SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Why is the SRX using NAT-T for the IPSEC?

    Posted 01-26-2016 04:02

    Recently I did changes on one of our SRX devices which introduced the need of NAT-T enabled on other devices.

    I don't get why this is needed with the new configuration.

    Let me explain 😃

    Source NAT has changed from:

    "from zone Local_Office zone Users to Untrust"

    To

    set security nat source rule-set SNAT_use_interface from routing-instance default
    set security nat source rule-set SNAT_use_interface to zone Untrust
    set security nat source rule-set SNAT_use_interface rule snat_on_interface match source-address 0.0.0.0/0
    set security nat source rule-set SNAT_use_interface rule snat_on_interface match destination-address 0.0.0.0/0
    set security nat source rule-set SNAT_use_interface rule snat_on_interface then source-nat interface

    After this change NAT-T was needed for the following IPSEC:

    set security ike proposal ike-proposal-company-hq authentication-method pre-shared-keys
    set security ike proposal ike-proposal-company-hq dh-group group5
    set security ike proposal ike-proposal-company-hq authentication-algorithm sha1
    set security ike proposal ike-proposal-company-hq encryption-algorithm aes-256-cbc
    set security ike proposal ike-proposal-company-hq lifetime-seconds 28800
    set security ike policy ike-policy-Local_Office mode main
    set security ike policy ike-policy-Local_Office proposals ike-proposal-company-hq
    set security ike policy ike-policy-Local_Office pre-shared-key ascii-text "XXX"
    set security ike gateway remoteoffice ike-policy ike-policy-Local_Office
    set security ike gateway remoteoffice address 10.1.1.1
    set security ike gateway remoteoffice external-interface reth5.0
    set security ipsec proposal ipsec-proposal-company-hq protocol esp
    set security ipsec proposal ipsec-proposal-company-hq authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-proposal-company-hq encryption-algorithm aes-256-cbc
    set security ipsec proposal ipsec-proposal-company-hq lifetime-seconds 3600
    set security ipsec policy ipsec-policy-Local_Office perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-policy-Local_Office proposals ipsec-proposal-company-hq
    set security ipsec vpn remoteoffice-ipsec-vpn bind-interface st0.1
    set security ipsec vpn remoteoffice-ipsec-vpn ike gateway remoteoffice
    set security ipsec vpn remoteoffice-ipsec-vpn ike ipsec-policy ipsec-policy-Local_Office
    set interfaces st0 unit 1 family inet mtu 1500
    set interfaces st0 unit 1 family inet address 172.31.3.90/29
    set security zones security-zone Local_Office interfaces st0.1

    Where reth5.0 is Untrust.

    If I don't enable NAT-T on the remote device, the SRX logs:

    [Jan 25 11:01:22]<none>:500 (Initiator) <-> 10.1.1.1:500 { 97d97d5d d3375535 - 33591868 346af7ff [0] / 0x65c29767 } QM; Error = Timeout (8197)
    [Jan 25 11:01:22]ike_send_notify: Private notification, do not send notification
    [Jan 25 11:01:22]ike_delete_negotiation: Start, SA = { 97d97d5d d3375535 - 33591868 346af7ff}, nego = 0
    [Jan 25 11:01:22]ike_free_negotiation_qm: Start, nego = 0
    [Jan 25 11:01:22]ike_free_negotiation: Start, nego = 0
    [Jan 25 11:01:22]ike_free_id_payload: Start, id type = 4
    [Jan 25 11:01:22]ike_free_id_payload: Start, id type = 4
    [Jan 25 11:01:22]  IKEv1 Error : Timeout

    The only thing I can think of is that the SRX SNAT rule has changed the behavior so the st0.1 that is bound to the Local_Office zone is getting SNATed in the negotiating process.

    Maybe some SRX guru has a good idea what the SRX is doing with this traffic that is causing it to use NAT-T instead?

    Thanks in advance

    Robert


  • 2.  RE: Why is the SRX using NAT-T for the IPSEC?

    Posted 01-26-2016 11:47

    Hi

    The NAT rule that you created,

    set security nat source rule-set SNAT_use_interface from routing-instance default
    set security nat source rule-set SNAT_use_interface to zone Untrust

    is very general; I suspect it also applies to the locally generated IKE traffic. This makes the SRX change (due to PAT) the default IKE port 500 of the outgoing IKE session. (Not sure if the IP changes as well in your setup.) The other device will ignore such packets if NAT-T is not enabled on it.

    You can check the "show security flow session destination-port 500" command at the time of IKE re-negotiation to see what really happens to the port.


  • 3.  RE: Why is the SRX using NAT-T for the IPSEC?

    Posted 02-04-2016 07:57

    I have been digging a bit deeper into this but I'm not there yet....

    This fixes it, but it's a wide rule that I don't like....

    set security nat source rule-set SNAT_use_interface from routing-instance default
    set security nat source rule-set SNAT_use_interface to zone CORE_Internet_WAN
    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec match source-address 0.0.0.0/0
    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec match destination-address 172.31.3.105/32 <-- st interface at destination
    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec match destination-address <remote-gw>/32
    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec then source-nat off
    set security nat source rule-set SNAT_use_interface rule snat_on_interface match source-address 0.0.0.0/0
    set security nat source rule-set SNAT_use_interface rule snat_on_interface match destination-address 0.0.0.0/0
    set security nat source rule-set SNAT_use_interface rule snat_on_interface then source-nat interface

    I've tried the same rule but adding the local st interface IP as the match source-address instead of 0.0.0.0. But then it didn't hit the rule.

    How the h... does the SRX handle this traffic, and how do I make a "bypass rule" like the one above but more specific?
    //Rob



  • 4.  RE: Why is the SRX using NAT-T for the IPSEC?

    Posted 02-04-2016 22:15

    Hi

    In the exception rule, you need to use not the local st interface but the local physical interface on which IKE terminates.

  • 5.  RE: Why is the SRX using NAT-T for the IPSEC?
    Best Answer

    Posted 02-08-2016 09:21

    Thanks!

    This seems to work and not make a mess of everything else 🙂

    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec match source-address <Local-Public-IP-external-int>/32
    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec match destination-address <remote-GW-public-IP>/32
    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec match application junos-ike
    set security nat source rule-set SNAT_use_interface rule snat_exclude_ipsec then source-nat off

    //Robert
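The matching behaviour the thread converges on, as an added Python model that is not code from the thread or from Junos: it evaluates a source NAT rule-set first-match, the way a Junos rule-set is processed, and shows why an exclusion keyed on the st0.1 address never matches locally generated IKE (which is sourced from the external interface) while one keyed on the external interface address does. 203.0.113.10 is a constructed reth5.0 address, and modelling the predefined application junos-ike as UDP/500 is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed addresses; only 172.31.3.90 and 10.1.1.1 appear in the thread.
EXT_IF_IP = "203.0.113.10"   # address on reth5.0 (Untrust); IKE is sourced from here
ST0_IP = "172.31.3.90"       # st0.1 address: tunnel interface, not the IKE source
REMOTE_GW = "10.1.1.1"       # remote IKE gateway
JUNOS_IKE = {("udp", 500)}   # assumption: predefined application junos-ike modelled as UDP/500
ANY = ["0.0.0.0/0"]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class Rule:
    name: str
    src_nets: list                           # match source-address
    dst_nets: list                           # match destination-address
    action: str                              # "interface" (NAT + PAT) or "off"
    apps: set = field(default_factory=set)   # match application; empty means any

    def matches(self, pkt):
        def in_any(ip, nets):
            return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
        app_ok = not self.apps or (pkt.proto, pkt.dport) in self.apps
        return in_any(pkt.src, self.src_nets) and in_any(pkt.dst, self.dst_nets) and app_ok

def evaluate(rules, pkt):
    """Rules in a rule-set are checked in order; the first match wins.
    Returns (rule name, translated source address, translated source port)."""
    for r in rules:
        if r.matches(pkt):
            if r.action == "off":
                return r.name, pkt.src, pkt.sport
            # interface NAT rewrites the source to the egress interface address and
            # allocates a new source port (PAT); 1024 + sport stands in for that.
            return r.name, EXT_IF_IP, 1024 + pkt.sport
    return None, pkt.src, pkt.sport

def peer_needs_nat_t(rules, pkt):
    """IKE reaching the peer from a port other than 500 forces the peer onto NAT-T."""
    return evaluate(rules, pkt)[2] != 500

CATCH_ALL = Rule("snat_on_interface", ANY, ANY, "interface")
EXCLUDE_ST0 = Rule("snat_exclude_ipsec", [ST0_IP + "/32"], [REMOTE_GW + "/32"], "off")
EXCLUDE_FIXED = Rule("snat_exclude_ipsec", [EXT_IF_IP + "/32"], [REMOTE_GW + "/32"], "off", JUNOS_IKE)
IKE = Packet(EXT_IF_IP, REMOTE_GW, "udp", 500, 500)   # locally generated IKE main-mode packet
```

Run `evaluate([EXCLUDE_ST0, CATCH_ALL], IKE)` and `evaluate([EXCLUDE_FIXED, CATCH_ALL], IKE)` side by side to see the first fall through to the catch-all (PAT, so the peer needs NAT-T) and the second keep UDP/500 intact while ordinary user traffic is still translated.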