SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Policy based VPN Problem

    Posted 12-28-2014 18:41

    Hello

    I have a lab environment with 2 SRX 3600s and 1 EX series switch in between.

    The topology goes like this:

        192.168.1.0/24          10.0.0.0/24                   20.0.0.0/24          192.168.0.0/24
               <----------SRX1 -------------------- Switch ------------------- SRX2---------->
               trust         untrust                               untrust          trust

    The switch has 2 VLAN interfaces: the VLAN 10 interface for the 10.0.0.0/24 network and the VLAN 20 interface for the 20.0.0.0/24 network.

    I have set up a policy-based VPN and implemented the policy, and from the SRX point of view the configuration seems correct.

    I have also set a default route on both SRXs pointing to the switch RVI on each side.

    The problem is, when I ping from 192.168.1.0/24 to 192.168.0.0/24 it fails. Via traceoptions and traceroute, the packet has left SRX1 and is dropped on the switch.

    What special configuration do I need to add to the switch?

    I've set up two static routes for 192.168.0.0/24 and 192.168.1.0/24, but it didn't help anything, and I'm using ESP, so it doesn't even matter, because via the traceoptions the source was 10.0.0.0/24 and the destination was 20.0.0.0/24 as the packets left SRX1, using UDP port 500. Also, I have enabled IKE for host-inbound traffic on SRX2.

     

    Any help with this problem would be greatly appreciated.

    Thanks in advance.

     



  • 2.  RE: Policy based VPN Problem
    Best Answer

    Posted 12-29-2014 02:47

    Hi Wall-ED,

     

    No special configuration is needed on the switch.

    You can delete the routes that you created on the switch for 192.168.0.0/24 and 192.168.1.0/24.

     

    VPN packets will be ESP packets with the external IP addresses of the 2 SRX devices, but the ports will not be 500.

    It will be using different UDP ports derived from the SPI.

    It could be a problem with the VPN itself and not the switch.

     

    Ensure you have the following:

     

    1. Run show security ipsec sa and check whether the inbound SPI of SRX1 is equal to the outbound SPI of SRX2, and vice versa.

    If it is not the same, clear the IPsec and IKE SAs and check it again.

     

    2. show security ipsec statistics index <number> will show whether SRX1 is encrypting the packets or not.

     

    3. Check whether the IPsec tunnel policy is at the top of the rule base, both from trust to untrust and from untrust to trust.


    4. Capture traceoptions on both devices with the following filters:
    Filter 1: private IP of the LAN machine to private IP of the remote machine
    Filter 2: private IP of the remote machine to private IP of the LAN machine
    Filter 3: SRX1 WAN IP to SRX2 WAN IP with protocol ESP
    Filter 4: SRX2 WAN IP to SRX1 WAN IP with protocol ESP

    Check the trace files and verify that the packet from the LAN to SRX1 is encrypted and sent out via the tunnel.

    Check the trace file on SRX2 and verify that it is correctly decrypted first and then sent to the machine.

     

    Regards,

    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
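    The SPI cross-check in step 1 of the answer above is easy to get wrong by eye when the two outputs sit in different terminal windows. The following script is an added example (not from the thread or from Juniper) that parses two pasted copies of "show security ipsec sa" and verifies that each side's inbound SPI equals the other side's outbound SPI. The sample output is constructed to resemble the SRX layout ("<" rows inbound, ">" rows outbound); the SPIs, tunnel IDs and gateway addresses are invented, and the regular expression assumes that column order.

```python
import re
from typing import Dict, Tuple

# Constructed sample output, laid out like "show security ipsec sa" on an SRX:
# "<" rows are inbound SAs, ">" rows are outbound. SPIs, IDs and gateway
# addresses are invented for this example and are not taken from the thread.
SRX1_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <2    ESP:3des/sha1   a3b2c1d0 3591/ unlim   -   root 500   20.0.0.2
  >2    ESP:3des/sha1   d0c1b2a3 3591/ unlim   -   root 500   20.0.0.2
"""

SRX2_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <2    ESP:3des/sha1   d0c1b2a3 3580/ unlim   -   root 500   10.0.0.1
  >2    ESP:3des/sha1   a3b2c1d0 3580/ unlim   -   root 500   10.0.0.1
"""

# No SA rows at all: what you see when phase 2 never came up.
NO_TUNNEL = """\
  Total active tunnels: 0
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
"""

# direction marker, tunnel id, algorithm, SPI (hex); assumed column order
SA_LINE = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s")


def parse_sa(output: str) -> Dict[str, str]:
    """Return {'in': spi, 'out': spi} for the first inbound/outbound rows found."""
    spis: Dict[str, str] = {}
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        direction = "in" if m.group(1) == "<" else "out"
        spis.setdefault(direction, m.group(4).lower())
    return spis


def spis_match(local: Dict[str, str], peer: Dict[str, str]) -> Tuple[bool, str]:
    """Cross-check: local inbound SPI must equal peer outbound SPI, and vice versa."""
    if not local or not peer:
        return False, "no IPsec SA on at least one side (phase 2 not established)"
    problems = []
    if local.get("in") != peer.get("out"):
        problems.append(f"local inbound {local.get('in')} != peer outbound {peer.get('out')}")
    if local.get("out") != peer.get("in"):
        problems.append(f"local outbound {local.get('out')} != peer inbound {peer.get('in')}")
    if problems:
        return False, "; ".join(problems) + " (clear the IKE/IPsec SAs and re-check)"
    return True, "SPIs agree in both directions"


if __name__ == "__main__":
    print(spis_match(parse_sa(SRX1_SA), parse_sa(SRX2_SA)))
    print(spis_match(parse_sa(SRX1_SA), parse_sa(NO_TUNNEL)))
```

    Paste each device's real output into the two strings and run it; a missing SA on either side is reported separately from a mismatch, because the two point at different causes (phase 2 never negotiated versus stale SAs that need clearing).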



  • 3.  RE: Policy based VPN Problem

    Posted 12-29-2014 03:50

    I have solved the problem, thanks a lot for your help.

    The problem turned out to be the peer address: instead of 10.0.0.1 I mistyped 100.0.0.1.

    I changed it and removed the routes on the switch, and everything went fine.

    Thanks!
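    A mistyped IKE peer address like the one above is still a routable address, so the default route happily forwards the IKE packets into nowhere and nothing on the local box flags it. One check that catches it is to compare the two configurations against each other: each device's "gateway ... address" must be the IP bound to the other device's "external-interface". The script below is an added example, not the poster's configuration; the set-style lines, interface names and addresses are assumptions made up for it, with only the 100.0.0.1-for-10.0.0.1 typo borrowed from the thread.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed set-style config fragments for the two ends of the tunnel. The
# interface names and addresses are assumptions for this example; the only thing
# taken from the thread is the mistyped peer (100.0.0.1 instead of 10.0.0.1).
SRX1_CFG = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24
set security ike gateway gw-srx2 address 20.0.0.2
set security ike gateway gw-srx2 external-interface ge-0/0/0.0
"""

SRX2_CFG = """\
set interfaces ge-0/0/0 unit 0 family inet address 20.0.0.2/24
set security ike gateway gw-srx1 address 100.0.0.1
set security ike gateway gw-srx1 external-interface ge-0/0/0.0
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
GW_ADDR_RE = re.compile(r"^set security ike gateway (\S+) address (\S+)$")
GW_EXT_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")


def parse_config(cfg: str) -> Dict[str, Dict]:
    """Collect interface addresses ('ge-0/0/0.0' -> ip) and IKE gateway settings."""
    ifaces: Dict[str, ipaddress.IPv4Address] = {}
    gateways: Dict[str, Dict[str, str]] = {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            ifaces[f"{m.group(1)}.{m.group(2)}"] = ipaddress.ip_interface(m.group(3)).ip
        elif m := GW_ADDR_RE.match(line):
            gateways.setdefault(m.group(1), {})["address"] = m.group(2)
        elif m := GW_EXT_RE.match(line):
            gateways.setdefault(m.group(1), {})["external-interface"] = m.group(2)
    return {"interfaces": ifaces, "gateways": gateways}


def external_ips(parsed: Dict[str, Dict]) -> Set[ipaddress.IPv4Address]:
    """IPs of the interfaces that this device's IKE gateways send from."""
    ips = set()
    for gw in parsed["gateways"].values():
        ext = gw.get("external-interface")
        if ext in parsed["interfaces"]:
            ips.add(parsed["interfaces"][ext])
    return ips


def check_peers(local_cfg: str, peer_cfg: str) -> List[str]:
    """Every IKE gateway address on local must be an external-interface IP of peer."""
    local = parse_config(local_cfg)
    peer_ips = external_ips(parse_config(peer_cfg))
    problems: List[str] = []
    for name, gw in local["gateways"].items():
        addr = gw.get("address")
        if addr is None:
            problems.append(f"{name}: no address configured")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name}: {addr!r} is not a valid IP address")
            continue
        if ip not in peer_ips:
            expected = ", ".join(str(p) for p in sorted(peer_ips)) or "none found"
            problems.append(
                f"{name}: peer address {ip} does not match the peer's "
                f"external-interface address ({expected})"
            )
    return problems


if __name__ == "__main__":
    print("SRX1 -> SRX2:", check_peers(SRX1_CFG, SRX2_CFG) or "ok")
    print("SRX2 -> SRX1:", check_peers(SRX2_CFG, SRX1_CFG) or "ok")
```

    Run it in both directions; for the constructed configs the SRX1 side passes and the SRX2 side reports that 100.0.0.1 does not match SRX1's external-interface address 10.0.0.1, which is exactly the typo found in the thread.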



  • 4.  RE: Policy based VPN Problem

    Posted 12-29-2014 03:54

    Hi Wall-ED,

     

    Thanks for the update.

     

    Can you mark this as resolved?

     

    Regards,

    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too