IKEv2 traffic selector support

  • 1.  IKEv2 traffic selector support

    Posted 05-08-2017 16:39

    Hi, 

     

    I need to use IKEv2 to setup site-to-site VPN with a 3rd party, I was astonished to find that IKEv2 does not support traffic-selectors, so we will need to have multiple encryption domains between two IKEv2 gateways, how does IKEv2 address this basic requirement?

     

    Thanks,



  • 2.  RE: IKEv2 traffic selector support
    Best Answer

    Posted 05-08-2017 18:32

    Hi,

     

     

    Thanks for posting your query here.

     

    Unfortunately, yes: IKEv2 does not support configuring traffic selectors as of yet, and hence you need to have multiple VPNs configured under the [edit security ipsec vpn] hierarchy, with each VPN having different proxy-IDs in it.

     

    The KB below can serve as an example of how to configure multiple VPNs with different proxy IDs. Though the KB uses IKEv1, the same can be used for IKEv2 as well:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB20543 

     

    Hope This helps. 🙂

     

    Thanks,
    Pulkit Bhandari
    Please mark my response as Solution Accepted if it helps; Kudos are appreciated too. 🙂



  • 3.  RE: IKEv2 traffic selector support

    Posted 05-08-2017 22:15

    So Junos IPsec started with ScreenOS's proxy-ID (single only), then implemented (multiple) traffic selectors, then going back to single proxy-ID again with IKEv2?



  • 4.  RE: IKEv2 traffic selector support

    Posted 07-13-2017 13:59


  • 5.  RE: IKEv2 traffic selector support

    Posted 05-22-2019 10:00

    I understand that it is now possible to use IKEv2 with traffic selectors, but I can't make it work. Please see the output from my FW. You can see that after I add the traffic-selector it is telling me that I am missing statements that are clearly in the config. Have you encountered this? My box is an SRX4100 with 15.1X49-D150.2.

     

    xxxxxxx# show | compare
    [edit security ipsec]
        xxxxxxx { ... }
    +   vpn xxxxxxxPH2_VPN {
    +       bind-interface st0.xxxxxxx;
    +       ike {
    +           gateway xxxxxxx-PH1_Gateway;
    +           ipsec-policy xxxxxxx-PH2_Policy;
    +       }
    +   }
    +   vpn xxxxxxx-PH2-VPN {
    +       traffic-selector xxxxxxx-Proxy1 {
    +           local-ip xxxxxxx/32;
    +           remote-ip xxxxxxxxxxxxxxxxxxxxx/32;
    +       }
    +       ## Warning: missing mandatory statement(s): 'manual' or 'ike'
    +   }

    xxxxxxx# commit check
    [edit security ipsec vpn xxxxxxx-PH2-VPN]
      'traffic-selector'
        Bind-interface must be configured under [edit security ipsec vpn] hierarchy
    [edit security ipsec]
      'vpn xxxxxxx-PH2-VPN'
        Missing mandatory statement: 'manual' or 'ike'
    error: configuration check-out failed: (missing mandatory statements)

    {primary:node0}[edit]
    xxxxxxx#



  • 6.  RE: IKEv2 traffic selector support

    Posted 05-22-2019 10:13
    There is a typo in the VPN name. Change PH2-VPN to PH2_VPN.


  • 7.  RE: IKEv2 traffic selector support

    Posted 05-22-2019 10:20

    Hi Victor,

     

    It seems you have made a typo.

    The traffic selector is to be configured under the VPN named "xxxxxxxPH2_VPN",

    but you have by mistake written the VPN name as "xxxxxxx-PH2-VPN".

     

    You used "-" in place of "_", which led Junos to configure the traffic selector under a new VPN.

     

    Delete the vpn statement xxxxxxx-PH2-VPN and configure the traffic selector under xxxxxxxPH2_VPN, which contains the ike config.

     

    Regards,

     

    Rahul
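A small pre-commit check for exactly the mistake discussed in this thread, added here as an example (not code from the thread or from Juniper): it parses Junos "set"-style lines, flags any vpn stanza that carries a traffic-selector without the ike/manual and bind-interface statements that commit check demands, and suggests the closely named complete vpn as the probable intended target. The sample configuration and all vpn, gateway and policy names in it are constructed for the example.

```python
import re
from difflib import get_close_matches

# Constructed sample in Junos "set" form, reproducing the thread's mistake:
# the traffic-selector lands under a misspelt vpn name (PH2-VPN vs PH2_VPN).
SAMPLE_CONFIG = """
set security ipsec vpn SITE-PH2_VPN bind-interface st0.1
set security ipsec vpn SITE-PH2_VPN ike gateway SITE-PH1_Gateway
set security ipsec vpn SITE-PH2_VPN ike ipsec-policy SITE-PH2_Policy
set security ipsec vpn SITE-PH2-VPN traffic-selector SITE-Proxy1 local-ip 10.1.1.1/32
set security ipsec vpn SITE-PH2-VPN traffic-selector SITE-Proxy1 remote-ip 192.0.2.10/32
"""

VPN_RE = re.compile(r"^set security ipsec vpn (\S+) (\S+)")


def parse_vpns(config):
    """Map each vpn name to the set of top-level statements configured under it."""
    vpns = {}
    for line in config.strip().splitlines():
        m = VPN_RE.match(line.strip())
        if m:
            vpns.setdefault(m.group(1), set()).add(m.group(2))
    return vpns


def lint_vpns(config):
    """Mirror the commit-check rule: a vpn carrying a traffic-selector must also
    carry 'ike' (or 'manual') and 'bind-interface'. Returns a list of
    (vpn name, missing statements, probable intended vpn or None)."""
    vpns = parse_vpns(config)
    complete = [n for n, s in vpns.items()
                if s & {"ike", "manual"} and "bind-interface" in s]
    findings = []
    for name, stmts in vpns.items():
        if "traffic-selector" not in stmts:
            continue
        missing = []
        if not stmts & {"ike", "manual"}:
            missing.append("ike/manual")
        if "bind-interface" not in stmts:
            missing.append("bind-interface")
        if missing:
            # A near-identical complete vpn name points at a typo, as in the thread.
            guess = get_close_matches(name, complete, n=1, cutoff=0.8)
            findings.append((name, missing, guess[0] if guess else None))
    return findings


if __name__ == "__main__":
    for name, missing, guess in lint_vpns(SAMPLE_CONFIG):
        hint = f" (did you mean '{guess}'?)" if guess else ""
        print(f"vpn {name}: missing {', '.join(missing)}{hint}")
```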