SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Unstable VPN between Juniper SRX240 and ASA firewall.

    Posted 04-01-2015 09:11

    Hello Junos guys... please provide some help setting up my VPN.

    After many attempts, this is what I get:


    The tunnel is established only after the remote site sends traffic.

    Only one network at a time can send me traffic. (I'm trying to encrypt multiple source networks.)


    Note:

    I tried the VPN generation tool, but I have some problems when I try to attach the untrust zone to a second address book, as the application suggests.

    Mine is running:

    JUNOS Software Release [11.4R9.4]

    Is there any problem with this release?


    Please, if somebody can take a look at my lines, I will appreciate it.

    Regards.

    Leandro.

    leandro@SRX01COR-cluster# show security address-book bsas_lan  
    address bsas_net 172.22.162.0/23;
    address bsas_net2 172.22.6.0/24;
    address bsas_net3 172.22.165.0/24;
    address bsas_net4 172.21.104.0/24;
    address bsas_net5 172.22.164.0/24;
    address bsas_net6 172.22.118.0/24;
    address bsas_net7 172.22.11.0/24;
    address bsas_net8 172.22.46.0/24;
    attach {
        zone untrust;
    }
    
    leandro@SRX01COR-cluster# show security address-book cdba_mgmt 
    address mgmt_server 172.31.160.250/32;
    attach {
        zone OAM;
    }
    
    
    leandro@SRX01COR-cluster# show security policies from-zone OAM to-zone untrust 
    policy vpn-OAM-untrust {
        match {
            source-address mgmt_server;
            destination-address [ bsas_net bsas_net2 bsas_net3 bsas_net4 bsas_net5 bsas_net6 bsas_net7 bsas_net8 ];
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn BSAS_tunnel;
                    pair-policy vpn-untr-OAM;
                }
            }
        }
    }
    policy permit-any {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    
    leandro@SRX01COR-cluster# show security policies from-zone untrust to-zone OAM 
    policy vpn-untr-OAM {
        match {
            source-address [ bsas_net bsas_net2 bsas_net3 bsas_net4 bsas_net5 bsas_net6 bsas_net7 bsas_net8 ];
            destination-address mgmt_server;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn BSAS_tunnel;
                    pair-policy vpn-OAM-untrust;
                }
            }
        }
    }
    
    
    leandro@SRX01COR-cluster# show security ike      
    respond-bad-spi 20;
    
    proposal to_BSAS_ike-prop {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    
    policy BSAS_ike_policy {
        mode main;
        proposals to_BSAS_ike-prop;
        pre-shared-key ascii-text "$9$wxsaZDi.Q36qmRhSlXxqmP5nCIEcylMSyVY"; ## SECRET-DATA
    }
    
    gateway BSAS_GW {
        ike-policy BSAS_ike_policy;
        address XXX.XXX.XXX.XXX;
        external-interface reth0.10;
    }
    
    
    
    leandro@SRX01COR-cluster# show security ipsec
    vpn-monitor-options {
        interval 2;
        threshold 5;
    }
    proposal BSAS_ipsec_prop {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    
    policy BSAS_ipsec_policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals BSAS_ipsec_prop;
    }
    
    vpn BSAS_tunnel {
        ike {
            gateway BSAS_GW;
            ipsec-policy BSAS_ipsec_policy;
        }
        establish-tunnels immediately;
    }



  • 2.  RE: Unstable VPN between Juniper SRX240 and ASA firewall.
    Best Answer

    Posted 04-01-2015 09:21
    On your VPN policy vpn-untr-OAM you have specified multiple destination addresses, which is not supported. We can only use a single source address and destination. Or you have to use a supernet of these addresses. Other available options are given below.

    1. Create multiple policies for the same VPN, as in the KB below

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28197

    2. Create multiple VPNs and use st0 interfaces for each subnet, as in the KB below
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28198

    3. Upgrade to 12.1X46 or later to use traffic selectors, as in the KB below
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28820
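Option 1 above means eight outbound/inbound policy pairs instead of one, each matching exactly one source and one destination address. The following is an added example, not part of the thread and not Juniper code: a small Python generator that emits the Junos `set` commands for those pairs using the zone, address-book, address and VPN names from Leandro's posted configuration, plus a checker that flags any tunnel policy still matching more than one address. The numbered policy-name suffixes (`vpn-OAM-untrust-1`, `vpn-untr-OAM-1`, ...) and the helper functions are assumptions of this example. One detail visible in the posted config matters here: the OAM-to-untrust zone pair ends with `permit-any`, and a newly created policy is appended after it, so each new outbound policy is also moved in front of `permit-any` with an `insert` command; otherwise it would be shadowed and never match.

```python
"""Generate one tunnel policy pair per remote subnet for a policy-based SRX VPN.

Added example for this thread, not Leandro's configuration or Juniper code.
Zone, address-book, address and VPN names come from the posted config; the
numbered policy-name suffixes and the helper functions are assumptions here.
"""

# Names taken from the posted address book bsas_lan and the OAM/untrust zones.
REMOTE_NETS = ["bsas_net", "bsas_net2", "bsas_net3", "bsas_net4",
               "bsas_net5", "bsas_net6", "bsas_net7", "bsas_net8"]
LOCAL_HOST = "mgmt_server"
VPN = "BSAS_tunnel"
LOCAL_ZONE, REMOTE_ZONE = "OAM", "untrust"

# The posted policies that match all eight subnets at once; they are deleted
# and replaced by the per-subnet pairs generated below.
OLD_POLICIES = [(LOCAL_ZONE, REMOTE_ZONE, "vpn-OAM-untrust"),
                (REMOTE_ZONE, LOCAL_ZONE, "vpn-untr-OAM")]

# Reconstruction of the posted vpn-OAM-untrust match block, for the checker.
POSTED = {"vpn-OAM-untrust": {"source-address": [LOCAL_HOST],
                              "destination-address": list(REMOTE_NETS)}}


def policy_pair_commands(remote: str, index: int) -> list[str]:
    """Junos 'set' lines for one outbound/inbound tunnel policy pair.

    Each policy carries exactly one source and one destination address, which
    is what the accepted answer says a policy-based VPN on this release needs.
    """
    out_name = f"vpn-OAM-untrust-{index}"   # assumed naming scheme
    in_name = f"vpn-untr-OAM-{index}"
    out = f"set security policies from-zone {LOCAL_ZONE} to-zone {REMOTE_ZONE} policy {out_name}"
    inb = f"set security policies from-zone {REMOTE_ZONE} to-zone {LOCAL_ZONE} policy {in_name}"
    return [
        f"{out} match source-address {LOCAL_HOST}",
        f"{out} match destination-address {remote}",
        f"{out} match application any",
        f"{out} then permit tunnel ipsec-vpn {VPN}",
        f"{out} then permit tunnel pair-policy {in_name}",
        f"{inb} match source-address {remote}",
        f"{inb} match destination-address {LOCAL_HOST}",
        f"{inb} match application any",
        f"{inb} then permit tunnel ipsec-vpn {VPN}",
        f"{inb} then permit tunnel pair-policy {out_name}",
        # The posted OAM->untrust zone pair ends with permit-any. A new policy
        # is appended after it and would be shadowed, so move it in front.
        # (The posted untrust->OAM zone pair has no permit-any, so no insert.)
        f"insert security policies from-zone {LOCAL_ZONE} to-zone {REMOTE_ZONE} "
        f"policy {out_name} before policy permit-any",
    ]


def generate_config(remote_nets: list[str]) -> list[str]:
    """Delete the multi-address policies, then emit one pair per subnet."""
    cmds = [f"delete security policies from-zone {fz} to-zone {tz} policy {name}"
            for fz, tz, name in OLD_POLICIES]
    for i, net in enumerate(remote_nets, start=1):
        cmds.extend(policy_pair_commands(net, i))
    return cmds


def parse_match_addresses(cmds: list[str]) -> dict[str, dict[str, list[str]]]:
    """Collect the source/destination addresses each 'set ... match' line adds."""
    policies: dict[str, dict[str, list[str]]] = {}
    for line in cmds:
        words = line.split()
        if words[0] != "set" or "match" not in words:
            continue
        name = words[words.index("policy") + 1]
        kind, value = words[words.index("match") + 1:words.index("match") + 3]
        if kind in ("source-address", "destination-address"):
            entry = policies.setdefault(
                name, {"source-address": [], "destination-address": []})
            entry[kind].append(value)
    return policies


def multi_address_policies(policies: dict[str, dict[str, list[str]]]) -> list[str]:
    """Names of tunnel policies matching more than one source or destination."""
    return sorted(name for name, m in policies.items()
                  if len(m["source-address"]) > 1 or len(m["destination-address"]) > 1)


if __name__ == "__main__":
    print("\n".join(generate_config(REMOTE_NETS)))
```

Running the script prints the two `delete` commands followed by 88 `set`/`insert` lines (eleven per subnet), ready to paste into configuration mode before `commit`. The checker reports `vpn-OAM-untrust` for the posted configuration and nothing for the generated one, which is the property the accepted answer asks for: every tunnel policy has a single source and a single destination address.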



  • 3.  RE: Unstable VPN between Juniper SRX240 and ASA firewall.

    Posted 04-10-2015 07:13

    Thanks for the response rsuraj !!!

    I will try defining one policy per subnet.

    I don't want to change to route-based.

    I will try and get back to you!!

    Thanks.

    Leandro.




  • 4.  RE: Unstable VPN between Juniper SRX240 and ASA firewall.

    Posted 05-12-2015 07:02

    The solution was defining a policy per subnet.