SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route-based IPsec between Cisco router and Juniper SRX

    Posted 09-25-2014 07:04

    Hello! Please help me understand why there is no ping from the source address to the destination address over the IPsec VPN (route-based, in this case).

    I have the following scheme:

    Scan_vpn.jpg

    Phase1 and Phase2 of IPSec are up.

    cisco1811:

    Router#show crypto session 
    Crypto session current status
    
    Interface: Tunnel0
    Session status: UP-ACTIVE     
    Peer: 1.1.1.2 port 500 
     IKEv1 SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active 
     IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map

     SRX210:

    [edit]
    root# run show security ike security-associations 
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    507742  UP     e4ce17853e784b75  686afe9bad0c6831  Main           1.1.1.1  
    
    [edit]
    root# run show security ipsec security-associations 
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
      <131073 ESP:3des/sha1 f7797ad5 3409/  4608000 -  root 500   1.1.1.1         
      >131073 ESP:3des/sha1 f4f78f65 3409/  4608000 -  root 500   1.1.1.1 

     But there is no connection from the Cisco loopback 10.10.10.1 to the SRX fe-0/0/4 destination 20.20.20.1. Ping failed.

    To my mind, all routing, security zones, policies, etc. have been configured correctly. But pings failed. (Ping from Tunnel0 to st0.1 failed too.)

    output cisco1811:

    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    memory-size iomem 20
    !
    !
    dot11 syslog
    ip source-route
    !         
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    license udi pid CISCO1811W-AG-A/K9 sn FHK0930507W
    !
    !
    ! 
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key regata577 address 1.1.1.2
    !
    !
    crypto ipsec transform-set TS esp-3des esp-sha-hmac 
    !
    crypto ipsec profile VPN_P2
     set transform-set TS 
    !
    !
    interface Loopback10
     ip address 10.10.10.1 255.255.255.0
    !
    interface Tunnel0
     ip address 172.16.0.1 255.255.255.252
     ip mtu 1400
     tunnel source 1.1.1.1
     tunnel mode ipsec ipv4
     tunnel destination 1.1.1.2
     tunnel protection ipsec profile VPN_P2
    !
    interface FastEthernet0
     ip address 1.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet1
     ip vrf forwarding vrf1
     ip address 5.5.5.1 255.255.255.0
     duplex auto
     speed auto
    
    interface Vlan1
     no ip address
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.2
    ip route 20.20.20.0 255.255.255.0 Tunnel0

     output srx210:

    version 12.1X44-D35.5;
    system {
        root-authentication {
            encrypted-password "$1$APbBS19g$N1umrpu1sUcdWCb7RUyLa1"; ## SECRET-DATA
        }
        services {
            ssh;
        }
        syslog {
            file kmd-logs {
                daemon info;
                match KMD;
            }
        }
    }
    interfaces {                                  
        fe-0/0/4 {
            unit 0 {
                family inet {
                    address 20.20.20.1/24;
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family inet {
                    address 1.1.1.2/24;
                }
            }
        }
        st0 {
            unit 1 {
                family inet {
                    mtu 1400;
                    address 172.16.0.2/30;
                }
            }
        }
    }
    routing-options {
        static {                            
            route 0.0.0.0/0 next-hop 1.1.1.1;
            route 10.10.10.0/24 next-hop 172.16.0.1;
        }
    }
    security {
        ike {
            policy ike_policy {
                mode main;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$.fF/u0IleWTzSevMN-.Pfz9AIEc"; ## SECRET-DATA
            }
            gateway ike_gate {
                ike-policy ike_policy;
                address 1.1.1.1;
                external-interface fe-0/0/5;
            }
        }
        ipsec {
            policy ipsec_policy {
                proposal-set standard;      
            }
            vpn My_VPN {
                bind-interface st0.1;
                ike {
                    gateway ike_gate;
                    ipsec-policy ipsec_policy;
                }
                establish-tunnels immediately;
            }
        }
        flow {
            tcp-mss {
                ipsec-vpn {
                    mss 1350;
                }
            }
        }
        policies {
            from-zone Untrust to-zone Trust {
                policy 100 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Trust to-zone Untrust {
                policy 101 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Untrust {
                address-book {              
                    address MOSCOW 10.10.10.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/5.0;
                    st0.1;
                }
            }
            security-zone Trust {
                address-book {
                    address KRASNODAR 20.20.20.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }                       
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/4.0;
                }
            }
        }
    }


  • 2.  RE: Route-based IPsec between Cisco router and Juniper SRX

    Posted 09-25-2014 07:21

    Hi,

    Maybe this:

    routing-options {
        static {                            
            route 0.0.0.0/0 next-hop 1.1.1.1;
            route 10.10.10.0/24 next-hop st0.1;
        }
    }

    And are you sure you ping from your Cisco device with the source address 10.10.10.1?

    --
    Click the star for kudos if you think I earned it.
    If this post solves your problem, please mark this post as "Accepted Solution".


  • 3.  RE: Route-based IPsec between Cisco router and Juniper SRX

    Posted 09-25-2014 07:27

    Initially I was doing exactly that: st0.1 instead of the IP prefix (no result).

    Router#ping 20.20.20.1 source 10.10.10.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1 
    .....
    Success rate is 0 percent (0/5)
    Router#


  • 4.  RE: Route-based IPsec between Cisco router and Juniper SRX

    Posted 09-25-2014 08:53

    Hi,

    • could it be an MTU problem?
    • does it work the other way around?
    • what is the result if you ping another host on the 20.20.20.0/24 subnet other than 20.20.20.1?

    Also, could you try and add a policy to permit any application from-zone Trust to-zone Trust?



  • 5.  RE: Route-based IPsec between Cisco router and Juniper SRX

    Posted 09-25-2014 09:20

    I have added two policies.

    Another problem is that I have no device behind the SRX and must use its own interface. Maybe security policies are usually applied to transit traffic (following your logic)(???), not to the device's own interface.

    Though, it seems, I have done so many times without any problems.

    It also depresses me that I cannot ping the directly connected tunnel interfaces from each other (Tunnel0 and st0.1), though both are in the up state.

    Router#show int tunnel0
    Tunnel0 is up, line protocol is up 
      Hardware is Tunnel
      Internet address is 172.16.0.1/30
      MTU 17886 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 1.1.1.1, destination 1.1.1.2
      Tunnel protocol/transport IPSEC/IP
      Tunnel TTL 255
      Tunnel transport MTU 1446 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "VPN_P2")
      Last input 04:28:24, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         114 packets output, 9234 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    root# run show interfaces st0.1 terse 
    Interface               Admin Link Proto    Local                 Remote
    st0.1                   up    up   inet     172.16.0.2/30   
    

    from-zone Trust to-zone Trust {
        policy 105 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone Trust to-zone junos-host {
        policy 106 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }                                   
    }

     No result! (no ping from 10.10.10.1 to 20.20.20.1)



  • 6.  RE: Route-based IPsec between Cisco router and Juniper SRX

    Posted 09-26-2014 03:53

    Hi vlazarev,

    VPN configuration looks good.

    On the SRX, configure st0.1 as the next hop for the route to the Cisco network, as someone mentioned earlier.

    Then try the following:

    1. Initiate a ping from any PC in 20.20.20.0/24 to the Cisco loopback.

    2. From the CLI, run this command: show security flow session source-prefix 20.20.20.x destination-prefix cisco-loopback

    3. Share the show security ipsec sa detail and show security ipsec statistics index id outputs.

    If you see the session on the SRX, there are 2 wings, inbound and outbound; if the packet counter is 0 for any wing, then return packets are not coming through.

    4. You need to verify the SPI values for the inbound and outbound Phase 2 SAs.

    Share the show security ipsec sa output for the SRX and the Cisco output showing the SPI values.

    5. The inbound SPI of the SRX should match the outbound SPI of the Cisco and vice versa.

    6. If the SPI values differ, then clear the IPsec and IKE SAs and test again.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too


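The checks in steps 2 through 5 of the reply above, as an added example that is not part of the original thread and not a Juniper or Cisco tool: a small Python script that parses the text of show security flow session, show security ipsec security-associations and IOS show crypto ipsec sa, flags any session wing that shows Pkts: 0 (no return traffic), and cross-checks that the SRX inbound SPI equals the Cisco outbound SPI and vice versa. The three sample outputs are constructed for the example (the SPI values are the ones the original poster pasted earlier); the Cisco sample is trimmed to the SA lines, and all function names are my own.

```python
import re

# Constructed sample in the format of Junos 'show security flow session ...'.
# The Out wing shows Pkts: 0, i.e. no return traffic from the Cisco side was seen.
FLOW_SESSIONS = """\
Session ID: 40021, Policy name: 101/5, Timeout: 2, Valid
  In: 20.20.20.5/7 --> 10.10.10.1/7;icmp, If: fe-0/0/4.0, Pkts: 5, Bytes: 420
  Out: 10.10.10.1/7 --> 20.20.20.5/7;icmp, If: st0.1, Pkts: 0, Bytes: 0
Total sessions: 1
"""

# Constructed sample in the format of Junos 'show security ipsec security-associations'
# (SPI values taken from the thread; '<' marks the inbound SA, '>' the outbound SA).
SRX_SAS = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 f7797ad5 3409/  4608000 -  root 500   1.1.1.1
  >131073 ESP:3des/sha1 f4f78f65 3409/  4608000 -  root 500   1.1.1.1
"""

# Constructed sample in the format of IOS 'show crypto ipsec sa', trimmed to the SA lines.
CISCO_SAS = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
     inbound esp sas:
      spi: 0xF4F78F65(4109864805)
        transform: esp-3des esp-sha-hmac ,
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xF7797AD5(4151933653)
        transform: esp-3des esp-sha-hmac ,
     outbound ah sas:
     outbound pcp sas:
"""

WING = re.compile(r"^\s*(In|Out):\s+(\S+)\s+-->\s+(\S+);(\w+),.*?Pkts:\s*(\d+)")
SRX_SA = re.compile(r"^\s*([<>])\d+\s+ESP:\S+\s+([0-9a-fA-F]+)\s")
IOS_SECTION = re.compile(r"^\s*(inbound|outbound)\s+(esp|ah|pcp)\s+sas:")
IOS_SPI = re.compile(r"^\s*spi:\s*0x([0-9a-fA-F]+)")


def zero_packet_wings(text):
    """Return [(wing, 'src -> dst proto')] for every session wing showing Pkts: 0."""
    return [(m.group(1), f"{m.group(2)} -> {m.group(3)} {m.group(4)}")
            for m in map(WING.match, text.splitlines()) if m and int(m.group(5)) == 0]


def srx_spis(text):
    """{'inbound': {spi}, 'outbound': {spi}} from Junos output; '<' is inbound, '>' outbound."""
    sas = {"inbound": set(), "outbound": set()}
    for m in map(SRX_SA.match, text.splitlines()):
        if m:
            sas["inbound" if m.group(1) == "<" else "outbound"].add(int(m.group(2), 16))
    return sas


def ios_spis(text):
    """Same structure from IOS output; only the 'esp sas' sections are collected."""
    sas = {"inbound": set(), "outbound": set()}
    section = None
    for line in text.splitlines():
        m = IOS_SECTION.match(line)
        if m:
            section = m.group(1) if m.group(2) == "esp" else None
            continue
        m = IOS_SPI.match(line)
        if m and section:
            sas[section].add(int(m.group(1), 16))
    return sas


def spi_mismatches(srx, ios):
    """Step 5: the SRX inbound SPI set must equal the Cisco outbound set and vice versa."""
    problems = []
    for srx_dir, ios_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        if srx[srx_dir] != ios[ios_dir]:
            problems.append(f"SRX {srx_dir} {sorted(map(hex, srx[srx_dir]))} != "
                            f"Cisco {ios_dir} {sorted(map(hex, ios[ios_dir]))}")
    return problems


def diagnose(flow_text, srx_sa_text, ios_sa_text):
    """Run both checks; an empty list means neither symptom from the reply is present."""
    findings = [f"no return traffic: {wing} wing {flow} has Pkts: 0"
                for wing, flow in zero_packet_wings(flow_text)]
    findings += spi_mismatches(srx_spis(srx_sa_text), ios_spis(ios_sa_text))
    return findings


if __name__ == "__main__":
    for finding in diagnose(FLOW_SESSIONS, SRX_SAS, CISCO_SAS):
        print(finding)
```

With the constructed samples the SPIs line up, so the only finding is the Out wing with zero packets, which is the "return packets are not coming through" case from the reply; swapping either SPI in the Cisco text makes spi_mismatches report the stale pair that step 6 says to clear.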

  • 7.  RE: Route-based IPsec between Cisco router and Juniper SRX
    Best Answer

    Posted 09-26-2014 11:01

    Hi, rparthi!

    Thanks for your troubleshooting! But I had made some changes to my scheme before I saw your answer. So I added a router behind the SRX and set up a dynamic routing protocol (BGP).

    Now it works well (routing, security IKE, IPsec, policies). Here I use a crypto map instead of VTI on the Cisco router. (I have tried VTI too. It works well.)

    4321.png

    cisco1811:

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    multilink bundle-name authenticated
    !
    !
    !
    archive
     log config
      hidekeys
    ! 
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key regata577 address 172.16.0.2
    !
    !
    crypto ipsec transform-set TS esp-3des esp-sha-hmac 
    !
    crypto ipsec profile IPSECPROFILE
     set transform-set TS 
    !
    !
    crypto map PI-IPSEC 1 ipsec-isakmp 
     description **TEST-IPSEC**
     set peer 172.16.0.2
     set security-association lifetime seconds 28800
     set transform-set TS 
     match address TEST-IPSEC
    !
    !
    !
    ip tcp synwait-time 5
    !
    policy-map FOO
     class class-default
      shape average 128000
    !
    !
    !
    !
    !
    interface Loopback5
     ip address 5.5.5.1 255.255.255.255
    !
    interface Loopback10
     ip address 10.10.10.1 255.255.255.0
    !
    interface Loopback33
     description **for IPSEC-PI**
     ip address 33.33.33.33 255.255.255.255
     ip nat outside
     ip virtual-reassembly
     ip policy route-map REROUTE
     crypto map PI-IPSEC
    !
    interface FastEthernet0/0
     ip address 172.16.0.1 255.255.255.252
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    router bgp 100
     bgp log-neighbor-changes
     neighbor 172.16.0.2 remote-as 200
     !
     address-family ipv4
      redistribute connected
      neighbor 172.16.0.2 activate
      no auto-summary
      no synchronization
     exit-address-family
    !
    ip local policy route-map REROUTE
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.16.0.2
    ip route 20.20.20.0 255.255.255.0 Loopback33
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended TEST-IPSEC
     permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
    !
    !
    !
    !
    route-map REROUTE permit 6
     description **for IPSEC-PI**
     match ip address REROUTE
     set default interface Loopback33
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line vty 0 4
     login
    !
    !
    end

     srx:

    system {
        root-authentication {
            encrypted-password "$1$XTjfjhv5$vXlOzT/W4kK6nj4fHfxvY/"; ## SECRET-DATA
        }
        login {
            user vlazarev {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$KN2wmboA$co8aH/Q1nZfBQ1oO81HLv0"; ## SECRET-DATA
                }
            }
        }
        services {
            telnet;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 172.16.0.2/30;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.0.2/30;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 131.131.131.100/24;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
    }
    routing-options {
        static {
            route 10.10.10.0/24 next-hop st0.0;
        }
        autonomous-system 200;
    }
    protocols {
        bgp {
            group eBGP {
                type external;
                neighbor 172.16.0.1 {
                    export send-direct;
                    peer-as 100;
                }
                neighbor 192.168.0.1 {
                    export [ send-direct send-static ];
                    peer-as 300;
                }
            }
        }
    }
    policy-options {
        policy-statement send-direct {
            term term1 {
                from protocol direct;
                then accept;
            }
        }
        policy-statement send-static {
            from protocol static;
            then accept;
        }
    }
    security {
        ike {
            policy ike_policy {
                mode main;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$wP2JD.mT9Cu4anCtpREwY2ajHTz3"; ## SECRET-DATA
            }
            gateway ike_gate {
                ike-policy ike_policy;
                address 33.33.33.33;
                external-interface ge-0/0/0;
            }
        }
        ipsec {
            policy ipsec_policy {
                proposal-set compatible;
            }
            vpn IPSEC_VPN {
                bind-interface st0.0;       
                ike {
                    gateway ike_gate;
                    proxy-identity {
                        local 20.20.20.0/24;
                        remote 10.10.10.0/24;
                        service any;
                    }
                    ipsec-policy ipsec_policy;
                }
                establish-tunnels immediately;
            }
        }
        policies {
            from-zone Untrust to-zone Trust {
                policy 100 {
                    match {
                        source-address MOSCOW;
                        destination-address KRASNODAR;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Trust to-zone Untrust {
                policy 101 {
                    match {
                        source-address KRASNODAR;
                        destination-address MOSCOW;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone ACCESS {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {                
                    ge-0/0/2.0;
                }
            }
            security-zone Trust {
                address-book {
                    address KRASNODAR 20.20.20.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                    protocols {
                        bgp;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone Untrust {
                address-book {
                    address MOSCOW 10.10.10.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    st0.0;
                }
            }
        }
    }

  • 8.  RE: Route-based IPsec between Cisco router and Juniper SRX

    Posted 09-27-2014 00:42

    Hi vlazarev,

    Thanks for the update.

    Please mark this as resolved so that we can close this thread.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too