SRX

Hi guys heres the problem, I have an IPSEC VPN tunnel between an SRX and linux openswan. phase 1 and 2 show as up on both sides. However from the LAN behind the SRX I cannot ping to the LAN behind openswan until the traffic is initaited from the openswan end first. So for example, the tunnel comes up and I leave a contiuous ping running from Juniper side to the openswan side, it all times out, can leave that running for 10 minutes no change until I ping from the openswan lan side to the juniper lan side it will work first time, then the contious ping spring into action straight away and ping works in both directions. I have tried pcap but not getting very far with it. My rules are totally open right now.

heres my config

interfaces {
fe-0/0/0 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-trust;
}
}
}
}
at-1/0/0 {
description internet;
mtu 1540;
encapsulation atm-pvc;
atm-options {
vpi 0;
}
dsl-options {
operating-mode auto;
}
}
st0 {
unit 0 {
family inet;
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop at-1/0/0.0;
route 192.168.10.0/24 next-hop st0.0;
}
generate {
route 0.0.0.0/0;
}
}
protocols {
stp;
}
security {
key-protection;
ike {
proposal IKE-SHA-AES128-DH1 {
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy ike-policy-cfgr {
mode aggressive;
proposals IKE-SHA-AES128-DH1;
pre-shared-key ascii-text blah ## SECRET-DATA
}
gateway ike-gate-cfgr {
ike-policy ike-policy-cfgr;
dynamic hostname hidden;
dead-peer-detection {
always-send;
interval 10;
threshold 3;
}
local-identity hostname hidden;
external-interface at-1/0/0;
}
}
ipsec {
proposal IPSEC-SHA-AES128-ESP {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
policy ipsec-policy-cfgr {
proposals IPSEC-SHA-AES128-ESP;
}
vpn ipsec-vpn-cfgr {
bind-interface st0.0;
ike {
gateway ike-gate-cfgr;
proxy-identity {
local 192.168.1.0/24;
remote 192.168.10.0/24;
}
ipsec-policy ipsec-policy-cfgr;
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
nat {
source {
rule-set trust-to-vpn {
from zone trust;
to zone vpn;
rule NO-NAT {
match {
source-address 192.168.1.0/24;
destination-address 192.168.10.0/24;
}
then {
source-nat {
off;
}
}
}
}
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule internet {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-trust-cfgr {
match {
source-address net-cfgr_192-168-10-0--24;
destination-address net-cfgr_192-168-1-0--24;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn {
policy trust-vpn-cfgr {
match {
source-address net-cfgr_192-168-1-0--24;
destination-address net-cfgr_192-168-10-0--24;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
address net-cfgr_192-168-1-0--24 192.168.1.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
fe-0/0/0.0;
fe-0/0/7.0;
fe-0/0/6.0;
fe-0/0/5.0;
fe-0/0/4.0;
fe-0/0/3.0;
fe-0/0/2.0;
fe-0/0/1.0;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
at-1/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone vpn {
address-book {
address net-cfgr_192-168-10-0--24 192.168.10.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
}

vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}

Hello there,

Please try this

set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately

 HTH

Thanks

Alex

Hi KDN,

I need the following information:

1. show security ike security association

2. show security ipsec sa

3. show security ipsec sa index x detail

4. show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y

x.x.x.x ==LAN PC ip from behind SRX , y.y.y.y == PC ip behind remote firewall lan

5. show security flow session tunnel

6. show route External ip address of Remote Firewall.

After collecting the above outputs , try configure St0.0 and at-1/0/0 interfaces in same security zone and test it.

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Hi Alex, tried that, didnt make any difference though 😞

root@JuniperSRX> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
8243888 UP     e8e4ea4595db7795  e9ecba5c9177dbec  Aggressive     49.227.80.228

root@JuniperSRX> show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <133955613 ESP:aes-128/sha1 9e208f19 28648/unlim - root 500 49.227.80.228
  >133955613 ESP:aes-128/sha1 f6c0592d 28648/unlim - root 500 49.227.80.228

root@JuniperSRX> show security ipsec sa index 133955613 detail
  ID: 133955613 Virtual-system: root, VPN Name: ipsec-vpn-cfgr
  Local Gateway: 111.69.192.19, Remote Gateway: 49.227.80.228
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.10.0/24)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

    Direction: inbound, SPI: 9e208f19, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28625 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 28051 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: f6c0592d, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28625 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 28051 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

root@JuniperSRX> ...ix 192.168.1.0/24 destination-prefix 192.168.10.0/24
Session ID: 2113, Policy name: trust-vpn-cfgr/5, Timeout: 24, Valid
  In: 192.168.1.100/7 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 192.168.10.1/1 --> 192.168.1.100/7;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 2342, Policy name: trust-vpn-cfgr/5, Timeout: 8, Valid
  In: 192.168.1.100/50969 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50969;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 2611, Policy name: trust-vpn-cfgr/5, Timeout: 12, Valid
  In: 192.168.1.100/50974 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50974;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 3135, Policy name: trust-vpn-cfgr/5, Timeout: 20, Valid
  In: 192.168.1.100/50976 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 1, Bytes: 52
  Out: 192.168.10.1/80 --> 192.168.1.100/50976;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 3686, Policy name: trust-vpn-cfgr/5, Timeout: 28, Valid
  In: 192.168.1.100/8 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 192.168.10.1/1 --> 192.168.1.100/8;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 4200, Policy name: trust-vpn-cfgr/5, Timeout: 34, Valid
  In: 192.168.1.100/9 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 192.168.10.1/1 --> 192.168.1.100/9;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 4486, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
  In: 192.168.1.100/50973 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50973;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 4749, Policy name: trust-vpn-cfgr/5, Timeout: 2, Valid
  In: 192.168.1.100/50968 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50968;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 5926, Policy name: trust-vpn-cfgr/5, Timeout: 20, Valid
  In: 192.168.1.100/50975 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 1, Bytes: 52
  Out: 192.168.10.1/80 --> 192.168.1.100/50975;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 8014, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
  In: 192.168.1.100/50971 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50971;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 8026, Policy name: trust-vpn-cfgr/5, Timeout: 58, Valid
  In: 192.168.1.100/12 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 192.168.10.1/1 --> 192.168.1.100/12;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 13997, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
  In: 192.168.1.100/50972 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50972;tcp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 21807, Policy name: trust-vpn-cfgr/5, Timeout: 38, Valid
  In: 192.168.1.100/10 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 192.168.10.1/1 --> 192.168.1.100/10;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 28643, Policy name: trust-vpn-cfgr/5, Timeout: 52, Valid
  In: 192.168.1.100/11 --> 192.168.10.1/1;icmp, If: vlan.0, Pkts: 1, Bytes: 60
  Out: 192.168.10.1/1 --> 192.168.1.100/11;icmp, If: st0.0, Pkts: 0, Bytes: 0

Session ID: 32454, Policy name: trust-vpn-cfgr/5, Timeout: 8, Valid
  In: 192.168.1.100/50970 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50970;tcp, If: st0.0, Pkts: 0, Bytes: 0
Total sessions: 15

root@JuniperSRX> show security flow session tunnel
Session ID: 3093, Policy name: N/A, Timeout: N/A, Valid
  In: 49.227.80.228/40480 --> 111.69.192.19/36633;esp, If: at-1/0/0.0, Pkts: 0, Bytes: 0

Session ID: 5024, Policy name: N/A, Timeout: N/A, Valid
  In: 49.227.80.228/0 --> 111.69.192.19/0;esp, If: at-1/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 2

root@JuniperSRX> show route

inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:25:25
                    > via at-1/0/0.0
                    [Aggregate/130] 1d 08:03:37
                    > via at-1/0/0.0
111.69.17.16/32    *[Direct/0] 00:25:25
                    > via at-1/0/0.0
111.69.192.19/32   *[Local/0] 00:25:25
                      Local via at-1/0/0.0
192.168.1.0/24     *[Direct/0] 00:25:54
                    > via vlan.0
192.168.1.1/32     *[Local/0] 1d 08:03:11
                      Local via vlan.0
192.168.10.0/24    *[Static/5] 00:06:26
                    > via st0.0

I added st0.0 to zone untrust. reboot the router but still the same thing, ping from one direction will work and enable bidirectional ping, but ping from juniper lan will fail until this happens.

Hi KDN,

Looking at the following output:

Session ID: 13997, Policy name: trust-vpn-cfgr/5, Timeout: 10, Valid
  In: 192.168.1.100/50972 --> 192.168.10.1/80;tcp, If: vlan.0, Pkts: 3, Bytes: 152
  Out: 192.168.10.1/80 --> 192.168.1.100/50972;tcp, If: st0.0, Pkts: 0, Bytes: 0 <<<<<<<<<<<<<<< no reply

source wing as 3 packets sent but return packet count is 0.

From this output , SRX is indeed creating the session and forwarding it correctly on the vpn tunnel,

But there is no return connection from the remote firewall.

Kindly work on the remote firewall side to verify as why there are not replying to the connection request from SRX side.

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Hi,

I am experiencing exactly the same issue and I was wondering if you finally got a solution or not.

Thanks, and best regards,

Pablo