SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Site-to-Site VPN between 2 SRX's - can't reach remote local network

  • 1.  Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 07-27-2012 01:56

    Hi,

     

    I've been looking at this VPN setup, 1 of which my colleagues set up but was having troubles with. But I can't seem to figure out exactly what's wrong. But I feel it must have to do with the routing, however I do have the routes added to send traffic for the remote local networks over the st0.0 interfaces.

     

    So in summary:

    • The VPN goes up and stays stable
    • Both devices can reach each other on the local addresses
    • But can't reach a host behind that at 172.16.0.2 or 172.16.1.2 for example.

     

    I've attached both configs of both devices so you at least have all the info, hopefully one of you can point me to the solution.

     


    #vpn
    #srx100
    #site-to-site

    Attachment(s): vpn01.khondrion.com.txt, vpn02.khondrion.com.txt


  • 2.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 07-27-2012 09:21

    You have the st0.0 interface in your trust zone, plus a few other errors.

     

    I have attached one end of working SRX config.




  • 3.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 07-30-2012 02:19

    I have built up site-to-site VPNs before with SRXs and replicated the steps used in those configs and have always used the st0.0 interface in the trust-zone.

     

    But I have moved it over to a separate zone now and nothing's changed. I think the problem is probably in the routing table somehow as they can reach the hosts locally or that are directly connected, but not beyond that.

     

    However testing the routes does show them to work as they will send the traffic for the remote local network over the st0.0 interface.

     

    You point out that there are other errors as well, I've compared the configs to previous ones that work just fine and yours and can't really find huge differences, but I might be reading over them.

     

    Could you elaborate or point me in the right direction?

     



  • 4.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

     
    Posted 07-30-2012 04:55

    Is there a reason you have ip-addresses on your tunnel interfaces? If not, remove them and try again.

    Else you could always configure flow traceoptions.

     

    Also - unrelated to the issue you're facing, I'd change aggressive mode to main mode, and like John mentioned, put the st0 interfaces in separate zones; it gives a lot cleaner/easier configuration IMO.



  • 5.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 07-30-2012 06:23

    I had added the IPs on the st0.0 interfaces because I had read on this forum somewhere that that fixed it for someone in my situation. Those weren't in my default config which I tend(ed) to use.

     

    Removing them again has not yielded any progress. So I guess I'm back to traceoptions then, which I haven't been able to get too much useful information out of thus far.

     

    As for the st interface being in the trust-zone, I've moved it to its own zone on both devices.



  • 6.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

     
    Posted 07-30-2012 06:31
    You mentioned you saw that the devices routed the traffic over the tunnel, so you should be able to see what happens with it after it gets out of the tunnel. If it does send it out the correct interface, does it come back ?


  • 7.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 07-30-2012 10:19

    Please change your tunnels to main mode instead of aggressive.

     

    Then show the output of:

     

    show security ike security-associations

     

    and 

     

    show security ipsec security-associations

     

     



  • 8.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 07-31-2012 08:53

    A couple notes:

     

    IP addresses on st0 interfaces aren't required for point-to-point vpns, point-to-multipoint need an IP.

     

    However, I generally don't use an IP from my vlan subnet on a tunnel.  Pick something like a /30 that is not in the subnet.

     

    Router A   -----------------------------------------------------------------------Router B

    172.16.0.0/24  192.168.0.1/30  ---st0--- 192.168.0.2/30 -- 172.16.1.0/24

     

    Then your routes would point to the opposite side 192 address.

     

    As for placing the st0 interfaces in the trust zone, not a problem at all, just can trip up policy sometimes, so generally they are put in a vpn zone or the untrust zone to keep it logical.

     

     

    Let me know if any of that helps

     

     Edit:

     

    Also, the main or aggressive mode doesn't matter in this case.  Main mode is just an additional security level, but if one peer is dynamic, aggressive is required.



  • 9.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 08-01-2012 07:47

    I normally don't use IPs either and as I've said I've reverted back to having the st0.0 without an IP on both devices.

     

    I've not switched the mode from aggressive to main as I can do that later and the tunnel is up, that's not the problem.

     

    root@vpn01.domain.com> show security ike security-associations 
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    4891439 UP     c1911570ef2b6e61  77239aed0a7c245d  Aggressive     a.b.c.d  
    
    root@vpn01.domain.com> show security ipsec security-associations 
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
      <131073 ESP:3des/sha1 34dd7097 2497/ unlim   -   root 500   a.b.c.d  
      >131073 ESP:3des/sha1 7ed273e3 2497/ unlim   -   root 500   a.b.c.d 

     This is the interface information of st0.0 now:

    root@vpn01.domain.com> show interfaces st0.0 
      Logical interface st0.0 (Index 79) (SNMP ifIndex 532) 
        Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
        Input packets : 5566 
        Output packets: 5975
        Security: Zone: vpn
        Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet
        reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
        Protocol inet, MTU: 9192
          Flags: Sendbcast-pkt-to-re
    

     Showing the route table:

    root@vpn01.domain.com> show route 
    
    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 6d 22:46:36
                        > to 87.233.139.1 via fe-0/0/0.0
    87.233.139.0/24    *[Direct/0] 6d 22:46:36
                        > via fe-0/0/0.0
    87.233.139.160/32  *[Local/0] 6d 23:28:24
                          Local via fe-0/0/0.0
    172.16.0.0/24      *[Static/5] 6d 02:10:37
                        > via st0.0
    172.16.0.2/32      *[Static/5] 6d 00:44:09
                        > via st0.0
    172.16.1.0/24      *[Direct/0] 5d 22:49:53
                        > via vlan.0
    172.16.1.1/32      *[Local/0] 6d 23:28:33
                          Local via vlan.0
    

     

    Pretty sure the route is fine since it sends the traffic over the tunnel.  Also shows the local subnet of 172.16.1.0/24 to be directly connected.. so any traffic for that network coming over the tunnel should reach it right?



  • 10.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 08-01-2012 13:25

    Hi

     

    Can you initiate some traffic between 172.16.0.x and 172.16.1.y and post
    an output of "show security flow session" (for these sessions only,
    you can filter by source-prefix and destination-prefix).

     

    From this output it will be seen if you get any reply packets. Also
    you have NAT configured in your original configs, and you are doing
    NAT to the interface address. This should not be breaking things, but
    in your case you have (or had) different subnets on st0.0 interfaces
    on different sides, which will cause an issue (SRXs don't know the
    other's st0.0 subnet, to which NAT is made).

     

    However I don't know why it is still not working after moving st0 to
    other zone because NAT shouldn't be applied now. So please post the
    output with sec flow sessions and your new configs also, if possible.



  • 11.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 08-02-2012 02:53

    I did as you asked pk and this does show the problem at least, but I'm not sure why it's not passing the data when it comes over the tunnel.

     

    I sent some traffic from the remote srx unit at 172.16.0.1 to 172.16.1.2. First to show that directly connected that host actually lives and responds:

    PING 172.16.1.2 (172.16.1.2): 56 data bytes
    64 bytes from 172.16.1.2: icmp_seq=0 ttl=64 time=3.020 ms
    64 bytes from 172.16.1.2: icmp_seq=1 ttl=64 time=2.207 ms
    64 bytes from 172.16.1.2: icmp_seq=2 ttl=64 time=2.422 ms

    Then this is the (partial) output from "show security flow session":

    Session ID: 13826, Policy name: vpn-to-trust/10, Timeout: 58, Valid
      In: 172.16.0.1/6 --> 172.16.1.2/6869;icmp, If: st0.0, Pkts: 1, Bytes: 84
      Out: 172.16.1.2/6869 --> 172.16.0.1/6;icmp, If: vlan.0, Pkts: 0, Bytes: 0
    

     So it appears to not be getting sent out despite being sent over the local directly connected vlan. The st0.0 interface is in its "vpn" zone and the vlan.0 is in the "trust" zone and the policy set should allow everything (ugly config, but just for testing obviously):

    root@vpn01.domain.com> show security policies from-zone vpn to-zone trust  
    From zone: vpn, To zone: trust
      Policy: vpn-to-trust, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
    
    root@vpn01.domain.com> show security policies from-zone trust to-zone vpn 
    From zone: trust, To zone: vpn
      Policy: trust-to-vpn, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
    

     



  • 12.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network
    Best Answer

    Posted 08-02-2012 04:59

    Hi

     

    Please check the following: 

     

    "show route" on the other side

     

    "show sec flow session" on the other side - are the same sessions seen there?



  • 13.  RE: Site-to-Site VPN between 2 SRX's - can't reach remote local network

    Posted 08-02-2012 07:28

    Here's the output of "show route" on the other device:

    root@umcn> show route 
    
    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 3w1d 02:21:27
                        > to 131.174.196.1 via fe-0/0/0.0
    131.174.196.0/24   *[Direct/0] 3w1d 22:35:44
                        > via fe-0/0/0.0
    131.174.196.75/32  *[Local/0] 3w1d 22:35:44
                          Local via fe-0/0/0.0
    172.16.0.0/24      *[Direct/0] 6d 23:27:36
                        > via vlan.0
    172.16.0.1/32      *[Local/0] 6d 23:27:36
                          Local via vlan.0
    172.16.1.0/24      *[Static/5] 1w0d 00:29:28
                        > via st0.0
    

     

    When I send some traffic over I'll see sessions created on both devices:

    root@umcn> show security flow session protocol icmp    
    Session ID: 16409, Policy name: self-traffic-policy/1, Timeout: 60, Valid
      In: 172.16.0.1/1 --> 172.16.1.2/7644;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 172.16.1.2/7644 --> 172.16.0.1/1;icmp, If: st0.0, Pkts: 0, Bytes: 0
    
    Session ID: 16488, Policy name: self-traffic-policy/1, Timeout: 58, Valid
      In: 172.16.0.1/0 --> 172.16.1.2/7644;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 172.16.1.2/7644 --> 172.16.0.1/0;icmp, If: st0.0, Pkts: 0, Bytes: 0
    Total sessions: 2
    

    On the other side:

    Session ID: 10193, Policy name: vpn-to-trust/10, Timeout: 54, Valid
      In: 172.16.0.1/0 --> 172.16.1.2/7644;icmp, If: st0.0, Pkts: 1, Bytes: 84
      Out: 172.16.1.2/7644 --> 172.16.0.1/0;icmp, If: vlan.0, Pkts: 0, Bytes: 0
    
    Session ID: 10160, Policy name: vpn-to-trust/10, Timeout: 54, Valid
      In: 172.16.0.1/1 --> 172.16.1.2/7644;icmp, If: st0.0, Pkts: 1, Bytes: 84
      Out: 172.16.1.2/7644 --> 172.16.0.1/1;icmp, If: vlan.0, Pkts: 0, Bytes: 0
    

     

    I did just find out though that I can communicate from the 172.16.1.1 SRX to a host behind the 172.16.0.0/24 SRX. I do see the sessions for those. However for example when I try to ping from a host behind the 172.16.1.0 network I don't even see the session on the connected SRX.

     

    This led me to looking at that host and saw a route going to the srx via the interface. I changed this to the srx IP and suddenly it worked. So it turns out to not have been an SRX issue at all stupidly enough.