SRX

  • 1.  Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-12-2015 08:22

    Hello Everyone

    Recently I've started using a Juniper SRX240 as part of my job, and my first task was to find a way for our machines to directly connect to it using IPSEC. So I've managed to get a VPN tunnel between Linux/FreeBSD machines running Shrew (I'm using both on different setups) and a Juniper SRX240 started and connected without too many problems, but I've run into an issue where the connection drops after about two minutes. I've dug through the forums, but the last thing I could find was about 3 years old, with a note saying it was a bug the Shrewsoft devs intended to fix. Has the bug been fixed? Do I just have something wrong with my configurations? I've already tried little fixes like setting my phase 1 lifetime to 180 seconds.

    Thank You

    Tepafray

    ---

    Juniper Config:

    ## Last changed: 2015-05-12 21:37:43 UTC
    version 12.1X44-D45.2;
    system {
        host-name juniper;
        root-authentication {
            encrypted-password "***";
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.1;
                }
            }
            dhcp {
                name-server {
                    8.8.8.8;
                }
                router {
                    192.168.5.1;
                }
                pool 192.168.5.0/24 {
                    address-range low 192.168.5.30 high 192.168.5.75;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file traffic-log {
                any any;
                match RT_FLOW;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
                family inet6;
            }
            unit 1 {
                family inet {
                    address 44.128.0.1/24;
                }
                family inet6;
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
        }
    }
    security {
        ike {
            traceoptions {
                flag all;
            }
            proposal RemoteVPNPolicy1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 180;
            }
            policy RemoteVPNIKE {
                mode aggressive;
                proposals RemoteVPNPolicy1;
                pre-shared-key ascii-text "***";
            }
            policy t400-ike-policy {
                mode aggressive;
                proposals RemoteVPNPolicy1;
                pre-shared-key ascii-text "***";
            }
            inactive: gateway RemoteVPN {
                ike-policy RemoteVPNIKE;
                dynamic user-at-hostname "remote@domain.com";
                external-interface ge-0/0/0.0;
            }
            gateway t400-ike-gw {
                ike-policy t400-ike-policy;
                dynamic {
                    hostname vpn.example.com;
                    connections-limit 50;
                    ike-user-type shared-ike-id;
                }
                dead-peer-detection;
                nat-keepalive 20;
                external-interface ge-0/0/0.0;
                xauth access-profile t400-access;
                version v1-only;
            }
        }
        ipsec {
            traceoptions {
                flag all;
            }
            proposal RemoteVPNIPSec {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 28800;
            }
            policy RemoteVPNIPSec {
                proposals RemoteVPNIPSec;
            }
            policy t400-ipsec-policy {
                proposals RemoteVPNIPSec;
            }
            inactive: vpn RemoteVPN {
                ike {
                    gateway RemoteVPN;
                    ipsec-policy RemoteVPNIPSec;
                }
                establish-tunnels on-traffic;
            }
            vpn t400-vpn {
                df-bit set;
                ike {
                    gateway t400-ike-gw;
                    idle-time 600;
                    proxy-identity {
                        local 44.128.0.1/24;
                        remote 44.128.0.1/24;
                        service any;
                    }
                    ipsec-policy t400-ipsec-policy;
                }
                establish-tunnels immediately;
            }
        }
        dynamic-vpn {
            access-profile t400-access;
            clients {
                Test-Dynamic {
                    remote-protected-resources {
                        44.128.0.0/24;
                    }
                    ipsec-vpn t400-vpn;
                    user {
                        tepafray;
                    }
                }
            }
        }
        nat {
            source {
                rule-set InternetAddress {
                    from zone trust;
                    to zone untrust;
                    rule To-Public {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy To_internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy VPN_Out {
                    match {
                        source-address any;
                        destination-address 44.128.0.0/24;
                        application [ junos-ike junos-ike-nat ];
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn t400-vpn;
                                pair-policy RemoteVPN;
                            }
                        }
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy RemoteVPN {
                    match {
                        source-address 44.128.0.0/24;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn t400-vpn;
                                pair-policy VPN_Out;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address hq-net-10-4-4 10.4.4.0/24;
                }
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                address-book {
                    address 44.128.0.0/24 44.128.0.0/24;
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ike;
                                http;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        address-pool t400-pool {
            address-range low 192.168.40.200 high 192.168.40.250 mask 55.255.255.0;
            primary-dns 10.4.4.75;
        }
        profile t400-access {
            authentication-order password;
            client tepafray {
                firewall-user {
                    password "***";
                }
            }
            address-assignment {
                pool MyIPs;
            }
        }
        address-assignment {
            pool t400-assign-pool {
                family inet {
                    network 192.168.40.0/24;
                    range t400-range {
                        low 192.168.40.101;
                        high 192.168.40.149;
                    }
                    xauth-attributes {
                        primary-dns 10.4.4.85/32;
                    }
                }
            }
            pool MyIPs {
                family inet {
                    network 44.128.0.0/24;
                    range Main {
                        low 44.128.0.2;
                        high 44.128.0.50;
                    }
                    xauth-attributes {
                        primary-dns 8.8.8.8/32;
                    }
                }
            }
        }
    }
    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }

    Shrew Config:

    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:10
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:client-banner-enable:1
    n:network-notify-enable:1
    n:client-wins-used:1
    n:client-wins-auto:1
    n:client-dns-used:1
    n:client-dns-auto:1
    n:client-splitdns-used:0
    n:client-splitdns-auto:1
    n:phase1-dhgroup:2
    n:phase1-life-secs:180
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:1
    n:phase2-life-secs:28800
    n:phase2-life-kbytes:0
    n:policy-nailed:1
    n:policy-list-auto:0
    n:client-dns-suffix-auto:1
    b:auth-mutual-psk:Y2FueW91ZmVlbHRoZXdvbmRlcmZ1bA==
    n:phase1-keylen:0
    n:phase2-keylen:256
    n:phase2-pfsgroup:-1
    s:client-dns-suffix:<yourdomainsuffix.org>
    s:network-host:10.90.3.25
    s:client-auto-mode:push
    s:client-iface:virtual
    s:network-natt-mode:enable
    s:network-frag-mode:disable
    s:auth-method:mutual-psk-xauth
    s:ident-client-type:fqdn
    s:ident-client-data:vpn.example.com
    s:ident-server-type:address
    s:phase1-exchange:aggressive
    s:phase1-cipher:3des
    s:phase1-hash:md5
    s:phase2-transform:esp-aes
    s:phase2-hmac:sha1
    s:ipcomp-transform:disabled
    s:policy-level:require
    s:policy-list-include:0.0.0.0 / 0.0.0.0

    Attachment(s): juniperlogs.txt (33 KB), shrewlogs.txt (30 KB)
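A consistency check of the phase 1 and phase 2 parameters in the two configs above, added here as an example (not code from the thread, from Juniper or from Shrew): it translates the Shrew profile values into Junos proposal vocabulary, reports any parameter the two sides disagree on, and flags the weak choices both sides currently agree on. The name-mapping tables and the WEAK list are my own.

```python
"""Check that the Shrew profile and the SRX IKE/IPsec proposals agree on every
negotiated parameter and flag weak choices. Added example, not from the thread;
the snippets are the thread's own values, the name-mapping tables are mine."""
import re

# Shrew profile lines quoted from the thread (client side).
SHREW_PROFILE = """\
n:phase1-dhgroup:2
n:phase1-life-secs:180
n:phase1-keylen:0
n:phase2-life-secs:28800
n:phase2-keylen:256
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
"""
# SRX IKE proposal/policy leaves and IPsec proposal leaves quoted from the thread.
SRX_IKE = """\
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 180;
mode aggressive;
"""
SRX_IPSEC = """\
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
"""
LEAF_RE = re.compile(r"^\s*([\w-]+) ([\w./-]+);\s*$")
# Values both sides may agree on that a reviewer should still push back on (my list).
WEAK = {"3des-cbc": "3DES: 64-bit block cipher, deprecated",
        "md5": "MD5 as IKE integrity algorithm",
        "group2": "DH group 2 is 1024-bit MODP",
        "aggressive": "aggressive mode with PSK sends the identity in clear and exposes the PSK hash"}

def parse_junos(text):
    """Flatten the 'key value;' leaves of a Junos block into a dict (braces are skipped)."""
    return dict(m.groups() for m in map(LEAF_RE.match, text.splitlines()) if m)

def parse_shrew(text):
    """Shrew 'type:key:value' lines into a dict; the type prefix is dropped."""
    return dict(line.split(":", 2)[1:] for line in text.splitlines() if line.count(":") >= 2)

def shrew_as_srx(p):
    """Translate Shrew profile values into the Junos proposal vocabulary."""
    def cipher(name, keylen):
        return "3des-cbc" if name.endswith("3des") else f"aes-{keylen}-cbc"
    return {
        "ike": {"dh-group": f"group{p['phase1-dhgroup']}",
                "authentication-algorithm": p["phase1-hash"],
                "encryption-algorithm": cipher(p["phase1-cipher"], p["phase1-keylen"]),
                "lifetime-seconds": p["phase1-life-secs"],
                "mode": p["phase1-exchange"]},
        "ipsec": {"protocol": p["phase2-transform"].split("-")[0],
                  "authentication-algorithm": f"hmac-{p['phase2-hmac']}-96",
                  "encryption-algorithm": cipher(p["phase2-transform"], p["phase2-keylen"]),
                  "lifetime-seconds": p["phase2-life-secs"]},
    }

def compare(shrew_text, ike_text, ipsec_text):
    """Return (mismatches, warnings): parameters the sides disagree on, and weak ones."""
    want = shrew_as_srx(parse_shrew(shrew_text))
    have = {"ike": parse_junos(ike_text), "ipsec": parse_junos(ipsec_text)}
    mismatches, warnings = [], []
    for phase in ("ike", "ipsec"):
        for key, val in want[phase].items():
            if have[phase].get(key) != val:
                mismatches.append(f"{phase} {key}: client {val} vs SRX {have[phase].get(key)}")
            if val in WEAK:
                warnings.append(f"{phase} {key}: {WEAK[val]}")
    return mismatches, warnings
```

With the thread's values the two sides match on every parameter, so a "no proposal found" failure would point elsewhere; the warnings list is what to fix once the tunnel is stable.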


  • 2.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-12-2015 09:40

    Hello,

    Do You have DPD enabled on Shrew client side?

    https://www.shrew.net/static/help-2.0.x/files/%7B02E59A39-242E-454C-AC78-B54E6E8C52F5%7D.htm

    What You have on SRX side is

            gateway t400-ike-gw {
                ike-policy t400-ike-policy;
                dynamic {
                    hostname vpn.example.com;
                    connections-limit 50;
                    ike-user-type shared-ike-id;
                }
                dead-peer-detection;

    and

    [May 12 22:48:35]Deleted (spi=0xba2670b1, protocol=ESP dst=10.90.3.25) entry from the peer hash table. Reason: VPN monitoring

    Please disable DPD on both sides, re-test and report back.

    HTH

    Thanks

    Alex



  • 3.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-12-2015 10:04

    @aarseniev

    Yes I did, disabled DPD on both sides, still dropping after a minute or two.

    @joses

    I'm aware. I was referring to the Shrew development side of things.

    Attachment(s): juniperlogs 2.txt (25 KB), shrewlogs 2.txt (23 KB)


  • 4.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-12-2015 10:57

    Hi there,

    Firstly, Your Shrew side timestamps are way off, which makes it extremely difficult to analyse:

    15/05/11 20:55:32 ii : received peer DELETE message
    15/05/11 20:55:32 ii : - 10.90.3.25:500 -> 10.90.3.53:500
    15/05/11 20:55:32 ii : - isakmp spi = 9db9e285a948b664:77011ca392420f1f

    Same from SRX side:

    [May 13 00:20:41]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [May 13 00:20:41]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [May 13 00:20:41]ike_sa_delete: Start, SA = { 9db9e285 a948b664 - 77011ca3 92420f1f }

    The timestamps are off by ~27.5 hours, which cannot be explained by timezone difference.

    If You want to be helped, please make it easier for others, not harder.

    Anyway, now You have a different problem, and Shrew is at fault because it ignores CFG messages and does not respond with anything at all, hence SRX deletes the IKE SA on no reply after 5 retransmits.

    SRX side:

    [May 13 00:19:51]ike_retransmit_callback: Start, retransmit SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2
    [May 13 00:19:51]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
    [May 13 00:20:01]ike_retransmit_callback: Start, retransmit SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2
    [May 13 00:20:01]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
    [May 13 00:20:11]ike_retransmit_callback: Start, retransmit SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2
    [May 13 00:20:11]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
    [May 13 00:20:21]ike_retransmit_callback: Start, retransmit SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2
    [May 13 00:20:21]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
    [May 13 00:20:31]ike_retransmit_callback: Start, retransmit SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2
    [May 13 00:20:31]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
    [May 13 00:20:41]ike_retransmit_callback: Start, retransmit SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2
    [May 13 00:20:41]ike_retransmit_callback: Isakmp query retry limit reached, deleting

    Shrew side:

    15/05/11 20:54:42 <- : recv IKE packet 10.90.3.25:500 -> 10.90.3.53:500 ( 92 bytes )
    15/05/11 20:54:42 DB : phase1 found
    15/05/11 20:54:42 ii : processing config packet ( 92 bytes )
    15/05/11 20:54:42 DB : config found
    15/05/11 20:54:42 !! : config packet ignored ( config already mature )
    15/05/11 20:54:52 <- : recv IKE packet 10.90.3.25:500 -> 10.90.3.53:500 ( 92 bytes )
    15/05/11 20:54:52 DB : phase1 found
    15/05/11 20:54:52 ii : processing config packet ( 92 bytes )
    15/05/11 20:54:52 DB : config found
    15/05/11 20:54:52 !! : config packet ignored ( config already mature )
    15/05/11 20:55:02 <- : recv IKE packet 10.90.3.25:500 -> 10.90.3.53:500 ( 92 bytes )
    15/05/11 20:55:02 DB : phase1 found
    15/05/11 20:55:02 ii : processing config packet ( 92 bytes )
    15/05/11 20:55:02 DB : config found
    15/05/11 20:55:02 !! : config packet ignored ( config already mature )
    15/05/11 20:55:12 <- : recv IKE packet 10.90.3.25:500 -> 10.90.3.53:500 ( 92 bytes )
    15/05/11 20:55:12 DB : phase1 found
    15/05/11 20:55:12 ii : processing config packet ( 92 bytes )
    15/05/11 20:55:12 DB : config found
    15/05/11 20:55:12 !! : config packet ignored ( config already mature )
    15/05/11 20:55:22 <- : recv IKE packet 10.90.3.25:500 -> 10.90.3.53:500 ( 92 bytes )
    15/05/11 20:55:22 DB : phase1 found
    15/05/11 20:55:22 ii : processing config packet ( 92 bytes )
    15/05/11 20:55:22 DB : config found
    15/05/11 20:55:22 !! : config packet ignored ( config already mature )

    A few minutes of Googling brought me this nugget, where the Shrew developer initially blames JNPR but then agrees to rewrite his own code:

    https://lists.shrew.net/pipermail/vpn-help/2012-December/009381.html

    HTH

    Thanks

    Alex
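An added example (not from the thread) that automates the correlation Alex did by hand: it parses the SRX trace and Shrew log lines quoted above, counts the unanswered retransmits and their interval, confirms both sides are talking about the same IKE SA, and computes the clock offset between the two logs. It assumes the SRX trace year is 2015, since those timestamps carry no year.

```python
"""Correlate the SRX IKE trace with the Shrew client log to show why the IKE SA was
deleted. Added example, not from the thread; sample lines are quoted from its logs."""
import re
from datetime import datetime

SRX_YEAR = 2015  # assumption: SRX trace timestamps carry no year

# SRX ike traceoptions lines quoted from the thread (retransmits of the CFG request).
SRX_LOG = """\
[May 13 00:19:51]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
[May 13 00:20:01]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
[May 13 00:20:11]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
[May 13 00:20:21]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
[May 13 00:20:31]ike_send_packet: Start, retransmit previous packet SA = { 9db9e285 a948b664 - 77011ca3 92420f1f}, nego = 2, dst = 10.90.3.53:500 routing table id = 0
[May 13 00:20:41]ike_retransmit_callback: Isakmp query retry limit reached, deleting
[May 13 00:20:41]ike_sa_delete: Start, SA = { 9db9e285 a948b664 - 77011ca3 92420f1f }
"""

# Shrew client log lines quoted from the thread (same SA, client's own clock).
SHREW_LOG = """\
15/05/11 20:54:42 !! : config packet ignored ( config already mature )
15/05/11 20:54:52 !! : config packet ignored ( config already mature )
15/05/11 20:55:02 !! : config packet ignored ( config already mature )
15/05/11 20:55:12 !! : config packet ignored ( config already mature )
15/05/11 20:55:22 !! : config packet ignored ( config already mature )
15/05/11 20:55:32 ii : received peer DELETE message
15/05/11 20:55:32 ii : - isakmp spi = 9db9e285a948b664:77011ca392420f1f
"""

SRX_RE = re.compile(r"^\[(\w{3} +\d{1,2} \d\d:\d\d:\d\d)\](.*)$")
SHREW_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \S+ : (.*)$")
SPI_RE = re.compile(r"SA = \{ (\w{8}) (\w{8}) - (\w{8}) (\w{8})\s*\}")

def parse_srx(text):
    """(timestamp, message) per SRX trace line; strptime needs the assumed year."""
    return [(datetime.strptime(f"{SRX_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2))
            for m in filter(None, map(SRX_RE.match, text.splitlines()))]

def parse_shrew(text):
    """(timestamp, message) per Shrew log line."""
    return [(datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S"), m.group(2))
            for m in filter(None, map(SHREW_RE.match, text.splitlines()))]

def analyze(srx_text, shrew_text):
    """Correlate both logs for one IKE SA and return the facts a diagnosis needs."""
    srx, shrew = parse_srx(srx_text), parse_shrew(shrew_text)
    sends = [ts for ts, msg in srx if msg.startswith("ike_send_packet: Start, retransmit")]
    gaps = [int((b - a).total_seconds()) for a, b in zip(sends, sends[1:])]
    srx_delete = [ts for ts, msg in srx if msg.startswith("ike_sa_delete: Start")]
    spi = next(("".join(m.group(1, 2)) + ":" + "".join(m.group(3, 4))
                for m in map(SPI_RE.search, [msg for _, msg in srx]) if m), None)
    client_spi = next((msg.split("=")[-1].strip() for _, msg in shrew if "isakmp spi =" in msg), None)
    client_delete = [ts for ts, msg in shrew if "received peer DELETE message" in msg]
    offset = None  # how far the client clock trails the SRX clock, in hours
    if srx_delete and client_delete:
        offset = round((srx_delete[0] - client_delete[0]).total_seconds() / 3600, 2)
    return {
        "ike_spi": spi,
        "spi_matches_client": spi is not None and spi == client_spi,
        "retransmits_sent": len(sends),
        "retransmit_interval_s": max(set(gaps), key=gaps.count) if gaps else None,
        "retry_limit_reached": any("retry limit reached" in msg for _, msg in srx),
        "sa_deleted": bool(srx_delete),
        "client_cfg_ignored": sum("config packet ignored" in msg for _, msg in shrew),
        "clock_offset_hours": offset,
    }

def diagnose(r):
    """One-line root cause from the correlated facts (empty string if no pattern)."""
    if not (r["retry_limit_reached"] and r["client_cfg_ignored"] and r["spi_matches_client"]):
        return ""
    return (f"client ignored {r['client_cfg_ignored']} CFG messages for SA {r['ike_spi']}; SRX "
            f"deleted it after {r['retransmits_sent']} unanswered retransmits {r['retransmit_interval_s']} s "
            f"apart; client clock trails the SRX by {r['clock_offset_hours']} h")
```

Run on the full attachments, the same functions give the retransmit count and interval for every deleted SA, so a recurring "retry limit reached" with a matching "config packet ignored" run on the client side is the signature to alert on rather than the generic "Terminated by Gateway".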

     

     

     



  • 5.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-12-2015 11:55

    Very sorry about that, Shrew is running on a VM right now so it tends to get thrown off. Either way...crud...and it doesn't look like there's gonna be a new version of Shrew coming out to fix the issue (I'm using the latest version). I take it you wouldn't know of any other linux/bsd command line programs that would be compatible?

    Thanks

    Tepafray



  • 6.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

     
    Posted 05-12-2015 12:29

    Hi,

    There is a somewhat dirty hack you could try: set the phase 1 key lifetime to 180 seconds or less. This forces a rekey every 3 minutes. Not very elegant, but maybe you can get it to work.

    Regards,

    Steven



  • 7.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-12-2015 12:40

    @Ianman

    Sadly I've already tried that to no avail. My connection drops before the rekey.

    Thanks

    Tepafray



  • 8.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-12-2015 12:50

    Hello,

    You can make Shrew compatible if You can live with static VPN client policy config on Shrew.

    This article has the working Shrew config

    http://www.networkredux.com/blog/platform-development/connecting-shrewsoft-vpn-client-juniper-srx

    Alternatively, there is a whole array of paid IPSec VPN clients, and free VPNC for Linux

    http://www.jlaundry.com/2014/juniper-srx-dynamic-vpn-with-vpnc-ubuntu-13-10/

    or You could use Racoon

    http://rtoodtoo.net/2011/08/03/ipsec-vpn-between-srx-and-linux/

    HTH

    Thanks

    Alex



  • 9.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

     
    Posted 05-12-2015 09:43

    Hello,

    Shrew Client is not an officially supported client by Juniper, so there are no specific bug fixes related to this particular client.

    But there are general bug fixes in the latest version of Junos.



  • 10.  RE: Shrew Tunnel "Terminated by Gateway" after a minute or two

    Posted 05-14-2015 10:39

    Hello Again

    First of all, thank you all for your help. I'm glad to say I managed to get a stable connection with strongSwan, of all things; I didn't even have to modify the Juniper side that much. Racoon I'd tried in the past with no luck getting much else than a "no proposals found" in return, and VPNC, while setting up and working quite nicely on Linux, quickly became a nightmare to get running correctly on FreeBSD. So yeah, right now I have PSK XAUTH working correctly and have now been tasked with upgrading to certificates. Once I get that up and running I'll be sure to see about posting what I can of my configs for everyone.

    Thanks

    Tepafray