SRX

IPSEC VPN traffic only works after remote side initiates first

  • 1.  IPSEC VPN traffic only works after remote side initiates first

    Posted 10-12-2014 15:24

    Hi guys, here's the problem. I have an IPSEC VPN tunnel between an SRX and Linux Openswan. Phase 1 and 2 show as up on both sides. However, from the LAN behind the SRX I cannot ping to the LAN behind Openswan until the traffic is initiated from the Openswan end first. So for example, the tunnel comes up and I leave a continuous ping running from the Juniper side to the Openswan side; it all times out, and I can leave that running for 10 minutes with no change, until I ping from the Openswan LAN side to the Juniper LAN side. That will work first time, then the continuous ping springs into action straight away and ping works in both directions. I have tried pcap but am not getting very far with it. My rules are totally open right now.

    here's my config

    interfaces {
        fe-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        at-1/0/0 {
            description internet;
            mtu 1540;
            encapsulation atm-pvc;
            atm-options {
                vpi 0;
            }
            dsl-options {
                operating-mode auto;
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop at-1/0/0.0;
            route 192.168.10.0/24 next-hop st0.0;
        }
        generate {
            route 0.0.0.0/0;
        }
    }
    protocols {
        stp;
    }
    security {
        key-protection;
        ike {
            proposal IKE-SHA-AES128-DH1 {
                authentication-method pre-shared-keys;
                dh-group group1;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            policy ike-policy-cfgr {
                mode aggressive;
                proposals IKE-SHA-AES128-DH1;
                pre-shared-key ascii-text blah; ## SECRET-DATA
            }
            gateway ike-gate-cfgr {
                ike-policy ike-policy-cfgr;
                dynamic hostname hidden;
                dead-peer-detection {
                    always-send;
                    interval 10;
                    threshold 3;
                }
                local-identity hostname hidden;
                external-interface at-1/0/0;
            }
        }
        ipsec {
            proposal IPSEC-SHA-AES128-ESP {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 28800;
            }
            policy ipsec-policy-cfgr {
                proposals IPSEC-SHA-AES128-ESP;
            }
            vpn ipsec-vpn-cfgr {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-cfgr;
                    proxy-identity {
                        local 192.168.1.0/24;
                        remote 192.168.10.0/24;
                    }
                    ipsec-policy ipsec-policy-cfgr;
                }
            }
        }
        flow {
            tcp-mss {
                ipsec-vpn {
                    mss 1350;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-vpn {
                    from zone trust;
                    to zone vpn;
                    rule NO-NAT {
                        match {
                            source-address 192.168.1.0/24;
                            destination-address 192.168.10.0/24;
                        }
                        then {
                            source-nat {
                                off;
                            }
                        }
                    }
                }
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule internet {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn to-zone trust {
                policy vpn-trust-cfgr {
                    match {
                        source-address net-cfgr_192-168-10-0--24;
                        destination-address net-cfgr_192-168-1-0--24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone vpn {
                policy trust-vpn-cfgr {
                    match {
                        source-address net-cfgr_192-168-1-0--24;
                        destination-address net-cfgr_192-168-10-0--24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address net-cfgr_192-168-1-0--24 192.168.1.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    fe-0/0/0.0;
                    fe-0/0/7.0;
                    fe-0/0/6.0;
                    fe-0/0/5.0;
                    fe-0/0/4.0;
                    fe-0/0/3.0;
                    fe-0/0/2.0;
                    fe-0/0/1.0;
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    at-1/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone vpn {
                address-book {
                    address net-cfgr_192-168-10-0--24 192.168.10.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
        }
    }

    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }



  • 2.  RE: IPSEC VPN traffic only works after remote side initiates first

    Posted 10-13-2014 00:46

    Hello there,

    Please try this

    set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately

     HTH

    Thanks

    Alex



  • 3.  RE: IPSEC VPN traffic only works after remote side initiates first

    Posted 10-13-2014 01:23


    Hi KDN,

    I need the following information:

    1. show security ike security association

    2. show security ipsec sa

    3. show security ipsec sa index x detail

    4. show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y

    x.x.x.x == LAN PC IP behind the SRX, y.y.y.y == PC IP behind the remote firewall LAN

    5. show security flow session tunnel

    6. show route <external IP address of the remote firewall>

    After collecting the above outputs, try configuring the st0.0 and at-1/0/0 interfaces in the same security zone and test it.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 4.  RE: IPSEC VPN traffic only works after remote side initiates first

    Posted 10-13-2014 03:11

    Hi Alex, tried that, didn't make any difference though 😞

    root@JuniperSRX> show security ike sa
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    8243888 UP     e8e4ea4595db7795  e9ecba5c9177dbec  Aggressive     49.227.80.228

    root@JuniperSRX> show security ipsec sa
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
      <133955613 ESP:aes-128/sha1 9e208f19 28648/unlim - root 500 49.227.80.228
      >133955613 ESP:aes-128/sha1 f6c0592d 28648/unlim - root 500 49.227.80.228

    root@JuniperSRX> show security ipsec sa index 133955613 detail
      ID: 133955613 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
      Local Gateway: 111.69.192.19, Remote Gateway: 49.227.80.228
      Local Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
      Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.10.0/24)
      Version: IKEv1
        DF-bit: clear
        Bind-interface: st0.0

        Direction: inbound, SPI: 9e208f19, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 28625 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 28051 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64

        Direction: outbound, SPI: f6c0592d, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 28625 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 28051 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64

    root@JuniperSRX> ...ix 192.168.1.0/24 destination-prefix 192.168.10.0/24
    Session ID: 2113, Policy name: trust-vpn-cfgr/5, Timeout: 24, Valid
      In: 192.168.1.100/7 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
      Out: 192.168.10.1/1 --> 192.168.1.100/7;icmp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 2342, Policy name: trust-vpn-cfgr/5, Timeout: 8, Valid
      In: 192.168.1.100/50969 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50969;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 2611, Policy name: trust-vpn-cfgr/5, Timeout: 12, Valid
      In: 192.168.1.100/50974 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50974;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 3135, Policy name: trust-vpn-cfgr/5, Timeout: 20, Valid
      In: 192.168.1.100/50976 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 1, Bytes: 52
      Out: 192.168.10.1/80 --> 192.168.1.100/50976;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 3686, Policy name: trust-vpn-cfgr/5, Timeout: 28, Valid
      In: 192.168.1.100/8 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
      Out: 192.168.10.1/1 --> 192.168.1.100/8;icmp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 4200, Policy name: trust-vpn-cfgr/5, Timeout: 34, Valid
      In: 192.168.1.100/9 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
      Out: 192.168.10.1/1 --> 192.168.1.100/9;icmp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 4486, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
      In: 192.168.1.100/50973 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50973;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 4749, Policy name: trust-vpn-cfgr/5, Timeout: 2, Valid
      In: 192.168.1.100/50968 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50968;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 5926, Policy name: trust-vpn-cfgr/5, Timeout: 20, Valid
      In: 192.168.1.100/50975 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 1, Bytes: 52
      Out: 192.168.10.1/80 --> 192.168.1.100/50975;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 8014, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
      In: 192.168.1.100/50971 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50971;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 8026, Policy name: trust-vpn-cfgr/5, Timeout: 58, Valid
      In: 192.168.1.100/12 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
      Out: 192.168.10.1/1 --> 192.168.1.100/12;icmp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 13997, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
      In: 192.168.1.100/50972 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50972;tcp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 21807, Policy name: trust-vpn-cfgr/5, Timeout: 38, Valid
      In: 192.168.1.100/10 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
      Out: 192.168.10.1/1 --> 192.168.1.100/10;icmp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 28643, Policy name: trust-vpn-cfgr/5, Timeout: 52, Valid
      In: 192.168.1.100/11 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
      Out: 192.168.10.1/1 --> 192.168.1.100/11;icmp, If: st0.0, Pkts: 0, Bytes: 0

    Session ID: 32454, Policy name: trust-vpn-cfgr/5, Timeout: 8, Valid
      In: 192.168.1.100/50970 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50970;tcp, If: st0.0, Pkts: 0, Bytes: 0
    Total sessions: 15

    root@JuniperSRX> show security flow session tunnel
    Session ID: 3093, Policy name: N/A, Timeout: N/A, Valid
      In: 49.227.80.228/40480 --> 111.69.192.19/36633;esp, If: at-1/0/0.0, Pkts: 0, Bytes: 0

    Session ID: 5024, Policy name: N/A, Timeout: N/A, Valid
      In: 49.227.80.228/0 --> 111.69.192.19/0;esp, If: at-1/0/0.0, Pkts: 0, Bytes: 0
    Total sessions: 2

    root@JuniperSRX> show route

    inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:25:25
                        > via at-1/0/0.0
                        [Aggregate/130] 1d 08:03:37
                        > via at-1/0/0.0
    111.69.17.16/32    *[Direct/0] 00:25:25
                        > via at-1/0/0.0
    111.69.192.19/32   *[Local/0] 00:25:25
                          Local via at-1/0/0.0
    192.168.1.0/24     *[Direct/0] 00:25:54
                        > via vlan.0
    192.168.1.1/32     *[Local/0] 1d 08:03:11
                          Local via vlan.0
    192.168.10.0/24    *[Static/5] 00:06:26
                        > via st0.0

    I added st0.0 to zone untrust and rebooted the router, but it is still the same thing: a ping from one direction will work and enable bidirectional ping, but a ping from the Juniper LAN will fail until this happens.



  • 5.  RE: IPSEC VPN traffic only works after remote side initiates first
    Best Answer

    Posted 10-13-2014 03:20

    Hi KDN,

    Looking at the following output:

    Session ID: 13997, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
      In: 192.168.1.100/50972 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
      Out: 192.168.10.1/80 --> 192.168.1.100/50972;tcp, If: st0.0, Pkts: 0, Bytes: 0 <<<<<<<<<<<<<<< no reply

    The source wing has 3 packets sent, but the return packet count is 0.

    From this output, the SRX is indeed creating the session and forwarding it correctly on the VPN tunnel,

    but there is no return connection from the remote firewall.

    Kindly work on the remote firewall side to verify why they are not replying to the connection request from the SRX side.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
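The check rparthi applies by eye above (an In wing that carried packets, an Out wing on st0.0 that carried none) can be automated over saved CLI output, which also covers the flow-session outputs requested in reply 3. This is an added example, not code from the thread: the session text is a constructed sample modelled on the output posted above, and the parser assumes the exact line layout shown there.

```python
import re

# Constructed sample, modelled on the "show security flow session" output in the thread.
SAMPLE = """\
Session ID: 13997, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
  In: 192.168.1.100/50972 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50972;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 2113, Policy name: trust-vpn-cfgr/5, Timeout: 24, Valid
  In: 192.168.1.100/7 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 192.168.10.1/1 --> 192.168.1.100/7;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 40001, Policy name: trust-vpn-cfgr/5, Timeout: 1800, Valid
  In: 192.168.1.100/50990 --> 192.168.10.1/22;tcp, If: vlan.0, Pkts: 12, Bytes: 1440
  Out: 192.168.10.1/22 --> 192.168.1.100/50990;tcp, If: st0.0, Pkts: 11, Bytes: 1980
Total sessions: 3
"""

HEADER = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+),")
WING = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return one dict per session with its In/Out wings attached (other lines are ignored)."""
    sessions, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = {"id": int(h.group(1)), "policy": h.group(2), "wings": {}}
            sessions.append(cur)
            continue
        w = WING.match(line)
        if w and cur is not None:
            cur["wings"][w.group(1)] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "iface": w.group(5), "pkts": int(w.group(6)), "bytes": int(w.group(7)),
            }
    return sessions

def one_way_sessions(sessions, tunnel_if="st0.0"):
    """Sessions sent into the tunnel interface whose Out wing never saw a packet: no reply from the far end."""
    hits = []
    for s in sessions:
        i, o = s["wings"].get("In"), s["wings"].get("Out")
        if i and o and o["iface"] == tunnel_if and i["pkts"] > 0 and o["pkts"] == 0:
            hits.append((s["id"], i["proto"], i["src"], i["dst"]))
    return hits

if __name__ == "__main__":
    print(one_way_sessions(parse_sessions(SAMPLE)))
```

Sessions the function returns are the ones to take to the remote side's logs; a session with a non-zero Out count on st0.0 (the third sample above) shows the tunnel carrying replies and is not flagged.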



  • 6.  RE: IPSEC VPN traffic only works after remote side initiates first

    Posted 11-06-2018 06:01

    Hi,

    I am experiencing exactly the same issue and I was wondering if you finally got a solution or not.

    Thanks, and best regards,

    Pablo