SRX


Can someone post their branch to branch ikev2 routed VPN config?

  • 1.  Can someone post their branch to branch ikev2 routed VPN config?

    Posted 01-16-2021 22:06
    I've been working with Junos for about 8 months and we've got to set up an IKEv2 routed VPN to a 3rd party firewall.

    Can someone post their configuration for such a thing and I'll make mine off of that?


  • 2.  RE: Can someone post their branch to branch ikev2 routed VPN config?

     
    Posted 01-17-2021 18:13
    Naturally with cross vendor connections you need to be extra careful in matching all the phase 1 and phase 2 settings.  But these are the SRX side configs for route based vpn with ikev2.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-vpns-for-ikev2.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Can someone post their branch to branch ikev2 routed VPN config?

    Posted 01-18-2021 10:13

    Hey thanks!

    I found that after I posted this, but I'm not getting the tunnel up.

    How does my config look?

    Sadly, the other end gives me very little T/S ability and I'm new to T/S Junos so not really sure where to look.

    I've double checked PSK, etc.

    Is that guide missing security configurations?


    I noticed the VPN zone doesn't have anything under the host-inbound-traffic.

    edit: adding peer configuration for comparison; Phase 1 is up and connected
    edit2:

    Got a traceoption set up and showing this.

    [Jan 18 17:49:19]Peer's proposed IKE SA payload is SA([0] protocol = IKE (1), AES CBC key len = 128, AES CBC key len = 192, AES CBC key len = 256, DES, AES128 CBC PRF, HMAC-SHA512 PRF, HMAC-SHA384 PRF, HMAC-SHA256 PRF, HMAC-SHA1 PRF, HMAC-M

    [Jan 18 17:49:19]Configured proposal is SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )

    Thoughts anyone?

    security {
        ike {
            proposal Test-IkeP1-Proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha-1;
                encryption-algorithm aes-256-cbc;
            }
            policy Test-P1-Policy {
                proposals Test-IkeP1-Proposal;
                pre-shared-key ascii-text "$9$KeVMxNVwYoZUbw5Q36AtxN-dgok.P"; ## SECRET-DATA
            }
            gateway Test {
                ike-policy Test-P1-Policy;   
                address x.x.x.5;
                external-interface ge-0/0/0;
                version v2-only;
            }
        }
        ipsec {
            proposal Test-IPsecP2-Proposal {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
            }
            policy Test-IPsecP2-Policy {
                proposals Test-IPsecP2-Proposal;
            }
            vpn Test {
                bind-interface st0.0;
                ike {
                    gateway Test;
                    ipsec-policy Test-IPsecP2-Policy;
                }
            }
        }
        flow {                              
            tcp-mss {
                ipsec-vpn {
                    mss 1320;
                }
            }
        }
        policies {
            from-zone local to-zone VPN-Remote {
                policy VPN {
                    match {
                        source-address Local;
                        destination-address Remote;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VPN-Remote to-zone local {
                policy VPN {
                    match {
                        source-address Remote;
                        destination-address Local;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone local {
                address-book {
                    address Local 192.168.10.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone VPN-Remote {
                address-book {
                    address Remote 192.168.168.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;                
                    }
                }
                interfaces {
                    st0.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address x.x.x.x.222/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
        }                                   
        st0 {
            unit 0 {
                family inet {
                    address 169.254.27.142/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.x.217;
            route 192.168.168.0/24 next-hop st0.0;
        }
    }

    === IPSec Security Association ===
    Protocol : ESP
    Authentication Algorithm : SHA_256
    Encryption Algorithm : AES-256-CBC
    Lifetime : 28800 seconds
    Mode : tunnel
    Perfect Forward Secrecy (PFS) : disabled
    
    === IPSec Dead Peer Detection (DPD) Setting ===
    DPD Type: Periodic
    DPD Interval : 10
    DPD Retries : 3
    DPD Timeout: 20 seconds
    
    === Fragmentation Avoidance ===
    TCP MSS Adjustment : 1320  bytes
    Clear Don't Fragment (DF) Bit : enabled
    Fragmentation Style : Before Encryption / Look Ahead Fragmention
    
    === Tunnel Interface ===
    Tunnel interface MTU : 1328 bytes
    Outside IP Addresses
    - Datacenter Gateway : x.x.x.x.222 (No NAT allowed)
    - SD-WAN Gateway : x.x.x.x.5
    Inside IP Addresses
    - Datacenter Gateway : 169.254.27.142
    - SD-WAN Gateway : 169.254.27.141
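    The two traceoptions lines above are the quickest place to see why phase 1 (or, with the equivalent IPsec lines, phase 2) does not agree. This added script (not part of the thread or of Junos) parses the SA(...) summaries in that trace format and reports every transform type where the peer offers nothing the local proposal accepts; the sample lines are constructed in the same format, with the peer's list completed with assumed transforms because the original is cut off.

```python
"""Compare the peer's proposed IKE SA with the configured proposal, using the
SA(...) summaries that SRX IKE traceoptions print (format as in the thread).
Sample lines below are constructed; the peer's transform list is assumed."""
import re
from typing import Dict, Set

Buckets = Dict[str, Set[str]]
_HDR = re.compile(r"protocol = (\w+) \(\d+\),\s*(.*)$")

PEER = ("[Jan 18 17:49:19]Peer's proposed IKE SA payload is SA([0] protocol = IKE (1), "
        "AES CBC key len = 128, AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA1 PRF, "
        "HMAC-SHA256-128, HMAC-SHA1-96, 2048 bit MODP; )")
LOCAL = ("[Jan 18 17:49:19]Configured proposal is SA([0] protocol = IKE (1), "
         "AES CBC key len = 256, HMAC-SHA1-96, 1024 bit MODP, HMAC-SHA1 PRF; )")

def _classify(term: str) -> str:
    """Sort one transform name into its IKEv2 transform type."""
    if term.endswith(" PRF"):
        return "prf"
    if "MODP" in term or "ECP" in term:
        return "dh"
    if term.startswith("HMAC-") or term.startswith("AES-XCBC"):
        return "integ"
    return "enc"  # "AES CBC key len = N", DES, 3DES, ...

def parse_sa(line: str) -> Buckets:
    """Split one 'SA([0] protocol = IKE (1), ...)' summary into transform sets.
    Tolerates a line cut off before the closing ')', as the peer line in the thread is."""
    m = _HDR.search(line)
    if not m:
        raise ValueError(f"no SA summary in: {line!r}")
    body = m.group(2).rstrip(" );")
    buckets: Buckets = {"enc": set(), "integ": set(), "prf": set(), "dh": set()}
    for term in (t.strip() for t in body.split(",")):
        if term:
            buckets[_classify(term)].add(term)
    return buckets

def find_mismatches(peer_line: str, local_line: str) -> Buckets:
    """Transform types where the peer offers nothing the local proposal accepts,
    mapped to the local setting that has to change (or be offered by the peer)."""
    peer, local = parse_sa(peer_line), parse_sa(local_line)
    return {kind: local[kind] for kind in local
            if local[kind] and not (local[kind] & peer[kind])}

if __name__ == "__main__":
    print(find_mismatches(PEER, LOCAL) or "all transform types overlap")
```

With the constructed lines the only gap is the DH group (peer offers 2048-bit MODP, local is configured for group2 / 1024-bit MODP); a negotiation with a phase-2 "proposal conflicts with local configuration" message is checked the same way against the IPsec SA lines.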

  • 4.  RE: Can someone post their branch to branch ikev2 routed VPN config?

    Posted 01-18-2021 11:27
    Walked through the T/S VPN and I'm getting this, but it looks like everything matches!

    IKE negotiation failed with error: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed. I



  • 5.  RE: Can someone post their branch to branch ikev2 routed VPN config?

     
    Posted 01-18-2021 20:12
    I have had this issue occasionally between vendors on IPSEC.  Naturally confirm that both sides really, really, really are configured EXACTLY the same parameters.  Subtle differences will fail.

    But if they are the same and it logs as different, your next step is to pick a new scheme and go at it again.  I had both ASA and Cradlepoints over the years that would not connect with certain group numbers but would on others for example.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 6.  RE: Can someone post their branch to branch ikev2 routed VPN config?

    Posted 01-18-2021 21:10
    I shall try that tomorrow. Thank you!

    There's no way to make your own encryption / authentication algorithm, is there?

    The only thing I can think is the Juniper is sending aes-256 and 128, but the 3rd party is not.

    That shouldn't matter, but maybe it does.

    Thanks,


  • 7.  RE: Can someone post their branch to branch ikev2 routed VPN config?

    Posted 01-19-2021 14:22
    So, oddly enough, changing my phase 2 to AES-SHA1 from AES-256 and the tunnel came right up.

    Now, I can't pass any traffic.



  • 8.  RE: Can someone post their branch to branch ikev2 routed VPN config?

     
    Posted 01-19-2021 17:00
    Here is the guide for vpn tunnel up without passing traffic step by step

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 9.  RE: Can someone post their branch to branch ikev2 routed VPN config?

    Posted 01-19-2021 18:05
    That's the guide that is incorrect for route based VPNs.

    Step 8 is incompatible.

    edit: oddly enough I just went to the next step.

    Weird how packets are coming IN, but not out.

    Session ID: 8832, Policy name: self-traffic-policy/1, Timeout: 60, Valid
    In: 192.168.10.1/13309 --> 172.16.61.1/90;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,
    Out: 172.16.61.1/90 --> 192.168.10.1/13309;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,





  • 10.  RE: Can someone post their branch to branch ikev2 routed VPN config?

     
    Posted 01-19-2021 19:11
    No outbound traffic likely means an issue with the outbound routing setup.

    Check and make sure this route is up and active
    route 192.168.168.0/24 next-hop st0.0


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------