SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  how policies get applied for traffic initiated from other side IPSEC L2L VPN ?

    Posted 05-29-2013 16:07

    Hi

    Let's assume we have a site-to-site IPsec tunnel from an SRX to an ASA.

    The tunnel is down and now traffic gets initiated from the ASA side towards the SRX.

    Phases 1 & 2 get completed.

    The encrypted traffic arrives on the SRX. Now, as per the order of processing on the SRX as seen here, VPN is a step after Services ALG.

    But the traffic hitting the SRX is encrypted and there is no session info on the SRX. How do the policies and NAT rules get applied to this incoming traffic since this traffic is encrypted?

    Policies can't really be applied to encrypted incoming traffic, and as per the diagram policies/NAT take place before the VPN encryption/decryption module.

    I am trying to figure out how it's working.



  • 2.  RE: how policies get applied for traffic initiated from other side IPSEC L2L VPN ?
    Best Answer

    Posted 05-30-2013 05:09

    Hi ronydc86,

    Not quite - the diagram isn't showing VPN decryption occurring at all.

    Depending on the type of VPN you're configuring, it will be different as well.

    If you configure a route-based VPN, the traffic is decrypted outside the flow chart, and the VPN tunnel is treated just like any other interface - so the First Packet in the diagram would be traffic from the tunnel, already decrypted.

    If however you are using a policy-based VPN, then the First Packet will be decrypted around the Policy step, and available for NAT services.

    Keep in mind though that the diagram doesn't show the full story either - source NAT takes place before Policy lookup, and destination NAT takes place after, so based on this, I don't think you can source-NAT traffic coming in via a policy-based VPN.



  • 3.  RE: how policies get applied for traffic initiated from other side IPSEC L2L VPN ?

    Posted 05-30-2013 09:31

    Thank you!

    Do you have a link by any chance where I can find a diagram that includes the VPN step instead of the one that I had linked?

    Thanks!



  • 4.  RE: how policies get applied for traffic initiated from other side IPSEC L2L VPN ?

    Posted 05-30-2013 14:51

    I've just had a look through the Junos KB and doco, and all the diagrams are the same as the one you have shown - with no mention of IPSEC in them 😞



  • 5.  RE: how policies get applied for traffic initiated from other side IPSEC L2L VPN ?

    Posted 05-31-2013 09:48

    Thanks a lot 



  • 6.  RE: how policies get applied for traffic initiated from other side IPSEC L2L VPN ?

    Posted 06-02-2013 00:35
    "Keep in mind though that the diagram doesn't show the full story either - source NAT takes place before Policy lookup, and destination NAT takes place after, so based on this, I don't think you can source-NAT traffic coming in via a Policy-based VPN."

    The other way around. Take a look at the flow module again. Destination and static NAT take place before route and policy lookup, while source NAT takes place after policy lookup.
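To make the ordering discussed in this thread concrete, here is an added example (not code from the forum or from Juniper) that models the SRX first-packet path as the last reply describes it: destination NAT before route and policy lookup, source NAT only after a policy permits. All addresses, zones, routes and rules are constructed, and a route-based VPN is represented simply by a packet that already arrives decrypted in a "vpn" zone.

```python
# Toy model of the SRX first-packet flow order (constructed example, not Juniper code):
# destination NAT -> route lookup -> zone/policy lookup -> source NAT.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_zone: str   # zone of the ingress interface (e.g. the st0 tunnel zone for a route-based VPN)
    dport: int

# Constructed routing table: destination prefix -> egress zone
ROUTES = {"10.1.0.0/16": "trust", "0.0.0.0/0": "untrust"}
# Constructed destination NAT: reachable address -> internal server
DEST_NAT = {"203.0.113.10": "10.1.0.5"}
# Constructed source NAT: (from_zone, to_zone) -> translated source address
SRC_NAT = {("trust", "untrust"): "203.0.113.1"}
# Constructed policies; they see the post-destination-NAT dst and the pre-source-NAT src
POLICIES = [
    {"from": "vpn", "to": "trust", "src": "192.168.0.0/16", "dst": "10.1.0.5/32", "action": "permit"},
    {"from": "trust", "to": "untrust", "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "action": "permit"},
]

def route_zone(dst: str) -> str:
    """Longest-prefix match over the constructed routing table, returning the egress zone."""
    best = max((n for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]

def first_packet(pkt: Packet) -> dict:
    """Walk one packet through the flow order and return a trace of what was applied."""
    steps = []
    # 1. Destination (and static) NAT happens before route and policy lookup.
    if pkt.dst in DEST_NAT:
        pkt = replace(pkt, dst=DEST_NAT[pkt.dst]); steps.append("dest-nat")
    # 2. Route lookup on the translated destination gives the egress zone.
    out_zone = route_zone(pkt.dst); steps.append(f"route->{out_zone}")
    # 3. Policy lookup matches on translated dst and still-original src.
    action = "deny"
    for p in POLICIES:
        if ((p["from"], p["to"]) == (pkt.in_zone, out_zone)
                and ip_address(pkt.src) in ip_network(p["src"])
                and ip_address(pkt.dst) in ip_network(p["dst"])):
            action = p["action"]; break
    steps.append(f"policy:{action}")
    if action != "permit":
        return {"result": "drop", "steps": steps}
    # 4. Source NAT is applied only after the policy permitted the session.
    if (pkt.in_zone, out_zone) in SRC_NAT:
        pkt = replace(pkt, src=SRC_NAT[(pkt.in_zone, out_zone)]); steps.append("src-nat")
    return {"result": "session", "steps": steps, "src": pkt.src, "dst": pkt.dst}
```

Running a decrypted packet from the remote site shows the policy being evaluated against the internal (post-destination-NAT) server address, which is why policies for NAT'd VPN traffic are written against the translated destination and the untranslated source.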