SRX


SRX to SSG site to site VPN (multiple remote subnets)

  • 1.  SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 00:40

    I am configuring a site-to-site VPN with multiple remote subnets. However, only one of the subnets works.

     

    SRX

     

    Local | SRX                        Remote | SSG
    192.168.193.0/24      <--->        192.168.96.0/24   (works)
    192.168.193.0/24      <--->        172.16.0.0/24     (cannot ping 172.16.0.0 devices)

     

    IPSEC-VPN1

    Proxy-id:  Local:192.168.193.0/24 | Remote: 192.168.96.0/24

     

    IPSEC-VPN2

    Proxy-id:  Local:192.168.193.0/24 | Remote: 172.16.0.0/24

     

    Routing-Options

    static route 0.0.0.0/0 next-hop 69.xx.50.xxx;

     

    SSG

    I checked VPN monitor status in SSG, and found both are up.

     

    LAX_VPN 000002e3 389/388 69.xx.50.xxx AutoIKE Active Up
    LAX_VPN 000002e6 1257/1258 69.xx.50.xxx AutoIKE Active Up

     

    Are any configurations missing? Thanks



  • 2.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-29-2016 00:46

    Hello,

     

    Are you using policy based VPN or route based VPN on SRX?

    How many policies or tunnel interfaces are you using?

     

    Regards,

     

    Rushi



  • 3.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 01:16

    Both sides are using policy based VPN.

     

    SRX (1 unnumbered tunnel interface, including two IPsec VPNs)

     

    Out Policy:

    1. 192.168.193.0/24 to 192.168.96.0/24 permit tunnel & pair-policy 

    2. 192.168.193.0/24 to 172.16.0.0/24 permit tunnel & pair-policy 

     

    In Policy

    3. 192.168.96.0/24 to 192.168.193.0/24 permit tunnel & pair-policy 

    4. 172.16.0.0/24 to 192.168.193.0/24 permit tunnel & pair-policy 

     

    SSG (untrust interface tunnel, including two IPsec VPNs)

    Out Policy:

    1. 192.168.96.0/24 to 192.168.193.0/24 permit tunnel & pair-policy 

    2. 172.16.0.0/24 to 192.168.193.0/24 permit tunnel & pair-policy

     

    In Policy

    3. 192.168.193.0/24 to 192.168.96.0/24 permit tunnel & pair-policy 

    4. 192.168.193.0/24 to 172.16.0.0/24 permit tunnel & pair-policy 

     

    I didn't configure proxy IDs on the SSG, only on the SRX.



  • 4.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-29-2016 01:43

    Hello,

     

    On the SSG, can you enable the IKE debug as below and provide the output of 'get db stream' once the negotiation fails, or after waiting for a minute.

     

    set sa-filter <SRX public IP>
    undebug all
    clear db
    set db size 4096
    debug ike detail   (or: debug ike all)

     

    Once you have allowed it to run for a minute, stop the debugs using the 'undebug all' command and provide the output of 'get db stream'.

     

    Regards,

     

    Rushi

     



  • 5.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 02:09

    Do I need to trigger traffic flow from both subnets to SRX?



  • 6.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 02:21

    I have captured the logs.

     

    Could you have a look? Thanks

    Attachment: debug.txt (126 KB)


  • 7.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-29-2016 09:53

    Hello,

     

    For some reason, the proxy IDs are not matching.

     

    ## 2016-08-29 17:14:05 : rcv_local_addr = 172.16.0.0, rcv_local_mask = 255.255.255.0, p_rcv_local_real = 172.16.0.0
    ## 2016-08-29 17:14:05 : rcv_remote_addr = 192.168.0.0, rcv_remote_mask = 255.255.240.0, p_rcv_remote_real = 192.168.0.0
    ## 2016-08-29 17:14:05 : ike_p2_id->local_ip = 192.168.121.0, cfg_local_mask = 255.255.255.0, p_cfg_local_real = 192.168.121.0
    ## 2016-08-29 17:14:05 : ike_p2_id->remote_ip = 30.20.10.0, cfg_remote_mask = 255.255.255.0, p_cfg_remote_real = 30.20.10.0
    ## 2016-08-29 17:14:05 : IKE<0.0.0.0        >   protocol matched expected<0>.
    ## 2016-08-29 17:14:05 : IKE<0.0.0.0        >   port matched expect l:<0>, r<0>.

    Can you cross-check the policies? Also, when you say that the SRX has one unnumbered tunnel interface, do you mean an st0.0 interface without an IP?

     

    Regards,

     

    Rushi 



  • 8.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 18:20

    Hello,

     

    Here is the configuration for the SRX

     

        ike {
            proposal P1proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 28800;
            }
            policy P1policy {
                mode aggressive;
                proposals P1proposal;
                pre-shared-key ascii-text "$9$z5GuF9pu01hyKO1b2aU.mO1REcl"; ## SECRET-DATA
            }
            gateway LAX_HKG_Phase1 {
                ike-policy P1policy;
                address 202.52.35.4;
                no-nat-traversal;
                external-interface fe-0/0/2.0;
                version v1-only;
            }
        }
        ipsec {
            proposal P2proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 36000;
            }
            policy P2policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals P2proposal;
            }
            policy P2PolicyDMZ {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals P2proposal;
            }

            vpn LAX_HKG_Tunnel {
                ike {
                    gateway LAX_HKG_Phase1;
                    proxy-identity {
                        local 192.168.193.0/24;
                        remote 192.168.96.0/20;
                        service any;
                    }
                    ipsec-policy P2policy;
                }
                establish-tunnels immediately;
            }
            vpn LAX_HKG_Tu_DMZ {
                ike {
                    gateway LAX_HKG_Phase1;
                    proxy-identity {
                        local 192.168.193.0/24;
                        remote 172.16.0.0/24;
                        service any;
                    }
                    ipsec-policy P2PolicyDMZ;
                }
                establish-tunnels immediately;
            }
        }

     

    I configured one gateway (used by vpn LAX_HKG_Tunnel and vpn LAX_HKG_Tu_DMZ), which includes two different IPsec policies.

     

    On the NetScreen, I didn't configure any proxy ID.



  • 9.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 18:29

     

    Hello,

     

    In the WebUI, under IPSec VPN Phase 2, I have configured two AutoKey VPNs.

    Neither key is bound to any interface. I configured a default route (route 0.0.0.0/0 next-hop 69.xx.50.xxx).

    [screenshots attached: ScreenHunter_03 Aug. 30 09.25.gif, ScreenHunter_02 Aug. 30 09.23.gif]

     

     

    Should I configure two sub-interfaces on both sides, and add a specific route pointing to each tunnel interface?

    Would that fix this issue? Thanks



  • 10.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-29-2016 18:55

    Hello,

     

    For now you can keep it policy-based, so there is no need to add tunnel interfaces.

    Check the VPN proxy-id configuration:

     

    vpn LAX_HKG_Tunnel {
                ike {
                    gateway LAX_HKG_Phase1;
                    proxy-identity {
                        local 192.168.193.0/24;
                        remote 192.168.96.0/20;  <--------------- Here. Shouldn't it be 192.168.96.0/24 as per initial description?
                        service any;
                    }
                    ipsec-policy P2policy;
                }
                establish-tunnels immediately;
            }

     

    Regards,

     

    Rushi



  • 11.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 19:33

    Hello,

     

    I configured the same policy on the NetScreen:

    Untrust 192.168.193.0/24 <--> Trust 192.168.96.0/20

     

    This tunnel is working fine. Just the other tunnel isn't:

     

            vpn LAX_HKG_Tu_DMZ {
                ike {
                    gateway LAX_HKG_Phase1;
                    proxy-identity {
                        local 192.168.193.0/24;
                        remote 172.16.0.0/24;
                        service any;
                    }
                    ipsec-policy P2PolicyDMZ;
                }
                establish-tunnels immediately;
            }

     

    I'm struggling with this. I have no idea why I cannot ping the 172.16.0.x devices. =(

     

    Thanks



  • 12.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-29-2016 19:49

    Hello,

     

    Ok. Now I see the problem.

     

    On the SRX, use only one VPN, without proxy-id settings. Delete the other VPN.

    Reference this VPN in 4 policies (2 outbound and 2 corresponding inbound), with each policy having a single source subnet and a single destination subnet. Let the proxy IDs be derived from the security policies.

     

    Regards,

     

    Rushi



  • 13.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 20:04

    Hello,

     

    I changed the SRX configuration like this.

     

        ipsec {
            proposal P2proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 36000;
            }
            policy P2policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals P2proposal;
            }
            policy P2PolicyDMZ {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals P2proposal;
            }
            vpn LAX_HKG_Tunnel {
                ike {
                    gateway LAX_HKG_Phase1;
                    ipsec-policy P2policy;
                }
                establish-tunnels immediately;
            }

     

    =============================================

            from-zone Untrust to-zone Trust {                                            <---Untrust to trust
                policy HKGOffice_to_LAXOffice {
                    match {
                        source-address [ HKG_Office HKG_DMZ2 ];                 <--- two address-book entries
                        destination-address LAX_Office;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn LAX_HKG_Tunnel;
                                pair-policy LAXOffice_to_HKGOffice;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone Trust to-zone Untrust {                                            <---trust to Untrust
                policy LAXOffice_to_HKGOffice {
                    match {
                        source-address LAX_Office;
                        destination-address [ HKG_Office HKG_DMZ2 ];              <--- two address-book entries
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn LAX_HKG_Tunnel;
                                pair-policy HKGOffice_to_LAXOffice;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }

     

    On the NetScreen, the VPN monitor status is:

     

    LAX_VPN 000002e3 389/388 69.75.50.154 AutoIKE Active Up
    LAX_VPN 000002e6 1257/1258 69.75.50.154 AutoIKE Inactive Inactive

     

    Thanks



  • 14.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-29-2016 20:12

    Hello,

     

    One policy pair will be from Trust to Untrust and from Untrust to Trust, with a single source and destination subnet in it.

    The other policy pair should be from DMZ to Untrust and from Untrust to DMZ, with a single source and destination subnet in it.

     

    Note: this assumes one subnet is in Trust and the other in DMZ.

     

    Regards,

     

    Rushi
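    The single-VPN, four-policy layout Rushi describes in posts 12 and 14, written out as an added example (it is not the original poster's configuration, nor Rushi's). On the SRX both remote subnets are reached through Untrust, so both policy pairs are Trust/Untrust here. The address-book names LAX_Office, HKG_Office and HKG_DMZ2 come from post 13, the policy names are invented, and the remote prefixes follow post 11 (192.168.96.0/20) and the original post (172.16.0.0/24); gateway LAX_HKG_Phase1 and IPsec policy P2policy are the ones from post 8. Each policy names exactly one source and one destination prefix: a policy-based VPN on the SRX derives its Phase 2 proxy ID from the policy's addresses, and for an address set such as [ HKG_Office HKG_DMZ2 ] it falls back to 0.0.0.0/0, which the SSG's policy-derived proxy IDs will never match.

    ```junos
    security {
        ipsec {
            /* one VPN object and no proxy-identity: each policy below supplies its own */
            vpn LAX_HKG_Tunnel {
                ike {
                    gateway LAX_HKG_Phase1;
                    ipsec-policy P2policy;
                }
                establish-tunnels immediately;
            }
        }
        policies {
            from-zone Trust to-zone Untrust {
                /* pair 1: LAX office <-> HKG office, proxy-id 192.168.193.0/24 <-> 192.168.96.0/20 */
                policy LAX_to_HKG_Office {
                    match {
                        source-address LAX_Office;
                        destination-address HKG_Office;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn LAX_HKG_Tunnel;
                                pair-policy HKG_Office_to_LAX;
                            }
                        }
                    }
                }
                /* pair 2: LAX office <-> HKG DMZ, proxy-id 192.168.193.0/24 <-> 172.16.0.0/24 */
                policy LAX_to_HKG_DMZ {
                    match {
                        source-address LAX_Office;
                        destination-address HKG_DMZ2;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn LAX_HKG_Tunnel;
                                pair-policy HKG_DMZ_to_LAX;
                            }
                        }
                    }
                }
            }
            from-zone Untrust to-zone Trust {
                /* reverse direction of each pair; names must point back at the Trust->Untrust policy */
                policy HKG_Office_to_LAX {
                    match {
                        source-address HKG_Office;
                        destination-address LAX_Office;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn LAX_HKG_Tunnel;
                                pair-policy LAX_to_HKG_Office;
                            }
                        }
                    }
                }
                policy HKG_DMZ_to_LAX {
                    match {
                        source-address HKG_DMZ2;
                        destination-address LAX_Office;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn LAX_HKG_Tunnel;
                                pair-policy LAX_to_HKG_DMZ;
                            }
                        }
                    }
                }
            }
        }
    }
    ```

    Policies in a zone pair are evaluated in order, so the two Trust-to-Untrust tunnel policies must sit above any broad Trust-to-Untrust Internet permit policy (`insert security policies from-zone Trust to-zone Untrust policy LAX_to_HKG_DMZ before policy <internet-policy>`), otherwise traffic for 172.16.0.0/24 follows the default route out to the ISP exactly as the ping output in post 22 shows. After a commit, `show security ipsec security-associations detail` should list two Phase 2 SAs whose Local Identity / Remote Identity lines mirror the SSG policies one for one.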



  • 15.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 20:49

    Hello,

     

    I tried to configure, but hit this error.

     

    [screenshots attached: ScreenHunter_05 Aug. 30 11.44.gif, ScreenHunter_04 Aug. 30 11.44.gif]

     

    I configured both policies under IPsec VPN with pair-policy.

     

    [screenshots attached: ScreenHunter_06 Aug. 30 11.47.gif, ScreenHunter_07 Aug. 30 11.47.gif]

     

    Am I misconfiguring somewhere? Thanks



  • 16.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-29-2016 21:12

    Hi,

     

    Do you have 2 policies with the same name in the same zone context?

     

    Regards,

    Anand



  • 17.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-30-2016 18:39

    Yes, I found that a one-way tunnel is formed when using the policy-based tunnel.

     

    SRX     < tunnel>    NetScreen

    <------------------------ One-way traffic via tunnel

    SRX traffic goes to the Internet

     

    I reconfigured it back to a route-based tunnel:

    SRX     <tunnel>     NetScreen

    trust <-----------------> trust: tunnel is up

    trust <-----------------> dmz: down until the above tunnel goes down; then it will come up

     

    Thanks



  • 18.  RE: SRX to SSG site to site VPN (multiple remote subnets)

     
    Posted 08-30-2016 19:21

    Hello,

     

    Can you provide the complete configuration of the SSG and the SRX in their present form?

     

    Regards,

     

    Rushi



  • 19.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-30-2016 20:31

    Hello,

     

    I changed the firewall config to route-based for the moment,

    so that traffic can go via both sides.

     

    You can refer to LAX_VPN in the HKGFWL0001 file.

     

    Thanks



  • 20.  RE: SRX to SSG site to site VPN (multiple remote subnets)
    Best Answer

     
    Posted 08-30-2016 21:28

    Hello,

    To make the VPNs work, do the following on the SRX if you want to keep route-based VPN.

    -> Create two tunnel interfaces and two VPNs as below (with policy-based VPN, only one VPN is required, which is then used in multiple policies):

    vpn LAX_HKG_Tunnel-1 {
        bind-interface st0.0;
        ike {
            gateway LAX_HKG_Phase1;
            proxy-identity {
                local 192.168.193.0/24;
                remote 192.168.96.0/20;
            }
            ipsec-policy P2policy;
        }
        establish-tunnels immediately;
    }

    vpn LAX_HKG_Tunnel2 {
        bind-interface st0.1;
        ike {
            gateway LAX_HKG_Phase1;
            proxy-identity {
                local 192.168.193.0/24;
                remote 172.16.0.0/20;
            }
            ipsec-policy P2policy;
        }
        establish-tunnels immediately;
    }

    routing-options {
        static {
            route 192.168.96.0/20 next-hop st0.0;
            route 172.16.0.0/24 next-hop st0.1;
        }
    }

    On the SSG, I am assuming LAX_VPN and LAX_Gateway are the relevant configuration for the VPN with the SRX. Keep that configuration intact.

     

    Regards,

     

    Rushi
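    The route-based layout from the best answer, completed into a configuration that commits, as an added example (not the original poster's configuration, nor Rushi's). It adds the pieces the answer leaves implicit: the st0 units themselves, a security zone for them, and plain (non-tunnel) policies between Trust and that zone, since with a route-based VPN the route selects the tunnel and the policies only need to permit the traffic. Assumed names: zone VPN, the policy names, and the address-book entries LAX_Office, HKG_Office and HKG_DMZ2 from post 13; gateway LAX_HKG_Phase1 and IPsec policy P2policy are the ones from post 8. The DMZ proxy ID is 172.16.0.0/24, matching the static route and the SSG policy, rather than /20: IKEv1 between an SRX and ScreenOS requires the two sides' proxy IDs to mirror each other exactly, so a /20 on the SRX against a /24 SSG policy would fail Phase 2 in the same way the thread's debug output does.

    ```junos
    interfaces {
        st0 {
            /* one tunnel unit per remote subnet; no address is needed for a static next-hop */
            unit 0 {
                family inet;
            }
            unit 1 {
                family inet;
            }
        }
    }
    routing-options {
        static {
            /* the route, not a policy, picks the tunnel for each remote prefix */
            route 192.168.96.0/20 next-hop st0.0;
            route 172.16.0.0/24 next-hop st0.1;
        }
    }
    security {
        zones {
            /* tunnel interfaces must belong to a zone before any policy can permit their traffic */
            security-zone VPN {
                interfaces {
                    st0.0;
                    st0.1;
                }
            }
        }
        ipsec {
            /* both VPNs share the Phase 1 gateway; distinct proxy-identity per VPN */
            vpn LAX_HKG_Tunnel-1 {
                bind-interface st0.0;
                ike {
                    gateway LAX_HKG_Phase1;
                    proxy-identity {
                        local 192.168.193.0/24;
                        remote 192.168.96.0/20;
                        service any;
                    }
                    ipsec-policy P2policy;
                }
                establish-tunnels immediately;
            }
            vpn LAX_HKG_Tunnel-2 {
                bind-interface st0.1;
                ike {
                    gateway LAX_HKG_Phase1;
                    proxy-identity {
                        local 192.168.193.0/24;
                        remote 172.16.0.0/24;
                        service any;
                    }
                    ipsec-policy P2policy;
                }
                establish-tunnels immediately;
            }
        }
        policies {
            /* plain permit policies: no tunnel/pair-policy stanza in route-based mode */
            from-zone Trust to-zone VPN {
                policy LAX_to_HKG {
                    match {
                        source-address LAX_Office;
                        destination-address [ HKG_Office HKG_DMZ2 ];
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone VPN to-zone Trust {
                policy HKG_to_LAX {
                    match {
                        source-address [ HKG_Office HKG_DMZ2 ];
                        destination-address LAX_Office;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
    }
    ```

    Address sets are fine in these policies because in route-based mode the proxy IDs come from the proxy-identity stanzas, not from the policies. To verify: `show route 172.16.0.20` must resolve via st0.1 (the default route via fe-0/0/2.0 in post 22 is the symptom of a missing tunnel route); `show security ike security-associations` shows one Phase 1 SA to the SSG; `show security ipsec security-associations` shows one SA per st0 unit, and the `detail` form shows the Local Identity / Remote Identity that must mirror the SSG policy's source and destination. On the SSG, `get sa` should list both LAX_VPN entries as Active/Up.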



  • 21.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-30-2016 23:10

    Thanks mate. I tried this configuration before but I have no idea why it didn't work.



  • 22.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 21:23

    Halfway to the goal. I tried to ping from 192.168.96.0/24 and 172.16.0.x devices to 192.168.193.1.

    It works.

     

    [screenshots attached: ScreenHunter_08 Aug. 30 12.18.gif, ScreenHunter_09 Aug. 30 12.18.gif]

    However, the 192.168.193.1 firewall and other devices cannot ping the 192.168.96.0/24 and 172.16.0.x devices.

    Devices in 192.168.96.0/24 and 172.16.0.x can remote to 192.168.193.x devices.

     

    kaychan@LAXFWL0001> ping 192.168.99.109
    PING 192.168.99.109 (192.168.99.109): 56 data bytes
    76 bytes from agg10.tustcaft01r.socal.rr.com (66.75.161.48): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  40 0054 5908   0 0000  01  01 c466 69.75.50.154  192.168.99.109

    76 bytes from agg10.tustcaft01r.socal.rr.com (66.75.161.48): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  40 0054 590f   0 0000  01  01 c45f 69.75.50.154  192.168.99.109

    76 bytes from agg10.tustcaft01r.socal.rr.com (66.75.161.48): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  40 0054 591a   0 0000  01  01 c454 69.75.50.154  192.168.99.109

    76 bytes from agg10.tustcaft01r.socal.rr.com (66.75.161.48): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  40 0054 5921   0 0000  01  01 c44d 69.75.50.154  192.168.99.109

    ^C
    --- 192.168.99.109 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

    kaychan@LAXFWL0001> ping 172.16.0.20
    PING 172.16.0.20 (172.16.0.20): 56 data bytes
    ^C
    --- 172.16.0.20 ping statistics ---
    11 packets transmitted, 0 packets received, 100% packet loss

    kaychan@LAXFWL0001> show route 172.16.0.20

    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 2w5d 20:13:48
                        > to 69.75.50.153 via fe-0/0/2.0

    kaychan@LAXFWL0001> show route 192.168.99.109

    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 2w5d 20:13:57
                        > to 69.75.50.153 via fe-0/0/2.0

    kaychan@LAXFWL0001>

     

    [screenshot attached: ScreenHunter_10 Aug. 30 12.21.gif]

     

    Thanks



  • 23.  RE: SRX to SSG site to site VPN (multiple remote subnets)

    Posted 08-29-2016 22:30

    Hello,

     

    I have configured no source NAT, as shown below, and only a default route pointing to the gateway.

     

    [screenshot attached: ScreenHunter_11 Aug. 30 13.28.gif]

     

    Thanks