SRX

  • 1.  error: Failed to build dop for policy

    Posted 11-30-2015 02:13

    Hi srx experts,

    I have the following error but can't find why I have an issue:

     

    adm@srx# commit
    error: Failed to build dop for policy 102
    error: configuration check-out failed

    The same configuration used to work in 11.4R4.4 but is not valid in 12.1X44-D25.5.

    If I change the application to (let's say) junos-ping or any, the commit succeeds (but this is not an option, I need to use the self-defined application).

    Here is the complete configuration:

     

    set security zones security-zone trust address-book address LAN_A 192.168.1.0/24
    set security zones security-zone untrust address-book address LAN_B 192.168.2.0/24

    set interfaces ae1 unit 4001 vlan-id 4001
    set interfaces ae1 unit 4001 family inet address 172.16.0.1/30

    set security zones security-zone untrust interface ae1.4001

    set security ipsec proposal IPSec_Proposal1 protocol esp
    set security ipsec proposal IPSec_Proposal1 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal IPSec_Proposal1 encryption-algorithm aes-256-cbc
    set security ipsec proposal IPSec_Proposal1 lifetime-seconds 3600

    set applications application APP_TCP5800 protocol tcp
    set applications application APP_TCP5800 destination-port 5008

    set security ipsec policy IPSec_PolicyA perfect-forward-secrecy keys group5
    set security ipsec policy IPSec_PolicyA proposals IPSec_Proposal1

    set security ipsec vpn IPSec_VPN_A ike gateway IKE_GwCust1
    set security ipsec vpn IPSec_VPN_A ike ipsec-policy IPSec_PolicyA
    set security ipsec vpn IPSec_VPN_A establish-tunnels immediately

    set security ike gateway IKE_GwCust1 ike-policy IKE_PolicyA
    set security ike gateway IKE_GwCust1 address 172.16.0.1
    set security ike gateway IKE_GwCust1 local-identity inet 172.16.0.2
    set security ike gateway IKE_GwCust1 external-interface ae1.4001

    set security ike policy IKE_PolicyA mode main
    set security ike policy IKE_PolicyA proposals pre-g5-aes256-sha
    set security ike policy IKE_PolicyA pre-shared-key ascii-text MyPSK

    set security ike proposal pre-g5-aes256-sha authentication-method pre-shared-keys
    set security ike proposal pre-g5-aes256-sha dh-group group5
    set security ike proposal pre-g5-aes256-sha authentication-algorithm sha-256
    set security ike proposal pre-g5-aes256-sha encryption-algorithm aes-256-cbc
    set security ike proposal pre-g5-aes256-sha lifetime-seconds 28800

    set security policies from-zone trust to-zone untrust policy 102 match source-address LAN_A
    set security policies from-zone trust to-zone untrust policy 102 match destination-address LAN_B
    set security policies from-zone trust to-zone untrust policy 102 match application APP_TCP5800
    set security policies from-zone trust to-zone untrust policy 102 then permit tunnel ipsec-vpn IPSec_VPN_A
    set security policies from-zone trust to-zone untrust policy 102 then permit tunnel pair-policy 201

    set security policies from-zone untrust to-zone trust policy 201 match source-address LAN_B
    set security policies from-zone untrust to-zone trust policy 201 match destination-address LAN_A
    set security policies from-zone untrust to-zone trust policy 201 match application APP_TCP5800
    set security policies from-zone untrust to-zone trust policy 201 then permit tunnel ipsec-vpn IPSec_VPN_A
    set security policies from-zone untrust to-zone trust policy 201 then permit tunnel pair-policy 102

     

    Any idea?



  • 2.  RE: error: Failed to build dop for policy

    Posted 11-30-2015 07:11
    Hi,

    Have you placed the st interface in its zone and configured a security policy for this?

    I mean:
    set security zones security-zone xxx interfaces st0.x
    and applied another set of policies.


  • 3.  RE: error: Failed to build dop for policy

    Posted 11-30-2015 14:18

    Dear Abed,

     

    It is a policy-based VPN tunnel; it doesn't require an st0.x interface.



  • 4.  RE: error: Failed to build dop for policy
    Best Answer

    Posted 11-30-2015 14:41

    Dear Benl,

     

    With policy-based VPNs the return policy has to be the exact opposite of the main policy, which you have done correctly except for your use of the same application in both policies (APP_TCP5800). To resolve this, the application in the opposite direction (return traffic) should have the source port 5008, as opposed to the destination port being 5008. You can create a new app, say APP_TCP5801, and define its source port as 5008:

    set applications application APP_TCP5801 protocol tcp
    set applications application APP_TCP5801 source-port 5008

    Then you should change the app of the return policy (201) to APP_TCP5801:

    set security policies from-zone untrust to-zone trust policy 201 match source-address LAN_B
    set security policies from-zone untrust to-zone trust policy 201 match destination-address LAN_A
    set security policies from-zone untrust to-zone trust policy 201 match application APP_TCP5801
    set security policies from-zone untrust to-zone trust policy 201 then permit tunnel ipsec-vpn hq-to-airport-ipsec-vpn
    set security policies from-zone untrust to-zone trust policy 201 then permit tunnel pair-policy 102

    It should commit after that (though I didn't review the rest of the config, so I can't speak for the VPN traffic traversing 😛).

     

     



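The rule in the answer above (the pair policy must be the exact mirror: zones and addresses reversed, same ipsec-vpn, mutual pair-policy references, and an application whose source and destination ports are swapped) can be checked offline before a commit. The script below is an added example, not code from the thread or from Juniper: the parser, the function names (parse, app_ports, mirror, check_pair) and the error messages are my own, it only understands the handful of set statements the thread uses, it models any as symmetric, and it does not model predefined junos-* applications. The configuration excerpts are copied from the question and from this answer.

```python
# Mirror check for a Junos policy-based VPN pair policy (added example, not
# from the thread or from Juniper). Only the 'set' statements used in the
# thread are parsed; the parser, names and messages here are assumptions.
import re
from collections import defaultdict

PORT_KEYS = ("protocol", "source-port", "destination-port")

APP_RE = re.compile(
    r"set applications application (\S+) (protocol|source-port|destination-port) (\S+)$"
)
POLICY_RE = re.compile(
    r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)"
    r"|then permit tunnel (ipsec-vpn|pair-policy) (\S+))$"
)


def parse(config):
    """Collect user-defined applications and tunnel policies from 'set' lines.

    Policies are keyed by name only (the thread's names are unique across
    zone pairs); lines the two regexes do not recognise are ignored.
    """
    apps, policies = defaultdict(dict), defaultdict(dict)
    for raw in config.splitlines():
        line = raw.strip()
        m = APP_RE.match(line)
        if m:
            apps[m.group(1)][m.group(2)] = m.group(3)
            continue
        m = POLICY_RE.match(line)
        if m:
            pol = policies[m.group(3)]
            pol["from-zone"], pol["to-zone"] = m.group(1), m.group(2)
            if m.group(4):
                pol[m.group(4)] = m.group(5)      # match source-address / destination-address / application
            else:
                pol[m.group(6)] = m.group(7)      # then permit tunnel ipsec-vpn / pair-policy
    return apps, policies


def app_ports(apps, name):
    """(protocol, source-port, destination-port) of an application, or None.

    'any' has no ports and is its own mirror; predefined junos-* applications
    are not modelled here and come back as None.
    """
    if name == "any":
        return (None, None, None)
    if name not in apps:
        return None
    return tuple(apps[name].get(k) for k in PORT_KEYS)


def mirror(ports):
    """The application the return direction must match: ports swapped."""
    protocol, src, dst = ports
    return (protocol, dst, src)


def check_pair(apps, policies, name):
    """Return the ways policy `name` and its pair-policy fail to mirror each other."""
    pol = policies.get(name)
    if pol is None:
        return [f"{name}: policy undefined"]
    pair = pol.get("pair-policy")
    twin = policies.get(pair)
    if twin is None:
        return [f"{name}: pair-policy {pair!r} is missing or undefined"]
    problems = []
    if twin.get("pair-policy") != name:
        problems.append(f"{pair}: pair-policy must point back to {name}")
    if (twin["from-zone"], twin["to-zone"]) != (pol["to-zone"], pol["from-zone"]):
        problems.append(f"{pair}: zones must be the reverse of {name}")
    if (twin.get("source-address"), twin.get("destination-address")) != (
            pol.get("destination-address"), pol.get("source-address")):
        problems.append(f"{pair}: addresses must be swapped relative to {name}")
    if twin.get("ipsec-vpn") != pol.get("ipsec-vpn"):
        problems.append(f"{pair}: must use the same ipsec-vpn as {name}")
    fwd, rev = pol.get("application"), twin.get("application")
    fwd_ports, rev_ports = app_ports(apps, fwd), app_ports(apps, rev)
    if fwd_ports is None or rev_ports is None:
        problems.append(f"{name}/{pair}: application {fwd}/{rev} undefined or not modelled")
    elif rev_ports != mirror(fwd_ports):
        problems.append(f"{pair}: application {rev} must mirror {fwd} "
                        "(swap source-port and destination-port)")
    return problems


# Application and policy lines as posted in the question (copied from the thread).
THREAD_CONFIG = """
set applications application APP_TCP5800 protocol tcp
set applications application APP_TCP5800 destination-port 5008
set security policies from-zone trust to-zone untrust policy 102 match source-address LAN_A
set security policies from-zone trust to-zone untrust policy 102 match destination-address LAN_B
set security policies from-zone trust to-zone untrust policy 102 match application APP_TCP5800
set security policies from-zone trust to-zone untrust policy 102 then permit tunnel ipsec-vpn IPSec_VPN_A
set security policies from-zone trust to-zone untrust policy 102 then permit tunnel pair-policy 201
set security policies from-zone untrust to-zone trust policy 201 match source-address LAN_B
set security policies from-zone untrust to-zone trust policy 201 match destination-address LAN_A
set security policies from-zone untrust to-zone trust policy 201 match application APP_TCP5800
set security policies from-zone untrust to-zone trust policy 201 then permit tunnel ipsec-vpn IPSec_VPN_A
set security policies from-zone untrust to-zone trust policy 201 then permit tunnel pair-policy 102
"""

# The fix from the answer: a source-port 5008 application on the return policy.
FIXED_CONFIG = THREAD_CONFIG.replace(
    "policy 201 match application APP_TCP5800", "policy 201 match application APP_TCP5801"
) + """
set applications application APP_TCP5801 protocol tcp
set applications application APP_TCP5801 source-port 5008
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CONFIG), ("with APP_TCP5801", FIXED_CONFIG)):
        print(label, check_pair(*parse(cfg), "102") or ["mirror OK"])
```

Run as posted, the only complaint is the one the answer identifies: policy 201 reuses APP_TCP5800, whose destination-port 5008 does not mirror the destination-port 5008 of policy 102. With APP_TCP5801 (source-port 5008) on policy 201 the pair is a clean mirror in both directions.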
  • 5.  RE: error: Failed to build dop for policy

    Posted 11-30-2015 22:12

    Hisham said:

     

    ------------------------------------------------------------------------------------------------

    Dear Abed,

     

    It is a policy-based VPN tunnel; it doesn't require an st0.x interface.

    ------------------------------------------------------------------------------------------------

     

    You're right.

     

    This is likely caused by a missing policy for the return traffic.



  • 6.  RE: error: Failed to build dop for policy

    Posted 12-01-2015 00:40

    Thanks elkadiki!

    This seems clear once you explained it! :)

     

    Changed with:

     

    set applications application APP_SRC_TCP5800 protocol tcp
    set applications application APP_SRC_TCP5800 source-port 5008

    set applications application APP_DST_TCP5800 protocol tcp
    set applications application APP_DST_TCP5800 destination-port 5008

     

    set security policies from-zone trust to-zone untrust policy 102 match application APP_SRC_TCP5800

    set security policies from-zone untrust to-zone trust policy 201 match application APP_DST_TCP5800

     

    And it is OK.


     

    Regards,

    Ben



  • 7.  RE: error: Failed to build dop for policy

    Posted 12-02-2015 08:38

    You're welcome, Benl!