SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Problem with SRX to SRX route-based VPN

    Posted 08-30-2015 02:24

    Hi all,

    I set up a route-based VPN between an SRX3400 and an SRX240. It seems to work fine, I can ping from both sides; however, when I make an SSH connection and try to do some stuff, the connection drops and I have to log in to SSH again.

    What do you think the problem can be? Or how can I trace the problem?

    Thanks



  • 2.  RE: Problem with SRX to SRX route-based VPN

    Posted 08-30-2015 02:33

    Hello,

    Is it an SSH connection through the VPN to a box other than the two peers, or SSH to the peer through the VPN?

    If you send 100 pings with a size of 1450 through the VPN, what is the result?

    Regards,

    Rushi



  • 3.  RE: Problem with SRX to SRX route-based VPN

    Posted 08-30-2015 03:02

    Hi Rushi,

    The SSH connection is from Zone-A at the SRX3400 to Zone-B at the SRX240.

    There is no packet loss in the ping test either.

    There is another symptom: the same thing happens when I try to make an HTTP request.

    My setup on both sides is:

    set security ike proposal IKE-PROP-MN-DGN-1 lifetime-seconds 3600
    set security ike proposal IKE-PROP-MN-DGN-1 authentication-method pre-shared-keys
    set security ike proposal IKE-PROP-MN-DGN-1 authentication-algorithm sha1
    set security ike proposal IKE-PROP-MN-DGN-1 encryption-algorithm aes-128-cbc
    set security ike proposal IKE-PROP-MN-DGN-1 dh-group group5
    set security ike policy IKE-POL-MN-DGN-1 proposals IKE-PROP-MN-DGN-1
    set security ike policy IKE-POL-MN-DGN-1 mode main
    set security ike policy IKE-POL-MN-DGN-1 pre-shared-key ascii-text {SOMEPASS}
    set security ike gateway IKE-GW-MN-DGN-1 ike IKE-POL-MN-DGN-1
    set security ike gateway IKE-GW-MN-DGN-1 address {IP}
    set security ike gateway IKE-GW-MN-DGN-1 external-interface ge
    set security zones security-zone untrust host-inbound-traffic system-services ike
    
    
    set security ipsec proposal IPSEC-PROP-MN-DGN-1 lifetime-seconds 3600
    set security ipsec proposal IPSEC-PROP-MN-DGN-1 protocol esp
    set security ipsec proposal IPSEC-PROP-MN-DGN-1 authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC-PROP-MN-DGN-1 encryption-algorithm aes-128-cbc
    set security ipsec policy IPSEC-POL-MN-DGN-1 proposals IPSEC-PROP-MN-DGN-1
    set security ipsec policy IPSEC-POL-MN-DGN-1 perfect-forward-secrecy keys group5
    set security ipsec vpn IPSEC-VPN-MN-DGN-1 ike gateway IKE-GW-MN-DGN-1
    set security ipsec vpn IPSEC-VPN-MN-DGN-1 ike ipsec-policy IPSEC-POL-MN-DGN-1
    set security ipsec vpn IPSEC-VPN-MN-DGN-1 vpn-monitor
    set security ipsec vpn IPSEC-VPN-MN-DGN-1 establish-tunnels immediately
    set security ipsec vpn IPSEC-VPN-MN-DGN-1 bind-interface st0.1
    
    
    set interfaces st0 unit 1 family inet
    set security zones security-zone VPN-MN-DGN1 interfaces st0.1
    set routing-options static route 10.9.0.0/22 next-hop

    In the security zone policy, any source to any destination with any application is permitted.

    Thanks



  • 4.  RE: Problem with SRX to SRX route-based VPN
    Best Answer

    Posted 08-30-2015 03:37

    Hello,

    Can you set tcp-mss for the traffic going through the tunnel as below:

    set security flow tcp-mss ipsec-vpn mss 1300

    Note: make this change on both peers.

    Regards,

    Rushi
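
    As an added worked example (not part of this thread or of Junos), the following sizes a TCP segment through an ESP tunnel-mode SA using the proposal posted above (aes-128-cbc with hmac-sha1-96, no NAT-T) and shows where the suggested mss 1300 sits relative to the encapsulation overhead. The 1500-byte path MTU and option-free IPv4/TCP headers are assumptions.

```python
# Added example: ESP tunnel-mode overhead for aes-128-cbc + hmac-sha1-96
# over IPv4 (RFC 4303 layout), to show why the default 1460-byte MSS
# overflows an assumed 1500-byte path while mss 1300 fits unfragmented.

IPV4_HDR = 20      # outer and inner IPv4 header, no options (assumption)
TCP_HDR = 20       # TCP header, no options (assumption)
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # AES-CBC IV length and padding granularity
SHA1_96_ICV = 12   # hmac-sha1-96 integrity check value
ESP_TRAILER = 2    # pad-length + next-header bytes


def esp_outer_len(inner_len: int) -> int:
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes
    after ESP tunnel-mode encapsulation (outer IPv4 + ESP)."""
    plaintext = inner_len + ESP_TRAILER
    padding = (-plaintext) % AES_BLOCK          # pad up to an AES block boundary
    return IPV4_HDR + ESP_HDR + AES_BLOCK + plaintext + padding + SHA1_96_ICV


def max_tcp_mss(path_mtu: int = 1500) -> int:
    """Largest TCP MSS whose full-size segment still fits path_mtu
    without fragmenting the outer ESP packet."""
    budget = path_mtu - IPV4_HDR - ESP_HDR - AES_BLOCK - SHA1_96_ICV
    budget -= budget % AES_BLOCK                # plaintext must be a block multiple
    inner_max = budget - ESP_TRAILER
    return inner_max - IPV4_HDR - TCP_HDR


def fits(mss: int, path_mtu: int = 1500) -> bool:
    """True if a full segment at this MSS travels unfragmented."""
    return esp_outer_len(IPV4_HDR + TCP_HDR + mss) <= path_mtu


if __name__ == "__main__":
    # Default Ethernet MSS, the computed limit, and the value from the thread.
    for mss in (1460, max_tcp_mss(), 1300):
        outer = esp_outer_len(IPV4_HDR + TCP_HDR + mss)
        print(f"mss {mss}: outer packet {outer} bytes, fits={fits(mss)}")
```

    A 1460-byte MSS yields a 1560-byte outer packet, so the tunnel must fragment or drop it, while 1300 leaves about 100 bytes of headroom for options, NAT-T or a smaller upstream MTU.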



  • 5.  RE: Problem with SRX to SRX route-based VPN

    Posted 08-30-2015 05:47

    Wow, it worked like a charm 🙂

    Thank you very much