SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPSEC with NAT-T

    Posted 08-08-2011 17:16
    Hi, Gurus all over the world. Any chance you can help with an answer to getting this scenario working? I've searched the Juniper KB and J-Net and everywhere else, and all I was able to find is "yes, it can do this" and "NAT-T allowed scenarios", but no working configurations.

    Network1 -> SRX100 -> Cisco ASA -> Internet <- SRX240 <- Network2

    I need to set up an IPSEC VPN between SRX100 and SRX240. SRX240 has a public static address on the Internet (say 1.2.3.4/30). SRX100 has its external interface - fe-0/0/1 - on a private network - 192.168.100.1/24 - with the ASA providing NAT. The aim is for all traffic from network 1 to go via the IPSEC to SRX240 and be dealt with there according to the HQ policies. I can set up a site-to-site IPSEC VPN between 2 public addresses w/o problems, but I could not find sample configs for both ends dealing with IPSEC NAT Traversal. Do you think you could provide a solution? Thank you.


  • 2.  RE: IPSEC with NAT-T

    Posted 08-08-2011 17:34

    NAT-T is supported by default; the only NAT-T-related config is to disable it specifically.

    So as long as your base VPN config is correct and your case falls into the supported scenarios, you should have no problems.

    Also be sure to use the NAT outside global address for the IKE gateway address, not the inside address.


  • 3.  RE: IPSEC with NAT-T

    Posted 08-08-2011 17:50
    Do you mean, I should use the ASA's address as the address for IKE gateway configured on SRX240?


  • 4.  RE: IPSEC with NAT-T
    Best Answer

    Posted 08-09-2011 11:56

    If your SRX100 is behind NAT, you will need to configure it as if it is using a dynamic IP. For phase 1, you'll have to configure for aggressive mode. Additionally, you need to configure a local-id, and on the remote side, it would have to be responding to a peer-id which matches the local-id of the SRX100 side.

    Example:

    SRX100:

    [edit security ike]
    gateway home-gw {
        ike-policy home;
        address 1.1.1.1;
        local-identity user-at-hostname "test@juniper.net";
        external-interface ge-0/0/1.0;
    }

    SRX240:

    [edit security ike]
    gateway srx210 {
        ike-policy ike-dyn-vpn-policy;
        dynamic user-at-hostname "test@juniper.net";
        external-interface ge-0/0/0.0;
    }




  • 5.  RE: IPSEC with NAT-T

    Posted 08-09-2011 19:09

    Previous post's config is probably what you're really after, but to explain my earlier comment: in case you are using 1:1 NAT, it works, at least on version 11.1, to use main mode and specify the public IPs as the IKE gateways on each side. You would actually have to disable NAT-T on both IKE gateways to get it working, however.

    Probably the only practical reason to try it this way would be if there is some specific requirement to make the device behind NAT the responder... this doesn't seem to be one of the documented supported scenarios, so it would be better to use aggressive mode if at all possible, as the previous post mentioned.

    In any case, for reference, below is the config I was talking about:

    ---------------------------
    initiator
    ---------------------------


    root@Network_A> show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
      <131077 ESP:3des/sha1 1f526aa8 3465/ unlim   -   root 500   192.0.12.102
      >131077 ESP:3des/sha1 77292946 3465/ unlim   -   root 500   192.0.12.102


    root@Network_A> show configuration security | display set | match nat
    set security ike policy vpn-natt-static-ikepol mode main
    set security ike policy vpn-natt-static-ikepol proposal-set standard
    set security ike policy vpn-natt-static-ikepol pre-shared-key ascii-text "$9$dVw2ajHmFnCZUnCtuEhVwY"
    set security ike gateway vpn-natt-static-B ike-policy vpn-natt-static-ikepol
    set security ike gateway vpn-natt-static-B address 192.0.12.102
    set security ike gateway vpn-natt-static-B no-nat-traversal
    set security ike gateway vpn-natt-static-B external-interface ge-0/0/0.12
    set security ipsec policy vpn-natt-static-ipsecpol proposal-set standard
    set security ipsec vpn vpn-natt-static-B bind-interface st0.12
    set security ipsec vpn vpn-natt-static-B ike gateway vpn-natt-static-B
    set security ipsec vpn vpn-natt-static-B ike ipsec-policy vpn-natt-static-ipsecpol
    set security ipsec vpn vpn-natt-static-B establish-tunnels immediately


    ---------------------------
    intermediate static 1:1 nat device
    ---------------------------

    root@Network_B> show security flow session protocol esp | no-more 
    Session ID: 6196, Policy name: default-policy/2, Timeout: 1800, Valid
      In: 192.0.12.1/0 --> 192.0.12.102/0;esp, If: ge-0/0/0.12, Pkts: 12, Bytes: 1632
      Out: 192.2.12.254/0 --> 192.0.12.1/0;esp, If: ge-0/0/7.12, Pkts: 12, Bytes: 1632

    root@Network_B> show configuration security nat | display set
    set security nat static rule-set nat_static from zone static_nat_untrust
    set security nat static rule-set nat_static rule nat_static_rule match destination-address 192.0.12.102/32
    set security nat static rule-set nat_static rule nat_static_rule then static-nat prefix 192.2.12.254/32
    set security nat proxy-arp interface ge-0/0/0.12 address 192.0.12.102/32


    ---------------------------
    responder behind static nat:
    ---------------------------
    root@endpoints> show log vpn.tr | match "role is"
    Aug 10 10:09:09 Role is responder. Using responder spi 0x77292946 for payload of vpn-natt-static-B-to-A

    root@endpoints> show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
      <131073 ESP:3des/sha1 77292946 3521/ unlim   -   root 500   192.0.12.1
      >131073 ESP:3des/sha1 1f526aa8 3521/ unlim   -   root 500   192.0.12.1


    root@endpoints> show configuration security | display set | match "ike|ipsec" | no-more
    set security ike traceoptions file vpn.tr
    set security ike traceoptions file size 5m
    set security ike traceoptions file files 2
    set security ike traceoptions flag all
    set security ike policy vpn-natt-static-ikepol mode main
    set security ike policy vpn-natt-static-ikepol proposal-set standard
    set security ike policy vpn-natt-static-ikepol pre-shared-key ascii-text "$9$GGjkPFnCBIc5QIcylLXUjH"
    set security ike gateway vpn-natt-static-B-to-A ike-policy vpn-natt-static-ikepol
    set security ike gateway vpn-natt-static-B-to-A address 192.0.12.1
    set security ike gateway vpn-natt-static-B-to-A no-nat-traversal
    set security ike gateway vpn-natt-static-B-to-A external-interface fe-0/0/2.12
    set security ipsec traceoptions flag all
    set security ipsec policy vpn-natt-static-ipsecpol proposal-set standard
    set security ipsec vpn vpn-natt-static-B-to-A bind-interface st0.12
    set security ipsec vpn vpn-natt-static-B-to-A ike gateway vpn-natt-static-B-to-A
    set security ipsec vpn vpn-natt-static-B-to-A ike ipsec-policy vpn-natt-static-ipsecpol
    set security ipsec vpn vpn-natt-static-B-to-A establish-tunnels on-traffic



  • 6.  RE: IPSEC with NAT-T

    Posted 08-13-2011 00:03
    Thank you for providing help. I've changed the configs as per the Dynamic VPN suggestion, and now it goes a bit further - it looks like Phase 1 gets established, but Phase 2 flatly refuses to come up. I thought I didn't have to specify proxy-ids between two SRXs. I've attached a file with relevant excerpts from the configs from both ends, as well as output from some commands. I'd be a very happy man if someone could have a look and tell me what I am doing wrong. Your help is greatly appreciated.

    Attachment: VPN-NATT.txt (14 KB)


  • 7.  RE: IPSEC with NAT-T

    Posted 08-14-2011 19:43
    Got it working. One little thing was missing on SRX100:

    [edit security zones security-zone untrust]
    root@fwi01# set host-inbound-traffic system-services ike

    But why did Phase 1 get established if IKE was not allowed on the untrust interface? Anyway. Mob rules! I mean "Community helps"! 🙂 Thanks to all who assisted.


  • 8.  RE: IPSEC with NAT-T

    Posted 08-15-2011 00:41

    Correct me if I am wrong: as far as I am informed, IKE is allowed by default on the external-interface you bind the VPN to. Normally you do not need to set host-inbound-traffic system-services ike on the external-interface for a working IPsec tunnel.

    Regards,

    Sebastian



  • 9.  RE: IPSEC with NAT-T

    Posted 10-07-2011 07:33

    I can confirm this is needed. I spent like 3 days trying to get a VPN with NAT-T working, and thanks to this post, I could solve the issue. Phase 2 quick mode was not working, and the logs with ike traceoptions enabled were just saying "timeout". Curiously, the two endpoint SRX boxes already had working VPNs, but without NAT-T. I would like to see an official statement from Juniper about the need to add ike as an inbound service for this kind of setup.

    Thanks to all participants in this post.



  • 10.  RE: IPSEC with NAT-T

    Posted 06-18-2013 13:16

    I have tested something similar in my lab but using local-identity hostname, and it also works:

    set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
    set security ike gateway IKE-GATEWAY address 80.10.99.100
    set security ike gateway IKE-GATEWAY dead-peer-detection interval 10
    set security ike gateway IKE-GATEWAY dead-peer-detection threshold 5
    set security ike gateway IKE-GATEWAY local-identity hostname SRX-1
    set security ike gateway IKE-GATEWAY external-interface ge-0/0/4.60

    set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
    set security ike gateway IKE-GATEWAY dynamic hostname SRX-1
    set security ike gateway IKE-GATEWAY dead-peer-detection interval 10
    set security ike gateway IKE-GATEWAY dead-peer-detection threshold 5
    set security ike gateway IKE-GATEWAY external-interface reth0.0

    The device SRX-1 is behind the other firewall doing NAT and is the one initiating the traffic.

    show security ipsec statistics
    ESP Statistics:
      Encrypted bytes:          1678688
      Decrypted bytes:           926016
      Encrypted packets:          11044
      Decrypted packets:          11024




  • 11.  RE: IPSEC with NAT-T

    Posted 07-25-2023 10:46

    @Erdem

    I too struggled getting my VPN up and running with a similar setup. For my setup, my distant end was using a Cisco ASA and was NATting. On my side I have an SRX4200 in front of my SRX1500 that was terminating the VPN. No NATting on my side. On the SRX4200, I was allowing junos-ike via a policy rule, and on the SRX1500 I had host-inbound-traffic system-services ike in my untrust zone. You would think IKE is IKE. Not so much. Come to find out, I was stepping on my own feet in that host-inbound-traffic system-services ike allows ALL VPN traffic. However, in a policy rule on the SRX4200, junos-ike only allows UDP 500, NOT UDP 4500. For that you also need to add junos-ike-nat to the policy rule. That is what ultimately fixed my situation. I also had to put the distant end's outside global address as the remote-ID.



    ------------------------------
    CHRIS COUTURE
    ------------------------------
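The three pitfalls this thread converges on (post 4: a peer behind NAT needs aggressive mode with an identity; posts 7 to 9: host-inbound-traffic system-services ike on the zone that terminates IKE; post 11: a policy permitting junos-ike opens only UDP 500, and NAT-T also needs junos-ike-nat for UDP 4500) are easy to check mechanically from `show configuration | display set` output. The script below is an added example, not code from any poster or from Juniper; the config lines in it are constructed, it assumes IKEv1 (the thread's setting, where main and aggressive modes exist), and it only recognises the display-set keywords that appear in this thread.

```python
"""Added example (not from the thread or from Juniper): a small linter that
reads Junos 'show configuration | display set' lines and flags the IKE NAT-T
pitfalls this thread ran into.  All config lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample. It merges, on one device, the two mistakes from the
# thread: the policy permits junos-ike (UDP 500) only, and the dynamic-peer
# gateway sits on an IKE policy still in main mode.
SAMPLE_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone dmz interfaces ge-0/0/1.0
set security policies from-zone untrust to-zone dmz policy allow-vpn match source-address any
set security policies from-zone untrust to-zone dmz policy allow-vpn match destination-address vpn-hub
set security policies from-zone untrust to-zone dmz policy allow-vpn match application junos-ike
set security policies from-zone untrust to-zone dmz policy allow-vpn then permit
set security ike policy ike-dyn-vpn-policy mode main
set security ike gateway srx210 ike-policy ike-dyn-vpn-policy
set security ike gateway srx210 dynamic user-at-hostname test@juniper.net
set security ike gateway srx210 external-interface ge-0/0/0.0
"""

# The same constructed config with both fixes applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("mode main", "mode aggressive") + (
    "set security policies from-zone untrust to-zone dmz policy allow-vpn "
    "match application junos-ike-nat\n"
)

POLICY_APP_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match application (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)(.*)$")
ZONE_IKE_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services ike$")
IKE_MODE_RE = re.compile(r"^set security ike policy (\S+) mode (\S+)$")
GATEWAY_RE = re.compile(
    r"^set security ike gateway (\S+) "
    r"(ike-policy|dynamic|address|external-interface|no-nat-traversal)(?: (.*))?$")


def lint_natt(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    policy_apps = defaultdict(set)   # (from-zone, to-zone, policy) -> {applications}
    zone_of_iface = {}               # interface -> zone
    ike_on_zone, ike_on_iface = set(), set()
    ike_mode = {}                    # IKE policy -> mode (IKEv1 main/aggressive)
    gateways = defaultdict(dict)     # gateway -> {keyword: value}

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := POLICY_APP_RE.match(line):
            policy_apps[m.group(1, 2, 3)].add(m.group(4))
        elif m := ZONE_IF_RE.match(line):
            zone_of_iface[m.group(2)] = m.group(1)
            if "host-inbound-traffic system-services ike" in m.group(3):
                ike_on_iface.add(m.group(2))
        elif m := ZONE_IKE_RE.match(line):
            ike_on_zone.add(m.group(1))
        elif m := IKE_MODE_RE.match(line):
            ike_mode[m.group(1)] = m.group(2)
        elif m := GATEWAY_RE.match(line):
            gateways[m.group(1)][m.group(2)] = m.group(3) or ""

    findings = []
    # 1. A policy that opens UDP 500 but not UDP 4500 silently breaks NAT-T.
    for (src, dst, name), apps in policy_apps.items():
        if "junos-ike" in apps and not apps & {"junos-ike-nat", "any"}:
            findings.append(
                f"policy {name} ({src}->{dst}): permits junos-ike (UDP 500) but not "
                f"junos-ike-nat (UDP 4500); NAT-T encapsulated IKE/ESP will be dropped")
    for name, gw in gateways.items():
        ext = gw.get("external-interface")
        zone = zone_of_iface.get(ext)
        # 2. The zone (or interface) terminating IKE must accept it inbound.
        if zone is None:
            findings.append(f"gateway {name}: external-interface {ext} is not in any zone")
        elif zone not in ike_on_zone and ext not in ike_on_iface:
            findings.append(
                f"gateway {name}: zone {zone} / {ext} lacks host-inbound-traffic system-services ike")
        # 3. An IKEv1 peer identified by a dynamic ID needs aggressive mode.
        if "dynamic" in gw and ike_mode.get(gw.get("ike-policy")) != "aggressive":
            findings.append(
                f"gateway {name}: dynamic peer '{gw['dynamic']}' but IKE policy "
                f"{gw.get('ike-policy')} is not in aggressive mode")
        # 4. Disabling NAT-T only worked in the 1:1 static NAT case from the thread.
        if "no-nat-traversal" in gw:
            findings.append(
                f"gateway {name}: NAT-T disabled; only viable behind 1:1 static NAT with main mode")
    return findings


if __name__ == "__main__":
    for finding in lint_natt(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("fixed config findings:", lint_natt(FIXED_CONFIG))
```

Run it on a real `display set` dump by reading the file into `lint_natt`; the checks are deliberately conservative (an application of `any` also satisfies the UDP 4500 check, and interface-level host-inbound-traffic counts as well as zone-level), so a clean result means the three thread pitfalls are absent, not that the tunnel is fully correct.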