SRX Services Gateway

IKEv2 traffic selector support

05-08-2017 04:39 PM

Hi, 


I need to use IKEv2 to set up a site-to-site VPN with a third party. I was astonished to find that IKEv2 does not support traffic selectors, so we will need to have multiple encryption domains between two IKEv2 gateways. How does IKEv2 address this basic requirement?


Thanks,

Solution accepted by topic author oldcreek, 05-08-2017 10:12 PM

Re: IKEv2 traffic selector support

05-08-2017 06:32 PM

Hi,


Thanks for posting your query here.


Unfortunately yes, IKEv2 does not support configuring traffic selectors as of yet, and hence you need to have multiple VPNs configured under the [edit security ipsec vpn] hierarchy, with each VPN having different proxy-IDs in it.


The KB below can serve as an example of how to configure multiple VPNs with different proxy IDs. Though the KB uses IKEv1, the same can be used for IKEv2 as well:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB20543


Hope this helps.


Thanks,
Pulkit Bhandari
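The "one VPN object per encryption domain" workaround the accepted answer describes, written out as an added example in Junos set-command form. This is not the thread's or the KB's configuration: every name, address, interface unit and algorithm below is an assumption chosen for illustration, and the pre-shared key is a placeholder. Both VPN objects reference the same IKE gateway; each carries its own proxy-identity and is bound to its own st0 unit, so routing decides which Phase 2 SA a flow uses.

```junos
## Added example (not from the thread or KB20543). Names, addresses and
## interfaces are assumptions; replace the PSK placeholder before use.
## Phase 1: one gateway shared by every Phase 2 SA to this peer.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<PSK-PLACEHOLDER>"
set security ike gateway PEER-GW ike-policy IKE-POL
set security ike gateway PEER-GW address 203.0.113.10
set security ike gateway PEER-GW external-interface ge-0/0/0.0
## Phase 2 policy shared by both VPN objects.
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
## Encryption domain 1: local 10.10.1.0/24 <-> remote 192.168.1.0/24
set security ipsec vpn PEER-VPN-1 bind-interface st0.1
set security ipsec vpn PEER-VPN-1 ike gateway PEER-GW
set security ipsec vpn PEER-VPN-1 ike proxy-identity local 10.10.1.0/24
set security ipsec vpn PEER-VPN-1 ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn PEER-VPN-1 ike proxy-identity service any
set security ipsec vpn PEER-VPN-1 ike ipsec-policy IPSEC-POL
## Encryption domain 2: local 10.10.2.0/24 <-> remote 192.168.2.0/24
set security ipsec vpn PEER-VPN-2 bind-interface st0.2
set security ipsec vpn PEER-VPN-2 ike gateway PEER-GW
set security ipsec vpn PEER-VPN-2 ike proxy-identity local 10.10.2.0/24
set security ipsec vpn PEER-VPN-2 ike proxy-identity remote 192.168.2.0/24
set security ipsec vpn PEER-VPN-2 ike proxy-identity service any
set security ipsec vpn PEER-VPN-2 ike ipsec-policy IPSEC-POL
## One point-to-point st0 unit per VPN object, and a route per remote domain
## so each flow is steered into the SA whose proxy-identity matches it.
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set routing-options static route 192.168.1.0/24 next-hop st0.1
set routing-options static route 192.168.2.0/24 next-hop st0.2
```

After committing, `show security ipsec security-associations` should list one tunnel per VPN object. The proxy-identity on each object must match the peer's selector for that domain exactly, otherwise that Phase 2 negotiation fails while the other continues to work, which is easy to misread as a Phase 1 problem.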


Re: IKEv2 traffic selector support

05-08-2017 10:14 PM

So Junos IPsec started with ScreenOS's proxy-ID (single only), then implemented (multiple) traffic selectors, and is now going back to a single proxy-ID again with IKEv2?


Re: IKEv2 traffic selector support

07-13-2017 01:59 PM

Good news: traffic selectors now support IKEv2 as of 15.1X49-D100.

Starting with Junos OS Release 15.1X49-D100, traffic selectors can be configured with IKEv2 site-to-...

JNCIE-ENT #371
diehard fan of all things Junos

Re: IKEv2 traffic selector support

05-22-2019 10:00 AM

I understand that it is now possible to use IKEv2 with traffic selectors, but I can't make it work. Please see the output from my FW. You can see that after I add the traffic-selector it tells me that I am missing statements that are clearly in the config. Have you encountered this? My box is an SRX4100 with 15.1X49-D150.2.

xxxxxxx# show | compare
[edit security ipsec]
xxxxxxx { ... }
+ vpn xxxxxxxPH2_VPN {
+ bind-interface st0.xxxxxxx;
+ ike {
+ gateway xxxxxxx-PH1_Gateway;
+ ipsec-policy xxxxxxx-PH2_Policy;
+ }
+ }
+ vpn xxxxxxx-PH2-VPN {
+ traffic-selector xxxxxxx-Proxy1 {
+ local-ip xxxxxxx/32;
+ remote-ip xxxxxxxxxxxxxxxxxxxxx/32;
+ }
+ ## Warning: missing mandatory statement(s): 'manual' or 'ike'
+ }

xxxxxxx# commit check
[edit security ipsec vpn xxxxxxx-PH2-VPN]
'traffic-selector'
Bind-interface must be configured under [edit security ipsec vpn] hierarchy
[edit security ipsec]
'vpn xxxxxxx-PH2-VPN'
Missing mandatory statement: 'manual' or 'ike'
error: configuration check-out failed: (missing mandatory statements)

{primary:node0}[edit]
xxxxxxx#


Re: IKEv2 traffic selector support

05-22-2019 10:12 AM

There is a typo in the VPN name. Change PH2-VPN to PH2_VPN.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: IKEv2 traffic selector support

05-22-2019 10:20 AM

Hi Victor,


Seems you have made a typo.

The traffic selector is to be configured under the VPN name "xxxxxxxPH2_VPN",

but you have by mistake written the VPN name as "xxxxxxx-PH2-VPN".

You added "-" instead of "_", which led Junos to configure the traffic selector under a new VPN.

Delete the vpn statement xxxxxxx-PH2-VPN and configure the traffic selector under xxxxxxxPH2_VPN, which contains the ike config.


Regards,


Rahul
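The fix the last two replies describe, written out as an added example rather than the poster's own configuration. It removes the mistyped VPN object that the `show | compare` output shows being created, and places the traffic selector under the VPN name that already carries `bind-interface` and `ike`. The gateway, policy, VPN and selector names are taken from the poster's output; the `version v2-only` line, the addresses, and the second selector are assumptions added to show how several encryption domains fit in one VPN object once IKEv2 traffic selectors are supported (15.1X49-D100 and later, per the thread).

```junos
## Added example (not the poster's configuration). Names with xxxxxxx are the
## poster's redacted names; addresses, st0 unit and the second selector are assumed.
## 1. Remove the VPN object created by the typo ("-" instead of "_"); it has no
##    bind-interface and no ike/manual stanza, which is exactly what commit check reported.
delete security ipsec vpn xxxxxxx-PH2-VPN
## 2. IKEv2 is selected on the gateway, not on the VPN object.
set security ike gateway xxxxxxx-PH1_Gateway version v2-only
## 3. The traffic selectors go under the existing VPN object, which already has
##    bind-interface and ike (gateway + ipsec-policy). One object, several domains.
set security ipsec vpn xxxxxxxPH2_VPN traffic-selector xxxxxxx-Proxy1 local-ip 10.10.1.1/32
set security ipsec vpn xxxxxxxPH2_VPN traffic-selector xxxxxxx-Proxy1 remote-ip 192.168.1.1/32
set security ipsec vpn xxxxxxxPH2_VPN traffic-selector xxxxxxx-Proxy2 local-ip 10.10.2.0/24
set security ipsec vpn xxxxxxxPH2_VPN traffic-selector xxxxxxx-Proxy2 remote-ip 192.168.2.0/24
## 4. Validate before committing; the earlier "missing mandatory statement" and
##    "Bind-interface must be configured" errors should no longer appear.
commit check
```

Two points worth knowing before committing this. A VPN object cannot carry both `ike proxy-identity` and `traffic-selector`, so if the surviving object still has a proxy-identity from an earlier IKEv1 attempt, delete it first. And with traffic selectors Junos inserts a route for each selector's remote-ip toward the bound st0 interface automatically, so the per-domain static routes used in the multiple-VPN workaround are not needed; after commit, `show security ipsec security-associations` should show one Phase 2 SA per traffic selector.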