SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Route-Based VPN between SRX650 and Palo-Alto 200

  • 1.  Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-27-2012 08:48
    Hi guys, we need to set up a VPN between SRX and PaloAlto. We already have Phase 1 and Phase 2 up and running, but the problem is that we get no traffic through the tunnel. Where can I look to see what happens, or what can I post so that somebody of you can help me through that problem? Here are some config and detailed outputs from my SRX side.

    show security ipsec statistics index 131078
    node0:
    --------------------------------------------------------------------------
    ESP Statistics:
      Encrypted bytes:                0
      Decrypted bytes:           930972
      Encrypted packets:              0
      Decrypted packets:          11083
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

    node1:
    --------------------------------------------------------------------------
    ESP Statistics:
      Encrypted bytes:                0
      Decrypted bytes:                0
      Encrypted packets:              0
      Decrypted packets:              0
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

    show security ike security-associations 88.XXX.XXX.XXX detail
    node0:
    --------------------------------------------------------------------------
    IKE peer 88.XXX.XXX.XXXX, Index 7898554, Role: Initiator, State: UP
      Initiator cookie: 05fc4b4bcf536e33, Responder cookie: 9833688f187823a5
      Exchange type: Aggressive, Authentication method: Pre-shared-keys
      Local: 213.XXX.XXX.XXXX:500, Remote: 88.XXX.XXX.1XXX:500
      Lifetime: Expires in 27756 seconds
      Peer ike-id: 88.XXX.XXX.XXX
      Xauth assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : sha1
       Encryption            : 3des-cbc
       Pseudo random function: hmac-sha1
      Traffic statistics:
       Input  bytes  :                  708
       Output bytes  :                  992
       Input  packets:                    3
       Output packets:                    4
      Flags: Caller notification sent
      IPSec security associations: 1 created, 1 deleted
      Phase 2 negotiations in progress: 0

    show security ike security-associations
    node0:
    --------------------------------------------------------------------------
    Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
    7898554 88.XXX.XXX.XXX  UP     05fc4b4bcf536e33  9833688f187823a5  Aggressive

    show security ipsec security-associations
    node0:
    --------------------------------------------------------------------------
      Total active tunnels: 2
      ID      Gateway         Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
      <131078 88.XXX.XXX.XXX  500   ESP:3des/sha1  acca02    2465/ unlim  -    root
      >131078 88.XXX.XXX.XXX  500   ESP:3des/sha1  bc72d934  2465/ unlim  -    root

    show configuration security
    ike {
        inactive: traceoptions {
            file ike-trace;
            flag all;
        }
        policy MIT-XXX-650 {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$Tz6CAt0cSeCXXXXXXXXtpOIEleY24JDH"; ## SECRET-DATA
        }
        policy MIT-PaloAlto-AT {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$MWXXXXXXXO87dVbYGUHdbw2oJiHCApORc"; ## SECRET-DATA
        }
        gateway MIT-SOHO-XXX-AT {
            ike-policy MIT-XXX-650;
            dynamic hostname MIT-SOHO-XXX-AT;
            external-interface reth0.0;
        }
        gateway MIT-PaloAlto-AT {
            ike-policy MIT-PaloAlto-AT;
            address 88.XXX.XXX.XXX;
            dead-peer-detection {
                always-send;
                interval 10;
            }
            local-identity inet 213.XXX.XXX.XXX;
            external-interface reth0.0;
        }
    }
    ipsec {
        inactive: traceoptions {
            flag all;
        }
        policy MIT-XXX-650 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn MIT-SOHO-XXX-AT {
            bind-interface st0.0;
            ike {
                gateway MIT-SOHO-XXX-AT;
                ipsec-policy MIT-XXX-650;
            }
            establish-tunnels immediately;
        }
        vpn MIT-PaloAlto-AT {
            bind-interface st0.0;
            ike {
                gateway MIT-PaloAlto-AT;
                ipsec-policy MIT-XXX-650;
            }
            establish-tunnels immediately;
        }
    }

    Policies on both sides are any/any in the appropriate zones and interfaces. If you need more information, please let me know. Regards


  • 2.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-27-2012 13:11
    Hi

    Your post is very hard to read. Can you post your full config as an attachment?


  • 3.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-27-2012 13:14
    Uh, **bleep** it, I didn't see this pain in the ass. I just copied everything from my terminal session to the webpage and it looked very fine. I will do that next when I am in the office. Regards


  • 4.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 02:19

    Hi, please check my text file for the related info on the tunnel problem. If you need more information, please let me know. We have set up a couple of other VPN tunnels to other SRX devices without a problem. Regards

    Attachment(s): SRX_PALOALTO.txt (7 KB)


  • 5.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 03:31

    Hi

    You may need to set up the IKE policy to include the proxy identity to make sure the tunnel can pass traffic. Here is my excerpt.

    IKE
    
            proposal ike-proposal-aes-256 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 14400;
            }
    
            policy ike-policy-cfgr {
                mode main;
                proposals ike-proposal-aes-256;
                pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            }
    
            gateway ike-gate-cfgr {
                ike-policy ike-policy-cfgr;
                address xxx.xxx.xxx.xx9;
                dead-peer-detection {
                    interval 30;
                    threshold 2;
                }
                local-identity inet xxx.xxx.xxx.xx5;
                external-interface at-1/0/0.0;
               }
    
    
    IPSEC
    
            vpn-monitor-options {
                interval 10;
                threshold 10;
            }
    
    
            proposal ipsec-proposal-aes-256 {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 14400;
            }
    
            policy ipsec-policy-cfgr {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals ipsec-proposal-aes-256;
            }
    
            vpn ipsec-vpn-cfgr {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-cfgr;
                    idle-time 120;
                    proxy-identity {
                        local 192.168.253.0/24;
                        remote 192.168.0.0/24;
                    }
                    ipsec-policy ipsec-policy-cfgr;
                }
                establish-tunnels on-traffic;
            }
    
    
    
    
    
    POLICY
    
            from-zone trust to-zone jbvpn {
                policy trust-jbvpn-cfgr {
                    match {
                        source-address addr_192_168_253_0_24;
                        destination-address addr_192_168_0_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone jbvpn to-zone trust {
                policy jbvpn-trust-cfgr {
                    match {
                        source-address addr_192_168_0_0_24;
                        destination-address addr_192_168_253_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
    
    
    My VPN network is called jbvpn. My LAN IP range is 192.168.253.0/24 and my remote network is 192.168.0.0/24.

    I am using my ADSL 2+ interface.



  • 6.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 05:10

    Nah, proxy-IDs aren't necessary between a Juniper and a PA.


    OP, can you make sure you have a valid route to the remote network via the tunnel interface? What about the security policy? Maybe post these up too and we'll have a look...



  • 7.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 05:39

    Hi

    Yes, we have configured the tunnel interface on both devices in the same subnet, 10.16.251.0/24.

    SRX: 10.16.251.1/24

    PA: 10.16.251.20/24

    So I don't need a special routing entry for the directly connected network, do I?



  • 8.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 07:28

    Hey Spud,

    As you mentioned that it isn't necessary to set up a proxy ID between SRX and PA, where did you get this information?

    Do you have a how-to or a best-practice document for setting up a VPN between SRX and Palo Alto?

    Thx in advance



  • 9.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 08:13

    Ok

    I think I get traffic flowing from Palo Alto to the SRX, because if I start a ping on the Palo Alto side

    ping source 10.16.251.20 host 10.16.251.1

    I can see decrypted packets and bytes increasing on the SRX:

    show security ipsec statistics index 131078
    node0:
    --------------------------------------------------------------------------

    ESP Statistics:
      Encrypted bytes:                0
      Decrypted bytes:           943236
      Encrypted packets:              0
      Decrypted packets:          11229
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

    But if I start the ping from the SRX to the Palo Alto, nothing happens.

    Any ideas where I can look?



  • 10.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 08:26

    Hi

    When you run show security ipsec security-associations detail, can you see the local and remote identity?

    Also, you should see encrypted and decrypted bytes in your IPsec statistics.

    This may be a config issue at the remote end.

    Do you have an st interface defined, along with a route for the remote network?

        st0 {
            unit 0 {
                family inet {
                }
            }
        }


        static {
            route 192.168.0.0/24 next-hop st0.0;
        }



  • 11.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 08:35

    Hi

    Yes, I think I can see that:

    show security ipsec security-associations detail
    node0:
    --------------------------------------------------------------------------
      Virtual-system: root
      Local Gateway: 213.XX, Remote Gateway: 88.XXXX
      Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        DF-bit: clear
        Direction: inbound, SPI: 323ef1ed, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3026 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2397 seconds
        Mode: tunnel, Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
        Anti-replay service: counter-based enabled, Replay window size: 64

        Direction: outbound, SPI: d0a4534c, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3026 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2397 seconds
        Mode: tunnel, Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
        Anti-replay service: counter-based enabled, Replay window size: 64


    And no, at the moment I have no route configured to the LAN behind the Palo Alto, because for now I just want to ping the IP address of the remote tunnel interface on the Palo Alto, which is in the same subnet, so I don't have to set up a separate route for it.

    I have another SRX box connected to the 650, and I can ping the tunnel interface from the 650 to the SRX100.



  • 12.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 08:42

    Rather than ping, can you do a traceroute? You may find that your packets from the remote site are being sent out via a different route and address.

    You need to define the remote network and route in order to send the traffic through it.

    Regarding the pinging from the remote end: the SRX will not, unless configured, respond to ICMP.

    You will need to add it to the host-inbound-traffic system-services on the zone of your externally facing interface (the one closest to the PA-200).



  • 13.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 08:49

    Hi

    show route 10.16.251.20

    inet.0: 1206 destinations, 2256 routes (1054 active, 152 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.16.251.0/24     *[Direct/0] 04:00:25
                        > via st0.0


    traceroute 10.16.251.20
    traceroute to 10.16.251.20 (10.16.251.20), 30 hops max, 40 byte packets
    traceroute: sendto: No route to host
     1 traceroute: wrote 10.16.251.20 40 chars, ret=-1
     *traceroute: sendto: No route to host
    traceroute: wrote 10.16.251.20 40 chars, ret=-1


    show interfaces st0.0
      Logical interface st0.0 (Index 80) (SNMP ifIndex 540)
        Flags: No-Multicast SNMP-Traps Encapsulation: Secure-Tunnel
        Input packets : 18176982
        Output packets: 13748884
        Security: Zone: vpn
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
        ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
        lsping ntp sip r2cp
        Protocol inet, MTU: 9192
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 10.16.251/24, Local: 10.16.251.1

    It is all allowed on the interface and also on the zone, for this interface and for testing purposes.



  • 14.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 10:58

    OP, can you try creating a security policy on the SRX from the vpn zone to the vpn zone and see if this allows you to ping?

    If I recall correctly, Junos does not permit intra-zone traffic by default, whereas PAN-OS does.



  • 15.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 12:35

    Hi

    We have this policy already in place:

    vpn to vpn any

    Any other ideas?

    Maybe you can send me screenshots of the configurations of your SRX and Palo Alto firewalls; that would be very helpful.

    Regards



  • 16.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 12-05-2012 03:15

    Hi

    I think I have solved my problem.

    We had just one tunnel interface with a multipoint configuration on our SRX650 cluster, and that was the problem for my VPN tunnel to my Palo Alto firewall. I have no problems if more than one SRX is also connected over or to this tunnel interface.

    So the solution was: create a new tunnel interface, insert it into the appropriate zone, create a new transfer network, and voilà, the tunnel is up again and the traffic is going through.

    So maybe somebody of you has an explanation for that behaviour.

    Thx

    onedread
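    Putting together what the thread converged on (the st0 unit and static route from post 10, the host-inbound ping from post 12, and the dedicated tunnel interface from the post above), here is an added Junos configuration fragment; it is not the attachment from this thread or the poster's own config. Junos fills the next-hop tunnel binding (NHTB) table of a multipoint st0 automatically only between Junos peers, so a non-Junos peer on a shared multipoint unit needs a static next-hop-tunnel entry or, as done here, its own point-to-point unit. Assumed values: st0.1, zone vpn-pa, transfer network 10.16.252.0/30 with the Palo Alto at 10.16.252.2, and 192.168.0.0/24 as a placeholder for the LAN behind the PA-200.

```junos
/* Added example, not the thread's attachment. Assumed values: unit st0.1,
   zone vpn-pa, transfer network 10.16.252.0/30, and 192.168.0.0/24 as a
   placeholder for the LAN behind the PA-200. */
interfaces {
    st0 {
        /* Existing hub unit shared by the SRX spokes, left as it was. */
        unit 0 {
            multipoint;
            family inet {
                address 10.16.251.1/24;
                /* Only if the Palo Alto stayed on this multipoint unit: a
                   non-Junos peer never populates the NHTB table itself.
                   next-hop-tunnel 10.16.251.20 ipsec-vpn MIT-PaloAlto-AT; */
            }
        }
        /* Dedicated point-to-point unit for the Palo Alto. */
        unit 1 {
            family inet {
                address 10.16.252.1/30;
            }
        }
    }
}
routing-options {
    static {
        /* The transfer network is a Direct route via st0.1; the LAN
           behind the PA-200 still needs an explicit route into the tunnel. */
        route 192.168.0.0/24 next-hop st0.1;
    }
}
security {
    ipsec {
        vpn MIT-PaloAlto-AT {
            /* Was st0.0 in the original post, shared with the SRX spokes. */
            bind-interface st0.1;
            ike {
                gateway MIT-PaloAlto-AT;
                ipsec-policy MIT-XXX-650;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn-pa {
            host-inbound-traffic {
                /* Without this the SRX silently drops pings to 10.16.252.1. */
                system-services {
                    ping;
                }
            }
            interfaces {
                st0.1;
            }
        }
    }
}
```

    Security policies between trust and vpn-pa (and the Palo Alto side's tunnel interface, zone and route for the transfer network) are still required and are left out here.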



  • 17.  RE: Route-Based VPN between SRX650 and Palo-Alto 200

    Posted 11-28-2012 10:56

    onedread23 wrote:

    As you mentioned that it isn't necessary to set up a proxy ID between SRX and PA, where did you get this information?

    Do you have a how-to or a best-practice document for setting up a VPN between SRX and Palo Alto?


    I'm not sure if I've seen any official documentation; this is just going off my personal experience working with Juniper and PAN firewalls.


    The PAN firewalls can only do route-based VPNs; there is no policy-based VPN capability. So if you also configure the Juniper side to be route-based, proxy-IDs are not needed. The only situation where you might need to configure proxy-IDs between a Juniper and a PA is if you configure the Juniper side to be policy-based (in that situation, the PA must be configured with proxy-IDs to match the Juniper VPN policy).