SRX Services Gateway
Reply
Trusted Contributor
jozef.klacko
Posts: 142
Registered: ‎07-19-2010
0
Accepted Solution

ipsec with selective packet services and flow mode master vr with router on a stick

Hi

I want to have this configuration with srx210. Please see attached diagra also configuration. I also attached chassis cluster diagram which is not important, I think. Just in case...

I have remote site. It's name is (branch-)pernik and a central site domino. Branch consist of chassis cluster srx210. Domino is a single srx210 but with selective packet services enabled.

I want this:

- pernik should ipsec vpn to domino

- domino have 2 routing instances. One is master - flow and second is packet based.

- domino instances are interconnected with lt interfaces that have ip address.

- packet vr has input firewall filters enabled with action modifier ... then packet-mode

- flow mode router has routes only to 192.168.2.0/24 subnet and to packet VR

Is this configuration (with lt-0/0/1 as external-interface in ike gateway configuration)  supported?

My previous configuration without selective packet services worked as it should so I think it is problem of selective packet serv. and that this conf. is unsupported. Now after router startup the ipsec association is created for some time but traffic cant go through. And after couple of minutes ipsec associationt is toren down, but ike still remain UP. But now I after weekend I cannot even see ike UP :-(

see some logs and output

 

- Second thing I want to have is 192.168.2.0/24 subnet to be source-natted to public assigned to lt-0/0/1 (is even this supported or possible?)

 

Branch srx series and j series selective packet services:

http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf

There is a little bit similar configuration with ipsec as wan failover.

 

Now I am thinking as my config isn't supported, I will assign from subnet to ISP A also to flow master VR to act as gateway and also to our network.

 

***Logs aren't very clear. There is so much I should post here. But as I said. Firstly, I want to know wether nat and ipsec is supported on lt interfaces***

Disabling nat also disabled creating ike association. It was connecting to port 4500

Sep 12 11:08:23 Group/Shared IKE ID VPN configured: 0
Sep 12 11:08:24 Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
Sep 12 11:08:24 Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
Sep 12 11:08:24 KMD_INTERNAL_ERROR: VPN monitor ping send via tunnel 131073 failed, err 65
Sep 12 11:08:25 KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received

 Does anyone know wether this should be working?

 

Jozef Klacko

Trusted Contributor
jozef.klacko
Posts: 142
Registered: ‎07-19-2010
0

Re: ipsec with selective packet services and flow mode master vr with router on a stick

Hi

 

I solved this. It is working. I had typo in configuration domino.txt

 

security {
    ike {
        inactive: traceoptions {
            file size 1m;
            flag policy-manager;
            flag ike;
            flag routing-socket;
        }
        policy ike-policy-cfgr {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "xxxxxxxx"; ## SECRET-DATA
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address 1.2.3.4;
            external-interface lt-0/0/0.1; #### was lt-0/0/1 but i dont have lt-0/0/1 only lt-0/0/0.0 and lt-0/0/0.1
        }
    }



Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.