SRX Services Gateway
Contributor
Posts: 103
Registered: ‎09-21-2010
0 Kudos

Policy based VPN SRX and PIX

Here is my attached configuration for the policy-based VPN. Kindly guide me on where I'm going wrong. When I do

 

run show security flow session

Session ID: 106750, Policy name: trust-to-untrust/4, Timeout: 8, Valid
  In: 172.16.1.2/1615 --> 172.21.135.203/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 172.21.135.203/1 --> 172.16.1.2/1615;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

 

It's showing me traffic from my side going to the other side but not coming from the other side to mine.

 

 

root@Bayanat_FW# run show security ike security-associations

[edit]
root@Bayanat_FW#


root@Bayanat_FW# run show security ipsec security-associations
  Total active tunnels: 0

[edit]
root@Bayanat_FW#

Faizan
Visitor
Posts: 7
Registered: ‎12-07-2010
0 Kudos

Re: Policy based VPN SRX and PIX

Is this the exact config you have running?

 

policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
        policy Bayant-to-Mdc {
            match {
                source-address Local-Subnet;
                destination-address MDC-Remote-Subnet;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn Bayan-VPN;
                    }
                }
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}

 

If so, the first thing that you need to do is re-order your trust-untrust security policy rules. Your rule with the permit tunnel IPSEC needs to be at the top.

Contributor
Posts: 103
Registered: ‎09-21-2010
0 Kudos

Re: Policy based VPN SRX and PIX

I did this re-ordering; what I feel is that I'm missing something in the policies.

 

then {
    permit {
        tunnel {
            ipsec-vpn Bayan-VPN;
        }
    }
}

 

There should be a pair-policy also. What do you guys suggest? There is no pair-policy for traffic going from trust to untrust

and untrust to trust.

Faizan
Visitor
Posts: 7
Registered: ‎12-07-2010
0 Kudos

Re: Policy based VPN SRX and PIX

Once you do your reordering, is traffic passing through the IPSEC tunnel?

 

I skipped over this in your first post:

 

root@Bayanat_FW# run show security ike security-associations 

[edit]
root@Bayanat_FW#


root@Bayanat_FW# run show security ipsec security-associations
  Total active tunnels: 0

 

If this is still the current output of these commands then your IPSEC tunnel is not up. You will need to troubleshoot the Phase 1 IKE proposals/policy first. Do you know how to do that?

 

The pair-policy command requires one SA for the IPSEC and changes the way the Proxy-ID is deduced.

 

Refer to this link for the full details:

 

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-referenc...

Contributor
Posts: 103
Registered: ‎09-21-2010
0 Kudos

Re: Policy based VPN SRX and PIX

I did the re-ordering. I can see traffic flow from my side to the other side but not coming from untrust to trust.

 

What I said regarding pair-policy, are you acknowledging it?

Faizan
Contributor
Posts: 103
Registered: ‎09-21-2010
0 Kudos

Re: Policy based VPN SRX and PIX

I made a dummy configuration on MY SRX with pair-policy. When I do

 

run show security ike security-associations it's showing me the peer address state is down, while in the real environment

 

run show security ike security-associations is showing empty. Below is my config and result.

 

 

 

root# show
policy Trust-to-Untrsut {
    match {
        source-address 192.168.10.0;
        destination-address 192.168.11.1;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn Remote-VPN;
                pair-policy Untrust-to-Trust;
            }
        }
    }
}

 

 

root# show
policy Untrust-to-Trust {
    match {
        source-address 192.168.11.1;
        destination-address 192.168.10.0;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn Remote-VPN;
                pair-policy Trust-to-Untrsut;
            }
        }
    }
}

 

 

root# run show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
3       58.64.73.2      DOWN   42531db884ce4738  0000000000000000  Main

 

 

Faizan
Visitor
Posts: 7
Registered: ‎12-07-2010
0 Kudos

Re: Policy based VPN SRX and PIX

I commented on the pair-policy in my previous post.

 

What is the output of these commands:

 

root@Bayanat_FW# run show security ike security-associations 

root@Bayanat_FW# run show security ipsec security-associations

 

If you see an established SA then run this command:

 

run show security ipsec statistics 

 

This command will show if packets are being encrypted and decrypted.

 

From your previous post you displayed the output from a session flow. Remember, a session flow doesn't mean that the IPSEC tunnel is up and that traffic is being encrypted. Also, a flow will show a return line based on the originating packet; it doesn't mean that traffic has really returned.
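As an added example (not from this thread, Juniper or Cisco), here is a small Python triage helper that parses the three outputs quoted in this thread (IKE SAs, IPsec SAs, flow session) and maps them to the findings raised above: an empty IKE table, a DOWN IKE SA, zero active tunnels, a session that matched the plain permit policy instead of the tunnel policy, and an Out wing with Pkts: 0. The sample CLI text is constructed from the outputs posted above; the policy name passed to triage() and the wording of the findings are assumptions.

```python
import re

# Constructed sample output, modelled on the outputs quoted in the thread.
IKE_SA_EMPTY = ""
IKE_SA_DOWN = """Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
3       58.64.73.2      DOWN   42531db884ce4738  0000000000000000  Main
"""
IPSEC_SA_NONE = "  Total active tunnels: 0\n"
FLOW_SESSION = """Session ID: 106750, Policy name: trust-to-untrust/4, Timeout: 8, Valid
  In: 172.16.1.2/1615 --> 172.21.135.203/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 172.21.135.203/1 --> 172.16.1.2/1615;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
"""

# One row of 'show security ike security-associations' (header line does not match).
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(UP|DOWN)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)", re.M)
TUNNELS = re.compile(r"Total active tunnels:\s*(\d+)")
OUT_WING = re.compile(r"^\s*Out:.*?Pkts:\s*(\d+),\s*Bytes:\s*(\d+)", re.M)
POLICY = re.compile(r"Policy name:\s*(\S+)")

def ike_state(output):
    """Return 'none' (no SA listed), 'down' (any SA DOWN) or 'up' (all SAs UP)."""
    rows = IKE_ROW.findall(output)
    if not rows:
        return "none"
    return "up" if all(r[2] == "UP" for r in rows) else "down"

def active_tunnels(output):
    """Number of active IPsec tunnels reported by 'show security ipsec security-associations'."""
    m = TUNNELS.search(output)
    return int(m.group(1)) if m else 0

def triage(ike_out, ipsec_out, flow_out, vpn_policy):
    """Return a list of findings; vpn_policy is the name of the policy with the tunnel action."""
    findings = []
    state = ike_state(ike_out)
    if state == "none":
        findings.append("no IKE SA at all: Phase 1 never started; check that traffic hits the tunnel policy")
    elif state == "down":
        findings.append("IKE SA DOWN: Phase 1 proposal/policy mismatch with the peer")
    if active_tunnels(ipsec_out) == 0:
        findings.append("no active IPsec tunnel: nothing is being encrypted")
    m = POLICY.search(flow_out)
    if m and m.group(1).split("/")[0] != vpn_policy:   # 'name/index' -> 'name'
        findings.append(f"session matched policy {m.group(1)} instead of {vpn_policy}: reorder policies")
    for pkts, _ in OUT_WING.findall(flow_out):
        if int(pkts) == 0:
            findings.append("Out wing shows Pkts: 0: the session exists but no return traffic was seen")
    return findings

if __name__ == "__main__":
    for f in triage(IKE_SA_EMPTY, IPSEC_SA_NONE, FLOW_SESSION, "Bayant-to-Mdc"):
        print("-", f)
```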


 

 

Visitor
Posts: 7
Registered: ‎12-07-2010
0 Kudos

Re: Policy based VPN SRX and PIX

root# run show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
3       58.64.73.2      DOWN   42531db884ce4738  0000000000000000  Main

 

This needs to show UP not DOWN for the IKE/ISAKMP communication to be working correctly.  You need to double check with the admin of the PIX on the settings in your IKE proposals/policy.  Something is not matching.

 

Take a look at this guide for methods of debugging / viewing IKE issues.

 

http://computerlink.se/se/downloads/datasheets/SRX_Troubleshooting.pdf

Contributor
Posts: 103
Registered: ‎09-21-2010
0 Kudos

Re: Policy based VPN SRX and PIX

No, actually, what I said is that the last config which I have sent is a dummy config which I have done on the SRX for practice.

When I do

run show security ike security-associations  

 

Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
7       58.64.73.2      DOWN   1cc9f31a6ebc8b71  0000000000000000  Main       

 

it's giving me a status once I add pair-policy.

 

When I do the same thing on my real environment VPN

 

run show security ike security-associations  

it's showing me empty. In the real environment I didn't configure pair-policy, so I'm asking: is it necessary to configure pair-policy, because I'm doing interface NAT as well?

 

 

Faizan
Visitor
Posts: 7
Registered: ‎12-07-2010
0 Kudos

Re: Policy based VPN SRX and PIX

I do pair-policy as a matter of standard practice. So yes, implement pair-policy.

 

This probably will not solve the issue of IKE SA establishment. This is most likely an issue with the proposals.

 

 

Contributor
Posts: 103
Registered: ‎09-21-2010
0 Kudos

Re: Policy based VPN SRX and PIX

I'm stuck: either my config is wrong or something is wrong with the proposal, because if the proposal is wrong,

 

why is run show security ike security-associations showing empty with no status? It must show status down. That's why I'm asking whether I did anything wrong.


For sure I will do pair-policy. Thanks for your input.

 

 

Faizan
Contributor
Posts: 103
Registered: ‎09-21-2010
0 Kudos

Re: Policy based VPN SRX and PIX

I also heard that the IKE lifetime value on Juniper must be less than on Cisco. Is that right? Because the other peer is configuring 86400

 

and ipsec-lifetime 3600 seconds. What should I configure at my end? Kindly suggest if this is the case.

Faizan
Visitor
Posts: 7
Registered: ‎12-07-2010
0 Kudos

Re: Policy based VPN SRX and PIX

 

Your lifetime should be equal or lower for the negotiation of the tunnel to succeed.

 

I have an IPSEC tunnel between an SRX and an ASA 5505 (very similar to a PIX) and I have the following settings:

 

Cisco ASA:

IKE/ISAKMP lifetime 86400 (default for Cisco)

IPSEC SA lifetime 28800 (default for Cisco)

 

SRX:

IKE lifetime 28800

IPSEC SA lifetime 3600

 

Tunnel works just fine and I see that the Cisco device accepted my lower lifetime values during the negotiation, because my lifetimes are counting down from 28800 and 3600 respectively on both devices (SRX and ASA).

 

To know for sure what part of the negotiation is failing you will need to implement the trace options outlined in the PDF I referenced and then review the log file.