SRX Services Gateway
Contributor
kullnd
Posts: 28
Registered: ‎06-30-2010

Re: VPN is still not working --- SRX to ASA

Thank you for the response --- I am still having issues after making the above changes, and am currently working with JTAC, who, despite all of the bad things I've seen here about support, I have been very impressed with on this issue... The biggest thing slowing me down now is being in communication with the guys on the other side of this tunnel.

I will post all of the findings / fixes that I make inside of this thread once I have the tunnel up and running.


Contributor
kullnd
Posts: 28
Registered: ‎06-30-2010

Re: VPN is still not working --- SRX to ASA

The problem has been resolved --- there are a couple of not-so-obvious issues that I ran into while setting this up, and hopefully I can save someone some bang-head-against-wall moments by posting my working configuration as well as an overview of what was wrong.


First, the obvious, make sure your policies are in the right order, as noted by


SomeITGuy noted that I needed to use my vlan interface; for whatever reason I thought I had tried that already and it would not let me, but I must not have done it correctly because that did work... Further on that note, there is no issue with running IPSEC VPN over a group of interfaces configured with family ethernet-switching.


Here is a big killer that had me screwed all along:


You can NOT combine multiple subnets into the same policy for an IPSEC-VPN policy... This is something that Junos will let you do, it will pass commit checks, but it does not work, at all. While I understand why this is failing, as proxy-addresses are pulled from this, it would be REALLY NICE if Junos was able to handle this a bit better...

In my case, I had the following problem:

I had 3 IP addresses on MY SIDE (ex. 10.1.1.100 - 10.1.1.102) that needed to be allowed on this VPN policy; on the other side I had a total of NINE addresses that needed to be allowed (10.2.1.21 - 10.2.1.25 and 10.3.1.241 - 244), and there were no clean-cut subnets available for this. The remote site was NOT able to allow me access to the subnet(s) that could be generated to allow me to access all of those addresses... For this tunnel I HAVE to use /32 addresses.

I was able on my side to allow access to the subnet of 10.1.1.96/29 because I do not have any other equipment that falls into that subnet range... Doing this enabled me to save A LOT of work, because for each combination of addresses that you have (remote and local) you have to create a whole new policy. Because I was able to combine mine into a subnet this saved me a TON of work, and I was able to get this VPN tunnel up with only 9 policies.... (which is really stupid crazy compared to what I'm used to with cisco, sorry, have to point that out)

So, I created an address book entry in my trust zone for that subnet 10.1.1.96/29 called Local-10_1_1_96-29

Then I created 9 address book entries for all of the /32 addresses on the remote side using the same type of naming

Then I created 9 policies which all look something like this: (had I not used a subnet on my side, this would be 27 policies!!!)

from-zone trust to-zone untrust {
    policy ARIS-1 {
        match {
            source-address Local-10_1_1_96-29;
            destination-address remote_10_1_1_21-32;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn remote;
                }
            }
        }
    }
}


Once the other side was changed in their configuration to use my local /29 subnet, everything started working.

I have a lot of VPNs here that are provided for VENDOR SUPPORT, and these vendors typically have access to only very specific IPs on my network... This is NOT uncommon in my configuration; I don't actually have a single Site to Site VPN setup that allows access to a large subnet... THIS IS A PAIN IN THE A** and I am not looking forward to moving the rest of my VPN tunnels off of Cisco equipment. It would be great to see this made just a little bit easier. JUNOS will allow you to make the policy statement read something like "source-address [ address-1-32 address-2-32 ]". Why the hell can't it figure out that those are all separate and just deal with it, rather than making me put in 9 policies for 1 VPN tunnel, which makes looking at my configuration a complete mess?

Contributor
kullnd
Posts: 28
Registered: ‎06-30-2010

Re: VPN is still not working --- SRX to ASA

One more thing, the person I worked with at JTAC was awesome, it was truly a pleasure to work with her on this case and I appreciate everything that she did to help me out. I learned a lot working with her as she was always willing to explain what I did not understand coming from a cisco world. I, personally, am very happy with my service from JTAC. I just wanted to say that since I kind of ranted a bit above. :smileyhappy:

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: VPN is still not working --- SRX to ASA

This was posted on this other post. But I think worth repeating.


Mainly, the restriction of having to use multiple security policies for each proxy-id pair is needed when we need to interop with other vendors that do not have an option equivalent to Juniper route-based VPN. Actually, for Juniper to Juniper VPNs it is extremely simple to have any number of subnets on each side of a LAN-to-LAN VPN with route-based VPN. And with the route-based approach we only use a single SA pair for however many subnet pairs are needed. This approach uses far less SA resources than having to break each subnet pair into unique SAs. So for instance, if there were 3 subnets on one LAN and 4 subnets on the other LAN, that would mean 12 unique subnet pairs and hence 12 SAs on the VPN device. Route-based by comparison would need only 1 SA to do the same.

Having said that, I do understand that we cannot assume that we are always building tunnels between Juniper devices. We do actually have a VPN Configurator tool accessible from our KnowledgeBase site. With this tool you can select policy-based and actually add however many subnets you need on each side of the tunnel. The VPN configurator would output complete VPN configs including ALL policies needed to accomplish the task. You would just need to copy and paste the configs on your device.

Here is the link to the VPN Configurator tool.
https://www.juniper.net/customers/support/configtools/vpnconfig.html

The below link also is useful for other configuration and/or troubleshooting of VPNs on JUNOS devices.
http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_SRX_VPN_Config_or_Trblsh.htm

Hope this helps.
-Richard
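To make the n*m proxy-ID rule concrete (kullnd's 1 x 9 = 9 policies, or 3 x 9 = 27 without the /29; Richard's 3 x 4 = 12 subnet pairs), here is an added generator that emits the address-book entries and one tunnel policy per local/remote pair as Junos `set` commands. It is example code written for this thread, not the VPN Configurator's output or anyone's posted configuration; the `ARIS`/`remote` names and the zone-level address-book syntax of that era's Junos are assumptions, and the naming follows the style used above.

```python
# Added example: expand a policy-based SRX VPN into its n*m per-proxy-ID policies.
# Not from the thread or from Juniper's configurator; names and syntax are assumed.
import ipaddress
from itertools import product

def addr_name(prefix, side):
    """Address-book name in the thread's style, e.g. Local-10_1_1_96-29."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"{side}-{str(net.network_address).replace('.', '_')}-{net.prefixlen}"

def proxy_id_pairs(local, remote):
    """Every (local, remote) combination: each one is a separate policy and Phase 2 SA."""
    return list(product(local, remote))

def address_book(zone, prefixes, side):
    """'set' commands for one zone's address book (zone-level address-book syntax)."""
    return [
        f"set security zones security-zone {zone} address-book address "
        f"{addr_name(p, side)} {ipaddress.ip_network(p, strict=False).with_prefixlen}"
        for p in prefixes
    ]

def policies(local, remote, vpn, name="VPN", from_zone="trust", to_zone="untrust"):
    """One tunnel policy per proxy-ID pair, numbered name-1 .. name-(n*m)."""
    base = f"set security policies from-zone {from_zone} to-zone {to_zone} policy"
    out = []
    for i, (src, dst) in enumerate(proxy_id_pairs(local, remote), start=1):
        p = f"{base} {name}-{i}"
        out += [
            f"{p} match source-address {addr_name(src, 'Local')}",
            f"{p} match destination-address {addr_name(dst, 'remote')}",
            f"{p} match application any",
            f"{p} then permit tunnel ipsec-vpn {vpn}",
        ]
    return out

if __name__ == "__main__":
    # Constructed inputs mirroring the thread: one local /29 versus nine remote /32s.
    local = ["10.1.1.96/29"]
    remote = [f"10.2.1.{h}/32" for h in range(21, 26)] + \
             [f"10.3.1.{h}/32" for h in range(241, 245)]
    print("\n".join(address_book("trust", local, "Local")))
    print("\n".join(address_book("untrust", remote, "remote")))
    print("\n".join(policies(local, remote, vpn="remote", name="ARIS")))
    print(f"# {len(proxy_id_pairs(local, remote))} policies for this one tunnel")
```

Swap the single /29 for three /32 locals and the policy count jumps to 27, which is the configuration growth the thread is complaining about.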

Distinguished Expert
spuluka
Posts: 2,232
Registered: ‎03-30-2009

Re: VPN is still not working --- SRX to ASA

I understand what you are saying but this is really a user interface issue and not a technical one.


If you use policy VPN on other vendors like Sonicwall or Cisco, they provide a single user interface location to automatically create and associate the multiple tunnels that are required for operation. There are multiple tunnel connections being created; they are just simplifying the user interface to get there.


When you look at the tunnel status and other areas of their interface you do see them as the actual separate tunnels that they are.  But they organize it to make the configuration easier and the review of the configuration easier.


And they also only count unique gateways towards your licensed number of IPsec VPN tunnels. So even if you are creating three of these segment tunnels, your license count for VPN tunnels only gets decremented by one.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor
kullnd
Posts: 28
Registered: ‎06-30-2010

Re: VPN is still not working --- SRX to ASA

Agreed --- I realize that there are scripts and the configuration tool that I can use --- the biggest issue now is that with all of the tunnels I have like this, my configuration file is becoming a monster that is very difficult to look at, audit, and troubleshoot... It's HUGE.... And for the most part we HAVE to assume that we are not linking to any other Juniper equipment, because frankly the market share for Juniper equipment is not anywhere close to what Cisco has. It's nice that if I was connecting to Juniper on both sides it's easier; it's just not today's reality, as I am the FIRST person that I know directly that has started using Juniper equipment, and I had to fight hard to make that happen, citing along with other things that I liked the way the configuration was laid out; it seemed to make more sense than cisco's flat layouts... This process of connecting to multiple vendors has to be simplified... All of the other vendors I have worked with have figured out how to make policy VPNs work with 1 combined policy, and can figure out that if you have separate subnets (or IPs with /32) they need to adjust the Proxy IDs accordingly so that Phase 2 doesn't vomit.


I also agree with the poster that it is slightly crazy that what I consider to be 1 VPN tunnel is counting as 9 on the device.


Visitor
gagoo
Posts: 1
Registered: ‎08-02-2010

Re: VPN is still not working --- SRX to ASA

There is another approach you could use which might simplify your life. I've had exactly this problem building an IPSEC VPN between a Cisco 876 and an SRX210, with multiple subnets in unrelated address spaces on the SRX side.


I solved it by building a GRE tunnel and then stuffing that into the IPSEC VPN tunnel. Clearly this involves encapsulation overheads, but it works very well since all the IPSEC tunnel sees are the end-point IP addresses of the GRE tunnel. These remain constant no matter what traffic you stuff through it and which subnets are involved at either end; that's all controlled by directing whatever traffic you want into the GRE tunnel.

Contributor
Steffen
Posts: 74
Registered: ‎04-03-2008

Re: VPN is still not working --- SRX to ASA

Hello Kullnd,

First of all: Thanks! You helped me out of a lot of trouble. I had the same issue and was absolutely stuck.

Second: I agree with your opinion that this behavior is an absolute no-go. All major vendors of VPN equipment can handle policies with multiple subnetworks on each side and can create the n*m SAs from it.

A tool like the Juniper Configurator which generates the permuted policies will help to create the configuration, but that configuration cannot be handled afterwards. It will get much too big to change or debug.


The configuration must stay as simple as possible, not only at creation time but also afterwards. For other vendors this seems not to be a problem, so why for Juniper?

Using GRE tunnels for each VPN, as Gagoo suggests, will add unnecessary complexity and sources of errors.

Furthermore it will waste a lot of bandwidth and/or slow connections down. For small packets, as in interactive communication, imagine the overhead produced by PPPoE header + IPsec header + GRE header.


Route-based VPNs are nice if you have only Juniper boxes, but like you we have lots of VPNs to other vendors.

We are evaluating Juniper SRX to substitute a 100+ location VPN currently run with Lucent Bricks - Alcatel-Lucent will stop selling them :-( - but if Juniper will not add better VPN-policy handling ...

- Steffen

Visitor
rcintron
Posts: 2
Registered: ‎08-17-2010

Re: VPN is still not working --- SRX to ASA

Hi, I'm trying to configure a VPN tunnel between an ASA and an SRX240. I was wondering if you could post your working config.

Contributor
kullnd
Posts: 28
Registered: ‎06-30-2010

Re: VPN is still not working --- SRX to ASA

VPN configurations can vary greatly depending on what exactly you're trying to do --- What I would recommend is using the configuration tool at https://www.juniper.net/customers/support/configtools/vpnconfig.html , and make sure you use a Policy VPN config, as the Routed VPN only works between Juniper devices (that I'm aware of).


If you can't get it up after that point, posting your config will allow us to view it and let you know what we see wrong. I promise you this will be much easier than you trying to pick my configs apart, and it will take less time on my side as well, as pulling the config and filtering out my internal information takes time.


Nate


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.