Hello all,
This has me scratching my head:
I have an IPsec VPN between the local LAN (192.168.10.0/24) and a remote site (192.168.171.0/24).
Traffic is moving smoothly between sites, but I recently decided to implement configuration auto-archival to FTP server on remote site.
Sadly, the SRX itself (as opposed to the hosts behind it) is unable to talk to the remote site.
After configuring a flow traceoptions packet filter, I found that the SRX sends its own pings out of the untrust interface ge-0/0/0 using the SRX's public IP as the source, so they never enter the VPN tunnel.
Sure enough, if I force a ping to go out with the SRX's local LAN IP, I get replies:
>ping 192.168.171.14 source 192.168.10.1
Does anyone have an idea why this is happening and how to remedy it?
Thanks.
Here is my config:
## Last changed: 2018-07-06 10:00:01 EDT
version 17.3R2.10;
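system {
    host-name location_1-srx;
    time-zone America/New_York;
    root-authentication {
        encrypted-password "...";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        message "\n\n === Location_1 Office SRX === \n\n";
        user bart {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "...";
            }
        }
    }
    services {
        /* ssh is the only remote CLI service. telnet was removed: it carries credentials
           in cleartext, and it was the one management port the lo0.0 filter
           allow-mgmt-ip-only did not cover (trust zone allows all system services). */
        ssh;
        web-management {
            /* Plain HTTP management is kept for the LAN and tunnel interfaces only; the
               Internet-facing ge-0/0/0.0 was dropped from this list (its zone never
               admitted http anyway) so that only https is offered there. */
            http {
                port 2346;
                interface [ ge-0/0/2.0 st0.0 ];
            }
            https {
                port 2345;
                /* Self-signed certificate: browsers cannot verify the device identity.
                   A certificate from a local CA avoids training users to click through. */
                system-generated-certificate;
                interface [ ge-0/0/0.0 ge-0/0/2.0 st0.0 ];
            }
        }
        dhcp {
            /* Main LAN pool; DNS is served by hosts at the two VPN sites plus OpenDNS. */
            pool 192.168.10.0/24 {
                address-range low 192.168.10.100 high 192.168.10.199;
                maximum-lease-time 2419200;
                default-lease-time 1209600;
                name-server {
                    192.168.171.14;
                    10.11.17.140;
                    208.67.222.222;
                }
                domain-search {
                    acme.local;
                }
                router {
                    192.168.10.1;
                }
                /* NOTE(review): propagate-settings copies options learned by a DHCP client
                   on ge-0/0/0.0; that interface is statically addressed in this config, so
                   this appears to have no effect - confirm before relying on it. */
                propagate-settings ge-0/0/0.0;
            }
            /* NOTE(review): 6.6.10.0/24 is public (non-RFC 1918) address space. Hosts in
               this pool can never reach the real owners of 6.6.10.0/24, and the prefix is
               PAT'ed out with interface-nat like any other. Verify this is intended. */
            pool 6.6.10.0/24 {
                address-range low 6.6.10.100 high 6.6.10.150;
                maximum-lease-time 2419200;
                default-lease-time 1209600;
                name-server {
                    208.67.222.222;
                    208.67.220.220;
                }
                router {
                    6.6.10.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            /* Wireless pool on ge-0/0/5.0. */
            pool 192.168.100.0/24 {
                address-range low 192.168.100.50 high 192.168.100.200;
                maximum-lease-time 172800;
                default-lease-time 86400;
                name-server {
                    192.168.171.14;
                    10.11.17.140;
                }
                router {
                    192.168.100.1;
                }
            }
        }
    }
    syslog {
        /* IKE/IPsec negotiation log (kmd) at info level. */
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                /* NOTE(review): the archive is the full configuration, including password
                   hashes and the $9$-obscured (reversible) IKE pre-shared keys. FTP offers
                   no transport protection and this URL carries no credentials; prefer
                   scp://<user>@192.168.171.14/SRX with a password statement, and protect
                   the archive directory at rest. The transfer must also leave the box with
                   a 192.168.10.0/24 source to fit the VPN proxy-ID; st0.0 is currently
                   unnumbered, which is why the SRX's own traffic is sourced from the
                   public IP instead. */
                ftp://192.168.171.14/SRX;
            }
        }
    }
    ntp {
        /* Plain, unauthenticated NTP to two public servers. */
        server 104.232.3.3;
        server 64.99.80.121;
    }
}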
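security {
    ike {
        /* Both site-to-site peers: main mode, "standard" proposal set, pre-shared keys.
           The keys are stored $9$-obscured, which is reversible, so any copy of this
           configuration (e.g. the archival export) must be protected at rest. */
        policy ike-location_1-SSG {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "...";
        }
        policy ike-policy-location_1-SSG-location_2 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "...";
        }
        gateway ike-gw-location_1-comcast-SSG {
            ike-policy ike-location_1-SSG;
            address my.remote.ip;
            external-interface ge-0/0/0.0;
        }
        gateway ike-gw-location_2 {
            ike-policy ike-policy-location_1-SSG-location_2;
            address my.other.remote.ip;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy vpn-policy-std {
            proposal-set standard;
        }
        policy vpn-policy-std-location_2 {
            proposal-set standard;
        }
        /* Route-based tunnel to the 192.168.171.0/24 site, bound to st0.0. The proxy-ID
           is 192.168.10.0/24 <-> 192.168.171.0/24 only: traffic the SRX originates itself
           (config archival, ping) must carry a 192.168.10.0/24 source to fit it. */
        vpn ike-vpn-location_1-comcast {
            bind-interface st0.0;
            ike {
                gateway ike-gw-location_1-comcast-SSG;
                proxy-identity {
                    local 192.168.10.0/24;
                    remote 192.168.171.0/24;
                }
                ipsec-policy vpn-policy-std;
            }
        }
        /* Route-based tunnel to the 10.11.17.0/24 site, bound to st0.1. */
        vpn ike-vpn-location_2 {
            bind-interface st0.1;
            ike {
                gateway ike-gw-location_2;
                proxy-identity {
                    local 192.168.10.0/24;
                    remote 10.11.17.0/24;
                }
                ipsec-policy vpn-policy-std-location_2;
            }
        }
    }
    address-book {
        global {
            address location_1-lan2 192.168.16.0/24;
            /* Local LAN on ge-0/0/2.0; the local side of both proxy-IDs. */
            address location_1-lan 192.168.10.0/24;
            address apc-ups 192.168.10.251/32;
            address location_1-wlan 192.168.100.0/24;
            address PACS_192_168_10_15 192.168.10.15/32;
            /* The posted config also listed 192.168.171.0/24 under the name
               "location_1-lan". Two entries with the same name cannot commit, so that is
               presumably an anonymisation collision in the post. Renamed here; the two
               VPN policies that refer to the remote site use this name. */
            address remote-ssg-lan 192.168.171.0/24;
            address location_2-lan 10.11.17.0/24;
            address SRX-routing-addr 10.255.255.16/28;
            address loopback 127.0.0.1/32;
        }
    }
    flow {
        /* NOTE(review): datapath tracing was switched on for this troubleshooting session.
           Deactivate or delete it when done - it costs CPU and debug.log keeps growing. */
        traceoptions {
            file debug.log;
            flag basic-datapath;
            packet-filter FILTER1 {
                protocol icmp;
                source-prefix 0.0.0.0/0;
                destination-prefix 192.168.171.14/32;
            }
        }
        tcp-mss {
            /* Clamp MSS on tunnelled TCP so ESP packets do not need fragmentation. */
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    nat {
        source {
            /* Interface PAT for everything leaving trust toward untrust. */
            rule-set nat-out {
                from zone trust;
                to zone untrust;
                rule interface-nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat-192_168_10_251m32 {
                address 192.168.10.251/32 port 161;
            }
            /* Inbound my.public.ip:16100 -> APC UPS 192.168.10.251:161 (SNMP). */
            rule-set dest-nat {
                from zone untrust;
                rule rule-snmp-16100 {
                    match {
                        destination-address my.public.ip/32;
                        destination-port {
                            16100;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-192_168_10_251m32;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            /* NOTE(review): my.public.ip.2 is not referenced by any NAT rule in this
               config; confirm it is still needed. */
            interface ge-0/0/0.0 {
                address {
                    my.public.ip.2/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Unrestricted outbound from the trust zone. */
            policy all-outbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            /* Local LAN -> remote 192.168.171.0/24 site (st0.0). */
            policy vpn-to-location_1 {
                match {
                    source-address location_1-lan;
                    destination-address remote-ssg-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Local LAN -> location_2 10.11.17.0/24 (st0.1). */
            policy vpn-to-location_2 {
                match {
                    source-address location_1-lan;
                    destination-address location_2-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            /* Remote 192.168.171.0/24 site -> local LAN. */
            policy vpn-from-location_1 {
                match {
                    source-address remote-ssg-lan;
                    destination-address location_1-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* location_2 -> local LAN. */
            policy vpn-from-location_2 {
                match {
                    source-address location_2-lan;
                    destination-address location_1-lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* NOTE(review): this lets any Internet host speak SNMP (v1/v2c, protected by
               a community string only) to the UPS after DNAT. The lo0.0 filter does not
               apply to transit traffic, so restrict source-address here to the monitoring
               host(s) that actually poll it. */
            policy unt-to-trust-snmp-16100 {
                match {
                    source-address any;
                    destination-address apc-ups;
                    application snmp-16100;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    /* Management services are opened zone-wide toward the Internet;
                       source restriction relies entirely on the lo0.0 input filter
                       allow-mgmt-ip-only. NOTE(review): ge-0/0/0.0 is statically
                       addressed in this config, so dhcp looks unnecessary - confirm. */
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            snmp;
                            ping;
                            ssh;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trust {
            /* Everything is allowed to the box from the LAN side at zone level; the
               lo0.0 filter still discards ssh/http/https/snmp from LAN sources that are
               not in prefix-list mgmt-ip. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/5.0;
                lo0.0;
            }
        }
        /* NOTE(review): no host-inbound-traffic is permitted in this zone, yet the prefixes
           the lo0.0 filter exempts for management (10.11.17.0/24 and 192.168.171.0/24)
           reach the SRX through st0.0/st0.1, i.e. here. If administering the SRX from
           those sites is intended, add the needed system-services to this zone. */
        security-zone vpn {
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
}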
interfaces {
    /* Internet-facing (zone untrust): IKE external interface, NAT interface address,
       and the DNAT target my.public.ip. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address my.public.ip/29;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.16.1/24;
            }
        }
    }
    /* Main LAN; the local side of both VPN proxy-IDs. */
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
    /* NOTE(review): 6.6.10.0/24 is public (non-RFC 1918) address space - confirm intended. */
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 6.6.10.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.100.1/24;
            }
        }
    }
    /* No address; only carries the management input filter. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input allow-mgmt-ip-only;
                }
            }
        }
    }
    /* Unnumbered tunnel interfaces. This is where the posted problem comes from: the
       SRX's own traffic to 192.168.171.x is routed to st0.0, but with no address here the
       source falls back to the box's default address - per the poster's trace, the
       ge-0/0/0.0 public IP - which lies outside the proxy-ID and the vpn/trust policies.
       The remedy is to give that traffic a 192.168.10.0/24 source, e.g. a /32 from that
       subnet on st0.0, or on lo0.0 together with "system default-address-selection"
       (the latter changes the source of ALL self-originated traffic, NTP and DNS to the
       Internet included). NOTE(review): confirm this release accepts a /32 overlapping
       the ge-0/0/2.0 subnet, and that the peer's policy admits the chosen address. */
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
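snmp {
    description "Location_1 SRX";
    location "Somewhere";
    contact "Bart";
    /* SNMPv2c, read-only. Pollers are limited to the same management prefixes the lo0.0
       filter allow-mgmt-ip-only exempts, so the agent answers nobody else even if that
       filter is later loosened. SNMPv3 (usm) would avoid the cleartext community string
       altogether. */
    community my.community.string {
        authorization read-only;
        clients {
            10.11.17.0/24;
            192.168.171.0/24;
        }
    }
}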
routing-options {
    static {
        /* Default toward the ISP; IKE itself runs over ge-0/0/0.0. */
        route 0.0.0.0/0 next-hop my.public.gateway.ip;
        /* Tunnel routes: pointing a prefix at st0.x is what sends it into the VPN. */
        route 192.168.171.0/24 next-hop st0.0;
        route 10.11.17.0/24 next-hop st0.1;
        /* NOTE(review): 10.255.255.16/28 is sent into st0.0 but is not part of that VPN's
           proxy-ID (remote 192.168.171.0/24); the peer may not accept it - confirm. */
        route 10.255.255.16/28 next-hop st0.0;
    }
}
protocols {
    /* Ethernet switching is enabled globally; no switched ports appear in this listing. */
    l2-learning {
        global-mode switching;
    }
}
policy-options {
    /* Sources allowed to manage/poll the SRX (exempted by filter allow-mgmt-ip-only).
       Both are the remote VPN sites; the local LAN 192.168.10.0/24 is NOT listed, so
       ssh/https/snmp from the LAN are discarded at lo0.0 - NOTE(review): add it if LAN
       administration is intended. */
    prefix-list mgmt-ip {
        10.11.17.0/24;
        192.168.171.0/24;
    }
}
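firewall {
    /* Applied as input on lo0.0, i.e. to traffic addressed to the SRX itself (not to
       transit or DNAT'ed traffic). Management ports and ping are reachable only from
       prefix-list mgmt-ip; everything else is accepted by the final term. */
    filter allow-mgmt-ip-only {
        term block-except-mgmt {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    mgmt-ip except;
                }
                protocol [ tcp udp ];
                /* telnet added: it is enabled under system services and was the one
                   management port this term did not cover. 16100 is the public-facing
                   port of the UPS DNAT rule; transit traffic never reaches this filter,
                   so that entry only matters for packets aimed at the SRX itself. */
                destination-port [ ssh telnet http https snmp 16100 2345 2346 ];
            }
            /* Logging of refused attempts is deactivated; activate it to see who knocks. */
            then {
                inactive: log;
                discard;
            }
        }
        /* Echo requests from outside mgmt-ip are dropped silently. */
        term block-ping {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    mgmt-ip except;
                }
                protocol icmp;
                icmp-type echo-request;
            }
            then {
                discard;
            }
        }
        term allow-everything-else {
            then accept;
        }
    }
}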
applications {
    /* Post-DNAT service used by policy unt-to-trust-snmp-16100: the real port is 161;
       "16100" in the name is the public-facing port translated by rule-snmp-16100. */
    application snmp-16100 {
        protocol udp;
        destination-port 161;
    }
}