SRX


Ask questions and share experiences about the SRX Series.
  • 1.  Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-18-2022 17:04
    This topic has been posted before but I have a slightly different scenario.

    I had always thought you could build multiple tunnels from the same device TO the same device using the same source-gateway and destination-gateway as long as the tunnels were aggressive using dynamic-hostname.

    1 tunnel comes up, but the other is getting 'No Proposal Chosen'.

    Below is a simplified diagram - any input would be appreciated!



    ------------------------------
    JOHN
    ------------------------------


  • 2.  RE: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-19-2022 05:44
    Hi John,

    I'm sure somebody else will be able to provide a more helpful reply, but I always find any info useful, so I thought I'd let you know that I have exactly the same setup as your diagram working. I am not using dynamic-hostname, just a static IP at both ends, so your issue may be with this part of the configuration; I haven't tried to do it that way before. However, the gateway will have a dynamic-hostname entry, which I believe must be configured as the local ID at the remote end, so I'm a bit confused by your diagram, which suggests you have more than one gateway statement as you have Foo and Bar.

    Is it possible to post the relevant part of your config? I'm not sure anyone will be able to resolve your issue from your diagram alone.


  • 3.  RE: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-20-2022 18:38
    Edited by JOHN P2023 10-24-2022 17:31

    Thanks for the reply -

    As you suggested, I placed both into main mode on both ends, and set local-id/remote-id for both.

    However, the end result is one tunnel flaps, the other tunnel does not come up.

    Please see the attached config - see anything out of place?

    set security ike proposal pre-g14-aes256-sha256 authentication-method pre-shared-keys
    set security ike proposal pre-g14-aes256-sha256 dh-group group14
    set security ike proposal pre-g14-aes256-sha256 authentication-algorithm sha-256
    set security ike proposal pre-g14-aes256-sha256 encryption-algorithm aes-256-cbc
    
    set security ike policy phase1 mode main
    set security ike policy phase1 proposals pre-g14-aes256-sha256
    set security ike policy phase1 pre-shared-key ascii-text <redacted>
    
    set security ike gateway gw2foo ike-policy phase1
    set security ike gateway gw2foo address 10.255.2.0
    set security ike gateway gw2foo dead-peer-detection
    set security ike gateway gw2foo local-identity hostname foo1
    set security ike gateway gw2foo remote-identity hostname foo2
    set security ike gateway gw2foo external-interface reth5.0
    
    set security ike gateway gw2bar ike-policy phase1
    set security ike gateway gw2bar address 10.255.2.0
    set security ike gateway gw2bar dead-peer-detection
    set security ike gateway gw2bar local-identity hostname bar1
    set security ike gateway gw2bar remote-identity hostname bar2
    set security ike gateway gw2bar external-interface reth5.0
    
    set security ipsec proposal g14-esp-aes256-sha256 protocol esp
    set security ipsec proposal g14-esp-aes256-sha256 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal g14-esp-aes256-sha256 encryption-algorithm aes-256-cbc
    
    set security ipsec policy phase2 proposals g14-esp-aes256-sha256
    set security ipsec policy phase2 perfect-forward-secrecy keys group14
    
    set security ipsec vpn vpn2foo bind-interface st0.1
    set security ipsec vpn vpn2foo ike gateway gw2foo
    set security ipsec vpn vpn2foo ike proxy-identity
    set security ipsec vpn vpn2foo ike ipsec-policy phase2
    set security ipsec vpn vpn2foo establish-tunnels immediately
    
    set security ipsec vpn vpn2bar bind-interface st0.2
    set security ipsec vpn vpn2bar ike gateway gw2bar
    set security ipsec vpn vpn2bar ike proxy-identity
    set security ipsec vpn vpn2bar ike ipsec-policy phase2
    set security ipsec vpn vpn2bar establish-tunnels immediately
    
    set security zones security-zone foo interfaces st0.1
    set security zones security-zone bar interfaces st0.2
    
    set routing-instances foo-vr instance-type virtual-router
    set routing-instances foo-vr interface st0.1
    set routing-instances foo-vr routing-options static route 0.0.0.0/0 next-hop st0.1
    
    set routing-instances bar-vr instance-type virtual-router
    set routing-instances bar-vr interface st0.2
    set routing-instances bar-vr routing-options static route 0.0.0.0/0 next-hop st0.2


    ------------------------------
    JOHN
    ------------------------------



  • 4.  RE: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-21-2022 05:14
    Hi,

    I have mine working by just using a single gateway statement and no local/remote-id hostnames, but proxy-id needs to be configured or else only one tunnel will pass traffic.

    If I was to amend the ike gateway and ipsec vpn from your config to match my setup it would look as follows...


    #no ike gateway gw2bar
    #delete local/remote-identity hostnames

    set security ike gateway gw2foo ike-policy phase1
    set security ike gateway gw2foo address 10.255.2.0
    set security ike gateway gw2foo dead-peer-detection
    set security ike gateway gw2foo external-interface reth5.0


    #both use gw2foo gateway
    #configure unique local and remote proxy-identity

    set security ipsec vpn vpn2foo bind-interface st0.1
    set security ipsec vpn vpn2foo ike gateway gw2foo
    set security ipsec vpn vpn2foo ike proxy-identity local 1.1.1.1/32 (example st0.1 local IP)
    set security ipsec vpn vpn2foo ike proxy-identity remote 1.1.1.2/32 (example st0.1 remote IP)
    set security ipsec vpn vpn2foo ike ipsec-policy phase2
    set security ipsec vpn vpn2foo establish-tunnels immediately

    set security ipsec vpn vpn2bar bind-interface st0.2
    set security ipsec vpn vpn2bar ike gateway gw2foo
    set security ipsec vpn vpn2bar ike proxy-identity local 2.2.2.1/32 (example st0.2 local IP)
    set security ipsec vpn vpn2bar ike proxy-identity remote 2.2.2.2/32 (example st0.2 remote IP)
    set security ipsec vpn vpn2bar ike ipsec-policy phase2
    set security ipsec vpn vpn2bar establish-tunnels immediately

    This is just how mine is setup, I haven't played around enough to know exactly what is possible, especially using dynamic hostnames, but this works for me.
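As an added illustration (not the poster's configuration and not anything from Junos itself), the Python lint below reads Junos "set"-style lines and flags the two conditions this thread turns on: two main-mode IKE gateways pointed at the same peer address, and VPNs on one gateway whose proxy-identity pairs collide. The three sample configs, including the 1.1.1.x and 2.2.2.x prefixes, are constructed to mirror the layouts discussed above.

```python
from collections import defaultdict

def parse_set_config(text):
    """Collect IKE gateways, IKE policy modes and IPsec VPNs from Junos 'set' lines."""
    gws, modes, vpns = defaultdict(dict), {}, defaultdict(dict)
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "set":
            continue
        if t[1:4] == ["security", "ike", "gateway"]:
            gws[t[4]][t[5]] = t[6]                 # address, external-interface, ike-policy
        elif t[1:4] == ["security", "ike", "policy"] and t[5] == "mode":
            modes[t[4]] = t[6]
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5] == "ike" and len(t) > 7:
            if t[6] == "gateway":
                vpns[t[4]]["gateway"] = t[7]
            elif t[6] == "proxy-identity" and len(t) > 8:
                vpns[t[4]][t[7]] = t[8]            # "local" / "remote" prefix
    return gws, modes, vpns

def lint(text):
    gws, modes, vpns = parse_set_config(text)
    by_peer, by_proxy = defaultdict(list), defaultdict(list)
    # 1. Main mode sends the IKE ID encrypted, so the responder can only select a gateway by peer IP.
    for name, g in gws.items():
        if modes.get(g.get("ike-policy"), "main") == "main":     # main is the Junos default
            by_peer[(g.get("address"), g.get("external-interface"))].append(name)
    # 2. An unset proxy-identity defaults to 0.0.0.0/0 <-> 0.0.0.0/0, so VPNs on one gateway collide.
    for name, v in vpns.items():
        by_proxy[(v.get("gateway"), v.get("local", "0.0.0.0/0"),
                  v.get("remote", "0.0.0.0/0"))].append(name)
    return ([f"main-mode gateways {sorted(n)} share peer {a} on {i}"
             for (a, i), n in by_peer.items() if len(n) > 1] +
            [f"vpns {sorted(n)} on {gw} share proxy-id {l} -> {r}"
             for (gw, l, r), n in by_proxy.items() if len(n) > 1])

# Constructed samples: the original two-gateway layout, the same collapsed onto
# one gateway with default proxy-ids, and the working layout from the replies.
BROKEN = """set security ike policy phase1 mode main
set security ike gateway gw2foo address 10.255.2.0
set security ike gateway gw2bar address 10.255.2.0
set security ipsec vpn vpn2foo ike gateway gw2foo
set security ipsec vpn vpn2bar ike gateway gw2bar"""
SINGLE_GW = BROKEN.replace("gateway gw2bar address 10.255.2.0", "").replace("gateway gw2bar", "gateway gw2foo")
FIXED = SINGLE_GW + """
set security ipsec vpn vpn2foo ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn2foo ike proxy-identity remote 1.1.1.2/32
set security ipsec vpn vpn2bar ike proxy-identity local 2.2.2.1/32
set security ipsec vpn vpn2bar ike proxy-identity remote 2.2.2.2/32"""
```

Running `lint` over the three samples yields one gateway finding, one proxy-id finding, and none, in that order.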


  • 5.  RE: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-24-2022 15:20
    Edited by JOHN P2023 10-24-2022 17:30
    Hey - I got it working!

    In times past, I had always thought the proxy-identity acted somewhat as a security-policy that would only permit the subnets specified to transit the tunnel.

    Am I wrong about this?

    ------------------------------
    JOHN
    ------------------------------



  • 6.  RE: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-25-2022 04:06
    Hi,
    My understanding is that if you are using policy-based VPN, the proxy-IDs will be generated by the "interesting" traffic statements, creating a tunnel for each. Likewise, using route-based VPN with traffic-selector statements, the proxy-IDs will be generated from these, creating multiple SAs. Without using these two methods it seems you can just manually configure the proxy-ID, which will only be used to bring up the VPN; you can then send any traffic to the tunnel with routing statements regardless of proxy-ID. This is the behaviour I see.


  • 7.  RE: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-21-2022 06:35
    Hi,
    I have mine working by just using a single gateway entry with no identity hostnames, but proxy-identity must be configured or only one tunnel will pass traffic. So if I were to amend your config to look like mine, the amended sections would look like this:

    Deleted local/remote-identity
    Only one ike gateway statement, no gw2bar
    set security ike gateway gw2foo ike-policy phase1
    set security ike gateway gw2foo address 10.255.2.0
    set security ike gateway gw2foo dead-peer-detection
    set security ike gateway gw2foo external-interface reth5.0


    Set VPNs to use the same gateway
    set proxy-id local and remote

    set security ipsec vpn vpn2foo bind-interface st0.1
    set security ipsec vpn vpn2foo ike gateway gw2foo
    set security ipsec vpn vpn2foo ike proxy-identity local (local st0.1 tun IP Addr)
    set security ipsec vpn vpn2foo ike proxy-identity remote (remote st0.1 tun IP Addr)
    set security ipsec vpn vpn2foo ike ipsec-policy phase2
    set security ipsec vpn vpn2foo establish-tunnels immediately

    set security ipsec vpn vpn2bar bind-interface st0.2
    set security ipsec vpn vpn2bar ike gateway gw2foo
    set security ipsec vpn vpn2bar ike proxy-identity local (local st0.2 tun IP Addr)
    set security ipsec vpn vpn2bar ike proxy-identity remote (remote st0.2 tun IP Addr)
    set security ipsec vpn vpn2bar ike ipsec-policy phase2
    set security ipsec vpn vpn2bar establish-tunnels immediately

    This is just how I have mine working,
    I haven't played around enough with other combinations to know what is possible or your exact setup, so can't guarantee anything but may help.


  • 8.  RE: Multiple IPSec tunnels from same source and destination IPs using virtual-routing instances

    Posted 10-21-2022 11:53
    What type of errors are being generated by the responder device? If nothing else, assuming that using the same enc domain is the cause (in theory, it shouldn't be), I would try the NAT option for one of them.