SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Juniper - Cisco IPIP tunnel over IPSEC transport

  • 1.  Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-12-2013 02:46

    I have some installations of Cisco and Mikrotik with IPIP tunnels between them.

     

    Cisco with the following config:

    crypto isakmp key 111111 address 109.126.111.111 no-xauth
    crypto isakmp fragmentation
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 30
    !
    crypto ipsec transform-set dns-transform esp-3des esp-md5-hmac
     mode transport require
    crypto ipsec df-bit clear
    !
    crypto ipsec profile dns-ipsec
     set transform-set dns-transform
    !
    interface Tunnel10302
     ip address 172.23.0.6 255.255.255.252
     ip access-group DMZ_IN in
     ip access-group DMZ_OUT out
     ip mtu 1450
     ip ospf network point-to-point
     ip ospf cost 10
     ip ospf flood-reduction
     ip ospf mtu-ignore
     tunnel source 213.85.222.222
     tunnel mode ipip
     tunnel destination 109.126.111.111
     tunnel protection ipsec profile dns-ipsec   ! disabled
    !

     

    Now I need to add a Juniper SRX650 to my network.

    I made the following config:

     

    interfaces {
        ge-0/0/0 {
            unit 0;
        }
        ip-0/0/0 {
            unit 1030 {
                tunnel {
                    source 109.126.111.111;
                    destination 213.85.222.222;
                    path-mtu-discovery;
                }
                family inet {
                    address 172.23.0.5/30;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet;
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet;
            }
        }
        ge-0/0/3 {
            vlan-tagging;
            unit 600 {
                vlan-id 600;
                family inet {
                    address 109.126.111.111/28;
                }
            }
        }
    }

     

    and I get bidirectional connectivity over the IPIP tunnel:

    mistiq> ping 172.23.0.6
    PING 172.23.0.6 (172.23.0.6): 56 data bytes
    64 bytes from 172.23.0.6: icmp_seq=0 ttl=64 time=131.453 ms

     

    How can I set up IPsec on Junos in transport (?!) mode?

    All the docs I find in the KB talk about IPsec in tunnel mode over the st0 interface.

    The problem is that I have src = sa-src = 109.126.111.111 and dst = sa-dst = 213.85.222.222 (transport mode).

    Can anybody help me?
    Thanks for any advice!



  • 2.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-12-2013 02:51

    Some update: I have OSPF routing inside the IPIP tunnel and do not need static routes.

    State of the IPIP tunnel:

    Logical interface ip-0/0/0.1030 (Index 76) (SNMP ifIndex 529)
      Flags: Point-To-Point SNMP-Traps 0x0 IP-Header 213.85.222.222:109.126.111.111:4:df:64:00000000 Encapsulation: IPIP-NULL
      Input packets : 1749
      Output packets: 29
      Security: Zone: trust
      Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
      ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
      ntp sip r2cp
      Protocol inet, MTU: 1480
        Flags: Sendbcast-pkt-to-re
        Addresses, Flags: Is-Preferred Is-Primary
          Destination: 172.23.0.4/30, Local: 172.23.0.5

     



  • 3.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-12-2013 20:41

    Hi Mistiq,

     

    The SRX only supports tunnel mode, I'm afraid.



  • 4.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-12-2013 20:57

    Thanks! OK, what can I do to solve my problem?

    I need a secure VPN between Cisco, Juniper and Mikrotik with OSPF routing over it.

    Problems:

    1) Mikrotik doesn't support LSA refresh over sham links.

    2) Mikrotik doesn't support creation of virtual IPsec tunnels, hence doesn't support OSPF timers.

    3) I have a trunk with some VLANs on the GE interface, but when I try to assign the public IP to the loopback it does not work:

    set interfaces lo0 unit 0 family inet address 109.126.111.111/32

    can't reach the default gateway behind VLAN 600.

    4) When I try to switch ge-0/0/2 into L2 mode (and physically move the WAN uplink to it):

    [edit interfaces ge-0/0/2 unit 0]
      'family'
        Ethernet-switching family not allowed on srx650:On-board Gig-E

    Is it possible to make a secure VPN with OSPF in my situation?

     



  • 5.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-13-2013 04:37


    Without knowing all of your topology it's hard to say, but with regards to the loopback issue you mention, have you assigned the loopback interface to a security zone? You will require this if you are to source traffic from it.

     

    I'm not sure what you mean in 2: what do virtual IPsec tunnels mean with regards to OSPF timers? Do you mean Mikrotik doesn't support "route-based" VPN, in Juniper terminology?



  • 6.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-13-2013 05:47

    Topology in a simple example:

                                             tunnel1 OSPF cost 10 (Area0)

    area1 -- (J SRX)=== ============== ==================(Mikrotik rou) -- area2

                                             tunnel2 OSPF cost 40 (Area0)

    Between the Juniper and the Mikrotik there are two IPIP or GRE tunnels (main and backup) over different ISPs.

    Now the Juniper has one ISP connection and one public IP (the endpoint of the tunnel interface).

    The Mikrotik has two ISP connections and two public IPs.

    I need to secure both tunnels.

    The Knowledge Base mentions that the SRX can't have two encapsulations (IPsec + GRE) on a physical interface, i.e. GE.

    The GRE tunnel requires some private IP on the loopback (lo0) as the tunnel source address.

    I can make a static route to the tunnel's (private) destination address over st0, and the destination is reachable.

    But the Mikrotik doesn't have a virtual IPsec interface like st0, and I can't make a route to the IP on lo0 (the Juniper's tunnel source), so it can't be reachable.

    Or have I misunderstood this?

     



  • 7.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-14-2013 01:31

    OK! I solved the first problem with double encapsulation on the physical interface.

    I have PI space and assigned a PI address on lo0.

     

    Here is my config:

     

    version 11.2R4.3;
    system {
    }
    interfaces {
        gr-0/0/0 {
            unit 10302 {
                clear-dont-fragment-bit;
                tunnel {
                    source 194.1.444.444;        ## my PI address
                    destination 213.85.222.222;  ## Mikrotik address
                    allow-fragmentation;
                }
                family inet {
                    mtu 1476;
                    address 172.23.0.5/30;
                }
            }
        }
        ge-0/0/3 {
            vlan-tagging;
            unit 71 {
                vlan-id 71;
                family inet {
                    address 172.20.3.253/30;
                }
            }
            unit 73 {
                vlan-id 73;
                family inet {
                    address 172.20.3.69/30;
                }
            }
            unit 600 {
                vlan-id 600;
                family inet {
                    address 109.126.111.111/28 {
                        primary;
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 194.1.444.444/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
    }
    routing-options {
        graceful-restart;
        static {
            route 10.0.29.0/24 next-hop 172.20.3.254;
            route 0.0.0.0/0 next-hop 109.126.111.123;
            route 194.1.444.0/24 discard;
            route 213.85.222.222/32 next-hop st0.0;
        }
        router-id 172.20.3.253;
        autonomous-system 12345;
    }
    protocols {
        bgp {
            group eBGP-ISP {
                description "ISP Peer";
                multihop;
                preference 20;
                local-address 109.126.111.111;
                export our-network;
                peer-as 54321;
                local-as 12345;
                neighbor 109.126.111.123 {
                    graceful-restart;
                }
                neighbor 109.126.1.123;
            }
        }
        ospf {
            area 10.0.1.0 {
                interface ge-0/0/3.71 {
                    hello-interval 5;
                    dead-interval 10;
                }
            }
        }
    }
    policy-options {
        policy-statement defaut {
            then reject;
        }
        policy-statement our-network {
            from {
                route-filter 194.1.444.0/24 exact;
            }
            then accept;
        }
    }
    security {
        ike {
            traceoptions {
                file vpn-debug-ike;
                flag all;
            }
            respond-bad-spi 20;
            proposal IKE-PROP-DNS {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 500;
            }
            policy ike-pol {
                mode main;
                proposals IKE-PROP-DNS;
                pre-shared-key ascii-text "$9$FAwxnApuO1RSrCAwewesdswexNVwg4n/9AO1hSr"; ## SECRET-DATA
            }
            gateway msk-mt2 {
                ike-policy ike-pol;
                address 213.85.222.222;
                external-interface ge-0/0/3.600;
            }
        }
        ipsec {
            proposal DNS-PROP {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 500;
            }
            policy ipsec-pol {
                proposals DNS-PROP;
            }
            vpn vpn1 {
                bind-interface st0.10302;
                ike {
                    gateway msk-mt2;
                    proxy-identity {
                        local 194.1.444.444/32;
                        remote 213.85.222.222/32;
                    }
                    ipsec-policy ipsec-pol;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        traceoptions {
            file secur;
            flag all;
        }
        zones {
            security-zone trust {
                address-book {
                    address 194.1.444.444 194.1.444.444/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                    ge-0/0/3.71 {
                        host-inbound-traffic {
                            protocols {
                                ospf;
                            }
                        }
                    }
                    ge-0/0/3.73;
                    ge-0/0/3.600;
                    lo0.0;
                    gr-0/0/0.10302;
                    st0.10302;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    ge-0/0/2.0;
                }
            }
        }
    }
    vlans {
        vlan-600 {
            vlan-id 600;
        }
        vlan-71 {
            vlan-id 71;
        }
        vlan-73 {
            vlan-id 73;
        }
    }

     

     

     

    On the Mikrotik side:

    ip ipsec policy:

    src-address=213.85.222.222/32 src-port=any dst-address=194.1.444.444/32
    dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
    tunnel=yes sa-src-address=213.85.222.222 sa-dst-address=194.1.444.444
    proposal=TEST priority=0

    Peer:

    address=194.1.444.444/32 port=500 auth-method=pre-shared-key
    secret="KEY" generate-policy=no exchange-mode=main
    send-initial-contact=yes nat-traversal=no my-id-user-fqdn=""
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
    dh-group=modp1024 lifetime=8m20s lifebytes=0 dpd-interval=disable-dpd
    dpd-maximum-failures=1

    Proposal:

    name="TEST" auth-algorithms=md5 enc-algorithms=3des lifetime=30m
    pfs-group=none

     

     

    And I can see errors in the log:

    SRX650_1% tail -f /var/log/vpn-debug-ike
    Mar 14 17:35:30 ike_st_i_cert: Start
    Mar 14 17:35:30 ike_st_i_private: Start
    Mar 14 17:35:30 ike_st_o_sa_values: Start
    Mar 14 17:35:30 194.1.444.444:500 (Responder) <-> 213.85.222.222:500 { b40004e9 69bca3fe - 4be3d9f7 7c4124a9 [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    Mar 14 17:35:30 ike_alloc_negotiation: Start, SA = { b40004e9 69bca3fe - 4be3d9f7 7c4124a9}
    Mar 14 17:35:30 ike_encode_packet: Start, SA = { 0xb40004e9 69bca3fe - 4be3d9f7 7c4124a9 } / 58b3b068, nego = 0
    Mar 14 17:35:30 ike_send_packet: Start, send SA = { b40004e9 69bca3fe - 4be3d9f7 7c4124a9}, nego = 0, src=194.1.444.444:500, dst = 213.85.222.222:500, routing table id = 0
    Mar 14 17:35:30 ike_delete_negotiation: Start, SA = { b40004e9 69bca3fe - 4be3d9f7 7c4124a9}, nego = 0
    Mar 14 17:35:30 ike_free_negotiation_info: Start, nego = 0
    Mar 14 17:35:30 ike_free_negotiation: Start, nego = 0
    Mar 14 17:35:40 ike_get_sa: Start, SA = { b40004e9 69bca3fe - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:35:54 ike_get_sa: Start, SA = { f49089c7 1e60f16f - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:35:54 ike_sa_allocate: Start, SA = { f49089c7 1e60f16f - 8a22d76f b0cb518e }
    Mar 14 17:35:54 ike_init_isakmp_sa: Start, remote = 213.85.222.222:500, initiator = 0
    Mar 14 17:35:54 ike_decode_packet: Start
    Mar 14 17:35:54 ike_decode_packet: Start, SA = { f49089c7 1e60f16f - 8a22d76f b0cb518e} / 00000000, nego = -1
    Mar 14 17:35:54 ike_decode_payload_sa: Start
    Mar 14 17:35:54 ike_decode_payload_t: Start, # trans = 1
    Mar 14 17:35:54 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Mar 14 17:35:54 The remote server at 213.85.222.222:500 is 'draft-ietf-ipsec-dpd-00.txt'
    Mar 14 17:35:54 Not setting PMDATA_PEER_IS_OURS for 213.85.222.222
    Mar 14 17:35:54 ike_st_i_sa_proposal: Start
    Mar 14 17:35:54 Local dest IP: ipv4(any:0,[0..3]=194.1.444.444)
    Mar 14 17:35:54 Unable to find ike gateway as remote peer:213.85.222.222 is not recognized.
    Mar 14 17:35:54 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=194.1.444.444) p1_remote=ipv4(any:0,[0..3]=213.85.222.222)
    Mar 14 17:35:54 ike_isakmp_sa_reply: Start
    Mar 14 17:35:54 ike_st_i_cr: Start
    Mar 14 17:35:54 ike_st_i_cert: Start
    Mar 14 17:35:54 ike_st_i_private: Start
    Mar 14 17:35:54 ike_st_o_sa_values: Start
    Mar 14 17:35:54 194.1.444.444:500 (Responder) <-> 213.85.222.222:500 { f49089c7 1e60f16f - 8a22d76f b0cb518e [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    Mar 14 17:35:54 ike_alloc_negotiation: Start, SA = { f49089c7 1e60f16f - 8a22d76f b0cb518e}
    Mar 14 17:35:54 ike_encode_packet: Start, SA = { 0xf49089c7 1e60f16f - 8a22d76f b0cb518e } / fc182401, nego = 0
    Mar 14 17:35:54 ike_send_packet: Start, send SA = { f49089c7 1e60f16f - 8a22d76f b0cb518e}, nego = 0, src=194.1.444.444:500, dst = 213.85.222.222:500, routing table id = 0
    Mar 14 17:35:54 ike_delete_negotiation: Start, SA = { f49089c7 1e60f16f - 8a22d76f b0cb518e}, nego = 0
    Mar 14 17:35:54 ike_free_negotiation_info: Start, nego = 0
    Mar 14 17:35:54 ike_free_negotiation: Start, nego = 0
    Mar 14 17:36:04 ike_get_sa: Start, SA = { f49089c7 1e60f16f - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:36:14 ike_get_sa: Start, SA = { f49089c7 1e60f16f - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:36:24 ike_get_sa: Start, SA = { f49089c7 1e60f16f - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:36:34 ike_get_sa: Start, SA = { f49089c7 1e60f16f - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:36:44 ike_get_sa: Start, SA = { f49089c7 1e60f16f - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:36:56 ike_get_sa: Start, SA = { 43dbd9e3 7958a462 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:36:56 ike_sa_allocate: Start, SA = { 43dbd9e3 7958a462 - 26041e5d 8d2e8e49 }
    Mar 14 17:36:56 ike_init_isakmp_sa: Start, remote = 213.85.222.222:500, initiator = 0
    Mar 14 17:36:56 ike_decode_packet: Start
    Mar 14 17:36:56 ike_decode_packet: Start, SA = { 43dbd9e3 7958a462 - 26041e5d 8d2e8e49} / 00000000, nego = -1
    Mar 14 17:36:56 ike_decode_payload_sa: Start
    Mar 14 17:36:56 ike_decode_payload_t: Start, # trans = 1
    Mar 14 17:36:56 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Mar 14 17:36:56 The remote server at 213.85.222.222:500 is 'draft-ietf-ipsec-dpd-00.txt'
    Mar 14 17:36:56 Not setting PMDATA_PEER_IS_OURS for 213.85.222.222
    Mar 14 17:36:56 ike_st_i_sa_proposal: Start
    Mar 14 17:36:56 Local dest IP: ipv4(any:0,[0..3]=194.1.444.444)
    Mar 14 17:36:56 Unable to find ike gateway as remote peer:213.85.222.222 is not recognized.
    Mar 14 17:36:56 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=194.1.444.444) p1_remote=ipv4(any:0,[0..3]=213.85.222.222)
    Mar 14 17:36:56 ike_isakmp_sa_reply: Start
    Mar 14 17:36:56 ike_st_i_cr: Start
    Mar 14 17:36:56 ike_st_i_cert: Start
    Mar 14 17:36:56 ike_st_i_private: Start
    Mar 14 17:36:56 ike_st_o_sa_values: Start
    Mar 14 17:36:56 194.1.444.444:500 (Responder) <-> 213.85.222.222:500 { 43dbd9e3 7958a462 - 26041e5d 8d2e8e49 [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    Mar 14 17:36:56 ike_alloc_negotiation: Start, SA = { 43dbd9e3 7958a462 - 26041e5d 8d2e8e49}
    Mar 14 17:36:56 ike_encode_packet: Start, SA = { 0x43dbd9e3 7958a462 - 26041e5d 8d2e8e49 } / 7333b661, nego = 0
    Mar 14 17:36:56 ike_send_packet: Start, send SA = { 43dbd9e3 7958a462 - 26041e5d 8d2e8e49}, nego = 0, src=194.1.444.444:500, dst = 213.85.222.222:500, routing table id = 0
    Mar 14 17:36:56 ike_delete_negotiation: Start, SA = { 43dbd9e3 7958a462 - 26041e5d 8d2e8e49}, nego = 0
    Mar 14 17:36:56 ike_free_negotiation_info: Start, nego = 0
    Mar 14 17:36:56 ike_free_negotiation: Start, nego = 0
    Mar 14 17:37:06 ike_get_sa: Start, SA = { 43dbd9e3 7958a462 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:37:16 ike_get_sa: Start, SA = { 43dbd9e3 7958a462 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:37:26 ike_get_sa: Start, SA = { 43dbd9e3 7958a462 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:37:36 ike_get_sa: Start, SA = { 43dbd9e3 7958a462 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:37:46 ike_get_sa: Start, SA = { 43dbd9e3 7958a462 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:38:00 ike_get_sa: Start, SA = { 9c50edbf 7bffac92 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:38:00 ike_sa_allocate: Start, SA = { 9c50edbf 7bffac92 - 054607ce c2818570 }
    Mar 14 17:38:00 ike_init_isakmp_sa: Start, remote = 213.85.222.222:500, initiator = 0
    Mar 14 17:38:00 ike_decode_packet: Start
    Mar 14 17:38:00 ike_decode_packet: Start, SA = { 9c50edbf 7bffac92 - 054607ce c2818570} / 00000000, nego = -1
    Mar 14 17:38:00 ike_decode_payload_sa: Start
    Mar 14 17:38:00 ike_decode_payload_t: Start, # trans = 1
    Mar 14 17:38:00 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Mar 14 17:38:00 The remote server at 213.85.222.222:500 is 'draft-ietf-ipsec-dpd-00.txt'
    Mar 14 17:38:00 Not setting PMDATA_PEER_IS_OURS for 213.85.222.222
    Mar 14 17:38:00 ike_st_i_sa_proposal: Start
    Mar 14 17:38:00 Local dest IP: ipv4(any:0,[0..3]=194.1.444.444)
    Mar 14 17:38:00 Unable to find ike gateway as remote peer:213.85.222.222 is not recognized.
    Mar 14 17:38:00 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=194.1.444.444) p1_remote=ipv4(any:0,[0..3]=213.85.222.222)
    Mar 14 17:38:00 ike_isakmp_sa_reply: Start
    Mar 14 17:38:00 ike_st_i_cr: Start
    Mar 14 17:38:00 ike_st_i_cert: Start
    Mar 14 17:38:00 ike_st_i_private: Start
    Mar 14 17:38:00 ike_st_o_sa_values: Start
    Mar 14 17:38:00 194.1.444.444:500 (Responder) <-> 213.85.222.222:500 { 9c50edbf 7bffac92 - 054607ce c2818570 [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    Mar 14 17:38:00 ike_alloc_negotiation: Start, SA = { 9c50edbf 7bffac92 - 054607ce c2818570}
    Mar 14 17:38:00 ike_encode_packet: Start, SA = { 0x9c50edbf 7bffac92 - 054607ce c2818570 } / d12e1745, nego = 0
    Mar 14 17:38:00 ike_send_packet: Start, send SA = { 9c50edbf 7bffac92 - 054607ce c2818570}, nego = 0, src=194.1.444.444:500, dst = 213.85.222.222:500, routing table id = 0
    Mar 14 17:38:00 ike_delete_negotiation: Start, SA = { 9c50edbf 7bffac92 - 054607ce c2818570}, nego = 0
    Mar 14 17:38:00 ike_free_negotiation_info: Start, nego = 0
    Mar 14 17:38:00 ike_free_negotiation: Start, nego = 0
    Mar 14 17:38:10 ike_get_sa: Start, SA = { 9c50edbf 7bffac92 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500
    Mar 14 17:38:20 ike_get_sa: Start, SA = { 9c50edbf 7bffac92 - 00000000 00000000 } / 00000000, remote = 213.85.222.222:500

    IKE status:

    SRX650_1> show security ike security-associations
    Index    State  Initiator cookie   Responder cookie   Mode  Remote Address
    6461643  DOWN   2a3cbbce31a042a0   0000000000000000   Main  213.85.222.222

    What am I doing wrong?

    Thanks!
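The trace above ends every exchange with "No proposal chosen (14)", but the line just before it, KMD_PM_P1_POLICY_LOOKUP_FAILURE, is where the negotiation actually dies: the responder could not find an IKE gateway for peer 213.85.222.222 on the address the packet arrived at (194.1.444.444). The Python script below is an added example, not code from this thread or from Juniper. It parses a constructed excerpt of the posted trace, reproduces the responder-side gateway match using the gateway and interface addresses transcribed from the SRX config above, and then compares the IKE and IPsec algorithms transcribed from the two posted configs. The IFACE_ADDR, GATEWAYS, SRX and MIKROTIK tables, the function names and the wording of the findings are the example's own.

```python
import re

# Constructed excerpt of the /var/log/vpn-debug-ike trace posted above (one negotiation).
TRACE = """\
Mar 14 17:35:54 ike_st_i_sa_proposal: Start
Mar 14 17:35:54 Local dest IP: ipv4(any:0,[0..3]=194.1.444.444)
Mar 14 17:35:54 Unable to find ike gateway as remote peer:213.85.222.222 is not recognized.
Mar 14 17:35:54 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=194.1.444.444) p1_remote=ipv4(any:0,[0..3]=213.85.222.222)
Mar 14 17:35:54 194.1.444.444:500 (Responder) <-> 213.85.222.222:500 { f49089c7 1e60f16f - 8a22d76f b0cb518e [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
"""

# SRX side, transcribed from the posted config (the table layout is this example's own):
# which address each interface owns, and which interface each IKE gateway is bound to.
IFACE_ADDR = {"ge-0/0/3.600": "109.126.111.111", "lo0.0": "194.1.444.444"}
GATEWAYS = {"msk-mt2": {"peer": "213.85.222.222", "external_interface": "ge-0/0/3.600"}}

# Algorithms from the posted SRX proposals (dh-group group2 is modp1024) and from the
# posted Mikrotik peer (Phase 1) and proposal TEST (Phase 2).
SRX = {"ike": {"auth": "md5", "enc": "3des", "dh": "modp1024"},
       "ipsec": {"auth": "sha1", "enc": "3des"}}
MIKROTIK = {"ike": {"auth": "sha1", "enc": "3des", "dh": "modp1024"},
            "ipsec": {"auth": "md5", "enc": "3des"}}

P1_FAIL = re.compile(
    r"KMD_PM_P1_POLICY_LOOKUP_FAILURE: .*?"
    r"p1_local=ipv4\([^=]*=([\d.]+)\) p1_remote=ipv4\([^=]*=([\d.]+)\)")


def phase1_lookup_failures(trace):
    """(local_ip, remote_ip) for every Phase-1 policy-lookup failure in the trace."""
    return [m.groups() for m in P1_FAIL.finditer(trace)]


def explain_p1_failure(local_ip, remote_ip, gateways=GATEWAYS, iface_addr=IFACE_ADDR):
    """Reproduce the responder's gateway match: the peer must belong to a gateway whose
    external-interface owns the local address the IKE packet was sent to."""
    for name, gw in gateways.items():
        if gw["peer"] != remote_ip:
            continue
        bound = iface_addr.get(gw["external_interface"])
        if bound == local_ip:
            return f"gateway {name} matches; check proposals and PSK next"
        return (f"gateway {name} knows peer {remote_ip} but is bound to "
                f"{gw['external_interface']} ({bound}), while the IKE packet was addressed "
                f"to {local_ip}: Phase-1 lookup cannot match. Point the peer at {bound} "
                f"or bind the gateway to the interface that owns {local_ip}.")
    return f"no gateway configured for peer {remote_ip}"


def proposal_mismatches(mine, theirs):
    """(phase, parameter, my_value, their_value) for every algorithm that differs."""
    out = []
    for phase in ("ike", "ipsec"):
        for key in sorted(set(mine[phase]) | set(theirs[phase])):
            if mine[phase].get(key) != theirs[phase].get(key):
                out.append((phase, key, mine[phase].get(key), theirs[phase].get(key)))
    return out


def triage(trace, mine=SRX, theirs=MIKROTIK):
    """Gateway findings first: in this trace the "No proposal chosen (14)" notify follows
    the lookup failure, so it is a symptom of that failure, not proof of an algorithm
    mismatch. The algorithm differences come after and will bite once the gateway matches."""
    findings = [f"phase1 lookup: {explain_p1_failure(loc, rem)}"
                for loc, rem in phase1_lookup_failures(trace)]
    for phase, key, a, b in proposal_mismatches(mine, theirs):
        findings.append(f"{phase} {key}: SRX={a} Mikrotik={b}")
    return findings


if __name__ == "__main__":
    for line in triage(TRACE):
        print(line)
```

Run against the real file with `triage(open("/var/log/vpn-debug-ike").read())` after filling IFACE_ADDR and GATEWAYS from `show configuration`. The two tables are deliberately separate from the log parser so the same script can be pointed at a different gateway set without touching the regex.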



  • 8.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-14-2013 04:11

     

    I think the problem is you are trying to source the IPsec tunnel from your loopback interface, when it's actually egressing via ge-0/0/3.600, so it will source from 109.126.111.111, which the Mikrotik should be pointed at as well.

    You will then also need to put ge-0/0/3.600 in the untrust zone too and make sure it can receive host-inbound-traffic system-service ike.

    As a side hint: if you click the Insert Code icon instead of the Insert Spoiler button when posting, your config will keep its indentation formatting; it's heaps easier to read 😉



  • 9.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-14-2013 04:49

    I started a sniffer on the Mikrotik WAN

    and see only packets with src=194.1.444.444 dst=213.85.111.111 proto 47 (GRE).

    Seems like IPsec encapsulation is not working, but I have no idea why.

    PS: When I disable IPsec encryption on both sides (i.e. delete routing-options static route 213.85.111.111/32 next-hop st0.0 on the Juniper and disable the IPsec policy on the Mikrotik), the GRE tunnel works perfectly.

    PPS: From the Juniper:

    root@SRX650_1% tcpdump -i ge-0/0/3.600 host 213.85.222.222
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.
    Listening on ge-0/0/3.600, capture size 96 bytes
    
    Reverse lookup for 213.85.222.222 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.
    
    19:54:17.540920  In IP 213.85.222.222.isakmp > 194.1.444.444.isakmp: isakmp: phase 1 I ident: [|sa]
    19:54:27.539505  In IP 213.85.222.222.isakmp > 194.1.444.444.isakmp: isakmp: phase 1 I ident: [|sa]
    19:54:37.545242  In IP 213.85.222.222.isakmp > 194.1.444.444.isakmp: isakmp: phase 1 I ident: [|sa]
    19:54:47.542296  In IP 213.85.222.222.isakmp > 194.1.444.444.isakmp: isakmp: phase 1 I ident: [|sa]
    19:54:57.615436  In IP 213.85.222.222.isakmp > 194.1.444.444.isakmp: isakmp: phase 1 I ident: [|sa]
    19:54:57.619961 Out IP truncated-ip - 80 bytes missing! 194.1.444.444.isakmp > 213.85.222.222.isakmp: [|isakmp]
    19:55:03.899490 Out IP truncated-ip - 58 bytes missing! 194.1.444.444 > 213.85.222.222: IP 172.23.0.5 > 172.23.0.6: [|icmp] (gre encap)
    19:55:04.906241 Out IP truncated-ip - 58 bytes missing! 194.1.444.444 > 213.85.222.222: IP 172.23.0.5 > 172.23.0.6: [|icmp] (gre encap)
    19:55:05.913314 Out IP truncated-ip - 58 bytes missing! 194.1.444.444 > 213.85.222.222: IP 172.23.0.5 > 172.23.0.6: [|icmp] (gre encap)
    19:55:06.920301 Out IP truncated-ip - 58 bytes missing! 194.1.444.444 > 213.85.222.222: IP 172.23.0.5 > 172.23.0.6: [|icmp] (gre encap)
    19:55:07.616541  In IP 213.85.222.222.isakmp > 194.1.444.444.isakmp: isakmp: phase 1 I ident: [|sa]
    19:55:07.930860 Out IP truncated-ip - 58 bytes missing! 194.1.444.444 > 213.85.222.222: IP 172.23.0.5 > 172.23.0.6: [|icmp] (gre encap)
    19:55:08.937500 Out IP truncated-ip - 58 bytes missing! 194.1.444.444 > 213.85.222.222: IP 172.23.0.5 > 172.23.0.6: [|icmp] (gre encap)
    19:55:09.944593 Out IP truncated-ip - 58 bytes missing! 194.1.444.444 > 213.85.222.222: IP 172.23.0.5 > 172.23.0.6: [|icmp] (gre encap)
    

     



  • 10.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport
    Best Answer

    Posted 03-14-2013 16:48

    I will try and diagram this a bit better, but the reason it's not working is you are trying to launch the tunnel from your loopback instead of the actual external interface on the SRX, and on the Mikrotik side, you are trying to terminate the GRE tunnel on the same IP address as the IPsec tunnel. On the SRX side, you need to set it up like this:

        lo0.0            ge-0/0/3.600    |           |   untrust
    194.1.444.444       109.126.111.111  |           |213.85.222.222
          |                    |         |           |     |
          |                    |         |           |     |
          |                    ===st0.0================vpn==
          |                              |           |     |
          ====gr-0/0/0.0===============================gre==
                                    SRX  |           |  Mikrotik
    _____________________________________|           |_______________

    You have correctly put a route in that says to send traffic to the GRE endpoint, next-hop st0.0, so the GRE goes OVER the IPsec tunnel and not directly via the internet. The problem you have though is that if you are terminating both the IPsec tunnel AND the GRE tunnel on the same IP on the Mikrotik, then this route will not work (because the route lookup for the tunnel endpoint 213.85.222.222 will have the next-hop of the tunnel which isn't up yet).

     

    I think you need to configure a loopback interface on the Mikrotik and source your GRE tunnel from that interface, and then have a next-hop for it on the SRX side via the st0.0 interface.

     

    Does this make sense?  Hopefully I've explained it properly.
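The route-lookup problem this answer describes can be checked mechanically before touching the boxes. The script below is an added example, not code from the thread: it models each tunnel interface as "route the inner packet, then route the tunnel's outer destination again", and reports when that recursion lands back on the same tunnel. The first table holds the routes and tunnel endpoints from the config posted in reply 7, where GRE and IPsec both terminate on 213.85.222.222 and a /32 for that address points into st0.0; the second uses separate endpoints as this answer recommends (the private 172.16.0.1/172.16.0.2 loopback pair that the reworked config later in the thread settles on). The route tables, the tunnel map, the function names and the ("egress"/"loop", path) return shape are the example's own.

```python
from ipaddress import ip_address, ip_network

# Route tables as [(prefix, next-hop interface)] and, per tunnel interface, the outer
# destination its encapsulated packets are sent to. Addresses transcribed from the
# thread's posted configs; data layout and function names are this example's own.

# Reply 7: GRE endpoint and IPsec peer are both 213.85.222.222, routed into st0.0.
ROUTES_POST7 = [("0.0.0.0/0", "ge-0/0/3.600"),
                ("213.85.222.222/32", "st0.0"),
                ("172.23.0.4/30", "gr-0/0/0.10302")]
TUNNELS_POST7 = {"gr-0/0/0.10302": "213.85.222.222",   # GRE outer destination
                 "st0.0": "213.85.222.222"}             # IPsec peer (ESP outer destination)

# Separate endpoints: GRE rides between private loopbacks 172.16.0.1 <-> 172.16.0.2,
# only the far loopback /32 goes into st0.0, and the IPsec peer stays on the public path.
ROUTES_SPLIT = [("0.0.0.0/0", "ge-0/0/3.600"),
                ("172.16.0.2/32", "st0.0"),
                ("172.23.0.11/32", "gr-0/0/0.10302")]
TUNNELS_SPLIT = {"gr-0/0/0.10302": "172.16.0.2",
                 "st0.0": "213.85.222.222"}


def lookup(routes, dst):
    """Longest-prefix match; returns the next-hop interface name."""
    dst = ip_address(dst)
    matches = [(ip_network(p), nh) for p, nh in routes if dst in ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def resolve(routes, tunnels, dst):
    """Route dst; if the egress is a tunnel, route that tunnel's outer destination, and
    so on until a physical interface is reached. Returns ("egress", path) when the outer
    packet leaves on a physical interface, or ("loop", path) when a tunnel's own outer
    packet is routed back into that tunnel; path lists the interfaces visited in order."""
    path, seen = [], set()
    while True:
        iface = lookup(routes, dst)
        path.append(iface)
        if iface not in tunnels:
            return "egress", path
        if iface in seen:
            return "loop", path
        seen.add(iface)
        dst = tunnels[iface]


if __name__ == "__main__":
    print("reply 7 :", resolve(ROUTES_POST7, TUNNELS_POST7, "172.23.0.6"))
    print("split   :", resolve(ROUTES_SPLIT, TUNNELS_SPLIT, "172.23.0.11"))
```

With the reply-7 table the inner ping to 172.23.0.6 goes into gr-0/0/0.10302, the GRE outer packet to 213.85.222.222 is routed into st0.0, and the ESP outer packet to the same 213.85.222.222 is routed into st0.0 again: the tunnel can never reach the wire, which is exactly why the sniffer in reply 9 only saw bare GRE once the /32 route was removed. With split endpoints the chain ends on ge-0/0/3.600.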

     



  • 11.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-14-2013 17:12

    Thanks for the answer!

    You drew the correct diagram of what I am trying to realise.

    But there are two problems there:

    1) On the Mikrotik I have a provider-assigned network (/30 for example) on the physical WAN interface, and I can't reassign the public IP to a loopback because I lose connectivity.

    2) If I use some private address as the source for the GRE tunnel on the Mikrotik, I can't create a route to the tunnel destination (the address on the Juniper) over "something", because Mikrotik does not have a virtual interface for IPsec (like st0 on the Juniper).

    A route like "routing-options static route 213.85.222.222/32 next-hop st0." is completely impossible on Mikrotik.



  • 12.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-14-2013 22:06

    OK, I fully modified my Juniper config:

    interfaces {
        ge-0/0/0 {
            unit 0;
        }
        gr-0/0/0 {
            unit 10302 {
                clear-dont-fragment-bit;
                tunnel {
                    source 172.16.0.1;
                    destination 172.16.0.2;
                    allow-fragmentation;
                }
                family inet {
                    mtu 1436;
                    address 172.23.0.10/31;
                }                           
            }
        }
        ge-0/0/3 {
            vlan-tagging;
            unit 600 {
                vlan-id 600;
                family inet {
                    address 109.126.111.111/28 {
                        primary;
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 172.16.0.1/24;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
    }
    routing-options {
        graceful-restart;
        static {
            route 10.0.29.0/24 next-hop 172.20.3.254;
            route 0.0.0.0/0 next-hop 109.126.111.123;
            route 194.1.240.0/24 discard;
            route 172.16.0.2/32 next-hop st0.0;
            route 172.23.0.11/32 next-hop gr-0/0/0.10302;
        }
        router-id 172.20.3.253;
    }
    security {
        ike {
            traceoptions {
                file vpn-debug-ike;
                flag all;
            }
            respond-bad-spi;
            proposal IKE-PROP-DNS {
                description DNS-IPSEC-Prop;
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 500;
            }
            policy ike-pol {
                mode main;
                proposals IKE-PROP-DNS;
                pre-shared-key ascii-text "KEY"; ## SECRET-DATA
            }
            gateway msk-mt2 {
                ike-policy ike-pol;
                address 213.85.222.222;
                no-nat-traversal;
                local-identity inet 109.126.111.111;
                external-interface ge-0/0/3.600;
            }
        }
        ipsec {
            proposal DNS-PROP {             
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 500;
            }
            policy ipsec-pol {
                proposals DNS-PROP;
            }
            vpn vpn1 {
                bind-interface st0.0;
                ike {
                    gateway msk-mt2;
                    proxy-identity {
                        local 172.16.0.1/32;
                        remote 172.16.0.2/32;
                        service any;
                    }
                    ipsec-policy ipsec-pol;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;             
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        traceoptions {
            file secur;
            flag all;
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                    ge-0/0/3.71 {
                        host-inbound-traffic {
                            protocols {
                                ospf;
                            }
                        }
                    }
                    ge-0/0/3.73;
                    lo0.0;
                    st0.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    ge-0/0/2.0;
                    ge-0/0/3.600;
                    gr-0/0/0.10302;
                }
            }
        }
    }
    vlans {
        vlan-600 {
            vlan-id 600;
        }                                   
        vlan-71 {
            vlan-id 71;
        }
        vlan-73 {
            vlan-id 73;
        }
    }
    
    [edit]

    IPsec is working:

    SRX650_1# run show security ike security-associations 
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    6462781 UP     4aa13822cef1af1e  27d215f5106e41ec  Main           213.85.222.222 
    
    SRX650_1# run show security ipsec security-associations  
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
      <131073 ESP:3des/md5  84a541e9 288/  unlim   -   root 500   213.85.222.222  
      >131073 ESP:3des/md5  24bb2e1  288/  unlim   -   root 500   213.85.222.222  
    

     

    I can ping everything except the tunnel IPs:


    myst@VL_SRX650_1# run ping 213.85.222.222 
    PING 213.85.222.222 (213.85.222.222): 56 data bytes
    64 bytes from 213.85.222.222: icmp_seq=0 ttl=54 time=120.096 ms
    ^C
    --- 213.85.222.222 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 120.096/120.096/120.096/0.000 ms
    
    [edit]
    myst@VL_SRX650_1# run ping 172.16.0.2        
    PING 172.16.0.2 (172.16.0.2): 56 data bytes
    64 bytes from 172.16.0.2: icmp_seq=0 ttl=64 time=116.688 ms
    ^C
    --- 172.16.0.2 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 116.688/116.688/116.688/0.000 ms
    
    [edit]
    myst@VL_SRX650_1# run ping 172.23.0.11   
    PING 172.23.0.11 (172.23.0.11): 56 data bytes
    ^C
    --- 172.23.0.11 ping statistics ---
    2 packets transmitted, 0 packets received, 100% packet loss
    
    [edit]


  • 13.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 03-14-2013 23:03

    Problem solved.

    I put interface gr-0/0/0.10302 into the untrust zone and set security to

     untrust host-inbound-traffic system-services all
     untrust host-inbound-traffic protocols all


    Thanks for all!
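As an added illustration (not part of the thread, and not the poster's final config): the same fix can be scoped to the tunnel interface instead of opening `all` system-services and protocols on the whole untrust zone. It assumes that only OSPF (the Cisco side runs `ip ospf network point-to-point` on the tunnel) and ping need to reach the SRX through gr-0/0/0.10302, and that the zone itself still only needs `ike` on the external interface; interface names and zone names are the ones from the post above.

```junos
security {
    zones {
        security-zone untrust {
            screen untrust-screen;
            /* Zone-wide: only IKE is needed on the external interface */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/3.600;
                /* Interface-level host-inbound-traffic for the IPIP tunnel:
                   ping for reachability tests, ospf for the adjacency with
                   the Cisco router. Assumed to be the only services needed. */
                gr-0/0/0.10302 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
    }
}
```

If the tunnel-facing ping still fails with this narrower setting, `run show security zones untrust` confirms which services and protocols are actually permitted per interface before widening to `all`.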



  • 14.  RE: Juniper - Cisco IPIP tunnel over IPSEC transport

    Posted 10-01-2015 01:46

    Hi Mistiq, I am dealing with the same problem. Could you please attach the Mikrotik configuration as well?


    Thanks a lot!