Contributor
zas71

VPN SSG-to-SRX when SSG has dynamic IP

Does anyone have working configuration for such scenario ?

The SSG end works with NetScreen/ISG/SSG with no problem, but the SRX240 fails to recognize the SSG, with this message:

Mar 15 17:26:10 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=srx.ip.addr.ess) p1_remote=ipv4(udp:500,[0..3]=ssg.ip.addr.ess)

 

ipsec VPN configuration of SRX end is this:

router# show configuration security ike
policy ike_ER1 {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "secret"; ## SECRET-DATA
}
gateway ike_ER1 {
    ike-policy ike_ER1;
    dynamic user-at-hostname "junos@test";
    external-interface ge-0/0/10.0;
}

router# show configuration security ipsec
policy std_vpn_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}
vpn vpn1 {
    bind-interface st0.0;
    vpn-monitor {
        source-interface st0.0;
        destination-ip 10.x.x.x;
    }
    ike {
        gateway ike_ER1;
        ipsec-policy std_vpn_policy;
    }
}

Does anyone know what is wrong with it ?

Is there any magical statement missing ?

Again, I've no problem configuring VPN in following configurations:

SSG(static ip)  to SRX (static ip) in main and in aggressive modes

SRX (dynamic ip) to SSG (static ip) in aggressive mode (specifying 'local-identity' in the gateway).

What doesn't work is connection from SSG to SRX.

Thanks in advance,

/zas

Juniper Employee
igort

Re: VPN SSG-to-SRX when SSG has dynamic IP

Hi Zas,

Can you provide the SSG config? This is working fine for me.

Did you try to use an FQDN instead of an email? Also note that the "standard" proposal-set on the SRX and SSG is not the same (this will be changed on the SRX side in the next releases); it is better to use a custom proposal matching on both sides.

Regards,

Igor

Contributor
zas71

Re: VPN SSG-to-SRX when SSG has dynamic IP

I look stupid now...

Everything works; the statement local-id "junos@test" was missing in the gateway setup on the SSG end. Sorry for bringing attention.

Contributor
layard

Re: VPN SSG-to-SRX when SSG has dynamic IP

Can you provide me the config? I'm trying to configure the same scenario with ScreenOS version 5.4 r06 but it doesn't work for me (SRX static IP and SSG dynamic IP address).

LT
Contributor
zas71

Re: VPN SSG-to-SRX when SSG has dynamic IP

security {
 zones {
  security-zone untrust {
   interfaces {
    ge-0/0/10.0 {
     host-inbound-traffic {
      system-services {
       ike;
       ping;
      }
     }
    }
   }
  }
 }
}


security {
 ike {
  policy ike_ER1-TOR_e2_via_ge-0-0-10-0 {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "rrr"; ## SECRET-DATA
  }

  gateway ike_ER1-TOR_e2_via_ge-0-0-10-0 {
    ike-policy ike_ER1-TOR_e2_via_ge-0-0-10-0;
    dynamic user-at-hostname "screenos@localid";
    external-interface ge-0/0/10.0;
  }
 }
}

security {
 ipsec {
  policy std_vpn_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
  }

  vpn ER1-TOR_e2_via_ge-0-0-10-0 {
    bind-interface st0.0;
    vpn-monitor {
        source-interface st0.0;
        destination-ip x.x.x.x;   # x.x.x.x is IP on screenos tunnel interface
    }
    ike {
        gateway ike_ER1-TOR_e2_via_ge-0-0-10-0;
        ipsec-policy std_vpn_policy;
    }
  }
 }
}

It should be enough to configure the SRX end.

Contributor
layard

Re: VPN SSG-to-SRX when SSG has dynamic IP

I have exactly the same; the only difference is that I block ping traffic on my external interface (untrust), but I permit IKE.

I don't have the vpn monitor either. Can you share your SSG configuration? I'm getting this error on the SSG (after a long time without any IKE message in the events log):

Retransmission limit has been reached.

I appreciate your help.

LT
Contributor
zas71

Re: VPN SSG-to-SRX when SSG has dynamic IP

SSG side is this:

set interface "tunnel.11" zone "Untrust"
set interface tunnel.11 ip x.x.x.x/16

set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" address y.y.y.y Aggr local-id "screenos@localid" outgoing-interface "ethernet2" preshare "rrr" sec-level standard
set ike gateway  "ER2-TOR_ge-0-0-10-0_via_e2" nat-traversal
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" nat-traversal udp-checksum
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" nat-traversal keepalive-frequency 5
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" heartbeat hello 15
set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" heartbeat reconnect 60

set vpn "ER2-TOR_ge-0-0-10-0_via_e2" gateway "ER2-TOR_ge-0-0-10-0_via_e2" no-replay tunnel idletime 0 sec-level standard
set vpn "ER2-TOR_ge-0-0-10-0_via_e2" monitor rekey
set vpn "ER2-TOR_ge-0-0-10-0_via_e2" bind interface tunnel.11

and you should be able to make your routing across the tunnel.
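The root cause in this thread is an IKE identity mismatch: the SRX dynamic gateway expects a user-at-hostname ID, while an SSG without local-id identifies itself by its (dynamic) IP address, so the SRX logs KMD_PM_P1_POLICY_LOOKUP_FAILURE as responder. The script below is an added example, not code from the thread or from Juniper; it cross-checks an SRX `security ike` stanza against the SSG `set ike gateway` lines (both constructed here from the configs posted above) and also parses the KMD failure line so the peer address and role can be pulled out of a syslog feed. The parsers only understand the few keywords used in this thread (mode, dynamic ID, local-id, Aggr/Main, nat-traversal); the type hint based on "@" in the local-id is a simplification.

```python
import re

# Constructed samples: the SRX and SSG fragments posted in this thread (placeholder IPs kept).
SRX_IKE_CONFIG = """
policy ike_ER1-TOR_e2_via_ge-0-0-10-0 {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "rrr"; ## SECRET-DATA
}
gateway ike_ER1-TOR_e2_via_ge-0-0-10-0 {
    ike-policy ike_ER1-TOR_e2_via_ge-0-0-10-0;
    dynamic user-at-hostname "screenos@localid";
    external-interface ge-0/0/10.0;
}
"""
SSG_CONFIG_OK = ('set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" address y.y.y.y Aggr '
                 'local-id "screenos@localid" outgoing-interface "ethernet2" preshare "rrr" sec-level standard\n'
                 'set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" nat-traversal\n')
# Same gateway as first posted in the thread: no local-id, which is what broke Phase 1.
SSG_CONFIG_MISSING = ('set ike gateway "ER2-TOR_ge-0-0-10-0_via_e2" address y.y.y.y Aggr '
                      'outgoing-interface "ethernet2" preshare "rrr" sec-level standard\n')
KMD_LOG = ("Mar 15 17:26:10 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for "
           "p1_local=ipv4(any:0,[0..3]=srx.ip.addr.ess) p1_remote=ipv4(udp:500,[0..3]=ssg.ip.addr.ess)")


def parse_srx_ike(config):
    """Return ({policy_name: mode}, {gateway_name: {policy, id_type, id_value}}) from a Junos ike stanza."""
    policies = {}
    for name, body in re.findall(r'(?<![\w-])policy\s+(\S+)\s*\{(.*?)\}', config, re.S):
        m = re.search(r'\bmode\s+(\w+)\s*;', body)
        policies[name] = m.group(1) if m else 'main'      # Junos defaults to main mode
    gateways = {}
    for name, body in re.findall(r'\bgateway\s+(\S+)\s*\{(.*?)\}', config, re.S):
        pol = re.search(r'\bike-policy\s+([^\s;]+)\s*;', body)
        dyn = re.search(r'\bdynamic\s+(\S+)\s+"?([^";]+)"?\s*;', body)
        gateways[name] = {'policy': pol.group(1) if pol else None,
                          'id_type': dyn.group(1) if dyn else None,   # e.g. user-at-hostname
                          'id_value': dyn.group(2) if dyn else None}
    return policies, gateways


def parse_ssg_ike(config):
    """Return {gateway_name: {mode, local_id, nat_t}} from ScreenOS 'set ike gateway' lines."""
    gateways = {}
    for line in config.splitlines():
        m = re.match(r'\s*set ike gateway\s+"([^"]+)"\s*(.*)$', line)
        if not m:
            continue
        name, rest = m.groups()
        gw = gateways.setdefault(name, {'mode': None, 'local_id': None, 'nat_t': False})
        if re.search(r'\bAggr\b', rest):
            gw['mode'] = 'aggressive'
        elif re.search(r'\bMain\b', rest):
            gw['mode'] = 'main'
        lid = re.search(r'\blocal-id\s+"([^"]+)"', rest)
        if lid:
            gw['local_id'] = lid.group(1)
        if rest.startswith('nat-traversal'):
            gw['nat_t'] = True
    return gateways


def check_identity(srx_config, ssg_config):
    """Cross-check each SRX dynamic gateway against the SSG gateway(s); return a list of findings (empty = OK)."""
    policies, srx_gws = parse_srx_ike(srx_config)
    findings = []
    for srx_name, srx in srx_gws.items():
        if srx['id_type'] is None:
            continue                                      # static peer: identity is the IP, nothing to compare
        srx_mode = policies.get(srx['policy'], 'main')
        for ssg_name, ssg in parse_ssg_ike(ssg_config).items():
            if srx_mode == 'aggressive' and ssg['mode'] != 'aggressive':
                findings.append(f'{ssg_name}: SRX policy is aggressive but SSG gateway is {ssg["mode"] or "main"}')
            if ssg['local_id'] is None:
                findings.append(f'{ssg_name}: no local-id, so the SSG identifies itself by IP; '
                                f'SRX gateway {srx_name} expects {srx["id_type"]} "{srx["id_value"]}"')
                continue
            if ssg['local_id'] != srx['id_value']:
                findings.append(f'{ssg_name}: local-id "{ssg["local_id"]}" != SRX {srx["id_type"]} "{srx["id_value"]}"')
            # Simplified type hint: an ID containing "@" is user-at-hostname, anything else is treated as hostname.
            hinted = 'user-at-hostname' if '@' in ssg['local_id'] else 'hostname'
            if hinted != srx['id_type']:
                findings.append(f'{ssg_name}: local-id looks like {hinted} but SRX expects {srx["id_type"]}')
    return findings


KMD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+KMD_PM_P1_POLICY_LOOKUP_FAILURE:.*?\[(?P<role>\w+)\].*?'
    r'p1_local=ipv4\((?P<lproto>[^:]+):(?P<lport>\d+),\[0\.\.3\]=(?P<local>[^)]+)\)\s+'
    r'p1_remote=ipv4\((?P<rproto>[^:]+):(?P<rport>\d+),\[0\.\.3\]=(?P<remote>[^)]+)\)')


def parse_kmd_failure(line):
    """Pull timestamp, role and both endpoints out of a KMD_PM_P1_POLICY_LOOKUP_FAILURE line (None if no match)."""
    m = KMD_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['lport'], d['rport'] = int(d['lport']), int(d['rport'])
    return d


if __name__ == '__main__':
    for label, cfg in (('SSG without local-id', SSG_CONFIG_MISSING), ('SSG with local-id', SSG_CONFIG_OK)):
        print(label, '->', check_identity(SRX_IKE_CONFIG, cfg) or ['OK: identities and mode match'])
    print(parse_kmd_failure(KMD_LOG))
```

Run as-is: the first check reports the missing local-id exactly as in the original post, the second comes back clean, and the log parser yields the remote peer address and the "responder" role, which is the field to alert on when a dynamic-IP peer stops matching its gateway.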

Contributor
layard

Re: VPN SSG-to-SRX when SSG has dynamic IP

Which firmware does your SSG have? I have an SSG5 with 5.4r06; I have the same configuration without the NAT-T configuration.

I suppose that the tunnel should come up before configuring any routes.

Regards

LT