SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Service in proxy-id for route-based VPN

    Posted 09-10-2012 09:16

    Hi All

     

    I'm trying to bring up a very simple route-based VPN with no luck. Can anyone tell if the below behavior is by design or not?

     

    One end

     

    vpn vpn1 {
        bind-interface st0.0;
        vpn-monitor;
        ike {
            gateway gw1;
            proxy-identity {
                local 10.10.0.0/24;
                remote 10.11.0.0/24;
                service junos-http;
            }
            ipsec-policy ipsec-pol;
        }
        establish-tunnels immediately;
    }

    Other end

    vpn vpn1 {
        bind-interface st0.0;
        vpn-monitor;
        ike {
            gateway gw1;
            proxy-identity {
                local 10.11.0.0/24;
                remote 10.10.0.0/24;
                service junos-http;
            }
            ipsec-policy ipsec-pol;
        }
        establish-tunnels immediately;
    }

     The result is that the VPN does not come up, with the following in the trace:

    lab@jsrxA-1# run show log kmd | match selectors    
    Sep 10 20:28:52 Peer's proposed traffic selectors is his local: ipv4(tcp,10.11.0.0-10.11.0.255) his remote: ipv4(tcp:80,10.10.0.0-10.10.0.255)
    Sep 10 20:28:52 Configured traffic selectors is local: ipv4(tcp,10.10.0.0-10.10.0.255)  Remote: ipv4(tcp:80,10.11.0.0-10.11.0.255)
    Sep 10 20:28:52 Remote traffic selectors do not match for sa-cfg vpn1

     Using Junos 12.1R3.5. If I remove proxy-identity knobs, everything works fine.

     

    Actually, I was aware of this behavior for a long time but never could understand why it works (or doesn't work) this way.
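
A small checker, added here as an example and not part of the thread, that parses the two selector lines from the kmd trace above and reports why phase 2 rejects them: the peer's local selector must mirror our remote and its remote must mirror our local, but with junos-http each end attaches port 80 only to its remote selector, so the ports never line up. The trace text is re-typed from the post as constructed test input; the `start-end` address form is the one kmd uses in these two lines.

```python
import re
from dataclasses import dataclass

# Constructed input: the kmd trace lines quoted above, re-typed for the demo.
KMD_TRACE = """\
Sep 10 20:28:52 Peer's proposed traffic selectors is his local: ipv4(tcp,10.11.0.0-10.11.0.255) his remote: ipv4(tcp:80,10.10.0.0-10.10.0.255)
Sep 10 20:28:52 Configured traffic selectors is local: ipv4(tcp,10.10.0.0-10.10.0.255)  Remote: ipv4(tcp:80,10.11.0.0-10.11.0.255)
Sep 10 20:28:52 Remote traffic selectors do not match for sa-cfg vpn1
"""

# A phase-2 selector as kmd prints it: ipv4(<proto>[:<port>],<first-addr>-<last-addr>)
SELECTOR_RE = re.compile(r"ipv4\((?P<proto>\w+)(?::(?P<port>\d+))?,(?P<lo>[\d.]+)-(?P<hi>[\d.]+)\)")

@dataclass(frozen=True)
class Selector:
    proto: str
    port: int  # 0 = any port (kmd prints this as "tcp" or "tcp:0")
    lo: str
    hi: str

def parse_selector(text: str) -> Selector:
    m = SELECTOR_RE.search(text)
    if m is None:
        raise ValueError(f"no ipv4(...) selector in {text!r}")
    return Selector(m["proto"], int(m["port"] or 0), m["lo"], m["hi"])

def parse_trace(trace: str) -> dict:
    """Extract the peer's proposal and our configured selectors from a kmd trace."""
    sel = {}
    for line in trace.splitlines():
        if "Peer's proposed traffic selectors" in line:
            his_local, his_remote = line.split("his local:")[1].split("his remote:")
            sel["peer_local"], sel["peer_remote"] = parse_selector(his_local), parse_selector(his_remote)
        elif "Configured traffic selectors" in line:
            our_local, our_remote = line.split("local:", 1)[1].split("Remote:")
            sel["our_local"], sel["our_remote"] = parse_selector(our_local), parse_selector(our_remote)
    return sel

def mismatches(sel: dict) -> list:
    """Phase 2 succeeds only if the peer's local mirrors our remote and its remote mirrors our local."""
    problems = []
    for ours, theirs in (("our_local", "peer_remote"), ("our_remote", "peer_local")):
        a, b = sel[ours], sel[theirs]
        if (a.proto, a.lo, a.hi) != (b.proto, b.lo, b.hi):
            problems.append(f"{ours}/{theirs}: protocol or address range differs ({a} vs {b})")
        elif a.port != b.port:
            problems.append(f"{ours}/{theirs}: service port differs ({a.port} vs {b.port})")
    return problems

print(mismatches(parse_trace(KMD_TRACE)))
```

Running it on the trace above reports a service-port difference in both directions (0 against 80 and 80 against 0), which is the mismatch the third log line summarises.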



  • 2.  RE: Service in proxy-id for route-based VPN
    Best Answer

    Posted 09-17-2012 15:57

    This was identified with a recent escalation, and a fix will be available in upcoming releases.

     

    If you want a workaround for now, don't use the built-in Junos service but use an explicit user-defined service.

     

    thanks,

    raheel



  • 3.  RE: Service in proxy-id for route-based VPN

    Posted 09-18-2012 09:58

    Hi Raheel,

     

    Thanks, good to know it is a bug that is going to be fixed. Your workaround also works, e.g.

     

    vpn cert-vpn {
        bind-interface st0.0;
        ike {
            gateway cert-gw;
            proxy-identity {
                local 2.2.2.2/32;
                remote 1.1.1.1/32;
                service myapp;
            }
            ipsec-policy ipsec-pol;
        }
        establish-tunnels immediately;
    }
    
    [edit]
    lab@srxB-2# show applications 
    application myapp {
        protocol tcp;
        destination-port 1300;
    }
    

     

    In this case, the VPN goes up:

     

    Sep 18 16:51:01 KMD_PM_SA_ESTABLISHED: Local gateway: 1.4.1.2, Remote gateway: 1.3.1.2, Local ID: ipv4(tcp:0,[0..3]=2.2.2.2), Remote ID: ipv4(tcp:1300,[0..3]=1.1.1.1), Direction: inbound, SPI: b138d754, AUX-SPI: 0, Mode: tunnel, Type: dynamic
    Sep 18 16:51:01 KMD_PM_SA_ESTABLISHED: Local gateway: 1.4.1.2, Remote gateway: 1.3.1.2, Local ID: ipv4(tcp:0,[0..3]=2.2.2.2), Remote ID: ipv4(tcp:1300,[0..3]=1.1.1.1), Direction: outbound, SPI: 5ff68599, AUX-SPI: 0, Mode: tunnel, Type: dynamic
    Sep 18 16:51:01 Quick mode negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=1.4.1.2) p1_remote=ipv4(udp:500,[0..3]=1.3.1.2) p2_local=ipv4(tcp:0,[0..3]=2.2.2.2) p2_remote=ipv4(tcp:0,[0..3]=1.1.1.1)

     

    However, I still don't completely understand why it sometimes writes tcp:0 and in other places tcp:1300.

    Anyway, thanks a lot.