SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 01:03

    Hi,

    I was going through the SRX ipsec-vpn configuration and have the policy below in place for the zone:

     

    root@SRX2# show security policies | display set
    set security policies from-zone internal2 to-zone untrust policy itou match source-address any
    set security policies from-zone internal2 to-zone untrust policy itou match destination-address any
    set security policies from-zone internal2 to-zone untrust policy itou match application any
    set security policies from-zone internal2 to-zone untrust policy itou then permit tunnel ipsec-vpn ipsec-vpn2
    set security policies from-zone internal2 to-zone untrust policy itou then permit tunnel pair-policy utoi
    set security policies from-zone untrust to-zone internal2 policy utoi match source-address any
    set security policies from-zone untrust to-zone internal2 policy utoi match destination-address any
    set security policies from-zone untrust to-zone internal2 policy utoi match application any
    set security policies from-zone untrust to-zone internal2 policy utoi then permit tunnel ipsec-vpn ipsec-vpn2
    set security policies from-zone untrust to-zone internal2 policy utoi then permit tunnel pair-policy itou

    [edit]
    root@SRX2# show security zones | display set
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone internal2 interfaces ge-0/0/1.222 host-inbound-traffic system-services ping

    What I do not understand is that at the zone level I have not allowed any protocol related to IKE, but it still forms an IKE association and works fine. Is IKE not a host-inbound service, or does the policy written above override the zone configuration below?

    Kindly explain.

    PS: the IPsec VPN has formed, see below.

    [edit]
    root@SRX2# run show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    5976827 UP     a5477ea1d168bb86  eb58a3c288f0380f  Main           9.9.12.11    

    Thanks



  • 2.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 06:38

    Hello,

    If we are the initiator of the VPN, there is no need for the host-inbound service "ike" in the security zone. Only if we are the responder do we need to have this; otherwise it will work without the host-inbound service ike in the security zones.



  • 3.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 08:16

    Hi Joses,

    Thanks for the revert. I have an identical configuration on both SRX boxes. I suppose there will be only one requestor in this case; am I wrong or missing something here?

    Thanks



  • 4.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 09:05

    Hello,

    Can you make sure that you have not enabled "host-inbound-services" globally at the zone level in any of the zones (even though it is not enabled at the interface level)?

    If it is not enabled at the global zone level on both ends of the SRX, can you share the Junos version that you are running?



  • 5.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 09:16

    Hello,

    Your understanding is correct that it is recommended that the "host-inbound service" be enabled at the zone/interface level for bringing up IKE. Never seen this come up without enabling host-inbound services.



  • 6.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 19:47

    Hi,

    Please find it below:

    lab@SRX1# show security zones | display set

    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0

    set security zones security-zone internal1 host-inbound-traffic system-services ping
    set security zones security-zone internal1 host-inbound-traffic system-services all
    set security zones security-zone internal1 host-inbound-traffic protocols all
    set security zones security-zone internal1 interfaces ge-0/0/1.111

    set security zones security-zone v1 host-inbound-traffic system-services all
    set security zones security-zone v1 host-inbound-traffic protocols all
    set security zones security-zone v1 interfaces st0.0

    [edit]
    lab@SRX1# run show version
    Hostname: SRX1
    Model: firefly-perimeter
    JUNOS Software Release [12.1X47-D10.4]

    Found it the same for either route-based or policy-based VPN services.

    Thanks

    Rakesh M

    https://r2079.wordpress.com



  • 7.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 20:46

    Hello,

    Thanks for the output. So there is no host-inbound service IKE enabled on the external zone/interface. Not sure about Firefly, but in the SRX documentation the host-inbound service IKE is mandatory for IKE to come up. Maybe in Firefly the establish-tunnel part takes care of this.

    I checked on SRX devices in my lab and they needed the host-inbound service IKE to bring the VPN up.
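    An added configuration audit (written for this thread, not code from any poster and not a Juniper tool) that applies the point of this reply: parse "display set" zone output and flag any zone/interface that terminates a VPN but lacks the "ike" host-inbound service. The SRX1 zone lines are a subset of those posted earlier in the thread; the fix line, the audit function names and the precedence rule between interface-level and zone-level lists are assumptions noted in the comments.

```python
import re

# 'display set' lines for host-inbound-traffic system-services at zone or interface
# scope, including the 'except' form that carves one service out of 'all'.
SVC_RE = re.compile(r"^set security zones security-zone (?P<zone>\S+) "
                    r"(?:interfaces (?P<ifname>\S+) )?host-inbound-traffic "
                    r"system-services (?P<svc>\S+)(?P<exc> except)?$")

def _scope():
    return {"allow": set(), "deny": set(), "interfaces": {}}

def parse_zones(config):
    """Map zone -> {allow, deny, interfaces: {ifname -> {allow, deny}}} from 'display set' text."""
    zones = {}
    for raw in config.splitlines():
        m = SVC_RE.match(raw.strip())
        if not m:
            continue  # protocols, address books, plain interface lines: irrelevant to this check
        scope = zones.setdefault(m["zone"], _scope())
        if m["ifname"]:
            scope = scope["interfaces"].setdefault(m["ifname"], _scope())
        scope["deny" if m["exc"] else "allow"].add(m["svc"])
    return zones

def ike_allowed(zones, zone, ifname):
    """True if IKE (UDP 500/4500) may reach the routing engine on this zone/interface."""
    z = zones.get(zone)
    if z is None:
        return False
    # Assumed Junos precedence: an interface-level host-inbound-traffic list, when present,
    # replaces the zone-level list for that interface rather than adding to it.
    scope = z["interfaces"].get(ifname) or z
    return "ike" not in scope["deny"] and bool(scope["allow"] & {"ike", "all"})

def audit_vpn_terminations(config, terminations):
    """terminations: [(zone, ifname)] where IKE peers connect. Returns one finding per gap."""
    zones = parse_zones(config)
    return [f"{zone}/{ifname}: 'ike' missing from host-inbound-traffic; box cannot answer IKE as responder"
            for zone, ifname in terminations if not ike_allowed(zones, zone, ifname)]

# Zone config as posted for SRX1 in the thread (untrust permits only ping).
SRX1_ZONES = """
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone internal1 host-inbound-traffic system-services all
set security zones security-zone internal1 interfaces ge-0/0/1.111
"""
# Constructed fix: the single line the replies say the responder side needs.
SRX1_FIXED = SRX1_ZONES + "set security zones security-zone untrust host-inbound-traffic system-services ike\n"
```

    Run `audit_vpn_terminations(SRX1_ZONES, [("untrust", "ge-0/0/0.0")])` to get one finding for the posted config and an empty list for SRX1_FIXED.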



  • 8.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-12-2015 23:44
    Hi, I should have mentioned that I was using vSRX in the first place. Maybe a glitch in the vSRX coding, I guess. Thanks for the input, I will give it a try on a real device and see how it goes. Thanks


  • 9.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-13-2015 01:54

    Hello,

    It looks to be the same. Please let us know the outcome from the actual SRXs.



  • 10.  RE: SRX Policy Confusion with IPSEC vpn ?
    Best Answer

    Posted 07-13-2015 03:04

    Hello Rakesh,

    I have recreated the issue with vSRX and found the same thing that you found. My VPN also came up without any host-inbound services.

    It looks like a bug. There is also an open PR for the same.



  • 11.  RE: SRX Policy Confusion with IPSEC vpn ?

    Posted 07-31-2015 23:31

    Hi Joses,

    Thanks for the information about the PR.

    Cheers

    Rakesh