SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Firewall filters and ESP

  • 1.  Firewall filters and ESP

    Posted 06-09-2015 08:10

    Hi,

     

    I’ve written a firewall filter to protect the RE on one of my SRX boxes in the lab. The filter allows (among other things) IKE and ESP traffic to the RE. I’m counting all term hits and while looking at the stats I found the following:

     

    > show firewall filter protect-re-ipv4
    
    Filter: protect-re-ipv4
    Counters:
    Name                                    Bytes      Packets
    accept-dhcp-client                        349            1
    accept-dhcp-server                       1010            3
    accept-esp                                  0            0
    accept-icmp                             88279         1058
    accept-ike                             145688         1293
    accept-ntp                              14592          192
    accept-ospf                            354924         2896
    accept-radius                             481            7
    accept-snmp                            562861         2336
    accept-ssh                             250506         3424
    accept-ssh-established                      0            0
    accept-traceroute-udp                     312            6
    discard-bad-packets                       644           13

     

    No hits for ESP. Hm, that's weird. The VPN works like it should though, and the ESP stats look fine:

     

    > show security ipsec statistics
    ESP Statistics:
      Encrypted bytes:         21644688
      Decrypted bytes:         31782884
      Encrypted packets:          73623
      Decrypted packets:          79730
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

     

    The configuration looks like this:

     

    interfaces {
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input protect-re-ipv4;
                    }
                    address 192.168.1.1/32;
                }
            }
        }
    }
    firewall {
        family inet {
            filter protect-re-ipv4 {
                term no-icmp-fragments {
                    from {
                        is-fragment;
                        protocol icmp;
                    }
                    then {
                        discard;
                    }
                }
                term accept-icmp {
                    from {
                        protocol icmp;
                    }
                    then {
                        policer mgmt-5m;
                        count accept-icmp;
                        accept;
                    }
                }
                term accept-traceroute-udp {
                    from {
                        protocol udp;
                        destination-port 33434-33534;
                    }
                    then {
                        policer mgmt-1m;
                        count accept-traceroute-udp;
                        accept;
                    }
                }
                term accept-ike {
                    from {
                        source-prefix-list {
                            ike-hosts;
                        }
                        protocol udp;
                        port 500;
                    }
                    then {
                        count accept-ike;
                        accept;
                    }
                }
                term accept-esp {
                    from {
                        source-prefix-list {
                            ike-hosts;
                        }
                        protocol esp;
                    }
                    then {
                        count accept-esp;
                        accept;
                    }
                }
                term accept-ospf {
                    from {
                        source-prefix-list {
                            interfaces-ipv4;
                        }
                        destination-prefix-list {
                            interfaces-ipv4;
                            ospf-multicast;
                        }
                        protocol ospf;
                    }
                    then {
                        count accept-ospf;
                        accept;
                    }
                }
                term accept-ssh {
                    from {
                        source-prefix-list {
                            ssh-hosts;
                        }
                        protocol tcp;
                        port ssh;
                    }
                    then {
                        policer mgmt-5m;
                        count accept-ssh;
                        accept;
                    }
                }
                term accept-ssh-established {
                    from {
                        source-prefix-list {
                            ssh-hosts;
                        }
                        source-port ssh;
                        tcp-established;
                    }
                    then {
                        policer mgmt-5m;
                        count accept-ssh-established;
                        accept;
                    }
                }
                term accept-snmp {
                    from {
                        source-prefix-list {
                            snmp-hosts;
                        }
                        protocol udp;
                        port snmp;
                    }
                    then {
                        policer mgmt-5m;
                        count accept-snmp;
                        accept;
                    }
                }
                term accept-ntp {
                    from {
                        source-prefix-list {
                            ntp-hosts;
                        }
                        protocol udp;
                        port ntp;
                    }
                    then {
                        policer mgmt-1m;
                        count accept-ntp;
                        accept;
                    }
                }
                term accept-radius {
                    from {
                        source-prefix-list {
                            radius-hosts;
                        }
                        protocol udp;
                        port radius;
                    }
                    then {
                        policer mgmt-1m;
                        count accept-radius;
                        accept;
                    }
                }
                term accept-dhcp-client {
                    from {
                        source-address {
                            0.0.0.0/32;
                        }
                        destination-address {
                            255.255.255.255/32;
                        }
                        protocol udp;
                        source-port 68;
                        destination-port 67;
                    }
                    then {
                        count accept-dhcp-client;
                        accept;
                    }
                }
                term accept-dhcp-server {
                    from {
                        protocol udp;
                        source-port [ 67 68 ];
                        destination-port [ 67 68 ];
                    }
                    then {
                        count accept-dhcp-server;
                        accept;
                    }
                }
                term discard-bad-packets {
                    then {
                        count discard-bad-packets;
                        log;
                        discard;
                    }
                }
            }
        }
        policer mgmt-1m {
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 625k;
            }
            then discard;
        }
        policer mgmt-5m {
            if-exceeding {
                bandwidth-limit 5m;
                burst-size-limit 625k;
            }
            then discard;
        }
    }

     

    So, why isn’t anything hitting the accept-esp term? 🙂



  • 2.  RE: Firewall filters and ESP

    Posted 06-09-2015 16:17

    What zone is the interface in and what are the settings for the host-inbound-services for the zone and the interface? 

     

    I'm wondering if your traffic is being dropped by this function before hitting the filter.



  • 3.  RE: Firewall filters and ESP

    Posted 06-09-2015 22:21

    Hi, the st0.0 interface is in the "vpn" zone and ge-0/0/0.0 (which is the interface facing the internet) is in the "ext" zone - configuration looks like this:

     

    security-zone ext {
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        ike;
                        ssh;
                    }
                }
            }
        }
    }
    security-zone vpn {
        interfaces {
            st0.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        ssh;
                        ike;
                        snmp;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
    security-zone int {
        interfaces {
            vlan.100 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        bootp;
                    }
                }
            }
        }
    }


  • 4.  RE: Firewall filters and ESP

    Posted 06-10-2015 00:46

    I did a few more tests.

     

    First, I placed the accept-esp term first in the filter but still no hits when checking the counters. Lots of hits on the accept-ike counter though, as expected.

     

    Then I removed the ESP term entirely from the filter, but the VPN is still alive. It also comes up fine after rebooting the box.

     

    What am I missing? Why is ESP still working when the ESP protocol isn't allowed to reach the RE? 🙂



  • 5.  RE: Firewall filters and ESP

    Posted 06-10-2015 03:41

    What am I missing? Why is ESP still working when the ESP protocol isn't allowed to reach the RE?

     

    I'm not sure, but I would guess that the allow IKE is permitting this ESP traffic. You may need to open a ticket to get a definitive answer.



  • 6.  RE: Firewall filters and ESP

     
    Posted 06-10-2015 08:03
    Just a thought: do you have NAT-T? Is your VPN negotiated on UDP 500 or UDP 4500?
    Can you share "show security ike sa"?


  • 7.  RE: Firewall filters and ESP

    Posted 06-10-2015 10:49

    No NAT-T. VPN is using UDP port 500.

     

    Here's the relevant ike/ipsec configuration:

     

    > show security ike sa
    Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
    2427153 UP     2d74a6d70d1575db  ebdf1f029089ec37  Main  X.X.X.X
    > show configuration security ike
    proposal ROPSK {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    policy remote {
        mode main;
        proposals ROPSK;
        pre-shared-key ascii-text XXX
    }
    gateway blah {
        ike-policy remote;
        address X.X.X.X;
        dead-peer-detection {
            interval 10;
            threshold 3;
        }
        external-interface ge-0/0/0.0;
    }
    > show configuration security ipsec
    proposal meh {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy rem {
        proposals meh;
    }
    vpn test {
        bind-interface st0.0;
        ike {
            gateway blah;
            proxy-identity {
                local 0.0.0.0/0;
                remote 0.0.0.0/0;
                service any;
            }
            ipsec-policy rem;
        }
    }


  • 8.  RE: Firewall filters and ESP

     
    Posted 06-10-2015 11:37
    Can you share "show security ipsec security-associations"?


  • 9.  RE: Firewall filters and ESP

    Posted 06-10-2015 11:46

    Sure:

     

    > show security ipsec sa
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:3des/sha1 2b3f248a 3179/ unlim   -   root 500   X.X.X.X
      >131073 ESP:3des/sha1 96254b8  3179/ unlim   -   root 500   X.X.X.X


  • 10.  RE: Firewall filters and ESP

    Posted 06-10-2015 22:38

    I've tested this on a few boxes in production now, and they all exhibit the same behaviour. There is no filter allowing the ESP protocol to the RE, but all VPNs using ESP still work. I still don't know if this is expected behaviour or not.

     

    This is on 12.1X44-D35. All boxes are SRX210H.



  • 11.  RE: Firewall filters and ESP
    Best Answer

     
    Posted 06-10-2015 23:52

    This issue happens with firewall filters applied on the loopback interface only. When I apply the same filter on a physical interface I can see the ESP packet count (please see below). It looks like the decryption is done before the lo0 counter is hit, and that is to be expected because the decryption happens in the PFE and the lo0 count happens in the RE.

    That's the reason why filters on the physical interface get the ESP count.

     


    root@SRX> show firewall

    Filter: __default_bpdu_filter__

    Filter: LAB
    Counters:
    Name                                                Bytes              Packets
    Default                                              1560                   13
    ESP                                                     0                    0

    root@SRX>show configuration firewall
    filter LAB {
        term Count-ESP {
            from {
                protocol esp;
            }
            then count ESP;
        }
        term Default {
            then {
                count Default;
                accept;
            }
        }
    }

    root@SRX>

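The practical check behind posts 1 and 11 is to compare two snapshots of `show firewall filter <name>` and see which accept terms actually fire. The script below is an added example, not code from the thread or from Juniper: it parses the counter table in the format shown above, handles a counter that was cleared between snapshots, and lists accept terms with zero growth. The term names follow the thread's filter, but the two sample snapshots and their numbers are constructed for this example; the policer counter name is also an assumption.

```python
# Added example (not from the thread): diff two `show firewall filter <name>`
# snapshots and flag accept terms whose packet counter never moves. On this
# SRX, a zero-hit accept term either never sees the traffic (ESP on lo0, which
# is decrypted in the PFE before the RE filter) or is shadowed by an earlier
# term; either way it is worth checking before you rely on the filter to
# protect the RE.
import re
from typing import Dict, List, Tuple

Counters = Dict[str, Tuple[int, int]]  # term name -> (bytes, packets)

# Constructed sample output in the format of `show firewall filter protect-re-ipv4`.
# Term names follow the thread; the numbers and the policer row are invented.
SNAPSHOT_T0 = """\
Filter: protect-re-ipv4
Counters:
Name                                    Bytes      Packets
accept-esp                                  0            0
accept-icmp                             88279         1058
accept-ike                             145688         1293
accept-ssh                             250506         3424
accept-ssh-established                      0            0
discard-bad-packets                       644           13
Policers:
Name                                    Bytes      Packets
mgmt-5m-accept-icmp                         0            0
"""

# Same box some time later; discard-bad-packets was cleared in between.
SNAPSHOT_T1 = """\
Filter: protect-re-ipv4
Counters:
Name                                    Bytes      Packets
accept-esp                                  0            0
accept-icmp                             90031         1079
accept-ike                             146812         1303
accept-ssh                             251200         3433
accept-ssh-established                      0            0
discard-bad-packets                       100            2
Policers:
Name                                    Bytes      Packets
mgmt-5m-accept-icmp                         0            0
"""

_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_counters(text: str) -> Counters:
    """Return only the Counters: table; the Policers: table is skipped."""
    counters: Counters = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and " " not in line:   # "Counters:" / "Policers:"
            section = line[:-1]
            continue
        if section != "Counters":
            continue
        m = _ROW.match(line)                          # header row has no digits, so it is skipped
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def diff_counters(before: Counters, after: Counters) -> Counters:
    """Per-term (bytes, packets) growth between snapshots. A counter that went
    backwards was cleared in between (`clear firewall filter ...`), so its
    post-clear value is taken as the growth."""
    growth: Counters = {}
    for name, (b1, p1) in after.items():
        b0, p0 = before.get(name, (0, 0))
        growth[name] = (b1 - b0 if b1 >= b0 else b1, p1 - p0 if p1 >= p0 else p1)
    return growth


def idle_terms(growth: Counters, prefix: str = "accept-") -> List[str]:
    """Accept terms that saw no packets during the interval."""
    return sorted(name for name, (_, pkts) in growth.items()
                  if name.startswith(prefix) and pkts == 0)


def report(before_text: str, after_text: str) -> str:
    growth = diff_counters(parse_counters(before_text), parse_counters(after_text))
    lines = [f"{name:<28}{b:>10} bytes {p:>8} pkts" for name, (b, p) in sorted(growth.items())]
    idle = idle_terms(growth)
    if idle:
        lines.append("accept terms with no hits: " + ", ".join(idle))
        lines.append("  -> shadowed by an earlier term, or the traffic never reaches this filter")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SNAPSHOT_T0, SNAPSHOT_T1))
```

Run it against two real captures taken a few minutes apart instead of the constructed snapshots. On the lo0 filter from this thread, `accept-esp` is expected to stay idle for the reason post 11 gives; an idle `accept-ssh-established` on the other hand is a term to look at, since nothing on the page says that traffic is handled elsewhere.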


  • 12.  RE: Firewall filters and ESP

    Posted 06-11-2015 00:41

    OK - my interpretation of your reply is that it's perfectly safe to discard ESP protocol traffic on a filter applied on lo0. It shouldn't affect VPN traffic in my scenario.

     

    Thank you for the info.