SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  [SRX] - OSPF via IPSEC tunnel

    Posted 06-25-2015 03:37

    Hello all,

     

    I'm familiar with using ScreenOS on SSG, but now I'm new to Junos (SRX), which I have to do some familiarization with. I need some advice on OSPF routing troubleshooting via IPSEC tunnel. I'm working on a lab set up using multipoint VPN tunnelling. My lab set-up is shown in the diagram, including the two SRX configurations attached to this message. A few problems that I encountered are as follows:

    i. OSPF routing via IPSEC tunnel is working, but not all routes from both sides are in.

    ii. My laptop (with the IP address 10.88.2.2/24) is unable to 'ping' another laptop (10.45.2.4/24) on the other segment, and vice versa.

    iii. Both L3 switches are running OSPF routing and it works fine.

    iv. I'm unable to 'ping' the tunnel interface on the other firewall, down to each interface connected to the other firewall.

    From here my conclusion is: it might be something to do with security policies. I'm new to this and I don't know what else I should be looking into to solve this problem.

    I hope anyone of you with good experience of OSPF routing via IPSEC tunnel could advise and share your knowledge with me.

    Thank you very much for your advice 😄

     

    Alex

    Attachment(s): LAB-SRX-CONFG.txt, LAB-DCHQ-CONFG.txt


  • 2.  RE: [SRX] - OSPF via IPSEC tunnel

    Posted 06-25-2015 14:03

    By just looking at your first graph, you seem to have a non-continuous OSPF area 0; a continuous OSPF area 0 is required for proper route summarization.



  • 3.  RE: [SRX] - OSPF via IPSEC tunnel

    Posted 06-25-2015 23:38

    Hi,

     

    Thanks for pointing it out. I have fixed it and the routing works as expected, but I am still unable to get a ping response from the 10.88.2.0 network to the 10.45.2.0 network and vice versa. Is this due to the security policy not being properly defined?

     

    Thanks and regards,

     

    Alex



  • 4.  RE: [SRX] - OSPF via IPSEC tunnel
    Best Answer

    Posted 06-26-2015 03:51

    Ping from network node to network node would be controlled by your security policies.

    Ping to the interface addresses on the firewall is controlled by zone settings for

    host-inbound-traffic system-services ping

    These can be applied for the whole zone or by interface in the zone.

    For policy troubleshooting I would add logging to all the policies and create an explicit deny rule with logging on session initiation at the end.

    Then attempt the ping and look at the traffic logs to see how the traffic is being matched.
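
    An added configuration example illustrating the approach in this answer, not taken from the attached lab configs or from the reply above: ping allowed as host-inbound traffic in the zone, an intra-zone policy limited to the two LAN subnets from the thread (tighter than an any/any permit), and a final logged deny so the traffic log shows which rule a failed ping hit. The zone name trust and the subnets come from the thread; the address and policy names are assumed, as is that st0.0 and both LAN interfaces are members of zone trust.

```junos
security {
    address-book {
        global {
            address NET-HQ-LAN 10.88.2.0/24;
            address NET-BRANCH-LAN 10.45.2.0/24;
        }
    }
    zones {
        security-zone trust {
            /* assumed: st0.0 and both LAN interfaces are in this zone */
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy permit-lan-to-lan {
                match {
                    source-address [ NET-HQ-LAN NET-BRANCH-LAN ];
                    destination-address [ NET-HQ-LAN NET-BRANCH-LAN ];
                    application junos-icmp-ping;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            /* catch-all after the permits: logged denies show what was not matched */
            policy deny-all-log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

    Session logs only reach a file once syslog is configured to capture them (for example a file under system syslog matching RT_FLOW_SESSION); each RT_FLOW_SESSION_DENY entry carries the policy name and zone pair, so a denied ping from 10.88.2.2 will show deny-all-log and trust to trust.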



  • 5.  RE: [SRX] - OSPF via IPSEC tunnel

    Posted 06-27-2015 00:23

    Hi Steve,

     

    Thank you for your explanation. My issues were solved after changing the policy as per your advice, as follows.

            from-zone trust to-zone trust {
                policy policy_out_KGHH-VPN {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy policy_in_KGHH-VPN {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }

    I have changed these on the other firewall as well.

     

    Thank you very much!

     

    Alex



  • 6.  RE: [SRX] - OSPF via IPSEC tunnel

    Posted 06-27-2015 03:44

    Glad you have it all working now.  Welcome to Junos.