
S and D NAT with Policy Based VPN

‎12-12-2018 12:00 PM

Hello,

 

We have a policy-based VPN between two of our locations and I can't get them to talk. The issue is that they share the same subnet, so I had to do source and destination NAT. The IKE comes up but IPsec shows 0 tunnels. I know that if I switch to a route-based VPN my problem will go away, but management insists that it be policy based (don't ask why, I don't understand it myself). The configuration is below.

 

 DC-Site

 

/* DC site, Phase 1 (IKE).  The proposal matches the LAS-site
   DC-IKE-Preposal line for line (pre-shared keys, group5, SHA-1,
   AES-256-CBC, 86400 s), and the verification output shows the IKE SA UP,
   so Phase 1 is not where the 0-tunnel problem lies. */
proposal LAS-IKE-Preposal {
    authentication-method pre-shared-keys;
    /* group5 and SHA-1 are legacy choices; Junos also offers group14 and
       sha-256 where both peers support them. */
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy LAS-IKE-Policy {
    mode main;                          
    proposals LAS-IKE-Preposal;
    /* Pre-shared key redacted by the poster. */
    pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
}
gateway LAS-IKE-GATEWAY {
    ike-policy LAS-IKE-Policy;
    /* Peer (LAS) public address, redacted. */
    address X.X.X.X;
    dead-peer-detection optimized;
    /* reth0.0 suggests the DC box is a chassis cluster — not confirmed here. */
    external-interface reth0.0;
}


/* DC site, Phase 2 (IPsec).  ESP, HMAC-SHA1-96, AES-128-CBC, rekey by volume. */
proposal LAS-IPSEC-Proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-kilobytes 1048576;
}
/* Only the proposal is referenced here; no perfect-forward-secrecy is set.
   The LAS side's DC-IPSEC-Policy instead uses "proposal-set standard", so the
   two ends of the tunnel are not configured symmetrically.  Worth comparing
   that predefined set's members (and its PFS group, if any — check the
   release documentation) against this proposal while chasing the
   "Total active tunnels: 0" result. */
policy LAS-IPSEC-Policy {
    proposals LAS-IPSEC-Proposal;
}
vpn LAS-IPSEC-VPN {
    ike {
        gateway LAS-IKE-GATEWAY;
        /* Proxy IDs carry the post-NAT prefixes (DC presents itself as
           X.X.210.0/24, LAS as X.X.200.0/24); they are the exact mirror of
           the LAS-site proxy-identity. */
        proxy-identity {
            local X.X.210.0/24;
            remote X.X.200.0/24;
        }
        ipsec-policy LAS-IPSEC-Policy;
    }
    establish-tunnels immediately;      
}


/* DC site, policy-based VPN: the tunnel is bound to a pair of security
   policies rather than to a route.  Each policy names the other as its
   pair-policy, and both reference LAS-IPSEC-VPN, so the pairing is consistent.
   Inbound (LAS -> DC): the SRX applies destination NAT before the policy
   lookup, so this policy is written against the real DC prefix
   (DC-LOCAL-X.X.110.0) rather than the NAT'd X.X.210.0/24. */
from-zone untrust to-zone trust {
    policy LAS-2-DC-VPN {
        match {
            source-address LAS-NAT-X.X.200.0;
            destination-address DC-LOCAL-X.X.110.0;
            /* "any" lets every service cross the tunnel; narrowing this to
               the applications the sites actually exchange limits exposure
               in both directions. */
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn LAS-IPSEC-VPN;
                    pair-policy DC-2-LAS-VPN;
                }
            }
        }
    }
}
/* Outbound (DC -> LAS): source NAT is applied after the policy lookup, so the
   match uses the real DC source prefix and the LAS NAT'd destination. */
from-zone trust to-zone untrust {
    policy DC-2-LAS-VPN {
        match {
            source-address DC-LOCAL-X.X.110.0;
            destination-address LAS-NAT-X.X.200.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn LAS-IPSEC-VPN;
                    pair-policy LAS-2-DC-VPN;
                }
            }
        }
    }
}

 

/* DC site NAT.  Both sites use the same real prefix (X.X.110.0/24), so each
   side hides behind a distinct translated /24: DC appears to LAS as
   X.X.210.0/24, LAS appears to DC as X.X.200.0/24. */
source {
    pool DC-LOCAL-2-NAT {
        address {
            X.X.210.0/24;
        }
    }
    /* Keeps a given internal host mapped to the same pool address across
       sessions (documented purpose of the option). */
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                /* Matches by address-book name; the second reply suggests
                   raw /24 prefixes here instead. */
                source-address-name DC-LOCAL-X.X.110.0;
                destination-address-name LAS-NAT-X.X.200.0;
            }
            then {
                source-nat {
                    pool {
                        DC-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
/* Reverse direction: traffic from LAS addressed to the NAT'd X.X.210.0/24 is
   translated back to the real X.X.110.0/24 before the policy lookup.
   Note the destination is matched by raw prefix while the source uses an
   address-book name. */
destination {
    pool DC-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address-name LAS-NAT-X.X.200.0;
                destination-address X.X.210.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        DC-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}

 

 

 

 

 

 

LAS-Site

 

/* LAS site, Phase 1 (IKE).  Identical parameters to the DC-site
   LAS-IKE-Preposal, which is consistent with the IKE SA showing UP. */
proposal DC-IKE-Preposal {
    authentication-method pre-shared-keys;
    /* group5 / SHA-1 are legacy choices; group14 / sha-256 are available
       in Junos when both peers support them. */
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy DC-IKE-Policy {
    mode main;
    proposals DC-IKE-Preposal;
    /* Pre-shared key redacted by the poster (must equal the DC-site key). */
    pre-shared-key ascii-text "XXXXXXX"; ## SECRET-DATA
}
gateway DC-IKE-GATEWAY {
    ike-policy DC-IKE-Policy;
    /* Peer (DC) public address; matches the Remote Address in the IKE SA output. */
    address X.X.X.105;
    dead-peer-detection optimized;
    /* Single physical uplink here, versus reth0.0 on the DC side. */
    external-interface ge-0/0/0;
}

/* LAS site, Phase 2 (IPsec).  NOTE: this proposal is defined but never
   referenced — DC-IPSEC-Policy below uses the predefined "proposal-set
   standard" instead of "proposals DC-IPSEC-Proposal".  The DC side
   references its explicit proposal, so the two ends are not configured
   symmetrically; either reference this proposal here or use the same
   proposal-set on both peers, then re-check "show security ipsec sa". */
proposal DC-IPSEC-Proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-kilobytes 1048576;
}
policy DC-IPSEC-Policy {
    proposal-set standard;
}
vpn DC-IPSEC-VPN {
    ike {
        gateway DC-IKE-GATEWAY;
        /* Mirror image of the DC-site proxy-identity (NAT'd prefixes). */
        proxy-identity {
            local X.X.200.0/24;
            remote X.X.210.0/24;
        }
        ipsec-policy DC-IPSEC-Policy;
    }
    establish-tunnels immediately;
}

/* LAS site, policy-based VPN.  Policy names are per box: here LAS-2-DC-VPN
   is the outbound (trust -> untrust) policy, whereas on the DC box the policy
   with the same name is inbound.  The verification session output
   ("Policy name: LAS-2-DC-VPN/6", If: ge-0/0/2.0 -> ge-0/0/0.0) is from this
   side.  Outbound: source NAT happens after the policy lookup, so the match
   uses the real LAS source prefix and the DC NAT'd destination. */
from-zone trust to-zone untrust {
    policy LAS-2-DC-VPN {
        match {
            source-address LAS-LOCAL-X.X.110.0;
            destination-address DC-NAT-X.X.210.0;
            /* "any" permits every service through the tunnel; restrict to
               the applications actually needed once the tunnel is up. */
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DC-IPSEC-VPN;
                    pair-policy DC-2-LAS-VPN;
                }
            }
        }
    }
}
/* Inbound (DC -> LAS): destination NAT runs before the policy lookup, so the
   destination is the real LAS prefix. */
from-zone untrust to-zone trust {
    policy DC-2-LAS-VPN {
        match {
            source-address DC-NAT-X.X.210.0;
            destination-address LAS-LOCAL-X.X.110.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DC-IPSEC-VPN;
                    pair-policy LAS-2-DC-VPN;
                }
            }
        }
    }
}


/* LAS site NAT: real X.X.110.0/24 is presented to DC as X.X.200.0/24.
   Structurally identical to the DC-site NAT with the pools swapped. */
source {
    pool LAS-LOCAL-2-NAT {
        address {
            X.X.200.0/24;
        }
    }
    /* Keeps a given internal host on the same translated address. */
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address-name LAS-LOCAL-X.X.110.0;
                destination-address-name DC-NAT-X.X.210.0;
            }
            then {
                source-nat {
                    pool {
                        LAS-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
/* Reverse direction: traffic from DC addressed to the NAT'd X.X.200.0/24 is
   translated back to the real X.X.110.0/24.  The "Out:" leg of the session
   in the verification output (X.X.210.1 -> X.X.200.100, Pkts: 0) is the
   pre-translation return path; nothing has come back through it. */
destination {
    pool LAS-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address-name DC-NAT-X.X.210.0;
                destination-address X.X.200.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        LAS-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}

 

 

Verification:

 

show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2655583 UP     109b52008c9929c2  7f69bc9e87cd1395  Main           X.X.X.105

Session ID: 65215, Policy name: LAS-2-DC-VPN/6, Timeout: 60, Valid
  In: X.X.110.100/27083 --> X.X.210.1/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60, 
  Out: X.X.210.1/1 --> X.X.200.100/9473;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0, 
Total sessions: 12

show security ipsec sa 
  Total active tunnels: 0

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 12      trust            untrust           LAS-2-DC-VPN   27089  

 

Any help is greatly appreciated!

 


Re: S and D NAT with Policy Based VPN

‎12-12-2018 12:28 PM

You cannot solve it with a policy-based VPN. To apply NAT to traffic going through the VPN you have to switch to route-based.

 

Differences between policy-based and route-based are listed here: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/policy-based-and-...

 

The last row in the overview states "Policy-based VPNs cannot be used if NAT is required for tunneled traffic."


--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC DATACOM A/S (Denmark)

Re: S and D NAT with Policy Based VPN

‎12-13-2018 02:42 AM

You can make it work by applying a workaround. Change the prefix length of the address-book entries from /24 to /16. In the NAT rules, use separate address-book names that carry the /24 prefix length, or use the /24 prefix directly (X.X.200.0/24).

For example:

DC Site:
++++++++
Modify address book:

/* Workaround, DC site: widen the two address-book entries used by the VPN
   policies to /16.  A /16 spans both the real /24 and its NAT'd /24, so the
   policy matches the flow under either address; the reply does not spell out
   this reasoning, so confirm it on the platform.  The NAT rules below match on
   raw /24 prefixes so translation itself stays narrow. */
address LAS-NAT-X.X.200.0 X.X.0.0/16
address DC-LOCAL-X.X.110.0 X.X.0.0/16

NAT:-
+++++++++
/* Workaround, DC site NAT.  Same pools and rule-sets as the original DC
   configuration; the only change is that the rule matches use raw /24
   prefixes (source-address / destination-address) instead of the
   address-book names, which are now /16. */
source {
    pool DC-LOCAL-2-NAT {
        address {
            X.X.210.0/24;
        }
    }
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address X.X.110.0/24;
                destination-address X.X.200.0/24;
            }
            then {
                source-nat {
                    pool {
                        DC-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
destination {
    pool DC-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address X.X.200.0/24;
                destination-address X.X.210.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        DC-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}


LAS Site:
+++++++++++
Modify address book:

/* Workaround, LAS site: the two address-book entries referenced by the LAS
   VPN policies are widened to /16, mirroring the DC-site change. */
address LAS-LOCAL-X.X.110.0 X.X.0.0/16
address DC-NAT-X.X.210.0 X.X.0.0/16

NAT:-
+++++
/* Workaround, LAS site NAT: rule matches switched to raw /24 prefixes. */
source {
    pool LAS-LOCAL-2-NAT {
        address {
            X.X.200.0/24;
        }
    }
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address X.X.110.0/24;
                destination-address X.X.210.0/24;
            }
            then {
                source-nat {
                    pool {
                        LAS-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
/* NOTE: the destination pool here is named DC-NAT-2-LOCAL, but the LAS site's
   existing pool is LAS-NAT-2-LOCAL.  Loaded as a merge, this creates a second
   pool and leaves the existing one in place rather than modifying it; this
   looks like a copy-paste slip from the DC-site snippet, so use the existing
   pool name. */
destination {
    pool DC-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address X.X.210.0/24;
                destination-address X.X.200.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        DC-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!