SRX

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



Expand all | Collapse all

Cannot get multiple IPsec tunnels working on SRX.

  • 1.  Cannot get multiple IPsec tunnels working on SRX.

    Posted 03-10-2011 14:29

    I am testing IPsec VPN's on the SRX currently and need to have multiple tunnels running between two test systems.  I'm starting with just two tunnels first.  I can get them working when I configure two ike gateways, but the gateway information is exactly the same for each.  I'd like to avoid having to configure multiple gateway entries if possible.  Shouldn't I be able to use the same gateway on multiple ipsec vpn's?  When I try to use the same ike gateway for both ipsec vpn's only one will work.  Any ideas?


    #vpn


  • 2.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 03-10-2011 18:22

    In case of route based VPNs,

     

    You can have multiple ipsec VPNs pointing to a single gateway (hub-spoke scenario)

     

    However, in that case you have two options

     

    1. Bind separate tunnel interface in each ipsec vpn, i.e. st0.0, st0.1, st0.2, st0.3 .....

     

    2. Bind single interface st0.0 in all VPNs and make it multipoint i.e.

     

         set interface st0.0 unit 0 multipoint

     

    Check (or post) you config ...

     

    Regards

     



  • 3.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 03-11-2011 09:02
      |   view attached

    I have the following configuration that I'm trying to get working.  I have one gateway configured on both routers that terminate the IPsec tunnels.  I have two ipsec vpn's setup.  When I only configure one ipsec vpn it works fine.  But when I configure a 2nd the 1st VPN stops passing pings but the 2nd vpn passes pings fine. 

     

    If you notice in the show commands which i attached as a text file (since there is not enough room to post it) there is a very high number of SA's for phase 2 negotiations.  It looks like they attempt negotiation but fail and then it tries again and again perhaps. 

     

    Also, if I configure a 2nd gateway on each router for the 2nd vpn tunnel to use, it intermittently works but mostly does not pass icmp traffic:

     

    SRX210:

     

    [edit]
    Devin@SRX210-2# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm aes-256-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$TQ/t1IclvLhS"; ## SECRET-DATA
    }
    gateway test1 {
        ike-policy ike-phase1-policy;
        address 10.10.3.93;
        external-interface t1-1/0/0;
    }

    [edit]
    Devin@SRX210-2# show security ipsec 
    inactive: vpn-monitor-options {
        interval 15;
        threshold 15;
    }
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
    }
    policy ipsec-phase2-policy {
        proposals ipsec-phase2-proposal;
    }
    vpn test1 {
        bind-interface st0.1;
        ike {
            gateway test1;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test2 {
        bind-interface st0.2;
        ike {
            gateway test1;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }

    [edit]
    Devin@SRX210-2# show routing-options
    static {
        route 10.5.40.0/24 next-hop st0.1;
        route 10.5.41.0/24 next-hop st0.2;
    }
    autonomous-system 65000;

    [edit]
    Devin@SRX210-2# show interfaces st0
    unit 1 {
        family inet;
    }
    unit 2 {
        family inet;
    }

     

    SRX240:

     

    [edit]
    Devin@SRX240-1# show security ike
    proposal ike-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm aes-256-cbc;
    }
    policy ike-phase1-policy {
        mode main;
        proposals ike-phase1-proposal;
        pre-shared-key ascii-text "$9$TQ/t1IclvLhS"; ## SECRET-DATA
    }
    gateway test1 {
        ike-policy ike-phase1-policy;
        address 10.10.3.89;
        external-interface lsq-0/0/0;
    }

    [edit]
    Devin@SRX240-1# show security ipsec 
    inactive: vpn-monitor-options {
        interval 15;
        threshold 15;
    }
    proposal ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 1800;
    }
    policy ipsec-phase2-policy {
        proposals ipsec-phase2-proposal;
    }
    vpn test1 {
        bind-interface st0.1;
        ike {
            gateway test1;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }
    vpn test2 {
        bind-interface st0.2;
        ike {
            gateway test1;
            ipsec-policy ipsec-phase2-policy;
        }
        establish-tunnels immediately;
    }

    [edit]
    Devin@SRX240-1# show routing-options
    static {
        route 10.5.1.0/24 next-hop st0.1;
        route 10.5.2.0/24 next-hop st0.2;
    }
    autonomous-system 65000;

    [edit]
    Devin@SRX240-1# show interfaces st0
    unit 1 {
        family inet;
    }
    unit 2 {
        family inet;
    }

     

    With this config I was able to get pings to work on the 2nd ipsec vpn tunnel, but the 1st ipsec vpn tunnel would not pass pings.  

     

    Please see attached file for show commands as well.

    Attachment(s)



  • 4.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 03-11-2011 09:10

    While I don't really see the need to have 2 VPNs going between the 2 endpoints, since you're using unnumbered st0 interfaces, they borrow the IP from the outgoing interfaces.  Since there are 2 VPNs, they could be having issues sharing the external interfaces' IP addresses.

     

    Try setting your st0 interfaces to be numbered, and set your static routes to point to the next-hop IP.



  • 5.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 03-11-2011 11:01

    keithr is right, there is no point in making two vpns between two gateways ... i.e.

     

    SRX-1

    route 10.5.1.0/24 next-hop st0.1;
    route 10.5.2.0/24 next-hop st0.1;

     

    SRX-2

    route 10.5.1.0/24 next-hop st0.1;
    route 10.5.2.0/24 next-hop st0.1;

     

    i though you were asking about hub-spoke, but it is just p2p ...

     

    Regards



  • 6.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 09-15-2011 13:22

    Hi,

    I am having the same issue as the original poster where if you attempt to have two IPSEC tunnels established on the same gateway you loose traffic on one of the tunnels.  Has anyone ever successfully got this to work on a Junos device?

     

    The reason I am attempting to have two tunnels between the same devices is due to the fact that I have two routing instances to seperate distinct routing domains (think of it as seperate customers that don't want to know of each other but are sharing SRX-3400's) and I would like both routing instances on SRX-1 to pass traffic to the corresponding routing instances on SRX-2.  

     

    Any suggestions?

     

    Dave



  • 7.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 09-15-2011 14:21

    If you have separate routing instances on your SRX boxes, then your gateway / external interfaces will have separate IP addresses, so you won't be configuring your IKE gateways to the same IP address.

     

    On SRX-1 (routing instance A), your IKE gateway will point to the external interface IP of SRX-2 (routing instance A).  For SRX-1 (routing instance B), your IKE gateway will point to the external interface IP of SRX-2 (routing instance B).  They shouldn't be the same.

     

    If that isn't what you're asking, perhaps post a diagram and a config for us to look at.



  • 8.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 09-16-2011 13:03


    @keithr wrote:

    If you have separate routing instances on your SRX boxes, then your gateway / external interfaces will have separate IP addresses, so you won't be configuring your IKE gateways to the same IP address.

     

    On SRX-1 (routing instance A), your IKE gateway will point to the external interface IP of SRX-2 (routing instance A).  For SRX-1 (routing instance B), your IKE gateway will point to the external interface IP of SRX-2 (routing instance B).  They shouldn't be the same.

     

    If that isn't what you're asking, perhaps post a diagram and a config for us to look at.




    Hi all,

    After much searching of the message boards and some deep diving into the Junos documentation I was able to solve this issue and get the setup that I needed to work.  Details below:

     

     

    The situation I was attempting to solve wouldn't have different IP addresses as it was using the same ike gateway with two IPSEC vpn's bound to two different st0 units (which would be in two different routing instances).  Best example is:

     

     

    SRX-1                                                                                                                    SRX-2
     Routing Instance 1                                                                                                                            

     st0.2 10.1.1.1/30 --- |                                                                                           Routing Instance 1 
                                          |                    Default Routing instance                         |------10.1.1.2/30
                                          | ------30.30.1.254--->INTERNET<---20.3.1.254-----|
     st0.36 20.2.2.1/24---|                                                                                          |------20.2.2.2/24

      Routining Instance 2                                                                                         Routining Instance 2

     

    The failed configuration is as follows

     

    interfaces {

        st0 {        

    unit 2 {           

    family inet {               

    mtu 1400;               

    address 10.1.1.1/30;           

    }       

    unit 36 {

    family inet {

    mtu 1400;

    address 10.2.2.1/30

    }

    }

     

    security {

    ike {

    gateway ATgtwy {   

    ike-policy ipsec-psk-policy;   

    address 20.3.1.254;   

    dead-peer-detection {       

    interval 10;       

    threshold 3;    }   

    external-interface ge-0/0/8.0;

    }

            ipsec {

    vpn ATvpn {   

    bind-interface st0.2;   

    ike {       

    gateway ATgtwy;

    ipsec-policy nopfs-esp-aes256-sha-policy;   

    }   

    establish-tunnels immediately;

    }

    vpn AT_ESLvpn {   

    bind-interface st0.36;   

    ike {       

    gateway ATgtwy;       

    idle-time 60;       

    ipsec-policy nopfs-esp-aes256-sha-policy;   

    }   

    establish-tunnels immediately;

    }

    }

     

     

     

     

     

     

     

    With the above configuration I would have the same situation as the original poster where at any given time only one of the st0 interfaces could successfully send traffic to the other.  The root cause of this issue is due to the SPI value being assigned to the to the two VPN's bound to the single gateway.  Junos uses a combination of the source IP, destination IP, and service port to create the SPI value for a tunnel.  So in the case above, both tunnels would have a SPI value of: (0,0.0.0.0/0, 0.0.0.0/0) creating a non-deterministic way for the traffic to be routed to the correct st0 interface.  The solution to the issue was to create a unique SPI for each VPN bound to the gateway, as seen in the config below:

     

     

     

     

     


    security {

    ike {

    gateway ATgtwy {   

    ike-policy ipsec-psk-policy;   

    address 175.28.239.41;   

    dead-peer-detection {       

    interval 10;       

    threshold 3;    }   

    external-interface ge-0/0/8.0;

    }

            ipsec {

    vpn ATvpn {   

    bind-interface st0.2;   

    ike {       

    gateway ATgtwy;       

    proxy-identity {           

    local 10.1.1.1/32;           

    remote 10.1.1.2/32;       

    }       

    ipsec-policy nopfs-esp-aes256-sha-policy;   

    }   

    establish-tunnels immediately;

    }

    vpn AT_ESLvpn {   

    bind-interface st0.36;   

    ike {       

    gateway ATgtwy;       

    idle-time 60;       

    proxy-identity {           

    local 20.1.1.1/32;           

    remote 20.1.1.2/32;       

    }       

    ipsec-policy nopfs-esp-aes256-sha-policy;   

    }   

    establish-tunnels immediately;

    }

     

     

    With the configuration above, the SPI value for the two VPNs are different, allowing the Junos device to parse out which tunnel a packet is destined for fixing the issue.

     

    dave

     

    References:
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16008&actp=search&searchid=1273847680110&smlogin=true

     

    http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/ipsec-vpn-overview.html

     



  • 9.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 12-19-2012 02:51

    The proxy-identity worked great for me, it solved exactly the problem this thread was discussing.

     

    I need seperate ST0.x interfaces due to connecting to multiple customers and wanted multiple point to point VPNs coming in on the same physical interface, using the proxy-id allowed multiple connections to be active and to pass traffic at the same time.

     

    Thanks for your help.



  • 10.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 07-21-2014 13:40

    I am having a similar problem and was hoping to piggy-back on the useful knowledge in this thread.

     

    I am also trying to establish multiple IPSec tunnels to a bunch of Amazon VPCs (same remote addresses) through the same SRX interface. The difference is I wish to use different outside IPs for each tunnel end-point, but on the same physical interface. I set multiple IPs in the same subnet of the interface. However, I can't set an address to use for the gateway (only an interface).

     

    set security ike gateway xxxx external-interface ge-0/0/7.0

     

    When I show the tunnel, I see that it is trying to use the primary inet address of that interface and thus will not initiate. Anyone have an idea for this one?

     

    root@sniktc-jr05-SRX550-KXDC-E09> ...ipsec inactive-tunnels index 131075
    ID: 131075 Virtual-system: root, VPN Name: vpn-xxx
    Local Gateway: xxx.xxx.xxx.xxx, Remote Gateway: 54.240.217.166
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.3

    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 600a29
    Tunnel Down Reason: SA not initiated


  • 11.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 07-22-2014 06:08

    HI,

    I am not sure what you are trying to do is possible.  I believe that the firewall will always use the primary address of the egress interface to establish the tunnel.  The best you can do is have a single phase 1 gateway bound to the endpoint and then have multiple phase 2 tunnels.

     

    Dave



  • 12.  RE: Cannot get multiple IPsec tunnels working on SRX.

    Posted 07-14-2015 07:48

     

    I have configure miltipoint on st0.0 its working but when i configure ne route  based VPN its not comming up. here is the config

     

    set interfaces st0 unit 0 description "ABC S2S VPN"
    set interfaces st0 unit 0 multipoint    
    set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.8.2 ipsec-vpn ABC-1
    set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.8.3 ipsec-vpn ABC-2

    set interfaces st0 unit 0 family inet address 172.16.8.1/24
    set interfaces st0 unit 1 description "XYZ S2S VPN"
    set interfaces st0 unit 1 family inet   

    set routing-options static route 1.1.1.1/24 next-hop 172.16.8.3
    set routing-options static route 2.2.2.2/24 next-hop 172.16.8.2
    set routing-options static route 3.3.3.3/32 next-hop st0.1

    ABC has 2 encryption domain and customer site and we have 1 encryption domain on our side. ABC vpn is up

    But when I have configured another VPN XYZ - st0.1 is down and I can't see route entry for 3.3.3.3 on show route .

    Please advise what I'm missing.

    many thanks