SRX Services Gateway

Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-05-2015 11:58 PM

Hi Folks!

 

I have a huge problem getting a simple IPsec VPN tunnel between an SRX100 and an SSG520 working.

On my SSG520, I have many IPsec tunnels from various routers (Netgear, Cisco, other NetScreen OS) without any problem.

Now I have a new SRX100, the only Junos-driven device in my environment, and I can't get this VPN tunnel up!

 

Logging on my SSG520:

2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                       53b6e132: Responded to the peer's 
                                       first message.
2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 Phase 1: Completed 
                                       Aggressive mode negotiations with a 
                                       28800-second lifetime.
2015-02-06 08:20:59 system info  00536 IKE<46.142.93.122> Phase 1: IKE 
                                       responder has detected NAT in front of 
                                       the remote device.
2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 phase 1:The 
                                       symmetric crypto key has been 
                                       generated successfully.
2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 Phase 1: Responder 
                                       starts AGGRESSIVE mode negotiations.
2015-02-06 08:20:39 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                       09f7a4fb: Responded to the peer's 
                                       first message.
2015-02-06 08:19:59 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                       09f7a4fb: Responded to the peer's 
                                       first message.
2015-02-06 08:19:49 system info  00536 Rejected an IKE packet on ethernet2/
                                       2.1 from 46.142.93.122:4500 to 
                                       86.103.130.68:4500 with cookies 
                                       b70c1283f245cb78 and 6e5538e5f9d70375 
                                       because There was a preexisting 
                                       session from the same peer.
2015-02-06 08:19:49 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                       09f7a4fb: Responded to the peer's 
                                       first message.
2015-02-06 08:19:49 system info  00536 IKE 46.142.93.122 Phase 1: Completed 
                                       Aggressive mode negotiations with a 
                                       28800-second lifetime.
2015-02-06 08:19:49 system info  00536 IKE<46.142.93.122> Phase 1: IKE 
                                       responder has detected NAT in front of 
                                       the remote device.
2015-02-06 08:19:49 system info  00536 IKE 46.142.93.122 phase 1:The 
                                       symmetric crypto key has been 
                                       generated successfully.

This repeats over and over again...

 

So I thought I'd have a look at the logs on my SRX100, but where?

 

I googled around and found this kb: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10099&smlogin=true

 

I wonder, why I have to enable logging at the first place...

 

So, I set a new log-file as described in this kb article:

 

# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit

 

I tried to get the tunnel up (the SRX is the initiator) and reviewed the kmd log file, which said:

 

Feb  5 11:21:54  metzi kmd[1374]: Initialized Empty Buffer (44 bytes), Message length: 44
Feb  5 11:21:56  metzi kmd[1374]: LIBJSNMP_SA_IPC_REG_ROWS: ns_subagent_register_mibs: registering 4 rows
Feb  5 11:22:00  metzi kmd[1374]: Config download: Processed 1 - 1 messages
Feb  5 11:22:00  metzi kmd[1374]: Config download time: 0 seconds
Feb  5 11:22:01  metzi kmd[1374]: LIBJSNMP_NS_LOG_INFO: INFO: ns_subagent_open_session: NET-SNMP version 5.3.1 AgentX subagent connected
Feb  5 11:56:53  metzi kmd[1374]: Config download: Processed 2 - 3 messages
Feb  5 11:56:53  metzi kmd[1374]: Config download time: 0 seconds
Feb  5 12:02:53  metzi kmd[3126]: Initialized Empty Buffer (44 bytes), Message length: 44
Feb  5 12:02:53  metzi kmd[3126]: LIBJSNMP_SA_IPC_REG_ROWS: ns_subagent_register_mibs: registering 4 rows
Feb  5 12:02:54  metzi kmd[3126]: Config download: Processed 1 - 1 messages
Feb  5 12:02:54  metzi kmd[3126]: Config download time: 0 seconds
Feb  5 12:02:54  metzi kmd[3126]: LIBJSNMP_NS_LOG_INFO: INFO: ns_subagent_open_session: NET-SNMP version 5.3.1 AgentX subagent connected
Feb  6 06:27:09  metzi kmd[3126]: Config download: Processed 1 - 2 messages
Feb  6 06:27:09  metzi kmd[3126]: Config download time: 0 seconds

Why didn't I see any entries like "IKE Phase-2 Failure: Quick mode - no proposal chosen" or anything like that?

 

What do I have to do to get my SRX to log the same way my SSG520 does? Or which log file do I have to review?

 

VPN Config SSG520:

cluster:tfkiel_kiwi_fw_2(M)-> get config | inc vpn_metzinger
set ike gateway "vpn_metzinger" address 0.0.0.0 id "metzinger@tfkiel.de" Aggr outgoing-interface "ethernet2/2.1" preshare "9bN0F3a8NY6yMwsr21Cc6TJmqRnJ2LSgjfLjZS6WoiDuWBPoiAafLS8=" proposal "pre-g5-aes256-sha"
unset ike gateway "vpn_metzinger" nat-traversal udp-checksum
set ike gateway "vpn_metzinger" nat-traversal keepalive-frequency 5
set vpn "vpn_metzinger" gateway "vpn_metzinger" replay tunnel idletime 0 proposal "g5-esp-aes256-sha" 
set vpn "vpn_metzinger" monitor source-interface ethernet0/1.3 destination-ip 192.168.179.14 optimized
set vpn "vpn_metzinger" id 0x16e bind interface tunnel.1
set vpn "vpn_metzinger" proxy-id local-ip 192.168.8.0/24 remote-ip 192.168.179.0/24 "ANY" 

 

VPN Config SRX100:

set security ike proposal pre-g5-aes256-sha authentication-method pre-shared-keys
set security ike proposal pre-g5-aes256-sha dh-group group5
set security ike proposal pre-g5-aes256-sha authentication-algorithm sha1
set security ike proposal pre-g5-aes256-sha encryption-algorithm aes-256-cbc
set security ike proposal pre-g5-aes256-sha lifetime-seconds 28800
set security ike policy vpn_transfair mode aggressive
set security ike policy vpn_transfair proposals pre-g5-aes256-sha
set security ike policy vpn_transfair pre-shared-key ascii-text "$9$HmQ3CtO1EcmfRSleW84aZjHmQzn9tOzF/tpOcSYg4JDkP5Fftsge"
set security ike gateway vpn_transfair ike-policy vpn_transfair
set security ike gateway vpn_transfair address 1.1.1.1
set security ike gateway vpn_transfair local-identity user-at-hostname "metzinger@tfkiel.de"
set security ike gateway vpn_transfair external-interface fe-0/0/0
set security ike gateway vpn_transfair version v1-only
set security ipsec proposal esp-aes256-sha protocol esp
set security ipsec proposal esp-aes256-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal esp-aes256-sha encryption-algorithm aes-256-cbc
set security ipsec proposal esp-aes256-sha lifetime-seconds 3600
set security ipsec policy g5-esp-aes256-sha perfect-forward-secrecy keys group5
set security ipsec policy g5-esp-aes256-sha proposals esp-aes256-sha
set security ipsec vpn vpn_transfair bind-interface st0.1
set security ipsec vpn vpn_transfair ike gateway vpn_transfair
set security ipsec vpn vpn_transfair ike proxy-identity local 192.168.179.0/24
set security ipsec vpn vpn_transfair ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn vpn_transfair ike proxy-identity service any
set security ipsec vpn vpn_transfair ike ipsec-policy g5-esp-aes256-sha
set security ipsec vpn vpn_transfair establish-tunnels immediately

 


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-06-2015 02:26 AM

Please enable ike/ipsec traceoptions as below.

 

set security ike traceoptions flag all

set security ipsec traceoptions flag all

commit

 

The logs will be in the "kmd" file.

 

>show log kmd

 

Please refer to SRX Resolution Guide for more details on troubleshooting

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&smlogin=true

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10093

 

Thanks,

Suraj

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-06-2015 02:44 AM

Thanks for the quick reply!

 

I enabled the logging as you described. This is what I get:

 

[Feb  5 13:25:53]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Feb  5 11:22:01]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received

Why is this?

The command restart ipsec-key-management has no effect on this.

Thanks in advance!

 

Cheers

 

Andy


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-06-2015 03:07 AM

This is not giving much information. Can you make sure the lifetime is configured the same on both SSG and SRX?

 

Also try deactivating/activating the ike/ipsec configuration and see if you get any other messages.

 

deactivate security ike

deactivate security ipsec

commit

 

activate security ike

activate security ipsec

commit

 

Please make sure st0 is assigned to a security zone.

 

Also please provide the below outputs

 

show security ike security-associations

 

show security ipsec security-associations

 

Thanks,

Suraj

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-08-2015 10:56 PM

Hello Suraj!

 

I deactivated and activated ike and ipsec security. I also deleted the VPN config on both sides and created a new config -> same result! Stuck in phase 2...

 

Here's my output as you requested:

 

root@metzi> show security ike security-associations      
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
4277358 UP     988c11c7c5233dcc  f8eac1e99c7bd84d  Aggressive     86.103.130.68   

root@metzi> show security ipsec security-associations    
 Total active tunnels: 0

Interface st0.1 is assigned to my untrust zone "internet" .

 

What the heck is wrong with my config?! So many other vpn tunnels are working with the same proposals...


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-09-2015 05:58 AM

I don't get it!

 

I just loaded the factory defaults on my SRX100 and configured it from scratch.

Here's my all new config:

 

root@metze> show configuration | display set 
set version 12.1X44.3
set system host-name metze
set system time-zone GMT+1
set system root-authentication encrypted-password "$1$9TAa31UU$lSJgl9v5bQIIbL6LUrL4d2"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-resolution no-resolve-on-input
set system services ssh
set system services web-management http interface fe-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface fe-0/0/1.0
set system services web-management session idle-timeout 60
set system services dhcp pool 192.168.179.0/24 address-range low 192.168.179.110
set system services dhcp pool 192.168.179.0/24 address-range high 192.168.179.254
set system services dhcp pool 192.168.179.0/24 router 192.168.179.1
set system services dhcp propagate-settings fe-0/0/0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server de.pool.ntp.org
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces fe-0/0/1 unit 0 family inet address 192.168.179.1/24
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set routing-options static route 192.168.8.0/24 next-hop st0.1
set protocols stp
set security ike proposal pre-g5-aes256-sha authentication-method pre-shared-keys
set security ike proposal pre-g5-aes256-sha dh-group group5
set security ike proposal pre-g5-aes256-sha authentication-algorithm sha1
set security ike proposal pre-g5-aes256-sha encryption-algorithm aes-256-cbc
set security ike proposal pre-g5-aes256-sha lifetime-seconds 28800
set security ike policy pre-g5-aes256-sha-St1 mode aggressive
set security ike policy pre-g5-aes256-sha-St1 proposals pre-g5-aes256-sha
set security ike policy pre-g5-aes256-sha-St1 pre-shared-key ascii-text "secret_psk"
set security ike gateway vpn_transfair_p1 ike-policy pre-g5-aes256-sha-St1
set security ike gateway vpn_transfair_p1 address 86.103.130.68
set security ike gateway vpn_transfair_p1 local-identity user-at-hostname "metzinger@tfkiel.de"
set security ike gateway vpn_transfair_p1 external-interface fe-0/0/0
set security ike gateway vpn_transfair_p1 version v1-only
set security ipsec proposal esp-aes256-sha protocol esp
set security ipsec proposal esp-aes256-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal esp-aes256-sha encryption-algorithm aes-256-cbc
set security ipsec proposal esp-aes256-sha lifetime-seconds 3600
set security ipsec policy g5-esp-aes256-sha perfect-forward-secrecy keys group5
set security ipsec policy g5-esp-aes256-sha proposals esp-aes256-sha
set security ipsec vpn vpn_transfair_p2 bind-interface st0.1
set security ipsec vpn vpn_transfair_p2 ike gateway vpn_transfair_p1
set security ipsec vpn vpn_transfair_p2 ike proxy-identity local 192.168.179.0/24
set security ipsec vpn vpn_transfair_p2 ike proxy-identity remote 192.168.8.0/24
set security ipsec vpn vpn_transfair_p2 ike proxy-identity service any
set security ipsec vpn vpn_transfair_p2 ike ipsec-policy g5-esp-aes256-sha
set security ipsec vpn vpn_transfair_p2 establish-tunnels on-traffic
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set nat_source from zone home
set security nat source rule-set nat_source to zone Internet
set security nat source rule-set nat_source rule nat match source-address 192.168.179.0/24
set security nat source rule-set nat_source rule nat match destination-address 8.8.8.8/32
set security nat source rule-set nat_source rule nat then source-nat interface
set security policies from-zone home to-zone Internet policy All_home_Internet match source-address any
set security policies from-zone home to-zone Internet policy All_home_Internet match destination-address any
set security policies from-zone home to-zone Internet policy All_home_Internet match application any
set security policies from-zone home to-zone Internet policy All_home_Internet then permit
set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone Internet interfaces st0.1

 

What is wrong with this config?!

 

Any help will be appreciated...


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-09-2015 06:06 AM

I've had similar issues and it was down to the Proxy ID. Make sure it's mirrored on both ends, or as a test don't use a Proxy ID and see if phase 2 comes up.

 

Also I don't see you have allowed IKE on the host-inbound on the Internet zone.

 

Thanks.

Mas


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-09-2015 07:02 AM

Hi Mas.

 

Thanks for your reply!

I have now allowed IKE on the host-inbound on the Internet zone -> same result

I also unchecked the proxy-IDs on both sides -> same result

 

I never had so many issues building a VPN tunnel...

 

Here's the config on my SSG520, just in case I missed something:

 

set ike p1-proposal "pre-g5-aes256-sha" preshare group5 esp aes256 sha-1 hour 8
set ike p2-proposal "g5-esp-aes256-sha" group5 esp aes256 sha-1 hour 1
set ike gateway "vpn_metzinger" address 0.0.0.0 id "metzinger@tfkiel.de" Aggr outgoing-interface "ethernet2/2.1" preshare "secret_psk" proposal "pre-g5-aes256-sha"
set ike gateway "vpn_metzinger" nat-traversal keepalive-frequency 5
set vpn "vpn_metzinger" gateway "vpn_metzinger" replay tunnel idletime 0 proposal "g5-esp-aes256-sha" 
set vpn "vpn_metzinger" monitor optimized
set vpn "vpn_metzinger" id 0x170 bind interface tunnel.1
set route 192.168.179.0/24 interface tunnel.1

Policies are also set.

Thanks in advance!

 

 

Cheers

 

Andy


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 01:49 AM

Hey Andy,

 

Can you PM your full config from both firewalls if that's ok?  I'll lab it up for you when I have some spare time.  The config looks correct to me, can't see anything wrong with it.

 

Cheers.

Mas


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 02:29 AM

I generally wouldn't put the st0.1 interface into the same zone as your Internet-edge.  I would create a new zone for the tunnel-interface, and then make sure you have appropriate security policies for the traffic between your internal and the new VPN zone.  Also, it looks like your current source-NAT policy only matches on the destination-address of 8.8.8.8?  Is it your intention that traffic to all other Internet sites does not work?

JNCIE-SEC #127
JNCIE-ENT #489

Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 03:18 AM

Also, is it possible there is another VPN tunnel on the SSG side that uses the ID:  metzinger@tfkiel.de?  Since you are using that as your identifier, it has to be unique among your VPN tunnels.

JNCIE-SEC #127
JNCIE-ENT #489

Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 06:05 AM

Hi!

 

I put st0.1 in a newly created zone "vpn" and set appropriate security policies for the traffic.

My source NAT policy was only for testing purposes. Meanwhile I added 0.0.0.0/0 for interface NAT and 192.168.8.0/24 for no NAT.

Result is sadly still the same.

I will try another srx100...

I'm desperate.

 

 

Thank you all so far for your help!

 

Andy


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 08:55 AM

Hello.

 

Are you able to provide debugs from the ScreenOS firewall?

 

set sa-filter <public_ip_srx>

set dbuf size 4096

debug ike detail

clear db

*** let a few iterations of ipsec failure occur ***

undebug all

get db stream

 

 

Regards,

Sam


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 09:46 AM

Can you try adding "set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike"?

 

Without this command, the SRX's internet-facing interface never allows in port 500 traffic, and IKE negotiation fails.

 

I verified this on SRX210 (12.1X44-D40) and SSG-350M (6.3.0r17).

 

Regards,

Sam

 

 


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 09:52 AM

Hi Sam!

 

Thanks for your input! I'll do this tomorrow since I don't have access to my ssg right now ;-)

I'll post the results as soon as possible.

 

Cheers

 

Andy

Solution
Accepted by topic author MetzingerAn
‎08-26-2015 01:27 AM

Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-10-2015 10:23 AM

Please verify you have configured:

 

 

"set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike"

 

I took this out on our lab srx, and i got the same exact event logs on our screenos firewall.

 

When I put this back in, the VPN came up.

 

 

Regards,

Sam
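The accepted fix is a zone setting that a configuration check can catch before a tunnel is ever attempted. The following is an added example, not code from this thread or from Juniper: it lints a `show configuration | display set` dump for the two zone issues raised here (the IKE gateway's external interface must be in a zone that permits host-inbound `ike`, and the VPN's st0 unit must belong to some zone). The sample configuration is constructed from the thread's own set lines; the token positions it relies on are an assumption about the `display set` format.

```python
"""Lint a Junos 'show configuration | display set' dump for the two zone
problems raised in this thread: the IKE gateway's external interface must
sit in a zone that permits host-inbound system-services 'ike', and the st0
unit a VPN binds to must belong to some zone. Added example, not code from
the thread; the sample config is constructed from the thread's set lines."""
from typing import List, Optional, Set

# Constructed sample: the failing configuration from earlier in the thread.
SAMPLE_CONFIG = """\
set interfaces fe-0/0/0 unit 0 family inet dhcp
set interfaces st0 unit 1 family inet
set security ike gateway vpn_transfair_p1 external-interface fe-0/0/0
set security ipsec vpn vpn_transfair_p2 bind-interface st0.1
set security ipsec vpn vpn_transfair_p2 ike gateway vpn_transfair_p1
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone Internet interfaces st0.1
"""
# The same config with the line from the accepted answer added.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "set security zones security-zone Internet interfaces fe-0/0/0.0 "
    "host-inbound-traffic system-services ike\n"
)


def parse_set_lines(text: str) -> List[List[str]]:
    """Tokenise every 'set ...' statement; other lines are ignored."""
    return [ln.split() for ln in text.splitlines() if ln.strip().startswith("set ")]


def zone_of(rows: List[List[str]], ifname: str) -> Optional[str]:
    """Zone holding logical interface `ifname` (e.g. fe-0/0/0.0), or None."""
    for t in rows:
        if t[1:4] == ["security", "zones", "security-zone"] and t[5:7] == ["interfaces", ifname]:
            return t[4]
    return None


def inbound_services(rows: List[List[str]], zone: str, ifname: str) -> Set[str]:
    """System services accepted on `ifname`: interface-level plus zone-level."""
    svcs: Set[str] = set()
    for t in rows:
        if t[1:5] != ["security", "zones", "security-zone", zone]:
            continue
        # interface-level: ... interfaces <if> host-inbound-traffic system-services <svc>
        if t[5:9] == ["interfaces", ifname, "host-inbound-traffic", "system-services"] and len(t) > 9:
            svcs.add(t[9])
        # zone-level: ... security-zone <zone> host-inbound-traffic system-services <svc>
        if t[5:7] == ["host-inbound-traffic", "system-services"] and len(t) > 7:
            svcs.add(t[7])
    return svcs


def lint_vpn_zones(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    rows = parse_set_lines(text)
    findings: List[str] = []
    for t in rows:
        # 1. IKE (UDP/500, and 4500 with NAT-T) must be allowed in on the external interface.
        if t[1:4] == ["security", "ike", "gateway"] and t[5:6] == ["external-interface"] and len(t) > 6:
            gw, phys = t[4], t[6]
            ifname = phys if "." in phys else phys + ".0"  # Junos default unit 0
            zone = zone_of(rows, ifname)
            if zone is None:
                findings.append(f"{gw}: external-interface {ifname} is in no security zone")
            elif not {"ike", "all"} & inbound_services(rows, zone, ifname):
                findings.append(f"{gw}: zone {zone} does not permit host-inbound ike on {ifname}")
        # 2. The st0 unit must be in a zone, or no policy can ever match tunnel traffic.
        if t[1:4] == ["security", "ipsec", "vpn"] and t[5:6] == ["bind-interface"] and len(t) > 6:
            vpn, st = t[4], t[6]
            if zone_of(rows, st) is None:
                findings.append(f"{vpn}: bind-interface {st} is not assigned to any zone")
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("as posted", SAMPLE_CONFIG), ("with fix", FIXED_CONFIG)):
        print(cfg_name, "->", lint_vpn_zones(cfg) or ["OK"])
```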


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-11-2015 04:02 AM

Hi Sam!!

 

I could give you a big hug right now!

Setting the host-inbound-traffic system-services ike on the interface did the trick!

 

VPN tunnel's up BUT no traffic is coming through...

I double checked the config on both sides and also was going through this kb:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB9276

 

This described exactly what I tested anyway.

 

Since I know my SSG (screen os) very well, I will post the SRX side:

 

IKE:

 

root@metze> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7910063 UP     986abde0dca36582  d818606d4904bb6b  Aggressive     86.103.130.68

 IPSec:

root@metze> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-256/sha1 9544ecfe 1350/ unlim -  root 4500  86.103.130.68
  >131073 ESP:aes-256/sha1 3d15cd47 1350/ unlim -  root 4500  86.103.130.68

 NAT:

root@metze> show security nat source rule all
Total rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 4/0

source NAT rule: no_nat               Rule-set: nsw_srcnat
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : Internet
  Match
    Source addresses         : 192.168.179.0   - 192.168.179.255
    Destination addresses    : 192.168.8.0     - 192.168.8.255
    Destination port         : 0               - 0
  Action                        : off
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 4868

source NAT rule: nsw-src-interface    Rule-set: nsw_srcnat
  Rule-Id                    : 2
  Rule position              : 2
  From zone                  : trust
  To zone                    : Internet
  Match
    Source addresses         : 192.168.179.0   - 192.168.179.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
    Destination port         : 0               - 0
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 1241

 

Policies:

root@metze> show security policies from-zone Internet to-zone trust
From zone: Internet, To zone: trust
  Policy: from_transfair, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source addresses: netz_transfair
    Destination addresses: netz_metze
    Applications: any
    Action: permit, log



root@metze> show security policies from-zone trust to-zone Internet
From zone: trust, To zone: Internet
  Policy: to_transfair, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: netz_metze
    Destination addresses: netz_transfair
    Applications: any
    Action: permit, log
  Policy: All_trust_Internet, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

 

Route:

root@metze> show route 192.168.8.1

inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.8.0/24     *[Static/5] 03:46:46
                    > via st0.0

 Security flow:

root@metze> ...prefix 192.168.179.0/24 destination-prefix 192.168.8.0/24
Session ID: 23416, Policy name: to_transfair/4, Timeout: 2, Valid
  In: 192.168.179.99/13128 --> 192.168.8.14/12868;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 192.168.8.14/12868 --> 192.168.179.99/13128;icmp, If: st0.0, Pkts: 0, Bytes: 0

 So, the correct policy (4) and correct tunnel interface (st0.0).

 

Logging on my SSG520:

cluster:tfkiel_kiwi_fw_2(M)-> get log traffic src-ip 192.168.179.99
No entry matched.

 

 

I want to go from 192.168.179.0/24 (home) to 192.168.8.0/24 (remote) and vice versa.

Everything looks fine to me...

 

Thank you so much for your help so far!!

 

 

Cheers

 

Andy


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-11-2015 05:57 AM

Hi Andy,

 

Very good news...

 

Is your st0.1 interface still part of the "Internet" zone? Or a new 'vpn' zone?

 

If both fe-0/0/0 and st01 are part of the same "Internet" zone, then my gut feeling is that we'll need to create an intra-zone policy...  not sure exactly what the parameters would be.

 

Regards,

Sam


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-11-2015 06:34 AM

Hi Sam.

 

To avoid the use of intra zone policies (I'm not a friend of them), I just created a new zone "vpn" and bound the interface st0.0 to it.

 

Policies are set from trust to untrust and the other way round.

Security flow shows that the newly created policy takes care of my ICMP packets. The results are still the same -> no answer...

 

Why is this so hard? It was so easy on netscreen os...

Thanks for your help.

 

Cheers

 

Andy

 


Re: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

‎02-11-2015 06:51 AM

In that case, you'll need rules permitting traffic from trust <--> vpn zone.  And not between trust <--> untrust zones.

 

Hang in there.  I felt the same way moving from ScreenOS to SRX.  It grows on you... you'll learn to love it, esp. the CLI.

 

 

Also, I found it's a very different behavior when initiating pings from the firewall itself, or from a PC attached to the firewall (different from ScreenOS, eh?).  If pinging from the firewall itself, you'll need to create rules from the junos-host zone....

 

 

hope this helps.

 

Regards,

Sam