SRX240 / IPSEC behavior explanation

Duga · ‎10-11-2010

Hello,

I have a strange behavior on my SRX240 cluster with IPSEC VPN.

Or, a behavior that I don't undestand, so I need some explanation.

On Side A :

I have a cluster of SRX240 with JUNOS Software Release [10.2R3.10]

The 2 networks 10.8.0.0/13 and 192.168.38.0/24.

These networks have to be connected with the network 192.168.24.0/24 on side B.

So, I create the following configuration :

bind-interface st0.67;

ike {

gateway GW_Bourges;

proxy-identity {

local 10.8.0.0/13;

remote 192.168.24.0/24;

}

ipsec-policy AES128-SHA1-DH2;

}

bind-interface st0.80;

ike {

gateway GW_Bourges;

proxy-identity {

local 192.168.38.0/24;

remote 192.168.24.0/24;

}

ipsec-policy AES128-SHA1-DH2;

}

FW-SD1# show routing-options | match 192.168.24

route 192.168.24.0/24 next-hop st0.67;

On side B :

I have a Freebsd with racoon as IKE.

For information, I installed the following policy in the kernel.

spdadd 192.168.24.0/24 10.8.0.0/13 any -P out ipsec esp/tunnel/81.252.43.141-194.110.245.1/require;

spdadd 10.8.0.0/13 192.168.24.0/24 any -P in ipsec esp/tunnel/194.110.245.1-81.252.43.141/require;

spdadd 192.168.24.0/24 192.168.38.0/24 any -P out ipsec esp/tunnel/81.252.43.141-194.110.245.1/require;

spdadd 192.168.38.0/24 192.168.24.0/24 any -P in ipsec esp/tunnel/194.110.245.1-81.252.43.141/require;

In racoon, I had set up a sainfo anonymous.

So, after I had set up the two side, I test :

From 192.168.24.1 :

ping 192.168.38.1 -> Successful

ping 10.11.1.221 -> Successful

On the SRX, I expected to see two Security Association :

One for 10.8.0.0/13 to 192.168.24.0/24

One for 192.168.38.0/24 to 192.168.24.0/24

But there was only one Security Association :

10.8.0.0/13 to 192.168.24.0/24

I disabled the configuration for the VPN between 192.168.38.0/24 and 192.168.24.0/24 and I cleared the SA.

But after the VPN was come back up, I was able to ping 192.168.38.1 from 192.168.24.1.

I always had only one Security Association corresponding to 10.8.0.0/13 to 192.168.24.0/24.

For information, I had also only one SA on the Freebs but it's not the subject of my post.

Someone can explain why the SRX accept to use only one SA to encrypt two kind of traffic although I have two specific configuration for each ?

Thanks for your help.

aweck · ‎07-24-2009

The route for the side-B network points out the ST interface bound to the VPN with the local proxy-id of 10.8/13, so that is why that VPN is used.

Also, remember that proxy-id's do not dicate what traffic can traverse a tunnel, they only come into play when the VPN is being established between the two sites. Since you are using route-based VPN's on the SRX, what traffic traverses the VPN is controlled by a combination of routing (static routes in your case) and security policies.

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL

Duga · ‎10-11-2010

Thanks for the reply.

This is the first time I configure, on Junos, Two VPN with two different subnet, on junos side, and one subnet on the other side.

So, I thought it need to create one SA for each VPN. It's what is happening when we have one subnet on junos side and two subnet on the other. Indeed, we have two different route.

I understand that is, in fact, cause by the used of route based VPN.

Thank You for the explanation.

SRX240 / IPSEC behavior explanation

Re: SRX240 / IPSEC behavior explanation

Re: SRX240 / IPSEC behavior explanation