SRX Services Gateway

IPSEC with NAT-T

‎08-08-2011 05:15 PM
Hi, Gurus all over the world. Any chance you can help with an answer to getting this scenario working? I've searched Juniper KB and J-Net and everywhere else, and all I was able to find is "yes, it can do this" and "NAT-T allowed scenarios". But no working configurations.

Network1 -> SRX100 -> Cisco ASA -> Internet <- SRX240 <- Network2

I need to set up an IPSEC VPN between SRX100 and SRX240. SRX240 has a public static address on the Internet (say 1.2.3.4/30). SRX100 has its external interface - fe-0/0/1 - on a private network - 192.168.100.1/24 - with the ASA providing NAT. The aim is for all traffic from Network1 to go via the IPSEC to SRX240 and be dealt with there according to the HQ policies.

I can set up a site-to-site IPSEC VPN between 2 public addresses w/o problems. But I could not find sample configs for both ends dealing with IPSEC NAT Traversal. Do you think you could provide a solution? Thank you.

Re: IPSEC with NAT-T

‎08-08-2011 05:33 PM

NAT-T is supported by default, the only config related to NAT-T is to disable it specifically.

So as long as your base VPN config is correct and your case falls into the supported scenarios, you should have no problems.

Also be sure to use the NAT outside global address for the IKE gateway address, not the inside address.


Re: IPSEC with NAT-T

‎08-08-2011 05:49 PM
Do you mean, I should use the ASA's address as the address for IKE gateway configured on SRX240?
Accepted solution (accepted by topic author smalev@cdm.com.au, 08-26-2015)

Re: IPSEC with NAT-T

‎08-09-2011 11:55 AM

If your SRX100 is behind NAT, you will need to configure it as if it is using a dynamic IP. For phase 1, you'll have to configure for aggressive mode. Additionally, you need to configure a local-id, and on the remote side, it would have to be responding to a peer-id, which matches the local-id of the SRX100 side.

Example:

SRX100:

[edit security ike]

gateway home-gw {
    ike-policy home;
    address 1.1.1.1;
    local-identity user-at-hostname "test@juniper.net";
    external-interface ge-0/0/1.0;
}

SRX240:


[edit security ike]

gateway srx210 {
    ike-policy ike-dyn-vpn-policy;
    dynamic user-at-hostname test@juniper.net;   /* must match the SRX100 local-identity exactly */
    external-interface ge-0/0/0.0;
}


Re: IPSEC with NAT-T

‎08-09-2011 07:08 PM

Previous post's config is probably what you're really after, but to explain my earlier comment: in case you are using 1:1 NAT, it works, at least on version 11.1, to use main mode and specify the public IPs as the IKE gateways on each side. You would actually have to disable NAT-T on both IKE gateways to get it working, however.

Probably the only practical reason to try it this way would be if there is some specific requirement to make the device behind NAT the responder... this doesn't seem to be one of the documented supported scenarios, so it would be better to use aggressive mode if at all possible, as the previous post mentioned.

In any case, for reference, below is the config I was talking about:


---------------------------
initiator
---------------------------


root@Network_A> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway  
  <131077 ESP:3des/sha1 1f526aa8 3465/ unlim   -   root 500   192.0.12.102   
  >131077 ESP:3des/sha1 77292946 3465/ unlim   -   root 500   192.0.12.102

 

root@Network_A> show configuration security | display set | match nat
set security ike policy vpn-natt-static-ikepol mode main
set security ike policy vpn-natt-static-ikepol proposal-set standard
set security ike policy vpn-natt-static-ikepol pre-shared-key ascii-text "$9$dVw2ajHmFnCZUnCtuEhVwY"
set security ike gateway vpn-natt-static-B ike-policy vpn-natt-static-ikepol
set security ike gateway vpn-natt-static-B address 192.0.12.102
set security ike gateway vpn-natt-static-B no-nat-traversal
set security ike gateway vpn-natt-static-B external-interface ge-0/0/0.12
set security ipsec policy vpn-natt-static-ipsecpol proposal-set standard
set security ipsec vpn vpn-natt-static-B bind-interface st0.12
set security ipsec vpn vpn-natt-static-B ike gateway vpn-natt-static-B
set security ipsec vpn vpn-natt-static-B ike ipsec-policy vpn-natt-static-ipsecpol
set security ipsec vpn vpn-natt-static-B establish-tunnels immediately


---------------------------
intermediate static 1:1 nat device
---------------------------

root@Network_B> show security flow session protocol esp | no-more 
Session ID: 6196, Policy name: default-policy/2, Timeout: 1800, Valid
  In: 192.0.12.1/0 --> 192.0.12.102/0;esp, If: ge-0/0/0.12, Pkts: 12, Bytes: 1632
  Out: 192.2.12.254/0 --> 192.0.12.1/0;esp, If: ge-0/0/7.12, Pkts: 12, Bytes: 1632

root@Network_B> show configuration security nat | display set
set security nat static rule-set nat_static from zone static_nat_untrust
set security nat static rule-set nat_static rule nat_static_rule match destination-address 192.0.12.102/32
set security nat static rule-set nat_static rule nat_static_rule then static-nat prefix 192.2.12.254/32
set security nat proxy-arp interface ge-0/0/0.12 address 192.0.12.102/32


---------------------------
responder behind static nat:
---------------------------
root@endpoints> show log vpn.tr | match "role is"                                         
Aug 10 10:09:09 Role is responder. Using responder spi 0x77292946 for payload of vpn-natt-static-B-to-A


root@endpoints> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway  
  <131073 ESP:3des/sha1 77292946 3521/ unlim   -   root 500   192.0.12.1     
  >131073 ESP:3des/sha1 1f526aa8 3521/ unlim   -   root 500   192.0.12.1 

 

root@endpoints> show configuration security | display set | match "ike|ipsec" | no-more
set security ike traceoptions file vpn.tr
set security ike traceoptions file size 5m
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike policy vpn-natt-static-ikepol mode main
set security ike policy vpn-natt-static-ikepol proposal-set standard
set security ike policy vpn-natt-static-ikepol pre-shared-key ascii-text "$9$GGjkPFnCBIc5QIcylLXUjH"
set security ike gateway vpn-natt-static-B-to-A ike-policy vpn-natt-static-ikepol
set security ike gateway vpn-natt-static-B-to-A address 192.0.12.1
set security ike gateway vpn-natt-static-B-to-A no-nat-traversal
set security ike gateway vpn-natt-static-B-to-A external-interface fe-0/0/2.12
set security ipsec traceoptions flag all
set security ipsec policy vpn-natt-static-ipsecpol proposal-set standard
set security ipsec vpn vpn-natt-static-B-to-A bind-interface st0.12
set security ipsec vpn vpn-natt-static-B-to-A ike gateway vpn-natt-static-B-to-A
set security ipsec vpn vpn-natt-static-B-to-A ike ipsec-policy vpn-natt-static-ipsecpol
set security ipsec vpn vpn-natt-static-B-to-A establish-tunnels on-traffic


Re: IPSEC with NAT-T

‎08-13-2011 12:03 AM

Thank you for providing help. I've changed the configs as per Dynamic VPN suggestion. And now it goes a bit further - looks like Phase 1 gets established. But Phase 2 flatly refuses to come up. I thought I don't have to specify proxy-ids between two SRXs. I've attached a file with relevant excerpts from configs from both ends, as well as output from some commands. I'd be a very happy man if someone could have a look and tell what I am doing wrong. Your help is greatly appreciated.


Re: IPSEC with NAT-T

‎08-14-2011 07:42 PM
Got it working. One little thing was missing on SRX100:

[edit security zones security-zone untrust]
root@fwi01# set host-inbound-traffic system-services ike

But why did Phase 1 get established if IKE was not allowed on the untrust interface? Anyway. Mob rules! I mean "Community helps"! 🙂 Thanks to all who assisted.

Re: IPSEC with NAT-T

‎08-15-2011 12:41 AM

Correct me if I am wrong: as far as I am informed, IKE is allowed by default on the external interface you bind the VPN to. Normally you do not need to set host-inbound-traffic system-services ike on the external interface for a working IPsec tunnel.

Regards,

Sebastian


Re: IPSEC with NAT-T

‎10-07-2011 07:33 AM

I can confirm this is needed. I spent like 3 days trying to get a VPN with NAT-T working, and thanks to this post I could solve the issue. Phase 2 quick mode was not working, and the logs with IKE traceoptions enabled were just saying "timeout". Curiously, the two endpoint SRX boxes already had working VPNs, but without NAT-T. I would like to see an official statement from Juniper about the need to add ike as an inbound service for this kind of setup.

Thanks to all participants in this post.


Re: IPSEC with NAT-T

‎06-18-2013 01:15 PM

I have tested something similar in my lab, but using local-identity hostname, and it also works:

set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
set security ike gateway IKE-GATEWAY address 80.10.99.100
set security ike gateway IKE-GATEWAY dead-peer-detection interval 10
set security ike gateway IKE-GATEWAY dead-peer-detection threshold 5
set security ike gateway IKE-GATEWAY local-identity hostname SRX-1
set security ike gateway IKE-GATEWAY external-interface ge-0/0/4.60

set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
set security ike gateway IKE-GATEWAY dynamic hostname SRX-1
set security ike gateway IKE-GATEWAY dead-peer-detection interval 10
set security ike gateway IKE-GATEWAY dead-peer-detection threshold 5
set security ike gateway IKE-GATEWAY external-interface reth0.0

The device SRX-1 is behind the other firewall doing NAT and is the one initiating the traffic.

show security ipsec statistics
ESP Statistics:
  Encrypted bytes:          1678688
  Decrypted bytes:           926016
  Encrypted packets:          11044
  Decrypted packets:          11024
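As an added example (not code from this thread or from Juniper), a small checker for the two-sided pairing the thread settles on: aggressive mode plus a local-identity on the peer behind NAT, a matching dynamic identity on the public peer, no-nat-traversal absent on both gateways, and system-services ike admitted on the external interface's zone, which is the line that was missing on SRX100. It reads 'display set' style lines; the gateway names, identities, interfaces and zone lines in the samples are constructed, and it deliberately does not cover the main-mode 1:1 static NAT variant described earlier.

```python
# Added example, not Juniper code: checks the NAT-T pairing this thread converges on against 'display set' lines.
import re
GW_RE = re.compile(r"^set security ike gateway (\S+) (\S+)(?: (.*))?$")
POL_RE = re.compile(r"^set security ike policy (\S+) mode (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: interfaces (\S+))?(?: (.*))?$")
def parse(cfg: str) -> dict:
    """Collect gateway knobs, IKE policy modes, interface->zone map and where IKE is admitted."""
    d = {"gw": {}, "mode": {}, "zone_of": {}, "ike_ok": set()}
    for line in map(str.strip, cfg.splitlines()):
        if m := GW_RE.match(line):
            d["gw"].setdefault(m[1], {})[m[2]] = (m[3] or "").replace('"', "")
        elif m := POL_RE.match(line):
            d["mode"][m[1]] = m[2]
        elif m := ZONE_RE.match(line):
            zone, ifname, rest = m.groups()
            if ifname:
                d["zone_of"][ifname] = zone
            if rest and re.fullmatch(r"host-inbound-traffic system-services (ike|all)", rest):
                d["ike_ok"].add(ifname or zone)  # interface-level or zone-level permission
    return d

def check_pair(behind_nat: str, public: str) -> list:
    """Return the problems that keep this pairing from coming up (empty list = consistent)."""
    a, b = parse(behind_nat), parse(public)
    (ga_name, ga), = a["gw"].items()  # exactly one IKE gateway per side in this check
    (gb_name, gb), = b["gw"].items()
    issues = []
    if a["mode"].get(ga.get("ike-policy")) != "aggressive":
        issues.append(f"behind-nat {ga_name}: IKE policy must use mode aggressive")
    if "local-identity" not in ga or gb.get("dynamic") != ga["local-identity"]:
        issues.append(f"public {gb_name}: dynamic id must equal the behind-nat local-identity")
    for side, d, name, g in (("behind-nat", a, ga_name, ga), ("public", b, gb_name, gb)):
        if "no-nat-traversal" in g:
            issues.append(f"{side} {name}: no-nat-traversal disables NAT-T")
        ext = g.get("external-interface", "")
        if ext not in d["ike_ok"] and d["zone_of"].get(ext) not in d["ike_ok"]:
            issues.append(f"{side} {name}: system-services ike not admitted on {ext}")
    return issues
# Constructed configs in the accepted answer's shape; SRX100 still lacks the zone line the thread found missing.
SRX100 = """set security ike policy home mode aggressive
set security ike gateway home-gw ike-policy home
set security ike gateway home-gw local-identity user-at-hostname "test@juniper.net"
set security ike gateway home-gw external-interface fe-0/0/1.0
set security zones security-zone untrust interfaces fe-0/0/1.0"""
SRX240 = """set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike gateway srx100 ike-policy ike-dyn-vpn-policy
set security ike gateway srx100 dynamic user-at-hostname test@juniper.net
set security ike gateway srx100 external-interface ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike"""
```

Running check_pair(SRX100, SRX240) reports only the missing IKE permission on fe-0/0/1.0; appending the zone-level host-inbound-traffic line from the thread clears it.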

 
