SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-08-2016 17:26

    I've spent more than a week trying to figure this out and at a total loss.

      

    I've followed all the steps provided by Amazon, used the configuration they supplied, and have no idea how to troubleshoot.

    root@HSRX300> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    139471 DOWN aa7dfa9d3a2f1ec7 0000000000000000 Main 52.87.109.64
    139472 DOWN 7ece629a6b35cb88 0000000000000000 Main 52.206.202.16

     

    root@HSRX300> show security ipsec security-associations
    Total active tunnels: 0

     

    Since this is not in production and much of the information will change when it is, I have included the VPN config file provided by Amazon, the VPN section of my running config, and the output from the KMD log.

     

    Any help would be greatly appreciated.

     




     


    #AWS
    #vpn
    #IPSec
    #vpc

    Attachment(s)

    160808-VPN.txt (txt, 3 KB)
    kmd.txt (txt, 502 KB)
    vpn-60c3d501.txt (txt, 12 KB)


  • 2.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-08-2016 19:52

    Hi,

     

    Looks like we are not getting a response from the other side.

     

    #set security ike traceoptions file test1 size 2m files 2

    #set security ike traceoptions flag all

    #commit

    >request security ike debug-enable local <SRX_External_Interface_IP> remote <Peer_Address> level 12

     

    Please provide the test1 file for further analysis.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 3.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-08-2016 20:34

    Hope I did this right.


    Attachment(s)

    test1.txt (txt, 489 KB)


  • 4.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 00:25

    Dale,

     

    Looks like the SRX is not getting a response from the remote side after transitioning to port 4500 due to a NAT device in the path. It is timing out the Phase 1 negotiation after a few attempts.

     

    Please check if the remote side is responding to the SRX's requests on port 4500.

     

    Also check if you have a firewall filter on the external/loopback interface which is blocking UDP 4500 replies.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 5.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 05:09

    I would love to but not exactly sure how to do either of those things.



  • 6.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 05:41

    Hi Dale,

     

    You can use packet captures or similar stuff on the remote side to check if it is responding to our requests.

     

    In order to check for filters on the SRX :-

     

    • Identify which interface you have specified as the external-interface in the ike gateway config.
    • #show interfaces <name_of_interface>
    • Check if you see any filters applied as input/output.
    • #show interfaces lo0
    • Again check for filters on this.
    • Filter config can be checked using "#show firewall" on the SRX.

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.

     



  • 7.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 06:16

    I apologize for my lack of knowledge; though I've worked with SRX before, I've never really had any issues that required "actual knowledge".

     

    root@HSRX300> show interfaces st0.1
    Logical interface st0.1 (Index 70) (SNMP ifIndex 532)
    Flags: Up Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp
    snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Protocol inet, MTU: 1436
    Flags: Sendbcast-pkt-to-re, User-MTU
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
    Destination: 169.254.44.192/30, Local: 169.254.44.194

     

     

    root@HSRX300> show interfaces st0.2
    Logical interface st0.2 (Index 81) (SNMP ifIndex 533)
    Flags: Up Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp
    snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp webapi-clear-text webapi-ssl
    Protocol inet, MTU: 1436
    Flags: Sendbcast-pkt-to-re, User-MTU
    Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
    Destination: 169.254.45.144/30, Local: 169.254.45.146

     

     

    root@HSRX300> show interfaces lo0
    Physical interface: lo0 , Enabled, Physical link is Up
    Interface index: 6, SNMP ifIndex: 6
    Type: Loopback, MTU: Unlimited
    Device flags : Present Running Loopback
    Interface flags: SNMP-Traps
    Link flags : None
    Last flapped : Never
    Input packets : 2067964
    Output packets: 2067964

    Logical interface lo0.16384 (Index 65) (SNMP ifIndex 21)
    Flags: Down SNMP-Traps Encapsulation: Unspecified
    Input packets : 0
    Output packets: 0
    Security: Zone: Null
    Protocol inet, MTU: Unlimited
    Flags: None
    Addresses
    Local: 127.0.0.1

    Logical interface lo0.16385 (Index 66) (SNMP ifIndex 22)
    Flags: Down SNMP-Traps Encapsulation: Unspecified
    Input packets : 2067964
    Output packets: 2067964
    Security: Zone: Null
    Protocol inet, MTU: Unlimited
    Flags: None
    Addresses, Flags: Is-Default Is-Primary
    Local: 10.0.0.1
    Addresses
    Local: 10.0.0.16
    Addresses
    Local: 128.0.0.1
    Addresses
    Local: 128.0.0.4
    Addresses
    Local: 128.0.1.16

    Logical interface lo0.32768 (Index 64) (SNMP ifIndex 251)
    Flags: Encapsulation: Unspecified
    Input packets : 0
    Output packets: 0
    Security: Zone: Null

     

     



  • 8.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail
    Best Answer

     
    Posted 08-09-2016 06:15

    Hi.

     

    Can you try disabling NAT-Traversal on the SRX side of the connection?

     

    set security ike gateway xxxxx no-nat-traversal

     

    Perhaps this will 'force' the SRX to keep negotiating phase1 on port udp/500.

     

    Regards,

    Sam



  • 9.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

    Posted 08-09-2016 06:32

    WOW!
    That did it!
    Thanks.

    root@HSRX300> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    142510 UP f56860d62b53f165 11034fd46b0e9d4a Main 52.87.109.64
    142512 UP 53b12a1ca1d20744 973ddc0a8143808c Main 52.206.202.16

     

     

    root@HSRX300> show security ipsec security-associations
    Total active tunnels: 2
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <131073 ESP:aes-cbc-128/sha1 c84815a9 2765/ unlim U root 500 52.87.109.64
    >131073 ESP:aes-cbc-128/sha1 3f4d61b3 2765/ unlim U root 500 52.87.109.64
    <131074 ESP:aes-cbc-128/sha1 a8d4d6c9 2775/ unlim U root 500 52.206.202.16
    >131074 ESP:aes-cbc-128/sha1 a0c3e28c 2775/ unlim U root 500 52.206.202.16
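
    The two status tables quoted in this thread (post 1 with both IKE SAs DOWN, post 9 with everything UP) carry the whole diagnosis: a DOWN IKE SA whose responder cookie is all zeros means the peer never sent a single reply, and the Port column of the IPsec table shows whether ESP is running plain (500) or UDP-encapsulated for NAT-T (4500). The script below is an added example, not code from the thread or from Juniper; it parses both tables in the exact layout shown above and prints findings. The sample tables are copied from the thread's own CLI output; the parsing and the diagnosis rules are this example's own assumptions about what to flag.

```python
"""Parse SRX 'show security ike security-associations' and
'show security ipsec security-associations' output and flag peers that
never answered Phase 1. Added example, not from the thread or Juniper."""
import re
from dataclasses import dataclass

# Copied from post 1: both IKE SAs DOWN, responder cookie all zeros.
IKE_DOWN = """\
Index State Initiator cookie Responder cookie Mode Remote Address
139471 DOWN aa7dfa9d3a2f1ec7 0000000000000000 Main 52.87.109.64
139472 DOWN 7ece629a6b35cb88 0000000000000000 Main 52.206.202.16
"""

# Copied from post 9, after 'no-nat-traversal' was configured.
IKE_UP = """\
Index State Initiator cookie Responder cookie Mode Remote Address
142510 UP f56860d62b53f165 11034fd46b0e9d4a Main 52.87.109.64
142512 UP 53b12a1ca1d20744 973ddc0a8143808c Main 52.206.202.16
"""

IPSEC_UP = """\
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 c84815a9 2765/ unlim U root 500 52.87.109.64
>131073 ESP:aes-cbc-128/sha1 3f4d61b3 2765/ unlim U root 500 52.87.109.64
<131074 ESP:aes-cbc-128/sha1 a8d4d6c9 2775/ unlim U root 500 52.206.202.16
>131074 ESP:aes-cbc-128/sha1 a0c3e28c 2775/ unlim U root 500 52.206.202.16
"""


@dataclass
class IkeSa:
    index: int
    state: str
    initiator_cookie: str
    responder_cookie: str
    mode: str
    remote: str

    @property
    def peer_never_answered(self) -> bool:
        # In IKEv1 the responder cookie stays all zeros until the peer's
        # first reply arrives, so DOWN plus a zero cookie means no reply at all.
        return self.state == "DOWN" and set(self.responder_cookie) == {"0"}


@dataclass
class IpsecSa:
    direction: str   # '<' inbound, '>' outbound
    sa_id: int
    algorithm: str
    spi: str
    life_sec: int
    port: int        # 500 = plain ESP, 4500 = UDP-encapsulated (NAT-T)
    gateway: str


IKE_ROW = re.compile(r"^(\d+)\s+(\w+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\w+)\s+(\S+)$")
# "2765/ unlim" is the Life:sec/kb column split by the CLI's own spacing.
IPSEC_ROW = re.compile(
    r"^([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*\S+\s+\S+\s+\S+\s+(\d+)\s+(\S+)$"
)


def parse_ike_sas(text: str) -> list[IkeSa]:
    sas = []
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m:
            idx, state, icookie, rcookie, mode, remote = m.groups()
            sas.append(IkeSa(int(idx), state, icookie, rcookie, mode, remote))
    return sas


def parse_ipsec_sas(text: str) -> tuple[int, list[IpsecSa]]:
    """Return (total active tunnels, one row per direction and SA)."""
    total, rows = 0, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Total active tunnels:"):
            total = int(line.split(":")[1])
            continue
        m = IPSEC_ROW.match(line)
        if m:
            d, sa_id, alg, spi, life, port, gw = m.groups()
            rows.append(IpsecSa(d, int(sa_id), alg, spi, int(life), int(port), gw))
    return total, rows


def diagnose(ike_text: str, ipsec_text: str) -> list[str]:
    """Findings in plain text; an empty list means both phases look healthy."""
    findings = []
    for sa in parse_ike_sas(ike_text):
        if sa.peer_never_answered:
            findings.append(f"{sa.remote}: Phase 1 DOWN, responder cookie zero: "
                            "peer never replied (check UDP 500/4500 both ways)")
        elif sa.state != "UP":
            findings.append(f"{sa.remote}: IKE SA state {sa.state}")
    total, rows = parse_ipsec_sas(ipsec_text)
    if total == 0 and not findings:
        findings.append("IKE is UP but no IPsec SA: check Phase 2 proposals")
    for gw in sorted({r.gateway for r in rows}):
        if 4500 in {r.port for r in rows if r.gateway == gw}:
            findings.append(f"{gw}: ESP UDP-encapsulated on 4500 (NAT-T in use)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(IKE_DOWN, "Total active tunnels: 0"):
        print(finding)
```

    Run against the post 1 output it reports both AWS endpoints as "peer never replied", which is exactly the condition the later posts chase down; run against the post 9 output it reports nothing, and the Port column confirms the tunnels came up on 500, i.e. without NAT-T.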

     

     



  • 10.  RE: SRX300 ipsec VPN to Amazon VPC without BGP = complete fail

     
    Posted 08-08-2016 20:29

    Looks as if starting from the 5th packet of the Phase 1 exchange, NAT-T is recognized:

     

    ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:4500

     

    Is there a NAT device in the path?  I don't know if AWS supports NAT-T/Aggressive mode.

     

    Sam
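
    The trace line quoted above is the one that gives the game away: the same SA (same initiator and responder cookies) is suddenly being sent to port 4500 instead of 500. A 489 KB trace is tedious to read by hand, so the following is an added example, not code from the thread or from Juniper, that parses `ike_send_packet` lines in the format shown above and reports per peer whether the negotiation switched from 500 to 4500 and whether the same message is then being resent unchanged. The sample trace is constructed for this example: one line is the quoted one, the rest (the second peer's cookies, the packet lengths, the repeats) are made up to show a peer that stalls after NAT-T detection beside one that does not. The stall heuristic is an assumption based on IKEv1 behaviour: an unanswered message is retransmitted byte-for-byte, so consecutive identical sends to the same destination mean no reply came back.

```python
"""Per-peer summary of an SRX IKE trace: did the exchange move to UDP 4500
(NAT-T detected) and is the same packet being resent unanswered?
Added example, not from the thread or Juniper; sample trace is constructed."""
import re
from collections import defaultdict

# Format of the single line quoted in the thread; field order is taken from it.
SEND_RE = re.compile(
    r"ike_send_packet: <-+ sending SA = \{ ([0-9a-f]+) ([0-9a-f]+) - ([0-9a-f]+) ([0-9a-f]+)\},"
    r" len = (\d+), nego = (-?\d+), local ip= ([\d.]+), dst = ([\d.]+):(\d+)"
)

# Constructed sample. First peer: two packets on 500, then three identical
# sends on 4500 (stall). Second peer: stays on 500, every send differs.
TRACE = """\
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - 00000000 00000000}, len = 196, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:500
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 228, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:500
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:4500
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:4500
ike_send_packet: <-------- sending SA = { caca4f81 5cf535f6 - d201dbee ac425781}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.87.109.64:4500
ike_send_packet: <-------- sending SA = { 0a1b2c3d 4e5f6071 - 00000000 00000000}, len = 196, nego = -1, local ip= 173.161.47.145, dst = 52.206.202.16:500
ike_send_packet: <-------- sending SA = { 0a1b2c3d 4e5f6071 - 8293a4b5 c6d7e8f9}, len = 228, nego = -1, local ip= 173.161.47.145, dst = 52.206.202.16:500
ike_send_packet: <-------- sending SA = { 0a1b2c3d 4e5f6071 - 8293a4b5 c6d7e8f9}, len = 92, nego = -1, local ip= 173.161.47.145, dst = 52.206.202.16:500
"""


def parse_sends(text: str) -> list[dict]:
    """One dict per ike_send_packet line; unrelated trace lines are skipped."""
    sends = []
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            i1, i2, r1, r2, length, _nego, _local, dst, port = m.groups()
            sends.append({"cookies": (i1 + i2, r1 + r2), "len": int(length),
                          "dst": dst, "port": int(port)})
    return sends


def summarise(text: str) -> dict[str, dict]:
    per_peer = defaultdict(list)
    for s in parse_sends(text):
        per_peer[s["dst"]].append(s)
    report = {}
    for peer, sends in per_peer.items():
        ports = [s["port"] for s in sends]
        switched = 500 in ports and 4500 in ports and ports.index(4500) > ports.index(500)
        # Longest run of consecutive identical sends: same cookies, length, port.
        longest = run = 1
        for a, b in zip(sends, sends[1:]):
            same = (a["cookies"], a["len"], a["port"]) == (b["cookies"], b["len"], b["port"])
            run = run + 1 if same else 1
            longest = max(longest, run)
        report[peer] = {"ports": ports, "switched_to_4500": switched,
                        "max_repeat": longest,
                        # Assumed threshold: three identical sends = nothing came back.
                        "stalled_after_nat_t": switched and longest >= 3}
    return report


def stalled_peers(text: str) -> list[str]:
    return sorted(p for p, r in summarise(text).items() if r["stalled_after_nat_t"])


if __name__ == "__main__":
    for peer, r in summarise(TRACE).items():
        print(peer, r)
    print("stalled after NAT-T:", stalled_peers(TRACE))
```

    A peer listed by `stalled_peers` is the case discussed in this thread: the far side answered on 500, NAT-T was negotiated, and every packet sent to 4500 went unanswered. Whether the right fix is `no-nat-traversal` on the gateway (as above) or opening UDP 4500 on whatever sits in the path depends on whether a NAT device really exists between the SRX and the peer.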