SRX

I am testing IPsec VPN's on the SRX currently and need to have multiple tunnels running between two test systems.  I'm starting with just two tunnels first.  I can get them working when I configure two ike gateways, but the gateway information is exactly the same for each.  I'd like to avoid having to configure multiple gateway entries if possible.  Shouldn't I be able to use the same gateway on multiple ipsec vpn's?  When I try to use the same ike gateway for both ipsec vpn's only one will work.  Any ideas?

In case of route based VPNs,

You can have multiple ipsec VPNs pointing to a single gateway (hub-spoke scenario)

However, in that case you have two options

1. Bind separate tunnel interface in each ipsec vpn, i.e. st0.0, st0.1, st0.2, st0.3 .....

2. Bind single interface st0.0 in all VPNs and make it multipoint i.e.

     set interface st0.0 unit 0 multipoint

Check (or post) you config ...

Regards

I have the following configuration that I'm trying to get working.  I have one gateway configured on both routers that terminate the IPsec tunnels.  I have two ipsec vpn's setup.  When I only configure one ipsec vpn it works fine.  But when I configure a 2nd the 1st VPN stops passing pings but the 2nd vpn passes pings fine. 

If you notice in the show commands which i attached as a text file (since there is not enough room to post it) there is a very high number of SA's for phase 2 negotiations.  It looks like they attempt negotiation but fail and then it tries again and again perhaps. 

Also, if I configure a 2nd gateway on each router for the 2nd vpn tunnel to use, it intermittently works but mostly does not pass icmp traffic:

SRX210:

[edit]
Devin@SRX210-2# show security ike
proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm aes-256-cbc;
}
policy ike-phase1-policy {
    mode main;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "$9$TQ/t1IclvLhS"; ## SECRET-DATA
}
gateway test1 {
    ike-policy ike-phase1-policy;
    address 10.10.3.93;
    external-interface t1-1/0/0;
}

[edit]
Devin@SRX210-2# show security ipsec 
inactive: vpn-monitor-options {
    interval 15;
    threshold 15;
}
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec-phase2-policy {
    proposals ipsec-phase2-proposal;
}
vpn test1 {
    bind-interface st0.1;
    ike {
        gateway test1;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test2 {
    bind-interface st0.2;
    ike {
        gateway test1;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}

[edit]
Devin@SRX210-2# show routing-options
static {
    route 10.5.40.0/24 next-hop st0.1;
    route 10.5.41.0/24 next-hop st0.2;
}
autonomous-system 65000;

[edit]
Devin@SRX210-2# show interfaces st0
unit 1 {
    family inet;
}
unit 2 {
    family inet;
}

SRX240:

[edit]
Devin@SRX240-1# show security ike
proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm aes-256-cbc;
}
policy ike-phase1-policy {
    mode main;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "$9$TQ/t1IclvLhS"; ## SECRET-DATA
}
gateway test1 {
    ike-policy ike-phase1-policy;
    address 10.10.3.89;
    external-interface lsq-0/0/0;
}

[edit]
Devin@SRX240-1# show security ipsec 
inactive: vpn-monitor-options {
    interval 15;
    threshold 15;
}
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 1800;
}
policy ipsec-phase2-policy {
    proposals ipsec-phase2-proposal;
}
vpn test1 {
    bind-interface st0.1;
    ike {
        gateway test1;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
vpn test2 {
    bind-interface st0.2;
    ike {
        gateway test1;
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}

[edit]
Devin@SRX240-1# show routing-options
static {
    route 10.5.1.0/24 next-hop st0.1;
    route 10.5.2.0/24 next-hop st0.2;
}
autonomous-system 65000;

[edit]
Devin@SRX240-1# show interfaces st0
unit 1 {
    family inet;
}
unit 2 {
    family inet;
}

With this config I was able to get pings to work on the 2nd ipsec vpn tunnel, but the 1st ipsec vpn tunnel would not pass pings.  

Please see attached file for show commands as well.

Attachment(s)

forum posting show commands output.txt   32 KB 1 version

While I don't really see the need to have 2 VPNs going between the 2 endpoints, since you're using unnumbered st0 interfaces, they borrow the IP from the outgoing interfaces.  Since there are 2 VPNs, they could be having issues sharing the external interfaces' IP addresses.

Try setting your st0 interfaces to be numbered, and set your static routes to point to the next-hop IP.

keithr is right, there is no point in making two vpns between two gateways ... i.e.

SRX-1

route 10.5.1.0/24 next-hop st0.1;
route 10.5.2.0/24 next-hop st0.1;

SRX-2

route 10.5.1.0/24 next-hop st0.1;
route 10.5.2.0/24 next-hop st0.1;

i though you were asking about hub-spoke, but it is just p2p ...

Regards

Hi,

I am having the same issue as the original poster where if you attempt to have two IPSEC tunnels established on the same gateway you loose traffic on one of the tunnels.  Has anyone ever successfully got this to work on a Junos device?

The reason I am attempting to have two tunnels between the same devices is due to the fact that I have two routing instances to seperate distinct routing domains (think of it as seperate customers that don't want to know of each other but are sharing SRX-3400's) and I would like both routing instances on SRX-1 to pass traffic to the corresponding routing instances on SRX-2.  

Any suggestions?

Dave

If you have separate routing instances on your SRX boxes, then your gateway / external interfaces will have separate IP addresses, so you won't be configuring your IKE gateways to the same IP address.

On SRX-1 (routing instance A), your IKE gateway will point to the external interface IP of SRX-2 (routing instance A).  For SRX-1 (routing instance B), your IKE gateway will point to the external interface IP of SRX-2 (routing instance B).  They shouldn't be the same.

If that isn't what you're asking, perhaps post a diagram and a config for us to look at.

---

@keithr wrote:

If you have separate routing instances on your SRX boxes, then your gateway / external interfaces will have separate IP addresses, so you won't be configuring your IKE gateways to the same IP address.

 

On SRX-1 (routing instance A), your IKE gateway will point to the external interface IP of SRX-2 (routing instance A).  For SRX-1 (routing instance B), your IKE gateway will point to the external interface IP of SRX-2 (routing instance B).  They shouldn't be the same.

 

If that isn't what you're asking, perhaps post a diagram and a config for us to look at.

---

Hi all,

After much searching of the message boards and some deep diving into the Junos documentation I was able to solve this issue and get the setup that I needed to work.  Details below:

The situation I was attempting to solve wouldn't have different IP addresses as it was using the same ike gateway with two IPSEC vpn's bound to two different st0 units (which would be in two different routing instances).  Best example is:

SRX-1                                                                                                                    SRX-2
 Routing Instance 1                                                                                                                            

 st0.2 10.1.1.1/30 --- |                                                                                           Routing Instance 1 
                                      |                    Default Routing instance                         |------10.1.1.2/30
                                      | ------30.30.1.254--->INTERNET<---20.3.1.254-----|
 st0.36 20.2.2.1/24---|                                                                                          |------20.2.2.2/24

  Routining Instance 2                                                                                         Routining Instance 2

The failed configuration is as follows

interfaces {

    st0 {        

unit 2 {           

family inet {               

mtu 1400;               

address 10.1.1.1/30;           

}       

unit 36 {

family inet {

mtu 1400;

address 10.2.2.1/30

}

}

security {

ike {

gateway ATgtwy {   

ike-policy ipsec-psk-policy;   

address 20.3.1.254;   

dead-peer-detection {       

interval 10;       

threshold 3;    }   

external-interface ge-0/0/8.0;

}

        ipsec {

vpn ATvpn {   

bind-interface st0.2;   

ike {       

gateway ATgtwy;

ipsec-policy nopfs-esp-aes256-sha-policy;   

}   

establish-tunnels immediately;

}

vpn AT_ESLvpn {   

bind-interface st0.36;   

ike {       

gateway ATgtwy;       

idle-time 60;       

ipsec-policy nopfs-esp-aes256-sha-policy;   

}   

establish-tunnels immediately;

}

}

With the above configuration I would have the same situation as the original poster where at any given time only one of the st0 interfaces could successfully send traffic to the other.  The root cause of this issue is due to the SPI value being assigned to the to the two VPN's bound to the single gateway.  Junos uses a combination of the source IP, destination IP, and service port to create the SPI value for a tunnel.  So in the case above, both tunnels would have a SPI value of: (0,0.0.0.0/0, 0.0.0.0/0) creating a non-deterministic way for the traffic to be routed to the correct st0 interface.  The solution to the issue was to create a unique SPI for each VPN bound to the gateway, as seen in the config below:

security {

ike {

gateway ATgtwy {   

ike-policy ipsec-psk-policy;   

address 175.28.239.41;   

dead-peer-detection {       

interval 10;       

threshold 3;    }   

external-interface ge-0/0/8.0;

}

        ipsec {

vpn ATvpn {   

bind-interface st0.2;   

ike {       

gateway ATgtwy;       

proxy-identity {           

local 10.1.1.1/32;           

remote 10.1.1.2/32;       

}       

ipsec-policy nopfs-esp-aes256-sha-policy;   

}   

establish-tunnels immediately;

}

vpn AT_ESLvpn {   

bind-interface st0.36;   

ike {       

gateway ATgtwy;       

idle-time 60;       

proxy-identity {           

local 20.1.1.1/32;           

remote 20.1.1.2/32;       

}       

ipsec-policy nopfs-esp-aes256-sha-policy;   

}   

establish-tunnels immediately;

}

With the configuration above, the SPI value for the two VPNs are different, allowing the Junos device to parse out which tunnel a packet is destined for fixing the issue.

dave

References:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16008&actp=search&searchid=1273847680110&smlogin=true

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/ipsec-vpn-overview.html

The proxy-identity worked great for me, it solved exactly the problem this thread was discussing.

I need seperate ST0.x interfaces due to connecting to multiple customers and wanted multiple point to point VPNs coming in on the same physical interface, using the proxy-id allowed multiple connections to be active and to pass traffic at the same time.

Thanks for your help.

I am having a similar problem and was hoping to piggy-back on the useful knowledge in this thread.

I am also trying to establish multiple IPSec tunnels to a bunch of Amazon VPCs (same remote addresses) through the same SRX interface. The difference is I wish to use different outside IPs for each tunnel end-point, but on the same physical interface. I set multiple IPs in the same subnet of the interface. However, I can't set an address to use for the gateway (only an interface).

set security ike gateway xxxx external-interface ge-0/0/7.0

When I show the tunnel, I see that it is trying to use the primary inet address of that interface and thus will not initiate. Anyone have an idea for this one?

root@sniktc-jr05-SRX550-KXDC-E09> ...ipsec inactive-tunnels index 131075
  ID: 131075 Virtual-system: root, VPN Name: vpn-xxx
  Local Gateway: xxx.xxx.xxx.xxx, Remote Gateway: 54.240.217.166
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.3

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel Down Reason: SA not initiated

HI,

I am not sure what you are trying to do is possible.  I believe that the firewall will always use the primary address of the egress interface to establish the tunnel.  The best you can do is have a single phase 1 gateway bound to the endpoint and then have multiple phase 2 tunnels.

Dave

I have configure miltipoint on st0.0 its working but when i configure ne route  based VPN its not comming up. here is the config

set interfaces st0 unit 0 description "ABC S2S VPN"
set interfaces st0 unit 0 multipoint    
set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.8.2 ipsec-vpn ABC-1
set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.8.3 ipsec-vpn ABC-2

set interfaces st0 unit 0 family inet address 172.16.8.1/24
set interfaces st0 unit 1 description "XYZ S2S VPN"
set interfaces st0 unit 1 family inet   

set routing-options static route 1.1.1.1/24 next-hop 172.16.8.3
set routing-options static route 2.2.2.2/24 next-hop 172.16.8.2
set routing-options static route 3.3.3.3/32 next-hop st0.1

ABC has 2 encryption domain and customer site and we have 1 encryption domain on our side. ABC vpn is up

But when I have configured another VPN XYZ - st0.1 is down and I can't see route entry for 3.3.3.3 on show route .

Please advise what I'm missing.

many thanks