SRX Services Gateway
Contributor
ssuet
Posts: 101
Registered: 09-21-2010

Policy based VPN SRX and PIX

Here is my attached configuration for the policy-based VPN. Kindly guide me on where I am going wrong. When I do

 

run show security flow session

Session ID: 106750, Policy name: trust-to-untrust/4, Timeout: 8, Valid
  In: 172.16.1.2/1615 --> 172.21.135.203/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 172.21.135.203/1 --> 172.16.1.2/1615;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0

 

It is showing me traffic from my side going to the other side, but not coming from the other side to mine.

 

 

root@Bayanat_FW# run show security ike security-associations

[edit]
root@Bayanat_FW#


root@Bayanat_FW# run show security ipsec security-associations
  Total active tunnels: 0

[edit]
root@Bayanat_FW#

Visitor
norgetek
Posts: 7
Registered: 12-07-2010

Re: Policy based VPN SRX and PIX

Is this the exact config you have running?

 

policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Bayant-to-Mdc {
                match {
                    source-address Local-Subnet;
                    destination-address MDC-Remote-Subnet;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Bayan-VPN;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
}

 

If so, the first thing that you need to do is re-order your trust-untrust security policy rules. Your rule with the permit tunnel IPSEC needs to be at the top.
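Why the ordering matters, as an added example (not code from the thread): Junos evaluates the policies of a zone pair top to bottom and uses the first match, so an any/any permit above the tunnel policy sends the VPN traffic out in the clear. The address-book prefixes for Local-Subnet and MDC-Remote-Subnet are assumptions; the thread never shows them.

```python
import ipaddress

# Assumed address-book entries: the thread never shows these prefixes.
ADDRESS_BOOK = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "Local-Subnet": ipaddress.ip_network("172.16.1.0/24"),
    "MDC-Remote-Subnet": ipaddress.ip_network("172.21.135.0/24"),
}

def covers(broad, narrow):
    """True if address-book entry `broad` contains entry `narrow`."""
    return ADDRESS_BOOK[narrow].subnet_of(ADDRESS_BOOK[broad])

def find_shadowed_tunnel_policies(policies):
    """Junos picks the first matching policy in a zone pair, top to bottom.
    Return (shadowing, shadowed) name pairs for every tunnel policy that an
    earlier, broader clear-text policy would match first. `policies` is an
    ordered list of dicts with keys name, src, dst, app, tunnel."""
    hits = []
    for i, later in enumerate(policies):
        if later["tunnel"] is None:
            continue
        for earlier in policies[:i]:
            if (earlier["tunnel"] is None
                    and covers(earlier["src"], later["src"])
                    and covers(earlier["dst"], later["dst"])
                    and earlier["app"] in ("any", later["app"])):
                hits.append((earlier["name"], later["name"]))
    return hits

# The trust-to-untrust policies in the order the thread posted them:
# clear-text any/any first, the VPN policy second.
POSTED_ORDER = [
    {"name": "trust-to-untrust", "src": "any", "dst": "any",
     "app": "any", "tunnel": None},
    {"name": "Bayant-to-Mdc", "src": "Local-Subnet",
     "dst": "MDC-Remote-Subnet", "app": "any", "tunnel": "Bayan-VPN"},
]
# The fix suggested above: move the tunnel policy to the top.
FIXED_ORDER = list(reversed(POSTED_ORDER))

if __name__ == "__main__":
    print("posted order:", find_shadowed_tunnel_policies(POSTED_ORDER))
    print("fixed order: ", find_shadowed_tunnel_policies(FIXED_ORDER))
```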

Contributor
ssuet
Posts: 101
Registered: 09-21-2010

Re: Policy based VPN SRX and PIX

I have done this re-ordering. What I feel is that I am missing something in the policies:

 

then {
    permit {
        tunnel {
            ipsec-vpn Bayan-VPN;
        }
    }
}

 

There should be a pair-policy also. What do you guys suggest? There is no pair-policy for traffic going from trust to untrust and from untrust to trust.

Visitor
norgetek
Posts: 7
Registered: 12-07-2010

Re: Policy based VPN SRX and PIX

Once you do your reordering, is traffic passing through the IPSEC tunnel?

 

I skipped over this in your first post:

 

root@Bayanat_FW# run show security ike security-associations 

[edit]
root@Bayanat_FW#


root@Bayanat_FW# run show security ipsec security-associations
  Total active tunnels: 0

 

If this is still the current output of these commands, then your IPSEC tunnel is not up. You will need to troubleshoot the Phase 1 IKE proposals/policy first. Do you know how to do that?

 

The pair-policy command requires one SA for the IPSEC and changes the way the Proxy-ID is deduced.

 

Refer to this link for the full details:

 

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-referenc...

Contributor
ssuet
Posts: 101
Registered: 09-21-2010

Re: Policy based VPN SRX and PIX

I did the re-ordering. I can see traffic flow from my side to the other side, but not coming from untrust to trust.

 

What I said regarding pair-policy, are you acknowledging it?

Contributor
ssuet
Posts: 101
Registered: 09-21-2010

Re: Policy based VPN SRX and PIX

I made a dummy configuration on my SRX with pair-policy. When I do

run show security ike security-associations

it shows me the peer address state is down, while in the real environment

run show security ike security-associations

shows empty. Below is my config and result.

 

 

 

root# show
policy Trust-to-Untrsut {
    match {
        source-address 192.168.10.0;
        destination-address 192.168.11.1;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn Remote-VPN;
                pair-policy Untrust-to-Trust;
            }
        }
    }
}

 

 

root# show
policy Untrust-to-Trust {
    match {
        source-address 192.168.11.1;
        destination-address 192.168.10.0;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn Remote-VPN;
                pair-policy Trust-to-Untrsut;
            }
        }
    }
}

 

 

root# run show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
3       58.64.73.2      DOWN   42531db884ce4738  0000000000000000  Main

 

 

Visitor
norgetek
Posts: 7
Registered: 12-07-2010

Re: Policy based VPN SRX and PIX

I commented on the pair-policy in my previous post.

 

What is the output of these commands:

 

root@Bayanat_FW# run show security ike security-associations 

root@Bayanat_FW# run show security ipsec security-associations

 

If you see an established SA then run this command:

 

run show security ipsec statistics 

 

This command will show if packets are being encrypted and decrypted.

 

From your previous post you displayed the output from a session flow. Remember, a session flow doesn't mean that the IPSEC tunnel is up and that traffic is being encrypted. Also, a flow will show a return line based on the originating packet; it doesn't mean that traffic has really returned.
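The checks in this reply, turned into a small triage script as an added example (not code from the thread or from Juniper): it reads pasted `show security flow session` and `show security ike security-associations` output and flags a session that matched a clear-text policy, an Out wing with zero packets, and an IKE table that is empty or DOWN. The sample text is constructed from the outputs posted above; the set of tunnel policy names is an input you supply.

```python
import re

# Pull the matched policy name, the per-wing packet count, and each IKE row.
FLOW_RE = re.compile(r"Policy name: (?P<policy>[^/,]+)")
WING_RE = re.compile(r"^\s*(?P<dir>In|Out):.*Pkts: (?P<pkts>\d+)", re.M)
IKE_RE = re.compile(r"^\s*\d+\s+(?P<peer>\S+)\s+(?P<state>UP|DOWN)\s+"
                    r"(?P<icookie>[0-9a-f]{16})\s+(?P<rcookie>[0-9a-f]{16})", re.M)

def triage(flow_text, ike_text, tunnel_policies):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    m = FLOW_RE.search(flow_text)
    if m and m.group("policy") not in tunnel_policies:
        findings.append(f"session matched clear-text policy {m.group('policy')!r}, "
                        "so a broader policy above the tunnel policy took the traffic")
    for w in WING_RE.finditer(flow_text):
        if w.group("dir") == "Out" and int(w.group("pkts")) == 0:
            findings.append("Out wing shows Pkts: 0; the reverse wing is created from "
                            "the first packet, so no reply has actually come back")
    rows = list(IKE_RE.finditer(ike_text))
    if not rows:
        findings.append("no IKE SA listed at all; phase 1 never ran, check the "
                        "gateway and proposal configuration")
    for r in rows:
        if r.group("state") == "DOWN":
            why = ("peer never answered: responder cookie is all zeros"
                   if set(r.group("rcookie")) == {"0"} else "negotiation failed")
            findings.append(f"IKE SA to {r.group('peer')} is DOWN ({why}); "
                            "compare the phase 1 proposals with the PIX side")
    return findings

# Constructed sample input, shaped like the outputs posted in the thread.
FLOW_SAMPLE = """\
Session ID: 106750, Policy name: trust-to-untrust/4, Timeout: 8, Valid
  In: 172.16.1.2/1615 --> 172.21.135.203/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 172.21.135.203/1 --> 172.16.1.2/1615;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
"""
IKE_SAMPLE = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
3       58.64.73.2      DOWN   42531db884ce4738  0000000000000000  Main
"""

if __name__ == "__main__":
    for finding in triage(FLOW_SAMPLE, IKE_SAMPLE, {"Bayant-to-Mdc"}):
        print("-", finding)
```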


 

 

Visitor
norgetek
Posts: 7
Registered: 12-07-2010

Re: Policy based VPN SRX and PIX

root# run show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
3       58.64.73.2      DOWN   42531db884ce4738  0000000000000000  Main

 

This needs to show UP not DOWN for the IKE/ISAKMP communication to be working correctly.  You need to double check with the admin of the PIX on the settings in your IKE proposals/policy.  Something is not matching.

 

Take a look at this guide for methods of debugging / viewing IKE issues.

 

http://computerlink.se/se/downloads/datasheets/SRX_Troubleshooting.pdf

Contributor
ssuet
Posts: 101
Registered: 09-21-2010

Re: Policy based VPN SRX and PIX

No, actually what I said is that the last config which I have sent is a dummy config which I have done on the SRX for practice.

When I do

run show security ike security-associations  

 

Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
7       58.64.73.2      DOWN   1cc9f31a6ebc8b71  0000000000000000  Main       

 

It is giving me a status as I add pair-policy.

 

When I do the same thing in my real environment VPN

 

run show security ike security-associations  

               
it shows me empty. In the real environment I didn't configure pair-policy, so I am asking: is it necessary to configure pair-policy, because I'm doing interface NAT as well?

 

 

Visitor
norgetek
Posts: 7
Registered: 12-07-2010

Re: Policy based VPN SRX and PIX

I do pair-policy as a matter of standard practice. So yes, implement pair-policy.

 

This probably will not solve the issue of IKE SA establishment. This is most likely an issue with the proposals.

 

 
