SRX

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN (SRX300)

    Posted 09-06-2019 09:06

    Good Afternoon Everyone!  

     

    I recently encountered a Dynamic VPN issue that has me scratching my head after upgrade a branch office to the SRX300.  I followed these instructions to create an IPSEC VPN https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html#id-example-configuring-dynamic-vpn.  I've opted to forgo Pulse because I don't like the idea of an exposed HTTPS interface and will be using OS native IPSEC/XAuth PSK clients (MacOS, Android).

     

    In summary, the clients are able to establish a P1 IKE security association, exchange a few P2 handshakes before eventually timing out.  Traceoptions are on for both IKE and IPSEC; I see an IKE P1 success message in the logs but nothing else.  The ike-debug log also reflects a similar situation.

     

    Without a specific error, I'm not sure where to look next.  Any ideas or pointers would be greatly appreciated!

    ----

    admin@Firewall> show security ike security-associations    

    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   

    6972517 UP     952e672cfec43cf0  f7130c4655d526ab  Aggressive     xxx.xxx.xxx.xxx

     

    admin@Firewall> show security ipsec security-associations

      Total active tunnels: 0     Total Ipsec sas: 0

     

    Sep  6 12:02:40  Firewall kmd[1993]: IKE negotiation successfully completed. IKE Version: 1, VPN: Dynamic-VPN Gateway: Dynamic-VPN-P1-Gateway,


    #vpn


  • 2.  RE: Dynamic VPN (SRX300)

    Posted 09-06-2019 09:32

    Hi ajwilder

     

    The configuration on the document you shared will only work if you use Pulse. If you are planning to establish a regular site-to-site VPN between the SRX and another device then you need to configure your VPN differently. If the software on your machine will simulate an IPsec gateway/peer, then try the following on the SRX:

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-route-based-ipsec-vpns.html#id-example-configuring-a-route-based-vpn

     

     

     



  • 3.  RE: Dynamic VPN (SRX300)

    Posted 09-06-2019 09:52

    Currently, dynamic VPN connections to the SRX are only support if you are using either Pulse or NCP clients.

     

    Pulse: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html

     

    NCP: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32418&actp=RSS

     

    Hope this helps you.

     



  • 4.  RE: Dynamic VPN (SRX300)

    Posted 09-06-2019 15:19

    Thanks for the quick reply!  I'm trying to establish a policy-based VPN where one side has a dynamic IP.  All of the documentation for site-to-site VPNs seem to require static IPs.  For example (https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-policy-based-ipsec-vpns.html).

     

    I assume that the SRX is waiting for traffic to establish the IPSec tunnel per the config: set security ipsec vpn Dynamic-VPN establish-tunnels on-traffic.  Attempting to change to immediately throws a commit error.



  • 5.  RE: Dynamic VPN (SRX300)

    Posted 09-06-2019 15:55

    ajwilder,

     

    If the VPN peer has a dynamic IP address you will need to slighty modify the configuration, specifically on the following aspects:

     

    1. mode aggressive has to be used:

     

    set security policy [Policy_Name] mode aggressive

     

    2. Let the SRX know that its peer has a dynamic IP address but it will authenticate itself with a hostname (juniper.net as exmaple):

     

    set security ike gateway [GTW_Name] dynamic hostname juniper.net

     

    Note this hostname doesnt need to resolve to any address, it is just a value; however it has to be configured on the remote end as the local-IKE ID of that device.

     

    Ref:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28077&actp=search

    https://www.fir3net.com/Firewalls/Juniper/srx-dyn.html

     

     



  • 6.  RE: Dynamic VPN (SRX300)

    Posted 09-07-2019 07:24

    Thanks again!  Unfortunately, I had those settings in place already.  Here is what I've got:

     

    admin@Firewall> show version 
    Hostname: Firewall
    Model: srx300
    Junos: 19.2R1.8
    JUNOS Software Release [19.2R1.8]

    IKE config:

    admin@Firewall> show configuration security ike gateway Dynamic-VPN-P1-Gateway    
    ike-policy Dynamic-VPN-P2-Policy;
    dynamic {
        hostname thebox;
        connections-limit 2;
        ike-user-type shared-ike-id;
    }
    nat-keepalive 200;
    external-interface ge-0/0/0.0;
    aaa {
        access-profile Dynamic-XAuth;
    }
    version v1-only;

    IKE Policy Config:

    admin@Firewall> show configuration security ike policy Dynamic-VPN-P1-Policy      
    mode aggressive;
    description "Dynamic%20P1%20Policy";
    proposals Dynamic-VPN-P1-Proposal;
    pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA

    IPSec Config:

    admin@Firewall> show configuration security ipsec vpn Dynamic-VPN                 
    ike {
        gateway Dynamic-VPN-P1-Gateway;
        ipsec-policy Dynamic-P2-Policy;
    }
    establish-tunnels immediately;

    Log output (NOTE: 192.168.1.5 is the external interface of the SRX; it is fully exposed with a FIOS NAT in front of it; no filter):

    Sep  7 10:13:36  Firewall kmd[1993]: IKE negotiation successfully completed. IKE Version: 1, VPN: Dynamic-VPN Gateway: Dynamic-VPN-P1-Gateway, Local: 192.168.1.5/4500, Remote: 111.111.111.111/11344, Local IKE-ID: 192.168.1.5, Remote IKE-ID: thebox, VR-ID: 0, Role: Responder

    Tcpdump Output:

    10:13:36.662662 IP 111.111.111.111.11340 > 192.168.1.5.500: isakmp: phase 1 I agg
    10:13:36.681588 IP 192.168.1.5.500 > 111.111.111.111.11340: isakmp: phase 1 R agg
    10:13:36.734498 IP 1111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 1 I agg
    10:13:36.738988 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
    10:13:36.741579 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
    10:13:36.773911 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
    10:13:36.777594 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
    10:13:36.814684 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
    10:13:36.817004 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
    10:13:36.821579 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
    10:13:36.823822 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
    10:13:36.863907 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
    10:13:36.870802 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
    10:13:36.873226 IP 192.168.1.5.4500 > 111.111.111.111.11344: NONESP-encap: isakmp: phase 2/others R #6[E]
    10:13:56.949886 IP 111.111.111.111.11344 > 192.168.1.5.4500: isakmp-nat-keep-alive
    10:14:16.978952 IP 111.111.111.111.11344 > 192.168.1.5.4500: isakmp-nat-keep-alive
    10:14:36.458051 IP 111.111.111.111.11344 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

    Even the debug logs only show success.  I'm begining to wonder if its the Junos version.  I've only attempted setting up the dynamic VPN on this version.  Any ideas on how I could further debug this?  I've never encountered this before.

     

    Thanks!