SRX Services Gateway

SRX IPsec tunnel. [NAT at both ends].

01-16-2013 07:53 PM

Hi SRX gurus,

We're trying to set up an IPsec tunnel across the internet with both firewalls behind a NAT device.

i.e.

SRX1---PRIVATE.NET1---NAT.RTR1---INTERNET---NAT.RTR2---PRIVATE.NET2---SRX2

We have successfully set up the tunnel through a single NAT with the other SRX using a public IP. Putting both SRX behind NAT prevents the IKE from establishing a security association.

The below config snippet is from SRX 1.

*The devices are SRX100 running 12.1R4.7. The NAT routers are Cisco 1841 performing static NAT.

root> show configuration security ike

proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
    mode aggressive;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "**************************"; ## SECRET-DATA
}
gateway gw-plenary {
    ike-policy ike-phase1-policy;
    address X.X.X.X;              ## NAT.RTR2 Internet address
    no-nat-traversal;             ## This command was omitted with no change.
    local-identity inet Y.Y.Y.Y;  ## SRX1 private address
    remote-identity inet Z.Z.Z.Z; ## SRX2 private address
    external-interface fe-0/0/1.0;
}

Any suggestions greatly appreciated.


Re: SRX IPsec tunnel. [NAT at both ends].

01-18-2013 11:15 AM

Not sure if these will work, but might be worth trying:

Using a different type of identity other than inet (e.g. hostname)

or

Using Main mode with the public IPs as the identities (or removing the identities altogether).

Re: SRX IPsec tunnel. [NAT at both ends].

01-18-2013 11:40 PM

Would also suggest you try 'MAIN' mode, since you know the public IPs for both ends.

Regards,
Willys W.
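As an added example (not from the thread or from Juniper), here is a small Python linter that parses a Junos-style IKE gateway block like the one in the question and flags the three settings the replies point at: NAT-T switched off, aggressive mode, and RFC1918 inet identities. The sample config, its addresses and the finding codes are constructed for illustration.

```python
import ipaddress
# Constructed sample modelled on the gateway block in the question: Y.Y.Y.Y/Z.Z.Z.Z
# become RFC1918 addresses, X.X.X.X a documentation address; none are real hosts.
SAMPLE_CONFIG = """
policy ike-phase1-policy {
    mode aggressive;
    proposals ike-phase1-proposal;
}
gateway gw-plenary {
    ike-policy ike-phase1-policy;
    address 203.0.113.10;            ## NAT.RTR2 Internet address
    no-nat-traversal;
    local-identity inet 192.168.1.1; ## SRX1 private address
    remote-identity inet 10.0.0.1;   ## SRX2 private address
    external-interface fe-0/0/1.0;
}
"""

def parse_blocks(text):
    """Parse one level of Junos brace blocks into {"kind name": {stmt: [args]}}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop trailing ## comments
        if line.endswith("{"):
            current = line[:-1].strip()
            blocks[current] = {}
        elif line == "}":
            current = None
        elif line and current is not None:
            words = line.rstrip(";").split()
            blocks[current][words[0]] = words[1:]
    return blocks

def lint_gateway(text):
    """Return (gateway, code, detail) tuples for settings that tend to break IKE across NAT."""
    blocks, findings = parse_blocks(text), []
    for name, stmts in blocks.items():
        if not name.startswith("gateway "):
            continue
        gw = name.split()[1]
        if "no-nat-traversal" in stmts:  # NAT-T (UDP/4500 encapsulation) switched off
            findings.append((gw, "nat-t-disabled", "no-nat-traversal is set"))
        policy = blocks.get("policy " + stmts.get("ike-policy", [""])[0], {})
        if policy.get("mode") == ["aggressive"]:
            findings.append((gw, "aggressive-mode", "replies suggest main mode instead"))
        for key in ("local-identity", "remote-identity"):
            args = stmts.get(key, [])
            if len(args) == 2 and args[0] == "inet" and ipaddress.ip_address(args[1]).is_private:
                findings.append((gw, "private-inet-id", f"{key} {args[1]} is RFC1918; replies suggest hostname or public-IP identity"))
    return findings
```

Running `lint_gateway(SAMPLE_CONFIG)` on the sample reports all three conditions for gw-plenary; a gateway using a hostname identity, main mode and no `no-nat-traversal` produces no findings.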

Re: SRX IPsec tunnel. [NAT at both ends].

01-21-2013 07:22 PM

Thanks for the suggestions, but Main mode was the first thing that we tested.

This is no longer particularly important as we will now be deploying NAT on one side with a public IP on the other. 

It just would have been nice to nail down the problem, as this is apparently a supported topology.

Re: SRX IPsec tunnel. [NAT at both ends].

06-16-2013 11:05 AM

I have found the following post to be a good direction on what to change:

http://forums.juniper.net/t5/SRX-Services-Gateway/IPSEC-with-NAT-T/m-p/103324#M12872