  • 1.  Policy based VPN between SRX and ASA with multiple subnets on both local and remote end

    Posted 08-24-2014 02:27

     

    Hi All,

    I am facing some issues with a VPN tunnel between SRX and ASA with multiple subnets on both the local and remote end. On the SRX end I have local resources that reside in different security zones. I have configured multiple security policies with action TUNNEL with respect to the remote end resources.

    Now the tunnel has come up, but there is no access for the subnet that resides in a particular zone. I can see that multiple tunnels are formed in the "show security ipsec security-associations" output.

    I tried using route-based VPN, but due to the issue of proxy ID mismatch I shifted to policy-based VPN.

    Is there any limitation for multiple subnets over VPN, or is there any recommended way of achieving this goal?



  • 2.  RE: Policy based VPN between SRX and ASA with multiple subnets on both local and remote end

    Posted 08-24-2014 02:34

    Hi,

    I understand that for a particular subnet, traffic is not flowing even though the IPsec SA is up. Is that right?

    If Phase 2 is up, then traffic should work if appropriate policies allow it.

    Ensure that the security policy contains one subnet for the source and destination address.

    For the route-based VPN query:

    Use the Junos 12.1X46 version of code, where you have an option to configure traffic selectors for each subnet.

    http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/ipsec-vpn-traffic-selector-configuring.html


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: Policy based VPN between SRX and ASA with multiple subnets on both local and remote end

    Posted 08-24-2014 02:42

    Hi rparthi,

    Thanks for your swift response. Yes, the policy exists and source NAT is bypassed for the destination subnet (resource behind the ASA). Also I can see that there is a dedicated Phase 2 tunnel for the respective source subnet, but no tunnel is formed for the subnet that is having the issue.

    Output shown below:

     

    show security ipsec security-associations detail index 4
    Virtual-system: root
    Local Gateway: yy.yy.yy.yy, Remote Gateway: xx.xx.xx.xx
    Local Identity: ipv4_subnet(any:0,[0..7]=10.10.120.0/24)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv1
    DF-bit: clear
    Policy-name: v5_apps

    Direction: inbound, SPI: e27959ec, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 25010 seconds
    Lifesize Remaining: 4608000 kilobytes
    Soft lifetime: Expires in 24417 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a74e334b, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 25010 seconds
    Lifesize Remaining: 4608000 kilobytes
    Soft lifetime: Expires in 24417 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

     

    -----------------------------------------

    show security ipsec security-associations detail index 10
    Virtual-system: root
    Local Gateway: YY.YY.YY.YY, Remote Gateway: XX.XX.XX.XX
    Local Identity: ipv4_subnet(any:0,[0..7]=10.20.5.0/24)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv1
    DF-bit: clear
    Policy-name: dmz_v5

    Direction: inbound, SPI: fbf2e002, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 24916 seconds
    Lifesize Remaining: 4608000 kilobytes
    Soft lifetime: Expires in 24329 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: da3fa517, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 24916 seconds
    Lifesize Remaining: 4608000 kilobytes
    Soft lifetime: Expires in 24329 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

     

     



  • 4.  RE: Policy based VPN between SRX and ASA with multiple subnets on both local and remote end
    Best Answer

    Posted 08-24-2014 03:08

    Hi,

    The Phase 2 tunnel has the destination proxy ID as 0.0.0.0.

    It will not work.

    If you are configuring policy-based VPN, then create multiple security policies, each with one source and one destination.

    security policy from zone trust to zone untrust

    1. source x.x.x.x destination y.y.y.y then permit tunnel ipsec-vpn test

    2. source a.a.a.a destination b.b.b.b then permit tunnel ipsec-vpn test

    Edit the security policy for this problem tunnel and ensure you have only one source subnet and one destination subnet.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 5.  RE: Policy based VPN between SRX and ASA with multiple subnets on both local and remote end

    Posted 08-24-2014 06:47

    It did not work. Do we expect a unique Phase 2 tunnel for each security policy? In my case I can see that 2 Phase 2 tunnels are up, with the corresponding source subnet as the local proxy ID.



  • 6.  RE: Policy based VPN between SRX and ASA with multiple subnets on both local and remote end

    Posted 08-25-2014 22:57

    Hi rparthi,

    Thanks, it worked. As you mentioned, I tried an individual policy for each destination subnet and it started working.

    The proxy ID was not being derived when the destination prefixes were referenced in the same policy, hence the traffic was not forwarded to the correct tunnel. Thanks for your support.



  • 7.  RE: Policy based VPN between SRX and ASA with multiple subnets on both local and remote end

    Posted 08-25-2014 23:21

    Hi,

    Glad to know that your VPN issues are fixed.

    When more than one subnet is grouped into one address set, then the SRX device derives the proxy ID as 0.0.0.0.

     

    Regards,

    rparthi
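An added check (not part of this thread and not Juniper code) that models the proxy-ID rule rparthi states above and the one-source/one-destination fix from the accepted answer: it derives the identities a policy would negotiate, flags any that collapse to 0.0.0.0/0 or have no counterpart on the peer, and expands a multi-subnet policy into per-pair policies. The 192.168.x.x prefixes and the ASA selector set are constructed sample values; service "any" is assumed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class TunnelPolicy:
    """One SRX policy with action 'permit tunnel ipsec-vpn <vpn>'; source and
    destination hold the address-book prefixes the policy references."""
    name: str
    source: list
    destination: list
    vpn: str = "test"

def derive_proxy_id(prefixes):
    """Rule from the thread: a single address yields that prefix, while more than
    one address (an address-set or several entries) collapses to 0.0.0.0/0."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return nets[0] if len(nets) == 1 else ANY

def proxy_ids(policy):
    """(local, remote) identities in the notation of 'show security ipsec
    security-associations detail'. Service 'any' is assumed (the 'any:0' part)."""
    fmt = "ipv4_subnet(any:0,[0..7]={})"
    return fmt.format(derive_proxy_id(policy.source)), fmt.format(derive_proxy_id(policy.destination))

def check_policies(policies, peer_selectors):
    """Return (policy name, problem) pairs. peer_selectors is a constructed view
    of the ASA side: the (asa_local, asa_remote) prefix pairs it will accept."""
    findings = []
    for p in policies:
        local, remote = derive_proxy_id(p.source), derive_proxy_id(p.destination)
        if ANY in (local, remote):
            findings.append((p.name, f"proxy ID collapsed to 0.0.0.0/0 (local={local}, "
                                     f"remote={remote}); use one source and one destination"))
        elif (str(remote), str(local)) not in peer_selectors:  # ASA's local is our remote
            findings.append((p.name, f"peer has no selector for local={local} remote={remote}"))
    return findings

def split_policy(policy):
    """Expand a multi-subnet policy into one policy per source/destination pair,
    which is the fix the accepted answer describes."""
    pairs = [(s, d) for s in policy.source for d in policy.destination]
    return [TunnelPolicy(f"{policy.name}-{i}", [s], [d], policy.vpn) for i, (s, d) in enumerate(pairs)]

# Constructed sample: one DMZ policy referencing two remote subnets, as in the thread.
PEER_SELECTORS = {("192.168.50.0/24", "10.20.5.0/24"), ("192.168.60.0/24", "10.20.5.0/24")}
BROKEN = TunnelPolicy("dmz_v5", ["10.20.5.0/24"], ["192.168.50.0/24", "192.168.60.0/24"])
```

Running `check_policies([BROKEN], PEER_SELECTORS)` reproduces the thread's symptom (remote identity 0.0.0.0/0), and `check_policies(split_policy(BROKEN), PEER_SELECTORS)` returns no findings.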

     



  • 8.  RE: Policy based VPN between SRX and ASA with multiple subnets on both local and remote end

    Posted 08-26-2014 01:28

    Yes, you are right.