SRX Services Gateway

vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-18-2015 04:45 AM

-- This post is also listed in another sub-forum: vGW --


Hello All

I'm running a setup with two virtual SRXs and one physical one.
I can ping and SSH between the boxes. I'm running flow/sec-mode.

I want to create IPSec tunnels between the vSRXs and the real one, but the SA does not come up on the vSRX.
I use the standard guides for building IPSec and I'm testing with pre-shared keys, to keep it simple.
I'm running the following version:

root> show version
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]

But I get the following error:
"
[May 13 14:47:45]Couldn't get the zone information for interface st0, error No such file or directory
"
"
root> show security ike security-associations
root>
"
For each vSRX I have two NICs allocated to the VM: one for trust and one for untrust.
Here are my interfaces:
"
root> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
inet6
sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
10.0.0.6 --> 0/0
128.0.0.1 --> 128.0.1.16
128.0.0.6 --> 0/0
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.25.61.152/24
dsc up up
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.0.4 --> 0/0
128.0.1.16 --> 0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
st0.0 up up inet 10.0.0.4/24
tap up up
vlan up down
root>
"
- the tunnel-interface st0 is up


Any help is appreciated


Re: vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-18-2015 05:39 AM

Have you assigned st0.0 to a security zone? Can you share your config with us so we can have a look?

Marc


Re: vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-18-2015 05:57 AM
Hi MarcTB
Here is my zone config:
root# show
security-zone trust {
    tcp-rst;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        st0.0;
    }
}
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}

Best regards
Christian Vendelbo Petersen
System Engineer, IPnett A/S

Re: vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-18-2015 06:00 AM

The config file


Re: vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-18-2015 06:11 AM

Your "tunnel / ipsec" zone needs to be a unique zone. Something like IPSEC_VPN (zone) and putting interface st0.0 in that zone will fix your problem.

I'm also seeing that you are missing the route for the remote subnets over the st0.0 interface.

set routing-options static route x.x.x.x/x next-hop st0.0

Marc



Solution (accepted by topic author christianVP, 08-26-2015 01:27 AM)

Re: vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-18-2015 07:43 AM
Your config looks fine. Can you try the steps below.

#set security ipsec vpn toReal establish-tunnels immediately
#commit

#run restart ipsec-key-management
Wait for a couple of minutes and execute the commands below:

#run show security ike sa
#run show security ipsec sa

If there are no tunnels, execute

#run show security ipsec inactive-tunnels

If there is nothing, enable ike traceoptions and check the logs.

Thanks,
Suraj
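As an added example, not from this thread or from Juniper's documentation, here is the complete route-based VPN configuration that Marc's and Suraj's replies are piecing together: st0.0 as a zone member, the VPN bound to st0.0 with establish-tunnels immediately, a static route over st0.0, and the ike traceoptions Suraj mentions. The vpn name toReal and the st0.0 address 10.0.0.4/24 come from the thread; the zone name vpn, the names gw-real, ike-pol and ipsec-pol, the peer 203.0.113.1 and the remote prefix 192.0.2.0/24 are assumptions, and the `#` lines are explanatory comments for the reader.

```junos
# Added example; names, peer address and prefixes are assumed (see lead-in).

# Zone membership is per logical unit (st0.0). The log line in the question
# names the physical st0, which is never a zone member itself.
set interfaces st0 unit 0 family inet address 10.0.0.4/24

# Dedicated tunnel zone. A unit may belong to only one zone, so remove it
# from trust first if it is still there as in the posted config.
delete security zones security-zone trust interfaces st0.0
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic system-services ping

# Phase 1: main mode with a pre-shared key, peer reached via the untrust interface
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET"
set security ike gateway gw-real ike-policy ike-pol
set security ike gateway gw-real address 203.0.113.1
set security ike gateway gw-real external-interface ge-0/0/1.0

# Phase 2: route-based VPN bound to st0.0; negotiate at commit instead of
# waiting for interesting traffic (the trigger discussed in the accepted answer)
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn toReal bind-interface st0.0
set security ipsec vpn toReal ike gateway gw-real
set security ipsec vpn toReal ike ipsec-policy ipsec-pol
set security ipsec vpn toReal establish-tunnels immediately

# Route the remote LAN (assumed 192.0.2.0/24) through the tunnel unit
set routing-options static route 192.0.2.0/24 next-hop st0.0

# Permit traffic between the local LAN zone and the tunnel zone
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

# Phase 1 debugging if the SA still does not appear; delete once resolved
set security ike traceoptions file ike-trace size 1m
set security ike traceoptions flag all

commit

# Verification from configuration mode, as in the accepted answer
run show security ike security-associations
run show security ipsec security-associations
run show security ipsec inactive-tunnels
run show log ike-trace
```

Keeping st0.0 in trust, as in the posted config, also works; the dedicated zone only lets the policies between LAN and tunnel be written explicitly rather than relying on intra-zone defaults.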

Re: vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-19-2015 12:24 AM
It works!!!

What was the trigger?
The restart of ipsec-key-management?

Is this a vSRX issue or just SRX-IPSec in general?
Best regards
Christian Vendelbo Petersen
System Engineer, IPnett A/S

Re: vSRX (Firefly): IPSec tunnels: st0-interface, not in any zone?

05-19-2015 06:37 AM
When establish-tunnels is not configured, the SRX will create the SA only after receiving interesting traffic.

Restarting ipsec-key-management is just like refreshing/restarting the IPsec VPN daemon.

Thanks,
Suraj