Hello,
We are trying Juniper as a remote CPE device on customer premises for one of our projects. I'm trying to create an IPsec policy between our current tunnel router (a Mikrotik CHR at the moment; it will be replaced with a router with VTI support in the upcoming months, but not yet) and a Juniper SRX345.
Both the IKE and IPsec SAs are established, but the dynamic address assigned by the concentrator is not received on the Juniper (this does work with other CPE devices such as Fortinet or Mikrotik).
The concentrator setup looks like this:
# Concentrator (MikroTik CHR) side of the tunnel, as exported.
# Role: passive responder that hands the remote site a mode-config
# address and generates an IPsec policy from a template.
/ip ipsec mode-config
# Address handed to the remote peer; the SRX address-book entry IPSEC_IP
# is expected to hold the same 172.16.57.2 host.
add address=172.16.57.2 name=TEST_GIANNI
/ip ipsec policy group
add name=group-remote-sites
/ip ipsec profile
# NOTE(review): this profile offers a very wide algorithm set, including
# modp768/modp1024, ec2n groups, des, 3des, blowfish and camellia. The
# responder lets the initiator choose, so weak groups/ciphers remain
# negotiable by any peer that prefers them; with this SRX the agreed IKE
# SA is DH-group-14 / aes256-cbc / hmac-sha1 (see the SRX SA output).
# Trimming the list to what your CPEs actually use is the usual hardening.
# nat-traversal=no: NAT-T is disabled on this profile.
add dh-group=ecp256,ecp384,ecp521,ec2n185,ec2n155,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 enc-algorithm=aes-256,camellia-256,aes-192,camellia-192,aes-128,camellia-128,3des,blowfish,des name=peer-profile-remote-sites nat-traversal=no
/ip ipsec peer
# Passive peer: the CHR never initiates; it only answers the SRX.
add name=peer1 passive=yes profile=peer-profile-remote-sites send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc
# NOTE(review): auth-algorithms includes md5 and null, enc-algorithms
# includes des, 3des, blowfish and null, and pfs-group=none. As with the
# profile above, this lets a peer select integrity-less or legacy ESP;
# the SRX side offers only hmac-sha-256-128 / aes-256-cbc.
add auth-algorithms=sha512,sha256,sha1,md5,null enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256,aes-192-cbc,aes-192-ctr,aes-192-gcm,camellia-192,aes-128-cbc,aes-128-ctr,aes-128-gcm,camellia-128,3des,blowfish,twofish,des,null lifetime=1h name=proposal-remote-sites pfs-group=none
/ip ipsec identity
# XAuth over PSK: username/password is the per-site client identity and
# "secret" is the IKE pre-shared key. Both appear in clear text in this
# export (password=gianni, secret=test); treat them as lab-only values
# and do not reuse them on the production concentrator.
# mode-config=TEST_GIANNI is what pushes 172.16.57.2 to the client.
# generate-policy=port-strict builds the IPsec policy from the template
# below using the selectors proposed by the remote side.
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=TEST_GIANNI password=gianni peer=peer1 policy-template-group=group-remote-sites secret=test username=gianni
/ip ipsec policy
set 0 disabled=yes
# Catch-all template (0.0.0.0/0 <-> 0.0.0.0/0); the concrete policy is
# generated per peer from the identity above.
add dst-address=0.0.0.0/0 group=group-remote-sites proposal=proposal-remote-sites src-address=0.0.0.0/0 template=yes
/ip address
# Concentrator-side tunnel address; the SRX address-book entry DC is
# expected to reference this 172.16.57.1 host.
add address=172.16.57.1/24 interface=ipsec network=172.16.57.0
The SRX config looks like this:
# SRX345 (remote CPE) side: policy-based IPsec VPN (no st0 interface),
# initiating IKEv1 main mode with PSK + XAuth towards the concentrator.
security {
ike {
# IKE proposal: group14 / aes-256-cbc / sha1. The negotiated IKE SA in
# the status output matches this exactly (DH-group-14, aes256-cbc,
# hmac-sha1-96).
proposal CM_DC_IKE-PROPOSAL {
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
}
policy CM_DC_IKE-POLICY {
mode main;
proposals CM_DC_IKE-PROPOSAL;
# PSK is redacted in this paste; it must match the MikroTik identity
# "secret" for peer1.
pre-shared-key ascii-text ""; ## SECRET-DATA
}
gateway CM_DC_IKE-GATEWAY {
ike-policy CM_DC_IKE-POLICY;
# Concentrator address (the MikroTik active-peers output shows this as
# its local-address).
address 10.200.1.181;
local-identity hostname PR_KUL_CR01;
external-interface ge-0/0/0.0;
# XAuth client credentials sent to the concentrator; the SA output shows
# "AAA user-name: gianni", so the XAuth exchange itself completes.
# Password is redacted here.
aaa {
client username gianni password ""; ## SECRET-DATA
}
}
}
ipsec {
# ESP proposal: the only algorithms this side offers for the IPsec SA.
proposal CM_DC_IPSEC-PROPOSAL {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
}
policy CM_DC_IPSEC-POLICY {
proposals CM_DC_IPSEC-PROPOSAL;
}
vpn CM_DC_IPSEC-VPN {
ike {
gateway CM_DC_IKE-GATEWAY;
ipsec-policy CM_DC_IPSEC-POLICY;
}
# Bring the tunnel up at commit rather than on first interesting traffic.
establish-tunnels immediately;
}
}
flow {
tcp-mss {
ipsec-vpn {
# Clamp TCP MSS for tunnelled flows to avoid fragmentation inside ESP.
mss 1350;
}
}
}
policies {
from-zone trust-main to-zone WAN {
# Only IPSEC_IP -> DC is steered into the tunnel (policy-based VPN);
# the paired ipsec-in policy below handles the reverse direction.
policy ipsec-out {
match {
source-address IPSEC_IP;
destination-address DC;
application any;
}
then {
permit {
tunnel {
ipsec-vpn CM_DC_IPSEC-VPN;
pair-policy ipsec-in;
}
}
}
}
# Everything else from trust-main to WAN is permitted in the clear.
# NOTE(review): because IPSEC_IP is a single /32, any other source on
# trust-main reaching DC is matched here and leaves unencrypted.
policy any-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone WAN to-zone trust-main {
policy ipsec-in {
match {
source-address DC;
destination-address IPSEC_IP;
application any;
}
then {
permit {
tunnel {
ipsec-vpn CM_DC_IPSEC-VPN;
pair-policy ipsec-out;
}
}
}
}
}
# Anything not matched above is dropped.
default-policy {
deny-all;
}
}
zones {
security-zone trust-main {
address-book {
# Local tunnel endpoint; must be the address the concentrator assigns
# via mode-config (172.16.57.2), which the SRX currently shows as
# 0.0.0.0 in its active-peer output.
address IPSEC_IP 172.16.57.2/32;
}
# All system services and protocols accepted from the trust side.
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.310;
ge-0/0/3.0;
lo0.0;
}
}
security-zone WAN {
address-book {
# Concentrator's tunnel-side address (172.16.57.1/24 on its ipsec
# interface).
address DC 172.16.57.1/32;
}
# NOTE(review): https and ssh are accepted on the WAN-facing zone, so
# device management is reachable from the uplink side. ike is required
# for the VPN; dhcp is needed because ge-0/0/0.0 is a DHCP client.
# Consider limiting management to trusted sources only.
host-inbound-traffic {
system-services {
dhcp;
https;
ping;
ssh;
ike;
traceroute;
}
}
interfaces {
ge-0/0/0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
description UPLINK;
unit 0 {
family inet {
dhcp;
}
}
}
the status on the concentrator:
/ip ipsec active-peers print detail
Flags: R - responder, N - natt-peer
0 R id="gianni" local-address=10.200.1.181 remote-address=10.201.0.16 state=established side=responder dynamic-address=172.16.57.2
uptime=29m20s last-seen=1m20s ph2-total=1
The status on the SRX:
root@PR_KUL_CR01> show security ike active-peer detail
Peer address: 10.200.1.181, Port: 500,
Peer IKE-ID : 10.200.1.181
AAA username: not available
Assigned network attributes:
IP Address : 0.0.0.0 , netmask : 0.0.0.0
DNS Address : 0.0.0.0 , DNS2 Address : 0.0.0.0
WINS Address : 0.0.0.0 , WINS2 Address : 0.0.0.0
Previous Peer address : 0.0.0.0, Port : 0
Active IKE SA indexes : 753515
IKE SA negotiated : 1
IPSec tunnels active : 1, IPSec Tunnel IDs : 2
root@PR_KUL_CR01> show security ike security-associations detail
IKE peer 10.200.1.181, Index 753515, Gateway Name: CM_DC_IKE-GATEWAY
Role: Initiator, State: UP
Initiator cookie: 013553f4c038c78e, Responder cookie: 268c68a0a8f50419
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 10.201.0.16:500, Remote: 10.200.1.181:500
Lifetime: Expires in 26970 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Disabled, Size: 0
Remote Access Client Info: Unknown Client
Peer ike-id: 10.200.1.181
AAA user-name: gianni
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-14
Traffic statistics:
Input bytes : 2400
Output bytes : 2632
Input packets: 22
Output packets: 23
Input fragmentated packets: 0
Output fragmentated packets: 0
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 10.201.0.16:500, Remote: 10.200.1.181:500
Local identity: PR_KUL_CR01
Remote identity: 10.200.1.181
Flags: IKE SA is created
The interesting thing is that the AAA-assigned IP is empty (0.0.0.0), while it should take the IP assigned by the concentrator (172.16.57.2).
------------------------------
Gianni Stubbe
------------------------------