Hey Everyone,
I am working on setting up a Group VPN as part of a Proof of Concept as well as my JNCIE-SEC concepts refresher.
In this case I have 3x SRX100s, of which one is the Key Server and the other two are members. I can get the IKE, IPsec, KEK, and dynamic policies to come up, but the hosts I am trying to send traffic to/from are not able to do so.
All SRXs are running 11.1R6.4; configs are attached. It looks like I am just missing a config statement, but after poring over the configs for the past few hours I am unable to find the missing piece. If anyone can provide some insight I would be extremely grateful.
I do have debug logs from key server as well as the members, but I did not attach them because I did not find anything unusual in them. I would be more than happy to attach them if you would like.
A rough diagram is attached below:
chaynes@srx100-1> show security dynamic-policies detail
Policy: allow-in-0001, action-type: permit, State: enabled, Index: 1048583, Scope Policy: 7
Policy Type: Dynamic
Sequence number: 1
From zone: trust, To zone: untrust
Source addresses:
N/A: 0.0.0.0/0
Destination addresses:
N/A: 0.0.0.0/0
Application: Unknown
Application: Unknown
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: INSTANCE-group-vpn_133955585, Type: IPSec, Index: 133955585
Policy: allow-out-0001, action-type: permit, State: enabled, Index: 1048584, Scope Policy: 8
Policy Type: Dynamic
Sequence number: 1
From zone: untrust, To zone: trust
Source addresses:
N/A: 0.0.0.0/0
Destination addresses:
N/A: 0.0.0.0/0
Application: Unknown
Application: Unknown
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: INSTANCE-group-vpn_133955585, Type: IPSec, Index: 133955585
chaynes@srx100-1> show security group-vpn member ike security-associations
chaynes@srx100-1> show security group-vpn member ipsec security-associations
Total active tunnels: 1
ID          Server    Port  Algorithm         SPI       Life:sec/kb  GId  vsys
>133955585  10.0.0.4  848   ESP:aes-128/sha1  a678566f  2021/ unlim  1    root
<133955585  10.0.0.4  848   ESP:aes-128/sha1  a678566f  2021/ unlim  1    root
chaynes@srx100-1> show security group-vpn member kek security-associations
Index    Remote Address  State  Initiator cookie  Responder cookie  GroupId
3214130  10.0.0.4        UP     c8b022d822b75563  90b11b50cc4b6278  1
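As an added example (not part of the post, and not Junos code), a small Python checker that parses the two member outputs quoted above and cross-checks them: the tunnel index each dynamic policy references should correspond to an IPsec SA actually installed on the member, and a policy whose source and destination are both 0.0.0.0/0 sends every flow between those zones into the group VPN. The sample input is the poster's own output, trimmed to one policy; the finding texts are my own wording.

```python
import re
# Constructed sample: the member's own outputs quoted in the post above, trimmed to one policy.
DYNAMIC_POLICIES = """\
Policy: allow-in-0001, action-type: permit, State: enabled, Index: 1048583, Scope Policy: 7
From zone: trust, To zone: untrust
Source addresses:
N/A: 0.0.0.0/0
Destination addresses:
N/A: 0.0.0.0/0
Application: Unknown
Tunnel: INSTANCE-group-vpn_133955585, Type: IPSec, Index: 133955585
"""
IPSEC_SAS = """\
ID Server Port Algorithm SPI Life:sec/kb GId vsys
>133955585 10.0.0.4 848 ESP:aes-128/sha1 a678566f 2021/ unlim 1 root
"""
CIDR = re.compile(r"^\S+: (\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})$")

def parse_dynamic_policies(text):
    # One dict per 'Policy:' block: name, state, zones, address lists and tunnel index.
    policies, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        addr = CIDR.match(line)
        if section and addr:                      # entry under Source/Destination addresses
            policies[-1][section].append(addr[1])
            continue
        section = None                            # any other line closes the address list
        if line.startswith("Policy:"):
            name, state = re.match(r"Policy: (\S+),.*State: (\w+)", line).groups()
            policies.append({"name": name, "state": state, "src": [], "dst": [], "tunnel": None})
        elif line.startswith("From zone:"):
            policies[-1]["zones"] = tuple(re.findall(r"zone: ([^,\s]+)", line))
        elif line.startswith("Source addresses"):
            section = "src"
        elif line.startswith("Destination addresses"):
            section = "dst"
        elif line.startswith("Tunnel:"):
            policies[-1]["tunnel"] = int(re.search(r"Index: (\d+)", line)[1])
    return policies

def parse_ipsec_sa_ids(text):
    # SA IDs from the '>' (outbound) and '<' (inbound) rows of the member's IPsec SA table.
    return {int(m[1]) for m in re.finditer(r"^[<>](\d+)\s", text, re.M)}

def check_group_vpn(policies, sa_ids):
    # Cross-check each dynamic policy against the IPsec SAs actually installed on the member.
    findings = []
    for p in policies:
        if p["state"] != "enabled" or p["tunnel"] not in sa_ids:
            findings.append(f"{p['name']}: not enabled or no active SA for tunnel index {p['tunnel']}")
        if "0.0.0.0/0" in p["src"] and "0.0.0.0/0" in p["dst"]:
            findings.append(f"{p['name']}: any-to-any scope, all {'->'.join(p['zones'])} traffic is tunnelled")
    return findings
```

Paste the full output of both commands from a member into the two strings to run it against a real box; a policy whose tunnel index appears in no SA row is the first thing to compare against the key server's group configuration.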