My understanding was that you couldn't set up this sort of VPN without the security association...
ID: 131166 Virtual-system: root, VPN Name: xxxx_New_VPN
Local Gateway: xxx.xxx.xxx.xxx, Remote Gateway: xxx.xxx.xxx.xxx
Local Identity: ipv4_subnet(any:0,[0..7]=xxx.xxx.xxx.xxx/22)
Remote Identity: ipv4_subnet(any:0,[0..7]=xxx.xxx.xxx.xxx/24)
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.500
Port: 500, Nego#: 656, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
Tunnel events:
Tue Nov 05 2024 09:58:42 +1300: IPSec SA rekey successfully completed (14 times)
Tue Nov 05 2024 08:49:34 +1300: IKE SA rekey successfully completed (3 times)
Mon Nov 04 2024 22:24:12 +1300: IPSec SA negotiation successfully completed (1 times)
Mon Nov 04 2024 22:23:36 +1300: Idle timer triggered. Existing IPSec SAs cleared (1 times)
Mon Nov 04 2024 21:43:04 +1300: IPSec SA rekey successfully completed (12 times)
Mon Nov 04 2024 11:47:42 +1300: IPSec SA negotiation successfully completed (1 times)
Mon Nov 04 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
Mon Nov 04 2024 11:22:40 +1300: IPSec SA rekey successfully completed (17 times)
Mon Nov 04 2024 08:00:59 +1300: IKE SA rekey successfully completed (3 times)
Sun Nov 03 2024 21:19:10 +1300: IPSec SA negotiation successfully completed (1 times)
Sun Nov 03 2024 21:19:03 +1300: Idle timer triggered. Existing IPSec SAs cleared (1 times)
Sun Nov 03 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
Sun Nov 03 2024 07:50:35 +1300: IKE SA rekey successfully completed (3 times)
Sat Nov 02 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
Sat Nov 02 2024 08:01:29 +1300: IKE SA rekey successfully completed (3 times)
Fri Nov 01 2024 11:47:42 +1300: IKE SA negotiation successfully completed (1 times)
Direction: inbound, SPI: 48350626, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1504 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 883 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: ba0784d2, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1504 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 883 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
------------------------------
TYSON MOORE
------------------------------
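A check over output like the `show security ipsec security-associations detail` listing Tyson posted above, added here as an example and not code from the thread: it pulls out the fields that answer "do you have a security association" (both directions negotiated and installed, bound to an st0 interface, lifetimes) and then tests whether a given decrypted packet falls inside the negotiated identities. The sample output is constructed; the gateways and the identity prefixes are invented because the post masks them with xxx, and everything else copies the posted layout.

```python
import ipaddress
import re

# Constructed sample in the shape of `show security ipsec security-associations detail`.
# Gateways and identities are invented (the thread masks them); the other fields and
# the odd ", VPN Monitoring: -" continuation line mirror the posted output.
SA_DETAIL = """\
ID: 131166 Virtual-system: root, VPN Name: xxxx_New_VPN
Local Gateway: 203.0.113.10, Remote Gateway: 198.51.100.20
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.220.0/22)
Remote Identity: ipv4_subnet(any:0,[0..7]=10.50.0.0/24)
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.500
Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
Direction: inbound, SPI: 48350626, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1504 seconds
Soft lifetime: Expires in 883 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
Direction: outbound, SPI: ba0784d2, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1504 seconds
Soft lifetime: Expires in 883 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
"""

IDENT_RE = re.compile(r"(Local|Remote) Identity: ipv4_subnet\(any:0,\[0\.\.7\]=(\S+?)\)")
DIR_RE = re.compile(r"Direction: (inbound|outbound), SPI: ([0-9a-f]+)")
STATE_RE = re.compile(r"Type: (\w+), State: (\w+)")
LIFE_RE = re.compile(r"(Hard|Soft) lifetime: Expires in (\d+) seconds")


def parse_sa_detail(text):
    """Extract the fields that matter for 'is there a usable SA' from the detail output."""
    sa = {"vpn": None, "bind_interface": None, "local_id": None,
          "remote_id": None, "directions": []}
    cur = None  # the per-direction (inbound/outbound) SA currently being filled
    for line in text.splitlines():
        if (m := re.search(r"VPN Name: (\S+)", line)):
            sa["vpn"] = m.group(1)
        elif (m := re.search(r"Bind-interface: (\S+)", line)):
            sa["bind_interface"] = m.group(1)
        elif (m := IDENT_RE.search(line)):
            sa[m.group(1).lower() + "_id"] = ipaddress.ip_network(m.group(2))
        elif (m := DIR_RE.search(line)):
            cur = {"direction": m.group(1), "spi": m.group(2),
                   "state": None, "hard": None, "soft": None}
            sa["directions"].append(cur)
        elif cur and (m := STATE_RE.search(line)):
            cur["state"] = m.group(2)
        elif cur and (m := LIFE_RE.search(line)):
            cur[m.group(1).lower()] = int(m.group(2))
    return sa


def sa_problems(sa):
    """Reasons the tunnel cannot carry traffic yet; an empty list means the SA looks usable."""
    problems = []
    dirs = {d["direction"]: d for d in sa["directions"]}
    for want in ("inbound", "outbound"):
        d = dirs.get(want)
        if d is None:
            problems.append(f"no {want} SA negotiated")
        elif d["state"] != "installed":
            problems.append(f"{want} SA state is {d['state']}, not installed")
    if not sa["bind_interface"]:
        problems.append("SA is not bound to an st0 interface")
    return problems


def covered_by_selectors(sa, inner_src, inner_dst):
    """True if a decrypted inbound packet (src, dst) sits inside the negotiated identities.

    The destination must be the address the remote peer sends to; the SRX matches the
    decapsulated packet against the identities before any static NAT rewrites it.
    """
    return (ipaddress.ip_address(inner_src) in sa["remote_id"]
            and ipaddress.ip_address(inner_dst) in sa["local_id"])


if __name__ == "__main__":
    sa = parse_sa_detail(SA_DETAIL)
    print(sa["vpn"], sa["bind_interface"], sa["local_id"], sa["remote_id"])
    print("problems:", sa_problems(sa) or "none")
    for dst in ("192.168.223.100", "172.23.32.214"):
        print(dst, "inside local identity:", covered_by_selectors(sa, "10.50.0.7", dst))
```

The selector check deliberately takes the pre-NAT addresses: with the sample identity of 192.168.220.0/22 a packet for 192.168.223.100 is covered, while the inside address 172.23.32.214 that a static-NAT rule maps it to is not, so a local identity written in terms of the inside range would fail this check even though the SA is up.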
Original Message:
Sent: 10-29-2024 05:12
From: Simon Bingham (technical debt collector)
Subject: Issue routing VPN traffic
Yes :-)
Do you have a security association? I'm sure Juniper has a pretty good flow chart for troubleshooting VPNs.
flowchart_kb10100.pdf
------------------------------
JNCIE-ENT 907
Original Message:
Sent: 10-28-2024 22:09
From: TYSON MOORE
Subject: Issue routing VPN traffic
Is this along the lines of what you're looking for?
***********************************************************
Security zone: xxxx_New_VPN
Zone ID: 22
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
st0.500
Advanced-connection-tracking timeout: 1800
Unidirectional-session-refreshing: No
***********************************************************
And as it's currently in the testing phase, I already have it set for all traffic.
------------------------------
TYSON MOORE
Original Message:
Sent: 10-25-2024 06:26
From: Simon Bingham (technical debt collector)
Subject: Issue routing VPN traffic
Hi Tyson
I know you might have security concerns but you might need to post more info, maybe a config with the key data obfuscated.
One reason for a VPN just not working that used to catch me out was...
Is the st interface part of a zone? It's easy to forget and hard to spot.
For example:
set security zones security-zone VPN_ZONE interfaces st0.0
And for testing I would set up a policy that allows all traffic to and from your VPN.
------------------------------
JNCIE-ENT 907
Original Message:
Sent: 10-21-2024 14:02
From: TYSON MOORE
Subject: Issue routing VPN traffic
SRX345
Software Version 22.4R2.8
BIOS Version 3.12
Hey all. I have inherited the company setup and I am trying to work my way through this device. I have managed to come out on top with the tasks set, but this one isn't making sense.
One of our clients is wanting to set up a new VPN to move away from their current setup. The VPN is in place and connected. A static route has been set up to route all traffic for their new subnet down the ST interface. I have set up a static NAT that mirrors their current setup; ICMP traffic wasn't getting a response. This doesn't work for the entire subnet, but will work for individual IP addresses.
What I have tried with the static NAT (all traffic from the new VPN):
Destination Address 192.168.220.0/22 -> Prefix 172.23.32.0/22 - doesn't work on the new VPN, but does on the current one.
Destination Address 192.168.223.0/24 -> Prefix 172.23.32.0/24 - doesn't work on the new VPN. Both devices (VM and my laptop) were on the 32.0/24 range.
Destination Address 192.168.223.100/32 -> Prefix 172.23.32.240/32 - ICMP responded on the VM
Destination Address 192.168.223.100/32 -> Prefix 172.23.32.214/32 - ICMP responded on the laptop
Unsure how there can be a rule that works for the current setup but the same rule doesn't work for the new setup. From what I have seen it's meant to be traffic per VPN. You can set the same rules on different VPNs.
Any other ideas or information?
------------------------------
TYSON MOORE
------------------------------
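Worked arithmetic for the four static-NAT attempts in Tyson's original post, added here as an example and not code from the thread. Junos static NAT is a one-to-one mapping that keeps the host bits and swaps only the network part, so the inside host a remote-side destination lands on depends on the prefix length of the rule. The four rules are the ones quoted in the post; the destination address fed through them (192.168.223.100) is the one the post names for the /32 tests and is assumed for the prefix tests, which the post does not spell out.

```python
import ipaddress

# The four static-NAT attempts quoted in the thread, as (destination-address, prefix).
RULES = {
    "/22": ("192.168.220.0/22", "172.23.32.0/22"),
    "/24": ("192.168.223.0/24", "172.23.32.0/24"),
    "/32 VM": ("192.168.223.100/32", "172.23.32.240/32"),
    "/32 laptop": ("192.168.223.100/32", "172.23.32.214/32"),
}

# Assumed test destination: the address the post names for the two /32 tests.
TESTED_DESTINATION = "192.168.223.100"


def static_nat(dest_addr, prefix, addr):
    """Inside address a Junos static-NAT rule maps `addr` to, or None if the rule does not match.

    Static NAT keeps the host bits of `addr` and replaces the network part, which is why
    destination-address and prefix must have the same length.
    """
    outside = ipaddress.ip_network(dest_addr)
    inside = ipaddress.ip_network(prefix)
    if outside.prefixlen != inside.prefixlen:
        raise ValueError("static NAT needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in outside:
        return None
    offset = int(ip) - int(outside.network_address)
    return ipaddress.ip_address(int(inside.network_address) + offset)


def reverse_static_nat(dest_addr, prefix, inside_addr):
    """Reply direction: which remote-side destination reaches `inside_addr` under this rule."""
    return static_nat(prefix, dest_addr, inside_addr)


def mapping_table(addr, rules=RULES):
    """Inside host hit by `addr` under each rule (None where the rule does not match)."""
    return {name: static_nat(d, p, addr) for name, (d, p) in rules.items()}


if __name__ == "__main__":
    for name, target in mapping_table(TESTED_DESTINATION).items():
        print(f"{name:10s} {TESTED_DESTINATION} -> {target}")
    for host in ("172.23.32.240", "172.23.32.214"):
        for name in ("/22", "/24"):
            d, p = RULES[name]
            print(f"{name:4s} {host} is reached as {reverse_static_nat(d, p, host)}")
```

Under the /22 rule 192.168.223.100 lands on 172.23.35.100 and under the /24 rule on 172.23.32.100, neither of which is the VM (.240) or the laptop (.214); the prefix rules only reach those hosts via 192.168.220.214/.240 (/22) or 192.168.223.214/.240 (/24). Two further checks worth running before changing the rules: confirm the prefix rule's inside range actually matches the hosts you ping, and confirm the static NAT rule-set's `from zone` (or `from interface`) names the zone or st0 unit of the new tunnel, since a rule-set keyed on the old VPN's zone is never consulted for traffic arriving on st0.500.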