


  • 1.  Not receiving dynamic ip with IKE / Ipsec config

    Posted 05-25-2021 11:06

    Hello,

    We are trialling a Juniper device as a remote CPE on customer premises for one of our projects. I'm trying to set up an IPsec policy between our current tunnel router (a Mikrotik CHR at the moment; it will be replaced with a router that supports VTI in the coming months, but not yet) and a Juniper SRX345.

    The IKE and IPsec SAs are both established, but the dynamic address from the concentrator is not received on the Juniper (while this does work with other CPE devices such as Fortinet or Mikrotik).

    The concentrator setup looks like this:

    /ip ipsec mode-config
    add address=172.16.57.2 name=TEST_GIANNI
    /ip ipsec policy group
    add name=group-remote-sites
    /ip ipsec profile
    add dh-group=ecp256,ecp384,ecp521,ec2n185,ec2n155,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 enc-algorithm=aes-256,camellia-256,aes-192,camellia-192,aes-128,camellia-128,3des,blowfish,des name=peer-profile-remote-sites nat-traversal=no
    /ip ipsec peer
    add name=peer1 passive=yes profile=peer-profile-remote-sites send-initial-contact=no
    /ip ipsec proposal
    set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc
    add auth-algorithms=sha512,sha256,sha1,md5,null enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256,aes-192-cbc,aes-192-ctr,aes-192-gcm,camellia-192,aes-128-cbc,aes-128-ctr,aes-128-gcm,camellia-128,3des,blowfish,twofish,des,null lifetime=1h name=proposal-remote-sites pfs-group=none
    /ip ipsec identity
    add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=TEST_GIANNI password=gianni peer=peer1 policy-template-group=group-remote-sites secret=test username=gianni
    /ip ipsec policy
    set 0 disabled=yes
    add dst-address=0.0.0.0/0 group=group-remote-sites proposal=proposal-remote-sites src-address=0.0.0.0/0 template=yes
    /ip address
    add address=172.16.57.1/24 interface=ipsec network=172.16.57.0


    The SRX config looks like this:

    security {
    ike {
    proposal CM_DC_IKE-PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    }
    policy CM_DC_IKE-POLICY {
    mode main;
    proposals CM_DC_IKE-PROPOSAL;
    pre-shared-key ascii-text ""; ## SECRET-DATA
    }
    gateway CM_DC_IKE-GATEWAY {
    ike-policy CM_DC_IKE-POLICY;
    address 10.200.1.181;
    local-identity hostname PR_KUL_CR01;
    external-interface ge-0/0/0.0;
    aaa {
    client username gianni password ""; ## SECRET-DATA
    }
    }
    }
    ipsec {
    proposal CM_DC_IPSEC-PROPOSAL {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    }
    policy CM_DC_IPSEC-POLICY {
    proposals CM_DC_IPSEC-PROPOSAL;
    }
    vpn CM_DC_IPSEC-VPN {
    ike {
    gateway CM_DC_IKE-GATEWAY;
    ipsec-policy CM_DC_IPSEC-POLICY;
    }
    establish-tunnels immediately;
    }
    }
    flow {
    tcp-mss {
    ipsec-vpn {
    mss 1350;
    }
    }
    }
    policies {
    from-zone trust-main to-zone WAN {
    policy ipsec-out {
    match {
    source-address IPSEC_IP;
    destination-address DC;
    application any;
    }
    then {
    permit {
    tunnel {
    ipsec-vpn CM_DC_IPSEC-VPN;
    pair-policy ipsec-in;
    }
    }
    }
    }
    policy any-permit {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone WAN to-zone trust-main {
    policy ipsec-in {
    match {
    source-address DC;
    destination-address IPSEC_IP;
    application any;
    }
    then {
    permit {
    tunnel {
    ipsec-vpn CM_DC_IPSEC-VPN;
    pair-policy ipsec-out;
    }
    }
    }
    }
    }
    default-policy {
    deny-all;
    }
    }
    zones {
    security-zone trust-main {
    address-book {
    address IPSEC_IP 172.16.57.2/32;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    irb.310;
    ge-0/0/3.0;
    lo0.0;
    }
    }
    security-zone WAN {
    address-book {
    address DC 172.16.57.1/32;
    }
    host-inbound-traffic {
    system-services {
    dhcp;
    https;
    ping;
    ssh;
    ike;
    traceroute;
    }
    }
    interfaces {
    ge-0/0/0.0;
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    description UPLINK;
    unit 0 {
    family inet {
    dhcp;
    }
    }
    }

    the status on the concentrator:

    /ip ipsec active-peers print detail
    Flags: R - responder, N - natt-peer
    0 R id="gianni" local-address=10.200.1.181 remote-address=10.201.0.16 state=established side=responder dynamic-address=172.16.57.2
    uptime=29m20s last-seen=1m20s ph2-total=1

    The status on the SRX:

    root@PR_KUL_CR01> show security ike active-peer detail
    Peer address: 10.200.1.181, Port: 500,
    Peer IKE-ID : 10.200.1.181
    AAA username: not available
    Assigned network attributes:
    IP Address : 0.0.0.0 , netmask : 0.0.0.0
    DNS Address : 0.0.0.0 , DNS2 Address : 0.0.0.0
    WINS Address : 0.0.0.0 , WINS2 Address : 0.0.0.0

    Previous Peer address : 0.0.0.0, Port : 0
    Active IKE SA indexes : 753515
    IKE SA negotiated : 1
    IPSec tunnels active : 1, IPSec Tunnel IDs : 2


    root@PR_KUL_CR01> show security ike security-associations detail
    IKE peer 10.200.1.181, Index 753515, Gateway Name: CM_DC_IKE-GATEWAY
    Role: Initiator, State: UP
    Initiator cookie: 013553f4c038c78e, Responder cookie: 268c68a0a8f50419
    Exchange type: Main, Authentication method: Pre-shared-keys
    Local: 10.201.0.16:500, Remote: 10.200.1.181:500
    Lifetime: Expires in 26970 seconds
    Reauth Lifetime: Disabled
    IKE Fragmentation: Disabled, Size: 0
    Remote Access Client Info: Unknown Client
    Peer ike-id: 10.200.1.181
    AAA user-name: gianni
    AAA assigned IP: 0.0.0.0
    Algorithms:
    Authentication : hmac-sha1-96
    Encryption : aes256-cbc
    Pseudo random function: hmac-sha1
    Diffie-Hellman group : DH-group-14
    Traffic statistics:
    Input bytes : 2400
    Output bytes : 2632
    Input packets: 22
    Output packets: 23
    Input fragmentated packets: 0
    Output fragmentated packets: 0
    IPSec security associations: 1 created, 0 deleted
    Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 10.201.0.16:500, Remote: 10.200.1.181:500
    Local identity: PR_KUL_CR01
    Remote identity: 10.200.1.181
    Flags: IKE SA is created

    The notable point is that the "AAA assigned IP" on the SRX is empty (0.0.0.0), while it should be the address pushed by the concentrator (172.16.57.2), which the concentrator itself reports as dynamic-address in its active-peers output.



    Gianni Stubbe


  • 2.  RE: Not receiving dynamic ip with IKE / Ipsec config

    Posted 07-26-2021 05:25
    It seems Juniper does not support IPsec Mode Config for policy-based routes.

    Gianni Stubbe