


  • 1.  SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-08-2016 17:26

    I've spent more than a week trying to figure this out and am at a total loss.

      

    I've followed all the steps provided by Amazon, used the configuration they supplied, and have no idea how to troubleshoot.

    root@HSRX300> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    139471 DOWN aa7dfa9d3a2f1ec7 0000000000000000 Main 52.87.109.64
    139472 DOWN 7ece629a6b35cb88 0000000000000000 Main 52.206.202.16

     

    root@HSRX300> show security ipsec security-associations
    Total active tunnels: 0

     

    Since this is not in production and much of the information will change when it is, I have included the VPN config file provided by Amazon, the VPN section of my running config, and the output from the KMD log.

     

    Any help would be greatly appreciated.

     




     


    #AWS
    #vpn
    #IPSec
    #vpc

    Attachment(s): 160808-VPN.txt (3 KB), kmd.txt (502 KB), vpn-60c3d501.txt (12 KB)


  • 2.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-08-2016 19:52

    Hi,

     

    Looks like we are not getting a response from the other side.

     

    #set security ike traceoptions file test1 size 2m files 2

    #set security ike traceoptions flag all

    #commit

    >request security ike debug-enable local <SRX_External_Interface_IP> remote <Peer_Address> level 12

     

    Please provide the test1 file for further analysis.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 3.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-08-2016 20:34

    Hope I did this right.


    Attachment(s): test1.txt (489 KB)


  • 4.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 00:25

    Dale,

     

    Looks like the SRX is not getting a response from the remote side after transitioning to port 4500 due to a NAT device in the path. It is timing out the phase 1 negotiation after a few attempts.

     

    Please check if the remote side is responding to the SRX's requests on port 4500.

     

    Also check if you have a firewall filter on the external/loopback interface which is blocking UDP 4500 replies.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 5.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 05:09

    I would love to but not exactly sure how to do either of those things.



  • 6.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 05:41

    Hi Dale,

     

    You can use packet captures or similar stuff on the remote side to check if it is responding to our requests.

     

    In order to check for filters on the SRX :-

     

    • Identify which interface you have specified as the external-interface in the ike gateway config.
    • #show interfaces <name_of_interface>
    • Check if you see any filters applied as input/output.
    • show interfaces lo0
    • Again check for filters on this.
    • Filter config can be checked using "#show firewall" on the SRX.

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.

     



  • 7.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 06:16

    I apologize for my lack of knowledge; though I've worked with SRX before, I've never really had any issues that required "actual knowledge".

     

    root@HSRX300> show interfaces st0.1
    Logical interface st0.1 (Index 70) (SNMP ifIndex 532)
    Flags: Up Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp
    snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Protocol inet, MTU: 1436
    Flags: Sendbcast-pkt-to-re, User-MTU
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
    Destination: 169.254.44.192/30, Local: 169.254.44.194

    root@HSRX300> show interfaces st0.2
    Logical interface st0.2 (Index 81) (SNMP ifIndex 533)
    Flags: Up Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp
    snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Protocol inet, MTU: 1436
    Flags: Sendbcast-pkt-to-re, User-MTU
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
    Destination: 169.254.45.144/30, Local: 169.254.45.146

     

     

    root@HSRX300> show interfaces lo0
    Physical interface: lo0 , Enabled, Physical link is Up
    Interface index: 6, SNMP ifIndex: 6
    Type: Loopback, MTU: Unlimited
    Device flags : Present Running Loopback
    Interface flags: SNMP-Traps
    Link flags : None
    Last flapped : Never
    Input packets : 2067964
    Output packets: 2067964

    Logical interface lo0.16384 (Index 65) (SNMP ifIndex 21)
    Flags: Down SNMP-Traps Encapsulation: Unspecified
    Input packets : 0
    Output packets: 0
    Security: Zone: Null
    Protocol inet, MTU: Unlimited
    Flags: None
    Addresses
    Local: 127.0.0.1

    Logical interface lo0.16385 (Index 66) (SNMP ifIndex 22)
    Flags: Down SNMP-Traps Encapsulation: Unspecified
    Input packets : 2067964
    Output packets: 2067964
    Security: Zone: Null
    Protocol inet, MTU: Unlimited
    Flags: None
    Addresses, Flags: Is-Default Is-Primary
    Local: 10.0.0.1
    Addresses
    Local: 10.0.0.16
    Addresses
    Local: 128.0.0.1
    Addresses
    Local: 128.0.0.4
    Addresses
    Local: 128.0.1.16

    Logical interface lo0.32768 (Index 64) (SNMP ifIndex 251)
    Flags: Encapsulation: Unspecified
    Input packets : 0
    Output packets: 0
    Security: Zone: Null

     

     



  • 8.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail
    Best Answer

     
    Posted 08-09-2016 06:15

    Hi.

     

    Can you try disabling NAT-Traversal on the SRX side of the connection?

     

    set security ike gateway xxxxx no-nat-traversal

     

    Perhaps this will 'force' the SRX to keep negotiating phase1 on port udp/500.

     

    Regards,

    Sam



  • 9.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 06:32

    WOW!
    That did it!
    Thanks.

    root@HSRX300> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    142510 UP f56860d62b53f165 11034fd46b0e9d4a Main 52.87.109.64
    142512 UP 53b12a1ca1d20744 973ddc0a8143808c Main 52.206.202.16

     

     

    root@HSRX300> show security ipsec security-associations
    Total active tunnels: 2
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <131073 ESP:aes-cbc-128/sha1 c84815a9 2765/ unlim U root 500 52.87.109.64
    >131073 ESP:aes-cbc-128/sha1 3f4d61b3 2765/ unlim U root 500 52.87.109.64
    <131074 ESP:aes-cbc-128/sha1 a8d4d6c9 2775/ unlim U root 500 52.206.202.16
    >131074 ESP:aes-cbc-128/sha1 a0c3e28c 2775/ unlim U root 500 52.206.202.16

     

     



  • 10.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

     
    Posted 08-08-2016 20:29

    Looks as if starting from the 5th packet of the phase 1 exchange, NAT-T is recognized:

     

    ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:4500

     

    Is there a NAT device in the path?  I don't know if AWS supports NAT-T/Aggressive mode.

     

    Sam
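The diagnosis in replies 4 and 10 (the SRX floats to udp/4500 once NAT-T is detected and then gets no reply) can be checked mechanically against the IKE trace and the SA table. The script below is an added example, not part of this thread or of any Juniper tooling; the trace and table text it parses are constructed samples in the formats quoted above, and the `ike_send_packet ... dst = ip:port` pattern is assumed to be stable across the trace.

```python
import re

# Constructed sample of an SRX IKE trace (ike_send_packet lines only) and of
# "show security ike security-associations", in the formats quoted in the thread.
TRACE = """\
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:500
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 228, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:500
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:4500
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:4500
"""
IKE_SA = """\
Index State Initiator cookie Responder cookie Mode Remote Address
139471 DOWN aa7dfa9d3a2f1ec7 0000000000000000 Main 52.87.109.64
139472 DOWN 7ece629a6b35cb88 0000000000000000 Main 52.206.202.16
"""

SEND_RE = re.compile(r"ike_send_packet:.*dst = (\d+\.\d+\.\d+\.\d+):(\d+)")

def ports_per_peer(trace):
    """Map each IKE peer to the ordered list of destination UDP ports used."""
    peers = {}
    for m in SEND_RE.finditer(trace):
        peers.setdefault(m.group(1), []).append(int(m.group(2)))
    return peers

def parse_ike_sa(table):
    """Parse the SA table into {remote_address: state}, skipping the header row."""
    sas = {}
    for line in table.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6:
            sas[fields[5]] = fields[1]
    return sas

def diagnose(trace, table):
    """For each DOWN phase 1 SA, say whether the SRX floated to udp/4500
    (NAT-T detected, so 4500 replies must reach it) or never left udp/500."""
    ports = ports_per_peer(trace)
    verdicts = {}
    for peer, state in parse_ike_sa(table).items():
        if state != "DOWN":
            verdicts[peer] = "up"
        elif 4500 in ports.get(peer, []):
            verdicts[peer] = "floated to udp/4500, no reply: check UDP 4500 path/filters or try no-nat-traversal"
        elif peer in ports:
            verdicts[peer] = "no reply on udp/500"
        else:
            verdicts[peer] = "no IKE packets sent to this peer"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in diagnose(TRACE, IKE_SA).items():
        print(peer, "->", verdict)
```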