vSRX


How to get IPsec Dead Peer Detection working?

  • 1.  How to get IPsec Dead Peer Detection working?

    Posted 06-27-2018 01:23

    Hello.

    I'm trying to achieve IPsec STS failover using DPD.

    There are three vSRX (12.1X47-D20.7) in my test lab.

    1. Top router (routing between the two routers)

    Interfaces

    set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.254/24
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.254/24
    

    2. First IPsec router with RPM probe and ip-monitoring

    set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 preferred
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
    set interfaces ge-0/0/2 unit 0 family inet address 10.254.1.1/24
    set interfaces st0 unit 1 description "IPsec to SRX2"
    set interfaces st0 unit 1 family inet address 10.10.0.1/24
    set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254
    set routing-options static route 10.254.2.0/24 next-hop st0.1
    set security ike policy ike_pol_STS_to_SRX2 mode aggressive
    set security ike policy ike_pol_STS_to_SRX2 proposal-set compatible
    set security ike policy ike_pol_STS_to_SRX2 pre-shared-key ascii-text ""
    set security ike gateway gw_STS_to_SRX2 ike-policy ike_pol_STS_to_SRX2
    set security ike gateway gw_STS_to_SRX2 address 192.168.10.1
    set security ike gateway gw_STS_to_SRX2 external-interface ge-0/0/1.0
    set security ipsec policy ipsec_pol_STS_to_SRX2 perfect-forward-secrecy keys group2
    set security ipsec policy ipsec_pol_STS_to_SRX2 proposal-set compatible
    set security ipsec vpn STS_to_SRX2 bind-interface st0.1
    set security ipsec vpn STS_to_SRX2 ike gateway gw_STS_to_SRX2
    set security ipsec vpn STS_to_SRX2 ike ipsec-policy ipsec_pol_STS_to_SRX2
    set security ipsec vpn STS_to_SRX2 establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy default-deny match source-address any
    set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
    set security policies from-zone untrust to-zone trust policy default-deny match application any
    set security policies from-zone untrust to-zone trust policy default-deny then deny
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match source-address addr_10_254_1_0_24
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match destination-address addr_10_254_2_0_24
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match application any
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 then permit
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_2_0_24
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_1_0_24
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust address-book address addr_10_254_1_0_24 10.254.1.0/24
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone trust interfaces ge-0/0/2.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/1.0
    set security zones security-zone STS_Zone address-book address addr_10_254_2_0_24 10.254.2.0/24
    set security zones security-zone STS_Zone interfaces st0.1
    set services rpm probe DG_1_254 test PING_1_DG target address 192.168.1.254
    set services rpm probe DG_1_254 test PING_1_DG probe-count 10
    set services rpm probe DG_1_254 test PING_1_DG probe-interval 5
    set services rpm probe DG_1_254 test PING_1_DG test-interval 5
    set services rpm probe DG_1_254 test PING_1_DG thresholds successive-loss 5
    set services ip-monitoring policy GW_failover match rpm-probe DG_1_254
    set services ip-monitoring policy GW_failover then preferred-route route 0.0.0.0/0 next-hop 192.168.2.254
    

    3. Second IPsec router with DPD

    set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
    set interfaces ge-0/0/2 unit 0 family inet address 10.254.2.1/24
    set interfaces st0 unit 1 description "IPsec to SRX1"
    set interfaces st0 unit 1 family inet address 10.10.0.2/24
    set routing-options static route 0.0.0.0/0 next-hop 192.168.10.254
    set routing-options static route 10.254.1.0/24 next-hop st0.1
    set security ike policy ike_pol_STS_to_SRX1 mode aggressive
    set security ike policy ike_pol_STS_to_SRX1 proposal-set compatible
    set security ike policy ike_pol_STS_to_SRX1 pre-shared-key ascii-text ""
    set security ike gateway gw_STS_to_SRX1 ike-policy ike_pol_STS_to_SRX1
    set security ike gateway gw_STS_to_SRX1 address 192.168.1.1
    set security ike gateway gw_STS_to_SRX1 address 192.168.2.1
    set security ike gateway gw_STS_to_SRX1 dead-peer-detection always-send
    set security ike gateway gw_STS_to_SRX1 dead-peer-detection interval 10
    set security ike gateway gw_STS_to_SRX1 external-interface ge-0/0/1.0
    set security ipsec policy ipsec_pol_STS_to_SRX1 perfect-forward-secrecy keys group2
    set security ipsec policy ipsec_pol_STS_to_SRX1 proposal-set compatible
    set security ipsec vpn STS_to_SRX1 bind-interface st0.1
    set security ipsec vpn STS_to_SRX1 ike gateway gw_STS_to_SRX1
    set security ipsec vpn STS_to_SRX1 ike ipsec-policy ipsec_pol_STS_to_SRX1
    set security ipsec vpn STS_to_SRX1 establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy default-deny match source-address any
    set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
    set security policies from-zone untrust to-zone trust policy default-deny match application any
    set security policies from-zone untrust to-zone trust policy default-deny then deny
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match source-address addr_10_254_2_0_24
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match destination-address addr_10_254_1_0_24
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match application any
    set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 then permit
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_1_0_24
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_2_0_24
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
    set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust address-book address addr_10_254_2_0_24 10.254.2.0/24
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone trust interfaces ge-0/0/2.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/1.0
    set security zones security-zone STS_Zone address-book address addr_10_254_1_0_24 10.254.1.0/24
    set security zones security-zone STS_Zone interfaces st0.1
    

    While 192.168.1.254 (top router) is available, IPsec works fine.

    But when I emulate failover by deleting the 192.168.1.254 IP address:

    delete interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
    

    the IPsec tunnel goes down and never comes back up.

    IP monitoring and the route change are working on the first SRX.

    root@SRX1> show services ip-monitoring status
    
    Policy - GW_failover (Status: FAIL)
      RPM Probes:
        Probe name             Test Name       Address          Status
        ---------------------- --------------- ---------------- ---------
        DG_1_254               PING_1_DG       192.168.1.254    FAIL
      Route-Action:
        route-instance    route             next-hop         state
        ----------------- ----------------- ---------------- -------------
        inet.0            0.0.0.0/0         192.168.2.254    APPLIED
    
    

    It can ping 192.168.10.1 (the second SRX) and the second SRX can ping 192.168.2.1 (the first SRX), but the tunnel is down.

    root@SRX2> show security ipsec security-associations
      Total active tunnels: 0
    
    root@SRX2> show security ike security-associations
    
    root@SRX2> show security ipsec inactive-tunnels
      Total inactive tunnels: 1
      Total inactive tunnels with establish immediately: 1
      ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
      131073 500   2      0      600a29    192.168.2.1      DPD failover
    
    root@SRX2>
    

    After re-enabling 192.168.1.254 on the top router, SRX1 IP monitoring switches the route back:

    root@SRX1> show services ip-monitoring status
    
    Policy - GW_failover (Status: PASS)
      RPM Probes:
        Probe name             Test Name       Address          Status
        ---------------------- --------------- ---------------- ---------
        DG_1_254               PING_1_DG       192.168.1.254    PASS
      Route-Action:
        route-instance    route             next-hop         state
        ----------------- ----------------- ---------------- -------------
        inet.0            0.0.0.0/0         192.168.2.254    NOT-APPLIED
    
    

    but the IPsec tunnel is still down.

    What is wrong with this config?



  • 2.  RE: How to get IPsec Dead Peer Detection working?

    Posted 07-02-2018 07:33

    Any ideas?



  • 3.  RE: How to get IPsec Dead Peer Detection working?

    Posted 07-09-2018 00:37

    Would it help if I removed any mention of vSRX and wrote SRX100 instead?


    @WingDog


  • 4.  RE: How to get IPsec Dead Peer Detection working?

    Posted 07-10-2018 05:37

    Hello,

    I understand that you are using Firefly 12.1X47-D20.7, which is currently not supported. We have fixed a lot of bugs in our later releases, vSRX 2.0 (15.1X49). In order to rule out the possibility of this being a software bug, I would first recommend that you try the same configuration on the recommended vSRX 2.0 release (15.1X49-D140); if this does not work, then we can troubleshoot the issue further.

    Regards,

    Rishi
    JTAC



  • 5.  RE: How to get IPsec Dead Peer Detection working?

    Posted 07-12-2018 04:09

    Hello.

    I've updated my test lab to

    Hostname: SRX1
    Model: vsrx
    Junos: 15.1X49-D140.2
    JUNOS Software Release [15.1X49-D140.2]
    

    DPD is still not working if 192.168.1.254 is inaccessible.

    Any help will be appreciated.

    Configs are attached.

    Attachment(s): srx2.txt (6K), srx1.txt (6K)


  • 6.  RE: How to get IPsec Dead Peer Detection working?

    Posted 07-12-2018 08:15

    Hello,

    I labbed up your setup, and the root cause of your problem is that SRX1 is supposed to accept IKE/IPsec on 192.168.2.1 but it is not configured to do that: you marked 192.168.1.1 as preferred.

    You would need to split your IKE GW "gw_STS_to_SRX2" into two as below:

    set security ike gateway gw_STS_to_SRX2-AAA ike-policy ike_pol_STS_to_SRX2
    set security ike gateway gw_STS_to_SRX2-AAA address 192.168.10.1
    set security ike gateway gw_STS_to_SRX2-AAA external-interface ge-0/0/0.0
    set security ike gateway gw_STS_to_SRX2-AAA local-address 192.168.1.1
    set security ike gateway gw_STS_to_SRX2-BBB ike-policy ike_pol_STS_to_SRX2
    set security ike gateway gw_STS_to_SRX2-BBB address 192.168.10.1
    set security ike gateway gw_STS_to_SRX2-BBB external-interface ge-0/0/0.0
    set security ike gateway gw_STS_to_SRX2-BBB local-address 192.168.2.1
    set security ipsec policy ipsec_pol_STS_to_SRX2 perfect-forward-secrecy keys group2
    set security ipsec policy ipsec_pol_STS_to_SRX2 proposal-set compatible
    set security ipsec vpn STS_to_SRX2-AAA bind-interface st0.1
    set security ipsec vpn STS_to_SRX2-AAA ike gateway gw_STS_to_SRX2-AAA
    set security ipsec vpn STS_to_SRX2-AAA ike ipsec-policy ipsec_pol_STS_to_SRX2
    set security ipsec vpn STS_to_SRX2-BBB bind-interface st0.2
    set security ipsec vpn STS_to_SRX2-BBB ike gateway gw_STS_to_SRX2-BBB
    set security ipsec vpn STS_to_SRX2-BBB ike ipsec-policy ipsec_pol_STS_to_SRX2
    
    

    And then gw_STS_to_SRX2-BBB will accept IKE on the 192.168.2.1 address.

    But then there is another issue: when SRX1 is the initiator, it tries to establish 2 tunnels to SRX2 and cannot, but SRX2 can. You will need to make SRX1 responder-only by NOT configuring "establish-tunnels immediately" for the whole setup to work properly.

    HTH

    Thx

    Alex
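
As an added example that is not part of this thread or of Juniper's software: the Python script below turns the diagnosis in this reply, and the symptom from the first post, into a repeatable check. It parses constructed excerpts of the SRX1 and SRX2 `set` configs posted above (address, IKE gateway, DPD and VPN lines only), works out where each IKE gateway answers (the `local-address` if set; otherwise, as an assumption, the external interface's `preferred` address, else its first one), and reports: the gateway whose external interface carries several addresses but has no `local-address`; the peer-side gateway address that nobody answers IKE on (192.168.2.1, the address SRX2 falls back to after "DPD failover"); how long the peer's DPD stays silent before it moves on (interval x threshold, with the Junos defaults of 10 s and 5 probes when a knob is not set); and both sides using `establish-tunnels immediately`. It is then re-run against Alex's split-gateway config, adapted to `ge-0/0/1.0` as in the posted SRX1 config (his snippet shows `ge-0/0/0.0`) and without `establish-tunnels immediately`. The function names `parse_config`, `ike_bind`, `dpd_detection_seconds` and `audit` are mine.

```python
"""Audit two Junos 'set' configs for the IKE/DPD failover pitfall in this thread (added example, not Juniper code)."""
import re
from collections import defaultdict

# Constructed excerpts (address, IKE gateway, DPD and VPN lines only) of the SRX1/SRX2 configs posted above.
SRX1_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 preferred
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set security ike gateway gw_STS_to_SRX2 address 192.168.10.1
set security ike gateway gw_STS_to_SRX2 external-interface ge-0/0/1.0
set security ipsec vpn STS_to_SRX2 ike gateway gw_STS_to_SRX2
set security ipsec vpn STS_to_SRX2 establish-tunnels immediately
"""
# Alex's split-gateway fix, with external-interface kept at ge-0/0/1.0 (as in the posted SRX1 config; his snippet shows ge-0/0/0.0) and no establish-tunnels.
SRX1_FIXED = """
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 preferred
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set security ike gateway gw_STS_to_SRX2-AAA address 192.168.10.1
set security ike gateway gw_STS_to_SRX2-AAA external-interface ge-0/0/1.0
set security ike gateway gw_STS_to_SRX2-AAA local-address 192.168.1.1
set security ike gateway gw_STS_to_SRX2-BBB address 192.168.10.1
set security ike gateway gw_STS_to_SRX2-BBB external-interface ge-0/0/1.0
set security ike gateway gw_STS_to_SRX2-BBB local-address 192.168.2.1
"""
SRX2_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set security ike gateway gw_STS_to_SRX1 address 192.168.1.1
set security ike gateway gw_STS_to_SRX1 address 192.168.2.1
set security ike gateway gw_STS_to_SRX1 dead-peer-detection always-send
set security ike gateway gw_STS_to_SRX1 dead-peer-detection interval 10
set security ike gateway gw_STS_to_SRX1 external-interface ge-0/0/1.0
set security ipsec vpn STS_to_SRX1 establish-tunnels immediately
"""
DPD_DEFAULTS = {"interval": 10, "threshold": 5}  # Junos defaults: seconds between probes, unanswered probes before dead
RE_ADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)( preferred)?$")
RE_GW = re.compile(r"^set security ike gateway (\S+) (.+)$")
RE_VPN = re.compile(r"^set security ipsec vpn (\S+) (.+)$")

def parse_config(text):
    """Return (interface addresses, IKE gateways, names of VPNs that establish-tunnels immediately)."""
    ifaces = defaultdict(list)  # "ge-0/0/1.0" -> [(ip, is_preferred), ...]
    gws = defaultdict(lambda: {"address": [], "local_address": None, "external_interface": None, "dpd": None})
    initiators = set()
    for line in text.strip().splitlines():
        if m := RE_ADDR.match(line):
            ifaces[f"{m[1]}.{m[2]}"].append((m[3].split("/")[0], bool(m[4])))
        elif m := RE_GW.match(line):
            gw, words = gws[m[1]], m[2].split()
            if words[0] == "address":
                gw["address"].append(words[1])
            elif words[0] in ("local-address", "external-interface"):
                gw[words[0].replace("-", "_")] = words[1]
            elif words[0] == "dead-peer-detection":  # any DPD knob enables DPD; unset knobs keep the defaults
                gw["dpd"] = gw["dpd"] or dict(DPD_DEFAULTS)
                if len(words) == 3 and words[1] in DPD_DEFAULTS:
                    gw["dpd"][words[1]] = int(words[2])
        elif (m := RE_VPN.match(line)) and m[2] == "establish-tunnels immediately":
            initiators.add(m[1])
    return ifaces, gws, initiators

def ike_bind(gw, ifaces):
    """Address a gateway answers IKE on; without local-address, modelled (assumption) as the preferred, else first, address."""
    if gw["local_address"]:
        return gw["local_address"]
    addrs = ifaces.get(gw["external_interface"], [])
    return next((ip for ip, pref in addrs if pref), addrs[0][0] if addrs else None)

def dpd_detection_seconds(dpd):
    return dpd["interval"] * dpd["threshold"]  # silence before DPD declares the peer dead

def audit(local_cfg, peer_cfg):
    """Return (code, gateway, detail) findings for the local box, checked against its peer's config."""
    ifaces, gws, initiators = parse_config(local_cfg)
    _, peer_gws, peer_initiators = parse_config(peer_cfg)
    listeners = {ike_bind(gw, ifaces) for gw in gws.values()} - {None}
    findings = []
    for name, gw in gws.items():
        n = len(ifaces.get(gw["external_interface"], []))
        if n > 1 and not gw["local_address"]:
            findings.append(("NO-LOCAL-ADDRESS", name, f"{gw['external_interface']} carries {n} addresses but IKE "
                             f"is answered only on {ike_bind(gw, ifaces)}; split the gateway with local-address"))
    for name, gw in peer_gws.items():
        for ip in gw["address"]:
            if ip not in listeners:
                findings.append(("PEER-ADDRESS-UNSERVED", name, f"peer fails over to {ip}, where nothing here answers IKE"))
        if gw["dpd"] and len(gw["address"]) > 1:
            findings.append(("DPD-FAILOVER-TIME", name, f"{dpd_detection_seconds(gw['dpd'])}s of silence before "
                             "the peer declares us dead and tries its next address"))
            if initiators and peer_initiators:
                findings.append(("BOTH-INITIATE", name, "both sides establish-tunnels immediately; "
                                 "the thread suggests making the multi-address side responder-only"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("SRX1 as posted", SRX1_CONFIG), ("SRX1 after the split", SRX1_FIXED)):
        print(label, *audit(cfg, SRX2_CONFIG), sep="\n  ")
```

Run as a script it prints four findings for the posted SRX1 config (no `local-address`, 192.168.2.1 unserved, a 50 s DPD failover window, and both sides initiating) and only the informational DPD timing line for the split config. The same `audit` can be pointed at the two attached full configs, since the regexes ignore every `set` line they do not recognise.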



  • 7.  RE: How to get IPsec Dead Peer Detection working?

    Posted 07-13-2018 00:06

    Hello.

    In that case I can't see any benefit of this feature...

    And there is no word about your proposal in the KB:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29211

    Perhaps Rsurana from JTAC will be able to provide some hidden knowledge about the DPD feature?

    Or is DPD just another useless feature?



  • 8.  RE: How to get IPsec Dead Peer Detection working?

    Posted 07-23-2018 03:22

    Hello.

    Any updates? Perhaps from JTAC?