SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN setup

    Posted 06-10-2011 08:48

    I have an SRX 210 and an SRX 100. The SRX 210 is connected to a cable modem and the SRX 100 is connected off of one of the ports on the SRX 210. I have a VPN setup on the SRX 100 going to our SRX 3400.

     

    If I remove the SRX 210 and just use the SRX 100 and connect it to the cable modem, my VPN comes up just fine and works. However, when it is behind the SRX 210 I get nothing.

     

    Any quick ideas on where or what to look for? I am just trying to test a VPN before I deploy the device. This is a lab setup; I would never chain the two in a production setup. This is more just for validation.



  • 2.  RE: VPN setup

    Posted 06-10-2011 09:00

    Hi

    Is the SRX210 performing NAT? If yes, you will need to use a domain name as the IKE ID, not the IP address as usual. Re-configuration of both ends will be needed.



  • 3.  RE: VPN setup

    Posted 06-10-2011 09:05

    Yes, the SRX 210 is doing NAT and I have that set up already.



  • 4.  RE: VPN setup

    Posted 06-10-2011 21:45

    Can you post the kmd log section that shows the initial connection attempt when the VPN won't come up? Logs from both SRX devices would be nice, as well as the IKE and IPsec policy sections from both devices.

     

    The software version will be helpful as well. I believe NAT-T is enabled by default, at least on 10.x, but it may not be on your release.

     

    Also, just to make sure: the 3400 is not behind a NAT, correct? A VPN with both endpoints behind NAT is currently not supported as far as I know.

     



  • 5.  RE: VPN setup

    Posted 06-12-2011 01:13

    For setups like this you need:

     

    - SRX100 to be configured as "dynamic" on the SRX3400

    - tunnel set to aggressive mode

    - NAT-T enabled on both (but that is indeed the default on SRX)

     

    That should do the trick, but note that you need to enable establish-immediately on the SRX100 so that it will always initiate the VPN, even if there is no traffic. This is needed because the 3400 can't initiate the VPN connection anymore.



  • 6.  RE: VPN setup

    Posted 06-12-2011 18:41

    I am confident that it is not a VPN configuration issue, as if I connect the one SRX directly to the cable modem my VPN works just fine and comes up. It's only when I have it behind another SRX. I am thinking it might be a NAT type issue, or maybe I need a proxy ARP config of some sort, from some additional reading I have done.

     

    I attached a diagram I just created hoping this helps clear up what I am trying to do.



  • 7.  RE: VPN setup

    Posted 06-14-2011 14:21
    What does the NAT configuration look like? Are you just doing a static NAT, passing all traffic to the 100 with no firewall rules? If not, can you try that to see if it is a NAT/firewall rule issue? Also, check the 210 to see if it is grabbing that VPN traffic. It may be trying to terminate on the 210.


  • 8.  RE: VPN setup

    Posted 06-15-2011 10:35

    I just got off the phone with support and they keep insisting this type of configuration should/would never be done, with which I agree. However, my main goal is to test the SRX100 VPN configuration, and my only means of simulating a "home" user in my company is to connect it through an SRX210 which then connects to a residential cable modem which we have here for testing.

     

    Summary:

    1) We have SRX 100 ----- SRX 210 ---- internet ------ SRX (high end).
    2) The route-based tunnel is between the SRX 100 and the high end, and only phase 1 comes up.
    3) The SRX 210 is doing NAT, so we have included the no-nat-traversal option on the SRX 100.
    4) When we bypass the SRX 210, the tunnel comes up fine.

     

    SRX210 NAT Config:

    security {
        nat {
            source {
                rule-set interface-nat {
                    from zone [ trust ];
                    to zone untrust;
                    rule rule1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
    }

     
    SRX100 NAT Config:

    security {
        nat {
            source {
                rule-set workUntrust {
                    from zone work;
                    to zone untrust;
                    rule PCNat {
                        match {
                            source-address 192.168.10.251/32;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
    }

     



  • 9.  RE: VPN setup

    Posted 06-15-2011 10:55

    More important, what does the VPN configuration look like?

     

    It's not because the VPN works when attached directly to the internet (with a public IP) that it will work behind NAT. An SRX behind another NAT device is quite common for home users; we have lots of them. But you need to configure the VPNs with the parameters mentioned earlier.



  • 10.  RE: VPN setup

    Posted 06-15-2011 11:07

    SRX 110 VPN config (I added no-nat-traversal in this situation, when connected through a NATed device):

    security {
        ike {
            proposal P1VOIP {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 28800;
            }
            policy ike221-SRX_FieldSRX_VoIP {
                mode aggressive;
                proposals P1VOIP;
                pre-shared-key ascii-text "$9$yWWleW7-Vwgo-dTzFnCAWLXxVwoaUH.PX7P5F3tpM8L7-dGDikP5jiApu0IRVwsgZUq.5zn/q.fzn/tp8Xx7-wGDiq.5ZGqfTz6/Aq0O1hleWLX-fKGD"; ## SECRET-DATA
            }
            gateway vpn221-SRX_FieldSRX_VoIP {
                ike-policy ike221-SRX_FieldSRX_VoIP;
                address xx.xx.xx.xx;
                no-nat-traversal;
                nat-keepalive 5;
                local-identity hostname Test;
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            proposal P2VOIP {
                description group2;
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy ipsec221-SRX_FieldSRX_VoIP {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals P2VOIP;
            }
            vpn vpn221-SRX_FieldSRX_VoIP {
                bind-interface st0.0;
                df-bit clear;
                vpn-monitor {
                    optimized;
                }
                ike {
                    gateway vpn221-SRX_FieldSRX_VoIP;
                    no-anti-replay;
                    proxy-identity {
                        local 0.0.0.0/32;
                        remote xx.xx.xx.xx/32;
                        service any;
                    }
                    ipsec-policy ipsec221-SRX_FieldSRX_VoIP;
                }
                establish-tunnels immediately;
            }
        }
    }

     



  • 11.  RE: VPN setup

    Posted 06-15-2011 11:08

    In the code above the xx.xx.xx.xx is the IP address of the remote side for the VPN.



  • 12.  RE: VPN setup

    Posted 06-15-2011 11:16

    Why did you include no-nat-traversal in the VPN gateway config? You should DELETE it.

    NAT-T must be enabled in this setup for it to work!



  • 13.  RE: VPN setup

    Posted 06-15-2011 11:21

    Support told me it had to be in there since the VPN creation is on a device connected to a device that is connected to a cable modem/internet. Either way there or removed it does not work.



  • 14.  RE: VPN setup

    Posted 06-15-2011 12:31

    If you are behind NAT, do not use that command that disables NAT-T (this applies on both ends).

     

    I assume that your phase 2 doesn't come up because of non-matching proxy-IDs. Why are you using 0.0.0.0 - xx.xx.xx.xx - any? Is it set symmetrically on the other end? Proxy-IDs are all zeros by default for route-based VPNs and they match by default, so please delete the "proxy-id" configuration on both ends and try again.

     

    Please tell me the result.

     



  • 15.  RE: VPN setup

    Posted 06-15-2011 12:43

    I have removed the proxy-id section from both sides; however, when I remove the NAT command my phase 1 never comes up. As soon as I put the no-nat-traversal back in, phase 1 comes back up.



  • 16.  RE: VPN setup

    Posted 06-15-2011 12:46

    Wow... Can you show me the output of "show sec ike security-associations" from both ends when phase 1 comes up? I want to see the ports that are being used.



  • 17.  RE: VPN setup

    Posted 06-15-2011 13:00

    Everywhere in the code sections below, xx.xx.xx.xx is the same IP address, that of our VPN endpoint on the high end SRX.

     

    from the SRX100

    root@SRX100> show security ike security-associations detail
    IKE peer xx.xx.xx.xx, Index 1,
      Role: Initiator, State: UP
      Initiator cookie: 2e0dd31285632209, Responder cookie: bdff73304f4989d9
      Exchange type: Aggressive, Authentication method: Pre-shared-keys
      Local: 192.168.253.110:500, Remote: xx.xx.xx.xx:500
      Lifetime: Expires in 28731 seconds
      Algorithms:
       Authentication        : sha1
       Encryption            : aes-cbc (128 bits)
       Pseudo random function: hmac-sha1
      Traffic statistics:
       Input  bytes  :                  372
       Output bytes  :                 2186
       Input  packets:                    1
       Output packets:                    7
      Flags: Caller notification sent, Waiting for done
      IPSec security associations: 0 created, 0 deleted
      Phase 2 negotiations in progress: 1
    
        Negotiation type: Quick mode, Role: Initiator, Message ID: 2084390421
        Local: 192.168.253.110:500, Remote: xx.xx.xx.xx:500
        Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
        Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

     

    and a security flow session on the SRX 100

    root@SRX100> show security flow session destination-prefix xx.xx.xx.xx
    Session ID: 271, Policy name: self-traffic-policy/1, Timeout: 40, Valid
      In: 192.168.253.110/500 --> xx.xx.xx.xx/500;udp, If: .local..0, Pkts: 6, Bytes: 2256
      Out: xx.xx.xx.xx/500 --> 192.168.253.110/500;udp, If: fe-0/0/0.0, Pkts: 0, Bytes: 0
    Total sessions: 1

     

     

    and a security flow session on the SRX 210

    root@SRX210> show security flow session destination-prefix xx.xx.xx.xx
    Session ID: 32397, Policy name: default-permit/5, Timeout: 44, Valid
      In: 192.168.253.110/500 --> xx.xx.xx.xx/500;udp, If: vlan.0, Pkts: 6, Bytes: 2256
      Out: xx.xx.xx.xx/500 --> 24.158.15.70/25343;udp, If: fe-0/0/7.0, Pkts: 0, Bytes: 0
    Total sessions: 1

     

     



  • 18.  RE: VPN setup
    Best Answer

    Posted 06-15-2011 13:07

    It's strange to me that when you enable no-nat-t it works, and without it it doesn't (I mean phase 1).

    Are you sure that on SRX3000 "no-nat-traversal" is not enabled?



  • 19.  RE: VPN setup

    Posted 06-15-2011 13:13

    I am pounding my head on the keyboard as I type... I removed the no-nat-traversal from the SRX100 and went back to the high end SRX, and YOU WERE RIGHT, it was there as well. I deactivated it and BINGO, the VPN is up.

     

    Thank you for your time, I appreciate it.