test-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-test {
            bind-interface st0.0;
            ike {
                gateway test;
                proxy-identity {
                    local 172.16.41.0/24;
                    remote 172.16.41.51/32;
                }
                ipsec-policy ipsec-test-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone junos-host to-zone VPNRemote {
            policy test {
                match {
                    source-address any;
                    destination-address VPNNet;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPNRemote to-zone junos-host {
            policy test {
                match {
                    source-address any;
                    destination-address VPNNet;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internet {
            screen Internet-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone VPNRemote {
            address-book {
                address VPNNet 172.16.41.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
Linux:
ipsec.conf:
spdadd 172.16.41.51 172.16.41.0/24 any -P out ipsec
    esp/tunnel/e.f.g.h-a.b.c.d/require;
spdadd 172.16.41.0/24 172.16.41.51 any -P in ipsec
    esp/tunnel/a.b.c.d-e.f.g.h/require;
racoon.conf:
remote a.b.c.d [500] {
    exchange_mode main;
    peers_identifier address a.b.c.d;
    my_identifier address e.f.g.h;
    verify_identifier off;
    nat_traversal force;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
psk.conf:
a.b.c.d secret
Security associations seem to be okay:
root@fw01> show security ike security-associations
node0:
--------------------------------------------------------------------------
Index State Initiator cookie Responder cookie Mode Remote Address
5116024 UP 77fa7eaeb2f0f554 280affa8d6d30521 Main e.f.g.h
----
root@fw01> show security ipsec security-associations
node0:
--------------------------------------------------------------------------
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:aes-256/sha256 fbd041eb 2538/ unlim - root 4500 e.f.g.h
>131073 ESP:aes-256/sha256 561bcf4 2538/ unlim - root 4500 e.f.g.h
When I ping from Linux to SRX, I can see the packets going out from Linux:
09:26:34.544851 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x94), length 132
09:26:35.552884 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x95), length 132
09:26:36.560938 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x96), length 132
(and once decrypted they are pings from 172.16.41.51 to 172.16.41.1)
Showing a flow trace of the above pings using basic-datapath:
root@fw01> show log tshoot_ipsec
May 8 09:26:31 09:26:31.534228:CID-1:RT: find flow: table 0x491ef1f8, hash 36516(0xffff), sa e.f.g.h, da a.b.c.d, sp 64464, dp 16875, proto 50, tok 7
May 8 09:26:32 09:26:31.534228:CID-1:RT: flow got session.
May 8 09:26:32 09:26:31.534228:CID-1:RT: flow session id 20459
May 8 09:26:32 09:26:31.534228:CID-1:RT: flow_decrypt: tun 4cca38b8(flag 8a), iif 67
May 8 09:26:32 09:26:31.534228:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 09:26:32 09:26:32.542209:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:32 09:26:32.542209:CID-1:RT:packet [160] ipid = 59560, @42370d9c
May 8 09:26:32 09:26:32.542209:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x42370b80, rtbl_idx = 0
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow process pak fast ifl 67 in_ifp reth0.0
May 8 09:26:32 09:26:32.542209:CID-1:RT: reth0.0:e.f.g.h/4500->a.b.c.d/4500, udp
May 8 09:26:32 09:26:32.542209:CID-1:RT: find flow: table 0x491ef1f8, hash 49795(0xffff), sa e.f.g.h, da a.b.c.d, sp 4500, dp 4500, proto 17, tok 7
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow got session.
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow session id 99003
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow_decrypt: tun 4ee324b8(flag 10), iif 67
May 8 09:26:32 09:26:32.542209:CID-1:RT:dec vector=83bd0d8.
May 8 09:26:32 09:26:32.542209:CID-1:RT:In natt_decap Completed NATT decap
May 8 09:26:32 09:26:32.542209:CID-1:RT:In natt_decap After NATT decap, pak_ptr->src=e.f.g.h and pak_ptr->dst = a.b.c.d
May 8 09:26:32 09:26:32.542209:CID-1:RT:dec vector=83bd0d8. rc 0x0
May 8 09:26:32 09:26:32.542209:CID-1:RT: reth0.0:e.f.g.h->a.b.c.d, 50
May 8 09:26:32 09:26:32.542209:CID-1:RT: find flow: table 0x491ef1f8, hash 36516(0xffff), sa e.f.g.h, da a.b.c.d, sp 64464, dp 16875, proto 50, tok 7
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow got session.
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow session id 20459
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow_decrypt: tun 4cca38b8(flag 8a), iif 67
May 8 09:26:32 09:26:32.542209:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 09:26:33 09:26:33.550175:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:33 09:26:33.550175:CID-1:RT:packet [160] ipid = 59711, @4238839c
May 8 09:26:33 09:26:33.550175:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x42388180, rtbl_idx = 0
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow process pak fast ifl 67 in_ifp reth0.0
May 8 09:26:33 09:26:33.550175:CID-1:RT: reth0.0:e.f.g.h/4500->a.b.c.d/4500, udp
May 8 09:26:33 09:26:33.550175:CID-1:RT: find flow: table 0x491ef1f8, hash 49795(0xffff), sa e.f.g.h, da a.b.c.d, sp 4500, dp 4500, proto 17, tok 7
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow got session.
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow session id 99003
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow_decrypt: tun 4ee324b8(flag 10), iif 67
May 8 09:26:33 09:26:33.550175:CID-1:RT:dec vector=83bd0d8.
May 8 09:26:33 09:26:33.550175:CID-1:RT:In natt_decap Completed NATT decap
May 8 09:26:33 09:26:33.550175:CID-1:RT:In natt_decap After NATT decap, pak_ptr->src=e.f.g.h and pak_ptr->dst = a.b.c.d
May 8 09:26:33 09:26:33.550175:CID-1:RT:dec vector=83bd0d8. rc 0x0
May 8 09:26:33 09:26:33.550175:CID-1:RT: reth0.0:e.f.g.h->a.b.c.d, 50
May 8 09:26:33 09:26:33.550175:CID-1:RT: find flow: table 0x491ef1f8, hash 36516(0xffff), sa e.f.g.h, da a.b.c.d, sp 64464, dp 16875, proto 50, tok 7
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow got session.
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow session id 20459
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow_decrypt: tun 4cca38b8(flag 8a), iif 67
May 8 09:26:33 09:26:33.550175:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 09:26:33 09:26:33.944179:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:33 09:26:33.944246:CID-1:RT:packet [29] ipid = 24964, @423b3c9c
May 8 09:26:33 09:26:33.944246:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x423b3a80, rtbl_idx = 0
May 8 09:26:33 09:26:33.944246:CID-1:RT: flow process pak fast ifl 67 in_ifp reth0.0
May 8 09:26:33 09:26:33.944246:CID-1:RT: reth0.0:e.f.g.h/4500->a.b.c.d/4500, udp
May 8 09:26:33 09:26:33.944320:CID-1:RT: find flow: table 0x491ef1f8, hash 49795(0xffff), sa e.f.g.h, da a.b.c.d, sp 4500, dp 4500, proto 17, tok 7
May 8 09:26:33 09:26:33.944381:CID-1:RT: flow got session.
May 8 09:26:33 09:26:33.944381:CID-1:RT: flow session id 99003
May 8 09:26:33 09:26:33.944381:CID-1:RT: flow_decrypt: tun 4ee324b8(flag 10), iif 67
May 8 09:26:33 09:26:33.944381:CID-1:RT:dec vector=83bd0d8.
May 8 09:26:33 09:26:33.944381:CID-1:RT:dec vector=83bd0d8. rc 0xffffffff
May 8 09:26:33 09:26:33.944443:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:33 09:26:33.944443:CID-1:RT:packet [29] ipid = 24964, @423b3c9c
May 8 09:26:33 09:26:33.944496:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
So it looks like the packets are received at the SRX end, and it shows "flow_decrypt tun ..." and then that's it?
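Added example, not part of the post: a small Python triage script for the basic-datapath trace format shown above. It groups the trace into one record per packet, keyed on the ipid and mbuf address from the "packet [N] ipid = ..., @..." line so the re-logged header of the 29-byte packet does not become a second packet, and reports each packet's NAT-T decap, decrypt rc and final flow rc. The sample trace is constructed, and the rule that a 29-byte UDP/4500 datagram is a NAT-T keepalive (20-byte IP + 8-byte UDP + one 0xFF byte) is my interpretation, not something the post states.

```python
import re

# Constructed, abridged sample in the format of the SRX basic-datapath trace quoted in the
# post (a.b.c.d / e.f.g.h are the post's placeholders); the 29-byte packet's header is logged twice.
SAMPLE_TRACE = """\
May 8 09:26:32 09:26:32.542209:CID-1:RT:packet [160] ipid = 59560, @42370d9c
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow session id 99003
May 8 09:26:32 09:26:32.542209:CID-1:RT:In natt_decap Completed NATT decap
May 8 09:26:32 09:26:32.542209:CID-1:RT:dec vector=83bd0d8. rc 0x0
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow session id 20459
May 8 09:26:32 09:26:32.542209:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 09:26:33 09:26:33.944246:CID-1:RT:packet [29] ipid = 24964, @423b3c9c
May 8 09:26:33 09:26:33.944381:CID-1:RT:dec vector=83bd0d8. rc 0xffffffff
May 8 09:26:33 09:26:33.944443:CID-1:RT:packet [29] ipid = 24964, @423b3c9c
May 8 09:26:33 09:26:33.944496:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""
PKT_HDR = re.compile(r"packet \[(\d+)\] ipid = (\d+), @(\w+)")
SESSION = re.compile(r"flow session id (\d+)")
DEC_RC = re.compile(r"dec vector=\w+\. rc (0x[0-9a-f]+)")
FINAL_RC = re.compile(r"flow_process_pkt rc (0x[0-9a-f]+)")
NATT_KEEPALIVE_LEN = 29  # assumed: 20-byte IP + 8-byte UDP + the single 0xFF NAT-T keepalive byte

def parse_trace(text):
    """One record per packet, keyed on (ipid, mbuf address): a re-logged header extends the record."""
    packets, current = [], None
    for line in text.splitlines():
        if m := PKT_HDR.search(line):
            key = (int(m.group(2)), m.group(3))
            if current is None or current["key"] != key:
                current = {"key": key, "length": int(m.group(1)), "sessions": [],
                           "natt_decap": False, "dec_rc": None, "final_rc": None}
                packets.append(current)
        elif current is None:
            continue  # lines before the first header (the post's trace starts mid-packet)
        elif m := SESSION.search(line):
            current["sessions"].append(int(m.group(1)))
        elif "natt_decap" in line:
            current["natt_decap"] = True
        elif m := DEC_RC.search(line):
            current["dec_rc"] = m.group(1)
        elif m := FINAL_RC.search(line):
            current["final_rc"] = m.group(1)
    return packets

def classify(pkt):
    """Assumed: a 29-byte UDP/4500 datagram is a NAT-T keepalive, so its failed decrypt is expected."""
    if pkt["length"] == NATT_KEEPALIVE_LEN:
        return "natt-keepalive"
    if pkt["dec_rc"] == "0x0":
        return "esp-decrypted"
    return "esp-decrypt-failed" if pkt["dec_rc"] else "no-decrypt-attempt"
```

Run it over the output of `show log tshoot_ipsec`; the packets worth attention are the ones classified as esp-decrypt-failed, not the keepalives.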