SRX

I'm trying vSRX on AWS and ran into this issue..

After creating routing instance named TEST (TEST.inet.0) I added st0.1 and st0.2 under it.
Added interfaces to the zones, checked my polices and the rest as needed.

My goal was to establish VPN tunnels between my vSRX acting as a VPN peer with IP C.C.C.C
to the other two VPN peers: VPN Peer 1 with IP A.A.A.A and VPN Peer 2 with IP B.B.B.B
In order to reach remote networks behind them: 1.1.1.1/24 and 2.2.2.2/24

And vise versa for 1.1.1.1/24 and 2.2.2.2/24 to be able to reach 3.3.3.3/24 behind vSRX.

When I setup my first tunnel with st0.1 all is working properly..

IKE security-associations:

Index State Initiator cookie Responder cookie Mode Remote Address
1111111 UP eeeeeeeeeeeeeeee ffffffffffffffff Main A.A.A.A

IPSEC security-associations:

Total active tunnels: 1 Total Ipsec sas: 1

Gateway
unlim - root 4500 A.A.A.A
unlim - root 4500 A.A.A.A

I also able to reach remote network 1.1.1.1/24 - proxy-identity remote 1.1.1.1/24

When I setup my second tunnel with st0.2, I noticed this

IKE security-associations and see that both remote VPN peers are listed:

Index State Initiator cookie Responder cookie Mode Remote Address
1111111 UP eeeeeeeeeeeeeeee ffffffffffffffff Main A.A.A.A
2222222 UP eeeeeeeeeeeeeeee ffffffffffffffff Main B.B.B.B

But for the IPSEC security-associations I see only one (the second one):

Total active tunnels: 1 Total Ipsec sas: 1

Gateway
unlim - root 4500 B.B.B.B
unlim - root 4500 B.B.B.B

Where did IPSEC security-association entry for the first VPN peer A.A.A.A go?
I also can't connect to 1.1.1.1/24

How do I accomplish this kind of connectivity so my vSRX C.C.C.C establishes tunnels to A.A.A.A and B.B.B.B?
Do I need to add anything else on vSRX?

Thank you!

Can you provide a bit more of your (sanitised) config?

Specifically the output from 

show configuration security ike
show configuration security ipsec

Sure, please see below:

Tunnel1

proposal NYPROPOSAL
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 30000;

policy NYPOLICY
proposals NYPROPOSAL;
pre-shared-key ascii-text "..."; ## SECRET-DATA

gateway NYGW
ike-policy NYPOLICY;
address A.A.A.A;
dead-peer-detection
always-send;
interval 10;
threshold 3;

local-identity inet C.C.C.C;
remote-identity inet A.A.A.A;
external-interface ge-0/0/0.0;


proposal IPSECNYPROPOSAL
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
lifetime-seconds 600;

policy IPSECPOLICYNY
proposals IPSECNYPROPOSAL;

vpn SRXNY
bind-interface st0.1;
ike
gateway NYGW;
proxy-identity
local 3.3.3.3/24;
remote 1.1.1.1/24;
service any;

ipsec-policy IPSECPOLICYNY;

establish-tunnels immediately;

Tunnel2

proposal NYPROPOSAL-2
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 30000;

policy NYPOLICY-2
proposals NYPROPOSAL-2;
pre-shared-key ascii-text "..."; ## SECRET-DATA

gateway NYGW-2
ike-policy NYPOLICY-2;
address B.B.B.B;
dead-peer-detection
always-send;
interval 10;
threshold 3;

local-identity inet C.C.C.C;
remote-identity inet B.B.B.B;
external-interface ge-0/0/0.0;


proposal IPSECNYPROPOSAL-2
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
lifetime-seconds 600;

policy IPSECPOLICYNY-2
proposals IPSECNYPROPOSAL-2;

vpn SRXNY-2
bind-interface st0.2;
ike
gateway NYGW-2;
proxy-identity
local 3.3.3.3/24;
remote 2.2.2.2/24;
service any;

ipsec-policy IPSECPOLICYNY-2;

establish-tunnels immediately;

It is odd that the second tunnel brings down the first one - are A.A.A.A, B.B.B.B and C.C.C.C all publicly reachable IP addresses, or is C.C.C.C behind a NAT?

Are the remote tunnel endpoints both Juniper devices?  If so, try removing the proxy-identity from each of your tunnels, and then statically route those subnets down your st0.1 and st0.2 interfaces.

@dfex

A.A.A.A, B.B.B.B and C.C.C.C are all publicly reachable IP addresses
No NAT

For removing the proxy-identity from each of your tunnels,
and then statically route those subnets down your st0.1 and st0.2 interfaces.

Can you please provide an example?
Something like static route 2.2.2.2/24 next-hop st0.2? I'm not sure.

I checked everything but it still does not work for me.
Does anyone have a workaround suggestion?

Thank you

Hi,

I understand that peer sites are two different locations or two different devices, not any redundant VPN etc. I see the port 4500 in the SA so I understand that peers are sending traffic to the AWS Elastic IPs and then AWS is supposed to do the one to one NATting to the vSRX IP. Please correct if I'm wrong.

Have you checked any error etc or why VPN is going down on the vSRX .  E.g: output of "show security ipsec inactive-tunnels"  or IKE/IPSec  traceoptions . Or any error  in "show log messages | in kmd" etc ?

e.g: of ike tracoptions:

root> show configuration security ike traceoptions | display set
set security ike traceoptions file <filename>
set security ike traceoptions file size 5m
set security ike traceoptions file files 5
set security ike traceoptions flag all
set security ike traceoptions level 15

root> show configuration security ipsec traceoptions | display set
set security ipsec traceoptions flag all

recreate the issue and check the ike traceoptions logs and the messages log.

Thanks,

Vikas

Thank you everyone who tried to help!
After reviewing all your suggestions and my configuration again,

I realized that it was a small typo on my side in configuration for ipsec.

Interesting..

Have you directly linked the elastic IP with the vSRX instance?

Or does the vSRX go through any other EC2 instance, NAT-ing itself for internet access / VPN negotiation?

@Gokul

Yes, elastic IP is directly linked with the vSRX
No NAT-ing

Only 1 tunnel at the time works.