SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX IPSEC towards Linux host (Libreswan IPsec)

  • 1.  SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-25-2019 04:46

    Hello everyone,

    I have configured an IPsec route-based VPN tunnel between an SRX and a Linux host machine. After setting this up on both ends, IKE Phase 1 & 2 are not establishing the tunnel towards the Linux host machine. The tunnel is still down. But if I look at the tunnel interfaces, st0 and st0.1 are both up/up, and between the IPsec phases I also could not find any mismatch. Can anyone help me with this? Below I have pasted the configuration of both ends:

     

    SRX:

    security {
        ike {
            proposal ike-proposal-cust-CAS1 {
                authentication-method pre-shared-keys;
                dh-group group5;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy ike-pol-vpn-REMOTE-CUST-CAS1 {
                mode main;
                proposals ike-proposal-cust-CAS1;
                pre-shared-key ascii-text "$9$40JGjn6CtpOdb4JUjPf/Ct0BEvMXbwgxN2aZGq.n/CuRSvMXbw"; ## SECRET-DATA
            }
            gateway gw-vpn-REMOTE-CUST-CAS1 {
                ike-policy ike-pol-vpn-REMOTE-CUST-CAS1;
                address 32.205.155.234;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                external-interface ge-0/0/7;
            }
        }
        ipsec {
            proposal ipsec-proposal-cust-CAS1 {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            vpn vpn-REMOTE-CUST-CAS1 {
                bind-interface st0.1;
                ike {
                    gateway gw-vpn-REMOTE-CUST-CAS1;
                    ipsec-policy ipsec-pol-vpn-REMOTE-CUST-CAS1;
                }
                traffic-selector NET-AP-to-CUST-CAS1 {
                    local-ip 172.16.165.0/24;
                    remote-ip 172.22.162.71/32;
                }
                establish-tunnels immediately;
            }
        }
    }

    security {
        zones {
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/7.1409;
                    ge-5/0/7.2409;
                }
            }
            security-zone application {
                interfaces {
                    reth1.20 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone vpn-remote-cust-cas1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.1;
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    reth0.100;
                }
            }
        }
        address-book {
            global {
                address NET-CUST-CAS1 172.22.162.71/32;
                address NET-AP 172.16.165.0/24;
            }
        }
        policies {
            from-zone application to-zone vpn-remote-cust-cas1 {
                policy VPN-APP-to-CAS1 {
                    match {
                        source-address NET-AP;
                        destination-address NET-CUST-CAS1;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn-remote-cust-cas1 to-zone application {
                policy VPN-CAS1-to-APP {
                    match {
                        source-address NET-CUST-CAS1;
                        destination-address NET-AP;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

    interfaces {
        st0 {
            unit 1 {
                description "VPN tunnel for NET-CUST-CAS1";
                family inet;
            }
        }
        ge-0/0/7 {
            description "ISP.net-router-01 - cable ID 3555";
            vlan-tagging;
            unit 1409 {
                vlan-id 1409;
                family inet {
                    address 192.168.245.30/30;
                }
            }
        }
        ge-5/0/7 {
            description "ISP.net-router-02 - cable ID 3566";
            vlan-tagging;
            unit 2409 {
                vlan-id 2409;
                family inet {
                    address 192.168.255.30/30;
                }
            }
        }
        reth0 {
            ....
            ...
            /* This subinterface is configured with a public IP for the SRX and attached to the trust zone; "they did this because the outside interfaces are in a private range and attached to untrust towards the ISP". */
            unit 100 {
                description "public ip-range";
                vlan-id 100;
                family inet {
                    address 5.211.12.71/29 {
                        primary;
                        preferred;
                    }
                }
            }
        }
    }
     

     

    Linux host machine:

    [root@cust-cas1 ipsec.d]# cat to_srx.conf
    conn to_srx
        leftid=32.205.155.234
        left=32.205.155.234
        leftsubnet=172.22.162.71/32
        leftsourceip=172.22.162.71
        rightid=5.211.12.71
        right=5.211.12.71
        rightsubnet=172.16.165.0/24
        auto=start
        ike=aes256-sha256-modp1536
        esp=aes256-sha256
        authby=secret
        salifetime=1h
        pfs=no

    [root@cust-cas1 ipsec.d]# cat cas1.secrets
    # this key is the same as the pre-shared key on the SRX phase 1
    32.205.155.234 5.211.12.71 : PSK "FNAWEfhfhfugaiebs"

     

    logs:

    000 #294: "to_srx":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_v1_RETRANSMIT in 1s; nodpd; idle; import:admin initiate
    000 #294: pending Phase 2 for "to_srx" replacing #0
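The poster says no proposal mismatch could be found between the two phases. Checking that by eye across two vendor vocabularies is error-prone, so the following Python script, added here as an example and not part of the original post, normalises the posted Libreswan `ike=`/`esp=` strings and the SRX proposals to one vocabulary and lists every field that differs. Assumptions: the mapping tables only cover the algorithms used in the thread plus a few common neighbours, and because the SRX `ipsec-policy ipsec-pol-vpn-REMOTE-CUST-CAS1` is not posted, PFS is assumed off on the SRX side (matching `pfs=no`).

```python
"""Normalise a Libreswan conn's ike=/esp= strings and an SRX proposal to one
vocabulary and report mismatches. Added example, not from the thread; the
mapping tables cover the algorithms used in the thread plus a few common ones.
"""
import re

# Libreswan tokens -> canonical names
LSW_ENC = {"aes": "aes-cbc", "3des": "3des-cbc"}
LSW_INTEG = {"sha1": "sha1", "sha256": "sha2-256", "sha2_256": "sha2-256",
             "sha384": "sha2-384", "sha2_384": "sha2-384", "md5": "md5"}
LSW_DH = {"modp1024": "group2", "dh2": "group2", "modp1536": "group5", "dh5": "group5",
          "modp2048": "group14", "dh14": "group14"}

# SRX names -> canonical names (IKE proposals use sha-256, IPsec proposals hmac-sha-256-128)
SRX_ENC = {"3des-cbc": ("3des-cbc", 192), "aes-128-cbc": ("aes-cbc", 128),
           "aes-192-cbc": ("aes-cbc", 192), "aes-256-cbc": ("aes-cbc", 256)}
SRX_INTEG = {"md5": "md5", "sha1": "sha1", "sha-256": "sha2-256", "sha-384": "sha2-384",
             "hmac-md5-96": "md5", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha2-256"}


def canon_libreswan(alg):
    """'aes256-sha256-modp1536' -> {enc, keylen, integ, dh}; dh is None for esp= without a group."""
    parts = alg.lower().split("-")
    m = re.fullmatch(r"(3des|[a-z_]+)(\d{3})?", parts[0])
    if not m or m.group(1) not in LSW_ENC:
        raise ValueError("unsupported Libreswan cipher token: " + parts[0])
    cipher, bits = m.group(1), m.group(2)
    # Assumption: a bare 'aes' is treated as 128-bit; 3des is always 192-bit.
    keylen = int(bits) if bits else (192 if cipher == "3des" else 128)
    integ = LSW_INTEG[parts[1]] if len(parts) > 1 else None
    dh = LSW_DH[parts[2]] if len(parts) > 2 else None
    return {"enc": LSW_ENC[cipher], "keylen": keylen, "integ": integ, "dh": dh}


def canon_srx(encryption_algorithm, authentication_algorithm, dh_group=None):
    """SRX proposal values -> the same canonical shape. dh_group is the IKE dh-group, or the
    ipsec-policy perfect-forward-secrecy keys value (None when PFS is off)."""
    enc, keylen = SRX_ENC[encryption_algorithm]
    return {"enc": enc, "keylen": keylen,
            "integ": SRX_INTEG[authentication_algorithm], "dh": dh_group}


def compare(label, libreswan, srx):
    """Return a list of mismatch descriptions; an empty list means the proposals agree."""
    return [f"{label}: {field} Libreswan={libreswan[field]} SRX={srx[field]}"
            for field in ("enc", "keylen", "integ", "dh")
            if libreswan[field] != srx[field]]


def check_thread_config():
    """The values posted in the thread. The SRX ipsec-policy is not posted, so PFS is
    assumed off on the SRX side to match pfs=no; change the last argument if it is on."""
    ike = compare("IKE", canon_libreswan("aes256-sha256-modp1536"),
                  canon_srx("aes-256-cbc", "sha-256", "group5"))
    esp = compare("ESP", canon_libreswan("aes256-sha256"),
                  canon_srx("aes-256-cbc", "hmac-sha-256-128", None))
    return ike + esp


if __name__ == "__main__":
    print(check_thread_config() or "phase 1 and phase 2 proposals agree")
```

For the posted values the script reports no mismatch, which is consistent with the rest of the thread: when the proposals agree and the responder cookie stays all zeros, the problem is a packet that never reaches the IKE daemon, not a negotiation failure.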

     

     



  • 2.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-25-2019 05:17

    The VPN external interface should be reth0.100, as its IP is configured at the Linux side. Please change and check.

     

     

     

     



  • 3.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-25-2019 05:44

    Hello,

    I made this change but it is still the same; tunnel interface st0.1 also went down, but st0 is up. Shouldn't the external interface be ge-0/0/7, because this interface is directly connected towards the ISP, so all the traffic destined to outside will go through that interface? When you set the external interface to ge-0/0/7, then the st0.1 interface shows that it is up.

    admin@fw01> show interfaces st0 terse
    Interface               Admin Link Proto    Local                 Remote
    st0                     up    up
    st0.0                   up    down inet
    st0.1                   up    down inet     (is down)

     

    admin@fw01> show log kmd-logs
    Sep 25 13:58:11 fw01 kmd[2084]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: vpn-REMOTE-CUST-CAS1 Gateway: gw-vpn-REMOTE-CUST-CAS1, Local: 5.211.12.71/500, Remote: 32.205.155.234/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator

     

    admin@fw01> show security ike sa
    node0:
    --------------------------------------------------------------------------
    Index State Initiator cookie Responder cookie Mode Remote Address
    180531 DOWN 821ee74067a46db6 0000000000000000 Main 32.205.155.234

     



  • 4.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-26-2019 10:21

    The responder cookie is all 0s. We will need to run IKE traces and then IPsec traces to dig deeper into this.



  • 5.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-26-2019 15:07

    Hello,

    So I have made IKE and IPsec traces on the SRX. I have attached the log trace. I have also enabled the kmd-log (ike1).

    I think this is the problem: "IKEv1 ERROR: Timeout"

     

    SRX

    admin@fw01> show log kmd-logs
    Sep 26 23:20:15 fw01 kmd[2086]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: vpn-REMOTE-CUST-CAS1 Gateway: gw-vpn-REMOTE-CUST-CAS1, Local: 5.211.12.70/500, Remote: 32.205.155.234/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator

     

    admin@fw01> show system connections | grep 500
    udp46 0 0 *.4500 *.*
    udp4 0 0 *.4500 *.*
    udp46 0 0 *.500 *.*
    udp4 0 0 *.500 *.*

     

    Linux host machine:

    [root@cust-cas1 ipsec.d]# ipsec verify

    Checking that pluto is running [OK]
    Pluto listening for IKE on udp 500 [OK]
    Pluto listening for IKE/NAT-T on udp 4500 [OK]
    Pluto ipsec.secret syntax [OK]
    Checking 'ip' command [OK]
    Checking 'iptables' command [OK]
    Checking 'prelink' command does not interfere with FIPS [OK]
    Checking for obsolete ipsec.conf options [OK]

     

    [root@cust-cas1 ipsec.d]# netstat -tulpn | grep :500
    udp 0 0 32.205.155.234:500 0.0.0.0:* 28292/pluto
    udp 0 0 172.22.162.71:500 0.0.0.0:* 28292/pluto

     

    Attachment: isec ike log.txt (2 KB)


  • 6.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-26-2019 16:25

     

    The log message right now is showing "IKE negotiation failed with error: Timed out."

    It means that you are not receiving replies for your negotiation request.

    You cannot put a PHYSICAL interface as your external interface.

    gateway gw-vpn-REMOTE-CUST-CAS1 {
        ike-policy ike-pol-vpn-REMOTE-CUST-CAS1;
        address 32.205.155.234;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/7;
    }

    It should be a LOGICAL subinterface that has a route to your Linux host.

    It should look like this:

    gateway gw-vpn-REMOTE-CUST-CAS1 {
        ike-policy ike-pol-vpn-REMOTE-CUST-CAS1;
        address 32.205.155.234;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/7.1409;
    }

    After you correct this error, check if you can reach the remote gateway, 32.205.155.234.

    Ping it.

    If your ping fails, traceroute and find where your ping is failing.

    If you are getting to the upstream gateway of the Linux host, then check if it is getting discarded by the Linux host firewall.

    If everything is good, check if your tunnel is up 🙂

    Also, do not forget to configure a routing statement, otherwise traffic will not be sent to the tunnel but to the default gateway.

    It should look like this if I understood your configuration correctly:

    set routing-options static route 172.22.162.0/24 next-hop st0.1

    Regards

    Leon Smirnov

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 7.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-27-2019 05:23

    Hello,

    As mentioned above, the external-interface is supposed to be reth0.100 and not ge-0/0/7.1409.

    gateway gw-vpn-REMOTE-CUST-CAS1 {
        ike-policy ike-pol-vpn-REMOTE-CUST-CAS1;
        address 32.205.155.234;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface reth0.100;
    }

    "After you correct this error, check if you can reach the remote gateway, 32.205.155.234. Ping it."

    I can ping towards the remote gateway and vice versa.

    "If everything is good, check if your tunnel is up 🙂"

    The tunnel is still down, I don't know why.

    admin@fw01# run show interfaces st0 terse
    Interface               Admin Link Proto    Local                 Remote
    st0                     up    up
    st0.0                   up    down inet
    st0.1                   up    down inet
    st0.2                   up    down inet
    st0.3                   up    down inet
    st0.4                   up    down inet

    "Also, do not forget to configure a routing statement, otherwise traffic will not be sent to the tunnel but to the default gateway.

    It should look like this if I understood your configuration correctly:

    set routing-options static route 172.22.162.0/24 next-hop st0.1"

    As I understood, if you use a traffic-selector in a route-based VPN then you don't need to add a static route. Basically the traffic-selector automatically adds some routes to the route table when the tunnel is up.

    Thanks



  • 8.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-26-2019 05:37

    It's not clear to me which interface this unit belongs to, which you note in the configuration as being your external interface.

    /* this subinterface is configured with a public IP for the SRX and attached to the trust zone; "they did this because the outside interfaces are in a private range and attached to untrust towards the ISP" */
    unit 100 {
        description "public ip-range";
        vlan-id 100;
        family inet {
            address 5.211.12.71/29 {
                primary;
                preferred;
            }
        }
    }

    -----

    This would be the interface and unit you need to add to the untrust zone, which then allows host-inbound traffic for IKE (or all, as in your configuration), but I don't see an interface.100 unit here.

    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.1409;
                ge-5/0/7.2409;
            }
        }
    }

    In addition, as previously noted, this will be the interface.unit used for the gateway statement. Not the interface alone but the full interface.unit.

    gateway gw-vpn-REMOTE-CUST-CAS1 {
        ike-policy ike-pol-vpn-REMOTE-CUST-CAS1;
        address 32.205.155.234;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/7;
    }

     

     

     



  • 9.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-26-2019 08:47

    Hello Steve,

    "It's not clear to me which interface this unit belongs to, which you note in the configuration as being your external interface."

    reth0.100 (5.211.12.70) belongs to the zone trust; this is how it has been configured, and it is also the firewall IP. The reason they did this is because the outside interfaces ge-0/0/7 and ge-5/0/7 towards our datacenter supplier have a private range, and they gave us a public range of 5.211.12.64/29 for public NAT (S-NAT etc.).

    interfaces
    ...
    ..
    unit 100 {
        description "public ip-range";
        vlan-id 100;
        family inet {
            address 5.211.12.70/29 {
                primary;
                preferred;
            }
        }
    }

    -----

    I cannot add reth0.100 to the untrust zone because it is already attached to the trust zone with host-inbound-traffic system-services all included (this means IKE is accepted in this zone).

    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.1409;    /* this interface has a private address */
                ge-5/0/7.2409;    /* this interface has a private address */
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.100;
            }
        }
    }

    ----------

    So I have made the following change and added reth0.100 as external-interface. But it is still not working.

    gateway gw-vpn-REMOTE-CUST-CAS1 {
        ike-policy ike-pol-vpn-REMOTE-CUST-CAS1;
        address 32.205.155.234;
        dead-peer-detection {
            interval 10;
            threshold 5;
        }
        external-interface reth0.100;
    }

     



  • 10.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-27-2019 05:37

    I'm very confused as to what your actual setup is via the connection to the internet for this VPN.

    The bottom line is that the configured IKE gateway interface with the public IP address connecting to your remote VPN gateway is what you will set in the configuration. This has to be the source IP address in the packet when it arrives at the remote VPN node. So if that is interface reth0.100 on 5.211.12.70 then this is what should be in your IKE gateway configuration.

    Similarly for the zone host-inbound-traffic setting. Whatever zone this interface belongs to has to allow the IKE requests.

     



  • 11.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)

    Posted 09-30-2019 23:18

    Hello Suli,

    I will agree with others that the interface configuration is confusing. But let me try to explain what should have been configured, and then you can probably validate your configuration.

    For a VPN to work on SRX, you need to ensure that the external-interface configured in the IKE gateway is also the interface through which you can communicate with the peer. No matter what IP it has.

    The best way to find what your external interface should be is:

    > show route <VPN PEER IP>

    In your case, "show route 32.205.155.234". I would assume that it gives you ge-0/0/7.1409 as the primary interface. Make sure that external-interface is configured exactly, along with the unit number, i.e. ge-0/0/7.1409 NOT ge-0/0/7.

    Also you can use the flow session output to see if you are receiving the traffic back or not.

    P.S.: It seems that you are using individual interfaces along with reth interfaces. I would suggest using ONLY reth if it is a cluster.

    Thanks!
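The check described above (the egress interface from `show route <peer>` must be the logical unit configured as `external-interface`, and, as earlier replies add, that unit's zone must accept host-inbound IKE) as a script. This is an added example, not code from the thread or from Juniper. It parses `show configuration | display set` lines and `show route` output with regular expressions; the two sample inputs are constructed from values posted in the thread, and the default-route next hop (192.168.245.29) and the display-set form of the posted config are assumptions, since neither the routing table nor the full configuration appears in the thread.

```python
"""Verify an SRX IKE gateway's external-interface against the routing table and
the zone host-inbound-traffic settings. Added example, not from the thread.

Inputs are 'show configuration | display set' lines and 'show route <peer>' text.
Both samples are constructed from the thread's values; the default-route next hop
and the display-set form of the config are assumptions.
"""
import re

PEER = "32.205.155.234"

# Constructed: what 'show route 32.205.155.234' would look like if the default
# route leaves via ge-0/0/7.1409 (the next-hop address is an assumption).
SHOW_ROUTE = """\
inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3w1d 07:12:44
                    > to 192.168.245.29 via ge-0/0/7.1409
"""

# Constructed display-set rendering of the relevant lines posted in the thread.
SET_CONFIG = """\
set security ike gateway gw-vpn-REMOTE-CUST-CAS1 address 32.205.155.234
set security ike gateway gw-vpn-REMOTE-CUST-CAS1 external-interface ge-0/0/7
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/7.1409
set security zones security-zone untrust interfaces ge-5/0/7.2409
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces reth0.100
"""


def egress_interface(show_route):
    """Interface on the active ('>') next hop of 'show route <peer>', or None."""
    m = re.search(r"^\s*>\s*to\s+\S+\s+via\s+(\S+)", show_route, re.M)
    return m.group(1) if m else None


def gateway_external_interfaces(set_lines):
    """{gateway name: external-interface} from display-set lines."""
    found = {}
    for line in set_lines.splitlines():
        m = re.match(r"set security ike gateway (\S+) external-interface (\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def zone_of(set_lines, ifname):
    """Zone that lists ifname under 'interfaces', or None when it is in no zone."""
    for line in set_lines.splitlines():
        m = re.match(r"set security zones security-zone (\S+) interfaces (\S+)", line)
        if m and m.group(2) == ifname:
            return m.group(1)
    return None


def zone_allows_ike(set_lines, ifname):
    """True when the interface's zone has host-inbound-traffic system-services ike or all."""
    zone = zone_of(set_lines, ifname)
    if zone is None:
        return False
    pat = (rf"^set security zones security-zone {re.escape(zone)} "
           r"host-inbound-traffic system-services (ike|all)$")
    return re.search(pat, set_lines, re.M) is not None


def audit(set_lines, show_route):
    """List of findings; an empty list means the gateway matches routing and zone settings."""
    findings = []
    egress = egress_interface(show_route)
    for gw, ext in gateway_external_interfaces(set_lines).items():
        if "." not in ext:
            findings.append(f"{gw}: external-interface {ext} is a physical port, "
                            f"configure the logical unit (e.g. {ext}.<unit>)")
        if egress and ext != egress:
            findings.append(f"{gw}: external-interface {ext} but the route to {PEER} "
                            f"exits via {egress}")
        if not zone_allows_ike(set_lines, ext):
            findings.append(f"{gw}: {ext} is in no zone, or its zone does not allow "
                            "host-inbound ike")
    return findings


if __name__ == "__main__":
    for finding in audit(SET_CONFIG, SHOW_ROUTE) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports three findings for `external-interface ge-0/0/7` (physical port, not the routed egress unit, in no zone); with `ge-0/0/7.1409` it reports none. Only zone-level `host-inbound-traffic` is checked; the per-interface form used on reth1.20 in the original post is not handled.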

     



  • 12.  RE: SRX IPSEC towards Linux host (Libreswan IPsec)
    Best Answer

    Posted 10-01-2019 09:16

    Hello Guys,

    I have solved the problem today. It was a firewall filter that was attached to the loopback interface. The firewall filter did not allow any IKE/IPsec traffic through the firewall. So I added IKE and IPsec terms and then it worked. I am 100% sure that if I had added the whole SRX config, you guys would have seen it and fixed the issue. Anyway, thank you guys, I learned a lot.

    firewall {
        family inet {
            filter protect-re {
                term established-tcp-v4 {
                    from {
                        protocol tcp;
                        tcp-established;
                    }
                    then accept;
                }
                term icmp-v4 {
                    from {
                        protocol icmp;
                        icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
                    }
                    then accept;
                }
                term udp-traceroute-v4 {
                    from {
                        protocol udp;
                        destination-port 33434-33523;
                    }
                    then accept;
                }
                term dns-v4 {
                    from {
                        source-prefix-list {
                            nameserver-addresses;
                        }
                        protocol udp;
                        source-port 53;
                    }
                    then accept;
                }
                term ntp-v4 {
                    from {
                        source-prefix-list {
                            ntp-addresses;
                        }
                        protocol udp;
                        source-port 123;
                    }
                    then accept;
                }
                term ssh {
                    from {
                        source-prefix-list {
                            offices;
                            datacenter.net;
                            internal;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then accept;
                }
                term accept-ike {
                    from {
                        source-prefix-list {
                            VPN-IKE-REMOTE-GW;
                        }
                        protocol udp;
                        port 500;
                    }
                    then {
                        count accept-ike;
                        accept;
                    }
                }
                term accept-esp {
                    from {
                        source-prefix-list {
                            VPN-IPSEC-REMOTE-LOCAL;
                        }
                        protocol esp;
                    }
                    then {
                        count accept-esp;
                        accept;
                    }
                }
                term discard-the-rest-v4 {
                    then {
                        discard;
                    }
                }
            }
        }
    }
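The root cause above explains every symptom in the thread: an lo0 filter that ends in `discard` drops the peer's UDP/500 reply before the IKE daemon ever sees it, so the SRX logs "Timed out" with an all-zero responder cookie while ICMP (accepted by `icmp-v4`) still answers, which is why ping worked in reply 7. The Python script below is an added example, not code from the thread or from Juniper; it models Junos first-match term evaluation over the VPN-relevant terms of the posted filter before and after the `accept-ike`/`accept-esp` terms were added. The prefix-list contents, the sample packets and the extra NAT-T term on UDP/4500 are constructed assumptions (the posted filter does not cover 4500, although both ends are shown listening on it).

```python
"""Model Junos first-match filter evaluation for the lo0 'protect-re' filter
from the thread, before and after the accept-ike / accept-esp terms were added.

Added example, not from the thread or Juniper. Prefix-list contents, packets
and the NAT-T term are constructed assumptions.
"""
TCP, UDP, ESP, ICMP = 6, 17, 50, 1
PEER = "32.205.155.234"  # remote IKE gateway from the thread

# Constructed: the thread references these prefix lists but does not post their contents.
PREFIX_LISTS = {
    "VPN-IKE-REMOTE-GW": {PEER},
    "VPN-IPSEC-REMOTE-LOCAL": {PEER},
}


def term(name, action, protocol=None, port=None, dport=None, src_list=None):
    """One filter term. 'port' matches source OR destination port, as in Junos."""
    return {"name": name, "action": action, "protocol": protocol,
            "port": port, "dport": dport, "src_list": src_list}


def matches(t, pkt):
    """True when every configured 'from' condition of the term matches the packet."""
    if t["protocol"] is not None and pkt["proto"] != t["protocol"]:
        return False
    if t["port"] is not None and t["port"] not in (pkt.get("sport"), pkt.get("dport")):
        return False
    if t["dport"] is not None and pkt.get("dport") != t["dport"]:
        return False
    if t["src_list"] is not None and pkt["src"] not in PREFIX_LISTS[t["src_list"]]:
        return False
    return True


def evaluate(filter_terms, pkt):
    """Junos semantics: the first matching term decides; no match means implicit discard."""
    for t in filter_terms:
        if matches(t, pkt):
            return t["name"], t["action"]
    return "implicit", "discard"


# Terms relevant to VPN control traffic, in the posted order (unrelated terms omitted).
BEFORE_FIX = [
    term("icmp-v4", "accept", protocol=ICMP),
    term("discard-the-rest-v4", "discard"),
]
AFTER_FIX = [
    term("icmp-v4", "accept", protocol=ICMP),
    term("accept-ike", "accept", protocol=UDP, port=500, src_list="VPN-IKE-REMOTE-GW"),
    term("accept-esp", "accept", protocol=ESP, src_list="VPN-IPSEC-REMOTE-LOCAL"),
    term("discard-the-rest-v4", "discard"),
]
# Assumption: NAT-T (UDP/4500) is not in the posted filter; this variant adds it.
WITH_NAT_T = AFTER_FIX[:-1] + [
    term("accept-ike-natt", "accept", protocol=UDP, port=4500, src_list="VPN-IKE-REMOTE-GW"),
] + AFTER_FIX[-1:]

# Constructed packets as they would arrive at the SRX.
IKE_REPLY_FROM_PEER = {"src": PEER, "proto": UDP, "sport": 500, "dport": 500}
ESP_FROM_PEER = {"src": PEER, "proto": ESP}
NAT_T_FROM_PEER = {"src": PEER, "proto": UDP, "sport": 4500, "dport": 4500}
IKE_FROM_STRANGER = {"src": "198.51.100.9", "proto": UDP, "sport": 500, "dport": 500}
PING_FROM_PEER = {"src": PEER, "proto": ICMP}


def explain(filter_terms):
    """{packet name: (term, action)} for the constructed packets under one filter."""
    pkts = {"ike_reply": IKE_REPLY_FROM_PEER, "esp": ESP_FROM_PEER,
            "nat_t": NAT_T_FROM_PEER, "ike_stranger": IKE_FROM_STRANGER,
            "ping": PING_FROM_PEER}
    return {name: evaluate(filter_terms, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for label, f in (("before", BEFORE_FIX), ("after", AFTER_FIX), ("with NAT-T", WITH_NAT_T)):
        print(label, explain(f))
```

Before the fix the peer's IKE reply and its ESP both fall through to `discard-the-rest-v4` while its ping is accepted; after the fix both are accepted, IKE from an address outside the prefix list is still discarded, and UDP/4500 is only accepted once a NAT-T term is added. Keeping the `count` actions on the new terms, as the posted filter does, gives a quick `show firewall filter protect-re` check that the peer's packets are actually hitting them.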