SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX multiple proxy-ID on route-based VPN with multiple local networks

  • 1.  SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-18-2012 14:15

    All,

    I hate to start another thread with a similar subject, but so far I have yet to find an answer to my issue (perhaps there isn't one).

     

    My Scenario:

     

    Local|SRX                           Remote | Non-Juniper

    10.0/24         <--->                172.0/24

    10.2/24         <--->                172.0/24

     

    IPSEC-VPN1

    Proxy-id:  Local:10.0/24 | Remote: 172.0/24

    Bind-IF:  st0.0

     

    IPSEC-VPN2

    Proxy-id:  Local: 10.2/24 | Remote: 172.0/24

    Bind-IF:  st0.0

     

    ST0.0

    Multipoint

    Family Inet address:  192.168.0.1/24

    NHTB:  192.168.0.2 --> IPSEC-VPN1

     

    Routing-Options

    -static route 172.0/24 next-hop 192.168.0.2

     

     

    •SRX3400 has multiple networks (non-contiguous) that the remote side needs to have access to over the VPN

    •Remote side is a non-Juniper device (Cisco / Checkpoint / whatever - any vendor whose VPNs resemble policy-based VPNs)

    •I realize that you can bind two (or more) phase 2 SAs (with different proxy-ids) to a single phase 1 gateway, but in my scenario, routing only works between 10.0/24 and 172.0/24 because of how NHTB and the static route are defined. There will be no way for traffic to pass between 10.2/24 and 172.0/24, since NHTB and routing are bound to the SA associated with 10.0/24.

     

    Can anyone tell me how to get around this?  I'll go to any length to avoid having to do policy-based VPNs, as they are a thing of the past and I hate them more than life - I migrated away from policy-based VPNs more than 10 years ago and I don't want to go back - ugghh!  I'm a ScreenOS veteran, and we were able to get around this scenario in 6.3+ code, where they added support for multiple proxy-ids per SA.  Unfortunately, Junos (11.4.x) doesn't support this feature yet.  My SRX3400s are turning into big (expensive) paperweights due to a handful of shortcomings in Junos (just venting).

     

    Anywho - any assistance would be hugely appreciated!

    nstroh



  • 2.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-19-2012 05:16

    I'm also searching an answer to the same question, due to the same reasons.

     

    Is there any chance that multiple proxy-id support will be coming to Junos as well? There have been rumours about that, but I haven't seen it on any official roadmap or article.

     

    We are migrating our production firewalls from SSG to SRX, which we already use everywhere else. Unfortunately there are customers/operators with those braindead Cisco / Sonicwall devices, which we have to interoperate with. We also have multiple trusted networks behind our SRX cluster that need to pass through the VPN tunnels, and policy-based VPN tunnels are really not an option. They are ugly, difficult to maintain and everything else.

     

    I'm starting to see leaving our SSG alive to run those VPN tunnels as the only valid option. Not that it would be a good one.



  • 3.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-22-2012 04:33

    The process requires that you create additional phase 2 objects and tunnel interfaces on the Junos side in order to generate the multiple proxy-ids.  The process is outlined in KB20543.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB20543



  • 4.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-26-2012 06:49

    spuluka - Thanks for taking the time to respond, but unfortunately the scenario outlined in the KB article does not pertain to my scenario.  The KB article that you provided discusses the scenario where there are multiple subnets on the Cisco side.  In my scenario, multiple subnets reside behind my SRX and only a single subnet behind the Cisco side.

     

    As stated in my original post, I understand it's possible to bind two phase 2 SAs to a single phase 1 gateway; however, the issue comes down to routing and/or NHTB to the remote subnet.  My original post outlines routing / NHTB using a single tunnel interface.  As you can see in that example, routing to the 172.0/24 net is sent to 192.168.0.2 (st0.0 NHTB), which is bound to IPSEC-VPN1, which has a proxy-id of 10.0/24 and 172.0/24.  This works for traffic between 10.0/24 and 172.0/24, however it will not allow traffic to pass between 10.2/24 and 172.0/24.

     

    Now, if you choose to use different tunnel interfaces for each phase 2 SA, a similar thing occurs with routing.

     

    IPSEC-VPN1

    Proxy-id:  Local: 10.0/24 | Remote:  172.0/24

    Bind-IF:  st0.0

     

    IPSEC-VPN2

    Proxy-id:  Local: 10.2/24  |  Remote:  172.0/24

    Bind-IF:  st0.1

     

    Routing-Options

    -static route 172.0/24 next-hop ? st0.0 or st0.1?  (No matter what you choose, routing will only work from one network on the SRX side)

     

    This has to be a known design flaw because the very same thing existed in ScreenOS until they fixed it in 6.3+ code.  I've got an email into our sales engineer on if there's anything on the roadmap to correct this deficiency - haven't heard anything back yet.  If I hear anything concrete back from him, I'll be sure to share.



  • 5.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-26-2012 08:21

    Yep, share if you hear anything.

     

    Our problem is the same, there are multiple networks behind our firewall and usually only one subnet at the customer sites. Or multiple subnets at both sides of the tunnel.



  • 6.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-26-2012 11:45

    Just heard back from our sales engineer, and he indicated that support for multiple proxy-ids per single SA is slated for 2013T3.  Not exactly what I wanted to hear, but it is what it is, I guess.

     

    Welcome back policy based VPN - you demented ugly little thing you!  [CRINGE!!!!!]



  • 7.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-26-2012 11:49

    Well, at least that is better than "never". Thanks for the info.



  • 8.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 05-11-2013 12:13

    This can be achieved using filter-based forwarding (FBF). FBF decides which source/destination to route into a specific tunnel interface. You could create multiple routing instances, one for each tunnel interface, with one tunnel interface for each source/destination combination. All tunnel interfaces will be bound to the external interface in the default routing instance. Configure routes accordingly in each routing instance.



  • 9.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 05-27-2013 16:54

    Thanks a lot for your post!

     

    I was looking around for how to do a route-based VPN when multiple subnets are on the SRX side and the peer is non-Juniper using a route-based VPN (since NAT doesn't really work well with policy-based VPN).

     

    I was able to do it as follows, without using NHTB:

     

     

     

    [edit security zones security-zone vpn-zone]
    sadm@SRX240# show | find interface
    interfaces {
        st0.0;
    }

     

     

     

    ******


    [edit security zones security-zone untrust]
    sadm@SRX240# show | find interfaces
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    tftp;
                    dhcp;
                }
            }
        }
        ge-0/0/15.0;  ----> untrust interface
        st0.1;
    }

     

    *******

     


    [edit routing-instances]
    sadm@SRX240# show
    vpn-route-instance {
        instance-type virtual-router;
        interface st0.0;
        routing-options {
            static {
                route 172.16.130.150/32 next-hop st0.0;
            }
        }
    }

     

    *********

     


    [edit]
    sadm@SRX240# show routing-options
    static {
        route 0.0.0.0/0 next-hop 10.102.100.1;
        route 172.16.130.150/32 next-hop st0.1;
    }

     

    *********

     


    [edit firewall filter Blah]
    sadm@SRX240# show
    term capture {
        from {
            source-address {
                172.19.22.50/32;
            }
            destination-address {
                172.16.130.150/32;
            }
        }
        then {
            routing-instance vpn-route-instance;
        }
    }
    term capture2 {
        then accept;
    }

     

     

    *********

     


    [edit]
    sadm@SRX240# show interfaces ge-0/0/14 ----> Trust interface
    unit 0 {
        family inet {
            filter {
                input Blah;
            }
            address 172.19.22.1/24;
        }
    }

     

    In addition, you'll need policies from the trust zone to the vpn zone and vice versa, as well as policies from trust to untrust and vice versa.

     

     

    Thanks!



  • 10.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-19-2013 14:11

    Multiple Proxy ID is going to be supported in 12.1x46-d20.  In this release, only IKEv1 will be supported, not IKEv2.  The current scheduled release for this is early May 2014.  Currently it is available only in beta.

     



  • 11.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 01-07-2014 10:38

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28198

     

    I followed that and was able to get FBF to route my traffic correctly. This is not the solution we want, but it did work. I have 8 different subnets that a vendor monitors for me, and they are using a Cisco ASA with just one subnet on their side.

     

    I look forward to the release where I can just configure multiple proxy-ids on my end and just have a much cleaner config.



  • 12.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 04-16-2014 18:46

    Would using traffic-selectors in 12.1x46-D15 solve this problem?



  • 13.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 05-28-2014 12:15

    12.1X46-D20.5 was just released last week.  I upgraded one of my boxes to it last night, and while the release notes SAY it supports multiple proxy IDs, I can't figure out how to actually make that config work.  The GUI still only has one line for Local/Remote proxy.  The CLI still only appears to take a single argument for remote/local.

     

    Anyone know how to enable this feature?



  • 14.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 05-28-2014 15:39

    Don't use proxy-ids, replace them with traffic selectors. See this:

     

    http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/ipsec-vpn-traffic-selector-configuring.html

     

    We've set it up for a VPN with an ASA and it works great.
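The three designs argued over in this thread, modelled in a short Python script that is an added example and not from any post or from Junos: which SA an outbound packet lands on with one multipoint st0 and NHTB (posts 1 and 4), with filter-based forwarding (posts 8 and 9), and with traffic selectors (post 14). The subnets are the original poster's 10.0/24, 10.2/24 and 172.0/24 written out in full; the routing-instance name vpn2-vr and the st0.1 binding are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of SA selection on an SRX, not Junos code. Addresses are
# the original poster's 10.0/24, 10.2/24 and 172.0/24 written out in full;
# the instance name vpn2-vr and the st0.1 binding are assumed.
def net(s):
    return ipaddress.ip_network(s)

@dataclass(frozen=True)
class SA:
    name: str
    local: ipaddress.IPv4Network   # negotiated local proxy-id / traffic selector
    remote: ipaddress.IPv4Network  # negotiated remote proxy-id / traffic selector

VPN1 = SA("IPSEC-VPN1", net("10.0.0.0/24"), net("172.0.0.0/24"))
VPN2 = SA("IPSEC-VPN2", net("10.2.0.0/24"), net("172.0.0.0/24"))

def selector_match(sa, src, dst):
    """The check both peers apply to the inner packet: it must fall inside the
    SA's negotiated selectors or it is dropped (the ASA log line quoted later
    in this thread is this check failing on the decrypting side)."""
    return ipaddress.ip_address(src) in sa.local and ipaddress.ip_address(dst) in sa.remote

def lookup_route(routes, dst):
    """Longest-prefix match over a list of (prefix, next-hop) pairs."""
    best = None
    for prefix, nh in routes:
        if ipaddress.ip_address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return None if best is None else best[1]

# Design 1 (posts 1 and 4): one multipoint st0.0, NHTB 192.168.0.2 -> VPN1,
# a single static route for 172.0/24. Only VPN1 is ever reachable.
NHTB = {"192.168.0.2": VPN1}
ROUTES_NHTB = [(net("172.0.0.0/24"), "192.168.0.2")]

def pick_sa_nhtb(src, dst):
    sa = NHTB.get(lookup_route(ROUTES_NHTB, dst))
    return sa.name if sa and selector_match(sa, src, dst) else None

# Design 2 (posts 8 and 9): filter-based forwarding. An ingress filter sends
# 10.2/24 sources to a separate routing instance whose route points at st0.1.
FBF_TERMS = [(net("10.2.0.0/24"), "vpn2-vr")]
INSTANCE_ROUTES = {
    "inet.0":  [(net("172.0.0.0/24"), "st0.0")],
    "vpn2-vr": [(net("172.0.0.0/24"), "st0.1")],
}
BOUND = {"st0.0": VPN1, "st0.1": VPN2}   # bind-interface per VPN

def pick_sa_fbf(src, dst):
    instance = "inet.0"
    for prefix, ri in FBF_TERMS:
        if ipaddress.ip_address(src) in prefix:
            instance = ri
            break
    sa = BOUND.get(lookup_route(INSTANCE_ROUTES[instance], dst))
    return sa.name if sa and selector_match(sa, src, dst) else None

# Design 3 (post 14): traffic selectors. One st0.0 carries both SAs and the
# packet is matched against each selector pair after the route lookup.
TS_SAS = (VPN1, VPN2)

def pick_sa_ts(src, dst):
    if lookup_route([(net("172.0.0.0/24"), "st0.0")], dst) != "st0.0":
        return None
    for sa in TS_SAS:
        if selector_match(sa, src, dst):
            return sa.name
    return None

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.2.0.5"):
        print(src, "-> 172.0.0.9:", pick_sa_nhtb(src, "172.0.0.9"),
              pick_sa_fbf(src, "172.0.0.9"), pick_sa_ts(src, "172.0.0.9"))
```

Running it shows the 10.2/24 source getting no SA under the NHTB design and landing on IPSEC-VPN2 under both FBF and traffic selectors.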



  • 15.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 09-03-2014 22:37

    Have you had any instability issues? Juniper hasn't updated its recommended list of Junos versions beyond 12.1x44.



  • 16.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 01-22-2015 07:37

     


    escapehere wrote:

    Don't use proxy-ids, replace them with traffic selectors. See this:

     

    http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/ipsec-vpn-traffic-selector-configuring.html

     

    We've set it up for a VPN with an ASA and it works great.


    I second that, though your code must support it : )

    What's more, it means fewer lines of code, and that's always welcomed when it comes to Junos.

    Testing now; at first glance it seems good. The scenario I'm currently working on is route-based VPNs, multiple subnets, SRX hub and ASA spokes, three sites in total. Will post diagram and results in due course.

    Limitations noted thus far: lack of dynamic routing options, though still awaiting customer requirements if indeed that is going to be needed.



  • 17.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 01-22-2015 23:55

    Thank you for your help! I'll try!



  • 18.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 01-27-2015 03:38

    OK, cool, just take note of the limitations:

     

    http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/ipsec-vpn-traffic-selector-understanding.html

     

    Traffic selectors cannot be configured with the following features:

    • Policy-based VPNs
    • Group or shared IKE IDs
    • IKE version 2
    • Point-to-multipoint secure tunnel (st0) interfaces
    • VPNs on which VPN monitoring is configured
    • Different address families configured for the local and remote IP addresses
    • VPNs configured with proxy identity values used in negotiation
    • Remote address value 0.0.0.0/0 (IPv4) or 0::0 (IPv6)

    hth,



  • 19.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 05-09-2014 11:38

    Use 12.1X46D-10.2, which implements traffic selectors. That will allow you to create a single st0 tunnel with multiple SAs between two sites on multiple subnets, using an SRX on site A and a Cisco on site B.  Make sure that both sites use route-based VPN and both define the same proxy IDs (local and remote subnets).  I believe Cisco defines that in ACLs and Juniper uses traffic selectors - check this article:

    http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/concept/ipsec-vpn-traffic-selector-understanding.html

    Ron I



  • 20.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 04:48

    Did anyone try this article?

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28833

    On the other side, our client uses an ASA. I have an SRX 650.

    When I'm initiating the IPsec negotiation, everything is OK. My ICMP test works perfectly. Meanwhile ICMP from the ASA fails, and in the log on the ASA we see:

    The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.x.x.x, its source as 0.0.0.0, and its protocol as icmp. The SA specifies its local proxy as 10.x.x.x/255.255.255.255/ip/0 and its remote_proxy as 10.y.y.y/255.255.255.255/ip/0.

    If IPsec is down and we try to negotiate it from the ASA, we fail, and on the Juniper I don't even see any attempt.



  • 21.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 05:05

    Hi Burner,

     

    Configuring an IPsec VPN between an SRX and a Cisco is tricky when more than one subnet is involved in the VPN.

    For example:

    2 subnets behind the SRX and 3 subnets behind the Cisco.

    Now there should be 6 IPsec SAs built, one for each pair of subnets.

    The issue comes down to how the proxy-ids are derived on the SRX and the Cisco device.

    On the Cisco, they are derived from the security policy.

    On the SRX, they are derived from the security policy, but you should not group more than 1 source and 1 destination.

    If you group more than one subnet, then the proxy-ids are derived as 0.0.0.0, which the Cisco device may not accept.

    So if it is a policy-based VPN, then you need 6 security policies with 1 source and 1 destination on each policy for the (2 SRX subnets and 3 Cisco subnets) scenario.

    For a route-based VPN, you need 6 Phase 2 configurations with 6 st0 interfaces.

    If you upgrade to version 12.1X46, then you have the traffic selector configuration to map each local subnet to a remote subnet under one ipsec vpn configuration with one st0 interface.

    I would like to know how many subnets are involved on the SRX and Cisco, and the type of VPN configured on the SRX and Cisco.

     

     

    Regards

     

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     

     

     



  • 22.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 05:36

    Hi  rparthi,

     

    We used policy-based IPsec at first, but it was very unstable and we decided to try route-based.

    I've never used route-based IPsec with multiple subnets on both sides before; that's why, at first, we decided to build a test one with 2 subnets on the SRX side and 2 on the ASA.

    As a result I have:

    4 st subinterfaces (one for each SA)

    2 VRIs

    2 RIBs

    All as explained in the KB.



  • 23.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 06:14

    Hi Burner,

     

    Kindly share the following:

     

    1. Are you using the proxy-ID configuration under ipsec vpn vpn-name for each of the 4 IPsec VPNs to the remote VPN?

    2. Do you have a problem with the Phase 1 or Phase 2 tunnel, or with traffic?

    3. Do you get an ICMP reply for the ICMP request that was sent from the SRX side to the Cisco?

    4. What VPN is configured on the Cisco ASA? Is it policy-based?

    5. When the policy-based VPN was not working, did you create 4 security policies with 1 specific source and 1 specific destination?

     

     

    Regards

     

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     

     



  • 24.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 06:22

    1) Like this (subnet IPs were replaced):

    set security ipsec vpn IPSEC_TEST-1 bind-interface st0.10
    set security ipsec vpn IPSEC_TEST-1 ike gateway IKE-GW-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-1 ike proxy-identity local 100.100.100.100/32
    set security ipsec vpn IPSEC_TEST-1 ike proxy-identity remote 1.1.1.1/32
    set security ipsec vpn IPSEC_TEST-1 ike proxy-identity service any
    set security ipsec vpn IPSEC_TEST-1 ike ipsec-policy IPSEC-POL-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-1 establish-tunnels immediately

    set security ipsec vpn IPSEC_TEST-2 bind-interface st0.11
    set security ipsec vpn IPSEC_TEST-2 ike gateway IKE-GW-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-2 ike proxy-identity local 100.100.100.100/32
    set security ipsec vpn IPSEC_TEST-2 ike proxy-identity remote 2.2.2.2/32
    set security ipsec vpn IPSEC_TEST-2 ike proxy-identity service any
    set security ipsec vpn IPSEC_TEST-2 ike ipsec-policy IPSEC-POL-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-2 establish-tunnels immediately

    set security ipsec vpn IPSEC_TEST-3 bind-interface st0.19
    set security ipsec vpn IPSEC_TEST-3 ike gateway IKE-GW-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-3 ike proxy-identity local 200.200.200.200/32
    set security ipsec vpn IPSEC_TEST-3 ike proxy-identity remote 1.1.1.1/32
    set security ipsec vpn IPSEC_TEST-3 ike proxy-identity service any
    set security ipsec vpn IPSEC_TEST-3 ike ipsec-policy IPSEC-POL-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-3 establish-tunnels immediately

    set security ipsec vpn IPSEC_TEST-4 bind-interface st0.20
    set security ipsec vpn IPSEC_TEST-4 ike gateway IKE-GW-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-4 ike proxy-identity local 200.200.200.200/32
    set security ipsec vpn IPSEC_TEST-4 ike proxy-identity remote 2.2.2.2/32
    set security ipsec vpn IPSEC_TEST-4 ike proxy-identity service any
    set security ipsec vpn IPSEC_TEST-4 ike ipsec-policy IPSEC-POL-IPSEC_TEST
    set security ipsec vpn IPSEC_TEST-4 establish-tunnels immediately

     

    2) If the SRX is the initiator, no problems at all; if the ASA is, there is no Phase 1, and no attempts in the log on the SRX.

    3) Yes.

    4) Policy-based, AFAIK.

    5) Correct, every SA has its own policy (AFAIK, it will not work with one policy and multiple sources/destinations).

     

    Thank you for your help!



  • 25.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 08:50

    Hi Burner,

     

    Configuration on the SRX looks good.

     

    The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.x.x.x, its source as 0.0.0.0, and its protocol as icmp. The SA specifies its local proxy as 10.x.x.x/255.255.255.255/ip/0 and its remote_proxy as 10.y.y.y/255.255.255.255/ip/0.


    But looking at the Cisco error, it decrypts the ESP packet from the SRX, but after that it is not able to select the proxy-ids of the VPN.

     

    Are there any NAT rules interfering on either the SRX or the Cisco?

     

    Try pinging the remote Cisco network for one Phase 2 SA subnet and share the following.

    1. show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y
    Verify whether this traffic is NATed.

    2. Do similar tests for the Cisco-to-SRX VPN traffic.

     

    Regards
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 26.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 21:25

    hi Rparthi,

     

    My first guess was that the traffic is NATed, so I've verified this already.

    1) No, the traffic is not NATed.

    2) I don't see any packets from the Cisco side in show security flow. Also, I've checked the logs - no blocks for the Cisco-side subnet.

    I've found information that VPN monitor can give such a result, but I didn't turn it on in my IPsec config (only DPD).



  • 27.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 22:04

    Hi

     

    Flow traceoptions must have a packet filter with the external IP addresses of the SRX and Cisco device for capturing IKE and ESP packets.

    Since the VPN tunnel is up and passing traffic from the SRX to the Cisco, I am still not able to understand why you do not see any packets from the Cisco.

    Are you getting an ICMP reply for the ping request initiated from the SRX?

     

    please share the following:

     

    show security flow session source-prefix  x.x.x.x destination-prefix y.y.y.y

     

     

     

    Regards,

     

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 28.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-01-2014 22:23

    Here it is (IPs replaced with examples):

     

    Session ID: 29762, Policy name: POLICY-OUT-TEST-10/266, Timeout: 2, Valid
    In: 200.200.200.200/773 --> 1.1.1.1/30;icmp, If: ge-0/0/3.4, Pkts: 1, Bytes: 100
    Out: 1.1.1.1/30 --> 200.200.200.200/773;icmp, If: st0.19, Pkts: 1, Bytes: 100

     

     

     

     



  • 29.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-02-2014 01:08

    Hi Burner,

     

    As per your last update, tunnel traffic from the SRX to the Cisco is working fine.

    Now on the Cisco side, ask them to ping from 1.1.1.1 to 200.200.200.200 and update the status.

    Maybe they are pinging from a different source IP address which is not part of the source proxy-id, and not from 1.1.1.1.

     

    Regards,

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 30.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-02-2014 01:12

    Hi,

     

    No, they are pinging from the correct source (asked earlier).

    Looks like this is one of the reasons why RB IPsec is not preferred between ASA and SRX 🙂



  • 31.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-02-2014 03:31

    Hi Burner,

     

    Thanks for the update.

     

    From the Cisco error message and the SRX capture (NO packet received), it is clear that the VPN destination was not accessed from the correct proxy-id source networks.

    That could be the only reason why the Cisco device is reporting that error.

    If not, then the ESP packet will definitely be received by the SRX.

     

    Please confirm

     

    Regards,

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 32.  RE: SRX multiple proxy-ID on route-based VPN with multiple local networks

    Posted 12-02-2014 03:36

    Hi,

     

    Totally agree with you! But I can't find any clues as to what can cause this.

    For now, it is not so important, because RB IPsec has the same issue as PB in my case - Phase 2 gets stuck after some time and only comes up again if I clear the Phase 2 SA.

    So, I've rolled back to PB IPsec, and am researching why this tunnel is so unstable. In PB IPsec, all pings work fine.

     

    Thank you for your help!