SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Is it possible to use address-sets in policy based VPNs?

    Posted 07-23-2011 17:13

    I tried to do this, but the peer is reporting that the SRX is proposing 0.0.0.0/0.  This seems consistent with what I see in the log (but then again, I am not sure how to read this):

    Jul 23 23:40:28 Phase-2 [initiator] failed with error(Invalid ID information) for p1_local=ipv4(udp:500,[0..3]=x.x.x.70) p1_remote=ipv4(udp:500,[0..3]=x.x.x.140) p2_local=ipv4_subnet(any:0,[0..7]=0.0.0.0/0) p2_remote=ipv4_subnet(any:0,[0..7]=192.168.172.0/25)


    security-zone trust {
        address-book {
            address net-cfgr_192-168-70-0--24 192.168.70.0/24;
            address accounting 10.20.30.0/28;
            address-set accounting-net {
                address accounting;
                address net-cfgr_192-168-70-0--24;
            }
        }
    }

    security-zone untrust {
        address-book {
            address net-cfgr_192-168-172-0--25 192.168.172.0/25;
        }
    }

    from-zone trust to-zone untrust {
        policy vpnpolicy-trust-untrust-cfgr {
            match {
                source-address accounting-net;
                destination-address net-cfgr_192-168-172-0--25;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn ipsec-vpn-cfgr;
                        pair-policy vpnpolicy-untrust-trust-cfgr;
                    }
                }
            }
        }
    }

    from-zone untrust to-zone trust {
        policy vpnpolicy-untrust-trust-cfgr {
            match {
                source-address net-cfgr_192-168-172-0--25;
                destination-address accounting-net;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn ipsec-vpn-cfgr;
                        pair-policy vpnpolicy-trust-untrust-cfgr;
                    }
                }
            }
        }
    }



  • 2.  RE: Is it possible to use address-sets in policy based VPNs?
    Best Answer

    Posted 07-24-2011 00:36

    Hi

    This is normal. SRX currently supports only one proxy-id for each phase2, so if
    you specify an address set in a policy, it will always use "any"=0.0.0.0 (same if
    you use multiple applications in the same policy, it will be "any"). Note
    that it is just proxy-id = any; your policies will use whatever addresses or
    address-sets you configured, so traffic will be processed as you would normally
    expect.

    If you want to have several phase2 tunnels, just create several policies,
    each with 1 src, 1 dst, 1 application.

    Anyway, for your tunnel to work, proxy-ids must "match" on both sides (local=remote,
    same application). If you can't make it work, let us see other tunnel end's
    config.

    Please tell me if this answers your question.



  • 3.  RE: Is it possible to use address-sets in policy based VPNs?

    Posted 07-24-2011 04:38

    Thank you for your reply.

     

    I was able to bring up the tunnel by creating a security policy for each pair of remote/local networks.  A little bit clunky, but if it works it works (I have not been able to fully test yet).

     

    The other side is not a Juniper.  I tried to put in 0.0.0.0/0 but it complained because this address overlapped with other VPNs' destination networks.

     

    (After thinking about it a little bit, the only function agreeing on the destination network really offers is a little added security, as a would-be intruder would need to know what addresses to use.  But if they were able to figure out your pre-shared key, odds are they will be able to figure out the networks too...)



  • 4.  RE: Is it possible to use address-sets in policy based VPNs?

    Posted 07-24-2011 08:46

    You can manually configure the Proxy-ID so it is not derived from the address-set.  You will do this for the respective VPN which is causing you issues, under the [edit security ipsec vpn vpn-name ike] stanza within the configuration.

     

    The syntax of the configuration takes the following form:

     

    security ipsec vpn vpn-name ike proxy-identity local ipv4-prefix
    security ipsec vpn vpn-name ike proxy-identity remote ipv4-prefix
    security ipsec vpn vpn-name ike proxy-identity service service-name

     

    HTHs.
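The following is an added example, not code from this thread or from Juniper. It models the proxy-ID behaviour the best answer describes (one proxy-ID per phase 2; an address-set or more than one application collapses it to "any"), applies the "local=remote, same application" matching rule, generates the per-pair policies from the workaround, reports the overlap problem the original poster hit on the non-Juniper peer, and emits the manual proxy-identity statements from the last reply. The Policy class, the function names, the peer's expected proxy-ID and the extra VPN prefixes are assumptions constructed for the example; the network values are the ones from the thread.

```python
# Added example: a model of the proxy-ID rules described in this thread plus
# the pre-flight checks a practitioner would run before bringing up a
# policy-based VPN. Derivation rules, the matching rule and the proxy-identity
# syntax come from the thread; the Policy class, function names and the peer
# sample values are assumptions made for this example.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY_PREFIX = "0.0.0.0/0"
ANY_SERVICE = "any"


@dataclass
class Policy:
    name: str
    source: List[str]                 # several entries model an address-set
    destination: List[str]
    applications: List[str] = field(default_factory=lambda: [ANY_SERVICE])
    proxy_identity: Optional[Dict[str, str]] = None   # manual override (post 4)


def net(prefix: str) -> ipaddress.IPv4Network:
    """Parse a prefix, rejecting typos early; strict=False tolerates host bits."""
    return ipaddress.ip_network(prefix, strict=False)


def derive_proxy_id(policy: Policy) -> Tuple[str, str, str]:
    """Return (local, remote, service) the SRX would propose for one policy.
    Per the best answer: an address-set (modelled as a multi-member list)
    collapses to 0.0.0.0/0 and more than one application collapses to 'any'.
    A manually configured proxy-identity takes precedence."""
    if policy.proxy_identity:
        p = policy.proxy_identity
        return (str(net(p["local"])), str(net(p["remote"])), p.get("service", ANY_SERVICE))
    local = policy.source[0] if len(policy.source) == 1 else ANY_PREFIX
    remote = policy.destination[0] if len(policy.destination) == 1 else ANY_PREFIX
    service = policy.applications[0] if len(policy.applications) == 1 else ANY_SERVICE
    return (str(net(local)), str(net(remote)), service)


def proxy_ids_match(ours: Tuple[str, str, str], peers: Tuple[str, str, str]) -> bool:
    """Phase 2 only completes when our local equals the peer's remote, our
    remote equals the peer's local, and the service is the same."""
    return (net(ours[0]) == net(peers[1])
            and net(ours[1]) == net(peers[0])
            and ours[2] == peers[2])


def split_into_pair_policies(policy: Policy) -> List[Policy]:
    """The workaround from the best answer: one policy per
    (source, destination, application) so each gets its own phase 2."""
    return [
        Policy(f"{policy.name}-{i}-{j}-{k}", [s], [d], [a])
        for i, s in enumerate(policy.source)
        for j, d in enumerate(policy.destination)
        for k, a in enumerate(policy.applications)
    ]


def overlapping_remote_prefixes(candidate: str, existing: List[str]) -> List[str]:
    """Post 3: the non-Juniper peer refused 0.0.0.0/0 because it overlapped other
    VPNs' destination networks. Report which existing prefixes a candidate hits."""
    c = net(candidate)
    return [p for p in existing if c.overlaps(net(p))]


def proxy_identity_commands(vpn_name: str, local: str, remote: str, service: str) -> List[str]:
    """The manual proxy-identity statements from post 4, in 'set' form."""
    base = f"set security ipsec vpn {vpn_name} ike proxy-identity"
    return [f"{base} local {local}", f"{base} remote {remote}", f"{base} service {service}"]


if __name__ == "__main__":
    # The thread's policy: address-set accounting-net -> 192.168.172.0/25
    policy = Policy("vpnpolicy-trust-untrust-cfgr",
                    ["10.20.30.0/28", "192.168.70.0/24"], ["192.168.172.0/25"])
    ours = derive_proxy_id(policy)
    print("SRX proposes:", ours)          # ('0.0.0.0/0', '192.168.172.0/25', 'any')
    # Constructed peer side: it expects the accounting subnet, not 'any'.
    peer = ("192.168.172.0/25", "10.20.30.0/28", "any")
    print("matches peer:", proxy_ids_match(ours, peer))   # False
    for p in split_into_pair_policies(policy):
        pid = derive_proxy_id(p)
        print(p.name, pid, "matches peer:", proxy_ids_match(pid, peer))
    # Constructed list of other VPNs' destination networks on the peer
    print(overlapping_remote_prefixes("0.0.0.0/0", ["10.20.30.0/28", "172.16.5.0/24"]))
    for line in proxy_identity_commands("ipsec-vpn-cfgr", "10.20.30.0/28",
                                        "192.168.172.0/25", "any"):
        print(line)
```

Run it as a script to see the mismatch the original log line reports (local 0.0.0.0/0 against the peer's expected subnet), the two per-pair policies that fix it, and the set commands for the manual proxy-identity alternative. Comparing prefixes as ipaddress objects rather than strings avoids false mismatches from host bits or differently written masks.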