SRX


Help with configuring dynamic IPSec tunnel on NAT connection

  • 1.  Help with configuring dynamic IPSec tunnel on NAT connection

    Posted 03-29-2021 14:54
    Hello

    I'm trying to set up IPsec from one of our remote SRX1 with an LTE connection to our HQ SRX2.

    In my lab environment I have tried by first assigning a public dynamic address on SRX1, and it works even when the dynamic IP changes:

    [SRX1]=====[ LTE connection public dynamic IP] ==== [INTERNET]===[SRX2]

    But the actual production setup won't be having a dynamic public IP; instead it will be a dynamic private IP with NAT:

    [SRX1]=====[ LTE connection private dynamic IP with NAT] ==== [INTERNET]===[SRX2]

    I have tried to follow this example SRX but was not successful. Below is what I get.
    Note: 10.10.10.1 is the global IP after NAT

    root@SRXHQ# run show security ike security-associations detail
    IKE peer 10.10.10.1, Index 5149998, Gateway Name: N/A
    Role: Responder, State: DOWN
    Initiator cookie: 27a88bbe65f241bf, Responder cookie: a7b47f85c1167b5c
    Exchange type: Any, Authentication method: Unknown
    :500, Remote: 10.10.10.1:7
    Peer ike-id: not available
    Xauth user-name: not available
    Xauth assigned IP: 0.0.0.0
    Algorithms:
    Authentication : (null)
    Encryption : (null)
    Pseudo random function: (null)
    Diffie-Hellman group : unknown
    Traffic statistics:
    Input bytes : 460
    Output bytes : 102
    Input packets: 1
    Output packets: 1
    Flags: IKE SA is created
    IPSec security associations: 0 created, 0 deleted
    Phase 2 negotiations in progress: 0

    Flags: IKE SA is created



    root@SRXREMOTE# run show security ike security-associations detail
    IKE peer 10.30.30.2, Index 3078681, Gateway Name: SRX-IKE-GATEWAY
    Role: Initiator, State: DOWN
    Initiator cookie: 27a88bbe65f241bf, Responder cookie: 0000000000000000
    Exchange type: Aggressive, Authentication method: Pre-shared-keys
    Local: 172.16.0.3:500, Remote: 10.30.30.2:500
    Peer ike-id: not available
    Xauth user-name: not available
    Xauth assigned IP: 0.0.0.0
    Algorithms:
    Authentication : (null)
    Encryption : (null)
    Pseudo random function: (null)
    Diffie-Hellman group : unknown
    Traffic statistics:
    Input bytes : 0
    Output bytes : 460
    Input packets: 0
    Output packets: 1
    IPSec security associations: 0 created, 0 deleted
    Phase 2 negotiations in progress: 0


    Configuration

    root@SRXHQ# show security ike
    proposal SRX-ISAKMP-PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
    }
    policy SRX-ISAKMP-POLICY {
    mode aggressive;
    proposals SRX-ISAKMP-PROPOSAL;
    pre-shared-key ascii-text "$9$rS0Kv8Xx-g4Jk.hy"; ## SECRET-DATA
    }
    gateway SRX-IKE-GATEWAY {
    ike-policy SRX-ISAKMP-POLICY;
    dynamic user-at-hostname "user1@abc.com.au";
    external-interface ge-0/0/0;
    }

    [edit]
    root@SRXHQ# 


    root@SRXREMOTE# show  security ike
    proposal SRX-ISAKMP-PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
    }
    policy SRX-ISAKMP-POLICY {
    mode aggressive;
    proposals SRX-ISAKMP-PROPOSAL;
    pre-shared-key ascii-text "$9$aNGUikqPn6C1R2o"; ## SECRET-DATA
    }
    gateway SRX-IKE-GATEWAY {
    ike-policy SRX-ISAKMP-POLICY;
    address 10.30.30.2;
    local-identity user-at-hostname "user1@abc.com.au";
    external-interface ge-0/0/0;
    }

    [edit]
    root@SRXREMOTE#


    Output from my NAT router
    LTEPROVIDER#sh ip nat transl
    Pro Inside global Inside local Outside local Outside global
    udp 10.10.10.1:500 172.16.0.3:500 10.20.20.2:500 10.20.20.2:500
    udp 10.10.10.1:500 172.16.0.3:500 10.30.30.2:500 10.30.30.2:500
    udp 10.10.10.1:500 172.16.0.3:500 10.30.30.2:500 10.30.30.2:500

    Will really appreciate some insight

    ------------------------------
    Regards
    Paul Basondole
    ------------------------------
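    A small Python helper, added here and not part of the thread, that parses the two `show security ike security-associations detail` dumps above (trimmed copies of the posted output) and reports the symptom pattern they show: the responder saw one packet and answered, but the initiator received nothing back and never learned a responder cookie, which is the pattern a NAT device in the path produces when the return traffic is not translated back.

```python
import re

# Trimmed copies of the two dumps posted above (constructed sample input: only
# the lines the checks below need are kept).
HQ_OUTPUT = """\
IKE peer 10.10.10.1, Index 5149998, Gateway Name: N/A
Role: Responder, State: DOWN
Initiator cookie: 27a88bbe65f241bf, Responder cookie: a7b47f85c1167b5c
Exchange type: Any, Authentication method: Unknown
Peer ike-id: not available
Input packets: 1
Output packets: 1
"""
REMOTE_OUTPUT = """\
IKE peer 10.30.30.2, Index 3078681, Gateway Name: SRX-IKE-GATEWAY
Role: Initiator, State: DOWN
Initiator cookie: 27a88bbe65f241bf, Responder cookie: 0000000000000000
Exchange type: Aggressive, Authentication method: Pre-shared-keys
Peer ike-id: not available
Input packets: 0
Output packets: 1
"""

def parse_ike_sa(text):
    """Turn the 'Key: value' pairs of one SA dump into a dict.
    Several pairs may share one line, separated by ', '."""
    fields = {}
    for line in text.splitlines():
        for part in re.split(r",\s+", line):
            if ":" in part:
                key, value = part.split(":", 1)
                fields[key.strip()] = value.strip()
    return fields

def diagnose(initiator, responder):
    """Compare the initiator's and responder's view of the same IKE exchange."""
    findings = []
    if initiator["Initiator cookie"] == responder["Initiator cookie"]:
        # Same initiator cookie on both ends: the first packet did arrive.
        findings.append("first-packet-delivered")
    if int(initiator["Input packets"]) == 0 and int(responder["Output packets"]) > 0:
        # Responder replied, initiator saw nothing: reply lost on the return path.
        findings.append("reply-lost-on-return-path")
    if initiator["Responder cookie"] == "0" * 16:
        # All-zero responder cookie: initiator never got past its first message.
        findings.append("initiator-never-completed")
    if responder["Peer ike-id"] == "not available":
        findings.append("responder-has-no-peer-identity")
    return findings

if __name__ == "__main__":
    print(diagnose(parse_ike_sa(REMOTE_OUTPUT), parse_ike_sa(HQ_OUTPUT)))
```

When "first-packet-delivered" and "reply-lost-on-return-path" appear together, the IKE exchange itself is reaching the responder and the thing to inspect is the translation of the responder's UDP/500 (or UDP/4500 with NAT-T) reply on the NAT device, as the NAT table in the post shows.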


  • 2.  RE: Help with configuring dynamic IPSec tunnel on NAT connection

    Posted 03-30-2021 05:56
    You will need to use the VPN configuration with the NAT traversal feature as outlined in this KB article.

    https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html#id-understanding-nat-t

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Help with configuring dynamic IPSec tunnel on NAT connection

    Posted 03-30-2021 08:30
    Thank you. Have come to realize a reboot is required when you make changes on these sections below.

    gateway SRX-IKE-GATEWAY {
      dynamic user-at-hostname "user1@abc.com.au";

    gateway SRX-IKE-GATEWAY {
      local-identity user-at-hostname "user1@abc.com.au";

    After rebooting the SRX in my lab it is working. If I make changes on that hierarchy, for example changing the email address, IPsec stops working until reboot.


    ------------------------------
    Paul Basondole
    ------------------------------