Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  Issue routing VPN traffic

    Posted 10-21-2024 15:45

    SRX345

    Software Version    22.4R2.8

    BIOS Version    3.12

    Hey all. I have inherited the company setup and I am trying to work my way through this device. I have managed to come out on top with the tasks set, but this one isn't making sense.

    One of our clients is wanting to set up a new VPN to move away from their current setup. The VPN is in place and connected. A static route has been set up to route all traffic for their new subnet down the st interface. I have set up a static NAT that mirrors their current setup; ICMP traffic wasn't getting a response. This doesn't work for the entire subnet, but will work for individual IP addresses.

    What I have tried with the static NAT (all traffic from the new VPN):

    Destination Address 192.168.220.0/22  -> Prefix 172.23.32.0/22 - doesn't work on the new VPN, but does on the current one.

    Destination Address 192.168.223.0/24  -> Prefix 172.23.32.0/24 - doesn't work on the new VPN. Both devices (VM and my laptop) were on the 32.0/24 range.

    Destination Address 192.168.223.100/32  -> Prefix 172.23.32.240/32 - ICMP responded on the VM

    Destination Address 192.168.223.100/32  -> Prefix 172.23.32.214/32 - ICMP responded on the laptop

    Unsure how there can be a rule that works for the current setup but the same rule doesn't work for the new setup. From what I have seen it's meant to be traffic per VPN. You can set the same rules on different VPNs.

    Any other ideas or information?



    ------------------------------
    TYSON MOORE
    ------------------------------


  • 2.  RE: Issue routing VPN traffic

    This message was posted by a user wishing to remain anonymous
    Posted 10-21-2024 16:30

    Are you cutting over (removing the related old VPN config) or just having two VPNs in parallel?

    Depending on the config, NAT, traffic selectors, proxy IDs and some other features do not work in parallel. It's either one or the other.




  • 3.  RE: Issue routing VPN traffic

    Posted 10-21-2024 18:18

    I believe that it will eventually be cut over, but it is initially in the testing phase to make sure it works, as it involves connecting to client machines at the other end, and it appears the packets don't flow back properly unless the NAT rules are in place.



    ------------------------------
    TYSON MOORE
    ------------------------------



  • 4.  RE: Issue routing VPN traffic

    Posted 10-25-2024 06:27
    Edited by Simon Bingham (technical debt collector) 10-25-2024 06:32

    Hi Tyson

    I know you might have security concerns, but you might need to post more info, maybe a config with the key data obfuscated.

    One reason for a VPN just not working that used to catch me out was this:

    Is the st interface part of a zone? It's easy to forget and hard to spot.

    For example:

    set security zones security-zone VPN_ZONE interfaces st0.0

    And for testing I would set up a policy that allows all traffic to and from your VPN.

    ------------------------------
    JNCIE-ENT 907
    ------------------------------
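A worked configuration covering the two points in the reply above (bind the st interface to a zone, permit everything during testing) together with the subnet-wide static NAT from the original post. This is an added illustration, not config taken from the thread or from Juniper's documentation. The zone names VPN_NEW and trust, the remote client subnet 10.200.0.0/24, and the rule-set and policy names are assumptions; st0.500, 172.23.32.0/22 and 192.168.220.0/22 come from the thread.

```junos
## Assumed names (not from the thread): zone VPN_NEW for the new tunnel, zone trust
## for the LAN that holds 172.23.32.0/22, and 10.200.0.0/24 as the remote client subnet.
## Lines starting with ## are explanatory; drop them before "load set terminal".

## 1. Bind the new tunnel interface to its own zone and let the SRX answer ping
##    on it, so a test from the far end can reach the interface itself.
set security zones security-zone VPN_NEW interfaces st0.500
set security zones security-zone VPN_NEW host-inbound-traffic system-services ping

## 2. Temporary permit-all policies in both directions (tighten before cut-over).
##    Logging session-init/close gives a record of what actually matched.
set security policies from-zone VPN_NEW to-zone trust policy test-vpn-in match source-address any
set security policies from-zone VPN_NEW to-zone trust policy test-vpn-in match destination-address any
set security policies from-zone VPN_NEW to-zone trust policy test-vpn-in match application any
set security policies from-zone VPN_NEW to-zone trust policy test-vpn-in then permit
set security policies from-zone VPN_NEW to-zone trust policy test-vpn-in then log session-init session-close
set security policies from-zone trust to-zone VPN_NEW policy test-vpn-out match source-address any
set security policies from-zone trust to-zone VPN_NEW policy test-vpn-out match destination-address any
set security policies from-zone trust to-zone VPN_NEW policy test-vpn-out match application any
set security policies from-zone trust to-zone VPN_NEW policy test-vpn-out then permit

## 3. Return path to the client subnet. With traffic selectors configured Junos
##    normally inserts this route itself (auto route insertion); keep it only if
##    "show route 10.200.0.0/24" does not already point at st0.500.
set routing-options static route 10.200.0.0/24 next-hop st0.500

## 4. Static NAT for the whole subnet, scoped to traffic arriving from the new
##    zone so it does not compete with the rule-set serving the existing VPN.
##    Static NAT is bidirectional and keeps the host bits of the prefix:
##    192.168.220.0/22 <-> 172.23.32.0/22, so 192.168.223.100 lands on
##    172.23.35.100 (offset 3.100 into the /22), not on 172.23.32.100.
set security nat static rule-set NEW-VPN-STATIC from zone VPN_NEW
set security nat static rule-set NEW-VPN-STATIC rule MAP-LAN match destination-address 192.168.220.0/22
set security nat static rule-set NEW-VPN-STATIC rule MAP-LAN then static-nat prefix 172.23.32.0/22
```

Two checks worth doing after commit. First, work out which inside address each tested host really maps to under the prefix rule: a /22-to-/22 mapping carries the third-octet offset across, so a host that answered at 172.23.32.240 under a /32 rule is reachable as 192.168.220.240 under the /22 rule, not 192.168.223.240. Second, confirm the path with `show security nat static rule all` (translation hit counters), `show security flow session destination-prefix 172.23.32.0/22` (whether a session was built and through which zones), `show security policies hit-count`, and `monitor security packet-drop` while pinging, which reports the reason the flow module discarded a packet if it never built a session.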



  • 5.  RE: Issue routing VPN traffic

    Posted 10-28-2024 22:10

    Is this along the lines of what you're looking for?

    ***********************************************************

    Security zone: xxxx_New_VPN
      Zone ID: 22
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes
      Interfaces bound: 1
      Interfaces:
        st0.500
      Advanced-connection-tracking timeout: 1800
      Unidirectional-session-refreshing: No

    ***********************************************************

    And as it's currently in the testing phase, I already have it set for all traffic.



    ------------------------------
    TYSON MOORE
    ------------------------------



  • 6.  RE: Issue routing VPN traffic

    Posted 10-29-2024 05:12

    Yes :-)

    Do you have a security association? I'm sure Juniper has a pretty good flow chart for troubleshooting VPNs. 

    flowchart_kb10100.pdf



    ------------------------------
    JNCIE-ENT 907
    ------------------------------



  • 7.  RE: Issue routing VPN traffic

    Posted 30 days ago

    My understanding was that you couldn't setup this sort of VPN without the security association...

    ID: 131166 Virtual-system: root, VPN Name: xxxx_New_VPN
      Local Gateway: xxx.xxx.xxx.xxx, Remote Gateway: xxx.xxx.xxx.xxx
      Local Identity: ipv4_subnet(any:0,[0..7]=xxx.xxx.xxx.xxx/22)
      Remote Identity: ipv4_subnet(any:0,[0..7]=xxx.xxx.xxx.xxx/24)
      Version: IKEv2
      DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.500
      Port: 500, Nego#: 656, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
      Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
      Tunnel events:
        Tue Nov 05 2024 09:58:42 +1300: IPSec SA rekey successfully completed (14 times)
        Tue Nov 05 2024 08:49:34 +1300: IKE SA rekey successfully completed (3 times)
        Mon Nov 04 2024 22:24:12 +1300: IPSec SA negotiation successfully completed (1 times)
        Mon Nov 04 2024 22:23:36 +1300: Idle timer triggered. Existing IPSec SAs cleared (1 times)
        Mon Nov 04 2024 21:43:04 +1300: IPSec SA rekey successfully completed (12 times)
        Mon Nov 04 2024 11:47:42 +1300: IPSec SA negotiation successfully completed (1 times)
        Mon Nov 04 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
        Mon Nov 04 2024 11:22:40 +1300: IPSec SA rekey successfully completed (17 times)
        Mon Nov 04 2024 08:00:59 +1300: IKE SA rekey successfully completed (3 times)
        Sun Nov 03 2024 21:19:10 +1300: IPSec SA negotiation successfully completed (1 times)
        Sun Nov 03 2024 21:19:03 +1300: Idle timer triggered. Existing IPSec SAs cleared (1 times)
        Sun Nov 03 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
        Sun Nov 03 2024 07:50:35 +1300: IKE SA rekey successfully completed (3 times)
        Sat Nov 02 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
        Sat Nov 02 2024 08:01:29 +1300: IKE SA rekey successfully completed (3 times)
        Fri Nov 01 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
      Direction: inbound, SPI: 48350626, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 1504 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 883 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
      Direction: outbound, SPI: ba0784d2, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 1504 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 883 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64



    ------------------------------
    TYSON MOORE
    ------------------------------



  • 8.  RE: Issue routing VPN traffic

    This message was posted by a user wishing to remain anonymous
    Posted 10-25-2024 07:19

    Have you tried using monitor security packet-drop, and possibly a traceroute, to see which side of the tunnel isn't accepting the traffic, if any?

    monitor security packet-drop | Junos OS | Juniper Networks