LAB SRX 540 To MX-140 IPSEC Tunnel

  • 1.  LAB SRX 540 To MX-140 IPSEC Tunnel

    Posted 04-11-2018 12:42

    1.1.1.1--------MX---------xe-2/0/0----------------------------------------------XE-2/0/0--SRX-----2.2.2.2
                                               10.0.1.1/30                                                    10.0.1.2/30

     

     

    set services service-set ipsec_ss_ms_0_2_0 next-hop-service inside-service-interface ms-0/2/0.1
    set services service-set ipsec_ss_ms_0_2_0 next-hop-service outside-service-interface ms-0/2/0.2
    set services service-set ipsec_ss_ms_0_2_0 ipsec-vpn-options local-gateway 10.0.1.1
    set services service-set ipsec_ss_ms_0_2_0 ipsec-vpn-rules vpn_rule_ms_0_2_0_01
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from source-address 1.1.1.1/32
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from destination-address 2.2.2.2/32
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then remote-gateway 10.0.1.2
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ike-policy ike_policy_ms_0_2_0
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ipsec-policy ipsec_policy_ms_0_2_0
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then anti-replay-window-size 4096
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 match-direction input
    set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 protocol esp
    set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 authentication-algorithm hmac-sha1-96
    set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
    set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 perfect-forward-secrecy keys group2
    set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 proposals ipsec_proposal_ms_0_2_0
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 dh-group group19
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-algorithm sha1
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
    set services ipsec-vpn ike policy ike_policy_ms_0_2_0 proposals ike_proposal_ms_0_2_0
    set services ipsec-vpn ike policy ike_policy_ms_0_2_0 pre-shared-key ascii-text "$9$f5nCOBEyeWRh"

     

    set interfaces ms-0/2/0 unit 0 family inet
    set interfaces ms-0/2/0 unit 1 family inet
    set interfaces ms-0/2/0 unit 1 family inet6
    set interfaces ms-0/2/0 unit 1 service-domain inside
    set interfaces ms-0/2/0 unit 2 family inet
    set interfaces ms-0/2/0 unit 2 family inet6
    set interfaces ms-0/2/0 unit 2 service-domain outside
    set interfaces xe-2/0/0 description IPSEC
    set interfaces xe-2/0/0 unit 0 family inet address 10.0.1.1/30

     

    set interfaces lo0 unit 2 family inet address 1.1.1.1/32
    set routing-options static route 2.2.2.2/32 next-hop ms-0/2/0.1

     

    SRX:

     

    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group19
    set security ike proposal ike-phase1-proposal authentication-algorithm sha1
    set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$FJHK3A0Ehrv87yl"
    set security ike gateway ike-gw ike-policy ike-phase1-policy
    set security ike gateway ike-gw address 10.0.1.1
    set security ike gateway ike-gw local-identity inet 10.0.1.2
    set security ike gateway ike-gw remote-identity inet 10.0.1.1
    set security ike gateway ike-gw external-interface xe-2/2/0
    set security ipsec traceoptions flag all
    set security ipsec proposal ipsec-phase2-proposal protocol esp
    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec policy vpn-policy1 perfect-forward-secrecy keys group2
    set security ipsec policy vpn-policy1 proposals ipsec-phase2-proposal
    set security ipsec vpn ike-vpn bind-interface st0.0
    set security ipsec vpn ike-vpn vpn-monitor
    set security ipsec vpn ike-vpn ike gateway ike-gw
    set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
    set security ipsec vpn ike-vpn establish-tunnels immediately
    set security policies from-zone trust to-zone trust policy All match source-address any
    set security policies from-zone trust to-zone trust policy All match destination-address any
    set security policies from-zone trust to-zone trust policy All match application any
    set security policies from-zone trust to-zone trust policy All then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces xe-2/2/0.0
    set security zones security-zone trust interfaces lo0.2
    set security zones security-zone trust interfaces st0.0
    set interfaces xe-2/2/0 unit 0 family inet address 10.0.1.2/30
    set interfaces lo0 unit 2 family inet address 2.2.2.2/32
    set interfaces st0 unit 0
    set routing-options static route 1.1.1.1/32 next-hop st0.0

     

    The tunnel is not up. What config am I missing?

    Thank you for the help.

    Nils.



  • 2.  RE: LAB SRX 540 To MX-140 IPSEC Tunnel

    Posted 04-11-2018 12:43

    root@SRX-TEST-540> show log kmd | last
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 71082027
    [Apr 11 19:46:04 PIC 0/0/1 KMD1] IKEv1 Error : Timeout
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]IPSec Rekey for SPI 0x0 failed
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]IPSec SA done callback called for sa-cfg ike-vpn local:10.0.1.2, remote:10.0.1.1 IKEv1 with status Timed out
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]ike_sa_delete: Start, SA = { b71822d7 be22e059 - 00000000 00000000 }
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]IKE SA delete called for p1 sa 71082027 (ref cnt 1) local:10.0.1.2, remote:10.0.1.1, IKEv1
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]iked_pm_p1_sa_destroy: p1 sa 71082027 (ref cnt 0), waiting_for_del 0x0
    [Apr 11 19:46:04 PIC 0/0/1 KMD1]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)



  • 3.  RE: LAB SRX 540 To MX-140 IPSEC Tunnel

    Posted 04-11-2018 13:13

    This is a phase 1 proposal mismatch.

    One thing I noticed you are using on the SRX:

    set security ike gateway ike-gw local-identity inet 10.0.1.2
    set security ike gateway ike-gw remote-identity inet 10.0.1.1

    Remove it altogether or reconfigure it to:

    set security ike gateway ike-gw local-identity inet 2.2.2.2
    set security ike gateway ike-gw remote-identity inet 1.1.1.1

    You do not need to specify the local IKE identity to send in the exchange with the destination peer to establish communication. If you do not configure a local-identity, the device uses the IPv4 or IPv6 address corresponding to the local endpoint by default.

     

    Regards

    Leon Smirnov

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 4.  RE: LAB SRX 540 To MX-140 IPSEC Tunnel

    Posted 04-11-2018 13:28

    The change in the SRX brought the IKE Phase 1 up,

    root@SRX-TEST-540> show security ike security-associations
    Index     State  Initiator cookie  Responder cookie  Mode  Remote Address
    71082059  UP     9f415d2785522824  417d0fdac3ee434d  Main  10.0.1.1

    but still getting the following error:

     

    root@SRX-TEST-540> show log kmd | last
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]ike_st_i_n: Start, doi = 1, protocol = 3, code = No proposal chosen (14), spi[0..4] = 81dd67ee 00000000 ..., data[0..50] = 800c0001 00060022 ...
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]<none>:500 (Responder) <-> 10.0.1.1:500 { 9f415d27 85522824 - 417d0fda c3ee434d [1] / 0x002c915a } Info; Notification data has attribute list
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]<none>:500 (Responder) <-> 10.0.1.1:500 { 9f415d27 85522824 - 417d0fda c3ee434d [1] / 0x002c915a } Info; Notify message version = 1
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]<none>:500 (Responder) <-> 10.0.1.1:500 { 9f415d27 85522824 - 417d0fda c3ee434d [1] / 0x002c915a } Info; Error text = Could not find acceptable proposal
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]<none>:500 (Responder) <-> 10.0.1.1:500 { 9f415d27 85522824 - 417d0fda c3ee434d [1] / 0x002c915a } Info; Offending message id = 0xd3c8c27c
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]<none>:500 (Initiator) <-> 10.0.1.1:500 { 9f415d27 85522824 - 417d0fda c3ee434d [0] / 0xd3c8c27c } QM; Connection got error = 14, calling callback
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]ike_st_i_private: Start
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]ike_send_notify: Connected, SA = { 9f415d27 85522824 - 417d0fda c3ee434d}, nego = 1
    [Apr 11 20:30:01 PIC 0/0/1 KMD1]IPSec negotiation failed for SA-CFG ike-vpn for local:10.0.1.2, remote:10.0.1.1 IKEv1. status: No proposal chosen
    [Apr 11 20:30:01 PIC 0/0/1 KMD1] P2 ed info: flags 0x8082, P2 error: Error ok
    [Apr 11 20:30:01 PIC 0/0/1 KMD1] IKEv1 Error : No proposal chosen

     

     



  • 5.  RE: LAB SRX 540 To MX-140 IPSEC Tunnel
    Best Answer

    Posted 04-11-2018 14:01

    You need to change one more thing:

    Current SRX config:

    set interfaces st0 unit 0

    Change to:

    set interfaces st0.0 family inet

     

    Regards

    Leon Smirnov

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 6.  RE: LAB SRX 540 To MX-140 IPSEC Tunnel

    Posted 04-12-2018 13:59

    Working Config:

     

    root@SRX-TEST-540> show configuration | display set
    set version 15.1X49-D50.3
    set system host-name SRX-TEST-540
    set system root-authentication encrypted-password "$5$HDGwCjBc$VQ8o0QVroyItSzkZpNoeMeMd7Y8skFE5d7ETHxTQAyA"
    set system syslog user * any emergency
    set system syslog file messages any info
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
    set security ike traceoptions flag all
    set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
    set security ike proposal ike-phase1-proposal dh-group group19
    set security ike proposal ike-phase1-proposal authentication-algorithm sha-256
    set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
    set security ike proposal ike-phase1-proposal lifetime-seconds 86400
    set security ike policy ike-phase1-policy mode main
    set security ike policy ike-phase1-policy proposals ike-phase1-proposal
    set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$FJHK3A0Ehrv87yl"
    set security ike gateway ike-gw ike-policy ike-phase1-policy
    set security ike gateway ike-gw address 10.0.1.1
    set security ike gateway ike-gw external-interface xe-2/2/0
    set security ipsec traceoptions flag all
    set security ipsec proposal ipsec-phase2-proposal protocol esp
    set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec policy vpn-policy1 perfect-forward-secrecy keys group2
    set security ipsec policy vpn-policy1 proposals ipsec-phase2-proposal
    set security ipsec vpn ike-vpn bind-interface st0.0
    set security ipsec vpn ike-vpn ike gateway ike-gw
    set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
    set security ipsec vpn ike-vpn establish-tunnels immediately
    set security policies from-zone trust to-zone trust policy All match source-address any
    set security policies from-zone trust to-zone trust policy All match destination-address any
    set security policies from-zone trust to-zone trust policy All match application any
    set security policies from-zone trust to-zone trust policy All then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces xe-2/2/0.0
    set security zones security-zone trust interfaces lo0.2
    set security zones security-zone trust interfaces st0.0
    set interfaces xe-2/2/0 unit 0 family inet filter input icmp-filter
    set interfaces xe-2/2/0 unit 0 family inet filter output icmp-filter
    set interfaces xe-2/2/0 unit 0 family inet address 10.0.1.2/30
    set interfaces lo0 unit 2 family inet address 2.2.2.2/32
    set interfaces st0 unit 0 family inet
    set routing-options static route 1.1.1.1/32 next-hop 10.0.1.1
    set firewall family inet filter icmp-filter term 1 from protocol icmp
    set firewall family inet filter icmp-filter term 1 then count icmp-counter
    set firewall family inet filter icmp-filter term 1 then accept
    set firewall family inet filter icmp-filter term default then accept

     

     

     

    MX

     

    root@TEST-WAN-Router> show configuration | display set
    set version 16.1R4-S2.2
    set system host-name TEST-WAN-Router
    set system root-authentication encrypted-password "$5$QDMikHYN$AOnqaqXAGGHo9JQUTtY7X/C7o4IMrtPPDX05316X3mB"
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set chassis aggregated-devices ethernet device-count 4
    set services service-set ipsec_ss_ms_0_2_0 next-hop-service inside-service-interface ms-0/2/0.1
    set services service-set ipsec_ss_ms_0_2_0 next-hop-service outside-service-interface ms-0/2/0.2
    set services service-set ipsec_ss_ms_0_2_0 ipsec-vpn-options local-gateway 10.0.1.1
    set services service-set ipsec_ss_ms_0_2_0 ipsec-vpn-rules vpn_rule_ms_0_2_0_01
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from source-address 1.1.1.1/32
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 from destination-address 2.2.2.2/32
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then remote-gateway 10.0.1.2
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ike-policy ike_policy_ms_0_2_0
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then dynamic ipsec-policy ipsec_policy_ms_0_2_0
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 term term1 then anti-replay-window-size 4096
    set services ipsec-vpn rule vpn_rule_ms_0_2_0_01 match-direction input
    set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 protocol esp
    set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 authentication-algorithm hmac-sha1-96
    set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
    set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 perfect-forward-secrecy keys group2
    set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 proposals ipsec_proposal_ms_0_2_0
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-method pre-shared-keys
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 dh-group group19
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-algorithm sha-256
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
    set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 lifetime-seconds 86400
    set services ipsec-vpn ike policy ike_policy_ms_0_2_0 proposals ike_proposal_ms_0_2_0
    set services ipsec-vpn ike policy ike_policy_ms_0_2_0 pre-shared-key ascii-text "$9$f5nCOBEyeWRh"
    set services ipsec-vpn traceoptions file all
    set services ipsec-vpn traceoptions flag all
    set services ipsec-vpn traceoptions flag ike
    set interfaces xe-0/0/0 gigether-options 802.3ad ae0
    set interfaces xe-0/0/1 gigether-options 802.3ad ae1
    set interfaces ms-0/2/0 unit 0 family inet
    set interfaces ms-0/2/0 unit 1 family inet
    set interfaces ms-0/2/0 unit 1 family inet6
    set interfaces ms-0/2/0 unit 1 service-domain inside
    set interfaces ms-0/2/0 unit 2 family inet
    set interfaces ms-0/2/0 unit 2 family inet6
    set interfaces ms-0/2/0 unit 2 service-domain outside
    set interfaces xe-2/0/0 description IPSEC
    set interfaces xe-2/0/0 unit 0 family inet filter output TEST
    set interfaces xe-2/0/0 unit 0 family inet address 10.0.1.1/30
    set interfaces xe-2/0/1 gigether-options 802.3ad ae1
    set interfaces xe-2/0/2 vlan-tagging
    set interfaces xe-2/0/2 encapsulation extended-vlan-bridge
    set interfaces xe-2/0/2 unit 0 vlan-id 3
    set interfaces ae0 vlan-tagging
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae1 vlan-tagging
    set interfaces ae1 aggregated-ether-options lacp active
    set interfaces irb unit 0
    set interfaces lo0 unit 2 family inet address 1.1.1.1/32
    set routing-options static route 2.2.2.2/32 next-hop 10.0.1.2
    set firewall filter TEST term 1 then count COUNTER
    set firewall filter TEST term 1 then accept
    set bridge-domains vlan-3 vlan-id 3
    set bridge-domains vlan-3 interface xe-2/0/2.0
    set bridge-domains vlan-3 routing-interface irb.0

     

     

     

    root@TEST-WAN-Router> show services ipsec-vpn ike security-associations
    Remote Address  State    Initiator cookie  Responder cookie  Exchange type
    10.0.1.2        Matured  0bdf2e0e741c0c7e  502a3b49dd71da28  Main

     

     

    root@TEST-WAN-Router> show services ipsec-vpn ipsec security-associations
    Service set: ipsec_ss_ms_0_2_0, IKE Routing-instance: default

    Rule: vpn_rule_ms_0_2_0_01, Term: term1, Tunnel index: 2
    Local gateway: 10.0.1.1, Remote gateway: 10.0.1.2
    IPSec inside interface: ms-0/2/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    Direction  SPI         AUX-SPI  Mode    Type     Protocol
    inbound    1565990929  0        tunnel  dynamic  ESP
    outbound   2175502731  0        tunnel  dynamic  ESP
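The three changes that brought this tunnel up (phase 1 proposals that agree on both sides, the explicit IKE identities removed, and `family inet` on st0.0) can be checked mechanically before committing, rather than by reading `show log kmd` afterwards. The script below is an added example, not code from this thread or from Juniper. It assumes one IKE proposal, one IPsec proposal/policy, one gateway and one VPN per side, as in this lab, and its sample configs are trimmed from the configs posted above with the pre-shared keys omitted. Run against the MX working config, the original SRX config yields the phase 1 mismatches plus the identity and st0 findings; the corrected SRX config yields none.

```python
"""Cross-check an SRX 'security ike/ipsec' config against an MX 'services ipsec-vpn'
config for the mismatches seen in this thread. Added example, not from the thread;
assumes one proposal, policy, gateway and VPN per side. Sample configs are trimmed
from the thread's posts with the pre-shared keys omitted."""

PHASE1_KEYS = ("authentication-method", "dh-group", "authentication-algorithm",
               "encryption-algorithm", "lifetime-seconds")
PHASE2_KEYS = ("protocol", "authentication-algorithm", "encryption-algorithm", "pfs")

def parse_set(text):
    """Turn 'set a b c ...' lines into token lists with the leading 'set' dropped."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]

def _collect(tokens, prefix):
    """{name: {key: value}} for every 'set <prefix> <name> <key> <value...>' line."""
    prefix, n, out = list(prefix), len(prefix), {}
    for t in tokens:
        if t[:n] == prefix and len(t) >= n + 3:
            out.setdefault(t[n], {})[t[n + 1]] = " ".join(t[n + 2:])
    return out

def _one(tokens, *prefix):
    """Key/value map of the single (assumed only) block under prefix, or {}."""
    return next(iter(_collect(tokens, prefix).values()), {})

def srx_profile(tokens):
    """Negotiation-relevant parameters of an SRX 'security' config."""
    bind = _one(tokens, "security", "ipsec", "vpn").get("bind-interface", "")
    st_if, _, st_unit = bind.partition(".")
    pfs = _one(tokens, "security", "ipsec", "policy").get("perfect-forward-secrecy")
    return {"phase1": _one(tokens, "security", "ike", "proposal"),
            "phase2": dict(_one(tokens, "security", "ipsec", "proposal"), pfs=pfs),
            "gateway": _one(tokens, "security", "ike", "gateway"),
            "bind": bind,  # st0.N needs 'family inet' before the VPN can use it
            "bind_has_inet": any(t[:6] == ["interfaces", st_if, "unit", st_unit, "family", "inet"]
                                 for t in tokens)}

def mx_profile(tokens):
    """Negotiation-relevant parameters of an MX 'services ipsec-vpn' config."""
    pfs = _one(tokens, "services", "ipsec-vpn", "ipsec", "policy").get("perfect-forward-secrecy")
    return {"phase1": _one(tokens, "services", "ipsec-vpn", "ike", "proposal"),
            "phase2": dict(_one(tokens, "services", "ipsec-vpn", "ipsec", "proposal"), pfs=pfs)}

def lint(srx_text, mx_text):
    """Return human-readable findings; an empty list means the two sides agree."""
    srx, mx = srx_profile(parse_set(srx_text)), mx_profile(parse_set(mx_text))
    findings = []
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        for k in keys:
            a, b = srx[phase].get(k), mx[phase].get(k)
            if a != b:  # both peers must offer the same value or IKE rejects the proposal
                findings.append(f"{phase} {k}: SRX={a or '(unset)'} MX={b or '(unset)'}")
    for k in ("local-identity", "remote-identity"):
        if k in srx["gateway"]:  # the accepted answer removed these and used the addresses
            findings.append(f"explicit {k} '{srx['gateway'][k]}' configured; verify the peer expects it")
    if not srx["bind_has_inet"]:
        findings.append(f"{srx['bind'] or 'bind-interface'} lacks 'family inet' "
                        "(thread symptom: phase 1 UP, phase 2 'No proposal chosen')")
    return findings

# Constructed from the thread's first SRX post: sha1, explicit identities, bare st0.0.
SRX_BEFORE = """\
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group19
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike gateway ike-gw address 10.0.1.1
set security ike gateway ike-gw local-identity inet 10.0.1.2
set security ike gateway ike-gw remote-identity inet 10.0.1.1
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy vpn-policy1 perfect-forward-secrecy keys group2
set security ipsec vpn ike-vpn bind-interface st0.0
set interfaces st0 unit 0
"""
# The thread's working SRX config: sha-256 + lifetime, identities removed, family inet on st0.0.
SRX_FIXED = "\n".join(ln for ln in SRX_BEFORE.splitlines() if "-identity" not in ln).replace(
    "authentication-algorithm sha1", "authentication-algorithm sha-256\n"
    "set security ike proposal ike-phase1-proposal lifetime-seconds 86400",
).replace("set interfaces st0 unit 0", "set interfaces st0 unit 0 family inet")
# Trimmed from the thread's working MX config.
MX_WORKING = """\
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ipsec policy ipsec_policy_ms_0_2_0 perfect-forward-secrecy keys group2
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 dh-group group19
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 authentication-algorithm sha-256
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 encryption-algorithm aes-128-cbc
set services ipsec-vpn ike proposal ike_proposal_ms_0_2_0 lifetime-seconds 86400
"""

if __name__ == "__main__":
    for label, cfg in (("before", SRX_BEFORE), ("fixed", SRX_FIXED)):
        print(label, lint(cfg, MX_WORKING) or ["no mismatches"])
```

`PHASE1_KEYS` and `PHASE2_KEYS` are the only place the compared attributes live, so a lab with multiple proposals or with IKEv2 options would extend those tuples and replace `_one` with a lookup of the proposal actually referenced by the policy; the parser itself is format-agnostic `set`-line tokenising and needs no change.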