SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

  • 1.  S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-19-2019 02:53

    Hi all,

     

    I'd like to know if it's possible to set up a S2S VPN between a vsrx VM in Azure (using the ge-0/0/0 public unterface) and an on-premise natted chassis-clustered SRX? I tried the creating the setup but the VPN doesn't come up. 



  • 2.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-19-2019 05:24

    Hi,

     

    Yes, it should work. What  kind of NATting is there on the  SRX ? what error do you see when VPN fails ?

     

     

    Thanks,

    Vikas

     

     

     



  • 3.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-19-2019 14:28

    Hi Vikas,

     

    Thanks for your reply. Here are my configs/logs for your review.:

    SRX550 Chassis CLuster Config: 

     

    set security ipsec vpn azure-hub-west-eu-vm1-vpn bind-interface st0.0
    set security ipsec vpn azure-hub-west-eu-vm1-vpn ike gateway hub-west-eu-vm1
    set security ipsec vpn azure-hub-west-eu-vm1-vpn ike ipsec-policy hub-west-eu
    set security ipsec vpn azure-hub-west-eu-vm1-vpn establish-tunnels immediately
    set security ike gateway hub-west-eu-vm1 ike-policy hub-west-eu
    set security ike gateway hub-west-eu-vm1 address <remote_pub_ip>
    set security ike gateway hub-west-eu-vm1 dead-peer-detection interval 10
    set security ike gateway hub-west-eu-vm1 dead-peer-detection threshold 3
    set security ike gateway hub-west-eu-vm1 local-identity inet <local_pub_ip>
    set security ike gateway hub-west-eu-vm1 remote-identity inet <remote_pub_ip>
    set security ike gateway hub-west-eu-vm1 external-interface reth0.0
    set security ike policy hub-west-eu mode main
    set security ike policy hub-west-eu proposals hub-west-eu
    set security ike policy hub-west-eu pre-shared-key ascii-text <key>
    set security ike proposal hub-west-eu authentication-method pre-shared-keys
    set security ike proposal hub-west-eu dh-group group24
    set security ike proposal hub-west-eu authentication-algorithm sha-256
    set security ike proposal hub-west-eu encryption-algorithm aes-256-cbc
    set security ike proposal hub-west-eu lifetime-seconds 86400
    set security ipsec proposal hub-west-eu protocol esp
    set security ipsec proposal hub-west-eu authentication-algorithm hmac-sha-256-128
    set security ipsec proposal hub-west-eu encryption-algorithm aes-256-cbc
    set security ipsec proposal hub-west-eu lifetime-seconds 3600
    set security ipsec policy hub-west-eu perfect-forward-secrecy keys group24
    set security ipsec policy hub-west-eu proposals hub-west-eu
    set security ipsec vpn azure-hub-west-eu-vm1-vpn bind-interface st0.0
    set security ipsec vpn azure-hub-west-eu-vm1-vpn ike gateway hub-west-eu-vm1
    set security ipsec vpn azure-hub-west-eu-vm1-vpn ike ipsec-policy hub-west-eu
    set security ipsec vpn azure-hub-west-eu-vm1-vpn establish-tunnels immediately
    set interfaces st0 unit 0 description Tunnel_Interface
    set interfaces st0 unit 0 family inet
    set routing-instances VR-1 instance-type virtual-router
    set routing-instances VR-1 interface reth7.546
    set routing-instances VR-1 interface st0.0
    set routing-instances VR-1 routing-options static route 0.0.0.0/0 next-hop 164.16.28.177
    set routing-instances VR-1 routing-options static route 10.3.2.0/24 next-hop st0.0
    set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic system-services ping
    set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic system-services ike
    set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic protocols ospf

     

    VSRX VM Azure Config.

    set security ike traceoptions file ike-trace-log
    set security ike traceoptions flag all
    set security ike proposal srxcl1-shared authentication-method pre-shared-keys
    set security ike proposal srxcl1-shared dh-group group24
    set security ike proposal srxcl1-shared authentication-algorithm sha-256
    set security ike proposal srxcl1-shared encryption-algorithm aes-256-cbc
    set security ike proposal srxcl1-shared lifetime-seconds 86400
    set security ike proposal vsrx-hub-vm2 authentication-method pre-shared-keys
    set security ike proposal vsrx-hub-vm2 dh-group group24
    set security ike proposal vsrx-hub-vm2 authentication-algorithm sha-256
    set security ike proposal vsrx-hub-vm2 encryption-algorithm aes-256-cbc
    set security ike proposal vsrx-hub-vm2 lifetime-seconds 86400
    set security ike policy srxcl1-shared mode main
    set security ike policy srxcl1-shared proposals srxcl1-shared
    set security ike policy srxcl1-shared pre-shared-key ascii-text <key>
    set security ike policy vsrx-hub-vm2 mode main
    set security ike policy vsrx-hub-vm2 proposals vsrx-hub-vm2
    set security ike policy vsrx-hub-vm2 pre-shared-key ascii-text <key>
    set security ike gateway srxcl1-shared ike-policy srxcl1-shared
    set security ike gateway srxcl1-shared address <remote_pub_ip>
    set security ike gateway srxcl1-shared dead-peer-detection interval 10
    set security ike gateway srxcl1-shared dead-peer-detection threshold 3
    set security ike gateway srxcl1-shared local-identity inet <local_pub_ip>
    set security ike gateway srxcl1-shared remote-identity inet <remote_pub_ip>
    set security ike gateway srxcl1-shared external-interface ge-0/0/0.0
    set security ike gateway vsrx-hub-vm2 ike-policy vsrx-hub-vm2
    set security ike gateway vsrx-hub-vm2 address <remote_pub_ip>
    set security ike gateway vsrx-hub-vm2 dead-peer-detection interval 10
    set security ike gateway vsrx-hub-vm2 dead-peer-detection threshold 3
    set security ike gateway vsrx-hub-vm2 local-identity inet <local_pub_ip>
    set security ike gateway vsrx-hub-vm2 remote-identity inet <remote_pub_ip>
    set security ike gateway vsrx-hub-vm2 external-interface ge-0/0/0.0
    set security ipsec traceoptions flag all
    set security ipsec proposal srxcl1-shared protocol esp
    set security ipsec proposal srxcl1-shared authentication-algorithm hmac-sha-256-128
    set security ipsec proposal srxcl1-shared encryption-algorithm aes-256-cbc
    set security ipsec proposal srxcl1-shared lifetime-seconds 3600
    set security ipsec proposal vsrx-hub-vm2 protocol esp
    set security ipsec proposal vsrx-hub-vm2 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal vsrx-hub-vm2 encryption-algorithm aes-256-cbc
    set security ipsec proposal vsrx-hub-vm2 lifetime-seconds 3600
    set security ipsec policy srxcl1-shared perfect-forward-secrecy keys group24
    set security ipsec policy srxcl1-shared proposals srxcl1-shared
    set security ipsec policy vsrx-hub-vm2 perfect-forward-secrecy keys group24
    set security ipsec policy vsrx-hub-vm2 proposals vsrx-hub-vm2
    set security ipsec vpn srxcl1-shared-vpn bind-interface st0.0
    set security ipsec vpn srxcl1-shared-vpn ike gateway srxcl1-shared
    set security ipsec vpn srxcl1-shared-vpn ike ipsec-policy srxcl1-shared
    set security ipsec vpn srxcl1-shared-vpn establish-tunnels immediately
    set security ipsec vpn vsrx-hub-vm2-vpn bind-interface st0.0
    set security ipsec vpn vsrx-hub-vm2-vpn ike gateway vsrx-hub-vm2
    set security ipsec vpn vsrx-hub-vm2-vpn ike ipsec-policy vsrx-hub-vm2
    set security ipsec vpn vsrx-hub-vm2-vpn establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone trust to-zone vpn policy default-permit match source-address any
    set security policies from-zone trust to-zone vpn policy default-permit match destination-address any
    set security policies from-zone trust to-zone vpn policy default-permit match application any
    set security policies from-zone trust to-zone vpn policy default-permit then permit
    set security policies from-zone vpn to-zone trust policy default-permit match source-address any
    set security policies from-zone vpn to-zone trust policy default-permit match destination-address any
    set security policies from-zone vpn to-zone trust policy default-permit match application any
    set security policies from-zone vpn to-zone trust policy default-permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust host-inbound-traffic system-services ping
    set security zones security-zone trust host-inbound-traffic system-services ssh
    set security zones security-zone trust host-inbound-traffic system-services https
    set security zones security-zone trust interfaces ge-0/0/1.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone vpn host-inbound-traffic system-services ping
    set security zones security-zone vpn host-inbound-traffic protocols ospf
    set security zones security-zone vpn interfaces st0.0
    set interfaces ge-0/0/0 unit 0 family inet address 10.3.1.4/24
    set interfaces ge-0/0/1 unit 0 family inet address 10.3.2.4/24
    set interfaces fxp0 unit 0
    set interfaces st0 unit 0 multipoint
    set interfaces st0 unit 0 family inet
    set routing-instances VR-1 instance-type virtual-router
    set routing-instances VR-1 interface ge-0/0/0.0
    set routing-instances VR-1 interface ge-0/0/1.0
    set routing-instances VR-1 interface st0.0

     

    IKE Logs as seen from VSRX VM on Azure

    [Apr 19 23:16:30]ike_send_packet: Start, retransmit previous packet SA = { 1aa9a650 57558549 - 530ebb04 ff2c9fc3}, nego = -1, dst = <remote_pub_ip>:55518 routing table id = 5
    [Apr 19 23:16:30]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:55518): mID=00000000 (retransmit count=2)
    [Apr 19 23:16:40]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:55518 { 1aa9a650 57558549 - 530ebb04 ff2c9fc3 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    [Apr 19 23:16:40]IKE SA delete called for p1 sa 3032206 (ref cnt 2) local:10.3.1.4, remote:<remote_pub_ip>, IKEv1
    [Apr 19 23:17:05]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
    [Apr 19 23:17:05]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
    [Apr 19 23:17:05]ike_init_isakmp_sa: Start, remote = <remote_pub_ip>:54649, initiator = 0
    [Apr 19 23:17:05]IKEv1 packet R(<none>:500 <- <remote_pub_ip>:500): len= 288, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
    [Apr 19 23:17:05]IKEv1 packet S(<none>:500 -> <remote_pub_ip>:500): len= 196, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid
    [Apr 19 23:17:05]ike_send_packet: Start, send SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649
    [Apr 19 23:17:14]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
    [Apr 19 23:17:14]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
    [Apr 19 23:17:15]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
    [Apr 19 23:17:15]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=1)
    [Apr 19 23:17:24]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
    [Apr 19 23:17:24]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
    [Apr 19 23:17:25]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
    [Apr 19 23:17:25]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=2)
    [Apr 19 23:17:35]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:54649 { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    [Apr 19 23:17:35]IKE SA delete called for p1 sa 3032209 (ref cnt 2) local:10.3.1.4, remote:<remote_pub_ip>, IKEv1
    [Apr 19 23:18:00]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
    [Apr 19 23:18:00]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
    [Apr 19 23:18:00]ike_init_isakmp_sa: Start, remote = <remote_pub_ip>:62940, initiator = 0
    [Apr 19 23:18:00]IKEv1 packet R(<none>:500 <- <remote_pub_ip>:500): len= 288, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
    [Apr 19 23:18:00]IKEv1 packet S(<none>:500 -> <remote_pub_ip>:500): len= 196, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid
    [Apr 19 23:18:00]ike_send_packet: Start, send SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940
    [Apr 19 23:18:09]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
    [Apr 19 23:18:09]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
    [Apr 19 23:18:10]ike_send_packet: Start, retransmit previous packet SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940 routing table id = 5
    [Apr 19 23:18:10]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:62940): mID=00000000 (retransmit count=1)
    [Apr 19 23:18:18]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
    [Apr 19 23:18:18]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
    [Apr 19 23:18:20]ike_send_packet: Start, retransmit previous packet SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940 routing table id = 5
    [Apr 19 23:18:20]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:62940): mID=00000000 (retransmit count=2)

    [edit]

     



  • 4.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-19-2019 14:33

    Here are IKE logs as seen from SRX550

     


    [Apr 19 23:21:10]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00000000 00000000}, nego = -1, dst = <remote_pub_ip>:500 routing table id = 0
    [Apr 19 23:21:20]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00000000 00000000}, nego = -1, dst = <remote_pub_ip>:500 routing table id = 0
    [Apr 19 23:21:30]164.16.29.210:500 (Initiator) <-> <remote_pub_ip>:500 { 54e5ac7f a4ee5357 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    [Apr 19 23:21:30]IPSec SA done callback called for sa-cfg azure-hub-west-eu-vm1-vpn local:164.16.29.210, remote:<remote_pub_ip> IKEv1 with status Timed out
    [Apr 19 23:21:30]IKE SA delete called for p1 sa 6128617 (ref cnt 1) local:164.16.29.210, remote:<remote_pub_ip>, IKEv1



  • 5.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-19-2019 14:45

    One more thing....

    The vsrx VM in Azure has a NSG attached to the public subnet (10.3.1.0/24) which allows IKE/IPSEC ports 50, 500, 4500.



  • 6.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-19-2019 23:00
    Hi,

    It looks like SRX is initiating the IKE exchange and not getting any response and then clearing it.

    What do you see in the vSRX ? Do you even see the same IKE traffic coming to the vSRX.

    Monitor traffic interface ge-0/0/0 , IKE session details( show security flow session <filters>, , ect may help on the vSRX.

    Thanks and Regards
    Vikas Singh</filters>


  • 7.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-20-2019 00:07

    Sorry, I noticed that you have given logs from the vSRX as well. I see the below events matching with IKE cookies :

     

    [Apr 19 23:17:25]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
    [Apr 19 23:17:25]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=2)
    [Apr 19 23:17:35]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:54649 { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback

     

    vSRX is responding to the IKE packets and, the SRX logs's don't show any such response.

     

     In the IKE session on the SRX , do you see the bidirectional packet count is increasing ? Or Do you see bidirectional traffic on the SRX , you can use " monitor traffic interface <interface >" or the firewall filter on the SRX to check if SRX is receiving the IKE response or not. Depending on the results, we need to troubleshoot on the appropriate device .

     

    Thanks,

    Vikas

     

     



  • 8.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-20-2019 16:18

    Hi Vikas,

     

    Here are the debug logs:

     

    From the vsrx:

     

    kakala@vsrx-hub-west-eu-vm1> show security flow session
    Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 54, Valid
    In: <remote_pub_ip>/500 --> 10.3.1.4/500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 52, Bytes: 16432,
    Out: 10.3.1.4/500 --> <remote_pub_ip>/500;udp, Conn Tag: 0x0, If: .local..5, Pkts: 0, Bytes: 0,

     

    kakala@vsrx-hub-west-eu-vm1> show security flow session
    Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 22, Valid
    In: <remote_pub_ip>/500 --> 10.3.1.4/500;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 53, Bytes: 16748,
    Out: 10.3.1.4/500 --> <remote_pub_ip>/500;udp, Conn Tag: 0x0, If: .local..5, Pkts: 0, Bytes: 0,

     

    kakala@vsrx-hub-west-eu-vm1> monitor traffic interface ge-0/0/0.0
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.
    Listening on ge-0/0/0.0, capture size 96 bytes

    Reverse lookup for 10.3.1.4 failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.

    00:48:48.859235 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
    00:48:55.751912 In IP <remote_pub_ip>.55156 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
    00:49:04.548278 In IP <remote_pub_ip>.55156 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
    00:49:13.341595 In IP <remote_pub_ip>.55156 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
    00:49:24.046824 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
    00:49:32.831305 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
    00:49:41.626288 In IP <remote_pub_ip>.isakmp > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]
    00:49:48.516424 In IP <remote_pub_ip>.63679 > 10.3.1.4.isakmp: isakmp: phase 1 I ident: [|sa]

     

    From the SRX:

    00:46:03.905561 Out IP truncated-ip - 256 bytes missing! 164.16.29.210.isakmp > <remote_pub_ip>.isakmp: isakmp: phase 1 I ident: [|sa]


    kakala@srxCL-1-shared# run show security flow session destination-prefix <remote_pub_ip>
    node0:
    --------------------------------------------------------------------------

    Session ID: 191857, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
    In: 164.16.29.210/500 --> <remote_pub_ip>/500;udp, If: .local..0, Pkts: 7229, Bytes: 2284364
    Out: <remote_pub_ip>/500 --> 164.16.29.210/500;udp, If: reth0.0, Pkts: 0, Bytes: 0
    Total sessions: 1

    node1:
    --------------------------------------------------------------------------

    Session ID: 206104, Policy name: self-traffic-policy/1, State: Backup, Timeout: 1256, Valid
    In: 164.16.29.210/500 --> <remote_pub_ip>/500;udp, If: .local..0, Pkts: 0, Bytes: 0
    Out: <remote_pub_ip>/500 --> 164.16.29.210/500;udp, If: reth0.0, Pkts: 0, Bytes: 0
    Total sessions: 1

    {primary:node0}[edit]
    kakala@srxCL-1-shared#

     

    The VSRX is obviouly not sending IKE packets to the SRX and the SRX has its internet zone configured to receive traffic from all networks. And also the VSRX VM has an NSG applied to its outbound interface which permits all traffic too.. So really dont know where the problem might be..



  • 9.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-21-2019 01:07

    Hi,

     

    IKE debugs seems to be sending the packet however the same is no seen in the flow or session.

     

    1: What route do you see for the IP <remote_pub_ip>, in vSRX ?

        show route <remote_pub_ip>

        show route

     

    2: Do mac address do you see for ge-0/0/0 in vSRX

         show interface ge-0/0/0 | match hard

     

    3: What's the version of vSRX ?

         show version

     

    Thanks,

    Vikas



  • 10.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-21-2019 11:06

    Hi Vikas,

     

    I'd wanted to clarify something as regards the routing on the vSRX. I have a default route in the VR-1 routing-instance pointing to the a next hop gateway I'm not certain about. I'm not sure which GW IP to route to so I used a 10.3.1.1 as the next hop GW IP but can't reach the internet via this gateway. The only path to the internet is via the fxp0 interface, which of course can't be used as the IKE GW interface. Any way around this i.e. reaching the internet via the VR-1... perhaps the wrong GW was configured? I guess this may be the reason there aren't outgoing packets from the vSRX. 



  • 11.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-21-2019 22:16
    Hi,

    Your deployment is fine. We segregate the fxp & the ge traffic using the VRs, each VR will have default gateway accordingly. First IP from Azure’s “virtual network/subnet” is used as default gateway, so if 10.3.1.1 is the first IP then it’s fine.

    1: Are you able to ping 10.3.1.1, from VR-1 routing-instance
    Ping 10.3.1.1 routing-instance VR-1

    2: Is your configured routing showing up in the routing table “sow route”

    3: There is also a bug related to the interface mac , so please check MAC address of the interface.
    Show interface ge-0/0/0 | match hard




    Thanks and Regards
    Vikas Singh


  • 12.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-22-2019 00:56

    HI Vikas,

     

    As requested:

     


    kakala@vsrx-hub-west-eu-vm1# run show interfaces ge-0/0/0 | match hard
    Current address: 00:0d:3a:27:51:ff, Hardware address: 00:0d:3a:27:51:ff

    [edit]
    kakala@vsrx-hub-west-eu-vm1# run show version
    Hostname: vsrx-hub-west-eu-vm1
    Model: vsrx
    Junos: 15.1X49-D120.3
    JUNOS Software Release [15.1X49-D120.3]

    [edit]

    kakala@vsrx-hub-west-eu-vm1# run show route

    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:05:38
    > to 192.168.2.1 via fxp0.0
    192.168.2.0/30 *[Direct/0] 00:05:40
    > via fxp0.0
    192.168.2.2/32 *[Local/0] 00:05:40
    Local via fxp0.0

    VR-1.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:00:39
    > to 10.3.1.1 via ge-0/0/0.0
    10.3.1.0/24 *[Direct/0] 00:00:39
    > via ge-0/0/0.0
    10.3.1.4/32 *[Local/0] 00:00:39
    Local via ge-0/0/0.0
    10.3.2.0/24 *[Direct/0] 00:05:39
    > via ge-0/0/1.0
    10.3.2.4/32 *[Local/0] 00:05:39
    Local via ge-0/0/1.0

    kakala@vsrx-hub-west-eu-vm1# run show route <remote_pub_ip>

    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:03:38
    > to 192.168.2.1 via fxp0.0

    VR-1.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:01:12
    > to 10.3.1.1 via ge-0/0/0.0

    [edit]
    kakala@vsrx-hub-west-eu-vm1#



  • 13.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?

    Posted 04-22-2019 01:02

    Hi Vikas,

     

    kakala@vsrx-hub-west-eu-vm1# run ping routing-instance VR-1 10.3.1.1
    PING 10.3.1.1 (10.3.1.1): 56 data bytes

     

    10.3.1.1 is not reachable. 

     

    10.3.1.4 is the first useable address in the 10.3.1.0/24 subnet and what was configured on the interface card attached to the VM.  So are you saying 10.3.1.1 (out of the reserved addresses) should be the default GW? 



  • 14.  RE: S2S VPN between a vsrx VM in Azure and an on-premise natted chassis-clustered SRX possible?
    Best Answer

    Posted 04-23-2019 09:28

    Hello Vikas,

     

    I figured out the problem. I forgot to asscociate the untrust (ge-0/0/0) subnet to the internet route table created. Now internet is reachable in the VR-1 instance and the VPN tunnel comes up. 

     

    Thanks.