SRX Services Gateway

Does local-address in the IKE gateway work with a preferred address out of a different subnet?

01-31-2019 03:39 PM

Hello all.

Trying to create a VPN using an external interface that has two inet addresses. I know about the local-address knob and I am using it. IKE is failing, but only on the side with dual IPs. On the side with only a single IP on the external interface the IKE SA reports as up, but it never reports up on the side with the two addresses. Two more details: the two addresses on the external interface are out of different subnets, and this is a chassis cluster. However, the external interface is not a reth interface. This is a standard deployment where two fixed interfaces (one on each node) do BGP upstream and have reth interfaces on the inside zones only.

As I say, the single IP side shows the IKE SA up and the initiator and responder cookies match on both sides.

The side with the two addresses, which doesn't ever show the IKE SA up or down, has this log entry, for which I can find no info:

"IKE negotiation failed with error: Negotiation failed as negotiation completed on backup HA node."

At that exact instant in the traceoptions log there was this:


[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_send_notify: Connected, SA = { c069074a bb502581 - fa965fa7 4043960d}, nego = -1
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 31 16:06:53 PIC 2/5/0 KMD1]ike_sa_delete: Start, SA = { c069074a bb502581 - fa965fa7 4043960d }

So it looks to me as though the IKE is completing on both sides, but due to this mysterious "negotiation completion" issue, it immediately drops on the side with the two IPs. But why? Anyone have a clue?

Let me know if/what more information would help. Want to keep it lean to start with.

One last thing, I have made the address I'm peering with both primary and preferred.

Much appreciated,

dj

4 Replies

Re: Does local-address in the IKE gateway work with a preferred address out of a different subnet?

01-31-2019 06:25 PM (edited)

Hi jaajex0,

The implementation you currently have for the external interfaces (1 orphan port on each node) is not a recommended one. I would advise using a reth interface or the loopback interface. Using a reth or the loopback will provide redundancy should any physical interface fail, and will also resolve your problem. If you plan to use the loopback interface please note that it has to be configured as part of a redundancy group:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ipsec-vpn-tunnels-with-c...

I believe that if you perform a failover right now, that tunnel will be negotiated properly but the one on the other node might start to fail. Please let us know.

Branch SRX: On a branch SRX device, usage of a non-reth interface (standalone, aggregate, gre) for the IPsec VPN termination is not supported. The VPN might or might not come up when the non-reth interfaces are used.

High-end SRX: On a high-end SRX device, usage of a non-reth interface (standalone, aggregate, gre) for the IPsec VPN termination is not supported. The VPN might or might not come up when the non-reth interfaces are used.

Ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB30554&act=login

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
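As an added configuration example (not from the original post or from any of the replies), here are the two layouts this thread contrasts side by side: the poster's non-reth port carrying two addresses from different subnets, with `local-address` picking the one to peer from, and the loopback-in-a-redundancy-group layout this reply recommends. All interface names, zone names, policy names and addresses are constructed placeholders; the IKE policy `ike-pol`, the IPsec VPN that references gateway `peer-a`, and the node1 copy of the port configuration are assumed to exist and are not shown. The `#` lines are explanatory and are not part of the configuration.

```junos
# --- Layout A: what the poster describes (one fixed, non-reth port per node) ---
# Two addresses from two subnets on the same unit; the second is marked
# primary and preferred, and local-address makes IKE negotiate from it.
# KB30554 (quoted above) lists this non-reth termination as unsupported.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.10/24 primary
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.10/24 preferred
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security ike gateway peer-a external-interface ge-0/0/0.0
set security ike gateway peer-a local-address 198.51.100.10
set security ike gateway peer-a address 192.0.2.1
set security ike gateway peer-a ike-policy ike-pol

# --- Layout B: loopback endpoint tied to redundancy-group 1 ---
# lo0 becomes a redundant pseudo-interface that is active on whichever node
# is RG1 primary, so the IKE endpoint moves with a failover instead of
# being pinned to one node's port. RG1 is assumed to already exist for the
# inside reths; the priorities are shown only for completeness.
# The /32 is a constructed routable address that must be advertised upstream
# (here, via the existing per-node BGP sessions) so the peer can reach it.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1
set interfaces lo0 unit 0 family inet address 203.0.113.250/32
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike
set security ike gateway peer-a external-interface lo0.0
set security ike gateway peer-a local-address 203.0.113.250
set security ike gateway peer-a address 192.0.2.1
set security ike gateway peer-a ike-policy ike-pol
```

After committing layout B, check `show chassis cluster status` to confirm which node is RG1 primary, then run `show security ike security-associations` (and `... detail`) on that node; the IKE SA should now be established from the lo0 address and should stay up across a manual RG1 failover. Two things to verify before blaming IKE: the peer must have a route to the /32 (a traceroute or ping from the peer to 203.0.113.250 should succeed), and lo0.0 must be in a zone whose host-inbound-traffic allows `ike`, otherwise UDP/500 and UDP/4500 are dropped before KMD ever sees them. A reth interface in the untrust zone works the same way as the IKE `external-interface`; the loopback variant is shown because it fits the poster's existing per-node BGP uplinks without re-cabling.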

Re: Does local-address in the IKE gateway work with a preferred address out of a different subnet?

01-31-2019 06:34 PM

Please refer to the KB for the supported and unsupported IPsec VPN scenarios on SRX chassis clusters:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30554&act=login

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Does local-address in the IKE gateway work with a preferred address out of a different subnet?

02-02-2019 01:03 AM

Can you use the loopback interface as the external interface and configure an aggressive mode VPN?

An aggressive mode VPN config example can be found in KB28108.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Does local-address in the IKE gateway work with a preferred address out of a different subnet?

02-11-2019 03:21 PM

Hi jaajex0,

Were you able to fix this issue?


Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!