
VPN Configuration on SRX1500 issue

  • 1.  VPN Configuration on SRX1500 issue

     
    Posted 04-09-2018 08:14

    Hi,

     

    Because we are configuring an SRX1500 for IPsec VPN we are using the NCP client.

     

    We have a situation where the client connects, but in a strange way (FQDN Username does not equal XAUTH username but still connects)... So, one would assume that we should be able to ping the devices at the far end, but this does not appear to be happening. Firstly, here is the connectivity:

     

    Laptop at desk (192.169.70.61) --> Netopstest-VR (SRX) --> Customer-VR (197.95.0.33 - SRX)....

     

    So the tunnel endpoint is the 197.95.0.33 address.

     

    Configuration of phase 1 and phase 2 as follows:

    set security ike traceoptions file iketrace
    set security ike traceoptions flag all
    set security ike proposal ngikeproposal-1 authentication-method pre-shared-keys
    set security ike proposal ngikeproposal-1 dh-group group2
    set security ike proposal ngikeproposal-1 authentication-algorithm sha1
    set security ike proposal ngikeproposal-1 encryption-algorithm aes-192-cbc
    set security ike proposal ngikeproposal-1 lifetime-seconds 300
    set security ike policy ngikepolicy-1 mode aggressive
    set security ike policy ngikepolicy-1 proposals ngikeproposal-1
    set security ike policy ngikepolicy-1 pre-shared-key ascii-text "$9$NO-YoDjqfQnk.nCpBSy8X7-s2oJGiqm"
    set security ike gateway ng-remote-vpn-1 ike-policy ngikepolicy-1
    set security ike gateway ng-remote-vpn-1 dynamic user-at-hostname "steve@ninegroup.co.uk"
    set security ike gateway ng-remote-vpn-1 dynamic connections-limit 2
    set security ike gateway ng-remote-vpn-1 dynamic ike-user-type shared-ike-id
    set security ike gateway ng-remote-vpn-1 external-interface ae2
    set security ike gateway ng-remote-vpn-1 aaa access-profile ng-vpnuser

     

    set security ipsec traceoptions flag all
    set security ipsec proposal ng-ipsec-proposal-1 protocol esp
    set security ipsec proposal ng-ipsec-proposal-1 authentication-algorithm hmac-sha1-96
    set security ipsec proposal ng-ipsec-proposal-1 encryption-algorithm aes-128-cbc
    set security ipsec policy ng-ipsec-policy-1 perfect-forward-secrecy keys group2
    set security ipsec policy ng-ipsec-policy-1 proposals ng-ipsec-proposal-1
    set security ipsec vpn ng-remote-vpn-1 bind-interface st0.0
    set security ipsec vpn ng-remote-vpn-1 ike gateway ng-remote-vpn-1
    set security ipsec vpn ng-remote-vpn-1 ike ipsec-policy ng-ipsec-policy-1
    set security ipsec vpn ng-remote-vpn-1 traffic-selector NO-SPLIT local-ip 0.0.0.0/0
    set security ipsec vpn ng-remote-vpn-1 traffic-selector NO-SPLIT remote-ip 0.0.0.0/0

     

    So, when I complete the following command I get:

    run show security ike security-associations detail:

    Phase 2 negotiations in progress: 1

     

    But yet I can ping him from any VR on the SRX through the st0 interface. But he cannot ping anything from his client.

    Also, when I log on, my colleague gets logged off and vice versa...... this VPN to NCP is almost working but not quite....
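As an editor's added note on the phase 1 and phase 2 proposals in the post above (this is an added example, not the poster's configuration and not Juniper-supplied code): the posted proposals use DH group 2 (1024-bit MODP), SHA-1 and a 300-second IKE lifetime. The block below re-states the same two proposals, keeping the names from the post, with the parameters a practitioner would choose today. The algorithm keywords are standard Junos values; aggressive mode is kept because a dynamic IKEv1 peer identified by user-at-hostname with a pre-shared key requires it.

```junos
# Editor's example, not from the thread. Proposal and policy names are the
# ones used in the post; only the algorithm and lifetime values change.

# Phase 1: group14 (2048-bit MODP) instead of group2, SHA-256 instead of SHA-1,
# and a lifetime that does not force a phase-1 rekey every five minutes.
set security ike proposal ngikeproposal-1 authentication-method pre-shared-keys
set security ike proposal ngikeproposal-1 dh-group group14
set security ike proposal ngikeproposal-1 authentication-algorithm sha-256
set security ike proposal ngikeproposal-1 encryption-algorithm aes-256-cbc
set security ike proposal ngikeproposal-1 lifetime-seconds 28800
# Aggressive mode stays: a dynamic IKEv1 peer with a user-at-hostname ID and a
# pre-shared key cannot use main mode.
set security ike policy ngikepolicy-1 mode aggressive
set security ike policy ngikepolicy-1 proposals ngikeproposal-1

# Phase 2: SHA-256 HMAC, AES-256 and PFS on group14 to match phase 1.
set security ipsec proposal ng-ipsec-proposal-1 protocol esp
set security ipsec proposal ng-ipsec-proposal-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ng-ipsec-proposal-1 encryption-algorithm aes-256-cbc
set security ipsec proposal ng-ipsec-proposal-1 lifetime-seconds 3600
set security ipsec policy ng-ipsec-policy-1 perfect-forward-secrecy keys group14
set security ipsec policy ng-ipsec-policy-1 proposals ng-ipsec-proposal-1

# After a client connects, confirm what was actually negotiated:
# run show security ike security-associations detail
# run show security ipsec security-associations detail
```

The NCP client profile has to be changed to the same DH group, hash and cipher, otherwise phase 1 simply fails to match a proposal; the two `show` commands at the end are the place to confirm the negotiated values rather than trusting the configuration.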

     



  • 2.  RE: VPN Configuration on SRX1500 issue

     
    Posted 04-10-2018 03:16

    So, I am now a little confused.

     

    I have set the st0.0 interface into the correct zone and also the correct VR (now where we are directly connected). If I monitor the interface traffic I see the IP ping packets hit the ge interface when pinging that interface and the tunnel interface within the VR. However, when I ping the st0 interface within the VR I don't even see a packet hit the ge interface and it fails (obviously).....

     

    So, if the st0 interface is in the correct zone and the ge, lt and st interfaces are in the correct VR, why can I not ping the st0 interface from my laptop but I can ping the lt interface? They are all within the /24 network....

     

    I can ping the st0 interface from within the VR itself.

     

    Here is the set up:

     

    laptop (192.168.70.60/24) --> (192.168.70.210/24 - ge-0/0/8) (test-vr) SRX st0.0 (195.80.10.153/29)

     

    Interface in the "test-vr":

    ge-0/0/8 

    st0.0

    lt-0/0/0.9 - 195.80.10.113/30

     

    From my laptop I can ping the ge-0/0/8 interface.

    From my laptop I can ping the lt-0/0/0.9 interface

    From my laptop I cannot ping the st0 interface

     

    From the "test-vr" I can ping the st0 interface

     

    In the routing table on the SRX the 185.80.10.153/32 address is shown under "test-vr"

     

    Obviously, I cannot get any vpn connectivity until I can see the gateway

     

    Help 🙂



  • 3.  RE: VPN Configuration on SRX1500 issue

     
    Posted 04-10-2018 05:52

    Let me try and re-word this:

     

    Laptop:

    IP network: 192.168.60.0/24 - Gateway 192.168.60.254

    Gateway router - static route - ip route 195.80.10.0 255.255.255.0 192.168.60.210

     

    SRX:

    ge-0/0/8 - 192.168.60.210

    lt-0/0/0.9 - 195.80.10.113 / 30

    st0.0 - 195.80.10.153 / 29 (within the 195.80.10.152/29 subnet)

     

    Laptop pings lt-0/0/0.9 which is part of the 195.80.10.0 / 24 index network route on the gateway

    Laptop won't ping the st0.0 interface in the same vr as ge-0/0/8 and lt-0/0/0.9

     

    Is there a way I can log the interface ping traffic on ge-0/0/8 as dcd log does not show any output for ICMP?



  • 4.  RE: VPN Configuration on SRX1500 issue

     
    Posted 04-11-2018 03:38

    Okay, maybe someone can help me now that I have narrowed down the issue, or at least what I think the issue is:

     

    I have a configuration that now works locally to the VR. I am using unnumbered on the st0 interface. The pool is assigning correct addresses from the range in the pool. 

     

    When I complete a "run show route x.x.x.x" I get the default on every single VR rib even though I have entered a static route as per the following:

     

    set routing-options static route x.x.x.x/29 next-hop st0

     

    This route is rejected under the inet default rib and 0.0.0.0/0 on every other VR. This is the reason I cannot get a response from the ping packets I am sending.

    The other issue is that I cannot assign st0 to an IS-IS protocol, so here is the question:

     

    How can I propagate the pooled network to the rest of the network?



  • 5.  RE: VPN Configuration on SRX1500 issue

     
    Posted 04-12-2018 07:06

    Hi,

     

    As I am getting no luck with the NCP side of things, we have decided to utilise a slightly different approach as we already have Anyconnect working in a live environment. We have placed an ASA in the middle of the network as follows:

     

    laptop --> Core1 (MX240) --> (outside) ASA (inside) --> (netopstest-VR - ge-0/0/10) SRX ---> Customer-VR and Internal network

     

    The VPN pool is 192.168.200.0/24

     

    I can ping the ASA inside interface from anywhere on the internal network, so there is no issue there (with no vpn).... I cannot ping the internal network from the VPN.... but, I think this is due to the route back to the 192.168.200.0 network.... I have configured a static route on the SRX as follows:

     

    set routing-options static route 192.168.200.0/24 next-hop 195.80.10.157 (Inside interface address of ASA) ... but when I look at the routing table I only see the default 0.0.0.0/0 which is no good.... I expected to see it at least appear on each VR via the correct interfaces....

     

    Can anyone help with being able to advertise the VPN network on the internal network for the route back?
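Both static routes in posts 4 and 5 are entered at the top level of `routing-options`. A static route configured there is installed in the default table, `inet.0`; a route whose next hop is an interface that belongs to a virtual router has to be configured under that routing instance, otherwise the instance's own table only holds its 0.0.0.0/0 and the route is hidden or rejected in `inet.0`. The block below is an editor's added example, not the poster's final configuration and not anything taken from the thread: it places each route inside the instance that owns the next hop and exports the pool prefixes into IS-IS so the rest of the network learns a return path. The instance names test-vr and netopstest-VR, the ge-0/0/10 interface and the ASA inside address 195.80.10.157 come from the posts; the /29 pool prefix is taken from the st0.0 addressing in post 3 because post 4 masks it as x.x.x.x/29; the policy name export-vpn-pool, the unit number on ge-0/0/10 and the assumption that IS-IS is already configured in each instance are mine.

```junos
# Editor's example, not from the thread. Instance names, prefixes and the ASA
# address are the ones the posts use; export-vpn-pool is an assumed policy name.

# Post 4: st0.0 (unnumbered, pool-assigned addresses) lives in test-vr, so the
# route for the pool goes under the instance, not under top-level routing-options.
set routing-instances test-vr instance-type virtual-router
set routing-instances test-vr interface st0.0
set routing-instances test-vr routing-options static route 195.80.10.152/29 next-hop st0.0

# Post 5: the AnyConnect pool 192.168.200.0/24 sits behind the ASA inside address,
# reached through ge-0/0/10 in netopstest-VR; the return route goes in that instance.
set routing-instances netopstest-VR instance-type virtual-router
set routing-instances netopstest-VR interface ge-0/0/10.0
set routing-instances netopstest-VR routing-options static route 192.168.200.0/24 next-hop 195.80.10.157

# Give the rest of the network a path back: export the static pool routes into
# IS-IS from each instance. st0 itself is never placed in IS-IS; only the static
# route covering the pool is redistributed. Assumes IS-IS already runs in the
# instance with the core-facing interfaces.
set policy-options policy-statement export-vpn-pool term pool from protocol static
set policy-options policy-statement export-vpn-pool term pool from route-filter 195.80.10.152/29 exact
set policy-options policy-statement export-vpn-pool term pool from route-filter 192.168.200.0/24 exact
set policy-options policy-statement export-vpn-pool term pool then accept
set policy-options policy-statement export-vpn-pool then reject
set routing-instances test-vr protocols isis export export-vpn-pool
set routing-instances netopstest-VR protocols isis export export-vpn-pool

# Verify the route landed in the instance table rather than only in inet.0:
# run show route table test-vr.inet.0 195.80.10.153
# run show route table netopstest-VR.inet.0 192.168.200.0/24
```

The final `then reject` keeps the export policy from leaking every other static route in the instance into IS-IS; only the two pool prefixes named in the route-filters are advertised, which is the smallest reachability the return path needs.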



  • 6.  RE: VPN Configuration on SRX1500 issue
    Best Answer

     
    Posted 04-12-2018 08:01

    I will close this as resolved as I have the routing working and connectivity to all devices through the VPN.

     

    Thanks