SRX Services Gateway

Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-01-2014 06:21 AM

1) Like this (subnet IPs were replaced):

set security ipsec vpn IPSEC_TEST-1 bind-interface st0.10
set security ipsec vpn IPSEC_TEST-1 ike gateway IKE-GW-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-1 ike proxy-identity local 100.100.100.100/32
set security ipsec vpn IPSEC_TEST-1 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn IPSEC_TEST-1 ike proxy-identity service any
set security ipsec vpn IPSEC_TEST-1 ike ipsec-policy IPSEC-POL-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-1 establish-tunnels immediately

set security ipsec vpn IPSEC_TEST-2 bind-interface st0.11
set security ipsec vpn IPSEC_TEST-2 ike gateway IKE-GW-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-2 ike proxy-identity local 100.100.100.100/32
set security ipsec vpn IPSEC_TEST-2 ike proxy-identity remote 2.2.2.2/32
set security ipsec vpn IPSEC_TEST-2 ike proxy-identity service any
set security ipsec vpn IPSEC_TEST-2 ike ipsec-policy IPSEC-POL-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-2 establish-tunnels immediately

set security ipsec vpn IPSEC_TEST-3 bind-interface st0.19
set security ipsec vpn IPSEC_TEST-3 ike gateway IKE-GW-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-3 ike proxy-identity local 200.200.200.200/32
set security ipsec vpn IPSEC_TEST-3 ike proxy-identity remote 1.1.1.1/32
set security ipsec vpn IPSEC_TEST-3 ike proxy-identity service any
set security ipsec vpn IPSEC_TEST-3 ike ipsec-policy IPSEC-POL-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-3 establish-tunnels immediately

set security ipsec vpn IPSEC_TEST-4 bind-interface st0.20
set security ipsec vpn IPSEC_TEST-4 ike gateway IKE-GW-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-4 ike proxy-identity local 200.200.200.200/32
set security ipsec vpn IPSEC_TEST-4 ike proxy-identity remote 2.2.2.2/32
set security ipsec vpn IPSEC_TEST-4 ike proxy-identity service any
set security ipsec vpn IPSEC_TEST-4 ike ipsec-policy IPSEC-POL-IPSEC_TEST
set security ipsec vpn IPSEC_TEST-4 establish-tunnels immediately
2) If the SRX is the initiator, no problems at all; if the ASA is, no phase 1, and no attempts in the log on the SRX.

3) Yes.

4) Policy-based, AFAIK.

5) Correct, every SA has its own policy (AFAIK, it will not work with one policy and multiple source/dest).
Thank you for your help!

Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-01-2014 08:50 AM

Hi Burner,
Configuration on the SRX looks good.
The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.x.x.x, its source as 0.0.0.0, and its protocol as icmp. The SA specifies its local proxy as 10.x.x.x/255.255.255.255/ip/0 and its remote_proxy as 10.y.y.y/255.255.255.255/ip/0.


But looking at the Cisco error, it decrypts the ESP packet from the SRX, but after that it is not able to select the proxy-IDs of the VPN.
Are there any NAT rules interfering on either the SRX or the Cisco?
Try pinging the remote Cisco network for one phase 2 SA subnet and share the following.

1. show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y
   Verify whether this traffic is NATed.
2. Do similar tests for Cisco-to-SRX VPN traffic.
Regards
rparthi
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-01-2014 09:25 PM

Hi rparthi,
My first guess was that traffic is NATed, so I've verified this already.
1) No, traffic is not NATed.
2) I don't see any packets from the Cisco side in show security flow. Also, I've checked the logs: no blocks for the Cisco-side subnet.
I've found information that VPN monitor can give such a result, but I don't turn it on in my IPsec config (only DPD).

Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-01-2014 10:04 PM

Hi
Flow traceoptions must have a packet filter with the external IP addresses of the SRX and the Cisco device for capturing IKE and ESP packets.
Since the VPN tunnel is up and passing traffic from the SRX to the Cisco, I am still not able to understand why you do not see any packets from the Cisco.
Are you getting an ICMP reply for the ping request initiated from the SRX?
Please share the following:
show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y
Regards,
rparthi

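As an added example, not from the thread or from rparthi: the traceoptions and show commands a practitioner would use to answer the questions in the post above, scoped with packet filters to the two tunnel endpoints as the post describes, plus the checks that tell whether the ASA's "decapsulated inner packet doesn't match the negotiated policy" message is caused by the test traffic being sourced outside the proxy-ID. The external addresses 198.51.100.1 (SRX) and 203.0.113.1 (ASA), the trace file names and the packet-filter names are assumptions; the inner hosts 200.200.200.200 and 1.1.1.1, the VPN names and the st0 units are the thread's own.

```junos
## Added example (not from the thread). Assumed: SRX external 198.51.100.1,
## ASA external 203.0.113.1; inner hosts 200.200.200.200 (SRX side) and
## 1.1.1.1 (ASA side) are the proxy-ID pair of IPSEC_TEST-3 / st0.19.

# Capture only IKE (UDP/500; UDP/4500 as well if NAT-T were in use) and ESP
# between the two gateways, in both directions, so the trace stays readable.
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter ike-in  source-prefix 203.0.113.1/32 destination-prefix 198.51.100.1/32 protocol udp destination-port 500
set security flow traceoptions packet-filter ike-out source-prefix 198.51.100.1/32 destination-prefix 203.0.113.1/32 protocol udp destination-port 500
set security flow traceoptions packet-filter esp-in  source-prefix 203.0.113.1/32 destination-prefix 198.51.100.1/32 protocol esp
set security flow traceoptions packet-filter esp-out source-prefix 198.51.100.1/32 destination-prefix 203.0.113.1/32 protocol esp
# Also trace the cleartext inner packets of one proxy-ID pair (IPSEC_TEST-3).
set security flow traceoptions packet-filter inner-in  source-prefix 1.1.1.1/32 destination-prefix 200.200.200.200/32
set security flow traceoptions packet-filter inner-out source-prefix 200.200.200.200/32 destination-prefix 1.1.1.1/32

# IKE negotiation detail: phase 1/2 proposals and the proxy-ID (identity) payloads.
set security ike traceoptions file ike-trace size 1m files 3
set security ike traceoptions flag all
commit

# Operational checks, in this order:
show security ike security-associations            # phase 1: one SA in state UP for 203.0.113.1
show security ipsec security-associations          # phase 2: one inbound/outbound pair per proxy-ID (st0.10, .11, .19, .20)
show security ipsec security-associations detail   # Local/Remote Identity must equal the ASA crypto ACL entry for that SA
show security ipsec statistics                     # Encrypted packets rising while Decrypted packets stays flat = nothing is coming back
show security flow session source-prefix 1.1.1.1 destination-prefix 200.200.200.200
show log flow-trace | match "1.1.1.1"
show log ike-trace | match "proxy|identity|payload"

# Remove the tracing when done; basic-datapath tracing is expensive on the data plane.
delete security flow traceoptions
delete security ike traceoptions
commit
```

Read the results in that order: phase 1, then the negotiated identities, then the counters. If `Encrypted packets` climbs on the SRX while the ASA logs the mismatch error, compare the source address of the test packet with the local proxy-ID of that SA: a /32 proxy only admits packets from exactly that host, so a ping issued from the SRX CLI (sourced from an SRX interface address, not from the 200.200.200.200 host) will never match it and must be run from the host itself, and likewise on the ASA side from 1.1.1.1.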
Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-01-2014 10:22 PM

Here it is (IPs replaced with examples):
Session ID: 29762, Policy name: POLICY-OUT-TEST-10/266, Timeout: 2, Valid
In: 200.200.200.200/773 --> 1.1.1.1/30;icmp, If: ge-0/0/3.4, Pkts: 1, Bytes: 100
Out: 1.1.1.1/30 --> 200.200.200.200/773;icmp, If: st0.19, Pkts: 1, Bytes: 100
Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-02-2014 01:08 AM

Hi Burner,
As per your last update, tunnel traffic from the SRX to the Cisco is working fine.
Now on the Cisco side, ask them to ping from 1.1.1.1 to 200.200.200.200 and update the status.
Maybe they are pinging from a different source IP address which is not part of the source proxy-ID, and not from 1.1.1.1.
Regards,
rparthi
Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-02-2014 01:11 AM

Hi,
No, they are pinging from the correct source (asked earlier).

Looks like this is one of the reasons why RB IPsec is not preferred between ASA and SRX :)

Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-02-2014 03:30 AM

Hi Burner,
Thanks for the update.
From the Cisco error message and the SRX capture (NO packet received), it is clear that the VPN destination was not accessed from the correct proxy-ID source networks.
That could be the only reason why the Cisco device is reporting that error.
If not, then the ESP packet will definitely be received by the SRX.
Please confirm.
Regards,
rparthi
Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎12-02-2014 03:36 AM

Hi,
Totally agree with you! But I can't find any clues as to what can cause this.

For now, it is not so important, because RB IPsec has the same issue as PB in my case: the 2nd phase gets stuck after some time and comes up only if I clear the 2nd phase SA.

So I've rolled back to PB IPsec and am researching why this tunnel is so unstable. In PB IPsec, all pings work fine.
Thank you for your help!

Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎01-22-2015 07:37 AM

escapehere wrote:

Don't use proxy-ids, replace them with traffic selectors. See this:
http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/ipsec-vpn-traffic-selector-configu...
We've set it up for a VPN with an ASA and it works great.

I second that, though your code must support it :)

What's more, it means fewer lines of code, and that's always welcome when it comes to Junos.
Testing now; at first glance it seems good. The scenario I'm currently working on is route-based VPNs, multiple subnets, SRX hub and ASA spokes, three sites in total. Will post a diagram and results in due course.
Limitations noted thus far: lack of dynamic routing options, though I am still awaiting customer requirements to see if that is indeed going to be needed.

Ajaz Nawaz
JNCIE-SEC#254 | CCIE#15721
JNCIA-FWV | JNCIS-FWV
JNCIA-JUNOS | JNCIS-SEC
JNCIP-SEC | JNCIE-SEC
CCNP-Collaboration
Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎01-22-2015 11:55 PM

Thank you for your help! I'll try!

Re: SRX multiple proxy-ID on route-based VPN with multiple local networks

‎01-27-2015 03:37 AM

OK, cool. Just take note of the limitations:
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/ipsec-vpn-traffic-selector-un...
Traffic selectors cannot be configured with the following features:

  • Policy-based VPNs
  • Group or shared IKE IDs
  • IKE version 2
  • Point-to-multipoint secure tunnel (st0) interfaces
  • VPNs on which VPN monitoring is configured
  • Different address families configured for the local and remote IP addresses
  • VPNs configured with proxy identity values used in negotiation
  • Remote address value 0.0.0.0/0 (IPv4) or 0::0 (IPv6)

hth,

Ajaz Nawaz
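As an added example, not part of the thread or of any poster's configuration: the four proxy-ID VPNs from the first post (IPSEC_TEST-1 to IPSEC_TEST-4, each on its own st0 unit) rewritten as the single route-based VPN with traffic selectors that escapehere and Ajaz Nawaz recommend, one selector per local/remote pair, and kept within the limitations listed above (IKEv1 only, no proxy-identity, a point-to-point st0 unit, no VPN monitoring). The gateway, policy and interface names are the thread's own; the phase 1/2 proposals, the ASA address 203.0.113.1, the egress interface ge-0/0/0.0, the zone name and the placeholder pre-shared key are assumptions, the existing zone security policies are assumed unchanged, and the ASA's crypto ACL is assumed to carry the same four subnet pairs.

```junos
## Added example (not from the thread). Assumed: ASA at 203.0.113.1, SRX egress
## ge-0/0/0.0, zone "vpn"; replace <shared-secret> before committing.

# Phase 1: traffic selectors require IKEv1 on this release, so pin the gateway to v1.
set security ike proposal IKE-PROP-IPSEC_TEST authentication-method pre-shared-keys
set security ike proposal IKE-PROP-IPSEC_TEST dh-group group14
set security ike proposal IKE-PROP-IPSEC_TEST authentication-algorithm sha-256
set security ike proposal IKE-PROP-IPSEC_TEST encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-IPSEC_TEST lifetime-seconds 28800
set security ike policy IKE-POL-IPSEC_TEST mode main
set security ike policy IKE-POL-IPSEC_TEST proposals IKE-PROP-IPSEC_TEST
set security ike policy IKE-POL-IPSEC_TEST pre-shared-key ascii-text "<shared-secret>"
set security ike gateway IKE-GW-IPSEC_TEST ike-policy IKE-POL-IPSEC_TEST
set security ike gateway IKE-GW-IPSEC_TEST address 203.0.113.1
set security ike gateway IKE-GW-IPSEC_TEST dead-peer-detection interval 10
set security ike gateway IKE-GW-IPSEC_TEST dead-peer-detection threshold 3
set security ike gateway IKE-GW-IPSEC_TEST external-interface ge-0/0/0.0
set security ike gateway IKE-GW-IPSEC_TEST version v1-only

# Phase 2: one VPN on one st0 unit, no proxy-identity (it cannot coexist with traffic selectors).
set security ipsec proposal IPSEC-PROP-IPSEC_TEST protocol esp
set security ipsec proposal IPSEC-PROP-IPSEC_TEST authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP-IPSEC_TEST encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROP-IPSEC_TEST lifetime-seconds 3600
set security ipsec policy IPSEC-POL-IPSEC_TEST perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL-IPSEC_TEST proposals IPSEC-PROP-IPSEC_TEST
set security ipsec vpn IPSEC_TEST bind-interface st0.10
set security ipsec vpn IPSEC_TEST ike gateway IKE-GW-IPSEC_TEST
set security ipsec vpn IPSEC_TEST ike ipsec-policy IPSEC-POL-IPSEC_TEST
# Full mesh of the two local and two remote hosts: each selector becomes its own phase 2 SA,
# exactly as the four proxy-ID VPNs did, but all on st0.10.
set security ipsec vpn IPSEC_TEST traffic-selector TS-100-to-1 local-ip 100.100.100.100/32 remote-ip 1.1.1.1/32
set security ipsec vpn IPSEC_TEST traffic-selector TS-100-to-2 local-ip 100.100.100.100/32 remote-ip 2.2.2.2/32
set security ipsec vpn IPSEC_TEST traffic-selector TS-200-to-1 local-ip 200.200.200.200/32 remote-ip 1.1.1.1/32
set security ipsec vpn IPSEC_TEST traffic-selector TS-200-to-2 local-ip 200.200.200.200/32 remote-ip 2.2.2.2/32
set security ipsec vpn IPSEC_TEST establish-tunnels immediately

# The st0 unit needs no address. Routes to the remote-ip prefixes are installed
# automatically from the traffic selectors, so no static routes via st0.10 are needed.
set interfaces st0 unit 10 family inet
set security zones security-zone vpn interfaces st0.10
commit

# Verify: four phase 2 SA pairs on st0.10 and the auto-inserted routes.
show security ipsec security-associations
show security ipsec traffic-selector interface-name st0.10
show route 1.1.1.1/32
```

With `establish-tunnels immediately` all four SAs are negotiated at commit rather than on first packet, which also removes the dependency on which side initiates that the first post describes. If a fifth subnet is added later, it is one more `traffic-selector` line under the same VPN rather than a new VPN, st0 unit, zone binding and route.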