
Site-to-Site VPN with one site behind NAT device

  • 1.  Site-to-Site VPN with one site behind NAT device

    Posted 06-18-2019 06:36

    Hi

     

    I have an SRX in the branch. The SRX is behind a NAT device, so the public IP is on the NAT device and the SRX external interface has a private IP address.

    We need to setup site to site VPN with a Cisco ASA in HQ.

    I configured the Juniper SRX with the commands below, but neither phase 1 nor phase 2 comes up.

     

    set security ike proposal HQ-VPN authentication-method pre-shared-keys
    set security ike proposal HQ-VPN dh-group group2
    set security ike proposal HQ-VPN authentication-algorithm sha1
    set security ike proposal HQ-VPN encryption-algorithm aes-128-cbc
    set security ike proposal HQ-VPN lifetime-seconds 86400
    set security ike policy HQ-VPN mode main
    set security ike policy HQ-VPN proposals HQ-VPN
    set security ike policy HQ-VPN pre-shared-key ascii-text "$9$dDVgaJZD.PQHqT369OBvWLN-bwYgGDkqm0BREyr24o"
    set security ike gateway HQ-VPN ike-policy HQ-VPN
    set security ike gateway HQ-VPN address "Peer public IP"
    set security ike gateway HQ-VPN local-identity inet "NAT device Public IP"
    set security ike gateway HQ-VPN external-interface ge-0/0/0.0

    set security ipsec proposal HQ-VPN protocol esp
    set security ipsec proposal HQ-VPN authentication-algorithm hmac-sha1-96
    set security ipsec proposal HQ-VPN encryption-algorithm aes-128-cbc
    set security ipsec proposal HQ-VPN lifetime-seconds 28800
    set security ipsec policy HQ-VPN proposals HQ-VPN
    set security ipsec vpn HQ-VPN ike gateway HQ-VPN
    set security ipsec vpn HQ-VPN ike proxy-identity local x.x.x.x
    set security ipsec vpn HQ-VPN ike proxy-identity remote y.y.y.y
    set security ipsec vpn HQ-VPN ike ipsec-policy HQ-VPN
    set security ipsec vpn HQ-VPN establish-tunnels immediately

    set security policies from-zone trust to-zone untrust policy Branch-To-HQ match source-address x.x.x.x
    set security policies from-zone trust to-zone untrust policy Branch-To-HQ match destination-address y.y.y.y
    set security policies from-zone trust to-zone untrust policy Branch-To-HQ match application any
    set security policies from-zone trust to-zone untrust policy Branch-To-HQ then permit tunnel ipsec-vpn HQ-VPN

    set security policies from-zone untrust to-zone trust policy HQ-To-Branch match source-address y.y.y.y
    set security policies from-zone untrust to-zone trust policy HQ-To-Branch match destination-address x.x.x.x
    set security policies from-zone untrust to-zone trust policy HQ-To-Branch match application any
    set security policies from-zone untrust to-zone trust policy HQ-To-Branch then permit tunnel ipsec-vpn HQ-VPN

    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/0.0



  • 2.  RE: Site-to-Site VPN with one site behind NAT device

    Posted 06-18-2019 07:54

    Hi Mahmoud,

     

    This KB describes how to configure site-to-site VPNs between SRX and Cisco ASA in different scenarios: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28861&actp=METADATA

     

    If this solves your problem, please mark this post as "Accepted Solution."

     

    Regards,

    HS



  • 3.  RE: Site-to-Site VPN with one site behind NAT device

    Posted 06-18-2019 08:58

    In addition to the KB article, review this thread too for reference with respect to the NAT device: https://forums.juniper.net/t5/SRX-Services-Gateway/Vpn-created-behind-NAT-device/m-p/290866#M40688

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!

     

    Regards,

    HS



  • 4.  RE: Site-to-Site VPN with one site behind NAT device

     
    Posted 06-18-2019 16:14

    Could you confirm that this phase 2 lifetime is correct per the ASA configuration? My recollection is that the default on the ASA is 3600.

     

    ipsec proposal HQ-VPN lifetime-seconds 28800

     

    Since there is NAT involved make sure NAT-T is enabled on the Cisco side.

     

    Since phase 1 is not coming up we need to see the logs for this.

    show log kmd-logs

     

    Post the ike log message you get for the failed phase 1.

     

    Typical problems are:

     

    Mismatch on preshared key

    Mismatch on the IKE policy specifics

    Local ID on the SRX does not match the remote ID on the Cisco

    Remote ID on the SRX does not match the local ID on the Cisco
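
    Added example, not part of the thread: a small Python triage for the kmd log lines the reply above asks for. The sample lines are constructed in the layout of the Junos "IKE negotiation failed with error" message (addresses are RFC 5737/1918 documentation values, not the poster's); the error strings are the ISAKMP notify types from RFC 2408 section 3.14.1, and the cause mapping is this example's own heuristic for the four typical problems listed, not a Juniper table. The "Local:" field of an SRX behind NAT carries the private interface address, so it is expected to differ from the Local IKE-ID, and both ports showing 4500 tells you NAT-T has floated the exchange.

```python
import re

# ISAKMP notify names (RFC 2408 s.3.14.1) as they appear in kmd "failed with error" lines,
# mapped to the usual root cause. This mapping is the example's own triage heuristic.
LIKELY_CAUSE = {
    "no proposal chosen": "IKE proposal mismatch: compare DH group, authentication and "
                          "encryption algorithms, lifetime and authentication method",
    "payload malformed": "pre-shared key mismatch (main mode: the peer's ID payload fails to decrypt)",
    "invalid id information": "IKE-ID mismatch: SRX local-identity must equal the ASA's remote ID, "
                              "and the ASA's local ID must equal the remote-identity the SRX expects",
    "authentication failed": "pre-shared key or IKE-ID mismatch",
    "invalid cookie": "stale IKE SA on one peer; clear the IKE SA and retry",
}

# Constructed sample lines in the layout of the Junos 'IKE negotiation failed' message.
SAMPLE_KMD_LOG = """\
Jun 24 07:12:01 srx kmd[1234]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: HQ-VPN Gateway: HQ-VPN, Local: 192.168.1.2/500, Remote: 198.51.100.1/500, Local IKE-ID: 203.0.113.10, Remote IKE-ID: 198.51.100.1, VR-ID: 0
Jun 24 07:12:09 srx kmd[1234]: IKE negotiation failed with error: Invalid ID information. IKE Version: 1, VPN: HQ-VPN Gateway: HQ-VPN, Local: 192.168.1.2/4500, Remote: 198.51.100.1/4500, Local IKE-ID: 203.0.113.10, Remote IKE-ID: 198.51.100.1, VR-ID: 0
Jun 24 07:12:15 srx kmd[1234]: IKE negotiation failed with error: Payload malformed. IKE Version: 1, VPN: HQ-VPN Gateway: HQ-VPN, Local: 192.168.1.2/4500, Remote: 198.51.100.1/4500, Local IKE-ID: 203.0.113.10, Remote IKE-ID: 198.51.100.1, VR-ID: 0
Jun 24 07:12:20 srx kmd[1234]: some unrelated message
"""

# Each trailing group is optional so a line with fewer fields still yields the error.
LINE_RE = re.compile(
    r"IKE negotiation failed with error: (?P<err>[^.]+)\."
    r"(?:.*?Local: (?P<local>[\d.]+)/(?P<lport>\d+))?"
    r"(?:.*?Remote: (?P<remote>[\d.]+)/(?P<rport>\d+))?"
    r"(?:.*?Local IKE-ID: (?P<lid>[^,]+),)?"
    r"(?:.*?Remote IKE-ID: (?P<rid>[^,]+),)?"
)


def triage(log_text: str) -> list:
    """Return one finding per phase 1 failure line, with the likely cause and NAT hints."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        err = m.group("err").strip()
        finding = {
            "error": err,
            "cause": LIKELY_CAUSE.get(err.lower(), "unmapped IKE error; read the IKE trace"),
            "local": m.group("local"),
            "local_port": m.group("lport"),
            "remote": m.group("remote"),
            "local_ike_id": m.group("lid"),
            "remote_ike_id": m.group("rid"),
            # Both peers on UDP/4500 means NAT-T detected a NAT and floated the exchange.
            "nat_t_floated": m.group("lport") == "4500" and m.group("rport") == "4500",
            # Expected for an SRX behind NAT: local-identity is the NAT device's public
            # address, while Local: shows the private ge-0/0/0.0 address.
            "local_id_differs_from_interface": m.group("lid") != m.group("local"),
        }
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KMD_LOG):
        print(f["error"], "->", f["cause"])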

     

     



  • 5.  RE: Site-to-Site VPN with one site behind NAT device

    Posted 06-19-2019 04:04

    Hi

     

    The lifetime and NAT-T are already enabled and matched, as this is not a new VPN setup: the VPN was working over the same connection using another vendor's device.

     

    Since the SRX is behind a NAT device and the NAT device has the VPN public IP address, then I used the "Local Identity" command in the IKE settings to reference the public IP address. 

    But here, do I have to configure a "Remote Identity" in the Cisco side, or change any other settings?

    I am not sure, as the same setup works when we connect the old device back in place of the SRX...



  • 6.  RE: Site-to-Site VPN with one site behind NAT device

     
    Posted 06-19-2019 08:04

    Hello mahmoud,

     

    Because the device is behind NAT, you will need NAT-T enabled on both devices and local-identity configured on your SRX; I can see you have both. I believe that by default the ASA should be using the following IKE-IDs:

     

    local-identity: ASA's public IP

    remote-identity: NAT device's public IP

     
    The above will match with the SRX configuration we have in place as of now (note it has to match in the reverse order).
     
    Regarding the proxy-IDs, I can see you have configured:
     
    set security ipsec vpn HQ-VPN ike proxy-identity local x.x.x.x
    set security ipsec vpn HQ-VPN ike proxy-identity remote y.y.y.y
     
    This is not needed (and I believe is not doing anything), as the SRX will populate the proxy-ID values from the matching criteria of the security policies:
     
    set security policies from-zone trust to-zone untrust policy Branch-To-HQ match source-address x.x.x.x
    set security policies from-zone trust to-zone untrust policy Branch-To-HQ match destination-address y.y.y.y
    set security policies from-zone trust to-zone untrust policy Branch-To-HQ match application any
    set security policies from-zone trust to-zone untrust policy Branch-To-HQ then permit tunnel ipsec-vpn HQ-VPN
    
    set security policies from-zone untrust to-zone trust policy HQ-To-Branch match source-address y.y.y.y
    set security policies from-zone untrust to-zone trust policy HQ-To-Branch match destination-address x.x.x.x
    set security policies from-zone untrust to-zone trust policy HQ-To-Branch match application any
    set security policies from-zone untrust to-zone trust policy HQ-To-Branch then permit tunnel ipsec-vpn HQ-VPN
     
    So you can delete the proxy-IDs statements.
     
    If phase 1 is not coming up, we have either a reachability issue or a negotiation problem. Let's find out:
     
    1. Try the following commands to confirm whether we have IKE sessions and whether we see phase 1 temporarily up:
     
          > show security flow sessions protocol udp destination-port 500
          > show security flow sessions protocol udp destination-port 4500
          > show security ike security-associations
     
    2. If we see sessions and packets being sent/received, let's gather IKE traces to investigate further:
     
         # set security ike traceoptions file IKE_TRACE
         # set security ike traceoptions flag all
         # commit
         # run request security ike debug-enable local [External_SRX_IP] remote [ASA_Public_IP] level 15
         # run show security ike debug-status
         # run clear log IKE_TRACE
         # run show log IKE_TRACE
        
    Please upload the IKE_TRACE file output so we can check for any errors and help you.
     
    Please mark my answer as the solution if it applies.
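
    Added example, not part of the thread or of any Juniper or Cisco code: a Python model of the NAT-D check that NAT-T (RFC 3947) performs, which is the reason the replies above insist on NAT-T on both peers. Each side hashes the IKE cookies with the address and port it believes it is using; the receiver recomputes the hash from the packet it actually received, and a mismatch proves a NAT rewrote something, which makes both peers float IKE and ESP to UDP/4500. Note what NAT-T does not do: it does not change the IKE identity, so an SRX behind NAT still sends its private interface address as its ID unless local-identity is set to the NAT device's public address, which is the separate mismatch post 4 and post 6 describe. Addresses are RFC 5737/1918 documentation values and the cookies are assumed constants.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value (RFC 3947 section 3.2): SHA-1(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """NAT-D payloads a peer puts in main mode messages 3 and 4: first a hash over the
    address it is sending to, then one hash per address it believes it sends from."""
    return {
        "dst": nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        "src": [nat_d_hash(cky_i, cky_r, own_ip, own_port)],
    }


def check_nat_d(received, cky_i, cky_r, own_ip, own_port, seen_src_ip, seen_src_port):
    """Receiver side: recompute both hashes from the packet actually received.
    A mismatch means an address or port was rewritten in transit, i.e. a NAT."""
    peer_behind_nat = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in received["src"]
    self_behind_nat = received["dst"] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    return {
        "peer_behind_nat": peer_behind_nat,
        "self_behind_nat": self_behind_nat,
        # Either finding makes both peers move IKE and ESP to UDP/4500 (RFC 3947 section 4).
        "float_to_udp_4500": peer_behind_nat or self_behind_nat,
    }


def run_scenario(srx_interface_ip, address_seen_by_asa, asa_ip="198.51.100.1"):
    """Constructed scenario: the SRX sends from its ge-0/0/0.0 address, a NAT device may
    rewrite the source, and the ASA checks what arrives. Cookies are assumed constants."""
    cky_i = bytes.fromhex("0011223344556677")  # initiator cookie (assumed value)
    cky_r = bytes.fromhex("8899aabbccddeeff")  # responder cookie (assumed value)
    # The SRX only knows its private interface address, so that is what it hashes.
    sent = build_nat_d(cky_i, cky_r, srx_interface_ip, 500, asa_ip, 500)
    # The ASA hashes the source address it actually sees on the wire.
    return check_nat_d(sent, cky_i, cky_r, asa_ip, 500, address_seen_by_asa, 500)


if __name__ == "__main__":
    # SRX behind NAT: private 192.168.1.2 is rewritten to the NAT device's 203.0.113.10.
    print(run_scenario("192.168.1.2", "203.0.113.10"))
    # SRX directly on a public address: nothing rewritten, no float to 4500.
    print(run_scenario("203.0.113.10", "203.0.113.10"))
```

    With the NAT in place the ASA sees the peer as behind NAT while its own hash still matches, so the ASA, not the SRX, is the side that learns about the NAT first; if NAT-T were disabled on the ASA it would simply omit the NAT-D payloads and keep the exchange on UDP/500, where the ESP that follows cannot pass the NAT device. The `show security flow session ... destination-port 4500` check in the reply above is therefore the quickest confirmation that this detection succeeded.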
     
     


  • 7.  RE: Site-to-Site VPN with one site behind NAT device

     
    Posted 06-19-2019 15:23

    When you configure local and remote identity on the SRX, the partner device must have the matching configuration in place for the policies to fully match and phase one to come up.

     



  • 8.  RE: Site-to-Site VPN with one site behind NAT device

     
    Posted 06-23-2019 03:05

    Hi,

     

    I was working on a similar setup.

     

    > Please use aggressive mode on both sides

    > Rest I believe is fine

    https://forums.juniper.net/t5/SRX-Services-Gateway/IPSEC-with-NAT-T/td-p/103102

     

    I hope this helps. Regards,

     

    Vikas



  • 9.  RE: Site-to-Site VPN with one site behind NAT device

     
    Posted 06-23-2019 03:12

    Aggressive mode is only necessary when one side has a dynamic IP address. If the NAT is from a static address down to the internal one, aggressive mode is not necessary; only the engagement of NAT-T is.

     



  • 10.  RE: Site-to-Site VPN with one site behind NAT device

     
    Posted 06-23-2019 21:44

    Hello,

     

    Apologies. Yes, main mode would also work. Here is a config from the lab and is validated to be working fine.


    Setup: SRX1 (1.1.1.1) ---- SRX2 --- (2.2.2.2) SRX3 (NAT) --- SRX4 (with priv IP)


    SRX4 config - policy based (in your case the SRX):
    ===================================================

    set security ike policy SRX1Ike mode main
    set security ike policy SRX1Ike proposal-set compatible
    set security ike policy SRX1Ike pre-shared-key ascii-text "pre-shared-key"
    set security ike gateway SRX1_gateway ike-policy SRX1Ike
    set security ike gateway SRX1_gateway address 1.1.1.1
    set security ike gateway SRX1_gateway local-identity inet 2.2.2.2
    set security ike gateway SRX1_gateway external-interface ge-0/0/0.0
    set security ipsec policy SRX1Ipsec proposal-set compatible
    set security ipsec vpn SRX1_vpn ike gateway SRX1_gateway
    set security ipsec vpn SRX1_vpn ike proxy-identity local 192.168.10.0/24
    set security ipsec vpn SRX1_vpn ike proxy-identity remote 192.168.20.0/24
    set security ipsec vpn SRX1_vpn ike ipsec-policy SRX1Ipsec
    set security ipsec vpn SRX1_vpn establish-tunnels immediately
    set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust match source-address 192.168.10.0/24
    set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust match destination-address 192.168.20.0/24
    set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy permit-trust-to-untrust then permit tunnel ipsec-vpn SRX1_vpn


    SRX1 config - route based (in your case the ASA):
    ====================================================

    set security ike policy SRX4Ike mode main
    set security ike policy SRX4Ike proposal-set compatible
    set security ike policy SRX4Ike pre-shared-key ascii-text "pre-shared-key"
    set security ike gateway SRX4_gateway ike-policy SRX4Ike
    set security ike gateway SRX4_gateway address 2.2.2.2
    set security ike gateway SRX4_gateway external-interface lo0.27

    set security ipsec policy SRX4Ipsec proposal-set compatible
    set security ipsec vpn SRX4_vpn bind-interface st0.103
    set security ipsec vpn SRX4_vpn ike gateway SRX4_gateway
    set security ipsec vpn SRX4_vpn ike ipsec-policy SRX4Ipsec
    set security ipsec vpn SRX4_vpn establish-tunnels immediately

    set security zones security-zone SRX4_Internet screen standard-screens
    set security zones security-zone SRX4_Internet host-inbound-traffic system-services ping
    set security zones security-zone SRX4_Internet host-inbound-traffic system-services traceroute
    set security zones security-zone SRX4_Internet host-inbound-traffic system-services ike
    set security zones security-zone SRX4_Internet interfaces reth0.0
    set security zones security-zone SRX4_Internet interfaces lo0.27 host-inbound-traffic system-services ping
    set security zones security-zone SRX4_Internet interfaces lo0.27 host-inbound-traffic system-services traceroute
    set security zones security-zone SRX4_Internet interfaces lo0.27 host-inbound-traffic system-services ike
    set security zones security-zone SRX4_vpn interfaces st0.103

    set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match source-address any
    set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match destination-address any
    set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match application junos-ike
    set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match application junos-ike-nat
    set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all match application esp
    set security policies from-zone SRX4_Internet to-zone SRX4_Internet policy permit-all then permit

     

    I hope this helps. Regards,

     

    Vikas

    CFTS-Security



  • 11.  RE: Site-to-Site VPN with one site behind NAT device

    Posted 06-24-2019 07:27

    Hi

     

    Attached is the trace file for the VPN (KMD).

     



  • 12.  RE: Site-to-Site VPN with one site behind NAT device

     
    Posted 06-24-2019 08:06

    Hi Mahmoud,

     

    No attachments are actually seen on your post here unfortunately, can you check?

     

    Cheers

    Pooja