SRX Services Gateway

Dynamic VPN (SRX300)

09-06-2019 09:06 AM

Good Afternoon Everyone!  

I recently encountered a Dynamic VPN issue that has me scratching my head after upgrading a branch office to the SRX300.  I followed these instructions to create an IPSEC VPN https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-....  I've opted to forgo Pulse because I don't like the idea of an exposed HTTPS interface and will be using OS native IPSEC/XAuth PSK clients (MacOS, Android).

In summary, the clients are able to establish a P1 IKE security association, exchange a few P2 handshakes before eventually timing out.  Traceoptions are on for both IKE and IPSEC; I see an IKE P1 success message in the logs but nothing else.  The ike-debug log also reflects a similar situation.

Without a specific error, I'm not sure where to look next.  Any ideas or pointers would be greatly appreciated!

----

admin@Firewall> show security ike security-associations    

Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   

6972517 UP     952e672cfec43cf0  f7130c4655d526ab  Aggressive     xxx.xxx.xxx.xxx

admin@Firewall> show security ipsec security-associations

  Total active tunnels: 0     Total Ipsec sas: 0

Sep  6 12:02:40  Firewall kmd[1993]: IKE negotiation successfully completed. IKE Version: 1, VPN: Dynamic-VPN Gateway: Dynamic-VPN-P1-Gateway,

Re: Dynamic VPN (SRX300)

09-06-2019 09:32 AM

Hi ajwilder

The configuration on the document you shared will only work if you use Pulse. If you are planning to establish a regular site-to-site VPN between the SRX and another device then you need to configure your VPN differently. If the software on your machine will simulate an IPsec gateway/peer, then try the following on the SRX:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-route-based-ipsec-vpns.h...

Re: Dynamic VPN (SRX300)

09-06-2019 09:52 AM

Currently, dynamic VPN connections to the SRX are only supported if you are using either Pulse or NCP clients.

Pulse: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-...

NCP: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32418&actp=RSS

Hope this helps you.

Re: Dynamic VPN (SRX300)

09-06-2019 03:18 PM

Thanks for the quick reply!  I'm trying to establish a policy-based VPN where one side has a dynamic IP.  All of the documentation for site-to-site VPNs seems to require static IPs.  For example (https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-policy-based-ipsec-vpns....).

I assume that the SRX is waiting for traffic to establish the IPSec tunnel per the config: set security ipsec vpn Dynamic-VPN establish-tunnels on-traffic.  Attempting to change to immediately throws a commit error.

Re: Dynamic VPN (SRX300)

09-06-2019 03:55 PM

ajwilder,

If the VPN peer has a dynamic IP address you will need to slightly modify the configuration, specifically on the following aspects:

1. mode aggressive has to be used:

set security policy [Policy_Name] mode aggressive

2. Let the SRX know that its peer has a dynamic IP address but it will authenticate itself with a hostname (juniper.net as example):

set security ike gateway [GTW_Name] dynamic hostname juniper.net

Note this hostname doesn't need to resolve to any address, it is just a value; however it has to be configured on the remote end as the local IKE ID of that device.

Ref:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28077&actp=search

https://www.fir3net.com/Firewalls/Juniper/srx-dyn.html

Re: Dynamic VPN (SRX300)

09-07-2019 07:23 AM

Thanks again!  Unfortunately, I had those settings in place already.  Here is what I've got:

admin@Firewall> show version 
Hostname: Firewall
Model: srx300
Junos: 19.2R1.8
JUNOS Software Release [19.2R1.8]

IKE config:

admin@Firewall> show configuration security ike gateway Dynamic-VPN-P1-Gateway    
ike-policy Dynamic-VPN-P2-Policy;
dynamic {
    hostname thebox;
    connections-limit 2;
    ike-user-type shared-ike-id;
}
nat-keepalive 200;
external-interface ge-0/0/0.0;
aaa {
    access-profile Dynamic-XAuth;
}
version v1-only;

IKE Policy Config:

admin@Firewall> show configuration security ike policy Dynamic-VPN-P1-Policy      
mode aggressive;
description "Dynamic%20P1%20Policy";
proposals Dynamic-VPN-P1-Proposal;
pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA

IPSec Config:

admin@Firewall> show configuration security ipsec vpn Dynamic-VPN                 
ike {
    gateway Dynamic-VPN-P1-Gateway;
    ipsec-policy Dynamic-P2-Policy;
}
establish-tunnels immediately;

Log output (NOTE: 192.168.1.5 is the external interface of the SRX; it is fully exposed with a FIOS NAT in front of it; no filter):

Sep  7 10:13:36  Firewall kmd[1993]: IKE negotiation successfully completed. IKE Version: 1, VPN: Dynamic-VPN Gateway: Dynamic-VPN-P1-Gateway, Local: 192.168.1.5/4500, Remote: 111.111.111.111/11344, Local IKE-ID: 192.168.1.5, Remote IKE-ID: thebox, VR-ID: 0, Role: Responder

Tcpdump Output:

10:13:36.662662 IP 111.111.111.111.11340 > 192.168.1.5.500: isakmp: phase 1 I agg
10:13:36.681588 IP 192.168.1.5.500 > 111.111.111.111.11340: isakmp: phase 1 R agg
10:13:36.734498 IP 1111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 1 I agg
10:13:36.738988 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.741579 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
10:13:36.773911 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.777594 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.814684 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.817004 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.821579 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.823822 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.863907 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.870802 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.873226 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:56.949886 IP 111.111.111.111.11344 > 192.168.1.5.4500: isakmp-nat-keep-alive
10:14:16.978952 IP 111.111.111.111.11344 > 192.168.1.5.4500: isakmp-nat-keep-alive
10:14:36.458051 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

Even the debug logs only show success.  I'm beginning to wonder if it's the Junos version.  I've only attempted setting up the dynamic VPN on this version.  Any ideas on how I could further debug this?  I've never encountered this before.

Thanks!
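The two symptoms in this thread, an IKE SA in state UP next to "Total active tunnels: 0" in the first post and a tcpdump capture full of "phase 2/others ... #6[E]" packets in the last one, can be turned into a small triage script. The following is an added example written for this page; it is not code from the thread, from Juniper, or from any of the linked documents. It parses text shaped like the `show security ike security-associations`, `show security ipsec security-associations` and tcpdump output posted above and reports what the combination implies. It assumes tcpdump's isakmp decoder naming: exchange types it knows are printed by name (`agg`, `ident`, `inf`, `oakley-quick`), unknown ones as `#<n>`, and ISAKMP exchange type 6 is the Transaction exchange used by mode-config/XAuth. All sample input is constructed (documentation addresses, made-up cookies), modelled on the posted output.

```python
"""Classify an IKEv1 negotiation from tcpdump and SRX 'show' output.

Added example, not code from the thread or from Juniper. It correlates the
IKE SA table, the IPsec SA totals and a tcpdump capture and lists what they
imply. All sample input below is constructed; addresses are documentation
ranges, cookies are made up.
"""
import re
from collections import Counter
from typing import Optional

# tcpdump's isakmp decoder names the exchange types it knows and prints the
# rest as "#<n>". Type 6 is the ISAKMP Transaction exchange (mode-config/XAuth);
# a trailing "[E]" marks an encrypted payload. Assumption: the reader's tcpdump
# uses the upstream name table.
ETYPE_NAMES = {
    "ident": "main mode (phase 1)",
    "agg": "aggressive mode (phase 1)",
    "inf": "informational",
    "#6": "transaction (mode-config/XAuth)",
    "oakley-quick": "quick mode (phase 2)",
}

# One tcpdump line: timestamp, IP pair (ports optional so native ESP without
# UDP encapsulation still parses), optional NAT-T encapsulation tag, then
# either an isakmp exchange, a NAT keepalive, or an ESP packet.
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?:(?P<encap>NONESP-encap|UDP-encap): )?"
    r"(?:isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<etype>\S+)"
    r"|(?P<keepalive>isakmp-nat-keep-alive)"
    r"|(?P<esp>ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)).*)$"
)

# Data rows of "show security ike security-associations" and the totals line
# of "show security ipsec security-associations".
IKE_ROW_RE = re.compile(
    r"^\s*\d+\s+(?P<state>UP|DOWN)\s+[0-9a-f]{16}\s+[0-9a-f]{16}\s+(?P<mode>\S+)\s+(?P<peer>\S+)",
    re.MULTILINE,
)
IPSEC_TOTALS_RE = re.compile(r"Total active tunnels:\s*(\d+)\s+Total Ipsec sas:\s*(\d+)")


def classify(line: str) -> Optional[str]:
    """Map one tcpdump line to an exchange class, or None if it is not IKE/ESP."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    if m.group("keepalive"):
        return "nat-keepalive"
    if m.group("esp"):
        return "esp"
    etype = m.group("etype").split("[")[0]  # "#6[E]" -> "#6", "agg" -> "agg"
    return ETYPE_NAMES.get(etype, f"unknown exchange {etype}")


def summarize_capture(text: str) -> Counter:
    """Count packets per exchange class; lines that do not parse count as 'other'."""
    counts: Counter = Counter()
    for line in text.splitlines():
        if line.strip():
            counts[classify(line) or "other"] += 1
    return counts


def diagnose(ike_sa_output: str, ipsec_sa_output: str, capture: str) -> dict:
    """Correlate the two SA tables with the capture and list what they imply."""
    ike_up = [m.group("peer") for m in IKE_ROW_RE.finditer(ike_sa_output) if m.group("state") == "UP"]
    totals = IPSEC_TOTALS_RE.search(ipsec_sa_output)
    tunnels = int(totals.group(1)) if totals else 0
    counts = summarize_capture(capture)
    findings = []
    if ike_up and tunnels == 0:
        findings.append("IKE SA is UP but no IPsec SA exists: phase 1 completed, phase 2 did not")
    if counts[ETYPE_NAMES["#6"]] and not counts[ETYPE_NAMES["oakley-quick"]]:
        findings.append("after phase 1 only transaction (mode-config/XAuth) exchanges, never quick mode")
    if counts["esp"] == 0:
        findings.append("no ESP packets in the capture: no data-plane traffic was ever protected")
    if counts["nat-keepalive"]:
        findings.append("peer still sends NAT keepalives: UDP/4500 path is open, control plane is stalled")
    return {"ike_up_peers": ike_up, "ipsec_tunnels": tunnels, "packets": dict(counts), "findings": findings}


# Constructed samples shaped like the thread's output (failing case).
SAMPLE_IKE_SA = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6972517 UP     0123456789abcdef  fedcba9876543210  Aggressive     198.51.100.7
"""
SAMPLE_IPSEC_SA = "  Total active tunnels: 0     Total Ipsec sas: 0\n"
SAMPLE_CAPTURE = """\
10:13:36.662662 IP 198.51.100.7.11340 > 192.0.2.5.500: isakmp: phase 1 I agg
10:13:36.681588 IP 192.0.2.5.500 > 198.51.100.7.11340: isakmp: phase 1 R agg
10:13:36.734498 IP 198.51.100.7.11344 > 192.0.2.5.4500: NONESP-encap: isakmp: phase 1 I agg
10:13:36.738988 IP 192.0.2.5.4500 > 198.51.100.7.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:36.741579 IP 198.51.100.7.11344 > 192.0.2.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
10:13:36.773911 IP 198.51.100.7.11344 > 192.0.2.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:13:36.777594 IP 192.0.2.5.4500 > 198.51.100.7.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
10:13:56.949886 IP 198.51.100.7.11344 > 192.0.2.5.4500: isakmp-nat-keep-alive
10:14:36.458051 IP 198.51.100.7.11344 > 192.0.2.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
"""
# Constructed contrast: what a working negotiation looks like after phase 1.
SAMPLE_CAPTURE_OK = """\
10:20:01.000001 IP 198.51.100.7.11344 > 192.0.2.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
10:20:01.000002 IP 192.0.2.5.4500 > 198.51.100.7.11344: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
10:20:01.000003 IP 198.51.100.7.11344 > 192.0.2.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
"""

if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_IKE_SA, SAMPLE_IPSEC_SA, SAMPLE_CAPTURE), indent=2))
    print(json.dumps(dict(summarize_capture(SAMPLE_CAPTURE_OK)), indent=2))
```

The useful distinction this makes is between the `#6[E]` packets and real phase 2: tcpdump prints Quick Mode as `oakley-quick`, so a capture that shows only `#6` exchanges after `phase 1 ... agg`, no `oakley-quick` and no ESP, means the peer and the SRX never got past the mode-config/XAuth stage, which is consistent with an IKE SA in state UP and zero IPsec SAs. Point the script at a real capture by replacing the constructed samples with the saved `show` and tcpdump output.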