Because we are configuring an SRX1500 for IPsec VPN we are using the NCP client.
We have a situation where the client connects, but in a strange way (FQDN Username does not equal XAUTH username but still connects)... So, one would assume that we should be able to ping the devices at the far end, but this does not appear to be happening. Firstly, here is the connectivity:
Laptop at desk (188.8.131.52) --> Netopstest-VR (SRX) --> Customer-VR (184.108.40.206 - SRX)....
So the tunnel endpoint is the 220.127.116.11 address.
Configuration of phase 1 and phase 2 as follows:
set security ike traceoptions file iketrace
set security ike traceoptions flag all
set security ike proposal ngikeproposal-1 authentication-method pre-shared-keys
set security ike proposal ngikeproposal-1 dh-group group2
set security ike proposal ngikeproposal-1 authentication-algorithm sha1
set security ike proposal ngikeproposal-1 encryption-algorithm aes-192-cbc
set security ike proposal ngikeproposal-1 lifetime-seconds 300
set security ike policy ngikepolicy-1 mode aggressive
set security ike policy ngikepolicy-1 proposals ngikeproposal-1
set security ike policy ngikepolicy-1 pre-shared-key ascii-text "$9$NO-YoDjqfQnk.nCpBSy8X7-s2oJGiqm"
set security ike gateway ng-remote-vpn-1 ike-policy ngikepolicy-1
set security ike gateway ng-remote-vpn-1 dynamic user-at-hostname "firstname.lastname@example.org"
set security ike gateway ng-remote-vpn-1 dynamic connections-limit 2
set security ike gateway ng-remote-vpn-1 dynamic ike-user-type shared-ike-id
set security ike gateway ng-remote-vpn-1 external-interface ae2
set security ike gateway ng-remote-vpn-1 aaa access-profile ng-vpnuser
set security ipsec traceoptions flag all
set security ipsec proposal ng-ipsec-proposal-1 protocol esp
set security ipsec proposal ng-ipsec-proposal-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ng-ipsec-proposal-1 encryption-algorithm aes-128-cbc
set security ipsec policy ng-ipsec-policy-1 perfect-forward-secrecy keys group2
set security ipsec policy ng-ipsec-policy-1 proposals ng-ipsec-proposal-1
set security ipsec vpn ng-remote-vpn-1 bind-interface st0.0
set security ipsec vpn ng-remote-vpn-1 ike gateway ng-remote-vpn-1
set security ipsec vpn ng-remote-vpn-1 ike ipsec-policy ng-ipsec-policy-1
set security ipsec vpn ng-remote-vpn-1 traffic-selector NO-SPLIT local-ip 0.0.0.0/0
set security ipsec vpn ng-remote-vpn-1 traffic-selector NO-SPLIT remote-ip 0.0.0.0/0
So, when I complete the following command I get:
run show security ike security-associations detail:
Phase 2 negotiations in progress: 1
But yet I can ping him from any VR on the SRX through the st0 interface. But he cannot ping anything from his client.
Also, when I log on, my colleague gets logged off and vice versa...... this VPN to NCP is almost working but not quite....
So, I am now a little confused.
I have set the st0.0 interface into the correct zone and also the correct VR (now where we are directly connected). If I monitor the interface traffic I see the IP ping packets hit the ge interface when pinging that interface and the tunnel interface within the VR. However, when I ping the st0 interface within the VR I don't even see a packet hit the ge interface and it fails (obviously).....
So, if the st0 interface is in the correct zone and the ge, lt and st interfaces are in the correct VR, why can I not ping the st0 interface from my laptop but I can ping the lt interface? They are all within the /24 network....
I can ping the st0 interface from within the VR itself
Here is the set up:
laptop (192.168.70.60/24) --> (192.168.70.210/24 - ge-0/0/8) (test-vr) SRX st0.0 (18.104.22.168/29)
Interface in the "test-vr":
lt-0/0/0.9 - 22.214.171.124/30
From my laptop I can ping the ge-0/0/8 interface.
From my laptop I can ping the lt-0/0/0.9 interface
From my laptop I cannot ping the st0 interface
From the "test-vr" I can ping the st0 interface
In the routing table on the SRX the 126.96.36.199/32 address is shown under "test-vr"
Obviously, I cannot get any vpn connectivity until I can see the gateway
Let me try and re-word this:
IP network: 192.168.60.0/24 - Gateway 192.168.60.254
Gateway router - static route - ip route 188.8.131.52 255.255.255.0 192.168.60.210
ge-0/0/8 - 192.168.60.210
lt-0/0/0.9 - 184.108.40.206 / 30
st0.0 - 220.127.116.11 / 29 (within the 18.104.22.168/29 subnet)
Laptop pings lt-0/0/0.9 which is part of the 22.214.171.124 / 24 index network route on the gateway
Laptop won't ping the st0.0 interface in the same vr as ge-0/0/8 and lt-0/0/0.9
Is there a way I can log the interface ping traffic on ge-0/0/8 as dcd log does not show any output for ICMP?
Okay, maybe someone can help me now I have narrowed down the issue, or at least what I think the issue is:
I have a configuration that now works locally to the VR. I am using unnumbered on the st0 interface. The pool is assigning correct addresses from the range in the pool.
When I complete a "run show route x.x.x.x" I get the default on every single VR rib even though I have entered a static route as per the following:
set routing-options static route x.x.x.x/29 next-hop st0
This route is rejected under the inet default rib and 0.0.0.0/0 on every other VR. This is the reason I cannot get a response from the ping packets I am sending.
The other issue is that I cannot assign st0 to an IS-IS protocol so, here is the question:
How can I propagate the pooled network to the rest of the network?
As I am getting no luck with the NCP side of things, we have decided to utilise a slightly different approach as we already have Anyconnect working in a live environment. We have placed an ASA in the middle of the network as follows:
laptop --> Core1 (MX240) --> (outside) ASA (inside) --> (netopstest-VR - ge-0/0/10) SRX ---> Customer-VR and Internal network
The VPN pool is 192.168.200.0/24
I can ping the ASA inside interface from anywhere on the internal network, so there is no issue there (with no VPN).... I cannot ping the internal network from the VPN.... but I think this is due to the route back to the 192.168.200.0 network.... I have configured a static route on the SRX as follows:
set routing-options static route 192.168.200.0/24 next-hop 126.96.36.199 (Inside interface address of ASA) ... but when I look at the routing table I only see the default 0.0.0.0/0 which is no good.... I expected to see it at least appear on each VR via the correct interfaces....
Can anyone help with being able to advertise the VPN network on the internal network for the route back?
I will close this as resolved as I have the routing working and connectivity to all devices through the VPN.
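The thread asks how to get the VPN pool route out of the one routing instance that owns st0.0 and into the other VRs, but does not show the configuration that finally worked. The following is an added example of one standard Junos approach, rib-groups leaking a static route between routing instances, and is not the poster's configuration. Assumed names: routing instances "test-vr" (where st0.0 lives) and "customer-vr", the pool 192.168.200.0/24 from the thread, and the logical unit st0.0 as next hop (Junos static routes take a logical interface, not the physical st0); lines starting with # are explanatory comments, not CLI input.

```junos
# Static route to the VPN pool, installed in the VR that owns the tunnel interface
set routing-instances test-vr routing-options static route 192.168.200.0/24 next-hop st0.0

# rib-group: the first rib is the source, the rest receive copies of its static routes
set routing-options rib-groups vpn-pool-leak import-rib [ test-vr.inet.0 customer-vr.inet.0 inet.0 ]

# Restrict the leak to the pool prefix only, so nothing else from test-vr spills over
set policy-options policy-statement only-vpn-pool term pool from route-filter 192.168.200.0/24 exact
set policy-options policy-statement only-vpn-pool term pool then accept
set policy-options policy-statement only-vpn-pool then reject
set routing-options rib-groups vpn-pool-leak import-policy only-vpn-pool

# Apply the rib-group to the static routes of the source VR
set routing-instances test-vr routing-options static rib-group vpn-pool-leak

# Verification after commit (operational mode): the pool should now appear in the
# leaked tables instead of falling through to 0.0.0.0/0
# show route table customer-vr.inet.0 192.168.200.0/24
# show route table inet.0 192.168.200.0/24
```

Devices beyond the SRX still need a path back for 192.168.200.0/24 to the SRX (a static route on the gateway router, or redistribution of the leaked route into the IGP), otherwise replies from the internal network never reach the tunnel.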