SRX

  • 1.  Site to Site VPN with SRX and StrongSwan

    Posted 02-21-2013 06:09

    I have been working with an SRX650 in a lab trying to get various scenarios working.  I have one that I need to complete to finish up a project.  It's kicking my butt big time.  So there are three parts: Network Setup, Juniper Config, and StrongSwan ipsec.conf.  I am unable to get this past the proposal.

     

    Network is easy since it's a lab:

     

    Outside 172.16.206.0/24 - Juniper at 172.16.206.11 - Host at 172.16.206.50 (Host can ping and reach Juniper)

     

    Trusted Network on the inside is 10.168.205.0/24 - Juniper at 10.168.205.11

     

    J-WEB won't work so it's all command line.  Stops at the login screen.

     

    **************

    IPSEC.CONF

    **************

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        #authby=ecdsasig
        auth=esp
        #esp=aes256gcm16!
        #ike=aes256-sha2_384-ecp384!
        installpolicy=yes
        type=tunnel

    conn psk
        authby=psk
        left=%any
        leftid=172.20.206.50
        leftsubnet=172.20.206.0/24
        right=172.20.206.11
        rightid=172.20.206.11
        rightsubnet=10.168.205.0/24
        esp=aes256-sha256!
        ike=aes256-sha1-modp1024!
        auto=add

     

    *************

    Juniper Configuration with some logs at the end

    *************

     

    edit
    Entering configuration mode

    [edit]
    bart@219-AIS-S650-1# show
    ## Last changed: 2013-02-21 05:48:25 GMT
    version 12.1R4.7;
    groups {
        default-deny-template {
            security {
                policies {
                    from-zone <*> to-zone <*> {
                        policy defult-deny {
                            match {
                                source-address any;
                                destination-address any;
                                application any;
                            }
                            then {
                                deny;
                                log {
                                    session-init;
                                }
                            }
                        }
                    }
                }
            }
        }
        log-all-policies {
            security {
                policies {
                    from-zone <*> to-zone <*> {
                        policy <*> {
                            then {
                                log {
                                    session-init;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    system {
        host-name 219-AIS-S650-1;
        domain-name ainfosec.com;
        time-zone Europe/London;
        root-authentication {
            encrypted-password "$1$h7WHfMKK$5nlhbbGUl7LAYu9FkRXFl0"; ## SECRET-DATA
        }
        name-server {
            4.2.2.2;
            4.2.2.1;
        }
        login {
            user bart {
                full-name "Douglas";
                uid 2002;
                class super-user;
                authentication {
                    encrypted-password "$1$fXjpr4VB$DFWl6nFLgRVKtDm2i9uQc."; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            xnm-clear-text;
            web-management {
                management-url https://10.243.200.251/admin;
                https {
                    port 443;
                    system-generated-certificate;
                    interface ge-0/0/2.0;
                }
                session {
                    idle-timeout 1440;
                    session-limit 2;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        processes {
            idp-policy disable;
        }
        ntp {
            server 10.243.200.2 prefer;
        }
    }
    interfaces {
        ge-0/0/0 {
            mtu 8992;
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family inet {
                    address 172.20.206.11/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.168.205.11/24;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                description Management;
                family inet {
                    address 10.243.200.251/24;
                }
            }
        }
        ge-0/0/3 {
            disable;
            unit 0;
        }
        lo0 {
            unit 0 {
                family inet {
                    address 10.0.0.4/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    mtu 1500;
                }
            }
            unit 1 {
                family inet;
            }
        }
    }
    snmp {
        description Junkiper;
        location AIS;
        contact Douglas;
        community "WWNM!1i@";
    }
    security {
        pki {
            ca-profile sv_ca {
                ca-identity ais.ipsec.net;
                revocation-check {
                    disable;
                }
                administrator {
                    email-address "cashinp@ainfosec.com";
                }
            }
        }
        ike {
            traceoptions {
                file strong size 1m;
                flag policy-manager;
                flag ike;
                flag routing-socket;
            }
            proposal rsa-prop1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 86400;
            }
            policy ike-policy1 {
                mode main;
                pre-shared-key ascii-text "$9$12kISevMX-b28XkPQnpu8X7Nds"; ## SECRET-DATA
            }
            gateway ike-gate {
                ike-policy ike-policy1;
                address 0.0.0.0;
                external-interface ge-0/0/0.0;
                version v2-only;
            }
        }
        ipsec {
            proposal juniper_esp {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 86400;
            }
            policy vpn-policy1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals juniper_esp;
            }
            vpn ike-vpn {
                bind-interface st0.0;
                ike {
                    gateway ike-gate;
                    ipsec-policy vpn-policy1;
                }
                establish-tunnels on-traffic;
            }
        }
        flow {
            tcp-mss {
                ipsec-vpn;
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy vpn {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy vpn_o {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone untrust {
                apply-groups default-deny-template;
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address ic3e 10.168.205.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                address-book {
                    address jwics 172.20.206.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone manage {
                address-book {
                    address manage 10.243.200.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/2.0;
                }
            }
        }
    }

    [edit]
    bart@219-AIS-S650-1# exit
    Exiting configuration mode

    bart@219-AIS-S650-1> show log strong
    Feb 21 05:48:51 219-AIS-S650-1 clear-log[2192]: logfile cleared
    Feb 21 05:49:19 ikev2_packet_allocate: Allocated packet a25c00 from freelist
    Feb 21 05:49:19 ikev2_decode_packet: [a25c00/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
    Feb 21 05:49:19 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584872
    Feb 21 05:49:19 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584872
    Feb 21 05:49:19 ikev2_decode_packet: [a25c00/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
    Feb 21 05:49:19 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    Feb 21 05:49:19 ikev2_select_sa_reply: [a25c00/a6f400] Error: SA select failed: 14
    Feb 21 05:49:19 ikev2_state_error: [a25c00/a6f400] Negotiation failed because of error No proposal chosen (14)
    Feb 21 05:49:19 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
    Feb 21 05:49:19 IKE SA delete called for p1 sa 4584872 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
    Feb 21 05:49:19 iked_pm_p1_sa_destroy:  p1 sa 4584872 (ref cnt 0), waiting_for_del 0x0
    Feb 21 05:49:23 ikev2_packet_allocate: Allocated packet a26000 from freelist
    Feb 21 05:49:23 ikev2_decode_packet: [a26000/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
    Feb 21 05:49:23 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584873
    Feb 21 05:49:23 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584873
    Feb 21 05:49:23 ikev2_decode_packet: [a26000/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
    Feb 21 05:49:23 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    Feb 21 05:49:23 ikev2_select_sa_reply: [a26000/a6f400] Error: SA select failed: 14
    Feb 21 05:49:23 ikev2_state_error: [a26000/a6f400] Negotiation failed because of error No proposal chosen (14)
    Feb 21 05:49:23 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
    Feb 21 05:49:23 IKE SA delete called for p1 sa 4584873 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
    Feb 21 05:49:23 iked_pm_p1_sa_destroy:  p1 sa 4584873 (ref cnt 0), waiting_for_del 0x0
    Feb 21 05:49:30 ikev2_packet_allocate: Allocated packet a26400 from freelist
    Feb 21 05:49:30 ikev2_decode_packet: [a26400/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
    Feb 21 05:49:30 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584874
    Feb 21 05:49:30 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584874
    Feb 21 05:49:30 ikev2_decode_packet: [a26400/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
    Feb 21 05:49:30 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    Feb 21 05:49:30 ikev2_select_sa_reply: [a26400/a6f400] Error: SA select failed: 14
    Feb 21 05:49:30 ikev2_state_error: [a26400/a6f400] Negotiation failed because of error No proposal chosen (14)
    Feb 21 05:49:30 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
    Feb 21 05:49:30 IKE SA delete called for p1 sa 4584874 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
    Feb 21 05:49:30 iked_pm_p1_sa_destroy:  p1 sa 4584874 (ref cnt 0), waiting_for_del 0x0
    Feb 21 05:49:43 ikev2_packet_allocate: Allocated packet a26800 from freelist
    Feb 21 05:49:43 ikev2_decode_packet: [a26800/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
    Feb 21 05:49:43 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 4584875
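An added example (my own, not code from this thread or from Juniper): a small Python triage script for trace output in the format of the `show log strong` lines above. It counts the "IKE negotiation fail" lines per peer, IKE version and status, and classifies the request that preceded the first failure by its payload list. The sample log embedded in it is a constructed subset of the lines quoted in the post. The point it makes visible is that every failure here answers a packet carrying HDR, SA, KE, Nonce, which is the IKEv2 IKE_SA_INIT request; the ESP (phase 2) proposal is only exchanged later in IKE_AUTH, so an error at this stage lies in IKE SA proposal or gateway selection and cannot be an ESP proposal mismatch. The regexes and the IKE_SA_INIT heuristic are my assumptions about this log format, not a Juniper-documented schema.

```python
import re

# Constructed sample: a subset of the `show log strong` lines quoted in the post above.
SAMPLE_LOG = """\
Feb 21 05:49:19 ikev2_decode_packet: [a25c00/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
Feb 21 05:49:19 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
Feb 21 05:49:19 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
Feb 21 05:49:19 IKE SA delete called for p1 sa 4584872 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
Feb 21 05:49:23 ikev2_decode_packet: [a26000/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
Feb 21 05:49:23 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
Feb 21 05:49:23 IKE SA delete called for p1 sa 4584873 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
"""

# "IKE negotiation fail for local:A, remote:B IKEv2 with status: S"  (assumed format)
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) IKE negotiation fail for "
    r"local:(?P<local>[\d.]+), remote:(?P<remote>[\d.]+) (?P<ver>IKEv\d) "
    r"with status: (?P<status>.+?)\s*$"
)
# "ikev2_decode_packet: [...] Received packet: HDR, SA, KE, ..."  (assumed format)
PKT_RE = re.compile(r"Received packet: (?P<payloads>.+?)\s*$")

# An unencrypted request carrying all three of these is the IKE_SA_INIT exchange
# (a CREATE_CHILD_SA rekey also carries them, but only inside an SK payload).
IKE_SA_INIT_PAYLOADS = {"SA", "KE", "Nonce"}


def parse_failures(log_text):
    """Return one dict per 'IKE negotiation fail' line: ts, local, remote, ver, status."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_failures(log_text):
    """Group failures by (remote peer, IKE version, status) with a count and first/last time.
    The same status repeating every few seconds for one peer is the signature of a
    configuration mismatch rather than a transient network problem."""
    summary = {}
    for ev in parse_failures(log_text):
        key = (ev["remote"], ev["ver"], ev["status"])
        entry = summary.setdefault(key, {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        entry["count"] += 1
        entry["last"] = ev["ts"]
    return summary


def failing_exchange(log_text):
    """Classify the first decoded request by its payload list.
    Returns ('IKE_SA_INIT', payloads) when SA, KE and Nonce are all present, meaning the
    IKE SA (phase 1) proposal or gateway lookup failed before any ESP proposal was seen;
    otherwise ('OTHER', payloads), or ('UNKNOWN', []) if no decoded packet was logged."""
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            payloads = [p.strip() for p in m["payloads"].split(",")]
            stage = "IKE_SA_INIT" if IKE_SA_INIT_PAYLOADS <= set(payloads) else "OTHER"
            return stage, payloads
    return "UNKNOWN", []


if __name__ == "__main__":
    for (peer, ver, status), info in summarize_failures(SAMPLE_LOG).items():
        print(f"{peer} {ver}: {info['count']}x '{status}' "
              f"between {info['first']} and {info['last']}")
    print("failing exchange:", failing_exchange(SAMPLE_LOG))
```

Run against the full trace file (`show log strong | save` and copy it off the box) the same functions tell you at a glance how many peers are failing, with which status, and whether the failure is in the first exchange or later.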

     

     



  • 2.  RE: Site to Site VPN with SRX and StrongSwan

    Posted 02-21-2013 12:50

    I guess this isn't generating the interest that I would have suspected.  I will keep it up to date and if anyone wants to comment I would appreciate the effort.  I made a few changes to the configuration.  Not too many.  Logs are now a lot shorter.  I have taken the shorter log file as a step in the right direction.  Logs:

     

    Remember:  172.16.206.11 is the outside interface on the SRX
               172.16.206.50 is the client

     

    219-AIS-S650-1> show log strong
    Feb 21 12:42:26 219-AIS-S650-1 clear-log[1590]: logfile cleared
    Feb 21 12:42:33 ikev2_packet_allocate: Allocated packet a29c00 from freelist
    Feb 21 12:42:33 ikev2_decode_packet: [a29c00/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
    Feb 21 12:42:33 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 7229882
    Feb 21 12:42:33 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 7229882
    Feb 21 12:42:33 ikev2_decode_packet: [a29c00/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
    Feb 21 12:42:33 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    Feb 21 12:42:33 ikev2_select_sa_reply: [a29c00/a6f400] Error: SA select failed: 14
    Feb 21 12:42:33 ikev2_state_error: [a29c00/a6f400] Negotiation failed because of error No proposal chosen (14)
    Feb 21 12:42:33 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
    Feb 21 12:42:33 IKE SA delete called for p1 sa 7229882 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
    Feb 21 12:42:33 iked_pm_p1_sa_destroy:  p1 sa 7229882 (ref cnt 0), waiting_for_del 0x0
    Feb 21 12:43:15 ikev2_packet_allocate: Allocated packet a2a000 from freelist
    Feb 21 12:43:15 ikev2_decode_packet: [a2a000/a6f400] Setting ed pkt ctx from VR id 65535 to VR id 0)
    Feb 21 12:43:15 Received Unauthenticated notification payload NAT detection source IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 7229883
    Feb 21 12:43:15 Received Unauthenticated notification payload NAT detection destination IP from local:172.20.206.11 remote:172.20.206.50 IKEv2 for P1 SA 7229883
    Feb 21 12:43:15 ikev2_decode_packet: [a2a000/a6f400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)
    Feb 21 12:43:15 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    Feb 21 12:43:15 ikev2_select_sa_reply: [a2a000/a6f400] Error: SA select failed: 14
    Feb 21 12:43:15 ikev2_state_error: [a2a000/a6f400] Negotiation failed because of error No proposal chosen (14)
    Feb 21 12:43:15 IKE negotiation fail for local:172.20.206.11, remote:172.20.206.50 IKEv2 with status: No proposal chosen
    Feb 21 12:43:15 IKE SA delete called for p1 sa 7229883 (ref cnt 1) local:<none>, remote:172.20.206.50, IKEv2
    Feb 21 12:43:15 iked_pm_p1_sa_destroy:  p1 sa 7229883 (ref cnt 0), waiting_for_del 0x0

     

    -------------------------------

     

    I find it hard to understand which proposal isn't matching since both are called proposals; I might understand it better as phase 1 and phase 2, or if the debug had expected and received.  It could be that these match, but the proposal isn't referred to correctly in the configuration:

     

    ike proposal

     

    dh group 2

    encryption aes-256-cbc

    authentication sha-256

     

    ipsec proposal

     

    encryption aes-256-cbc

    authentication hmac-sha-256-128

     

    ipsec.conf

     

    esp=aes256-sha256!
    ike=aes256-sha256-modp1024!

    Will be back at it tomorrow. 
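To answer the "which proposal isn't matching" question offline, here is an added Python example (mine, not from this thread, strongSwan or Juniper) that normalises strongSwan `ike=`/`esp=` strings and Junos `security ike proposal` / `security ipsec proposal` values into one neutral form and reports the differing fields. It is fed the two configurations posted in this thread: the original post's values (ike=aes256-sha1-modp1024 against sha-256 on the SRX, esp=aes256-sha256 against hmac-sha1-96) and the revised ones in this post. The algorithm tables are my own mapping of the keywords that appear here plus a few common ones, not either product's full catalogue, and treating the PFS group as outside the initial CHILD_SA comparison is my reading of IKEv2, so both are assumptions. The result: the original configuration differs in the integrity algorithm on both the IKE and the ESP side, while the revised pair matches on every field, which means the "No proposal chosen" still logged above has to come from something other than the algorithm lists (post 4 below reports fixing it by pinning the gateway address and setting a local-identity).

```python
# Neutral names for algorithms so strongSwan and Junos spellings can be compared.
# These tables are my own mapping (assumption) of the keywords used in the thread plus a
# few common ones; they are not either product's complete catalogue.
SWAN_ENC = {"aes128": "aes-128-cbc", "aes192": "aes-192-cbc",
            "aes256": "aes-256-cbc", "3des": "3des-cbc"}
SWAN_INTEG = {"md5": "hmac-md5-96", "sha1": "hmac-sha1-96", "sha256": "hmac-sha256-128",
              "sha384": "hmac-sha384-192", "sha512": "hmac-sha512-256"}
SWAN_DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "ecp256": 19, "ecp384": 20}

JUNOS_ENC = {"aes-128-cbc": "aes-128-cbc", "aes-192-cbc": "aes-192-cbc",
             "aes-256-cbc": "aes-256-cbc", "3des-cbc": "3des-cbc"}
# 'security ike proposal authentication-algorithm' (IKE integrity / PRF)
JUNOS_IKE_AUTH = {"md5": "hmac-md5-96", "sha1": "hmac-sha1-96",
                  "sha-256": "hmac-sha256-128", "sha-384": "hmac-sha384-192"}
# 'security ipsec proposal authentication-algorithm' (ESP integrity)
JUNOS_IPSEC_AUTH = {"hmac-md5-96": "hmac-md5-96", "hmac-sha1-96": "hmac-sha1-96",
                    "hmac-sha-256-128": "hmac-sha256-128"}
JUNOS_DH = {"group2": 2, "group5": 5, "group14": 14, "group19": 19, "group20": 20}

FIELDS = ("encryption", "integrity", "dh_group")


def parse_swan(spec):
    """Parse a strongSwan ike=/esp= string such as 'aes256-sha1-modp1024!' into a list of
    (encryption, integrity, dh_group) alternatives; dh_group is None when absent.
    The trailing '!' (strict mode) is dropped: it limits which proposals are accepted
    but does not change what they are."""
    alternatives = []
    for alt in spec.rstrip("!").split(","):
        parts = alt.strip().split("-")
        dh = SWAN_DH[parts[2]] if len(parts) > 2 else None
        alternatives.append((SWAN_ENC[parts[0]], SWAN_INTEG[parts[1]], dh))
    return alternatives


def junos_ike(encryption, authentication, dh_group):
    """Normalise a 'security ike proposal' (encryption-algorithm, authentication-algorithm,
    dh-group) into the neutral (encryption, integrity, dh_group) form."""
    return (JUNOS_ENC[encryption], JUNOS_IKE_AUTH[authentication], JUNOS_DH[dh_group])


def junos_ipsec(encryption, authentication, pfs_group=None):
    """Normalise a 'security ipsec proposal' plus the ipsec policy's
    perfect-forward-secrecy group (None when PFS is not configured)."""
    return (JUNOS_ENC[encryption], JUNOS_IPSEC_AUTH[authentication],
            JUNOS_DH[pfs_group] if pfs_group else None)


def find_mismatch(swan_alternatives, junos_proposal, compare_dh=True):
    """Return None when some strongSwan alternative equals the Junos proposal. Otherwise
    return, for every alternative, the differing fields as {field: (strongswan, junos)}.
    For ESP the third field is the PFS group, which is only negotiated on CHILD_SA rekeys
    and not in the initial IKE_AUTH exchange (my reading of IKEv2), so callers skip it
    with compare_dh=False."""
    n = 3 if compare_dh else 2
    report = []
    for alt in swan_alternatives:
        diffs = {FIELDS[i]: (alt[i], junos_proposal[i])
                 for i in range(n) if alt[i] != junos_proposal[i]}
        if not diffs:
            return None
        report.append(diffs)
    return report


def check_thread_configs():
    """Compare the two configurations posted in this thread (values taken from the posts)."""
    return {
        # Post 1: ike=aes256-sha1-modp1024! vs. proposal rsa-prop1 (aes-256-cbc, sha-256, group2)
        "post1_ike": find_mismatch(parse_swan("aes256-sha1-modp1024!"),
                                   junos_ike("aes-256-cbc", "sha-256", "group2")),
        # Post 1: esp=aes256-sha256! vs. proposal juniper_esp (aes-256-cbc, hmac-sha1-96), PFS group2
        "post1_esp": find_mismatch(parse_swan("aes256-sha256!"),
                                   junos_ipsec("aes-256-cbc", "hmac-sha1-96", "group2"),
                                   compare_dh=False),
        # Post 2: both sides moved to sha256 / hmac-sha-256-128
        "post2_ike": find_mismatch(parse_swan("aes256-sha256-modp1024!"),
                                   junos_ike("aes-256-cbc", "sha-256", "group2")),
        "post2_esp": find_mismatch(parse_swan("aes256-sha256!"),
                                   junos_ipsec("aes-256-cbc", "hmac-sha-256-128", "group2"),
                                   compare_dh=False),
    }


if __name__ == "__main__":
    for name, result in check_thread_configs().items():
        print(name, "OK" if result is None else result)
```

The comparison is deliberately field-by-field: a single differing transform (here the integrity algorithm) is enough for the responder to reject the whole proposal, and the SRX trace only reports the aggregate "No proposal chosen", so doing the diff yourself is the quickest way to see which field it was.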



  • 3.  RE: Site to Site VPN with SRX and StrongSwan

    Posted 02-22-2013 06:25

    It seems like this would be pretty simple but I haven't been able to get past the ike proposal.  Seems simple enough: set both sides for encryption aes-256 and a hash at sha256.  So I figured I would play with this a bit.  So I set the encryption and hash at various settings.  Still get the same.  No ike proposal.  Is there any way to debug so that you can see why it isn't matching?  Not sure anyone will answer so I will keep looking.



  • 4.  RE: Site to Site VPN with SRX and StrongSwan
    Best Answer

    Posted 02-26-2013 09:58

    I worked on this off and on yesterday.  I have figured out some things.  Had to set:

     

    ike-policy ike-policy1;
    address 172.20.206.50;
    local-identity inet 172.20.206.11;

     

    Now it works.   It is my understanding that dynamic tunnels are not supported?  And that was what I was trying to do.  Since nobody responded I guess nobody is trying to setup dynamic site to site with StrongSwan.



  • 5.  RE: Site to Site VPN with SRX and StrongSwan

    Posted 08-26-2014 06:22

    Put st0 in security zone and it will work.



  • 6.  RE: Site to Site VPN with SRX and StrongSwan

    Posted 07-20-2015 03:23

    I'm trying to do the same thing and having exactly the same problem.  Changing "dynamic" to a fixed address did establish the VPN connection. Can anyone help???



  • 7.  RE: Site to Site VPN with SRX and StrongSwan

    Posted 07-21-2015 18:55

    OK I figured it out. The problem is IKEv2. If I change it to v1 it works. 

     

    On SRX under security ike gateway, 

    version v1-only;

     

    Strongswan side:

    keyexchange=ikev1

     

    Hope this would help someone else in future.