Junos OS


SRX: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

  • 1.  SRX: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 11-09-2017 15:54

    Hi Juniper Team,

    We are trying to create 2 IPSec tunnels originating from different virtual routers on an SRX device, using the same WAN interface IP and going to the same destination IP.
    We are using IKEv2 with FQDN & PSK.


    [Image: CSR Network Diagram]


    Created an st0.2 interface in VR-1, and lo0.100 and ge-0/0/3.0 in the default VR.
    Added st0.2 to the SRX-1 zone.
    Added lo0.100 to the VPN-1 zone.
    Added ge-0/0/3.0 to the untrust1 zone.

    Using lo0.100 as the egress interface in the IKE gateway.
    Configured source NAT between the VPN-1 and untrust1 zones, so that NAT-T is selected and multiple tunnels can be created using the same source and destination public IP addresses.


    Virtual-Router:

    Created st0.2 interface in VR-A.
    Created st0.3 interface in VR-B.
    Created lo0.100, lo0.101 & ge-0/0/3.0 interfaces in the default VR.


    Zones:

    SRX-1: st0.2 interface
    SRX-2: st0.3 interface
    VPN-1: lo0.100 interface
    VPN-2: lo0.101 interface
    Untrust1: ge-0/0/3.0


    PS: Currently just trying to bring up one tunnel.


    Please let us know if this solution is possible. Currently we see the tunnel is not coming up because the ISAKMP request packet is going out without the NAT IP: it is sent using the lo0.100 interface IP instead of the ge-0/0/3.0 (WAN) IP.


    Config file is in the attachments.

    Attachment: Juniper_SRX_Config.txt


  • 2.  RE: SRX: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 11-09-2017 16:26

    Hi,


    Can you please try putting the lo0 into the same security zone as ge-0/0/3? You will need to adjust your source nat as well.


    Not sure what version of Junos you are running, but there is a KB article related to having separate security zones for lo0 and the external interface.


    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22129


    Thanks

    Tim



  • 3.  RE: SRX: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 11-09-2017 16:36

    Hi Tim,


    Thanks for your response.

    I have already tried keeping lo0 and ge-0/0/3 in the same zone. But it didn't work as I still saw the packet going out with lo0 IP address.

    I tried the NAT config below:

    set security nat source rule-set cust1_srcnat from interface lo0.100
    set security nat source rule-set cust1_srcnat to interface ge-0/0/3.0
    set security nat source rule-set cust1_srcnat rule cust1_src_interface match source-address 0.0.0.0/0
    set security nat source rule-set cust1_srcnat rule cust1_src_interface match destination-address 0.0.0.0/0
    set security nat source rule-set cust1_srcnat rule cust1_src_interface then source-nat interface

    This didn't help. Please let me know what NAT changes I need to make.



  • 4.  RE: SRX: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 11-09-2017 16:51

    Hi,

    Can you use the following for your source NAT?


    set security nat source rule-set cust1_srcnat from zone junos-host
    set security nat source rule-set cust1_srcnat to zone untrust

    Thanks

    Tim



  • 5.  RE: SRX: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 11-13-2017 14:24

    Hi Tim,


    I added the NAT configurations as specified.

    Now I do see the ISAKMP request packet with the source NAT IP.

    We are using strongSwan on the other end.

    I'm seeing the error message "iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed" on the Juniper SRX after the other end sends the IKE response.


    Logs on SRX:


    [Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
    [Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
    [Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
    [Nov 9 05:32:33]ikev2_decode_packet: [e44800/1c39400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED)
    [Nov 9 05:32:33]ikev2_packet_allocate: Allocated packet e35000 from freelist
    [Nov 9 05:32:33]Added (spi=0x2ceb7f9a, protocol=0) entry to the spi table
    [Nov 9 05:32:33]iked_pm_ike_conf_request: SA-CFG BT-ike-vpn-srx2 not configured for config payload. Skipping...
    [Nov 9 05:32:33]iked_pm_ike_spd_notify_request: Sending Initial contact
    [Nov 9 05:32:33]Construction NHTB payload for local:10.9.91.125, remote:10.79.105.221 IKEv2 P1 SA index 637539 sa-cfg BT-ike-vpn-srx2
    [Nov 9 05:32:33]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg BT-ike-vpn-srx2, p1_sa=637539
    [Nov 9 05:32:33]ikev2_packet_allocate: Allocated packet e45000 from freelist
    [Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
    [Nov 9 05:32:33]ikev2_decode_packet: [e45000/1c39400] Received packet: HDR, N(AUTHENTICATION_FAILED)
    [Nov 9 05:32:33]ikev2_state_auth_initiator_in: [e45000/1c39400] Error: IKE_AUTH packet is missing IDr or AUTH payload
    [Nov 9 05:32:33]ikev2_process_notify: [e45000/1c39400] Received error notify Authentication failed (24)
    [Nov 9 05:32:33]ikev2_state_error: [e45000/1c39400] Negotiation failed because of error Authentication failed (24)
    [Nov 9 05:32:33]IKE negotiation fail for local:10.9.91.125, remote:10.79.105.221 IKEv2 with status: Authentication failed
    [Nov 9 05:32:33]IPSec negotiation failed for SA-CFG BT-ike-vpn-srx2 for local:10.9.91.125, remote:10.79.105.221 IKEv2. status: Authentication failed
    [Nov 9 05:32:33] P2 ed info: flags 0xc2, P2 error: Error ok

    Summary of my config:


    I'm using lo0.100 as the external interface in the IKE gateway config.

    lo0.100 & the WAN interface are in the same zone.

    NAT is configured from the junos-host zone to the untrust1 zone.

    lo0.100: 192.168.100.1

    ge-0/0/3.0 (WAN): 10.9.91.125

    Other end IP (strongSwan): 10.79.105.191

    NAT flow output:


    root@site-1> show security flow session nat
    Session ID: 267471, Policy name: self-traffic-policy/1, Timeout: 56, Valid
    In: 192.168.100.1/500 --> 10.79.105.191/500;udp, If: .local..0, Pkts: 40, Bytes: 14560
    Out: 10.79.105.191/500 --> 10.9.91.125/14405;udp, If: ge-0/0/3.0, Pkts: 40, Bytes: 13600
    Total sessions: 1


    Tunnel flow session:


    root@site-1> show security flow session tunnel
    Session ID: 267460, Policy name: N/A, Timeout: N/A, Valid
    In: 10.79.105.191/0 --> 192.168.100.1/0;esp, If: lo0.100, Pkts: 0, Bytes: 0

    Session ID: 267461, Policy name: N/A, Timeout: N/A, Valid
    In: 10.79.105.191/0 --> 192.168.100.1/0;ah, If: lo0.100, Pkts: 0, Bytes: 0
    Total sessions: 2


    root@site-1> show security ike sa detail
    IKE peer 10.79.105.191, Index 709122, Gateway Name: BT-gw-srx1-bkp
    Role: Initiator, State: DOWN
    Initiator cookie: 5edba4212ce78692, Responder cookie: fb147f7992d599dc
    Exchange type: IKEv2, Authentication method: Pre-shared-keys
    Local: 192.168.100.1:500, Remote: 10.79.105.191:4500
    Peer ike-id: not available
    Xauth user-name: not available
    Xauth assigned IP: 0.0.0.0
    Algorithms:
    Authentication : hmac-sha1-96
    Encryption : aes128-cbc
    Pseudo random function: hmac-sha1
    Diffie-Hellman group : unknown
    Traffic statistics:
    Input bytes : 312
    Output bytes : 592
    Input packets: 1
    Output packets: 2 <<--- I do not see the second packet leaving the WAN interface
    IPSec security associations: 0 created, 0 deleted
    Phase 2 negotiations in progress: 0

    Please let me know how to proceed.


    Thanks
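As an added example (not code from the thread or from Juniper), a small Python triage script that parses the `show security flow session nat` and IKE trace output quoted above: it confirms whether the loopback-sourced IKE session is actually translated to the WAN address (the translated port differing from 500 is what makes the peer detect NAT and switch to NAT-T) and pulls out the final negotiation status. Function and constant names are my own; the sample text is the thread's own output re-typed inline.

```python
import re

# Sample input: the flow-session and IKE trace lines quoted earlier in this
# thread, re-typed verbatim so the script runs offline.
FLOW_NAT = """\
Session ID: 267471, Policy name: self-traffic-policy/1, Timeout: 56, Valid
In: 192.168.100.1/500 --> 10.79.105.191/500;udp, If: .local..0, Pkts: 40, Bytes: 14560
Out: 10.79.105.191/500 --> 10.9.91.125/14405;udp, If: ge-0/0/3.0, Pkts: 40, Bytes: 13600
Total sessions: 1
"""
IKE_TRACE = """\
[Nov 9 05:32:33]ikev2_decode_packet: [e45000/1c39400] Received packet: HDR, N(AUTHENTICATION_FAILED)
[Nov 9 05:32:33]IKE negotiation fail for local:10.9.91.125, remote:10.79.105.221 IKEv2 with status: Authentication failed
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),")
FAIL_RE = re.compile(r"IKE negotiation fail for local:(\S+), remote:(\S+) IKEv2 with status: (.+)$")

def parse_flow_sessions(text):
    """Return one dict per session, with its 'In' and 'Out' wings parsed."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2).strip()}
            sessions.append(cur)
            continue
        w = WING_RE.search(line)
        if w and cur is not None:
            cur[w.group(1)] = {"src": w.group(2), "sport": int(w.group(3)),
                               "dst": w.group(4), "dport": int(w.group(5)),
                               "proto": w.group(6), "iface": w.group(7)}
    return sessions

def ike_source_after_nat(sessions, loopback_ip):
    """(address, port, egress interface) the peer sees for the IKE session
    sourced from loopback_ip: the Out wing's destination is the translated
    source. A port other than 500 means the peer will detect NAT (NAT-T)."""
    for s in sessions:
        i, o = s.get("In"), s.get("Out")
        if i and o and i["src"] == loopback_ip and i["proto"] == "udp" \
                and i["dport"] in (500, 4500):
            return o["dst"], o["dport"], o["iface"]
    return None  # no loopback-sourced IKE session: the NAT rule is not matching

def ike_failures(trace):
    """Extract (local, remote, status) from 'IKE negotiation fail' lines."""
    return [m.groups() for m in map(FAIL_RE.search, trace.splitlines()) if m]
```

Feed it the real CLI output to check that the translated source is the WAN IP before looking further into the authentication failure on the peer.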



  • 6.  RE: SRX: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 11-13-2017 19:07

    Hi,

    I have not worked with strongSwan before, but there is another post which discusses SRX IPsec with strongSwan.


    https://forums.juniper.net/t5/SRX-Services-Gateway/Site-to-Site-VPN-with-SRX-and-StrongSwan/td-p/179871


    Tim