SRX Services Gateway

Problem with SRX to SRX route-based VPN

‎08-30-2015 02:23 AM

Hi all,

I set up a route-based VPN between an SRX3400 and an SRX240. It seems to work fine, I can ping from both sides; however, when I make an SSH connection and try to do some stuff, the connection drops and I have to log in to SSH again.

What do you think the problem can be? Or how can I trace the problem?

Thanks


Re: Problem with SRX to SRX route-based VPN

‎08-30-2015 02:33 AM

Hello,

Is it an SSH connection through the VPN to a box other than the two peers, or SSH to the peer through the VPN?

If you send 100 pings with a size of 1450 through the VPN, what is the result?

Regards,

Rushi


Re: Problem with SRX to SRX route-based VPN

‎08-30-2015 03:02 AM

Hi Rushi,

The SSH connection is from Zone-A at the SRX3400 to Zone-B at the SRX240.

There is no packet loss in the ping test either.

There is another symptom. The same thing happens when I try to make an HTTP request as well.

My setup on both sides is:


set security ike proposal IKE-PROP-MN-DGN-1 lifetime-seconds 3600
set security ike proposal IKE-PROP-MN-DGN-1 authentication-method pre-shared-keys
set security ike proposal IKE-PROP-MN-DGN-1 authentication-algorithm sha1
set security ike proposal IKE-PROP-MN-DGN-1 encryption-algorithm aes-128-cbc
set security ike proposal IKE-PROP-MN-DGN-1 dh-group group5
set security ike policy IKE-POL-MN-DGN-1 proposals IKE-PROP-MN-DGN-1
set security ike policy IKE-POL-MN-DGN-1 mode main
set security ike policy IKE-POL-MN-DGN-1 pre-shared-key ascii-text {SOMEPASS}
set security ike gateway IKE-GW-MN-DGN-1 ike IKE-POL-MN-DGN-1
set security ike gateway IKE-GW-MN-DGN-1 address {IP}
set security ike gateway IKE-GW-MN-DGN-1 external-interface ge
set security zones security-zone untrust host-inbound-traffic system-services ike


set security ipsec proposal IPSEC-PROP-MN-DGN-1 lifetime-seconds 3600
set security ipsec proposal IPSEC-PROP-MN-DGN-1 protocol esp
set security ipsec proposal IPSEC-PROP-MN-DGN-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP-MN-DGN-1 encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL-MN-DGN-1 proposals IPSEC-PROP-MN-DGN-1
set security ipsec policy IPSEC-POL-MN-DGN-1 perfect-forward-secrecy keys group5
set security ipsec vpn IPSEC-VPN-MN-DGN-1 ike gateway IKE-GW-MN-DGN-1
set security ipsec vpn IPSEC-VPN-MN-DGN-1 ike ipsec-policy IPSEC-POL-MN-DGN-1
set security ipsec vpn IPSEC-VPN-MN-DGN-1 vpn-monitor
set security ipsec vpn IPSEC-VPN-MN-DGN-1 establish-tunnels immediately
set security ipsec vpn IPSEC-VPN-MN-DGN-1 bind-interface st0.1


set interfaces st0 unit 1 family inet
set security zones security-zone VPN-MN-DGN1 interfaces st0.1
set routing-options static route 10.9.0.0/22 next-hop

On the security zone policy, any source to any destination with any application is permitted.

Thanks

Solution
Accepted by topic author CevatKelle
‎08-30-2015 05:47 AM

Re: Problem with SRX to SRX route-based VPN

[ Edited ]
‎08-30-2015 03:37 AM

Hello,

Can you set tcp-mss for the traffic going through the tunnel as below:

set security flow tcp-mss ipsec-vpn mss 1300

Note: Make this change on both peers.

Regards,

Rushi
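
Added example (not part of the post above, and not Juniper code): the packet-size arithmetic behind clamping the MSS, worked for the ESP proposal posted in this thread (aes-128-cbc, hmac-sha1-96). The 1500-byte path MTU, IPv4 headers without options, and the optional NAT-T case are assumptions, since the thread does not state them.

```python
"""ESP tunnel-mode size arithmetic for the proposal posted in this thread.
Assumed (not stated in the thread): IPv4, 1500-byte path MTU, no IP/TCP options."""

OUTER_IP = 20      # outer IPv4 header
ESP_HDR = 8        # SPI + sequence number
AES_CBC_IV = 16    # per-packet IV for aes-128-cbc
AES_BLOCK = 16     # ciphertext is padded to a multiple of this
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload
ICV_SHA1_96 = 12   # truncated integrity value for hmac-sha1-96
NAT_T_UDP = 8      # UDP encapsulation header, only when NAT-T is negotiated
INNER_HDRS = 40    # inner IPv4 (20) + TCP (20)


def _fixed_overhead(nat_t):
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + AES_CBC_IV + ICV_SHA1_96


def esp_packet_size(inner_len, nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK  # round up
    return _fixed_overhead(nat_t) + padded


def max_inner_packet(path_mtu=1500, nat_t=False):
    """Largest inner IP packet whose ESP packet still fits in path_mtu."""
    room = (path_mtu - _fixed_overhead(nat_t)) // AES_BLOCK * AES_BLOCK
    return room - ESP_TRAILER


def max_tcp_mss(path_mtu=1500, nat_t=False):
    return max_inner_packet(path_mtu, nat_t) - INNER_HDRS


def fits(mss, path_mtu=1500, nat_t=False):
    """True if a full-size TCP segment with this MSS needs no fragmentation."""
    return esp_packet_size(mss + INNER_HDRS, nat_t) <= path_mtu


if __name__ == "__main__":
    print("largest MSS that fits: %d (plain ESP), %d (NAT-T)"
          % (max_tcp_mss(), max_tcp_mss(nat_t=True)))
    for mss in (1460, 1398, 1300):  # Ethernet default, computed limit, value from the thread
        size = esp_packet_size(mss + INNER_HDRS)
        print("MSS %4d -> ESP packet %4d bytes, fits in 1500: %s" % (mss, size, fits(mss)))
```

Small pings succeed either way because they never approach the limit; only full-size TCP segments do, which is why the clamp matters for SSH and HTTP sessions that move bulk data.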


Re: Problem with SRX to SRX route-based VPN

‎08-30-2015 05:47 AM

Wow, it worked like a charm 🙂

Thank you very much