SRX

Expand all | Collapse all

Why does it work ?

Jump to Best Answer
  • 1.  Why does it work ?

    Posted 04-12-2017 04:17

    Hi everyone.

     

    I'm testing in my lan 2 srx-220 H

    IPSEC + GRE + OSPF

     

     

    First I've decide to config IPSEC + OSPF.

    So there is config on 1 node

    Spoiler

     
    set security ike proposal IKE_prop description Propor_IKE
    set security ike proposal IKE_prop authentication-method pre-shared-keys
    set security ike proposal IKE_prop dh-group group14
    set security ike proposal IKE_prop authentication-algorithm sha-256
    set security ike proposal IKE_prop encryption-algorithm aes-256-cbc
    set security ike proposal IKE_prop lifetime-seconds 28800
    set security ike policy IKE_Policy mode main
    set security ike policy IKE_Policy proposals IKE_prop
    set security ike policy IKE_Policy pre-shared-key ascii-text "$9$.5390ORSyK0BclMWdV"
    set security ike gateway IKE_Gate ike-policy IKE_Policy
    set security ike gateway IKE_Gate address x.x.226.93
    set security ike gateway IKE_Gate local-identity inet x.x.226.94
    set security ike gateway IKE_Gate remote-identity inet 1 x.x.226.93
    set security ike gateway IKE_Gate external-interface ge-0/0/2.0
    set security ipsec proposal IPSEC_prop protocol esp
    set security ipsec proposal IPSEC_prop authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC_prop encryption-algorithm aes-128-cbc
    set security ipsec proposal IPSEC_prop lifetime-seconds 28800
    set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group14
    set security ipsec policy IPSEC_POL proposals IPSEC_prop
    set security ipsec vpn VPN_J-2-J bind-interface st0.0
    set security ipsec vpn VPN_J-2-J df-bit clear
    set security ipsec vpn VPN_J-2-J ike gateway IKE_Gate
    set security ipsec vpn VPN_J-2-J ike proxy-identity service junos-gre
    set security ipsec vpn VPN_J-2-J ike ipsec-policy IPSEC_POL
    set security ipsec vpn VPN_J-2-J establish-tunnels immediately
    set protocols ospf area 0.0.0.0 interface st0.0
    set interfaces ge-0/0/2 unit 0 family inet address x.x.226.94/29
    set interfaces st0 unit 0 description "'VPN'"
    set interfaces st0 unit 0 family inet
     
     
    It's all OK with IPSEC
    run show security ipsec security-association
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:aes-cbc-128/sha1 60387070 27569/unlim - root 500 x.x.226.93
      >131073 ESP:aes-cbc-128/sha1 d2e727c1 27569/unlim - root 500 x.x.226.93

    But OSPF has worked too.
     
    I see in dump only ESP messages. OSPF encapsulated in IPSEC and work.
     
    As I know OSPF shouldn't work in IPSEC tunnels - that's why all of us use GRE + IPSEC - to forfard multicast throuhg the GRE and then all it encrypted by IPSEC.
     
    Second thing I know - OSPF in p2p mode use unicast to send messages. But SRX use multycast by default - I've tested it with a dump.
     
    So how multicast forward throuhg the IPSEC ?
     

     


    #ospf


  • 2.  RE: Why does it work ?

    Posted 04-12-2017 06:12

    Hello,

     

    If Tunnel interfaces are enabled with OSPF, then the OSPF works over ESP. You do not need GRE for this separately. Regarding the OSPF communication, I have seen instances when the OSPF communicates on point to multipoint basis. In our case, what was seen the dumps whn you checked ?

     

    Regards

    Srivatsa

    ATAC



  • 3.  RE: Why does it work ?

    Posted 04-12-2017 06:57

    Thanks for reply but

     

    Each design guide that I've learnt told me that IPSEC forward only unicast.

    Some design from cisco for example

     

    Spoiler
    IPsec Deployment with Point-to-Point GRE
    Generic Routing Encapsulation (GRE) is often deploy
    ed with IPsec for several reasons, including the following:
    IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets

     

    From https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f26a.pdf

     

    It's was first link that I found in google.

     



  • 4.  RE: Why does it work ?

    Posted 04-12-2017 07:03

    Once more

    http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14381-gre-ipsec-ospf.html

     

    Introduction

    Normal IP Security (IPsec) configurations cannot transfer routing protocols, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or non-IP traffic, such as Internetwork Packet Exchange (IPX) and AppleTalk. This document illustrates how to route between different networks that use a routing protocol and non-IP traffic with IPsec. This example uses generic routing encapsulation (GRE) in order to accomplish routing between the different networks.



  • 5.  RE: Why does it work ?

    Posted 04-12-2017 08:08

    Hello there,

     


    trushchelev@vmcity.ru wrote:

     

    Each design guide that I've learnt told me that IPSEC forward only unicast.

    Some design from cisco for example

     


    Well, Juniper is not Cisco Smiley LOL

    I am not aware of OSPF over IPSec design guides specifically for JUNOS, but OSPF over IPSec on Juniper routers worked fine for me since I started to use JUNOS (some ~15 years ago).

    Other asumption You are mistaken about is that OSPF p2p uses unicast - it does not. See https://ccieblog.co.uk/ospf/ospf-hello-protocol

    OSPF p2mp may use unicast if underlying network is non-broadcast, again, see  https://ccieblog.co.uk/ospf/ospf-hello-protocol about halfway down the page.

    HTH

    Thx

    Alex

     



  • 6.  RE: Why does it work ?
    Best Answer

    Posted 04-17-2017 13:56

    You need to understand the basic difference between Cisco IOS and Junos in terms of IPsec implementation, Cisco IOS (before VTI was available)'s IPsec is always "policy-based VPN" in Junos's term, where encrytion domains/proxy-IDs are explicitly defined, that is why people from Cisco world always believe that IPsec can only transport unicast traffic, Junos route-based VPN from day one defaults any to any encryption domains but leave the encrytion decision to routing (same as VTI concept), that was why you are able to run OSPF over Junos route based VPN with a tunnel interface (with IP address) bounded.



  • 7.  RE: Why does it work ?

     
    Posted 04-16-2017 08:20

    Yes, Juniper supports OSPF over route based VPN without the use of GRE.  I have an example in the Day One Enterprise Cookbook for free download here.

     

    Hub and Spoke VPN with OSPF on page 137

     

    https://forums.juniper.net/t5/Day-One-Books/Day-One-Juniper-Ambassadors-Cookbook-for-Enterprise/ba-p/198733

     

    This is a video version from Juniper Learning Bytes series if you prefer that format.

     

    https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=9473



  • 8.  RE: Why does it work ?

    Posted 04-17-2017 04:47

    I've made some labs on cisco and found some articles about IPSEC.

    So  what can I find out ?

     

    You are right about route based VPN.

    All route based VPN supply OSPF without GRE. Cisco use for that VTI. But VTI use some addresses on that interface

    interface Tunnel0
     ip address 192.168.10.1 255.255.255.0
     tunnel source 100.0.0.1
     tunnel mode ipsec ipv4
     tunnel destination 200.0.0.1
     tunnel protection ipsec profile VTI

     

    In other way we use  crypto map based VPN that do not supply OSPF. IF we use point-to-multypoint non-broadcast on interface - we have to use peer from the same subnet and ttl=1 for hello packet anyway. So the only way to use IPSEC without GRE - is route based VPN.

     

    I've made on SRX-SRX route based VPN ( based st0 tunnels )

    But I have no IP address on st0.0 Does anybody know can we config the same way to use IPSEC in Cisco ? I mean I see that it's not a cisco forum, but has anybody made Juniper-Cisco IPSEC route based vpn + OSPF without GRE ?



  • 9.  RE: Why does it work ?

     
    Posted 04-17-2017 13:45

    Just to be clear:  The recommended and best way to have OSPF over VPN on the SRX is to have ip addresses as a reouted link between the tunnel interfaces and setup a normal OSPF adjacency.

     

    Simple and straightforward, treat the VPN link as if it were a physical link between two routers.

     

    Other vendors also support this type of link, I have setup OSPF over VPN to Palo Alto firewalls from the SRX as well.

     

    For Cisco you are correct, to have the OSPF connection over VPN Cisco requires the GRE over IPSEC.  So this configuration is ONLY needed if you are making the connection to a Cisco peer.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB19372