vSRX

  • 1.  VSRX to Amazon VPN Gateway

    Posted 11-19-2018 15:05

I am attempting to connect an Amazon-hosted vSRX to a VPN gateway that is in a different VPC, but I'm not having much luck. Specifically, my IKE security associations never come up. I have used the configuration supplied by Amazon, but I think that is created assuming that the Juniper isn't in AWS.


    The VSRX is in a VPC.  The only interfaces that are up are fxp0 and ge-0/0/0.0.  I have an Elastic IP assigned to the private IP that is on ge-0/0/0.0, and I can ssh into that IP without any issues. 


    Here's what I get when I look at the security sessions:

    ec2-user> show security ike security-associations

    ec2-user>


    I have enabled IKE debugging.  I am repeatedly getting this message:


    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  iked_sa_config_install msg_len=744
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  Successfully added SA Config
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg vpn-06ab852-1 count is 0
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  kmd_update_tunnel_interface:
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  iked_update_tunnel_interface_by_ifname: update ifl st0.1 status UP
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  iked_stop_vpnm_timer: processing SA vpn-06ab852-1
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  iked_process_iff_add: VR id 0 updated in sa_cfg vpn-06ab852-1
    [Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP]  Ignoring the ifa preferred address add/change message as previous local address is the same

    [Nov 19 19:08:43]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [Nov 19 19:10:23]KMD_INTERNAL_ERROR: iked_ui_event_handler: usp ipc connection to pfe could not be made after repeated attempts. User should retry cli/SNMP command


    Here's my (sanitized) IKE config:

    proposal ike-prop-vpn-06ab852-1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy ike-pol-vpn-06ab852-1 {
        mode aggressive;
        proposals ike-prop-vpn-06ab852-1;
        pre-shared-key ascii-text "*redacted*"; ## SECRET-DATA
    }
    gateway gw-vpn-06ab852-1 {
        ike-policy ike-pol-vpn-06ab852-1;
        address XXX.YYY.ZZZ.PPP;
        dead-peer-detection {
            always-send;
            interval 10;
            threshold 3;
        }
        nat-keepalive 60;
        external-interface ge-0/0/0.0;
    }


    Here's my IPSEC:

    proposal ipsec-prop-vpn-06ab852-1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-vpn-06ab852-1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-prop-vpn-06ab852-1;
    }
    vpn vpn-06ab852-1 {
        bind-interface st0.1;
        df-bit clear;
        ike {
            gateway gw-vpn-06ab852-1;
            ipsec-policy ipsec-pol-vpn-06ab852-1;
        }
    }

    Here's my security zone info:

    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
            st0.1;
        }
    }

    And the policy:

    from-zone trust to-zone trust {
        policy everything {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }


    I am able to ping the address specified in the IKE gateway. I have also opened all TCP and UDP ports to the Juniper from the IKE gateway address in AWS.



  • 2.  RE: VSRX to Amazon VPN Gateway

    Posted 11-19-2018 23:22

    Hello,


    In 'security ike gateway <name>', include local-identity set to the Elastic IP of the local vSRX and remote-identity set to the Elastic IP of the peer, on each vSRX.

    This should bring the VPN up.


    Regards,


    Rushi



  • 3.  RE: VSRX to Amazon VPN Gateway
    Best Answer

    Posted 11-19-2018 23:44

    Hello,

    Why are you using "mode aggressive"? This should be used only if one peer has a dynamic public IP address, and with aggressive mode you should use a hostname identifier. Why do you have no IP address on the tunnel? If you want to use an unnumbered tunnel interface, you have to use traffic-selectors for the local and remote networks, and this does not work with aggressive mode. Also take care not to use DPD and vpn-monitor at the same time.


    Here is a config template that may work; you have to adapt it and fill in your local information. This config template also has a bandwidth limiter on the tunnel interface to protect the Internet interface.


    set security ike proposal IKE-PROP-VPN-06ab852-1 authentication-method pre-shared-keys
    set security ike proposal IKE-PROP-VPN-06ab852-1 dh-group group2
    set security ike proposal IKE-PROP-VPN-06ab852-1 authentication-algorithm sha1
    set security ike proposal IKE-PROP-VPN-06ab852-1 encryption-algorithm aes-128-cbc
    set security ike proposal IKE-PROP-VPN-06ab852-1 lifetime-seconds 28800
    set security ike policy VPN-06ab852-1-POLICY mode main
    set security ike policy VPN-06ab852-1-POLICY proposals IKE-PROP-VPN-06ab852-1
    set security ike policy VPN-06ab852-1-POLICY pre-shared-key ascii-text "*redacted*"
    set security ike gateway VPN-06ab852-1 ike-policy VPN-06ab852-1-POLICY
    set security ike gateway VPN-06ab852-1 address XXX.YYY.ZZZ.PPP
    set security ike gateway VPN-06ab852-1 dead-peer-detection interval 10
    set security ike gateway VPN-06ab852-1 dead-peer-detection threshold 3
    set security ike gateway VPN-06ab852-1 nat-keepalive 5
    set security ike gateway VPN-06ab852-1 local-identity inet aaa.aaa.aaa.aaa
    set security ike gateway VPN-06ab852-1 remote-identity inet XXX.YYY.ZZZ.PPP
    set security ike gateway VPN-06ab852-1 external-interface ge-0/0/0.0
    set security ipsec proposal VPN-06ab852-1-IPSEC-PROPOSAL protocol esp
    set security ipsec proposal VPN-06ab852-1-IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
    set security ipsec proposal VPN-06ab852-1-IPSEC-PROPOSAL encryption-algorithm aes-128-cbc
    set security ipsec proposal VPN-06ab852-1-IPSEC-PROPOSAL lifetime-seconds 3600
    set security ipsec policy VPN-06ab852-1-IPSEC-POLICY perfect-forward-secrecy keys group14
    set security ipsec policy VPN-06ab852-1-IPSEC-POLICY proposals VPN-06ab852-1-IPSEC-PROPOSAL
    set security ipsec vpn VPN-06ab852-1 bind-interface st0.1
    set security ipsec vpn VPN-06ab852-1 df-bit copy
    set security ipsec vpn VPN-06ab852-1 ike gateway VPN-06ab852-1
    set security ipsec vpn VPN-06ab852-1 ike no-anti-replay
    set security ipsec vpn VPN-06ab852-1 ike ipsec-policy VPN-06ab852-1-IPSEC-POLICY
    set security ipsec vpn VPN-06ab852-1 traffic-selector VPN-06ab852-1_TS01 local-ip CCC.CCC.CCC.CCC/XX
    set security ipsec vpn VPN-06ab852-1 traffic-selector VPN-06ab852-1_TS01 remote-ip DDD.DDD.DDD.DDD/YY
    set security ipsec vpn VPN-06ab852-1 establish-tunnels immediately
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL match source-address any
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL match destination-address any
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL match application any
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL then permit
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL then log session-init
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL then log session-close
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL match source-address any
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL match destination-address any
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL match application any
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL then permit
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL then log session-init
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL then log session-close
    set security zones security-zone VPN-06ab852-1-VPN interfaces st0.1 host-inbound-traffic system-services all
    set security zones security-zone VPN-06ab852-1-VPN interfaces st0.1 host-inbound-traffic protocols all
    set interfaces st0 unit 1 description VPN-06ab852-1
    set interfaces st0 unit 1 family inet filter input VPN-06ab852-1-SHAPER
    set interfaces st0 unit 1 family inet filter output VPN-06ab852-1-SHAPER
    set firewall family inet filter VPN-06ab852-1-SHAPER term 1 then policer VPN-06ab852-1-SHAPER
    set firewall policer VPN-06ab852-1-SHAPER if-exceeding bandwidth-limit 50m
    set firewall policer VPN-06ab852-1-SHAPER if-exceeding burst-size-limit 1m
    set firewall policer VPN-06ab852-1-SHAPER then discard


    regards

    Josip Kralj

    JNCIP-SEC,JNCIS-SEC, JNCIA-JUNOS, JNCIS-FWV
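
    Added example, not part of the original thread: a small Python linter that encodes the checks from the two replies above (Rushi's point that a vSRX whose Elastic IP is 1:1 NAT in front of ge-0/0/0.0 needs an explicit local-identity/remote-identity, and Josip's points about aggressive mode against a static peer, traffic selectors with aggressive mode, and DPD combined with vpn-monitor) and runs them over constructed set-format renderings of the original poster's configuration and of the corrected one. One extra check is added here because the template's `ike no-anti-replay` turns off ESP sequence-number checking; the constructed corrected sample leaves that line out. The example prefixes 10.128.2.0/24 and 10.200.0.0/16 and the finding names are assumptions, not anything from the thread.

```python
"""Lint a Junos 'set'-style IKE/IPsec configuration for the pitfalls raised
in this thread. Added example; not code from the original post."""
import shlex
from collections import defaultdict

# Constructed set-format rendering of the original poster's IKE policy,
# gateway and VPN (addresses and PSK are the thread's placeholders).
ORIGINAL_CFG = """
set security ike policy ike-pol-vpn-06ab852-1 mode aggressive
set security ike policy ike-pol-vpn-06ab852-1 proposals ike-prop-vpn-06ab852-1
set security ike policy ike-pol-vpn-06ab852-1 pre-shared-key ascii-text "*redacted*"
set security ike gateway gw-vpn-06ab852-1 ike-policy ike-pol-vpn-06ab852-1
set security ike gateway gw-vpn-06ab852-1 address XXX.YYY.ZZZ.PPP
set security ike gateway gw-vpn-06ab852-1 dead-peer-detection always-send
set security ike gateway gw-vpn-06ab852-1 dead-peer-detection interval 10
set security ike gateway gw-vpn-06ab852-1 dead-peer-detection threshold 3
set security ike gateway gw-vpn-06ab852-1 nat-keepalive 60
set security ike gateway gw-vpn-06ab852-1 external-interface ge-0/0/0.0
set security ipsec vpn vpn-06ab852-1 bind-interface st0.1
set security ipsec vpn vpn-06ab852-1 df-bit clear
set security ipsec vpn vpn-06ab852-1 ike gateway gw-vpn-06ab852-1
set security ipsec vpn vpn-06ab852-1 ike ipsec-policy ipsec-pol-vpn-06ab852-1
"""

# Constructed rendering of the corrected gateway from the accepted answer,
# with 'ike no-anti-replay' left out and example prefixes (assumed) in place
# of the CCC/DDD placeholders.
FIXED_CFG = """
set security ike policy VPN-06ab852-1-POLICY mode main
set security ike policy VPN-06ab852-1-POLICY proposals IKE-PROP-VPN-06ab852-1
set security ike policy VPN-06ab852-1-POLICY pre-shared-key ascii-text "*redacted*"
set security ike gateway VPN-06ab852-1 ike-policy VPN-06ab852-1-POLICY
set security ike gateway VPN-06ab852-1 address XXX.YYY.ZZZ.PPP
set security ike gateway VPN-06ab852-1 dead-peer-detection interval 10
set security ike gateway VPN-06ab852-1 dead-peer-detection threshold 3
set security ike gateway VPN-06ab852-1 nat-keepalive 5
set security ike gateway VPN-06ab852-1 local-identity inet aaa.aaa.aaa.aaa
set security ike gateway VPN-06ab852-1 remote-identity inet XXX.YYY.ZZZ.PPP
set security ike gateway VPN-06ab852-1 external-interface ge-0/0/0.0
set security ipsec vpn VPN-06ab852-1 bind-interface st0.1
set security ipsec vpn VPN-06ab852-1 df-bit copy
set security ipsec vpn VPN-06ab852-1 ike gateway VPN-06ab852-1
set security ipsec vpn VPN-06ab852-1 ike ipsec-policy VPN-06ab852-1-IPSEC-POLICY
set security ipsec vpn VPN-06ab852-1 traffic-selector VPN-06ab852-1_TS01 local-ip 10.128.2.0/24
set security ipsec vpn VPN-06ab852-1 traffic-selector VPN-06ab852-1_TS01 remote-ip 10.200.0.0/16
set security ipsec vpn VPN-06ab852-1 establish-tunnels immediately
"""


def parse_set_config(text):
    """Group 'set security ike|ipsec ...' statements by object name.

    Returns three dicts (ike gateways, ike policies, ipsec vpns), each mapping
    an object name to the list of token lists that follow the name.
    """
    gateways, policies, vpns = defaultdict(list), defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())  # handles the quoted PSK
        if tok[:2] != ["set", "security"] or len(tok) < 6:
            continue
        kind, name, rest = tok[2:4], tok[4], tok[5:]
        if kind == ["ike", "gateway"]:
            gateways[name].append(rest)
        elif kind == ["ike", "policy"]:
            policies[name].append(rest)
        elif kind == ["ipsec", "vpn"]:
            vpns[name].append(rest)
    return gateways, policies, vpns


def lint(cfg_text, behind_nat=True):
    """Return sorted (gateway, finding) pairs. behind_nat=True models a vSRX
    in a VPC whose Elastic IP is 1:1 NAT in front of its external interface."""
    gateways, policies, vpns = parse_set_config(cfg_text)
    findings = []
    for gw, stmts in gateways.items():
        keys = {s[0] for s in stmts}
        pol_name = next((s[1] for s in stmts if s[0] == "ike-policy"), None)
        # Junos uses main mode when the IKE policy sets no mode.
        mode = next((s[1] for s in policies.get(pol_name, []) if s[0] == "mode"), "main")
        if mode == "aggressive" and "address" in keys:
            # Static peer: aggressive mode gains nothing and sends the PSK-derived
            # authentication hash before the exchange is encrypted.
            findings.append((gw, "aggressive-mode-with-static-peer"))
        if behind_nat and "local-identity" not in keys:
            # Default IKE ID is the interface's private address, which is not what
            # the peer sees after 1:1 NAT; pin it to the Elastic IP.
            findings.append((gw, "missing-local-identity-behind-nat"))
        for vpn, vstmts in vpns.items():
            if ["ike", "gateway", gw] not in [s[:3] for s in vstmts]:
                continue  # VPN bound to a different gateway
            vkeys = {s[0] for s in vstmts}
            if "traffic-selector" in vkeys and mode == "aggressive":
                findings.append((gw, f"traffic-selector-with-aggressive-mode:{vpn}"))
            if "vpn-monitor" in vkeys and "dead-peer-detection" in keys:
                findings.append((gw, f"dpd-and-vpn-monitor:{vpn}"))
            if ["ike", "no-anti-replay"] in [s[:2] for s in vstmts]:
                findings.append((gw, f"anti-replay-disabled:{vpn}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(label, lint(cfg) or "no findings")
```

    Run against the original poster's configuration the linter reports the aggressive-mode and missing-local-identity findings; against the corrected sample it reports nothing. Paste `show configuration security | display set` output into `lint()` to check a live box.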



  • 4.  RE: VSRX to Amazon VPN Gateway

    Posted 11-20-2018 08:32

    The tunnel is now up.  Thank you both!