SRX Services Gateway
Contributor
viks_a
Posts: 48
Registered: 05-07-2011
Accepted Solution

route based vpn 11.1 R6.4

I have a scenario wherein I have a route for HOST B via st0.0 on SRX A and a route for HOST A via st0.0 on SRX B.

When A tries to communicate with B, or vice versa, the traffic flows via the route-based VPN between SRX A and SRX B.

The interesting situation is when HOST C behind SRX A tries to communicate with HOST B, which is behind SRX B. Because of the routing via st0.0 on SRX A, the initial request goes via the tunnel. However, the return traffic from B -> C gets routed outside the tunnel on SRX B, and SRX A permits the traffic to go through to HOST C.

The same scenario with a Netscreen instead of an SRX at the other end just drops any TCP & UDP traffic, but permits ICMP (because ICMP is stateless).

My question: is this normal? For the firewall to permit one flow to go via the tunnel and the return flow to travel outside the tunnel?

I can attach a diagram if my explanation above is confusing.

Contributor
MarcTB
Posts: 56
Registered: 10-18-2009

Re: route based vpn 11.1 R6.4

Can you attach configs from both routers?


Regards,

Marc

Security Officer
Network / Security Specialist for Scarlet / Belgacom

Distinguished Expert
MMcD
Posts: 630
Registered: 07-20-2010

Re: route based vpn 11.1 R6.4

That is indeed strange, as I feel a reverse route lookup may fail; however, I have read of instances of both interfaces, in your case the st and the ge- terminating your VPN, being in the same security zone and permitting the return traffic.

You probably just have some small routing problem that does not return the traffic via the VPN. Can you post both relevant configs?

Can you post your config and maybe a security flow trace with flag basic-datapath set from the SRX transmitting and receiving the traffic outside the VPN?

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
viks_a
Posts: 48
Registered: 05-07-2011

Re: route based vpn 11.1 R6.4

I have attached the trace file. Like you have mentioned, both the interfaces st0.0 and reth0.980 are in the untrust security zone, and it's a routing issue as well, because the route to the host 1.1.6.2 is not via st0.0.

But shouldn't the SRX drop the return packet instead of rerouting the packet outside the tunnel (look at the last 4 lines in the attached file)?

Distinguished Expert
MMcD
Posts: 630
Registered: 07-20-2010

Re: route based vpn 11.1 R6.4

I think this is the bit that allows this to happen. You should try and put the st0 into its own "VPN" zone and see if it allows it then, as I feel it may not.

Feb 23 11:51:16 11:51:16.709491:CID-1:RT: route lookup: dest-ip 1.1.6.2 orig ifp st0.0 output_ifp reth0.980 orig-zone 7 out-zone 7 vsd 0
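The trace line quoted above is the thing to look for when checking a flow trace for this condition: a packet that arrived on st0.0 is routed out reth0.980 in the same zone. The following is an added example (not from this thread or from Juniper) that scans `basic-datapath` trace output for route-lookup lines of that shape and flags any where the originating interface is an st0 tunnel but the output interface is not; the second sample line is constructed as a healthy contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample trace: line 1 is the one quoted in the thread, line 2 is a
# made-up healthy lookup where the return path stays inside the tunnel.
SAMPLE_TRACE = """\
Feb 23 11:51:16 11:51:16.709491:CID-1:RT: route lookup: dest-ip 1.1.6.2 orig ifp st0.0 output_ifp reth0.980 orig-zone 7 out-zone 7 vsd 0
Feb 23 11:51:17 11:51:17.101233:CID-1:RT: route lookup: dest-ip 1.1.5.2 orig ifp st0.0 output_ifp st0.0 orig-zone 7 out-zone 7 vsd 0
"""

# Field names follow the quoted line: "orig ifp" has a space, "output_ifp" an underscore.
ROUTE_LOOKUP_RE = re.compile(
    r"route lookup: dest-ip (?P<dest>\S+) orig ifp (?P<orig_ifp>\S+) "
    r"output_ifp (?P<out_ifp>\S+) orig-zone (?P<orig_zone>\d+) out-zone (?P<out_zone>\d+)"
)


@dataclass
class RouteLookup:
    dest: str
    orig_ifp: str
    out_ifp: str
    orig_zone: int
    out_zone: int

    def leaves_tunnel(self) -> bool:
        """Packet came in over an st0 tunnel but is routed out a non-tunnel interface."""
        return self.orig_ifp.startswith("st0.") and not self.out_ifp.startswith("st0.")

    def same_zone(self) -> bool:
        """Same in/out zone is what lets the escaped packet through as intrazone traffic."""
        return self.orig_zone == self.out_zone


def parse_route_lookups(trace: str) -> list[RouteLookup]:
    """Extract every 'route lookup' record from a flow trace; other lines are ignored."""
    found = []
    for line in trace.splitlines():
        m = ROUTE_LOOKUP_RE.search(line)
        if m:
            found.append(RouteLookup(m["dest"], m["orig_ifp"], m["out_ifp"],
                                     int(m["orig_zone"]), int(m["out_zone"])))
    return found


def find_tunnel_escapes(trace: str) -> list[tuple[str, bool]]:
    """Return (dest-ip, same_zone) for each lookup whose return path leaves the VPN."""
    return [(r.dest, r.same_zone()) for r in parse_route_lookups(trace) if r.leaves_tunnel()]


if __name__ == "__main__":
    for dest, same_zone in find_tunnel_escapes(SAMPLE_TRACE):
        why = "permitted intrazone" if same_zone else "needs a policy to pass"
        print(f"{dest}: return path leaves the tunnel ({why}); fix the route or zone placement")
```

Feeding a real trace file (`file show` output) to `find_tunnel_escapes` gives the destinations whose routes point away from st0.0, which is exactly the routing fix the thread converges on.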
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.