vSRX

IPsec VPN between a VSRX in Azure and an On-premise SRX GW behind a NAT device supported?

‎05-07-2019 11:51 PM

Hi guys,

I'd like to know if Azure supports an S2S IPsec connection between a vSRX in Azure and an On-premise SRX device behind a NAT device with a private IP address. The NAT device uses a public IP which is dynamic. I tried doing this using the statement "set security ike dynamic hostname xxxx" command in the vSRX in Azure, but it doesn't work. It works only with both sides on static IP.


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 12:09 AM

Hello Kenny,

vSRX deployed on Azure does not support Dynamic VPN. You can refer to the document below, which confirms this under the section "IP security and VPNs".

https://www.juniper.net/documentation/en_US/vsrx/topics/concept/security-vsrx-feature-support.html

-Regards,

Rishi

[KUDOS PLEASE! If you think I earned it!

If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit.]

Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 12:16 AM

Hi Rishi,

Thanks for your reply.

DVPN is different I believe. It's an S2S IPsec VPN, but in this case one GW is behind a NAT device.


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 12:51 AM

Hello Kenny,

I got that it's an S2S VPN with the SRX as the dynamic peer. I tested this configuration on a lab device (vSRX 15.1X49-D133) over Azure and the command "set security ike gateway <gw-name> dynamic hostname test.juniper.net" worked fine. Below is a snippet of the committed configuration.

root@vsrxtestrishi# show security ike
proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
    mode aggressive;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "$9$FnDvnApO1RSlKB1dbYgJZ"; ## SECRET-DATA
}
gateway gw-chicago {
    ike-policy ike-phase1-policy;
    dynamic hostname test.juniper.net;
    external-interface ge-0/0/0.0;
}

[edit]
root@vsrxtestrishi#

CLI commands:

set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode aggressive
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text 123456
set security ike gateway gw-chicago external-interface ge-0/0/0.0
set security ike gateway gw-chicago ike-policy ike-phase1-policy
set security ike gateway gw-chicago dynamic hostname test.juniper.net

Can you please help me with the answers to the queries below:

1. What vSRX version are you using (CLI command: show version)?

2. What error do you get while executing the command "set security ike gateway gw-chicago dynamic hostname <Name>"?

Regards,
Rishi


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 03:42 AM

Hi Rishi,

I get no error while executing the command. The VPN just doesn't come up.

I run 15.1X49-D120.3. I see no logs on the static peer, but here's what I see on the dynamic peer.

IKE logs on dynamic peer:

kakala@SRX-INA-DE-019> show log ikedebug.0.gz
[May 8 00:42:57]ike_send_packet: Start, retransmit previous packet SA = { 8fe60ad4 540a8de8 - 00000000 00000000}, nego = -1, dst = <remote-peer>:500 routing table id = 0
[May 8 00:42:57]IKEv1 packet S(172.17.3.61:500 -> <remote-peer>:500): mID=00000000 (retransmit count=1)
[May 8 00:43:07]ike_retransmit_callback: Start, retransmit SA = { 8fe60ad4 540a8de8 - 00000000 00000000}, nego = -1
[May 8 00:43:07]ike_send_packet: Start, retransmit previous packet SA = { 8fe60ad4 540a8de8 - 00000000 00000000}, nego = -1, dst = <remote-peer>:500 routing table id = 0
[May 8 00:43:07]IKEv1 packet S(172.17.3.61:500 -> <remote-peer>:500): mID=00000000 (retransmit count=2)
[May 8 00:43:17]P1 SA 1193660 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 8 00:43:17]Initiate IKE P1 SA 1193660 delete. curr ref count 2, del flags 0x3. Reason: Internal Error: Unknown event (0)
[May 8 00:43:17]iked_pm_ike_sa_delete_done_cb: For p1 sa index 1193660, ref cnt 2, status: Error ok
[May 8 00:43:17]172.17.3.61:500 (Initiator) <-> <remote-peer>:500 { 8fe60ad4 540a8de8 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Connection timed out or error, calling callback
[May 8 00:43:17]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[May 8 00:43:17]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[May 8 00:43:17]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[May 8 00:43:17]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 1193660
[May 8 00:43:17] IKEv1 Error : Timeout
[May 8 00:43:17]IPSec Rekey for SPI 0x0 failed
[May 8 00:43:17]IPSec SA done callback called for sa-cfg AZURE-vSRX-HUB-WEST-EU-VPN local:172.17.3.61, remote:<remote-peer> IKEv1 with status Timed out
[May 8 00:43:17]IKE SA delete called for p1 sa 1193660 (ref cnt 2) local:172.17.3.61, remote:<remote-peer>, IKEv1
[May 8 00:43:17]P1 SA 1193660 reference count is not zero (1). Delaying deletion of SA
[May 8 00:43:17]iked_pm_p1_sa_destroy: p1 sa 1193660 (ref cnt 0), waiting_for_del 0x129fa40
[May 8 00:43:17]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[May 8 00:43:17]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[May 8 00:43:17]ike_sa_delete: Start, SA = { 8fe60ad4 540a8de8 - 00000000 00000000 }
[May 8 00:43:17]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 8 00:43:47]ikev2_fb_i_p1_negotiation_start: FSM_SET_NEXT:ikev2_fb_i_p1_negotiation_negotiate
[May 8 00:43:47]ikev2_fb_st_i_ike_local_address_request: FSM_SET_NEXT:ikev2_fb_st_i_ike_id_request
[May 8 00:43:47]ikev2_fb_st_i_ike_id_request: FSM_SET_NEXT:ikev2_fb_st_i_ike_notify_request
[May 8 00:43:47]ikev2_fb_st_i_ike_notify_request: FSM_SET_NEXT:ikev2_fb_st_i_ike_psk_request
[May 8 00:43:47]iked_pm_ike_spd_notify_request: Sending Initial contact
[May 8 00:43:47]ikev2_fb_st_i_ike_psk_request: FSM_SET_NEXT:ikev2_fb_st_i_ike_psk_result
[May 8 00:43:47]ikev2_fb_st_i_ike_psk_result: FSM_SET_NEXT:ikev2_fb_st_i_ike_sa_request
[May 8 00:43:47]ikev2_fb_st_i_ike_sa_request: FSM_SET_NEXT:ikev2_fb_st_i_ike_sa_result
[May 8 00:43:47]ikev2_fb_st_i_ike_sa_request: FSM_SET_NEXT:ikev2_fb_st_i_conf_request
[May 8 00:43:47]ikev2_fb_st_i_conf_request: FSM_SET_NEXT:ikev2_fb_st_i_ike_sa_result
[May 8 00:43:47]ikev2_fb_i_p1_negotiation_negotiate: FSM_SET_NEXT:ikev2_fb_i_p1_negotiation_result
[May 8 00:43:47]ssh_ike_connect: Start, remote_name = <remote-peer>:500, xchg = 4, flags = 00040000
[May 8 00:43:47]ike_sa_allocate: Start, SA = { dddb6ca5 a2389c17 - 00000000 00000000 }
[May 8 00:43:47]ike_init_isakmp_sa: Start, remote = <remote-peer>:500, initiator = 1
[May 8 00:43:47]ssh_ike_connect: SA = { dddb6ca5 a2389c17 - 00000000 00000000}, nego = -1
[May 8 00:43:47]ike_st_o_sa_proposal: Start
[May 8 00:43:47]ike_st_o_ke: Start
[May 8 00:43:47]ike_st_o_nonce: Start
[May 8 00:43:47]ike_policy_reply_isakmp_nonce_data_len: Start
[May 8 00:43:47]ike_st_o_id: Start
[May 8 00:43:47]ike_policy_reply_isakmp_vendor_ids: Start
[May 8 00:43:47]ike_st_o_private: Start
[May 8 00:43:47]ike_policy_reply_private_payload_out: Start
[May 8 00:43:47]IKEv1 packet S(<none>:500 -> <remote-peer>:500): len= 619, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[May 8 00:43:47]ike_send_packet: Start, send SA = { dddb6ca5 a2389c17 - 00000000 00000000}, nego = -1, dst = <remote-peer>:500
[May 8 00:43:57]ike_retransmit_callback: Start, retransmit SA = { dddb6ca5 a2389c17 - 00000000 00000000}, nego = -1
[May 8 00:43:57]ike_send_packet: Start, retransmit previous packet SA = { dddb6ca5 a2389c17 - 00000000 00000000}, nego = -1, dst = <remote-peer>:500 routing table id = 0
[May 8 00:43:57]IKEv1 packet S(172.17.3.61:500 -> <remote-peer>:500): mID=00000000 (retransmit count=1)
[May 8 00:44:07]ike_retransmit_callback: Start, retransmit SA = { dddb6ca5 a2389c17 - 00000000 00000000}, nego = -1
[May 8 00:44:07]ike_send_packet: Start, retransmit previous packet SA = { dddb6ca5 a2389c17 - 00000000 00000000}, nego = -1, dst = <remote-peer>:500 routing table id = 0
[May 8 00:44:07]IKEv1 packet S(172.17.3.61:500 -> <remote-peer>:500): mID=00000000 (retransmit count=2)
[May 8 00:44:17]P1 SA 1193661 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 8 00:44:17]Initiate IKE P1 SA 1193661 delete. curr ref count 2, del flags 0x3. Reason: Internal Error: Unknown event (0)
[May 8 00:44:17]iked_pm_ike_sa_delete_done_cb: For p1 sa index 1193661, ref cnt 2, status: Error ok
[May 8 00:44:17]172.17.3.61:500 (Initiator) <-> <remote-peer>:500 { dddb6ca5 a2389c17 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Connection timed out or error, calling callback
[May 8 00:44:17]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[May 8 00:44:17]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[May 8 00:44:17]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[May 8 00:44:17]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 1193661
[May 8 00:44:17] IKEv1 Error : Timeout
[May 8 00:44:17]IPSec Rekey for SPI 0x0 failed
[May 8 00:44:17]IPSec SA done callback called for sa-cfg AZURE-vSRX-HUB-WEST-EU-VPN local:172.17.3.61, remote:<remote-peer> IKEv1 with status Timed out
[May 8 00:44:17]IKE SA delete called for p1 sa 1193661 (ref cnt 2) local:172.17.3.61, remote:<remote-peer>, IKEv1
[May 8 00:44:17]P1 SA 1193661 reference count is not zero (1). Delaying deletion of SA
[May 8 00:44:17]iked_pm_p1_sa_destroy: p1 sa 1193661 (ref cnt 0), waiting_for_del 0x129f460
[May 8 00:44:17]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[May 8 00:44:17]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[May 8 00:44:17]ike_sa_delete: Start, SA = { dddb6ca5 a2389c17 - 00000000 00000000 }
[May 8 00:44:17]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[May 8 00:45:08]kmd_iked_cfgbuf_addrec: 553: ** Allocated recptr is 0, reclen = 0 **
[May 8 00:45:08]kmd_iked_cfgbuf_addrec: 553: ** Allocated recptr is c, reclen = 0 **
[May 8 00:45:08]Error: Unknown record, type = 25

Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 03:46 AM

Hi Rishi,

The problem is not with the command. It's the VPN connection that doesn't get established. It works only with static IPs on both ends. Does your config work with a dynamic peer?


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 04:29 AM

Hello Kenny,

These logs show that there is no response to the message sent by the SRX.

I think you can follow the configuration per https://kb.juniper.net/KB28108 and configure the SRX with a local identity and specify that as the remote identity on the vSRX, instead of using the statement "set security ike dynamic hostname xxxx".

Also, ensure that port 4500 is permitted on the Azure NSG when using NAT-T.

Let us know if this helps.

Thanks,

Pranita
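A small triage script for the ikedebug output posted earlier in the thread, added here as an example (not the poster's or Juniper's code). It works on a constructed excerpt of those log lines and assumes iked marks received packets with an "R(" prefix, mirroring the "S(" on sent packets; it reproduces the diagnosis above, that the initiator sent and retransmitted but received nothing, which points at the path (UDP 500/4500 and ESP inbound) rather than at the IKE configuration.

```python
import re

# Constructed excerpt modelled on the ikedebug lines posted above (one Phase-1 attempt).
SAMPLE_LOG = """\
[May 8 00:43:47]ike_sa_allocate: Start, SA = { dddb6ca5 a2389c17 - 00000000 00000000 }
[May 8 00:43:47]IKEv1 packet S(<none>:500 -> <remote-peer>:500): len= 619, mID=00000000, HDR, SA, KE, Nonce, ID, Vid
[May 8 00:43:47]ike_send_packet: Start, send SA = { dddb6ca5 a2389c17 - 00000000 00000000}, nego = -1, dst = <remote-peer>:500
[May 8 00:43:57]IKEv1 packet S(172.17.3.61:500 -> <remote-peer>:500): mID=00000000 (retransmit count=1)
[May 8 00:44:07]IKEv1 packet S(172.17.3.61:500 -> <remote-peer>:500): mID=00000000 (retransmit count=2)
[May 8 00:44:17]172.17.3.61:500 (Initiator) <-> <remote-peer>:500 { dddb6ca5 a2389c17 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Connection timed out or error, calling callback
[May 8 00:44:17]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 1193661
"""
SENT = re.compile(r"IKEv1 packet S\(")      # packet sent by this SRX
RECV = re.compile(r"IKEv1 packet R\(")      # packet received (assumed iked prefix)
DST = re.compile(r"-> ([^:]+):(\d+)\)")     # destination peer and UDP port
RETRANS = re.compile(r"retransmit count=(\d+)")
MODE = re.compile(r"\} (Aggr|Main);")       # IKEv1 exchange mode on the SA line
P1_FAIL = re.compile(r"Phase-1 failed with error \((\w+)\) p1_sa (\d+)")

def summarize(log: str) -> dict:
    # Count packets each way, the highest retransmit count, mode and the Phase-1 outcome.
    s = {"sent": 0, "received": 0, "max_retransmit": 0, "mode": None,
         "peer": None, "port": None, "p1_error": None, "p1_sa": None}
    for line in log.splitlines():
        if SENT.search(line):
            s["sent"] += 1
            m = DST.search(line)
            if m:
                s["peer"], s["port"] = m.group(1), int(m.group(2))
            r = RETRANS.search(line)
            if r:
                s["max_retransmit"] = max(s["max_retransmit"], int(r.group(1)))
        elif RECV.search(line):
            s["received"] += 1
        m = MODE.search(line)
        if m:
            s["mode"] = m.group(1)
        m = P1_FAIL.search(line)
        if m:
            s["p1_error"], s["p1_sa"] = m.group(1), int(m.group(2))
    return s

def verdict(s: dict) -> str:
    # A timeout with zero packets received is a path problem, not a proposal mismatch.
    if s["p1_error"] == "Timeout" and s["received"] == 0:
        return ("one-way: %d sent (%d retransmits) to %s:%s, nothing received; check UDP 500/4500 "
                "and ESP are allowed inbound to the responder (Azure NSG)" % (s["sent"], s["max_retransmit"], s["peer"], s["port"]))
    if s["p1_error"]:
        return "peer answered but Phase-1 failed (%s): compare proposals, mode and identities" % s["p1_error"]
    return "no Phase-1 failure in this excerpt"
```

Run it over a full ikedebug capture (one attempt per SA cookie) to separate "no answer at all" from "answer, but negotiation failed" before changing any IKE settings.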


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 06:36 AM

Hi Pranita,

Actually, there isn't a response from the vSRX, not the SRX. The SRX in this case is the initiator. There isn't an NSG configured on the outbound and inbound network interfaces in Azure, which I guess permits all traffic. Also, all traffic is allowed inbound and outbound on the vSRX. Do you have a working configuration with a vSRX deployed in Azure?


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 08:40 AM

Hello Kenny,

As of now we do not have a working configuration from the lab. I can test it in the lab, but this might take some time.

You can follow page 99 of the document below, which has a sample configuration of an S2S VPN.

https://www.juniper.net/documentation/en_US/vsrx/information-products/pathway-pages/security-vsrx-az...

Kindly also fix the communication between the vSRX and SRX for UDP 500/4500 traffic along with protocol ESP (ID 50).

Also, please attach the RSI from the SRX and vSRX for further investigation.

Regards,

Rishi


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-08-2019 10:14 AM

Hi Rishi,

I'm certain it doesn't work. You can lab it up. I've gone through the Juniper guide. It isn't sufficient IMO. The two use cases provided are for peers with static IPs (not dynamic, as in this case) configured on both sides. I'm aware the setup isn't possible peering with Microsoft's own VPN GW. I'm surprised it doesn't work for vSRXs too.


Re: IPsec VPN between a VSRX in Azure and a dynamically assigned public IP On-premise SRX GW supported?

‎05-09-2019 04:06 AM

Hi Rishi,

It works now. Thanks for the hint. I think by default, in Azure, if no NSG is attached to an interface or subnet of a VM, traffic is allowed outbound but not inbound. I had to create an NSG, open UDP ports 50, 500, 4500 and attach it to the NIC's subnet. This had to be done since the traffic is initiated inbound to the vSRX.