Screen OS

 View Only
last person joined: one year ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  Policy-based VPN challenge - Multi-line policy not working

    Posted 11-09-2009 04:39

    I've been trying the following scenario at my LAB, the VPN is UP and i see the logs on peer A but no log or reply from peer B.

     

    Configs:

     

    Peer A

        ID From     To       Src-address  Dst-address  Service Action State  
        11 Trust    Untrust  192.168.3.0~ 192.168.10.~ PING    Tunnel enabled
                                          192.168.2.0~

    Peer B

        ID From     To       Src-address  Dst-address  Service Action State  
         4 Untrust  Trust    192.168.3.0~ 192.168.10.~ PING    Tunnel enabled
                                          192.168.2.0~

     

     

    get sa (Peer A)

    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys

    00000007<  BBBBBBBBBBB  500 esp:a128/sha1 8fb8ba70  2653 unlim A/-    -1 0
    00000007>  BBBBBBBBBBB  500 esp:a128/sha1 92f9d192  2653 unlim A/-    11 0

     

    (peer B)

    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys

    00000017<  AAAAAAAAAAAAAA  500 esp:a128/sha1 92f9d192  2526 unlim A/-    -1 0
    00000017> 
    AAAAAAAAAAAAAA  500 esp:a128/sha1 8fb8ba70  2526 unlim A/-     3 0

     

    get db str (Peer A)

     

    ****** 1450076.0: <Trust/ethernet0/1> packet received [60]******
      ipid = 20687(50cf), @03988770
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/1:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/1>, out <N/A>
      [ Dest] 12.route 192.168.3.2->0.0.0.0, to ethernet0/1
      chose interface ethernet0/1 as incoming nat if.
      flow_first_routing: in <ethernet0/1>, out <N/A>
      search route to (ethernet0/1, 192.168.3.2->192.168.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 11.route 192.168.2.2->GWAAAAAAAA, to ethernet0/0
      routed (x_dst_ip 192.168.2.2) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/0
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.2, port 34131, proto 1)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 11/0/0x49
      Permitted by policy 11
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/1>, out <ethernet0/0>
      existing vector list 5-4ff6134.
      Session (id:8045) created for first pak 5
      flow_first_install_session======>
      handle cleartext reverse route
      search route to (ethernet0/0, 192.168.2.2->192.168.3.2) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/1
      [ Dest] 12.route 192.168.3.2->192.168.3.2, to ethernet0/1
      route to 192.168.3.2
      arp entry found for 192.168.3.2
      ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 8045
      flow_main_body_vector in ifp ethernet0/1 out ifp ethernet0/0
      flow vector index 0x5, vector addr 0x20b7680, orig vector 0x20b7680
      post addr xlation: 192.168.3.2->192.168.2.2.
      going into tunnel 40000007.
      flow_encrypt: pipeline.
    chip info: PIO. Tunnel id 00000007
    (vn2)  doing ESP encryption and size =64
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    ipsec encrypt engine released
    ipsec encrypt done
            put packet(3c33030) into flush queue.
            remove packet(3c33030) out from flush queue.

    **** jump to packet:AAAAAAAAAAAA->BBBBBBBBBBBBBBB
      packet encapsulated, type=ipsec, len=120
      ipid = 42890(a78a), @03988744
      out encryption tunnel 40000007 gw:BBBBBBBBBBBBB
      no more encapping needed
      send out through normal path.
      flow_ip_send: a78a:AAAAAAAAAAAAAA->BBBBBBBBBBB,50 => ethernet0/0(120) flag 0x20, vlan 0
      mac 0019e2e3dfc0 in session
      packet send out to 0019e2e3dfc0 through ethernet0/0
      **** pak processing end.

     

    (peer B)

     

    ****** 917489.0: <Untrust/ethernet0/0> packet received [120]******
      ipid = 42890(a78a), @0387b270
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/0:AAAAAAAAAAAAA/37625->BBBBBBBBBBBB/53650,50<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 8055
      flow_decrypt: 33ca708(b),   flow_decrypt: 33ca708(b)pipeline.
      IPv4 encrypted pak.
      Dec: SPI = 92f9d192, Data Len = 120
      SA tunnel id=0x00000017, flag<02400063>
      chip info: PIO. Tunnel id 00000017
      ipsec decrypt prepare done
    ipsec decrypt set engine done
      auth check pass!
    ipsec decrypt engine released
      packet is decrypted
      ipsec decrypt done
            put packet(3c33030) into flush queue.
            remove packet(3c33030) out from flush queue.

    **** jump to packet:192.168.3.2->192.168.2.2
      flow_decap_vector IPv4 process
      packet decapsulated, type=ipsec, len=60
      ipid = 20687(50cf), @0387b270
      ethernet0/0:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 192.168.3.2->192.168.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 10.route 192.168.2.2->192.168.2.2, to ethernet0/1
      routed (x_dst_ip 192.168.2.2) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
      policy search from zone 1-> zone 2
     policy_flow_search  policy search nat_crt from zone 1-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.2, port 34131, proto 1)
     policy_flow_search  in tunnel
      VPN policy= -99: szone 1 dzone 2 pid -99 ports 8008553 iphdr 387b270
      **** pak processing end.



     

    Anyone has a clue ?

     

    Thanks in advance,

    Michel


    #policy
    #screenos
    #vpn


  • 2.  RE: Policy-based VPN challenge - Multi-line policy not working
    Best Answer

    Posted 11-09-2009 09:42

    Found the solution, just put the networks on a group and use that group on the policy.