Hello,
I have a strange behavior on my SRX240 cluster with IPSEC VPN.
Or rather, a behavior that I don't understand, so I need some explanation.
On side A:
I have a cluster of SRX240 with JUNOS Software Release [10.2R3.10].
The 2 networks 10.8.0.0/13 and 192.168.38.0/24.
These networks have to be connected with the network 192.168.24.0/24 on side B.
So, I created the following configuration:
bind-interface st0.67;
ike {
    gateway GW_Bourges;
    proxy-identity {
        local 10.8.0.0/13;
        remote 192.168.24.0/24;
    }
    ipsec-policy AES128-SHA1-DH2;
}

bind-interface st0.80;
ike {
    gateway GW_Bourges;
    proxy-identity {
        local 192.168.38.0/24;
        remote 192.168.24.0/24;
    }
    ipsec-policy AES128-SHA1-DH2;
}
FW-SD1# show routing-options | match 192.168.24
route 192.168.24.0/24 next-hop st0.67;
On side B:
I have a FreeBSD host running racoon as the IKE daemon.
For information, I installed the following policies in the kernel:
spdadd 192.168.24.0/24 10.8.0.0/13 any -P out ipsec esp/tunnel/81.252.43.141-194.110.245.1/require;
spdadd 10.8.0.0/13 192.168.24.0/24 any -P in ipsec esp/tunnel/194.110.245.1-81.252.43.141/require;
spdadd 192.168.24.0/24 192.168.38.0/24 any -P out ipsec esp/tunnel/81.252.43.141-194.110.245.1/require;
spdadd 192.168.38.0/24 192.168.24.0/24 any -P in ipsec esp/tunnel/194.110.245.1-81.252.43.141/require;
In racoon, I set up a sainfo anonymous.
So, after I had set up both sides, I tested:
From 192.168.24.1:
ping 192.168.38.1 -> Successful
ping 10.11.1.221 -> Successful
On the SRX, I expected to see two Security Associations:
One for 10.8.0.0/13 to 192.168.24.0/24
One for 192.168.38.0/24 to 192.168.24.0/24
But there was only one Security Association:
10.8.0.0/13 to 192.168.24.0/24
I disabled the configuration for the VPN between 192.168.38.0/24 and 192.168.24.0/24 and I cleared the SA.
But after the VPN came back up, I was able to ping 192.168.38.1 from 192.168.24.1.
I still had only one Security Association, the one for 10.8.0.0/13 to 192.168.24.0/24.
For information, I also had only one SA on the FreeBSD side, but that's not the subject of my post.
Can someone explain why the SRX accepts using only one SA to encrypt two kinds of traffic, although I have a specific configuration for each?
Thanks for your help.
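As an added check that is not part of the original post (nor any Juniper or racoon tooling), the script below models the route-based tunnel selection on side A: it assumes that on a route-based VPN the egress st0 interface is chosen by the route lookup alone and that the proxy-identity only describes what was negotiated with the peer, then compares each tested flow with the proxy-identity of the interface the route actually picks, using the route and proxy-identities quoted in the post.

```python
# Added diagnostic, not code from the original post. Assumption: on a
# route-based VPN the st0 interface carrying a flow is chosen purely by the
# route lookup; the proxy-identity only states what was negotiated in IKE.
from ipaddress import ip_address, ip_network

# Constructed model of the configuration shown in the post.
ROUTES = {
    "192.168.24.0/24": "st0.67",          # the only route towards side B
}
PROXY_IDS = {
    "st0.67": ("10.8.0.0/13", "192.168.24.0/24"),      # (local, remote)
    "st0.80": ("192.168.38.0/24", "192.168.24.0/24"),
}


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match of dst against the st0 routes; None if unrouted."""
    dst = ip_address(dst)
    best = None
    for prefix, ifname in routes.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def check_flow(src, dst, routes=ROUTES, proxy_ids=PROXY_IDS):
    """Return (egress interface, whether its proxy-id covers the flow,
    list of interfaces whose proxy-id would cover the flow)."""
    ifname = egress_interface(dst, routes)
    s, d = ip_address(src), ip_address(dst)
    matching = [name for name, (loc, rem) in proxy_ids.items()
                if s in ip_network(loc) and d in ip_network(rem)]
    return ifname, ifname in matching, matching


if __name__ == "__main__":
    # The two pings from the post, seen from side A (replies go back via the route).
    for src, dst in (("10.11.1.221", "192.168.24.1"),
                     ("192.168.38.1", "192.168.24.1")):
        ifname, covered, matching = check_flow(src, dst)
        state = "ok" if covered else "MISMATCH"
        print(f"{src} -> {dst}: routed via {ifname}; proxy-id of that "
              f"interface covers the flow: {covered} [{state}]; "
              f"interfaces whose proxy-id matches: {matching}")
```

The second flow is routed to st0.67 although only st0.80's proxy-identity describes it, which is the kind of route/proxy-id mismatch worth looking for before comparing SA counts on either side.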