
S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

‎04-19-2019 02:53 AM

Hi all,

 

I'd like to know if it's possible to set up a S2S VPN between a vSRX VM in Azure (using the ge-0/0/0 public interface) and an on-premise NATted chassis-clustered SRX? I tried creating the setup but the VPN doesn't come up.

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

‎04-19-2019 05:23 AM

Hi,

 

Yes, it should work. What kind of NATting is there on the SRX? What error do you see when the VPN fails?

 

 

Thanks,

Vikas

 

 

 

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

‎04-19-2019 02:28 PM

Hi Vikas,

 

Thanks for your reply. Here are my configs/logs for your review:

SRX550 Chassis Cluster Config:

 

set security ipsec vpn azure-hub-west-eu-vm1-vpn bind-interface st0.0
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike gateway hub-west-eu-vm1
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike ipsec-policy hub-west-eu
set security ipsec vpn azure-hub-west-eu-vm1-vpn establish-tunnels immediately
set security ike gateway hub-west-eu-vm1 ike-policy hub-west-eu
set security ike gateway hub-west-eu-vm1 address <remote_pub_ip>
set security ike gateway hub-west-eu-vm1 dead-peer-detection interval 10
set security ike gateway hub-west-eu-vm1 dead-peer-detection threshold 3
set security ike gateway hub-west-eu-vm1 local-identity inet <local_pub_ip>
set security ike gateway hub-west-eu-vm1 remote-identity inet <remote_pub_ip>
set security ike gateway hub-west-eu-vm1 external-interface reth0.0
set security ike policy hub-west-eu mode main
set security ike policy hub-west-eu proposals hub-west-eu
set security ike policy hub-west-eu pre-shared-key ascii-text <key>
set security ike proposal hub-west-eu authentication-method pre-shared-keys
set security ike proposal hub-west-eu dh-group group24
set security ike proposal hub-west-eu authentication-algorithm sha-256
set security ike proposal hub-west-eu encryption-algorithm aes-256-cbc
set security ike proposal hub-west-eu lifetime-seconds 86400
set security ipsec proposal hub-west-eu protocol esp
set security ipsec proposal hub-west-eu authentication-algorithm hmac-sha-256-128
set security ipsec proposal hub-west-eu encryption-algorithm aes-256-cbc
set security ipsec proposal hub-west-eu lifetime-seconds 3600
set security ipsec policy hub-west-eu perfect-forward-secrecy keys group24
set security ipsec policy hub-west-eu proposals hub-west-eu
set security ipsec vpn azure-hub-west-eu-vm1-vpn bind-interface st0.0
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike gateway hub-west-eu-vm1
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike ipsec-policy hub-west-eu
set security ipsec vpn azure-hub-west-eu-vm1-vpn establish-tunnels immediately
set interfaces st0 unit 0 description Tunnel_Interface
set interfaces st0 unit 0 family inet
set routing-instances VR-1 instance-type virtual-router
set routing-instances VR-1 interface reth7.546
set routing-instances VR-1 interface st0.0
set routing-instances VR-1 routing-options static route 0.0.0.0/0 next-hop 164.16.28.177
set routing-instances VR-1 routing-options static route 10.3.2.0/24 next-hop st0.0
set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic system-services ike
set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic protocols ospf

 

vSRX VM Azure Config:

set security ike traceoptions file ike-trace-log
set security ike traceoptions flag all
set security ike proposal srxcl1-shared authentication-method pre-shared-keys
set security ike proposal srxcl1-shared dh-group group24
set security ike proposal srxcl1-shared authentication-algorithm sha-256
set security ike proposal srxcl1-shared encryption-algorithm aes-256-cbc
set security ike proposal srxcl1-shared lifetime-seconds 86400
set security ike proposal vsrx-hub-vm2 authentication-method pre-shared-keys
set security ike proposal vsrx-hub-vm2 dh-group group24
set security ike proposal vsrx-hub-vm2 authentication-algorithm sha-256
set security ike proposal vsrx-hub-vm2 encryption-algorithm aes-256-cbc
set security ike proposal vsrx-hub-vm2 lifetime-seconds 86400
set security ike policy srxcl1-shared mode main
set security ike policy srxcl1-shared proposals srxcl1-shared
set security ike policy srxcl1-shared pre-shared-key ascii-text <key>
set security ike policy vsrx-hub-vm2 mode main
set security ike policy vsrx-hub-vm2 proposals vsrx-hub-vm2
set security ike policy vsrx-hub-vm2 pre-shared-key ascii-text <key>
set security ike gateway srxcl1-shared ike-policy srxcl1-shared
set security ike gateway srxcl1-shared address <remote_pub_ip>
set security ike gateway srxcl1-shared dead-peer-detection interval 10
set security ike gateway srxcl1-shared dead-peer-detection threshold 3
set security ike gateway srxcl1-shared local-identity inet <local_pub_ip>
set security ike gateway srxcl1-shared remote-identity inet <remote_pub_ip>
set security ike gateway srxcl1-shared external-interface ge-0/0/0.0
set security ike gateway vsrx-hub-vm2 ike-policy vsrx-hub-vm2
set security ike gateway vsrx-hub-vm2 address <remote_pub_ip>
set security ike gateway vsrx-hub-vm2 dead-peer-detection interval 10
set security ike gateway vsrx-hub-vm2 dead-peer-detection threshold 3
set security ike gateway vsrx-hub-vm2 local-identity inet <local_pub_ip>
set security ike gateway vsrx-hub-vm2 remote-identity inet <remote_pub_ip>
set security ike gateway vsrx-hub-vm2 external-interface ge-0/0/0.0
set security ipsec traceoptions flag all
set security ipsec proposal srxcl1-shared protocol esp
set security ipsec proposal srxcl1-shared authentication-algorithm hmac-sha-256-128
set security ipsec proposal srxcl1-shared encryption-algorithm aes-256-cbc
set security ipsec proposal srxcl1-shared lifetime-seconds 3600
set security ipsec proposal vsrx-hub-vm2 protocol esp
set security ipsec proposal vsrx-hub-vm2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal vsrx-hub-vm2 encryption-algorithm aes-256-cbc
set security ipsec proposal vsrx-hub-vm2 lifetime-seconds 3600
set security ipsec policy srxcl1-shared perfect-forward-secrecy keys group24
set security ipsec policy srxcl1-shared proposals srxcl1-shared
set security ipsec policy vsrx-hub-vm2 perfect-forward-secrecy keys group24
set security ipsec policy vsrx-hub-vm2 proposals vsrx-hub-vm2
set security ipsec vpn srxcl1-shared-vpn bind-interface st0.0
set security ipsec vpn srxcl1-shared-vpn ike gateway srxcl1-shared
set security ipsec vpn srxcl1-shared-vpn ike ipsec-policy srxcl1-shared
set security ipsec vpn srxcl1-shared-vpn establish-tunnels immediately
set security ipsec vpn vsrx-hub-vm2-vpn bind-interface st0.0
set security ipsec vpn vsrx-hub-vm2-vpn ike gateway vsrx-hub-vm2
set security ipsec vpn vsrx-hub-vm2-vpn ike ipsec-policy vsrx-hub-vm2
set security ipsec vpn vsrx-hub-vm2-vpn establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone vpn policy default-permit match source-address any
set security policies from-zone trust to-zone vpn policy default-permit match destination-address any
set security policies from-zone trust to-zone vpn policy default-permit match application any
set security policies from-zone trust to-zone vpn policy default-permit then permit
set security policies from-zone vpn to-zone trust policy default-permit match source-address any
set security policies from-zone vpn to-zone trust policy default-permit match destination-address any
set security policies from-zone vpn to-zone trust policy default-permit match application any
set security policies from-zone vpn to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.3.1.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.3.2.4/24
set interfaces fxp0 unit 0
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet
set routing-instances VR-1 instance-type virtual-router
set routing-instances VR-1 interface ge-0/0/0.0
set routing-instances VR-1 interface ge-0/0/1.0
set routing-instances VR-1 interface st0.0

 

IKE logs as seen from the vSRX VM on Azure:

[Apr 19 23:16:30]ike_send_packet: Start, retransmit previous packet SA = { 1aa9a650 57558549 - 530ebb04 ff2c9fc3}, nego = -1, dst = <remote_pub_ip>:55518 routing table id = 5
[Apr 19 23:16:30]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:55518): mID=00000000 (retransmit count=2)
[Apr 19 23:16:40]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:55518 { 1aa9a650 57558549 - 530ebb04 ff2c9fc3 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[Apr 19 23:16:40]IKE SA delete called for p1 sa 3032206 (ref cnt 2) local:10.3.1.4, remote:<remote_pub_ip>, IKEv1
[Apr 19 23:17:05]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:17:05]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
[Apr 19 23:17:05]ike_init_isakmp_sa: Start, remote = <remote_pub_ip>:54649, initiator = 0
[Apr 19 23:17:05]IKEv1 packet R(<none>:500 <- <remote_pub_ip>:500): len= 288, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:17:05]IKEv1 packet S(<none>:500 -> <remote_pub_ip>:500): len= 196, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:17:05]ike_send_packet: Start, send SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649
[Apr 19 23:17:14]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:17:14]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
[Apr 19 23:17:15]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
[Apr 19 23:17:15]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=1)
[Apr 19 23:17:24]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:17:24]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
[Apr 19 23:17:25]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
[Apr 19 23:17:25]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=2)
[Apr 19 23:17:35]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:54649 { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[Apr 19 23:17:35]IKE SA delete called for p1 sa 3032209 (ref cnt 2) local:10.3.1.4, remote:<remote_pub_ip>, IKEv1
[Apr 19 23:18:00]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:18:00]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
[Apr 19 23:18:00]ike_init_isakmp_sa: Start, remote = <remote_pub_ip>:62940, initiator = 0
[Apr 19 23:18:00]IKEv1 packet R(<none>:500 <- <remote_pub_ip>:500): len= 288, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:18:00]IKEv1 packet S(<none>:500 -> <remote_pub_ip>:500): len= 196, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:18:00]ike_send_packet: Start, send SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940
[Apr 19 23:18:09]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:18:09]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
[Apr 19 23:18:10]ike_send_packet: Start, retransmit previous packet SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940 routing table id = 5
[Apr 19 23:18:10]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:62940): mID=00000000 (retransmit count=1)
[Apr 19 23:18:18]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:18:18]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
[Apr 19 23:18:20]ike_send_packet: Start, retransmit previous packet SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940 routing table id = 5
[Apr 19 23:18:20]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:62940): mID=00000000 (retransmit count=2)

[edit]

 

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

‎04-19-2019 02:32 PM

Here are the IKE logs as seen from the SRX550:

 


[Apr 19 23:21:10]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00000000 00000000}, nego = -1, dst = <remote_pub_ip>:500 routing table id = 0
[Apr 19 23:21:20]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00000000 00000000}, nego = -1, dst = <remote_pub_ip>:500 routing table id = 0
[Apr 19 23:21:30]164.16.29.210:500 (Initiator) <-> <remote_pub_ip>:500 { 54e5ac7f a4ee5357 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[Apr 19 23:21:30]IPSec SA done callback called for sa-cfg azure-hub-west-eu-vm1-vpn local:164.16.29.210, remote:<remote_pub_ip> IKEv1 with status Timed out
[Apr 19 23:21:30]IKE SA delete called for p1 sa 6128617 (ref cnt 1) local:164.16.29.210, remote:<remote_pub_ip>, IKEv1

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

‎04-19-2019 02:44 PM

One more thing...

The vSRX VM in Azure has an NSG attached to the public subnet (10.3.1.0/24) which allows IKE/IPSEC ports 50, 500, 4500.

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

‎04-19-2019 10:59 PM
Hi,

It looks like the SRX is initiating the IKE exchange, not getting any response, and then clearing it.

What do you see on the vSRX? Do you even see the same IKE traffic coming to the vSRX?

"monitor traffic interface ge-0/0/0" and the IKE session details ("show security flow session", etc.) may help on the vSRX.

Thanks and Regards
Vikas Singh
vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

‎04-20-2019 12:07 AM

Sorry, I noticed that you have given logs from the vSRX as well. I see the below events matching the IKE cookies:

 

[Apr 19 23:17:25]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
[Apr 19 23:17:25]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=2)
[Apr 19 23:17:35]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:54649 { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback

 

The vSRX is responding to the IKE packets, and the SRX logs don't show any such response.

 

In the IKE session on the SRX, do you see the bidirectional packet count increasing? Or do you see bidirectional traffic on the SRX? You can use "monitor traffic interface <interface>" or a firewall filter on the SRX to check whether the SRX is receiving the IKE response or not. Depending on the results, we need to troubleshoot on the appropriate device.

 

Thanks,

Vikas

 

 

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

a month ago

Hi Vikas,

 

Here are the debug logs:

 

From the vSRX:

 

kakala@vsrx-hub-west-eu-vm1> show security flow session
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 54, Valid
In: <remote_pub_ip>/500 --> 10.3.1.4/500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 52, Bytes: 16432,
Out: 10.3.1.4/500 --> <remote_pub_ip>/500;udp, Conn Tag: 0x0, If: .local..5, Pkts: 0, Bytes: 0,

 

kakala@vsrx-hub-west-eu-vm1> show security flow session
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 22, Valid
In: <remote_pub_ip>/500 --> 10.3.1.4/500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 53, Bytes: 16748,
Out: 10.3.1.4/500 --> <remote_pub_ip>/500;udp, Conn Tag: 0x0, If: .local..5, Pkts: 0, Bytes: 0,

 

kakala@vsrx-hub-west-eu-vm1> monitor traffic interface ge-0/0/0.0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0.0, capture size 96 bytes

Reverse lookup for 10.3.1.4 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

00:48:48.859235 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
00:48:55.751912 In IP <remote_pub_ip>.55156 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
00:49:04.548278 In IP <remote_pub_ip>.55156 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
00:49:13.341595 In IP <remote_pub_ip>.55156 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
00:49:24.046824 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
00:49:32.831305 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
00:49:41.626288 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
00:49:48.516424 In IP <remote_pub_ip>.63679 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]

 

From the SRX:

00:46:03.905561 Out IP truncated-ip - 256 bytes missing! 164.16.29.210.isakmp > <remote_pub_ip>.isakmp: isakmp: phase 1 I ident: [|sa]


kakala@srxCL-1-shared# run show security flow session destination-prefix <remote_pub_ip>
node0:
--------------------------------------------------------------------------

Session ID: 191857, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 164.16.29.210/500 --> <remote_pub_ip>/500;udp, If: .local..0, Pkts: 7229, Bytes: 2284364
Out: <remote_pub_ip>/500 --> 164.16.29.210/500;udp, If: reth0.0, Pkts: 0, Bytes: 0
Total sessions: 1

node1:
--------------------------------------------------------------------------

Session ID: 206104, Policy name: self-traffic-policy/1, State: Backup, Timeout: 1256, Valid
In: 164.16.29.210/500 --> <remote_pub_ip>/500;udp, If: .local..0, Pkts: 0, Bytes: 0
Out: <remote_pub_ip>/500 --> 164.16.29.210/500;udp, If: reth0.0, Pkts: 0, Bytes: 0
Total sessions: 1

{primary:node0}[edit]
kakala@srxCL-1-shared#

 

The vSRX is obviously not sending IKE packets to the SRX, and the SRX has its internet zone configured to receive traffic from all networks. The vSRX VM also has an NSG applied to its outbound interface which permits all traffic too. So I really don't know where the problem might be.

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

a month ago

Hi,

 

The IKE debugs seem to show the packet being sent; however, the same is not seen in the flow session.

 

1: What route do you see for the IP <remote_pub_ip> in the vSRX?

    show route <remote_pub_ip>

    show route

 

2: What MAC address do you see for ge-0/0/0 in the vSRX?

     show interface ge-0/0/0 | match hard

 

3: What's the version of the vSRX?

     show version

 

Thanks,

Vikas
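The check Vikas is asking for above (an IKE flow session that only ever counts packets in one direction) can be automated over the "show security flow session" output, including the node0/node1 form from a chassis cluster. This is an added example, not code from the thread or from Juniper; the session text is constructed from the format posted in this thread, with 203.0.113.10 standing in for <remote_pub_ip>.

```python
import re

# Constructed samples modelled on the 'show security flow session' output posted in this
# thread; 203.0.113.10 stands in for the thread's <remote_pub_ip> placeholder.
VSRX_SAMPLE = """\
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 54, Valid
In: 203.0.113.10/500 --> 10.3.1.4/500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 52, Bytes: 16432,
Out: 10.3.1.4/500 --> 203.0.113.10/500;udp, Conn Tag: 0x0, If: .local..5, Pkts: 0, Bytes: 0,
"""
SRX_CLUSTER_SAMPLE = """\
node0:
--------------------------------------------------------------------------
Session ID: 191857, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 164.16.29.210/500 --> 203.0.113.10/500;udp, If: .local..0, Pkts: 7229, Bytes: 2284364
Out: 203.0.113.10/500 --> 164.16.29.210/500;udp, If: reth0.0, Pkts: 0, Bytes: 0
Total sessions: 1
node1:
--------------------------------------------------------------------------
Session ID: 206104, Policy name: self-traffic-policy/1, State: Backup, Timeout: 1256, Valid
In: 164.16.29.210/500 --> 203.0.113.10/500;udp, If: .local..0, Pkts: 0, Bytes: 0
Out: 203.0.113.10/500 --> 164.16.29.210/500;udp, If: reth0.0, Pkts: 0, Bytes: 0
Total sessions: 1
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+),(?: State: (\w+),)? Timeout: (\d+)")
WING_RE = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),(?: Conn Tag: \S+,)?"
                     r" If: (\S+), Pkts: (\d+), Bytes: (\d+)")
IKE_PORTS = (500, 4500)


def parse_flow_sessions(text):
    """Parse session blocks (standalone box or per cluster node) into dicts."""
    sessions, node, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("node") and line.endswith(":"):
            node = line[:-1]  # cluster output is grouped under 'node0:' / 'node1:'
            continue
        m = SESSION_RE.match(line)
        if m:
            current = {"node": node, "id": int(m.group(1)), "policy": m.group(2),
                       "state": m.group(3) or "Active", "timeout": int(m.group(4)), "wings": {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current["wings"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)), "dst": m.group(4),
                "dport": int(m.group(5)), "proto": m.group(6), "iface": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9))}
    return sessions


def find_one_way_ike(sessions):
    """Flag Active IKE sessions (UDP/500 or 4500) whose reverse wing never carried a packet.

    Zero packets on the '.local.' wing means this box never emitted its reply (egress route
    or VR problem, as in this thread); zero on the physical wing means the peer's packets
    never arrived (path, NAT or filtering). Backup sessions on the standby node are skipped.
    """
    findings = []
    for s in sessions:
        w = s["wings"]
        if s["state"] != "Active" or "In" not in w or "Out" not in w:
            continue
        if w["In"]["proto"] != "udp" or w["In"]["dport"] not in IKE_PORTS:
            continue
        in_is_local = w["In"]["iface"].startswith(".local.")
        peer = w["In"]["dst"] if in_is_local else w["In"]["src"]
        for side, other in (("In", "Out"), ("Out", "In")):
            if w[side]["pkts"] == 0 and w[other]["pkts"] > 0:
                local = w[side]["iface"].startswith(".local.")
                findings.append({"node": s["node"], "session": s["id"], "peer": peer,
                                 "diagnosis": "replies-not-leaving-box" if local
                                 else "no-reply-from-peer"})
    return findings
```

Run against the two samples it reports "replies-not-leaving-box" for the vSRX session and "no-reply-from-peer" for node0 on the SRX, which is exactly the split that points the troubleshooting at the vSRX's egress routing rather than at the SRX.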

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

a month ago

Hi Vikas,

 

I wanted to clarify something as regards the routing on the vSRX. I have a default route in the VR-1 routing-instance pointing to a next-hop gateway I'm not certain about. I'm not sure which GW IP to route to, so I used 10.3.1.1 as the next-hop GW IP but can't reach the internet via this gateway. The only path to the internet is via the fxp0 interface, which of course can't be used as the IKE GW interface. Any way around this, i.e. reaching the internet via VR-1... perhaps the wrong GW was configured? I guess this may be the reason there aren't outgoing packets from the vSRX.

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

a month ago
Hi,

Your deployment is fine. We segregate the fxp and the ge traffic using the VRs; each VR will have a default gateway accordingly. The first IP from Azure's "virtual network/subnet" is used as the default gateway, so if 10.3.1.1 is the first IP then it's fine.

1: Are you able to ping 10.3.1.1 from the VR-1 routing-instance?
ping 10.3.1.1 routing-instance VR-1

2: Is your configured routing showing up in the routing table ("show route")?

3: There is also a bug related to the interface MAC, so please check the MAC address of the interface.
show interface ge-0/0/0 | match hard

Thanks and Regards
Vikas Singh
vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

a month ago

Hi Vikas,

 

As requested:

 


kakala@vsrx-hub-west-eu-vm1# run show interfaces ge-0/0/0 | match hard
Current address: 00:0d:3a:27:51:ff, Hardware address: 00:0d:3a:27:51:ff

[edit]
kakala@vsrx-hub-west-eu-vm1# run show version
Hostname: vsrx-hub-west-eu-vm1
Model: vsrx
Junos: 15.1X49-D120.3
JUNOS Software Release [15.1X49-D120.3]

[edit]

kakala@vsrx-hub-west-eu-vm1# run show route

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:05:38
> to 192.168.2.1 via fxp0.0
192.168.2.0/30 *[Direct/0] 00:05:40
> via fxp0.0
192.168.2.2/32 *[Local/0] 00:05:40
Local via fxp0.0

VR-1.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:00:39
> to 10.3.1.1 via ge-0/0/0.0
10.3.1.0/24 *[Direct/0] 00:00:39
> via ge-0/0/0.0
10.3.1.4/32 *[Local/0] 00:00:39
Local via ge-0/0/0.0
10.3.2.0/24 *[Direct/0] 00:05:39
> via ge-0/0/1.0
10.3.2.4/32 *[Local/0] 00:05:39
Local via ge-0/0/1.0

kakala@vsrx-hub-west-eu-vm1# run show route <remote_pub_ip>

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:03:38
> to 192.168.2.1 via fxp0.0

VR-1.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:01:12
> to 10.3.1.1 via ge-0/0/0.0

[edit]
kakala@vsrx-hub-west-eu-vm1#

vSRX

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

a month ago

Hi Vikas,

 

kakala@vsrx-hub-west-eu-vm1# run ping routing-instance VR-1 10.3.1.1
PING 10.3.1.1 (10.3.1.1): 56 data bytes

 

10.3.1.1 is not reachable. 

 

10.3.1.4 is the first usable address in the 10.3.1.0/24 subnet and what was configured on the interface card attached to the VM. So are you saying 10.3.1.1 (one of the reserved addresses) should be the default GW?

vSRX
Solution
Accepted by topic author kenny_01
a month ago

Re: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

a month ago

Hello Vikas,

 

I figured out the problem. I forgot to associate the untrust (ge-0/0/0) subnet with the internet route table I created. Now the internet is reachable in the VR-1 instance and the VPN tunnel comes up.

 

Thanks.