SRX Services Gateway

SRX VPN network issue

Wednesday

Hello all, please help.

I recently had an SRX 210 completely crash and I did not have a config back-up.

I know, my fault.

I had site-to-site VPNs set up and now I can't remember how I set them up, since I didn't touch it for 3 years.

The Main Site has a static public IP.

The 3 other sites have DHCP from the carrier.

Please help.


Re: SRX VPN network issue

Wednesday

Hi Dustin,

The following tool will help you for sure:

https://support.juniper.net/support/tools/vpnconfig/

Note you have to choose the option "Local Static IP <<->> Remote Dynamic IP".

I hope it helps!

Please mark this comment as the Solution if applicable

Re: SRX VPN network issue

Wednesday

The following documents will also help you for sure:

https://www.fir3net.com/Firewalls/Juniper/srx-dyn.html

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28077&actp=search

https://www.oreilly.com/library/view/juniper-srx-series/9781449339029/ch10.html#configuring_dynamic_... (see the "Configuring an IKE gateway with a dynamic IP address" section)

Please mark this comment as the Solution if applicable

Re: SRX VPN network issue

Wednesday

I used that tool and still a no go.


Re: SRX VPN network issue

Wednesday

Dustin,

If you can, describe a little bit more of the VPN configuration that has been added, along with the error message that you see.

Do you see the IKE or IPsec SA up? If not, then the suggestion is to enable IKE/IPsec traceoptions.

set security ike traceoptions flag all level 12

set security ike traceoptions file IKE_TRACE.txt

set security ipsec traceoptions flag all

If you can post the configuration along with the error message, it would be easier to answer.


Re: SRX VPN network issue

Wednesday

What if I post the config?


Re: SRX VPN network issue

Wednesday

root@RootsBrookfieldWI-SRX210he# run show configuration
## Last commit: 2019-06-12 18:13:58 CDT by root
version 12.1X46-D45.4;
system {
    host-name RootsBrookfieldWI-SRX210he;
    time-zone America/Chicago;
    root-authentication {
        encrypted-password "$1$pbQdiG6M$pjnsFmZc4KgM4w37Pduzb1"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http;
        }
        dhcp {
            router {
                10.1.121.254;
            }
            pool 10.1.121.0/24 {
                address-range low 10.1.121.1 high 10.1.121.250;
                domain-name rootssalon.com;
                name-server {
                    8.8.8.8;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file kmd-logs {
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Uplink to AT&T";
        unit 0 {
            description "Uplink to AT&T";
            family inet {
                sampling {
                    input;
                    output;
                }
                address xx.xxx.xxx.xxx;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    st0 {
        unit 0 {
            description "Tunnel to Greendale, WI";
            family inet {
                address 10.1.124.251/24;
            }
        }
        unit 1 {
            description "Tunnel to Oak Creek, WI";
            family inet;
        }
        unit 2 {
            description "Tunnel to Wauwatosa, WI";
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet;
        }
        unit 121 {
            description RS-Data;
            family inet {
                sampling {
                    input;
                    output;
                }
                address 10.1.121.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop xx.xxx.xxxx.xxx;
        route 10.1.124.0/24 next-hop st0.0;
    }
}
protocols {
    stp;
}
security {
    ike {
        proposal P1-AES128-SHA {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        proposal ike-proposal-GD {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-policy-GD {
            mode aggressive;
            proposals ike-proposal-GD;
            pre-shared-key ascii-text "$9$FCms/CpO1heK8n/clev7NdbsYoGkqfQ3/ev"; ## SECRET-DATA
        }
        gateway ike-gate-GD {
            ike-policy ike-policy-GD;
            dynamic hostname greendalewi.rootssalon.com;
            external-interface ge-0/0/0;
            version v2-only;
        }
    }
    ipsec {
        proposal P2-AES128-SHA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        proposal ipsec-proposal-GD {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy IPSEC-POL-AES128-SHA {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals P2-AES128-SHA;
        }
        policy ipsec-policy-GD {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-proposal-GD;
        }
        vpn ipsec-vpn-GD {
            bind-interface st0.0;
            ike {
                gateway ike-gate-GD;
                ipsec-policy ipsec-policy-GD;
            }
            establish-tunnels immediately;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone GreendaleRS-VPN {
            policy trust-GreendaleRS-VPN-GD {
                match {
                    source-address net-GD_10-1-121-0--24;
                    destination-address net-GD_10-1-124-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone GreendaleRS-VPN to-zone trust {
            policy GreendaleRS-VPN-trust-GD {
                match {
                    source-address net-GD_10-1-124-0--24;
                    destination-address net-GD_10-1-121-0--24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address net-GD_10-1-121-0--24 10.1.121.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                vlan.121 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                st0.1;
                st0.2;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone GreendaleRS-VPN {
            address-book {
                address net-GD_10-1-124-0--24 10.1.124.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
}
vlans {
    RS-Data {
        vlan-id 121;
        l3-interface vlan.121;
    }
    vlan-trust {
        vlan-id 3;
    }
}


Re: SRX VPN network issue

Wednesday

Dustin,

The config of both SRXs plus the topology will help us a lot. Something like:

LAN-(???)-------SRX_MAIN-(Interface:Static-IP??)-------------Internet-------------(DynIP:Interface??)-SRX_REMOTE-------(???)-LAN

Also please run on both SRXs:

> show security flow session protocol udp destination-port 500

> show security flow session protocol udp destination-port 4500

> show security ike security-associations

> show security ipsec security-associations

> show security ipsec inactive-tunnels

Please mark this comment as the Solution if applicable

Re: SRX VPN network issue

Wednesday
root@RootsGreendaleWI-SRX100h> show configuration
version 10.4R4.5;
system {
    host-name RootsGreendaleWI-SRX100h;
    time-zone America/Chicago;
    root-authentication {
        encrypted-password "$1$p9QACgMj$7cG56U0t5x4fGTmuccBco0"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        message "********************************************************************************\nUsage of this system is subject, at all times, to the guidelines and policies of Roots Salon.\nUnauthorized Access is Strictly Prohibited!\n********************************************************************************\n ";
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http;
        }
        dhcp {
            router {
                10.1.124.254;
            }
            pool 10.1.124.0/24 {
                address-range low 10.1.124.1 high 10.1.124.250;
                domain-name rootssalon.com;
                name-server {
                    8.8.8.8;
                }
                router {
                    10.1.124.254;
                }
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        description "Uplink to AT&T";
        unit 0 {
            description "Uplink to AT&T";
            family inet {
                sampling {
                    input;
                    output;
                }
                dhcp;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members RS-Data;
                }
            }
        }
    }
    st0 {
        unit 0 {
            description "Tunnel to CENTRAL";
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet;
        }
        unit 124 {
            description RS-Data;
            family inet {
                sampling {
                    input;
                    output;
                }
                address 10.1.124.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 10.0.0.0/8 next-hop st0.0;
    }
}
protocols {
    rstp;
}
class-of-service {
    classifiers {
        dscp juniper_dscp_classifier {
            forwarding-class voice {
                loss-priority low code-points ef;
            }
            forwarding-class voice-control {
                loss-priority low code-points af31;
            }
            forwarding-class best-effort {
                loss-priority low code-points be;
            }
        }
    }
    forwarding-classes {
        queue 0 best-effort;
        queue 3 voice-control;
        queue 6 voice;
    }
    interfaces {
        fe-0/0/0 {
            scheduler-map ethernet-cos-map;
            unit 0 {
                classifiers {
                    dscp juniper_dscp_classifier;
                }
            }
        }
    }
    rewrite-rules {
        dscp test-rule {
            forwarding-class voice {
                loss-priority low code-point ef;
            }
        }
    }
    scheduler-maps {
        ethernet-cos-map {
            forwarding-class best-effort scheduler be-sched;
            forwarding-class voice scheduler voice-sched;
            forwarding-class voice-control scheduler voice-control-sched;
        }
    }
    schedulers {
        voice-sched {
            transmit-rate percent 20;
            buffer-size percent 5;
            priority strict-high;
        }
        voice-control-sched {
            transmit-rate percent 10;
            buffer-size percent 5;
            priority low;
        }
        be-sched {
            transmit-rate percent 35;
            buffer-size percent 35;
            priority low;
        }
    }
}
security {
    ike {
        proposal P1-AES128-SHA {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy IKE-POL-GREENDALE-ATT {
            mode aggressive;
            proposals P1-AES128-SHA;
            pre-shared-key ascii-text "$9$0Ml31crbwgDi.oJnCu0EhSreK87GUH5QnuOX-VwaJik.fz6tpBIRSFntORheK-db"; ## SECRET-DATA
        }
        gateway GW-GREENDALE-ATT {
            ike-policy IKE-POL-GREENDALE-ATT;
            address 24.106.47.110;
            local-identity hostname greendalewi.rootssalon.com;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        proposal P2-AES128-SHA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy IPSEC-POL-AES128-SHA {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals P2-AES128-SHA;
        }
        vpn VPN-GREENDALE-ATT {
            bind-interface st0.0;
            ike {
                gateway GW-GREENDALE-ATT;
                ipsec-policy IPSEC-POL-AES128-SHA;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                st0.0;
                vlan.124 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ping;
                            ike;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy Intrazone-Allow {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    alg {
        h323 disable;
        sip disable;
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}
services {
    flow-monitoring {
        version9 {
            template NTA-flow {
                ipv4-template;
            }
        }
    }
}
vlans {
    RS-Data {
        vlan-id 124;
        l3-interface vlan.124;
    }
}

Re: SRX VPN network issue

Wednesday

root@RootsBrookfieldWI-SRX210he> show security flow session protocol udp destination-port 500
Session ID: 36625, Policy name: self-traffic-policy/1, Timeout: 28, Valid
In: 104.231.234.132/500 --> 24.106.47.110/500;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 526
Out: 24.106.47.110/500 --> 104.231.234.132/500;udp, If: .local..0, Pkts: 1, Bytes: 130

Session ID: 41345, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 70.92.135.242/500 --> 24.106.47.110/500;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 526
Out: 24.106.47.110/500 --> 70.92.135.242/500;udp, If: .local..0, Pkts: 1, Bytes: 130

Session ID: 41350, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 172.2.254.74/500 --> 24.106.47.110/500;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 501
Out: 24.106.47.110/500 --> 172.2.254.74/500;udp, If: .local..0, Pkts: 1, Bytes: 130
Total sessions: 3


root@RootsBrookfieldWI-SRX210he> show security flow session protocol udp destination-port 4500
Total sessions: 0


root@RootsBrookfieldWI-SRX210he> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7835958 DOWN 680bea2374481de2 452146f940997775 Any 70.92.135.242
7835959 DOWN f0784d211b4a574f dc3e0c757586cb9a Any 172.2.254.74


root@RootsBrookfieldWI-SRX210he> show security ipsec security-associations
Total active tunnels: 0


root@RootsBrookfieldWI-SRX210he> show security ipsec inactive-tunnels
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Nego# Fail# Flag Gateway Tunnel Down Reason
131073 500 0 0 604a29 SA not initiated


Re: SRX VPN network issue

Wednesday

Dustin,

Gateway GW-GREENDALE-ATT on the SRX100 doesn't have "version v2-only" while it is configured on the SRX210. Can you have them matched?

Also let us know what option you chose to use on both.

Please mark this comment as the Solution if applicable

Re: SRX VPN network issue

Wednesday

I changed it to v1-only on the 210.


Re: SRX VPN network issue

Wednesday

Calling it a night, I will be back on early in the AM


Re: SRX VPN network issue

Wednesday

SRX210 has st0.0 configured with the 10.1.124.251 address. I don't think it is needed, can you remove it? Note that you need to leave the "family inet" configured on that interface.

So far I have checked the following.

+Topology:

                            st0.0                                    st0.0
(10.0.0.0/8)------SRX210-(ge-0/0/0:24.106.47.110)------Internet----(fe-0/0/0)-SRX100-------(10.1.124.0/24)
                                     static                           dhcp
                 Brookfield                                                  Greendale

+Junos

RootsBrookfieldWI-SRX210he: 12.1X46-D45.4;

RootsGreendaleWI-SRX100h: version 10.4R4.5;

+IKE configured as host-inbound-traffic on the untrust zones.
+IKE-IDs configured properly for phase 1.
+Proxy-IDs: any,any,any due to route-based VPN, so they match.
+VPN configurations match correctly (can't tell about the configured pre-shared-keys because they are encrypted in the config).
+Static routes configured and pointing to the correct st0.0 interfaces.
+st0.0 interfaces are configured with family inet.

Try configuring the pre-shared keys again to a common value:

SRX100:

#set security ike policy IKE-POL-GREENDALE-ATT pre-shared-key ascii-text junos

SRX210:

#set security ike policy ike-policy-GD pre-shared-key ascii-text junos

After those two changes, please collect again:

> show security flow session protocol udp destination-port 500
> show security ike security-associations
> show security ipsec security-associations
> show security ipsec inactive-tunnels

Please mark this comment as the Solution if applicable
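The check the two replies above make by eye (IKE version, mode and proposal parameters agreeing on both gateways), as an added Python example that is not from the thread or from Juniper: it parses Junos curly-brace config text and reports the phase-1 parameters that differ between the two peers. The stanzas are constructed excerpts of the two posted configs with the pre-shared keys left out; treating an absent "version" statement as IKEv1 reflects the Junos default.

```python
# Constructed excerpts of the two IKE stanzas posted above (pre-shared keys
# omitted); indentation is irrelevant to the parser.
SRX210_IKE = """
ike {
    proposal ike-proposal-GD {
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy ike-policy-GD {
        mode aggressive;
        proposals ike-proposal-GD;
    }
    gateway ike-gate-GD {
        ike-policy ike-policy-GD;
        dynamic hostname greendalewi.rootssalon.com;
        external-interface ge-0/0/0;
        version v2-only;
    }
}
"""
SRX100_IKE = """
ike {
    proposal P1-AES128-SHA {
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy IKE-POL-GREENDALE-ATT {
        mode aggressive;
        proposals P1-AES128-SHA;
    }
    gateway GW-GREENDALE-ATT {
        ike-policy IKE-POL-GREENDALE-ATT;
        address 24.106.47.110;
        local-identity hostname greendalewi.rootssalon.com;
        external-interface fe-0/0/0.0;
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace config text into nested dicts (leaf: 'key' -> 'value')."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop "## SECRET-DATA" style comments
        if not line:
            continue
        if line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value
    return stack[0]

def ike_settings(cfg, gateway_name):
    """Follow gateway -> policy -> proposal and collect the phase-1 parameters both peers must agree on."""
    ike = cfg["ike"]
    gw = ike["gateway " + gateway_name]
    policy = ike["policy " + gw["ike-policy"]]
    proposal = ike["proposal " + policy["proposals"]]
    return {
        "mode": policy["mode"],
        # With no "version" statement Junos negotiates IKEv1, so treat unset as v1-only.
        "version": gw.get("version", "v1-only"),
        **{k: proposal[k] for k in ("dh-group", "authentication-algorithm", "encryption-algorithm")},
    }

def ike_mismatches(a, b):
    """Names of the parameters whose values differ between the two peers."""
    return sorted(k for k in a if a[k] != b[k])
```

Running ike_settings on each side and ike_mismatches on the two results reports ['version'], the difference the reply above found; removing "version v2-only" from the SRX210 gateway (or adding it on the SRX100) makes the list empty.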

Re: SRX VPN network issue

Wednesday
I have to drive to the site so I will make the changes in the morning.
Thank you

Re: SRX VPN network issue

Thursday

root@RootsBrookfieldWI-SRX210he# run show security flow session protocol udp destination-port 500
Session ID: 47496, Policy name: self-traffic-policy/1, Timeout: 58, Valid
In: 70.92.135.242/500 --> 24.106.47.110/500;udp, If: ge-0/0/0.0, Pkts: 89, Bytes: 30904
Out: 24.106.47.110/500 --> 70.92.135.242/500;udp, If: .local..0, Pkts: 52, Bytes: 28080

Session ID: 47705, Policy name: self-traffic-policy/1, Timeout: 38, Valid
In: 172.2.254.74/500 --> 24.106.47.110/500;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 501
Out: 24.106.47.110/500 --> 172.2.254.74/500;udp, If: .local..0, Pkts: 1, Bytes: 130

Session ID: 48841, Policy name: self-traffic-policy/1, Timeout: 56, Valid
In: 104.231.234.132/500 --> 24.106.47.110/500;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 526
Out: 24.106.47.110/500 --> 104.231.234.132/500;udp, If: .local..0, Pkts: 1, Bytes: 130
Total sessions: 3


root@RootsBrookfieldWI-SRX210he# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7840083 DOWN 01a915d5888bb55e 4ebb56bf7201c4e1 Any 104.231.234.132


[edit]
root@RootsBrookfieldWI-SRX210he# run show security ipsec security-associations
Total active tunnels: 0


root@RootsBrookfieldWI-SRX210he# run show security ipsec inactive-tunnels
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Nego# Fail# Flag Gateway Tunnel Down Reason
131073 500 0 0 604a29 SA not initiated



Re: SRX VPN network issue

Thursday

Dustin,

Based on the outputs we can tell that the devices are communicating with each other for IKE negotiation, so let's check deeper with IKE traceoptions.

Try this on the main SRX, which is the one acting as responder:

#set security ike traceoptions file TRACE
#set security ike traceoptions file size [specify max size]
#set security ike traceoptions flag all
#commit

Filter for only 1 tunnel (the VPN against the remote SRX we have been working with):

# run request security ike debug-enable local 24.106.47.110 remote [ current IP address of remote site] level 15
# run show security ike debug-status

Clear the file in case information from other tunnels had already been saved while we were configuring the IKE debug-enable statement:

# run clear log TRACE

Wait for 1 minute and then check the file:

# run show log TRACE

Please check the file for any errors or upload it so we can take a look and offer more troubleshooting steps.

Please mark this comment as the Solution if applicable