SRX

  • 1.  SRX 100 route based VPN behind NAT

    Posted 02-25-2015 08:03
    Hi experts,

    I'm having a hard time configuring a route-based VPN between two SRX 100s.
    In the middle we have a Watchguard firewall that does one-to-one NAT to the VPN IP.

    Topology is

    SRX1 ---- Internet ---- Watchguard (one to one NAT) ---- SRX2

    Can ping from SRX1 to SRX2 public IP successfully.
    All policies are configured to permit VPN traffic.

    On the SRX behind the NAT box we have security ike policy POLICY local-address PrivateIP.
    With this config the IKE SA on SRX1 is not formed, and there is no IPsec SA either.

    If I change local-address from the private IP to the public IP, IKE and IPsec are forming but cannot send any traffic on the tunnel.

    I did a debug on the NAT firewall on the LAN side and saw that the packets are sourced by SRX2 from the public IP.

    Can you please share a working config for a route-based VPN when one SRX is behind a NAT box?

    Thank you.

  • 2.  RE: SRX 100 route based VPN behind NAT

    Posted 02-25-2015 12:23

    Try using aggressive mode, as below.

    security {
        ike {
            proposal P1-AES {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
            }
            policy ike-policy-1 {
                mode aggressive;
                proposals P1-AES;
                pre-shared-key ascii-text "$xxxxxxx"; ## SECRET-DATA
            }
            ## Responder side: the peer is matched by its user-at-hostname identity, not by IP
            gateway wishard {
                ike-policy ike-policy-1;
                dynamic user-at-hostname "foo@example.com";
                external-interface ge-0/0/0.0;
            }
        }
    }
    And the other end (this was set up to be behind a dynamic IP, so it always initiated the connection):
    security {
        ike {
            proposal P1-AES {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
            }
            policy ike-policy-1 {
                mode aggressive;
                proposals P1-AES;
                pre-shared-key ascii-text "$xxxx"; ## SECRET-DATA
            }
            ## Initiator side: points at the responder's fixed address and sends the matching identity
            gateway gw1 {
                ike-policy ike-policy-1;
                address 10.1.2.3;
                dead-peer-detection {
                    always-send;
                    interval 60;
                    threshold 5;
                }
                local-identity user-at-hostname "foo@example.com";
                external-interface ge-0/0/0.0;
            }
        }
    }
    


  • 3.  RE: SRX 100 route based VPN behind NAT

    Posted 02-25-2015 15:06
    Hi Mike,

    Thanks for the reply.

    I tried aggressive but still the same.

    How can we make the device behind the NAT box be the responder all the time?

    Thanks.



  • 4.  RE: SRX 100 route based VPN behind NAT

    Posted 02-26-2015 03:09

    Hi,

    Not a setup I've come across before, but I think NAT traversal needs to be enabled to accomplish this.

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/ipsec-nat-traversal-understanding.html

    Cheers.

    Mas



  • 5.  RE: SRX 100 route based VPN behind NAT
    Best Answer

    Posted 02-26-2015 23:09

    Hello,

    One of my remote sites sits behind one-to-one NAT. Working config is:

    1) Aggressive VPN

            policy ike-pol-a {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$xxxxx";
            }
            gateway gw-primary {
                ike-policy ike-pol-a;
                address 93.xxx.xxx.1; 
                local-identity hostname no-tam-pri;
                external-interface ge-0/0/0.0;
            }
            gateway gw-secondary {
                ike-policy ike-pol-a;
                address 194.xxx.xxx.2;
                local-identity hostname no-tam-sec;
                external-interface ge-0/0/0.0;
            }
    

     2)  Zone untrust accepts IKE - this is the key condition. Without it NAT traversal doesn't work.

            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                        ping;
                        https;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
    

    The other side in my setup is an SSG140, but I hope it will work with your SRX on both sides.


    Dmitry



  • 6.  RE: SRX 100 route based VPN behind NAT

    Posted 02-27-2015 15:03
    Hello Dmitry,

    Thanks for the message and config.
    It helped me.

    I got it working.
    After applying local-identity (the global IP of the one-to-one NAT) to the security ike gateway on the SRX behind the NAT, it started working.

    #set security ike gateway GATEWAY local-identity inet NATGLOBALIP

    Without setting the local-identity, the SRX behind the NAT will send its identity as the outgoing IP (the PRIVATE IP), and SRX1 will be confused because, as far as it knows, the gateway's IP is the GLOBAL IP.

    Thank you everyone.