SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX multiple route-based IPsec site-to-site VPN tunnels - st0 interfaces are showing down

    Posted 05-10-2011 04:39

    Hi all,
    I've configured five route-based site-to-site VPN tunnels on my SRX240 cluster (this is the first time I've configured VPNs on the SRX). I've 'bound' each VPN to an unnumbered st0 unit interface and associated a static route with each.
    I've only had the opportunity to test one of the VPNs so far; however, it looks as though the VPN only works when it's initiated from the remote side. I believe the reason it won't initiate from the SRX is that the IP route to the remote side is not in the routing table, because the associated st0 unit interface is down.
    When the VPN is up (initiated from the remote side) the st0 unit interface comes up, the IP route is in the routing table, and the VPN works as required.
    I can't see what I'm missing - can anyone help?
    Thanks in advance
    Chris
    nod@QHFW-01> show interfaces terse | match st0
    st0                      up    up
    st0.0                   up    down inet 
    st0.1                   up    down inet
    st0.2                   up    up   inet       < vpn is active on this interface
    st0.3                   up    down inet
    st0.4                   up    down inet
    {primary:node0}[edit security ike]
    nod@QHFW-01# show
    traceoptions {
        file ike size 1m files 2 world-readable;
        flag ike;
        flag policy-manager;
        flag routing-socket;
    }
    proposal P1-DES {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        lifetime-seconds 28800;
    }
    proposal ike-proposal-3DES {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    proposal ike-proposal-3DES-DH2 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    proposal ike-proposal-3DES-MD5-DH1 {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    policy ike-policy-1 {
        mode main;
        proposals P1-DES;
        pre-shared-key ascii-text 
    }
    policy ike-policy-Ald {
        mode main;
        proposals ike-proposal-3DES;
        pre-shared-key ascii-text 
    }
    policy ike-policy-Steve {
        mode main;
        proposals P1-DES;
        pre-shared-key ascii-text 
    }
    policy ike-policy-GlobalRes {
        mode main;
        proposals ike-proposal-3DES-DH2;
        pre-shared-key ascii-text 
    }
    policy ike-policy-XN {
        proposals ike-proposal-3DES-MD5-DH1;
        pre-shared-key ascii-text 
    }
    gateway Frog {
        ike-policy ike-policy-1;
        address 81.xx.xx.xx;
        external-interface reth1.0;
    }
    gateway Ald {
        ike-policy ike-policy-Ald;
        address 212.xx.xx.xx;
        external-interface reth1.0;
    }
    gateway Steve {
        ike-policy ike-policy-Steve;
        address 81.xx.xx.xx1;
        external-interface reth1.0;
    }
    gateway GlobalRes {
        ike-policy ike-policy-GlobalRes;
        address 69.xx.xx.xx;
        external-interface reth1.0;
    }
    gateway XN {
        ike-policy ike-policy-XN;
        address 195.xx.xx.xx;
        external-interface reth1.0;
    }
    {primary:node0}[edit security ipsec]
    nod@QHFW-01# show
    proposal P2-DES {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm des-cbc;
    }
    proposal P2-3DES {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    policy ipsec-policy-1 {
        proposals P2-DES;
    }
    policy ipsec-policy-2 {
        proposals P2-3DES;
    }
    vpn Frog {
        bind-interface st0.0;
        ike {
            gateway Frog;
            ipsec-policy ipsec-policy-1;
        }
        establish-tunnels immediately;
    }
    vpn Aldwalk {
        bind-interface st0.1;
        ike {
            gateway Ald;
            ipsec-policy ipsec-policy-2;
        }
        establish-tunnels immediately;
    }
    vpn Steve {
        bind-interface st0.2;
        ike {
            gateway Steve;
            ipsec-policy ipsec-policy-1;
        }
        establish-tunnels immediately;
    }
    vpn GlobalRes {
        bind-interface st0.3;
        ike {
            gateway GlobalRes;
            ipsec-policy ipsec-policy-2;
        }
        establish-tunnels immediately;
    }
    vpn XN {
        bind-interface st0.4;
        ike {
            gateway XN;
            ipsec-policy ipsec-policy-2;
        }
        establish-tunnels immediately;
    }
    {primary:node0}[edit interfaces st0]
    nod@QHFW-01# show
    description "Secure Tunnel Interfaces";
    unit 0 {
        description "Secure Tunnel Interface - Frog";
        family inet;
    }
    unit 1 {
        description "Secure Tunnel Interface - Ald";
        family inet;
    }
    unit 2 {
        description "Secure Tunnel Interface - Steve";
        family inet;
    }
    unit 3 {
        description "Secure Tunnel Interface - Global Res";
        family inet;
    }
    unit 4 {
        description "Secure Tunnel Interface - XN";
        family inet;
    }
    nod@QHFW-01> show version
    node0:
    --------------------------------------------------------------------------
    Hostname: QHFW-01
    Model: srx240h
    JUNOS Software Release [10.4R2.7]
    node1:
    --------------------------------------------------------------------------
    Hostname: QHFW-02
    Model: srx240h
    JUNOS Software Release [10.4R2.7]

  • 2.  RE: SRX multiple route-based IPsec site-to-site VPN tunnels - st0 interfaces are showing down

    Posted 05-10-2011 04:54

    Hi

    One reason for such behavior may be non-matching proxy-ids: by default, route-based VPNs on SRX have all-zero proxy ids, and if on the other side proxy-ids are not zero, the VPN will be established only to your SRX, but not from it. So please check what proxy ids are configured on the other side.

    This may not be the only reason for the behavior you are seeing, but I think that routing and st0 status is not a problem in your setup.



  • 3.  RE: SRX multiple route-based IPsec site-to-site VPN tunnels - st0 interfaces are showing down
    Best Answer

    Posted 05-13-2011 06:05

    Hi PK,

    I carried out some more testing and you were right, it was due to the proxy ids. I fixed the issue by implementing these commands:

    set security ipsec vpn n4 ike proxy-identity local 103.84.0.0/24
    set security ipsec vpn n4 ike proxy-identity remote 192.168.245.0/24
    set security ipsec vpn n4 ike proxy-identity service any

    Thanks,

    Chris
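As an added illustration of the proxy-id point made in replies 2 and 3 above (example code written for this page, not Juniper's code and not anything Chris or PK posted): a small Python check that parses `set security ipsec vpn ... ike proxy-identity` lines from both ends of a tunnel, fills in the route-based default of 0.0.0.0/0 with service any where nothing is configured, and models which side can bring phase 2 up. The peer's configuration, the VPN name `to-srx`, and the negotiation rule (a responder accepts the initiator's proposed IDs when they mirror its own, or when its own IDs are the all-zero wildcard) are assumptions of the example; the three `n4` commands are the ones from the accepted answer.

```python
import ipaddress
import re

# Junos route-based VPN defaults when no proxy-identity is configured
# (what reply 2 calls "all-zero proxy ids").
DEFAULT_PROXY_ID = {"local": "0.0.0.0/0", "remote": "0.0.0.0/0", "service": "any"}

# Matches set-style lines such as the ones in the accepted answer:
#   set security ipsec vpn n4 ike proxy-identity local 103.84.0.0/24
SET_RE = re.compile(
    r"^set security ipsec vpn (\S+) ike proxy-identity (local|remote|service) (\S+)$"
)


def parse_proxy_ids(config_text):
    """Collect per-VPN proxy-identity settings from set-style config text.

    Returns {vpn_name: {"local": cidr, "remote": cidr, "service": name}}.
    Fields that never appear keep the all-zero / any defaults.
    """
    vpns = {}
    for raw in config_text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        name, field, value = m.groups()
        vpns.setdefault(name, dict(DEFAULT_PROXY_ID))[field] = value
    return vpns


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def is_wildcard(pid):
    """True when both halves are the all-zero default (0.0.0.0/0)."""
    zero = _net("0.0.0.0/0")
    return _net(pid["local"]) == zero and _net(pid["remote"]) == zero


def mirrors(initiator, responder):
    """Phase 2 IDs agree when each side's local is the other side's remote."""
    return (
        _net(initiator["local"]) == _net(responder["remote"])
        and _net(initiator["remote"]) == _net(responder["local"])
        and initiator["service"] == responder["service"]
    )


def can_initiate(initiator, responder):
    """Simplified negotiation rule (an assumption of this example, not Junos
    source): the responder accepts proposed IDs that mirror its own, or accepts
    anything when its own IDs are the all-zero wildcard.  This reproduces the
    one-way behaviour described in reply 2."""
    return mirrors(initiator, responder) or is_wildcard(responder)


def check_tunnel(srx, peer):
    """Return (srx_can_initiate, peer_can_initiate) for one VPN pair."""
    return can_initiate(srx, peer), can_initiate(peer, srx)


# Constructed sample: the remote peer's view of the tunnel, written in the same
# set syntax.  It sees 192.168.245.0/24 as local and the SRX side as remote.
PEER_CONFIG = """
set security ipsec vpn to-srx ike proxy-identity local 192.168.245.0/24
set security ipsec vpn to-srx ike proxy-identity remote 103.84.0.0/24
set security ipsec vpn to-srx ike proxy-identity service any
"""

# Constructed sample: before the fix the SRX had no proxy-identity lines for
# n4 at all, so the VPN simply carries the defaults.
SRX_BEFORE = {"n4": dict(DEFAULT_PROXY_ID)}

# The three commands from the accepted answer.
SRX_AFTER_CONFIG = """
set security ipsec vpn n4 ike proxy-identity local 103.84.0.0/24
set security ipsec vpn n4 ike proxy-identity remote 192.168.245.0/24
set security ipsec vpn n4 ike proxy-identity service any
"""


if __name__ == "__main__":
    peer = parse_proxy_ids(PEER_CONFIG)["to-srx"]
    before = SRX_BEFORE["n4"]
    after = parse_proxy_ids(SRX_AFTER_CONFIG)["n4"]
    # Expected: (False, True) before the fix, (True, True) after it.
    print("before fix (SRX initiates, peer initiates):", check_tunnel(before, peer))
    print("after fix  (SRX initiates, peer initiates):", check_tunnel(after, peer))
```

The output reproduces the symptom in the original post: with the defaults on the SRX and specific proxy-ids on the peer, only the peer can bring the tunnel up; once the SRX's local/remote mirror the peer's remote/local, either end can initiate. The same mirroring check is worth running against any peer config before assuming the st0 state or routing is at fault.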