SRX Services Gateway
Visitor
Posts: 7
Registered: ‎03-23-2017
0 Kudos

Not working:Site-to-Site VPN with SRX300 and Vyatta behind NAT on the firewall

Hi, please can someone take a look and shed some light on why the SRX is not replying on port 4500 when the devices try to establish the VPN. Vyatta works perfectly with other devices that are behind NAT, and Juniper also works well with other parties, but not when it is behind NAT.

Here is the security flow:

In: y.y.y.y/4500 --> x.x.x.x/4500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 20398, Bytes: 7866950,
Out: x.x.x.x/4500 --> y.y.y.y/4500;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,

I don't see it sending on port 4500 in the debug log:

[Mar 23 20:00:37]ike_send_packet: <-------- sending SA = { b468f4c1 59eefb62 - 00000000 00000000}, len = 288, nego = -1, local ip= x.x.x.x, dst = y.y.y.y:500, routing table id = 0
[Mar 23 20:00:37]ike_send_packet: <-------- sending SA = { df86bb50 971495e5 - 00000000 00000000}, len = 288, nego = -1, local ip= x.x.x.x, dst = y.y.y.y:500, routing table id = 0

========================================

Here is also the security rule:

From zone: internet, To zone: junos-host
Policy: HOST-ACCESS, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: HOST-ACCESS
Destination addresses: any
Applications: snmp, junos-ssh, junos-ospf, junos-ike, junos-ike-nat, junos-https
Action: permit

Also, I can ping the remote VPN endpoints without problems.
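The two outputs quoted in this post already contain the diagnosis: the peer is sending to the SRX on UDP/4500 (the NAT-T port) and the session has an outbound wing with zero packets, while the IKE debug shows the SRX only ever sending to the peer on UDP/500. The following script is an added example, not part of the original post or of Junos itself: it parses both output formats and reports exactly that mismatch. The addresses in it are constructed placeholders standing in for x.x.x.x and y.y.y.y.

```python
import re

# Constructed sample input modelled on the "show security flow session" output
# quoted in the post; addresses are documentation placeholders, not real data.
FLOW_OUTPUT = """\
In: 203.0.113.10/4500 --> 198.51.100.5/4500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 20398, Bytes: 7866950,
Out: 198.51.100.5/4500 --> 203.0.113.10/4500;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0,
"""

# Constructed sample modelled on the ike_send_packet trace lines in the post.
IKE_DEBUG = """\
[Mar 23 20:00:37]ike_send_packet: <-------- sending SA = { b468f4c1 59eefb62 - 00000000 00000000}, len = 288, nego = -1, local ip= 198.51.100.5, dst = 203.0.113.10:500, routing table id = 0
[Mar 23 20:00:37]ike_send_packet: <-------- sending SA = { df86bb50 971495e5 - 00000000 00000000}, len = 288, nego = -1, local ip= 198.51.100.5, dst = 203.0.113.10:500, routing table id = 0
"""

# One wing of a flow session: direction, 5-tuple, and counters.
FLOW_RE = re.compile(
    r"^(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),"
    r".*?Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)

# The local/peer address and peer port the SRX actually sent an IKE packet to.
SEND_RE = re.compile(
    r"ike_send_packet:.*?local ip= (?P<local>[\d.]+), "
    r"dst = (?P<peer>[\d.]+):(?P<port>\d+)"
)


def parse_flow(text):
    """Return {'In': {...}, 'Out': {...}} for the session wings found in text."""
    wings = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "pkts", "bytes"):
                d[key] = int(d[key])
            wings[d["dir"]] = d
    return wings


def parse_ike_sends(text):
    """Return a list of (local_ip, peer_ip, peer_port) for each packet sent."""
    return [(m["local"], m["peer"], int(m["port"])) for m in SEND_RE.finditer(text)]


def diagnose(flow_text, ike_text):
    """Cross-check the flow session against the IKE trace and list findings."""
    findings = []
    wings = parse_flow(flow_text)
    inbound, outbound = wings.get("In"), wings.get("Out")

    # A session whose return wing never carried a packet is one-way traffic:
    # the SRX accepted the peer's packets but never answered on that tuple.
    if inbound and outbound and inbound["pkts"] > 0 and outbound["pkts"] == 0:
        findings.append(
            f"one-way session: {inbound['pkts']} packets in on "
            f"{inbound['proto']}/{inbound['dport']}, 0 packets out"
        )

    # If the peer is using the NAT-T port but the SRX only ever sends IKE to
    # another port, the two sides never agreed on NAT traversal.
    peer_ports = {port for _, _, port in parse_ike_sends(ike_text)}
    if inbound and inbound["dport"] == 4500 and peer_ports and 4500 not in peer_ports:
        findings.append(
            f"peer sends on udp/4500 but SRX only sends IKE to port(s) "
            f"{sorted(peer_ports)}: NAT-T was not negotiated"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(FLOW_OUTPUT, IKE_DEBUG):
        print("-", finding)
```

Run against the constructed samples it reports both findings; against a session whose Out wing carries packets and whose trace shows sends to udp/4500 it reports nothing, which is the state to expect once NAT-T is negotiated.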

Visitor
Posts: 7
Registered: ‎03-23-2017
0 Kudos

Re: Not working:Site-to-Site VPN with SRX300 and Vyatta behind NAT on the firewall

Here is a sample config for the SRX if anyone is interested in looking at it.

Recognized Expert
Posts: 199
Registered: ‎04-03-2015
0 Kudos

Re: Not working:Site-to-Site VPN with SRX300 and Vyatta behind NAT on the firewall

Hi,

Please attach the ike traceoptions with per-tunnel debug for further analysis:

>request security ike debug-enable local x.x.x.x remote y.y.y.y level 10

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Distinguished Expert
Posts: 906
Registered: ‎11-18-2014
0 Kudos

Re: Not working:Site-to-Site VPN with SRX300 and Vyatta behind NAT on the firewall

Hello,

Here are some pointers:

1) Since the SRX is behind the NAT device, it is recommended that the SRX acts as initiator and not responder (since we do not have a public IP). As per your configuration, the SRX is the initiator, but make sure that the Vyatta device is the responder.

2) Try configuring "local" and "remote" identity in the SRX:

gateway IKE1-ln2-dc-rtvpn01 {
    address 1.2.3.4;
    local-identity inet <SRX IP>;
    remote-identity inet <peer IP>;

}

The same settings should be enabled in the peer device; this is to match the ID validation.

If this also does not help, please follow the instructions mentioned by Sahil and provide the per-tunnel debugging output.

Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
Distinguished Expert
Posts: 4,944
Registered: ‎03-30-2009
0 Kudos

Re: Not working:Site-to-Site VPN with SRX300 and Vyatta behind NAT on the firewall

One difference I see in your configuration from what I have typically used is setting the local-identity to the ip address format instead of the user@ format.

When using the ip address, the Juniper documentation is not clear whether you should have the NAT address or the physical address. So you could also start by switching to the opposite of what you have.


https://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/security-edit-...


Generally, the config does look like a match for the NAT-T docs otherwise.

https://www.juniper.net/techpubs/en_US/junos/topics/concept/ipsec-nat-traversal-understanding.html

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home