ScreenOS Firewalls (NOT SRX)

VPN tunnel using LTE modem

‎12-03-2019 01:44 PM

So I have a need for connecting a remote site (trailer) using cellular to our main SSG140 at our datacenter. We purchased a Netgear LTE modem, put it in bridge mode and put an SSG5 behind it. Plugging in behind the SSG5 we get internet access no problem. The SSG5 shows an ethernet0/0 IP of 10.129.215.93, which is a private IP that it seems to get from the modem. Going to ipchicken.com and checking the WAN IP there, I get 107.77.210.83.

 

So I created the IPsec tunnel setup in aggressive mode and finally get some "completed negotiations", but the tunnel never shows as coming up. Plus, the SSG140 shows the connecting IP as 166.170.220.223, which isn't the originating IP but its ATT cellular IP.

 

Relevant events from SSG140:

2019-12-03 15:01:14 info IKE 166.170.220.223 Phase 1: Retransmission limit has been reached.
2019-12-03 15:00:32 info IKE 166.170.221.15 Phase 2 msg ID 44e3690b: Completed negotiations with SPI 90fc9f72, tunnel ID 43, and lifetime 3600 seconds/0 KB.
2019-12-03 15:00:32 info IKE 166.170.221.15 phase 2:The symmetric crypto key has been generated successfully.
2019-12-03 15:00:32 info IKE 166.170.221.15: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2019-12-03 15:00:32 info IKE 166.170.221.15 Phase 2 msg ID 44e3690b: Responded to the peer's first message.
2019-12-03 15:00:32 info IKE 166.170.221.15 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2019-12-03 15:00:31 info IKE 166.170.221.15 phase 1:The symmetric crypto key has been generated successfully.
2019-12-03 15:00:31 info IKE 166.170.221.15 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2019-12-03 15:00:26 info IKE1xx.xxx.xxx.xxx 166.170.220.223 Phase 1: Initiated negotiations in aggressive mode.
2019-12-03 14:59:41 info IKE 166.170.220.223 Phase 2: Initiated negotiations.
2019-12-03 13:59:51 info IKE 166.170.220.223 Phase 2 msg ID 34e835d3: Completed negotiations with SPI 90fc9f61, tunnel ID 43, and lifetime 3600 seconds/0 KB.
2019-12-03 13:59:51 info IKE 166.170.220.223 phase 2:The symmetric crypto key has been generated successfully.
2019-12-03 13:59:50 info IKE 166.170.220.223: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2019-12-03 13:59:50 info IKE 166.170.220.223 Phase 2 msg ID 34e835d3: Responded to the peer's first message.
2019-12-03 13:59:50 info IKE 166.170.220.223 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2019-12-03 13:59:50 info IKE 166.170.220.223 phase 1:The symmetric crypto key has been generated successfully.
2019-12-03 13:59:50 info IKE 166.170.220.223 Phase 1: Responder starts AGGRESSIVE mode negotiations.
2019-12-03 13:59:26 info IKE1xx.xxx.xxx.xxx 166.170.220.223 Phase 1: Initiated negotiations in aggressive mode.
2019-12-03 13:58:46 info IKE 166.170.220.223 Phase 2: Initiated negotiations.
2019-12-03 12:58:52 info IKE 166.170.220.223 Phase 2 msg ID 22fbaa20: Completed negotiations with SPI 90fc9f4f, tunnel ID 43, and lifetime 3600 seconds/0 KB.
2019-12-03 12:58:52 info IKE 166.170.220.223 phase 2:The symmetric crypto key has been generated successfully.
2019-12-03 12:58:52 info IKE 166.170.220.223: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2019-12-03 12:58:52 info IKE 166.170.220.223 Phase 2 msg ID 22fbaa20: Responded to the peer's first message.
2019-12-03 12:58:52 info IKE 166.170.220.223 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2019-12-03 12:58:52 info IKE 166.170.220.223 phase 1:The symmetric crypto key has been generated successfully.
2019-12-03 12:58:52 info IKE 166.170.220.223 Phase 1: Responder starts AGGRESSIVE mode negotiations.

 

And the remote SSG5 (about 15 mins ahead):
2019-12-03 15:13:33 info IKE 1xx.xxx.xxx.xxx Phase 2 msg ID 44e3690b: Completed negotiations with SPI d5310d59, tunnel ID 1, and lifetime 3600 seconds/0 KB.
2019-12-03 15:13:33 info IKE 1xx.xxx.xxx.xxx phase 2:The symmetric crypto key has been generated successfully.
2019-12-03 15:13:33 info IKE 1xx.xxx.xxx.xxx: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2019-12-03 15:13:33 info IKE 1xx.xxx.xxx.xxx Phase 2: Initiated negotiations.
2019-12-03 15:13:33 info IKE 1xx.xxx.xxx.xxx Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2019-12-03 15:13:33 info IKE 1xx.xxx.xxx.xxx phase 1:The symmetric crypto key has been generated successfully.
2019-12-03 15:13:33 info IKE10.129.215.93 1xx.xxx.xxx.xxx Phase 1: Initiated negotiations in aggressive mode.
2019-12-03 15:12:51 info IKE 1xx.xxx.xxx.xxx Phase 2: Initiated negotiations.
2019-12-03 14:12:52 info IKE 1xx.xxx.xxx.xxx Phase 2 msg ID 34e835d3: Completed negotiations with SPI d5310d57, tunnel ID 1, and lifetime 3600 seconds/0 KB.
2019-12-03 14:12:52 info IKE 1xx.xxx.xxx.xxx phase 2:The symmetric crypto key has been generated successfully.
2019-12-03 14:12:52 info IKE 1xx.xxx.xxx.xxx: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2019-12-03 14:12:52 info IKE 1xx.xxx.xxx.xxx Phase 2: Initiated negotiations.
2019-12-03 14:12:52 info IKE 1xx.xxx.xxx.xxx Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2019-12-03 14:12:52 info IKE 1xx.xxx.xxx.xxx phase 1:The symmetric crypto key has been generated successfully.
2019-12-03 14:12:52 info IKE10.129.215.93 1xx.xxx.xxx.xxx Phase 1: Initiated negotiations in aggressive mode.
2019-12-03 13:11:55 info IKE 1xx.xxx.xxx.xxx Phase 2 msg ID 22fbaa20: Completed negotiations with SPI d5310d55, tunnel ID 1, and lifetime 3600 seconds/0 KB.
2019-12-03 13:11:55 info IKE 1xx.xxx.xxx.xxx phase 2:The symmetric crypto key has been generated successfully.
2019-12-03 13:11:55 info IKE 1xx.xxx.xxx.xxx: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2019-12-03 13:11:55 info IKE 1xx.xxx.xxx.xxx Phase 2: Initiated negotiations.
2019-12-03 13:11:55 info IKE 1xx.xxx.xxx.xxx Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2019-12-03 13:11:55 info IKE 1xx.xxx.xxx.xxx phase 1:The symmetric crypto key has been generated successfully.
2019-12-03 13:11:55 info IKE10.129.215.93 1xx.xxx.xxx.xxx Phase 1: Initiated negotiations in aggressive mode.

It seems the tunnel negotiates but the tunnel that it's bound to never comes up and passes traffic. On the SSG140 it shows Ready and on the SSG5 it shows Link Down.

 

I've attached both config files, scrubbed what I could.

 

Appreciate any help
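Added example (not from the original post or from Juniper): a small triage script for the SSG140 IKE events quoted above. It parses the ScreenOS event lines (including the ones where the scrubbed local address is glued to "IKE"), puts them in time order, and reports the distinct peer addresses seen, how many phase 2 negotiations completed, the spacing between them, and whether a phase 1 retransmission-limit event followed the last completion. On the quoted lines it shows two different carrier addresses for the same SSG5 and phase 2 completing roughly every 3600 seconds, which is the negotiated lifetime. Reading the address change as the carrier NAT mapping moving is my inference, not something the thread states. The sample input is a constructed subset of the lines in the post.

```python
import re
from datetime import datetime

# Constructed sample input: a subset of the SSG140 IKE events quoted in the post.
SSG140_EVENTS = """\
2019-12-03 15:01:14 info IKE 166.170.220.223 Phase 1: Retransmission limit has been reached.
2019-12-03 15:00:32 info IKE 166.170.221.15 Phase 2 msg ID 44e3690b: Completed negotiations with SPI 90fc9f72, tunnel ID 43, and lifetime 3600 seconds/0 KB.
2019-12-03 15:00:32 info IKE 166.170.221.15: Received a notification message for DOI 1 40001 NOTIFY_NS_NHTB_INFORM.
2019-12-03 15:00:32 info IKE 166.170.221.15 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2019-12-03 15:00:26 info IKE1xx.xxx.xxx.xxx 166.170.220.223 Phase 1: Initiated negotiations in aggressive mode.
2019-12-03 13:59:51 info IKE 166.170.220.223 Phase 2 msg ID 34e835d3: Completed negotiations with SPI 90fc9f61, tunnel ID 43, and lifetime 3600 seconds/0 KB.
2019-12-03 12:58:52 info IKE 166.170.220.223 Phase 2 msg ID 22fbaa20: Completed negotiations with SPI 90fc9f4f, tunnel ID 43, and lifetime 3600 seconds/0 KB.
"""

# One ScreenOS IKE event line.  Group "a" is the first address after "IKE"
# (sometimes glued to it, sometimes followed by a colon); group "b", when
# present, is a second address, which on these lines is the peer.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) info IKE\s*(?P<a>\S+?):?"
    r"(?: (?P<b>\d+\.\d+\.\d+\.\d+))? (?P<msg>.*)$"
)


def parse_events(text):
    """Return (timestamp, peer, message) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an IKE event line; ignore it
        peer = m.group("b") or m.group("a")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, peer, m.group("msg")))
    return sorted(events)  # the firewall lists newest first; work oldest first


def triage(text):
    """Summarise what the IKE events say about the tunnel's life cycle."""
    events = parse_events(text)
    peers = sorted({p for _, p, _ in events})
    completions = [(ts, p) for ts, p, msg in events
                   if "Phase 2" in msg and "Completed negotiations" in msg]
    retrans = [(ts, p) for ts, p, msg in events if "Retransmission limit" in msg]
    # Seconds between successive phase 2 completions; values close to the
    # negotiated lifetime mean the SA is only ever renewed on expiry.
    intervals = [int((b - a).total_seconds())
                 for (a, _), (b, _) in zip(completions, completions[1:])]
    return {
        "peers": peers,
        "peer_address_changed": len(peers) > 1,
        "phase2_completed": len(completions),
        "rekey_intervals_s": intervals,
        "retransmit_limit_after_last_completion":
            bool(retrans) and bool(completions) and retrans[-1][0] > completions[-1][0],
    }


if __name__ == "__main__":
    for key, value in triage(SSG140_EVENTS).items():
        print(f"{key}: {value}")
```

The same script can be pointed at the SSG5 side of the log; there the peer column will always be the scrubbed datacenter address, so only the completion count and the rekey spacing are informative.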


Re: VPN tunnel using LTE modem

‎12-03-2019 05:19 PM

You will need the DC side SSG140 to have the gateway configured for dynamic ip address for these LTE connections.

 

And be sure the SSG5 on LTE is the tunnel initiator for the connection.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VPN tunnel using LTE modem

‎12-04-2019 06:52 AM

Thanks, the SSG140 has the peer gateway set up as dynamic with Peer ID, attached.


And I initiate traffic from the remote site and the tunnel seems to come up, but neither end receives traffic? The routes exist but the tunnel never shows as Up and never passes traffic.

 

Remote LTE-> get sa id 1
index 0, name Colo_VPN, peer gateway ip 1x.x.x.x. vsys<Root>
auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 1, peer id 0, NSRP Local. site-to-site. Local interface is ethernet0/0 <10.129.215.93>.
esp, group 2, 3des encryption, sha1 authentication
autokey, IN active, OUT active
monitor<1>, latency: -1, availability: 0
DF bit: clear
app_sa_flags: 0x24000e7
proxy id: local 172.16.142.0/255.255.255.0, remote 172.16.10.0/255.255.255.0, proto 0, port 0/0
ike activity timestamp: 67401437
DSCP-mark : disabled
nat-traversal map not available
incoming: SPI d5310d7a, flag 00004000, tunnel info 40000001, pipeline
life 3600 sec, 907 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 2693 seconds
next pak sequence number: 0x0
bytes/paks:0/0; sw bytes/paks:0/0
outgoing: SPI ff8815a9, flag 00000000, tunnel info 40000001, pipeline
life 3600 sec, 907 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 4 seconds
next pak sequence number: 0x111
bytes/paks:319118/6997; sw bytes/paks:319118/6997


SSG140-> get sa id 43
index 12, name LTE_VPN, peer gateway ip 166.170.221.15. vsys<Root>
auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 43, peer id 13, NSRP Local. site-to-site. Local interface is bgroup0/0 <1x.x.x.x.>.
esp, group 2, 3des encryption, sha1 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x2400067
proxy id: local 172.16.10.0/255.255.255.0, remote 172.16.142.0/255.255.255.0, proto 0, port 0/0
ike activity timestamp: 32918843
DSCP-mark : disabled
nat-traversal map not available
incoming: SPI ff8815a9, flag 00004000, tunnel info 4000002b, pipeline
life 3600 sec, 365 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 3235 seconds
next pak sequence number: 0x0
bytes/paks:0/0; sw bytes/paks:0/0
outgoing: SPI d5310d7a, flag 00000000, tunnel info 4000002b, pipeline
life 3600 sec, 365 remain, 0 kb, 0 bytes remain
anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 5 seconds
next pak sequence number: 0x5
bytes/paks:354/5; sw bytes/paks:354/5
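Added example (not from the original post or from Juniper): a checker for the two `get sa` dumps above. It pulls the SPIs, proxy IDs, local interface address, peer gateway address, NAT-T state and byte/packet counters out of each dump and compares the two sides. On the thread's output it confirms the SAs are consistent (each side's outgoing SPI is the other side's incoming SPI and the proxy IDs mirror each other), then flags that both sides count outgoing packets but zero incoming, and that the SSG5 sits on a private address which the SSG140 sees as a public one while neither side has a NAT-traversal map. The conclusion that this pattern points at ESP being lost on the path rather than at IKE is my reading of the counters, not a statement from the thread. The sample input is a constructed subset of the dump lines in the post.

```python
import ipaddress
import re

# Constructed sample input: the lines of the two `get sa` dumps that the check
# needs (remote SSG5 first, datacenter SSG140 second).
SSG5_SA = """\
index 0, name Colo_VPN, peer gateway ip 1x.x.x.x. vsys<Root>
tunnel id 1, peer id 0, NSRP Local. site-to-site. Local interface is ethernet0/0 <10.129.215.93>.
proxy id: local 172.16.142.0/255.255.255.0, remote 172.16.10.0/255.255.255.0, proto 0, port 0/0
nat-traversal map not available
incoming: SPI d5310d7a, flag 00004000, tunnel info 40000001, pipeline
bytes/paks:0/0; sw bytes/paks:0/0
outgoing: SPI ff8815a9, flag 00000000, tunnel info 40000001, pipeline
bytes/paks:319118/6997; sw bytes/paks:319118/6997
"""

SSG140_SA = """\
index 12, name LTE_VPN, peer gateway ip 166.170.221.15. vsys<Root>
tunnel id 43, peer id 13, NSRP Local. site-to-site. Local interface is bgroup0/0 <1x.x.x.x.>.
proxy id: local 172.16.10.0/255.255.255.0, remote 172.16.142.0/255.255.255.0, proto 0, port 0/0
nat-traversal map not available
incoming: SPI ff8815a9, flag 00004000, tunnel info 4000002b, pipeline
bytes/paks:0/0; sw bytes/paks:0/0
outgoing: SPI d5310d7a, flag 00000000, tunnel info 4000002b, pipeline
bytes/paks:354/5; sw bytes/paks:354/5
"""


def parse_sa(text):
    """Pull the fields the consistency check needs out of a `get sa id N` dump."""
    sa = {"incoming": {}, "outgoing": {}, "nat_t": None}
    direction = None  # which SA the next bytes/paks line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(incoming|outgoing): SPI ([0-9a-f]+)", line):
            direction = m.group(1)
            sa[direction]["spi"] = m.group(2)
        elif (m := re.match(r"bytes/paks:(\d+)/(\d+)", line)) and direction:
            sa[direction]["bytes"], sa[direction]["paks"] = int(m.group(1)), int(m.group(2))
        elif m := re.search(r"peer gateway ip (\S+?)\.? vsys", line):
            sa["peer_gw"] = m.group(1)
        elif m := re.search(r"Local interface is (\S+) <([^>]+?)\.?>", line):
            sa["local_if"], sa["local_ip"] = m.group(1), m.group(2)
        elif m := re.match(r"proxy id: local (\S+), remote (\S+),", line):
            sa["proxy_local"], sa["proxy_remote"] = m.group(1), m.group(2)
        elif line.startswith("nat-traversal"):
            sa["nat_t"] = "not available" not in line
    return sa


def _is_private(addr):
    """True/False for a real address, None for a scrubbed one such as 1x.x.x.x."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return None


def diagnose(local, peer):
    """Compare one side's SA with what the peer holds for the same tunnel."""
    findings = []
    # The SPI I send on must be the SPI the peer receives on, and vice versa.
    if (local["outgoing"]["spi"] == peer["incoming"]["spi"]
            and local["incoming"]["spi"] == peer["outgoing"]["spi"]):
        findings.append("spi-consistent")
    else:
        findings.append("spi-mismatch")
    # Proxy IDs (the phase 2 selectors) must be mirror images of each other.
    if (local["proxy_local"] == peer["proxy_remote"]
            and local["proxy_remote"] == peer["proxy_local"]):
        findings.append("proxy-id-mirrored")
    else:
        findings.append("proxy-id-mismatch")
    # An SA that counts packets out but never any in means ESP is leaving one
    # box and not arriving at the other: a path problem, not an IKE problem.
    for name, sa in (("local", local), ("peer", peer)):
        if sa["outgoing"]["paks"] > 0 and sa["incoming"]["paks"] == 0:
            findings.append(f"{name}-sends-but-receives-nothing")
    # A private local address that the peer sees as a public one means a NAT
    # is in the path; with no NAT-T map, ESP is crossing it unencapsulated.
    if (_is_private(local["local_ip"]) and _is_private(peer["peer_gw"]) is False
            and local["nat_t"] is False):
        findings.append("nat-on-path-without-nat-t")
    return findings


if __name__ == "__main__":
    ssg5, ssg140 = parse_sa(SSG5_SA), parse_sa(SSG140_SA)
    print("SSG5 view:  ", diagnose(ssg5, ssg140))
    print("SSG140 view:", diagnose(ssg140, ssg5))
```

Run it from each side in turn; the NAT finding only appears from the SSG5's point of view because the SSG140's own address is scrubbed in the post, so the helper cannot classify it.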

 

 


Re: VPN tunnel using LTE modem

‎12-05-2019 06:36 AM

Ok, dug into it a bunch more and I'm guessing that my ATT SIM card is only provisioned to get a private IP address on ATT's network. That is why the SSG5 WAN interface was getting a 10.129.x.x IP address even when the modem was in bridge mode.

 

Apparently I would need a SIM card provisioned on the i2Go APN or something that would give me a public IP on ATT's network.

 

Based on this info: https://developer.att.com/technical-library/apns/apn-descriptions-and-characteristics


Re: VPN tunnel using LTE modem

‎12-09-2019 02:23 AM

Aggressive VPN tunnels can definitely be formed when on LTE networks with a private IP using CGNAT. This is a common scenario on LTE carriers.

 

Inbound-initiated traffic is another question, but these outbound-initiated aggressive VPNs will work.

The troubleshooting process will be the same as for any other VPN: we need to match all the parameters and use trace options for more detailed logs if the tunnel won't come up.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home