SRX Services Gateway
Contributor
tsmo
Posts: 17
Registered: 05-06-2010

Unidirectional IPSEC VPN issue


I have the following scenario:

{ LAN } ---> (SRX 3600) ---> { Internet } ---> (remote endpoint) ---> { Remote LAN }

All traffic from LAN to Remote LAN should be NAT'd and transmitted through an IPSec tunnel. I'm pretty sure my configuration is ok, at least it conforms to the application note Policy-Based VPN Configuration and Troubleshooting as well as the output of the VPN configuration tool in the KB. The relevant configuration is attached; sorry I can't supply the public IP addresses involved.

The output of show security ike security-associations is empty, and I am stumped. I have flag all configured under IKE traceoptions, and the kmd log shows:

Aug 13 15:15:24 kmd_sa_cfg_free: Tunnel node for tunnel 0 (SA: 01009-vpn1) not found
Aug 13 15:15:24 Group/Shared IKE ID VPN configured: 0
Aug 13 15:15:24 kmd_diff_config_now, configuration diff complete

I have a suspicion that the NAT requirement/config may have something to do with my problem, but I don't really know how to proceed. Any ideas? Thanks in advance.

Trusted Expert
WL
Posts: 790
Registered: 07-26-2008

Re: Unidirectional IPSEC VPN issue

Hi, can you post the output from:

show security ike security-associations
show security ipsec security-associations

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
tsmo
Posts: 17
Registered: 05-06-2010

Re: Unidirectional IPSEC VPN issue

Thanks for the reply. Here's the output:

admin@srx> show security ike security-associations 

admin@srx> show security ipsec security-associations 
  Total active tunnels: 0

admin@srx>

Trusted Expert
WL
Posts: 790
Registered: 07-26-2008

Re: Unidirectional IPSEC VPN issue

There is no SA built at all. Are you sure the tunnel is up? Looking at your config, I only see a policy for the VPN tunnel in one direction:

from-zone customer-private to-zone public {
    policy 01009-vpn1-out {
        match {
            source-address 01009-cbi1;
            destination-address 01009-vpn1-remote;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn 01009-vpn1;
                }
            }
        }
    }
}

This means that the tunnel should come up when you initiate traffic from customer-private to the public zone. But if you need traffic to be initiated from public to customer-private, it's not going to work.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
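As an added check, not from this thread or from Juniper, the script below parses a Junos security policies stanza in curly-brace form and reports which ipsec-vpn names are permitted by a tunnel policy in only one zone direction, which is what WL spotted by eye above. The sample config is constructed from the stanza quoted in this thread; parse_junos and the other function names are my own.

```python
import re

# Constructed sample: the one-way permit-tunnel stanza quoted in this thread, wrapped in its parents.
SAMPLE_CONFIG = """
security {
    policies {
        from-zone customer-private to-zone public {
            policy 01009-vpn1-out {
                match { source-address 01009-cbi1; destination-address 01009-vpn1-remote; application any; }
                then { permit { tunnel { ipsec-vpn 01009-vpn1; } } }
            }
        }
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map to None."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    def block(i):
        node, words = {}, []
        while i < len(tokens) and tokens[i] != "}":
            tok, i = tokens[i], i + 1
            if tok == "{":
                node[" ".join(words)], i = block(i)  # nested block keyed by its header words
                words = []
            elif tok == ";":
                node[" ".join(words)], words = None, []  # leaf statement
            else:
                words.append(tok)
        return node, i + 1  # step past the closing brace
    return block(0)[0]

def tunnel_policy_directions(config):
    """Map each ipsec-vpn name to the (from-zone, to-zone) pairs whose permit-tunnel policies reference it."""
    dirs = {}
    for ctx, pols in (config.get("security", {}).get("policies") or {}).items():
        zones = re.match(r"from-zone (\S+) to-zone (\S+)$", ctx)
        for name, body in (pols or {}).items():
            if not zones or not name.startswith("policy ") or not body:
                continue
            tunnel = ((body.get("then") or {}).get("permit") or {}).get("tunnel") or {}
            for stmt in tunnel:
                if stmt.startswith("ipsec-vpn "):
                    dirs.setdefault(stmt.split()[1], set()).add(zones.groups())
    return dirs

def unidirectional_vpns(config):  # VPNs with a permit-tunnel policy in only one zone direction
    return sorted(v for v, d in tunnel_policy_directions(config).items()
                  if not any((b, a) in d for a, b in d))
```

Running unidirectional_vpns(parse_junos(SAMPLE_CONFIG)) on the sample returns ['01009-vpn1']; a VPN with a matching policy in both zone pairs would not be listed.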
Contributor
tsmo
Posts: 17
Registered: 05-06-2010

Re: Unidirectional IPSEC VPN issue

Thanks for the response. In this case, traffic is only initiated from zone customer-private to zone public, but I would be very interested to know how a bidirectional IPSEC VPN with NAT should be implemented.

I don't think the tunnel comes up at all. No traffic matching the policy has passed the firewall yet because I need to be sure that this tunnel works before I migrate the private network to the SRX. However, shouldn't the tunnel be established even without traffic with the establish-tunnels immediately directive?

I can't really derive any useful information from the KMD log or the show command output, so I'm at a loss here. The remote endpoint does get repeated IKE connection attempts from the egress interface address, so is it possible that my configuration simply doesn't match that of the remote endpoint?

Trusted Expert
WL
Posts: 790
Registered: 07-26-2008

Re: Unidirectional IPSEC VPN issue

Hi, can you clear the kmd logs and try to send some traffic that will match the policy? From the output, the SA is not up. At least we should be able to see from the kmd logs where the VPN is failing.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
tsmo
Posts: 17
Registered: 05-06-2010

Re: Unidirectional IPSEC VPN issue

The tunnel seems to work after all; it just needed some traffic to pass through it to be established, even though I had establish-tunnels immediately configured. Thanks for your help WL, another big step taken towards moving our full production environment to the Juniper platform!

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.