SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Route-based VPN - almost working

    Posted 10-12-2012 06:12

    Hi,

     

    I've set up a route-based VPN between a SRX240 and SRX210. The VPN is up (both Phase1 and Phase2 are OK), but I can't reach anything on the other side of the VPN. I suspect that something is wrong in my routing or some policy somewhere, but I feel a bit lost at the moment. My network looks like this:

     

    [Image: vpn.jpg (network diagram, not available in this copy)]

     

    When I'm logged in to the SRX210 on the remote office, I should be able to ping the interface in the int zone (10.101.13.15) on the local office SRX240, but I can't (I have lots of hosts behind the SRX240, but I can't reach any of them. Trying to access this interface seems like the best start though). Can anyone see what the problem is?

     

    I've included my configuration below.

     

    SRX240 - local office:

     

    version 11.4R5.5;
    system {
        host-name local;
        services {
            ssh;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 10;
    }
    interfaces {
        ge-0/0/4 {
            unit 0 {
                family inet {
                    address 1.1.1.5/24;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 10.101.13.15/24;
                }                           
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/24;
                }
            }
        }
        st0 {
            unit 0 {
                multipoint;
                family inet {
                    address 172.19.19.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.1;
            route 10.101.0.0/16 next-hop 10.101.13.1;
            route 10.120.0.0/16 next-hop st0.0;
        }
    }
    security {
        ike {
            proposal Remote-Office-PSK {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy Remote-Office-Static {
                mode main;
                proposals Remote-Office-PSK;
                pre-shared-key ascii-text "BLAHA"; ## SECRET-DATA
            }
            gateway Remote-Office {
                ike-policy Remote-Office-Static;
                address 2.2.2.2;
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                external-interface ge-0/0/4.0;
            }
        }
        ipsec {
            proposal Remote-Offices {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy Remote-Offices {
                proposals Remote-Offices;
            }
            vpn Remote {
                bind-interface st0.0;
                ike {
                    gateway Remote-Office;
                    proxy-identity {
                        local 0.0.0.0/0;
                        remote 0.0.0.0/0;
                        service any;
                    }
                    ipsec-policy Remote-Offices;
                }
                establish-tunnels immediately;
            }
        }
        policies {
            from-zone int to-zone vpn {
                policy Remote-Offices {
                    match {
                        source-address 10.101.0.0/16;
                        destination-address Remote-network;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn to-zone int {
                policy Remote-Offices {
                    match {
                        source-address Remote-network;
                        destination-address 10.101.0.0/16;
                        application any;
                    }                       
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone ext {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/4.0;
                }
            }
            security-zone int {
                address-book {
                    address 10.101.0.0/16 10.101.0.0/16;
                }
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/5.0;
                }
            }
            security-zone vpn {
                address-book {
                    address Remote-network 10.120.0.0/16;
                }
                interfaces {
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                ike;
                            }
                        }
                    }
                }
            }
        }
    }

     

    SRX210 - remote office:

     

    version 11.4R5.5;
    system {
        host-name remote;
        services {
            ssh;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 10;
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 2.2.2.5/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {                  
                        members [ ACCNET101 ];
                    }
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 172.19.19.120/24;
                }
            }
        }
        vlan {
            unit 101 {
                family inet {
                    address 10.120.101.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.1;
            route 10.101.0.0/16 next-hop st0.0;
        }
    }
    security {
        ike {
            proposal Remote-Office-PSK {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy Remote-Office-Static {
                mode main;
                proposals Remote-Office-PSK;
                pre-shared-key ascii-text "BLAHA"; ## SECRET-DATA
            }
            gateway Main-Office {
                ike-policy Remote-Office-Static;
                address 1.1.1.5;
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            proposal Remote-Offices {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy Remote-Offices {
                proposals Remote-Offices;
            }
            vpn Main {
                bind-interface st0.0;
                ike {
                    gateway Main-Office;
                    proxy-identity {
                        local 0.0.0.0/0;
                        remote 0.0.0.0/0;
                        service any;
                    }
                    ipsec-policy Remote-Offices;
                }
            }
        }
        policies {
            from-zone int to-zone vpn {
                policy Remote-Offices {
                    match {
                        source-address 10.120.0.0/16;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn to-zone int {
                policy Remote-Offices {
                    match {
                        source-address any;
                        destination-address 10.120.0.0/16;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }                               
        }
        zones {
            security-zone ext {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        ike;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone vpn {
                interfaces {
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                ike;
                            }
                        }
                    }
                }
            }
            security-zone int {
                address-book {
                    address 10.120.0.0/16 10.120.0.0/16;
                }
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        ssh;
                    }
                }
                interfaces {
                    vlan.101;
                }
            }
        }
    }
    vlans {
        ACCNET101 {
            vlan-id 101;
            l3-interface vlan.101;
        }
    }

     

     



  • 2.  RE: SRX Route-based VPN - almost working

    Posted 10-12-2012 10:46

    Try setting the routes to point to the L3 address on the st0 interfaces instead of just the interface address. Since you're using a /24 for the subnet, the SRX will not treat it as a P2P connection.

     

    Another thing to test - add ping to the st0.0's host-inbound-traffic system-services and see if you can ping between the st0's interfaces directly. That will tell you that the VPN is ok.



  • 3.  RE: SRX Route-based VPN - almost working

    Posted 10-12-2012 12:15

    Hm, interesting. I started with adding ping to st0.0's host-inbound-traffic system-services on both routers as you suggested. I can ping 172.19.19.1 from 172.19.19.120 and vice versa, so the VPN seems to be fine.

     

    So, on the SRX240 I continued with replacing:

     

    route 10.120.0.0/16 next-hop st0.0;

     with

    route 10.120.0.0/16 next-hop 172.19.19.120;

     With this in place, I can ping anything on the network behind the SRX210 from the SRX240.

     

    However, pinging the SRX240 internal interface (the int zone, 10.101.13.15) from the SRX210 does not work. So I did the same thing on the SRX210, I replaced:

     

    route 10.101.0.0/16 next-hop st0.0;

     with

    route 10.101.0.0/16 next-hop 172.19.19.1;

     But that didn't work. I still cannot ping the interface in the int zone on the SRX240 from the SRX210.

     

    Any ideas?



  • 4.  RE: SRX Route-based VPN - almost working

    Posted 10-12-2012 12:57

    Ok, so I did a few more tests...

     

    A client behind the SRX210 (on the 10.120.101.0/24 network) can ping a client behind the SRX240 (on the 10.101.13.0/24 network) and vice versa.

     

    A client behind the SRX210 (on the 10.120.101.0/24 network) can ping the internal interface on the SRX240 (the 10.101.13.15 interface).

     

    The SRX210 can NOT ping the internal interface on the SRX240 (the 10.101.13.15 interface).

     

    Any ideas?



  • 5.  RE: SRX Route-based VPN - almost working
    Best Answer

    Posted 10-13-2012 05:25

    Hi,

     

    Try ping with source 10.120.101.1; it should reply.


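The following is an added example, not code from the thread and not Junos itself: a small Python model of two checks an SRX performs on a packet arriving on st0.0 (a longest-prefix route lookup to find the egress interface and so the to-zone, then a first-match security policy lookup from the ingress zone to that zone, with an implicit deny when nothing matches). The prefixes, zone names, address-book entries and policy terms are copied from the two configurations posted above; `any` is modelled as 0.0.0.0/0, and the connected interface prefixes are listed as routes. One assumption is labelled in the code: that a packet addressed to the SRX240's own int-zone address and arriving on st0.0 is subject to the vpn-to-int policy. That assumption is what the observations in posts 3 to 5 point at, since the only thing separating a ping sourced from 172.19.19.120 and one sourced from 10.120.101.1 is the SRX240's `source-address Remote-network` match, while the SRX210's mirror policy uses `source-address any` and therefore accepts the SRX240's st0 address.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    name: str
    source: str        # address-book name or literal prefix, as in the config
    destination: str
    action: str


@dataclass
class Srx:
    name: str
    routes: list        # (prefix, egress interface), connected prefixes included
    iface_zone: dict    # interface -> security zone
    address_book: dict  # address-book name -> IPv4Network
    policies: list

    def route_lookup(self, dst: IPv4Address) -> str:
        """Longest-prefix match; returns the egress interface."""
        best = None
        for prefix, iface in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1]

    def policy_lookup(self, src, dst, from_zone, to_zone):
        """First matching policy wins; no match is the implicit default deny."""
        for p in self.policies:
            if (p.from_zone, p.to_zone) != (from_zone, to_zone):
                continue
            if src in self.address_book[p.source] and dst in self.address_book[p.destination]:
                return p.name, p.action
        return None, "deny"

    def evaluate(self, src: str, dst: str, ingress_iface: str) -> str:
        """'permit' or 'deny' for a packet entering on ingress_iface.
        Assumption: traffic to the box's own int-zone address is checked
        against the policy from the ingress zone to the int zone."""
        s, d = ip_address(src), ip_address(dst)
        from_zone = self.iface_zone[ingress_iface]
        to_zone = self.iface_zone[self.route_lookup(d)]
        return self.policy_lookup(s, d, from_zone, to_zone)[1]


ANY = ip_network("0.0.0.0/0")

# SRX240, local office (from the posted configuration).
SRX240 = Srx(
    name="local",
    routes=[(ip_network("0.0.0.0/0"), "ge-0/0/4.0"),
            (ip_network("10.101.0.0/16"), "ge-0/0/5.0"),
            (ip_network("10.120.0.0/16"), "st0.0"),
            (ip_network("1.1.1.0/24"), "ge-0/0/4.0"),       # connected
            (ip_network("10.101.13.0/24"), "ge-0/0/5.0"),   # connected
            (ip_network("172.19.19.0/24"), "st0.0")],       # connected
    iface_zone={"ge-0/0/4.0": "ext", "ge-0/0/5.0": "int", "st0.0": "vpn"},
    address_book={"10.101.0.0/16": ip_network("10.101.0.0/16"),
                  "Remote-network": ip_network("10.120.0.0/16"), "any": ANY},
    policies=[Policy("int", "vpn", "Remote-Offices", "10.101.0.0/16", "Remote-network", "permit"),
              Policy("vpn", "int", "Remote-Offices", "Remote-network", "10.101.0.0/16", "permit")],
)

# SRX210, remote office (from the posted configuration).
SRX210 = Srx(
    name="remote",
    routes=[(ip_network("0.0.0.0/0"), "ge-0/0/0.0"),
            (ip_network("10.101.0.0/16"), "st0.0"),
            (ip_network("2.2.2.0/24"), "ge-0/0/0.0"),       # connected
            (ip_network("10.120.101.0/24"), "vlan.101"),    # connected
            (ip_network("172.19.19.0/24"), "st0.0")],       # connected
    iface_zone={"ge-0/0/0.0": "ext", "vlan.101": "int", "st0.0": "vpn"},
    address_book={"10.120.0.0/16": ip_network("10.120.0.0/16"), "any": ANY},
    policies=[Policy("int", "vpn", "Remote-Offices", "10.120.0.0/16", "any", "permit"),
              Policy("vpn", "int", "Remote-Offices", "any", "10.120.0.0/16", "permit")],
)


def thread_scenarios() -> dict:
    """The four pings from posts 3 to 5, each evaluated on the receiving SRX.
    A self-originated ping uses the egress st0.0 address as source unless a
    source is given; 10.120.101.50 is a constructed client address."""
    return {
        "srx240_to_remote_host": SRX210.evaluate("172.19.19.1", "10.120.101.50", "st0.0"),
        "srx210_default_source": SRX240.evaluate("172.19.19.120", "10.101.13.15", "st0.0"),
        "remote_client_to_srx240": SRX240.evaluate("10.120.101.50", "10.101.13.15", "st0.0"),
        "srx210_with_source": SRX240.evaluate("10.120.101.1", "10.101.13.15", "st0.0"),
    }


if __name__ == "__main__":
    for case, verdict in thread_scenarios().items():
        print(f"{case:26s} {verdict}")
```

Only the second case is denied: the SRX210's default source 172.19.19.120 falls outside `Remote-network`, so the SRX240's vpn-to-int policy never matches and the implicit deny applies. Sourcing the ping from 10.120.101.1, as the best answer suggests, puts it inside the address-book entry and the same policy permits it; widening the policy's source match or adding the st0 prefix to the address book would be the configuration-side alternative.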

  • 6.  RE: SRX Route-based VPN - almost working

    Posted 10-13-2012 14:33

    Thank you. It's working. I didn't know about the "ping source" functionality.