SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    I was told by JTAC to remove this IPsec VPN from our SRX CLI, because Security Director was not removing it correctly. I can delete 75% of the config and not have a commit check error. This last bit gives an error.

    delete security ike proposal ike-proposal-iTopia authentication-method pre-shared-keys
    delete security ike proposal ike-proposal-iTopia dh-group group19
    delete security ike proposal ike-proposal-iTopia encryption-algorithm aes-256-gcm
    delete security ike proposal ike-proposal-iTopia lifetime-seconds 28800
    delete security ike policy ike-policy-iTopia mode main
    delete security ike policy ike-policy-iTopia proposals ike-proposal-iTopia
    delete security ike policy ike-policy-iTopia pre-shared-key ascii-text " key removed before posting this question. "

    The commit check error is:

     commit check
    [edit security ike]
      'proposal ike-proposal-iTopia'
        Missing mandatory statement: 'authentication-method'
    [edit security ike policy]
      'ike-policy-iTopia'
        IKE policy must have either local certificate or pre-shared key configured
    error: configuration check-out failed: (statements constraint check failed)

    Clearly, the lines with the pre-shared key and authorization method are listed in the section, so I am confused about this error. 



    ------------------------------
    JOHN WILLIAMSON
    ------------------------------


  • 2.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago
    Edited by Nikolay Semov 14 days ago

    They're no longer listed -- you deleted them.

    What's happening is you deleted the elements of ike-policy-iTopia, but not the actual ike-policy-iTopia. So the thing is complaining you have a policy with the required elements missing.

    So if it's no longer in use, just delete security ike policy ike-policy-iTopia

    Use show | compare to see the differences in the configuration after your changes before committing. 



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    I rolled back the config, so I can show the whole set of VPN settings. Even with them all there I can't delete the policy.

    set security ike proposal ike-proposal-iTopia authentication-method pre-shared-keys
    set security ike proposal ike-proposal-iTopia dh-group group19
    set security ike proposal ike-proposal-iTopia encryption-algorithm aes-256-gcm
    set security ike proposal ike-proposal-iTopia lifetime-seconds 28800
    set security ike policy ike-policy-iTopia mode main
    set security ike policy ike-policy-iTopia proposals ike-proposal-iTopia
    set security ike policy ike-policy-iTopia pre-shared-key ascii-text " text removed before posting "
    set security ike gateway ike-gate-iTopia ike-policy ike-policy-iTopia
    set security ike gateway ike-gate-iTopia address < IP removed prior to posting >
    set security ike gateway ike-gate-iTopia external-interface reth3.0
    set security ike gateway ike-gate-iTopia version v2-only
    set security ipsec proposal ipsec-proposal-iTopia protocol esp
    set security ipsec proposal ipsec-proposal-iTopia encryption-algorithm aes-256-gcm
    set security ipsec proposal ipsec-proposal-iTopia lifetime-seconds 3600
    set security ipsec policy ipsec-policy-iTopia perfect-forward-secrecy keys group19
    set security ipsec policy ipsec-policy-iTopia proposals ipsec-proposal-iTopia
    set security ipsec vpn ipsec-vpn-iTopia bind-interface st0.2
    set security ipsec vpn ipsec-vpn-iTopia ike gateway ike-gate-iTopia
    set security ipsec vpn ipsec-vpn-iTopia ike ipsec-policy ipsec-policy-iTopia
    set security ipsec vpn ipsec-vpn-iTopia establish-tunnels immediately

    When I edit the security ike section and type show, just to see the config, I noticed this...

    gateway ike-gate-iTopia {
        ##
        ## Warning: Referenced IKE policy must be defined under [edit security ike policy]
        ##
        ike-policy ike-policy-iTopia;
        address < IP removed prior to posting >;
        external-interface reth3.0;
        version v2-only;
    }

    Isn't that covered by the config line set security ike policy ike-policy-iTopia mode main ?

    Here is the result when I tried to delete the policy, as you suggested:

    {primary:node0}[edit security ike]
    sa.john_williamson@NONL-SRX01# delete policy ike-policy-iTopia

    {primary:node0}[edit security ike]
    sa.john_williamson@NONL-SRX01# commit check
    error: can only commit from top of private configuration

    {primary:node0}[edit security ike]
    sa.john_williamson@NONL-SRX01# top

    {primary:node0}[edit]
    sa.john_williamson@NONL-SRX01# commit check
    [edit security ike gateway ike-gate-iTopia ike-policy]
      'ike-policy ike-policy-iTopia'
        Referenced IKE policy must be defined under [edit security ike policy]
    error: configuration check-out failed: (statements constraint check failed)

    Is there a line of config missing before I started this process? 



    ------------------------------
    JOHN WILLIAMSON
    ------------------------------



  • 4.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    Oh, I see. There's a dependency tree you have to keep in mind.

    IKE policy uses IKE proposal. IKE gateway uses IKE policy
    IPsec policy uses IPsec proposal. IPsec VPN uses IPsec policy and IKE gateway.

    You can't delete an object (say, an IKE policy) if it's still in use by another object.

    If your goal is to remove a VPN, then deleting the IPsec VPN and corresponding IKE gateway should be enough. Deleting unused IKE and IPsec policies and proposals is just nice for decluttering your configuration.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago
    Edited by JOHN WILLIAMSON 14 days ago

    Nikolay,

    I see what you mean. Every section refers to another. Wouldn't that be the case with any VPN we have? If the references are required, I can't delete those first and clear up the "connections" they all have to each other.

    There must be a way to clean this out. I don't believe a situation with an unremovable section of config should be allowed.
    ------------------------------
    JOHN WILLIAMSON
    ------------------------------



  • 6.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    I don't know.

    If you have other VPNs / Gateways that use the same policies and proposals, then no.
    If you have no other VPNs / Gateways that use the same policies and proposals, then yes.

    You don't have to do that in multiple commit operations. You can do everything at once.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 7.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    Nikolay,

    I think our other IPsec VPNs have the same pattern, since Security Director lets you know what is required to allow you to save the VPN and publish it. So, the names change based on the VPN, but the construction will be the same. 



    ------------------------------
    JOHN WILLIAMSON
    ------------------------------



  • 8.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    As far as your question is concerned, the pattern doesn't matter. It doesn't matter how similar they look. If you have, for example, ike policy abcd and no ike gateway is using exactly that ike policy abcd, then you can delete ike policy abcd. If even one ike gateway is using ike policy abcd, then you can't delete that ike policy.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 9.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    I understand how the different parts reference each other and how this would interfere with removing the config. My point above was to state that all of our VPNs will have a reference to their own named policy and gateway, and proposals, just like this one does with its iTopia named parts.  So, they all will be structured in the same fashion, and just the names will be changed. 



    ------------------------------
    JOHN WILLIAMSON
    ------------------------------



  • 10.  RE: Remove an ipsec VPN from SRX in the CLI. Is there a proper order to remove sections of the config?

    Posted 14 days ago

    I got the delete commands from JTAC and using these, I removed all of it. 

    • delete security ike proposal ike-proposal-iTopia
    • delete security ike policy ike-policy-iTopia
    • delete security ike gateway ike-gate-iTopia
    • delete security ipsec proposal ipsec-proposal-iTopia
    • delete security ipsec policy ipsec-policy-iTopia
    • delete security ipsec vpn ipsec-vpn-iTopia


    ------------------------------
    JOHN WILLIAMSON
    ------------------------------
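
The dependency tree Nikolay lays out in reply 4 (IKE policy uses IKE proposal, IKE gateway uses IKE policy, IPsec policy uses IPsec proposal, IPsec VPN uses IPsec policy and IKE gateway) and the whole-object delete list from reply 10 can be turned into a small pre-commit check. The script below is an added example, not code from the thread or from Juniper: it parses Junos "set" statements, builds that reference graph, reports who still references an object (the same reason the commit check rejected "delete policy ike-policy-iTopia" while the gateway still pointed at it), and emits the "delete" commands for one VPN while skipping anything a second VPN still uses (replies 6 and 8). The sample configuration is constructed: the iTopia objects from the thread with the secret and peer address replaced by placeholders, plus a hypothetical "branch" VPN whose IKE policy shares ike-proposal-iTopia. It only models the references named in the thread, not every Junos cross-reference.

```python
"""Dependency-aware removal plan for a Junos SRX IPsec VPN (added example).

Parses 'set security ike|ipsec ...' statements, builds the reference graph
described in the thread and prints the 'delete' statements for one VPN.
Paste the output into configuration mode, then 'show | compare' and
'commit check' before committing.
"""
import shlex
from collections import defaultdict

# Constructed sample: iTopia objects from the thread (secret and peer address
# are placeholders) plus a hypothetical 'branch' VPN sharing ike-proposal-iTopia.
SAMPLE_CONFIG = """
set security ike proposal ike-proposal-iTopia authentication-method pre-shared-keys
set security ike proposal ike-proposal-iTopia dh-group group19
set security ike proposal ike-proposal-iTopia encryption-algorithm aes-256-gcm
set security ike proposal ike-proposal-iTopia lifetime-seconds 28800
set security ike policy ike-policy-iTopia mode main
set security ike policy ike-policy-iTopia proposals ike-proposal-iTopia
set security ike policy ike-policy-iTopia pre-shared-key ascii-text "PLACEHOLDER-KEY"
set security ike gateway ike-gate-iTopia ike-policy ike-policy-iTopia
set security ike gateway ike-gate-iTopia address 192.0.2.10
set security ike gateway ike-gate-iTopia external-interface reth3.0
set security ike gateway ike-gate-iTopia version v2-only
set security ipsec proposal ipsec-proposal-iTopia protocol esp
set security ipsec proposal ipsec-proposal-iTopia encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-proposal-iTopia lifetime-seconds 3600
set security ipsec policy ipsec-policy-iTopia perfect-forward-secrecy keys group19
set security ipsec policy ipsec-policy-iTopia proposals ipsec-proposal-iTopia
set security ipsec vpn ipsec-vpn-iTopia bind-interface st0.2
set security ipsec vpn ipsec-vpn-iTopia ike gateway ike-gate-iTopia
set security ipsec vpn ipsec-vpn-iTopia ike ipsec-policy ipsec-policy-iTopia
set security ipsec vpn ipsec-vpn-iTopia establish-tunnels immediately
set security ike policy ike-policy-branch mode main
set security ike policy ike-policy-branch proposals ike-proposal-iTopia
set security ike policy ike-policy-branch pre-shared-key ascii-text "PLACEHOLDER-KEY-2"
set security ike gateway ike-gate-branch ike-policy ike-policy-branch
set security ike gateway ike-gate-branch address 192.0.2.20
set security ike gateway ike-gate-branch external-interface reth3.0
set security ipsec proposal ipsec-proposal-branch protocol esp
set security ipsec policy ipsec-policy-branch proposals ipsec-proposal-branch
set security ipsec vpn ipsec-vpn-branch bind-interface st0.3
set security ipsec vpn ipsec-vpn-branch ike gateway ike-gate-branch
set security ipsec vpn ipsec-vpn-branch ike ipsec-policy ipsec-policy-branch
"""

# (section, object type, statement path after the object name) -> referenced
# (section, object type).  Exactly the edges listed in the thread.
REFERENCE_RULES = {
    ("ike", "policy", ("proposals",)): ("ike", "proposal"),
    ("ike", "gateway", ("ike-policy",)): ("ike", "policy"),
    ("ipsec", "policy", ("proposals",)): ("ipsec", "proposal"),
    ("ipsec", "vpn", ("ike", "gateway")): ("ike", "gateway"),
    ("ipsec", "vpn", ("ike", "ipsec-policy")): ("ipsec", "policy"),
}


def parse_config(text):
    """Return (objects, deps): deps[obj] is the set of objects obj references."""
    objects, deps = set(), defaultdict(set)
    for raw in text.strip().splitlines():
        tokens = shlex.split(raw.strip())  # handles the quoted pre-shared key
        if len(tokens) < 5 or tokens[:2] != ["set", "security"]:
            continue
        section, otype, name = tokens[2], tokens[3], tokens[4]
        if section not in ("ike", "ipsec"):
            continue
        obj = (section, otype, name)
        objects.add(obj)
        rest = tokens[5:]
        for (sec, typ, path), target in REFERENCE_RULES.items():
            if (sec, typ) == (section, otype) and tuple(rest[:len(path)]) == path:
                # 'proposals [ a b ]' is also accepted; drop the brackets.
                for value in rest[len(path):]:
                    if value not in ("[", "]"):
                        deps[obj].add((*target, value))
    return objects, deps


def referrers(deps, target):
    """Objects that still reference target: the reason a delete is refused."""
    return {obj for obj, refs in deps.items() if target in refs}


def can_delete(deps, target):
    """Mirror the commit check: an object can go only when nothing references it."""
    return not referrers(deps, target)


def removal_plan(objects, deps, vpn_name):
    """Delete statements for one VPN and every object that becomes unused.

    Returns (commands, kept): kept is the set of objects left in place because
    another VPN still references them.
    """
    vpn = ("ipsec", "vpn", vpn_name)
    if vpn not in objects:
        raise KeyError(f"no such IPsec VPN: {vpn_name}")
    doomed, changed = {vpn}, True
    while changed:  # grow the set until every candidate's referrers are all doomed
        changed = False
        for obj in list(doomed):
            for dep in deps.get(obj, ()):
                if dep not in doomed and referrers(deps, dep) <= doomed:
                    doomed.add(dep)
                    changed = True
    ordered = []  # dependents first, so each delete is valid on its own
    while len(ordered) < len(doomed):
        ready = sorted(o for o in doomed
                       if o not in ordered and referrers(deps, o) <= set(ordered))
        if not ready:
            raise RuntimeError("reference cycle in configuration")
        ordered.extend(ready)
    kept = {dep for o in ordered for dep in deps.get(o, ()) if dep not in doomed}
    commands = [f"delete security {sec} {typ} {name}" for sec, typ, name in ordered]
    return commands, kept


if __name__ == "__main__":
    objs, refs = parse_config(SAMPLE_CONFIG)
    policy = ("ike", "policy", "ike-policy-iTopia")
    print("can delete ike-policy-iTopia alone?", can_delete(refs, policy),
          "referenced by", sorted(referrers(refs, policy)))
    cmds, kept = removal_plan(objs, refs, "ipsec-vpn-iTopia")
    print("\n".join(cmds))
    print("kept (still in use by another VPN):", sorted(kept))
```

Because Junos validates the whole candidate configuration at commit time, all of the emitted statements can go into a single commit, as reply 6 notes; the ordering is there so that the plan reads like the dependency tree and so that a partial paste does not leave a dangling reference.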