SRX Services Gateway

SRX210 - IPSec packets denied by default policy

03-24-2014 11:59 AM

This is a VPN connection between Amazon VPC and my office. I used the configuration which comes from Amazon when choosing to use JunOS, though they list JunOS 9 as the version and I'm using 11.

Mar 24 18:23:01 18:23:01.079507:CID-0:RT:<10.0.1.4/3->10.10.10.174/2681;1> matched filter client:

Mar 24 18:23:01 18:23:01.079507:CID-0:RT:Packet [84] ipid = 53088, @422db09e
Mar 24 18:23:01 18:23:01.079507:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 14, common flag 0x0, mbuf 0x422dae80, rtbl_idx = 0
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: flow process pak fast ifl 70 in_ifp vlan.0
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: vlan.0:10.0.1.4->10.10.10.174, icmp, (8/0)
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: find flow: table 0x4dd0d5c0, hash 46732(0xffff), sa 10.0.1.4, da 10.10.10.174, sp 3, dp 2681, proto 1, tok 6
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: flow_first_create_session
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: flow_first_in_dst_nat: in <vlan.0>, out <N/A> dst_adr 10.10.10.174, sp 3, dp 2681
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: chose interface vlan.0 as incoming nat if.
Mar 24 18:23:01 18:23:01.079507:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.174(2681)
Mar 24 18:23:01 18:23:01.079507:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.0.1.4, x_dst_ip 10.10.10.174, in ifp vlan.0, out ifp N/A sp 3, dp 2681, ip_proto 1, tos 0
Mar 24 18:23:01 18:23:01.079507:CID-0:RT:Doing DESTINATION addr route-lookup
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: routed (x_dst_ip 10.10.10.174) from trust (vlan.0 in 0) to st0.1, Next-hop: 169.254.255.72
Mar 24 18:23:01 18:23:01.079507:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x30a79,0xa79)
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: packet dropped, denied by policy
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: packet dropped, policy deny.
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: flow find session returns error.
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

This is what my default security policy looks like:

policy-statement EXPORT-DEFAULT {
    term default {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

More information that might be helpful:

show security policies

Default policy: deny-all
From zone: trust, To zone: untrust
  Policy: trust-to-untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: trust
  Policy: vpn--tr-untr, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: dev-vpn-useast-1, dev-vpn-useast-2
    Destination addresses: any
    Applications: any
    Action: permit


Re: SRX210 - IPSec packets denied by default policy

03-24-2014 06:06 PM

Mar 24 18:23:01 18:23:01.079507:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x30a79,0xa79)
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: packet dropped, denied by policy
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: denied by policy default-policy-00(2), dropping pkt

Do you have intra-zone blocking enabled? Try adding a policy as below, since the policy search is within the trust zone.

[edit security policies]
SRX# show
from-zone trust to-zone trust {
      policy trust-to-trust {
            match {
                  source-address any;
                  destination-address any;
                  application any;
            }
            then {
                  permit;
            }
      }
}

"policy-statement EXPORT-DEFAULT {
    term default {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}" ---> I am new to Junos, but this is not a security policy.
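As an added example that is not part of this thread, a small Python parser for the flow trace quoted above: it pulls out the route step (ingress zone, ingress and egress interfaces), the zone pair the policy lookup actually used, and the verdict, then reports when a drop came from the default policy on an intra-zone path such as trust->trust via st0.1. The sample trace is constructed from the lines posted in the question; the "permitted by policy" spelling for the permit case is an assumption.

```python
import re

# Constructed sample: the four trace lines from this thread that carry the
# route decision, the zone pair and the policy verdict.
SAMPLE_TRACE = """\
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: vlan.0:10.0.1.4->10.10.10.174, icmp, (8/0)
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: routed (x_dst_ip 10.10.10.174) from trust (vlan.0 in 0) to st0.1, Next-hop: 169.254.255.72
Mar 24 18:23:01 18:23:01.079507:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone trust (0x0,0x30a79,0xa79)
Mar 24 18:23:01 18:23:01.079507:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
"""

# Route step: ingress zone, ingress ifl and egress ifl (the st0.x tunnel here).
ROUTED_RE = re.compile(r"routed \(x_dst_ip \S+\) from (\S+) \((\S+) in \d+\) to (\S+),")
# Policy lookup: the zone pair the flow module actually searched.
ZONES_RE = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
# Verdict line; the policy name is followed by its index in parentheses.
# "denied" is taken from the trace above; the "permitted" spelling is assumed.
VERDICT_RE = re.compile(r"(permitted|denied) by policy ([^\s(,]+)")


def analyze_flow_trace(trace):
    """Extract zone pair, interfaces and policy verdict from one first-path trace."""
    info = {"from_zone": None, "to_zone": None, "in_ifp": None,
            "out_ifp": None, "policy": None, "verdict": None}
    for line in trace.splitlines():
        if m := ROUTED_RE.search(line):
            info["from_zone"], info["in_ifp"], info["out_ifp"] = m.groups()
        elif m := ZONES_RE.search(line):
            info["from_zone"], info["to_zone"] = m.groups()
        elif m := VERDICT_RE.search(line):
            info["verdict"], info["policy"] = m.groups()
    return info


def diagnose(info):
    """Say which security policy stanza the dropped flow needed."""
    if info["verdict"] != "denied":
        return "permitted" if info["verdict"] == "permitted" else "no verdict in trace"
    fz, tz, out = info["from_zone"], info["to_zone"], info["out_ifp"] or "?"
    if not (info["policy"] or "").startswith("default-policy"):
        return f"explicitly denied by policy {info['policy']} ({fz}->{tz})"
    kind = "intra-zone" if fz == tz else "inter-zone"
    return (f"{kind} traffic {fz}->{tz} via {out} fell through to the default "
            f"deny: no 'from-zone {fz} to-zone {tz}' policy matched")


if __name__ == "__main__":
    print(diagnose(analyze_flow_trace(SAMPLE_TRACE)))
```

Run it against a full traceoptions dump and the diagnosis names the exact from-zone/to-zone pair that needs a policy, which is the check the reply above asks the poster to make by hand.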


Re: SRX210 - IPSec packets denied by default policy

03-24-2014 08:01 PM

Yes, you were right on both accounts. I did not have a trust-to-trust policy in place. Also that was not a security policy, I forget where that came from but it looks like a routing policy.