SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  The srx550 VPN connection issue

    Posted 11-12-2013 07:01

    Hi,

    I am trying to set up a site-to-site VPN (policy-based VPN) between the SRX550 and our branch Fortigate firewall.

    I have done the connection based on the below link:

    http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-policy-based-vpn-configuring.html#jd0e1615

    Now the issue is: internal users behind the SRX550 cannot access the resources in the branch office behind the Fortigate firewall, but end users behind the Fortigate firewall can access the resources behind the SRX550 firewall.


    Both firewalls have security policies created to access the opposite site's internal resources.

    Refer to the information below that I took from my SRX550.

    root@FW# run show security ike security-associations      
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address    
    216402  UP     25538ef1ff0e1247  d4de05e93fa56d98  Main           Hidden here  
     
    
    root@FW# run show security ike security-associations index 216402 detail 
    IKE peer xx.xx.xx.xx, Index 216402, Gateway Name: Wuxi-Office-Gateway
      Role: Responder, State: UP
      Initiator cookie: 25538ef1ff0e1247, Responder cookie: d4de05e93fa56d98
      Exchange type: Main, Authentication method: Pre-shared-keys
      Local: XXX.XXX.XXX.XXX:500, Remote: 5XX.XXX.XX.XX:500
      Lifetime: Expires in 76315 seconds
      Peer ike-id: XXX.XXX.XX.XXX
      Xauth assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha1-96 
       Encryption            : 3des-cbc
       Pseudo random function: hmac-sha1
       Diffie-Hellman group  : DH-group-2
      Traffic statistics:
       Input  bytes  :               187380
       Output bytes  :               171744
       Input  packets:                 2032
       Output packets:                 2040
      Flags: IKE SA is created 
      IPSec security associations: 4 created, 0 deleted
      Phase 2 negotiations in progress: 0
    
        Negotiation type: Quick mode, Role: Responder, Message ID: 0
        Local: XXX.XXX.XX.XXX:500, Remote: XXX.XXX.XX.XXX:500
        Local identity: XXX.XXX.XX.XXX
        Remote identity: XXX.XXX.XX.XXX
        Flags: IKE SA is created
    
    
    root@FW# run show security ipsec security-associations   
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
      <2    ESP:3des/sha1   9ff32e2  2189/ unlim   -   root 500   xx.xx.xx.xx   
      >2    ESP:3des/sha1   ba7501ed 2189/ unlim   -   root 500   xx.xx.xx.xx 
    
    
    root@FW# run show security ipsec security-associations index 2 detail    
      ID: 2 Virtual-system: root, VPN Name: Wuxi-Office
      Local Gateway: xx.xx.xx.xx, Remote Gateway: xx.xx.xx.xx
      Local Identity: ipv4_subnet(any:0,[0..7]=192.168.11.0/24)
      Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.7.0/24)
      Version: IKEv1
        DF-bit: clear
        Policy-name: Wuxi-office-Outbound
      Port: 500, Nego#: 8, Fail#: 0, Def-Del#: 0 Flag: 600821 
      Tunnel Down Reason: Lifetime expired
        Direction: inbound, SPI: 9ff32e2, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 2060 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 1422 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
        Anti-replay service: disabled
        Direction: outbound, SPI: ba7501ed, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 2060 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 1422 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
        Anti-replay service: disabled

     Thanks.



  • 2.  RE: The srx550 VPN connection issue

     
    Posted 11-12-2013 21:02

    Just the IKE and IPsec SA details do not suffice.

    Since it is a policy-based VPN, I reckon you might not have a policy configured for traffic from users behind the SRX to users behind the Fortigate.

    At this point, complete SRX configuration is required.

     

    Regards,

    Raveen



  • 3.  RE: The srx550 VPN connection issue

    Posted 11-12-2013 21:59

    Hi,
    The policy is configured from users behind the SRX to users behind the Fortigate.

    To take an example, the subnet behind the SRX550 is 192.168.11.0/24 and the subnet behind the Fortigate firewall is 192.168.7.0/24.

    The result: using ping (ping 192.168.11.1) from a PC behind the Fortigate will work.
                        Using ping (ping 192.168.7.1) from a PC behind the SRX550 will not work.

    The services are opened on both firewalls.

    [edit security ike]
    root@FW# show
    proposal Wuxi-Office-PSK {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    policy Wuxi-Office-Static {
        mode main;
        proposals Wuxi-Office-PSK;
        pre-shared-key ascii-text "$9$mP5Q/Cu01h9CK8Lx-d24aUDkmfQ/9pIEbY"; ## SECRET-DATA
    }
    gateway Wuxi-Office-Gateway {
        ike-policy Wuxi-Office-Static;
        address XX.XX.XX.XX;
        dead-peer-detection {
            interval 10;
            threshold 3;
        }
        external-interface ge-0/0/6.0;
    }
    
    
    
    [edit security ipsec]
    root@FW# show
    proposal Wuxi-Office-Client {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy Wuxi-Office-Client {
        proposals Wuxi-Office-Client;
    }
    vpn Wuxi-Office {
        df-bit clear;
        ike {
            gateway Wuxi-Office-Gateway;
            no-anti-replay;
            ipsec-policy Wuxi-Office-Client;
        }
        establish-tunnels immediately;
    }
    
    
    root@FW# show policy Wuxi-office-Outbound
    match {
        source-address 192.168.11.0/24;
        destination-address 192.168.7.0/24;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn Wuxi-Office;
                pair-policy Wuxi-Office-Inbound;
            }
        }
        log {
            session-close;
        }
    }
    
    
    root@FW# show policy Wuxi-Office-Inbound
    match {
        source-address 192.168.7.0/24;
        destination-address 192.168.11.0/24;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn Wuxi-Office;
                pair-policy Wuxi-office-Outbound;
            }
        }
        log {
            session-close;
        }
    }
    
    
    
    root@FW# show nat source
    rule-set trust-to-untrust {
        from zone trust;
        to zone untrust;
        rule source-nat-rule {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
    
    
    


  • 4.  RE: The srx550 VPN connection issue

     
    Posted 11-12-2013 22:55

    Would it be possible for you to attach complete configuration or RSI?

     

    Regards,

    Raveen



  • 5.  RE: The srx550 VPN connection issue

    Posted 11-13-2013 00:40

    Hi,

     

    Refer to the complete one below.

     

    I also tried to do the VPN connection to another branch of ours using a Juniper SSG320M, and the result is the same.

    Users behind the SSG320M can access the resources behind the SRX550.
    Users behind the SRX550 cannot access the resources behind the SSG320M.

    root@FW> show configuration | no-more
    ## Last commit: 2013-11-13 16:11:27 SGT by root
    version 12.1X44.3;
    system {
        host-name FW;
        domain-name X.X.X;
        time-zone Asia/Singapore;
        root-authentication {
            encrypted-password "$1$67wKToyX$NZCCn0nihL3qGdJoqGQvf"; ## SECRET-DATA
        }
        name-server {
            192.168.0.10;
            192.168.0.13;
        }
        login {
            user peilin {
                uid 2000;
                class operator;
                authentication {
                    encrypted-password "$1$l1gxONSa$PRgNQBuZeJCFWwI5.1530"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                https {
                    system-generated-certificate;
                    interface [ vlan.0 ge-0/0/1.0 ge-0/0/6.0 ge-0/0/2.0 ];
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            boot-server 203.174.83.202;
            server 27.114.150.10;
            server 123.108.200.163;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    filter {
                        input-list classify;
                    }
                    address 192.168.0.1/24;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 192.168.11.1/24;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family inet {
                    address 192.168.8.1/24;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 192.168.50.1/24;
                }
            }
        }
        ge-0/0/6 {
            per-unit-scheduler;
            unit 0 {
                family inet {
                    address XXX.XXX.XX.155/28;
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
                family inet6;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.120.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop XXX.XXX.XX.145;
        }
    }
    protocols {
        stp;
    }
    policy-options {
        policy-statement from_blue_to_red {
            term term1 {
                from instance traffic;
                then accept;
            }
        }
    }
    class-of-service {
        forwarding-classes {
            queue 4 web;
            queue 5 mail;
            queue 6 wireless;
            queue 7 others;
        }
        interfaces {
            ge-0/0/6 {
                unit 0 {
                    scheduler-map cos-map;
                    shaping-rate 4m;
                }
            }
        }
        scheduler-maps {
            cos-map {
                forwarding-class web scheduler web-scheduler;
                forwarding-class mail scheduler mail-scheduler;
                forwarding-class wireless scheduler wireless-scheduler;
                forwarding-class others scheduler others-scheduler;
            }
        }
        schedulers {
            web-scheduler {
                transmit-rate 1m;
                buffer-size percent 25;
                priority medium-high;
            }
            mail-scheduler {
                transmit-rate 2m;
                buffer-size percent 50;
                priority high;
            }
            wireless-scheduler {
                transmit-rate {
                    500k;
                    exact;
                }
                buffer-size percent 13;
                priority medium-low;
            }
            others-scheduler {
                transmit-rate {
                    500k;
                    exact;
                }
                buffer-size percent 12;
                priority low;
            }
        }
    }
    security {
        pki;
        ike {
            proposal Wuxi-Office-PSK {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 28800;
            }
            policy Wuxi-Office-Static {
                mode main;
                proposals Wuxi-Office-PSK;
                pre-shared-key ascii-text "$9$mP5Q/Cu01h9CK8Lx-d24aUDkmfQ/9pIEbY"; ## SECRET-DATA
            }
            gateway Wuxi-Office-Gateway {
                ike-policy Wuxi-Office-Static;
                address XXX.XXX.221.50;
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                external-interface ge-0/0/6;
            }
            gateway bangi-office-gateway {
                ike-policy Wuxi-Office-Static;
                address XXX.XXX.29.82;
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                external-interface ge-0/0/6;
            }
        }
        ipsec {
            proposal Wuxi-Office-Client {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy Wuxi-Office-Client {
                proposals Wuxi-Office-Client;
            }
            vpn Wuxi-Office {
                df-bit clear;
                ike {
                    gateway Wuxi-Office-Gateway;
                    no-anti-replay;
                    ipsec-policy Wuxi-Office-Client;
                }
                establish-tunnels immediately;
            }
            vpn bangi-office {
                df-bit clear;
                ike {
                    gateway bangi-office-gateway;
                    no-anti-replay;
                    ipsec-policy Wuxi-Office-Client;
                }
                establish-tunnels immediately;
            }
        }
        address-book {
            global {
                address internal-clients 192.168.0.0/24;
                address a-adm62 192.168.1.20/32;
                address temp01 192.168.1.21/32;
                address temp02 192.168.0.20/32;
                address 192.168.10.0/24 192.168.10.0/24;
                address 192.168.7.0/24 192.168.7.0/24;
                address 192.168.10.20 192.168.10.20/32;
                address DC02 192.168.0.13/32;
                address 192.168.11.0/24 192.168.11.0/24;
                address 192.168.11.20 192.168.11.20/32;
                address bangi-192.168.5.0 192.168.5.0/24;
            }
            trust {
                address trust-client 192.168.1.0/24;
                address trust-client10 192.168.10.20/32;
                attach {
                    zone trust;
                }
            }
        }
        application-firewall {
            rule-sets Testing {
                rule testing {
                    match {
                        dynamic-application junos:163;
                    }
                    then {
                        deny;
                    }
                }
                default-rule {
                    permit;
                }
            }
            rule-sets testing02 {
                rule testing02 {
                    match {
                        dynamic-application junos:2CH;
                    }
                    then {
                        deny;
                    }
                }
                default-rule {
                    permit;
                }
            }
            rule-sets Facebook-Games {
                rule 1 {
                    match {
                        dynamic-application junos:FACEBOOK-FARMVILLE;
                    }
                    then {
                        deny;
                    }
                }
                rule 2 {
                    match {
                        dynamic-application-group junos:gaming;
                    }
                    then {
                        deny;
                    }
                }
                default-rule {
                    permit;
                }
            }
            rule-sets Allow-Web {
                rule 1 {
                    match {
                        dynamic-application-group junos:web;
                    }
                    then {
                        permit;
                    }
                }
                default-rule {
                    deny;
                }
            }
        }
        utm {
            feature-profile {
                anti-virus {
                    kaspersky-lab-engine {
                        profile Etla-Client {
                            fallback-options {
                                default log-and-permit;
                                corrupt-file block;
                                password-file block;
                                decompress-layer block;
                            }
                            scan-options {
                                scan-mode all;
                                content-size-limit 20;
                                decompress-layer-limit 2;
                            }
                        }
                    }
                }
            }
            utm-policy Basic_UTM {
                web-filtering {
                    http-profile junos-wf-enhanced-default;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                pool server {
                    address {
                        XXX.XXX.XX.157/32;
                    }
                }
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool client {
                    address 192.168.0.20/32;
                }
                rule-set remote {
                    from zone untrust;
                    rule remote {
                        match {
                            destination-address XXX.XXX.XX.156/32;
                            destination-port 21;
                        }
                        then {
                            destination-nat pool client;
                        }
                    }
                    rule remote02 {
                        match {
                            destination-address XXX.XXX.XX.156/32;
                            destination-port 3389;
                        }
                        then {
                            destination-nat pool client;
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/6.0 {
                    address {
                        XXX.XXX.XX.156/32;
                        XXX.XXX.XX.157/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy Wuxi-office-Outbound {
                    match {
                        source-address 192.168.11.0/24;
                        destination-address 192.168.7.0/24;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn Wuxi-Office;
                                pair-policy Wuxi-Office-Inbound;
                            }
                        }
                        log {
                            session-close;
                        }
                    }
                }
                policy bangi-outbound {
                    match {
                        source-address 192.168.11.0/24;
                        destination-address bangi-192.168.5.0;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn bangi-office;
                                pair-policy bangi-inbound;
                            }
                        }
                        log {
                            session-close;
                        }
                    }
                }
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone trust to-zone trust {
                policy sunnet0-to-1 {
                    match {
                        source-address [ trust-client 192.168.11.20 ];
                        destination-address internal-clients;
                        application [ junos-smtp junos-imap junos-imaps junos-pop3 junos-telnet junos-dns-udp junos-dns-tcp junos-http junos-https junos-ping ];
                    }
                    then {
                        permit;
                    }
                }
                inactive: policy subnet1-to-others {
                    match {
                        source-address internal-clients;
                        destination-address [ trust-client trust-client10 ];
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy Wuxi-Office-Inbound {
                    match {
                        source-address 192.168.7.0/24;
                        destination-address 192.168.11.0/24;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn Wuxi-Office;
                                pair-policy Wuxi-office-Outbound;
                            }
                        }
                        log {
                            session-close;
                        }
                    }
                }
                policy bangi-inbound {
                    match {
                        source-address bangi-192.168.5.0;
                        destination-address 192.168.11.0/24;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn bangi-office;
                                pair-policy bangi-outbound;
                            }
                        }
                        log {
                            session-close;
                        }
                    }
                }
                policy remote {
                    match {
                        source-address any;
                        destination-address [ a-adm62 temp02 ];
                        application [ etla-remote junos-ftp ];
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            functional-zone management;
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/6.0;
                }
            }
        }
    }
    firewall {
        family inet {
            filter classify {
                term 10 {
                    from {
                        source-address {
                            192.168.0.4/32;
                            192.168.0.10/32;
                            192.168.0.13/32;
                        }
                    }
                    then {
                        forwarding-class mail;
                        accept;
                    }
                }
                term 20 {
                    from {
                        source-address {
                            192.168.0.0/24;
                            192.168.1.0/24;
                        }
                    }
                    then {
                        forwarding-class web;
                        accept;
                    }
                }
                term 30 {
                    from {
                        source-address {
                            192.168.7.0/24;
                            192.168.8.0/24;
                        }
                    }
                    then {
                        forwarding-class wireless;
                        accept;
                    }
                }
                term 40 {
                    then {
                        forwarding-class others;
                        accept;
                    }
                }
            }
            filter limit-user {
                term 10 {
                    from {
                        destination-address {
                            192.168.0.10/32;
                            192.168.0.13/32;
                            192.168.0.4/32;
                            192.168.1.4/32;
                        }
                    }
                    then policer p3M;
                }
                term 20 {
                    from {
                        destination-address {
                            192.168.0.0/24;
                            192.168.1.0/24;
                        }
                    }
                    then policer p1M;
                }
                term else {
                    then policer p500K;
                }
            }
        }
        policer p1M {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 15k;
            }
            then discard;
        }
        policer p3M {
            if-exceeding {
                bandwidth-limit 3m;
                burst-size-limit 15k;
            }
            then discard;
        }
        policer p500K {
            if-exceeding {
                bandwidth-limit 500k;
                burst-size-limit 15k;
            }
            then discard;
        }
    }
    routing-instances {
        traffic {
            instance-type virtual-router;
        }
    }
    applications {
        application etla-remote {
            protocol tcp;
            destination-port 3389;
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

  • 6.  RE: The srx550 VPN connection issue
    Best Answer

    Posted 11-13-2013 02:22

    Hi

     

    I assume source NAT may be the problem. Try to add an exception rule
    to rule-set trust-to-untrust BEFORE the rule source-nat-rule,
    something like: from source-address <internal-net> then source-nat off.
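A concrete form of that exception, as an added example and not the poster's own configuration. The rule name no-nat-to-vpn is an assumption; the subnets are the ones already shown in this thread. The reason the exception has to sit first: Junos source NAT rules are matched top down, and the existing source-nat-rule matches 0.0.0.0/0, so traffic from 192.168.11.0/24 leaving through ge-0/0/6 is translated to the interface address before it enters the tunnel. The post-NAT source no longer falls inside the 192.168.11.0/24 local identity negotiated for the SA (see the ipsec SA detail in the first post), so the peer has no matching selector for it, while the reverse direction from 192.168.7.0/24 is never source-NATed and works.

```junos
## Added example (not from the thread). Exempt VPN-bound traffic from
## interface source NAT and place the exception ahead of source-nat-rule.
[edit security nat source rule-set trust-to-untrust]
set rule no-nat-to-vpn match source-address 192.168.11.0/24
set rule no-nat-to-vpn match destination-address 192.168.7.0/24
set rule no-nat-to-vpn match destination-address 192.168.5.0/24
set rule no-nat-to-vpn then source-nat off
## Order matters: move the exception above the catch-all rule.
insert rule no-nat-to-vpn before rule source-nat-rule
commit

## Resulting rule-set after commit (hypothetical rule name no-nat-to-vpn):
[edit security nat source rule-set trust-to-untrust]
root@FW# show
from zone trust;
to zone untrust;
rule no-nat-to-vpn {
    match {
        source-address 192.168.11.0/24;
        destination-address [ 192.168.7.0/24 192.168.5.0/24 ];
    }
    then {
        source-nat {
            off;
        }
    }
}
rule source-nat-rule {
    match {
        source-address 0.0.0.0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}
```

To confirm the ordering took effect, `show security nat source rule all` should list no-nat-to-vpn before source-nat-rule. After a ping from a PC in 192.168.11.0/24 to 192.168.7.1, `show security flow session destination-prefix 192.168.7.0/24` should show the session with an untranslated 192.168.11.x source, and the encrypted packet counters in `show security ipsec statistics` should increase, which is the check that traffic is now entering the tunnel rather than being NATed past it.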