SRX Services Gateway

Tunnel from SRX to ISG

‎05-15-2018 02:37 PM

I'm having trouble establishing a route-based multipoint tunnel from an SRX5400 running 12.3x48 code to an ISG1000, pretty sure the issue is on the SRX side. The security association appears to be up on both sides, but I can't pass any traffic over it. Here is the output from looking at the SRX SA:

show security ipsec security-associations index 131090 detail
node1:
--------------------------------------------------------------------------

ID: 131090 Virtual-system: root, VPN Name: JAXS
Local Gateway: x.x.132.44, Remote Gateway: x.x.72.44
Local Identity: ipv4(any:0,[0..3]=x.x.132.44)
Remote Identity: ipv4(any:0,[0..3]=x.x.72.44)
Version: IKEv1
DF-bit: copy, Bind-interface: st0.1
Port: 500, Nego#: 3581, Fail#: 3566, Def-Del#: 0 Flag: 0x600a21
Tunnel events:
Tue May 15 2018 21:31:36: IPSec SA rekey successfully completed (1 times)
Tue May 15 2018 21:31:36: IKE SA negotiation successfully completed (17 times)
Mon May 14 2018 21:41:43: IPSec SA negotiation successfully completed (2 times)
Mon May 14 2018 21:41:33: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
Mon May 14 2018 21:33:28: IPSec SA negotiation successfully completed (1 times)
Mon May 14 2018 21:33:24: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
Mon May 14 2018 20:15:27: IPSec SA negotiation successfully completed (1 times)
Mon May 14 2018 20:15:22: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
Mon May 14 2018 07:36:17: IPSec SA negotiation successfully completed (1 times)
Location: FPC 0, PIC 1, KMD-Instance 2
Direction: inbound, SPI: c1f70cac, AUX-SPI: 0

It appears to be up, right? The only issue I can find is that sometimes the following error message appears:

"IPSec negotiation failed with error: Received nexthop-tunnel IP address from peer, is not in bind-interface's subnet. Negotiation failed."

Does this mean that the tunnel interfaces on both sides of the VPN need to be in the same subnet? I have been able to successfully build tunnels from Netscreen to Netscreen using different tunnel interface subnets, so I'm not sure why it wouldn't work Netscreen to SRX.

Please let me know if you need more information.

Re: Tunnel from SRX to ISG

‎05-15-2018 10:32 PM

Hi,

When you use st0.0 as a multipoint interface, the tunnel IP (st0 interface IP) of all peers should be in the same subnet. Otherwise, the IPsec SA will not be installed for that peer even though the IKE SA is up.

If traffic is not passing through the tunnel even after the IPsec SA is up, check that the routing is pointed towards the tunnel, the security policy, and the IPsec statistics.

Please share the output of the commands mentioned below if the traffic is still not working:

show security ipsec next-hop-tunnels

show security ipsec statistics index <ipsec sa index-name>

show route terse | match st0

show security flow session destination-prefix < remote lan ip >

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
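The rule in the reply above (every peer's tunnel address must fall inside the bind interface's subnet, or the IPsec SA is not installed) can be checked mechanically against the `show security ipsec next-hop-tunnels` table. The script below is an added example, not part of this thread and not Junos code. It embeds the one row the thread shows plus a second constructed row for a failing case, and the local st0 unit addresses are assumed, since the thread never shows the SRX's own st0.1 address.

```python
import ipaddress
import re

# Constructed sample in the form of 'show security ipsec next-hop-tunnels'. The
# first row is the one the thread shows; the second row (st0.20, HUB-EXAMPLE) is
# an assumed extra peer added to show a failing case.
NEXT_HOP_TUNNELS = """\
Next-hop gateway  interface  IPSec VPN name  Flag    IKE-ID          XAUTH username
172.31.128.11     st0.1      JAXS            Static  138.162.72.44   Not-Available
10.200.0.9        st0.20     HUB-EXAMPLE     Static  198.51.100.7    Not-Available
"""

# Assumed local addresses of the multipoint st0 units (in practice taken from
# 'show interfaces st0 terse'); the thread does not show the SRX's st0.1 address.
BIND_INTERFACES = {
    "st0.1": "172.31.128.1/24",
    "st0.20": "10.200.1.1/24",
}

ROW = re.compile(
    r"^(?P<nh>\d+\.\d+\.\d+\.\d+)\s+(?P<ifl>st0\.\d+)\s+(?P<vpn>\S+)\s+"
    r"(?P<flag>\S+)\s+(?P<ike_id>\S+)"
)


def parse_next_hop_tunnels(text):
    """Return one dict per data row; the header line does not match and is skipped."""
    return [m.groupdict() for m in (ROW.match(l) for l in text.splitlines()) if m]


def check_bind_subnets(text, bind_interfaces):
    """Map VPN name -> True when the peer's next-hop-tunnel IP lies inside the
    bind interface's subnet, False when it does not (the condition KMD logs as
    'not in bind-interface's subnet')."""
    results = {}
    for row in parse_next_hop_tunnels(text):
        local = ipaddress.ip_interface(bind_interfaces[row["ifl"]])
        peer = ipaddress.ip_address(row["nh"])
        results[row["vpn"]] = peer in local.network
    return results


if __name__ == "__main__":
    for vpn, ok in check_bind_subnets(NEXT_HOP_TUNNELS, BIND_INTERFACES).items():
        print(f"{vpn}: {'OK' if ok else 'peer tunnel IP outside bind-interface subnet'}")
```

Run it with the real next-hop-tunnels output pasted into NEXT_HOP_TUNNELS and the st0 addresses from `show interfaces st0 terse` in BIND_INTERFACES; any VPN reported False is a peer whose tunnel address would trip the error quoted in the first post.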

Re: Tunnel from SRX to ISG

‎05-16-2018 12:27 PM

Thank you for your reply. Below are the commands with output you requested. I did notice that the sh route terse command didn't include any subnets for the tunnel I'm trying to build - it would be a 172.x.x.x subnet.

NS-ADMIN@NAWEPRLHVP00z# run show security ipsec next-hop-tunnels
node1:
--------------------------------------------------------------------------
Next-hop gateway  interface  IPSec VPN name  Flag    IKE-ID          XAUTH username
172.31.128.11     st0.1      JAXS            Static  138.162.72.44   Not-Available

NS-ADMIN@NAWEPRLHVP00z> show security ipsec statistics index 131090
node0:
--------------------------------------------------------------------------

ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

node1:
--------------------------------------------------------------------------

ESP Statistics:
Encrypted bytes: 6640736
Decrypted bytes: 3156848
Encrypted packets: 69171
Decrypted packets: 70273
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

show route terse | match st0
* ? 192.168.50.0/24 D 0 >st0.1
* ? 192.168.100.0/24 D 0 >st0.20
* ? 192.168.100.0/24 D 0 >st0.20
* ? 192.168.250.0/24 D 0 >st0.250
* ? 192.168.160.0/24 D 0 >st0.160
* ? 192.168.150.0/24 D 0 >st0.150

show security flow session destination-prefix 138.162.72.44
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC0 PIC2:
Total sessions: 0

Flow Sessions on FPC0 PIC3:
Total sessions: 0

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC0 PIC2:
Total sessions: 0

Flow Sessions on FPC0 PIC3:
Total sessions: 0

{primary:node1}
NS-ADMIN@NAWEPRLHVP00z> show security flow session destination-prefix 172.31.128.11
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC0 PIC2:
Total sessions: 0

Flow Sessions on FPC0 PIC3:
Total sessions: 0

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC0 PIC2:
Total sessions: 0

Flow Sessions on FPC0 PIC3:


Re: Tunnel from SRX to ISG

‎05-16-2018 07:22 PM

Hi,

To send traffic through the tunnel, you should have a route for the remote networks pointed towards the next-hop-tunnel IP. In the same way, the remote site should have a route pointed towards the tunnel for your local networks.

e.g.:

set routing-options static route 172.16.1.0/24 next-hop 172.31.128.11

Remote Network : 172.16.1.0/24

Remote st0 ip: 172.31.128.11

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
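The route check in the reply above (a static route for the remote LAN via the peer's st0 address, which in turn must be reachable through the local st0 unit) can be scripted against the stripped `show route terse | match st0` form the poster pasted. The following Python is an added example, not from the thread: it parses those lines, does a longest-prefix lookup, and follows a static route's gateway IP to the st0 unit whose connected route covers it. The 172.16.1.0/24 static route is taken from the reply's example and the 172.31.128.0/24 connected route is assumed; neither comes from the poster's actual routing table.

```python
import ipaddress
import re

# Constructed sample in the stripped 'show route terse | match st0' form the thread
# shows. The 192.168.x rows mirror the poster's output; the 172.16.1.0/24 static
# route is the one from the reply above and is assumed, not taken from the poster.
ROUTE_TERSE = """\
* ? 192.168.50.0/24 D 0 >st0.1
* ? 192.168.100.0/24 D 0 >st0.20
* ? 192.168.250.0/24 D 0 >st0.250
* ? 172.16.1.0/24 S 5 >172.31.128.11
"""

# Assumed connected route for the st0.1 subnet, which the poster's output lacks.
ST0_1_CONNECTED = "* ? 172.31.128.0/24 D 0 >st0.1\n"

ROUTE_LINE = re.compile(r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\S+\s+\d+\s+>(?P<nh>\S+)")


def parse_routes(text):
    """Return [(network, next_hop)], where next_hop is an st0 unit or a gateway IP."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.search(line)
        if m:
            routes.append((ipaddress.ip_network(m["prefix"]), m["nh"]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def resolve_tunnel_interface(routes, dst):
    """Follow next-hop gateways until a route points at an st0 unit.
    Returns the unit name (e.g. 'st0.1'), or None when dst does not resolve
    to any tunnel interface, which is what happens when the next-hop-tunnel
    IP itself has no covering route."""
    seen = set()
    hop = dst
    while hop not in seen:
        seen.add(hop)
        hit = lookup(routes, hop)
        if hit is None:
            return None
        nh = hit[1]
        if nh.startswith("st0."):
            return nh
        hop = nh
    return None  # next-hop loop


if __name__ == "__main__":
    base = parse_routes(ROUTE_TERSE)
    print("remote LAN host 172.16.1.5 ->", resolve_tunnel_interface(base, "172.16.1.5"))
    fixed = parse_routes(ROUTE_TERSE + ST0_1_CONNECTED)
    print("with st0.1 subnet route    ->", resolve_tunnel_interface(fixed, "172.16.1.5"))
```

With only the poster's rows plus the static route, the remote LAN resolves to the gateway 172.31.128.11 but no further, because nothing covers the st0.1 subnet; once a connected route for that subnet exists the same lookup ends at st0.1. The check only covers the routing half of the reply; the security policy and IPsec statistics still have to be checked separately.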

Re: Tunnel from SRX to ISG

‎05-17-2018 04:13 PM

Yep, I had the routes to the tunnel interface networks. Still not able to ping.


Re: Tunnel from SRX to ISG

‎05-18-2018 02:10 AM

Hello,

ESP captures taken on both ends simultaneously can help when generating a specific-size ping, to ascertain whether the ISG is sending the ESP out and the SRX is getting it, and vice versa.

On ISG you can enable the 'debug flow basic' for ping traffic to see if the packet is pushed to the tunnel or not.

Same thing can be done on SRX (flow traceoptions).

Regards,

Rushi