SRX Services Gateway
Visitor
djk80172
Posts: 8
Registered: ‎03-09-2011
0

Testing SRX210 IPsec with IxVPN

Hello:

I'm trying to test IPsec scalability on the SRX210 and I'm having some problems getting the desired traffic to go across the IPsec VPN tunnel.

I currently have an SRX210 connected to two IXIA ports.  The IxVPN application has correctly set up the emulated gateways and protected hosts, etc.

All the tunnels I configure are coming up fine.  I see the correct number of IKE and IPsec tunnels in the "show security ike security-associations" and "show security ipsec security-associations" outputs.

When the IXIA sends encrypted packets to the SRX210 it properly decrypts and forwards the packets as expected.  However, when the IXIA sends traffic in the other direction, the SRX210 is not encrypting the traffic (so it is not putting it into the secure tunnel).

I have a static route configured to point this traffic to st0.0, but for some reason the route is not active.  Yet the st0.0 interface is showing UP UP.


[edit]
Devin@SRX210-2# show routing-options static route 40.0.0.0/16 
next-hop st0.0;
[edit]
Devin@SRX210-2# run show route 40/8 

[edit]
Devin@SRX210-2#


Does anyone know why this route won't become active?  I have this working just fine between two other Juniper routers, so I'm not sure why the SRX isn't properly sending traffic through the st0.0 interface as expected.

Anyone have any ideas, or has anyone had experience getting IPsec traffic to work both ways on an SRX210 when testing with IxVPN?

Thanks,

Devin Kennedy
Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: Testing SRX210 IPsec with IxVPN

I haven't worked with the IXIA products; however, if you could post your SRX config we can take a look and make sure nothing is missing or seems to be configured incorrectly.

Off the top of my head, have you made sure the st0.0 interface is bound to the correct VPN?

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Visitor
djk80172
Posts: 8
Registered: ‎03-09-2011
0

Re: Testing SRX210 IPsec with IxVPN

Sure.  Here is the configuration I'm using on the SRX210:

The Ixia private port is connected to ge-0/0/0 and the Ixia public port is connected to ge-0/0/1.

[edit]
Devin@SRX210-2# show interfaces 
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.100.7.1/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 10.10.1.1/16;
        }
    }
}
fe-0/0/7 {
    unit 0 {
        family inet {
            address 192.168.15.51/24;
        }
    }
}
lo0 {
    hold-time up 0 down 2000;
    unit 0 {
        family inet {
            inactive: filter {
                input protect-RE;       
            }
            address 180.1.1.7/32 {
                primary;
            }
            address 180.1.1.120/32;
        }
    }
}
st0 {
    unit 0 {
        multipoint;
        family inet;
    }
}
[edit]
Devin@SRX210-2# show routing-options 
static {
    route 50.0.0.0/16 next-hop 10.10.1.2;
    route 60.0.0.0/16 next-hop 10.100.7.2;
    route 40.0.0.0/16 next-hop st0.0;
    route 0.0.0.0/0 next-hop 10.10.1.2;
}
autonomous-system 65000;
[edit]
Devin@SRX210-2# show security 
ike {
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm aes-256-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$7FdwgGDkTz6oJz69A1INdb"; ## SECRET-DATA
    }
    gateway test2 {
        ike-policy ike-phase1-policy;
        address 50.0.0.2;
        external-interface ge-0/0/1;
    }
    gateway test3 {
        ike-policy ike-phase1-policy;
        address 50.0.0.3;
        external-interface ge-0/0/1;
    }
    gateway test4 {
        ike-policy ike-phase1-policy;
        address 50.0.0.4;
        external-interface ge-0/0/1;
    }
    gateway test5 {
        ike-policy ike-phase1-policy;
        address 50.0.0.5;
        external-interface ge-0/0/1;
    }
    gateway test6 {
        ike-policy ike-phase1-policy;
        address 50.0.0.6;
        external-interface ge-0/0/1;
    }
    gateway test7 {                     
        ike-policy ike-phase1-policy;
        address 50.0.0.7;
        external-interface ge-0/0/1;
    }
    gateway test8 {
        ike-policy ike-phase1-policy;
        address 50.0.0.8;
        external-interface ge-0/0/1;
    }
    gateway test9 {
        ike-policy ike-phase1-policy;
        address 50.0.0.9;
        external-interface ge-0/0/1;
    }
    gateway test10 {
        ike-policy ike-phase1-policy;
        address 50.0.0.10;
        external-interface ge-0/0/1;
    }
}
ipsec {
    inactive: vpn-monitor-options {
        interval 15;
        threshold 15;
    }
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
    }
    policy ipsec-phase2-policy {
        proposals ipsec-phase2-proposal;
    }
    vpn test2 {
        bind-interface st0.0;
        ike {
            gateway test2;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test3 {
        bind-interface st0.0;
        ike {
            gateway test3;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test4 {
        bind-interface st0.0;
        ike {
            gateway test4;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test5 {
        bind-interface st0.0;
        ike {
            gateway test5;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test6 {
        bind-interface st0.0;
        ike {
            gateway test6;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test7 {
        bind-interface st0.0;
        ike {
            gateway test7;
            ipsec-policy ipsec-phase2-policy;
        }                               
        establish-tunnels immediately;
    }
    vpn test8 {
        bind-interface st0.0;
        ike {
            gateway test8;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test9 {
        bind-interface st0.0;
        ike {
            gateway test9;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test10 {
        bind-interface st0.0;
        ike {
            gateway test10;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
}
zones {
    security-zone trust {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                any-service;
            }
            protocols {
                all;
            }
        }
        interfaces {
            all;
        }                               
    }
}
policies {
    default-policy {
        permit-all;
    }
}
alg {
    dns disable;
    ftp disable;
    h323 disable;
    mgcp disable;
    msrpc disable;
    sunrpc disable;
    real disable;
    rsh disable;
    rtsp disable;
    sccp disable;
    sip disable;
    sql disable;
    talk disable;
    tftp disable;
    pptp disable;
}
flow {
    allow-dns-reply;
    tcp-session {
        no-syn-check;
        no-syn-check-in-tunnel;
        no-sequence-check;
    }
}

 

Devin Kennedy
Visitor
djk80172
Posts: 8
Registered: ‎03-09-2011
0

Re: Testing SRX210 IPsec with IxVPN

Just to let you all know, I got this working by creating individual units on the st0 interface and setting static routes accordingly.  From what I have read, it looks like to use multipoint you have to configure next-hop tunnels, which I did not want to do in this case.  Now I'm seeing traffic going through the tunnels as expected.

The configuration change I made is below:

[edit]
Devin@SRX210-2# show routing-options 
static {
    route 50.0.0.0/16 next-hop 10.10.1.2;
    route 60.0.0.0/16 next-hop 10.100.7.2;
    route 0.0.0.0/0 next-hop 10.10.1.2;
    route 40.0.1.0/24 next-hop st0.1;
    route 40.0.2.0/24 next-hop st0.2;
    route 40.0.3.0/24 next-hop st0.3;
    route 40.0.4.0/24 next-hop st0.4;
    route 40.0.5.0/24 next-hop st0.5;
    route 40.0.6.0/24 next-hop st0.6;
    route 40.0.7.0/24 next-hop st0.7;
    route 40.0.8.0/24 next-hop st0.8;
    route 40.0.9.0/24 next-hop st0.9;
    route 40.0.10.0/24 next-hop st0.10;
}
autonomous-system 65000;
[edit]
Devin@SRX210-2# show interfaces st0 
unit 1 {
    family inet;
}
unit 2 {
    family inet;
}
unit 3 {
    family inet;
}
unit 4 {
    family inet;
}
unit 5 {
    family inet;
}
unit 6 {
    family inet;
}
unit 7 {
    family inet;
}
unit 8 {
    family inet;
}
unit 9 {
    family inet;
}
unit 10 {
    family inet;
}
[edit]
Devin@SRX210-2# show security ike 
proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm aes-256-cbc;
}
policy ike-phase1-policy {
    mode main;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "$9$7FdwgGDkTz6oJz69A1INdb"; ## SECRET-DATA
}
gateway test1 {
    ike-policy ike-phase1-policy;
    address 50.0.0.1;
    external-interface ge-0/0/1;
}
gateway test2 {
    ike-policy ike-phase1-policy;
    address 50.0.0.2;
    external-interface ge-0/0/1;
}
gateway test3 {
    ike-policy ike-phase1-policy;
    address 50.0.0.3;
    external-interface ge-0/0/1;
}
gateway test4 {
    ike-policy ike-phase1-policy;
    address 50.0.0.4;
    external-interface ge-0/0/1;
}
gateway test5 {
    ike-policy ike-phase1-policy;
    address 50.0.0.5;
    external-interface ge-0/0/1;
}
gateway test6 {
    ike-policy ike-phase1-policy;
    address 50.0.0.6;
    external-interface ge-0/0/1;
}
gateway test7 {                         
    ike-policy ike-phase1-policy;
    address 50.0.0.7;
    external-interface ge-0/0/1;
}
gateway test8 {
    ike-policy ike-phase1-policy;
    address 50.0.0.8;
    external-interface ge-0/0/1;
}
gateway test9 {
    ike-policy ike-phase1-policy;
    address 50.0.0.9;
    external-interface ge-0/0/1;
}
gateway test10 {
    ike-policy ike-phase1-policy;
    address 50.0.0.10;
    external-interface ge-0/0/1;
}
[edit]
Devin@SRX210-2# show security ipsec  
inactive: vpn-monitor-options {
    interval 15;
    threshold 15;
}
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec-phase2-policy {
    proposals ipsec-phase2-proposal;
}
vpn test1 {
    bind-interface st0.1;
    ike {
        gateway test1;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test2 {
    bind-interface st0.2;
    ike {
        gateway test2;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test3 {
    bind-interface st0.3;
    ike {
        gateway test3;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test4 {
    bind-interface st0.4;
    ike {
        gateway test4;
        ipsec-policy ipsec-phase2-policy;
    }                                   
    establish-tunnels immediately;
}
vpn test5 {
    bind-interface st0.5;
    ike {
        gateway test5;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test6 {
    bind-interface st0.6;
    ike {
        gateway test6;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test7 {
    bind-interface st0.7;
    ike {
        gateway test7;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test8 {
    bind-interface st0.8;
    ike {
        gateway test8;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test9 {
    bind-interface st0.9;
    ike {
        gateway test9;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;      
}
vpn test10 {
    bind-interface st0.10;
    ike {
        gateway test10;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}

 

Devin Kennedy
Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009
0

Re: Testing SRX210 IPsec with IxVPN

Yeah, you figured it out.  Multipoint route-based VPNs use Next Hop Tunnel Binding, which can be done automatically between Juniper devices, or manually by configuring the next-hop bindings.  It's only a couple of commands to do it, so it's really not that much extra work.

I'm actually surprised you got all those tunnels to work as unnumbered st0 interfaces sharing a single physical egress interface.  I've never tried to do more than 1 shared tunnel as unnumbered interfaces.  Interesting.

A quick note: in the future it would be good if you use the "Insert Code" button to paste config snippets, and for really long configurations or snippets, attach them as a file to the post.  It makes reading through stuff much, much easier.

Glad you got it working.  I'd be interested to know how your load testing turns out; please report back your findings!

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
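The two working layouts described in this thread (one point-to-point st0 unit per VPN with a route per unit, or a shared multipoint st0 unit with next-hop tunnel bindings) are easy to get wrong when a config is generated for many tunnels. The following Python lint is an added example, not code from this thread or from Juniper: it reads a Junos "set"-style config and reports VPNs bound to a multipoint st0 unit that lack a next-hop-tunnel entry, point-to-point units shared by more than one VPN, and static routes pointed at an st0 unit that cannot become active. The three sample configs are constructed from the thread; the form of the static NHTB statement ("next-hop-tunnel <peer-st0-address> ipsec-vpn <vpn>") and the 10.200.0.0/24 st0 addressing in the third sample are assumptions, not taken from the thread.

```python
import re
from collections import defaultdict

# The handful of 'set' statements the check cares about.
BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$")
UNIT_RE = re.compile(r"^set interfaces st0 unit (\d+)\b")
MULTIPOINT_RE = re.compile(r"^set interfaces st0 unit (\d+) multipoint$")
# Static NHTB entry; statement form is an assumption for this example.
NHTB_RE = re.compile(
    r"^set interfaces st0 unit (\d+) family inet next-hop-tunnel (\S+) ipsec-vpn (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")


def parse(config_text):
    """Collect st0 units, multipoint flags, VPN bindings, NHTB entries and static routes."""
    units, multipoint, bindings, nhtb, routes = set(), set(), {}, defaultdict(set), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := UNIT_RE.match(line):
            units.add("st0." + m.group(1))
        if m := MULTIPOINT_RE.match(line):
            multipoint.add("st0." + m.group(1))
        if m := BIND_RE.match(line):
            bindings[m.group(1)] = m.group(2)
        if m := NHTB_RE.match(line):
            nhtb["st0." + m.group(1)].add(m.group(3))
        if m := ROUTE_RE.match(line):
            routes.append((m.group(1), m.group(2)))
    return units, multipoint, bindings, nhtb, routes


def check_st0_bindings(config_text):
    """Return a list of findings; an empty list means the config avoids the st0 pitfalls."""
    units, multipoint, bindings, nhtb, routes = parse(config_text)
    findings = []
    per_unit = defaultdict(list)
    for vpn, unit in bindings.items():
        per_unit[unit].append(vpn)
        if unit not in units:
            findings.append(f"{vpn}: bind-interface {unit} is not configured under interfaces")
    for unit, vpns in sorted(per_unit.items()):
        if unit in multipoint:
            # Shared multipoint unit: every bound VPN needs a next-hop tunnel binding.
            for vpn in sorted(vpns):
                if vpn not in nhtb[unit]:
                    findings.append(f"{vpn}: bound to multipoint {unit} without a next-hop-tunnel binding")
        elif len(vpns) > 1:
            # Point-to-point unit: one VPN per unit, as in the poster's fix.
            findings.append(f"{unit}: point-to-point st0 unit bound to {len(vpns)} VPNs ({', '.join(sorted(vpns))})")
    for prefix, nh in routes:
        if not nh.startswith("st0."):
            continue  # next-hop is an address; NHTB resolves it, nothing to check here
        if nh not in per_unit:
            findings.append(f"route {prefix}: next-hop {nh} has no VPN bound to it")
        elif nh in multipoint and not nhtb[nh]:
            findings.append(f"route {prefix}: next-hop {nh} is multipoint with no next-hop-tunnel bindings, route will not become active")
    return findings


# Constructed sample 1: the thread's original layout, one multipoint unit shared by
# several VPNs and a summary route pointed at it (trimmed to three VPNs).
ORIGINAL = """
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet
set security ipsec vpn test2 bind-interface st0.0
set security ipsec vpn test3 bind-interface st0.0
set security ipsec vpn test4 bind-interface st0.0
set routing-options static route 40.0.0.0/16 next-hop st0.0
"""

# Constructed sample 2: the poster's fix, one point-to-point unit and one /24 route per VPN.
PER_UNIT = """
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet
set interfaces st0 unit 4 family inet
set security ipsec vpn test2 bind-interface st0.2
set security ipsec vpn test3 bind-interface st0.3
set security ipsec vpn test4 bind-interface st0.4
set routing-options static route 40.0.2.0/24 next-hop st0.2
set routing-options static route 40.0.3.0/24 next-hop st0.3
set routing-options static route 40.0.4.0/24 next-hop st0.4
"""

# Constructed sample 3: keeping the shared multipoint unit but adding static NHTB entries.
# The 10.200.0.0/24 st0 addresses and the next-hop-tunnel statement form are assumptions.
NHTB = """
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.200.0.1/24
set interfaces st0 unit 0 family inet next-hop-tunnel 10.200.0.2 ipsec-vpn test2
set interfaces st0 unit 0 family inet next-hop-tunnel 10.200.0.3 ipsec-vpn test3
set interfaces st0 unit 0 family inet next-hop-tunnel 10.200.0.4 ipsec-vpn test4
set security ipsec vpn test2 bind-interface st0.0
set security ipsec vpn test3 bind-interface st0.0
set security ipsec vpn test4 bind-interface st0.0
set routing-options static route 40.0.2.0/24 next-hop 10.200.0.2
set routing-options static route 40.0.3.0/24 next-hop 10.200.0.3
set routing-options static route 40.0.4.0/24 next-hop 10.200.0.4
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("per-unit", PER_UNIT), ("nhtb", NHTB)):
        print(name, check_st0_bindings(cfg) or ["ok"])
```

Run against the first sample it reports one missing binding per VPN plus the inactive summary route, which is the symptom the thread started with; the other two samples come back clean. The check deliberately works on "show configuration | display set" style text rather than the curly-brace form posted above, so it can sit in a pre-commit script that pulls the candidate config with that command.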
Visitor
msch00ley
Posts: 8
Registered: ‎08-23-2011
0

Re: Testing SRX210 IPsec with IxVPN

Similar situation, but going to Cisco, where the same host needs to reach multiple hosts on my network, so my proxy identity pairs all have the same remote, therefore making my routes the same.  So instead of

40.0.1.0 to st0.1

40.0.2.0 to st0.2 etc.

I really need to go

40.0.1.0 to st0.1

40.0.1.0 to st0.2, but need to differentiate by source address.  I guess I am going to have to use policy VPN.  Hope I can still do outbound NAT.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.