SRX

 View Only
last person joined: 2 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Mikrotik Site-to-Site VPN

    Posted 11-06-2014 05:56
      |   view attached

    PROBLEM: pc in SRX site can't ping pc in Mikrotik site and vice versa
    Error message: No route to host
    Questions:
    1. what am I missing

    HW INFO:
    SRX210
    Mikrotik 951ui-2hnd

     

    SRX:
    version 12.1X44-D40.2;
    system {
        root-authentication {
            encrypted-password "$1$wC0UZD2C$pnhZvVdU5Ux1Bmr2wD81y."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                domain-name poc.local;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    192.168.88.1;
                }
                pool 192.168.88.0/24 {
                    address-range low 192.168.88.101 high 192.168.88.200;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.0.0.102/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.88.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 192.168.77.0/24 next-hop st0.0;
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy ike-policy-cfgr {
                mode main;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$Q4Th3Cp0OREcl.P1hSlLX7-V"; ## SECRET-DATA
            }
            gateway ike-gate-cfgr {
                ike-policy ike-policy-cfgr;
                address 10.0.0.101;
                external-interface ge-0/0/0;
                version v1-only;
            }
        }
        ipsec {
            proposal ipsec-proposal-cfgr {
                protocol esp;
            }
            policy ipsec-policy-cfgr {
                proposals ipsec-proposal-cfgr;
            }
            vpn ipsec-vpn-cfgr {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-cfgr;
                    ipsec-policy ipsec-policy-cfgr;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone vpn {
                policy trust-vpn-cfgr {
                    match {
                        source-address net-cfgr_192-168-88-0--24;
                        destination-address net-cfgr_192-168-77-0--24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn to-zone trust {
                policy vpn-trust-cfgr {
                    match {
                        source-address net-cfgr_192-168-77-0--24;
                        destination-address net-cfgr_192-168-88-0--24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address net-cfgr_192-168-88-0--24 192.168.88.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                address-book {
                }
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone vpn {
                address-book {
                    address net-cfgr_192-168-77-0--24 192.168.77.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
        }
    }
    poe {
        interface all;
    }
    vlans {
        default;
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }
     
    > show interfaces terse
    Interface Admin Link Proto Local Remote
    ge-0/0/0 up up
    ge-0/0/0.0 up up inet 10.0.0.102/24
    gr-0/0/0 up up
    ip-0/0/0 up up
    lsq-0/0/0 up up
    lt-0/0/0 up up
    mt-0/0/0 up up
    sp-0/0/0 up up
    sp-0/0/0.0 up up inet
    sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
    10.0.0.6 --> 0/0
    128.0.0.1 --> 128.0.1.16
    128.0.0.6 --> 0/0
    ge-0/0/1 up down
    ge-0/0/1.0 up down eth-switch
    fe-0/0/2 up down
    fe-0/0/2.0 up down eth-switch
    fe-0/0/3 up down
    fe-0/0/3.0 up down eth-switch
    fe-0/0/4 up down
    fe-0/0/4.0 up down eth-switch
    fe-0/0/5 up down
    fe-0/0/5.0 up down eth-switch
    fe-0/0/6 up down
    fe-0/0/6.0 up down eth-switch
    fe-0/0/7 up down
    fe-0/0/7.0 up down eth-switch
    fxp2 up up
    fxp2.0 up up tnp 0x1
    gre up up
    ipip up up
    irb up up
    lo0 up up
    lo0.16384 up up inet 127.0.0.1 --> 0/0
    lo0.16385 up up inet 10.0.0.1 --> 0/0
    10.0.0.16 --> 0/0
    128.0.0.1 --> 0/0
    128.0.0.4 --> 0/0
    128.0.1.16 --> 0/0
    lo0.32768 up up
    lsi up up
    mtun up up
    pimd up up
    pime up up
    pp0 up up
    ppd0 up up
    ppe0 up up
    st0 up up
    st0.0 up down inet
    tap up up
    vlan up up
    vlan.0 up down inet 192.168.88.1/24
     
    > show route
    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    10.0.0.0/24 *[Direct/0] 06:55:45
    > via ge-0/0/0.0
    10.0.0.102/32 *[Local/0] 06:55:45
    Local via ge-0/0/0.0
    192.168.88.1/32 *[Local/0] 07:05:44
    Reject
     
     
    Mikrotik:
    [admin@MikroTik] > export 
    /interface bridge
    add admin-mac=D4:CA:6D:62:1A:8B auto-mac=no name=bridge-local
    /interface lte
    set [ find ] mac-address=1C:4B:D6:B5:17:A2 name=lte1
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether2 ] name=ether2-master-local
    set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors hide-ssid=yes l2mtu=2290 mode=ap-bridge preamble-mode=long \
        ssid=mikrotik
    /ip neighbor discovery
    set ether1-gateway discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys wpa2-pre-shared-key=password
    /ip ipsec proposal
    set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
    add auth-algorithms=md5 enc-algorithms=3des name=juniper
    /ip pool
    add name=default-dhcp ranges=192.168.77.101-192.168.77.200
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 2 remember=yes
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.77.1/24 comment="default configuration" interface=bridge-local network=192.168.77.0
    add address=10.0.0.101/24 interface=ether1-gateway network=10.0.0.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.77.0/24 comment="default configuration" dns-server=192.168.77.1 gateway=192.168.77.1
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.77.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
    /ip firewall service-port
    set ftp disabled=yes
    set irc disabled=yes
    /ip ipsec peer
    add address=10.0.0.102/32 dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no secret=Rahasia
    /ip ipsec policy
    add dst-address=192.168.88.0/24 sa-dst-address=10.0.0.102 sa-src-address=10.0.0.101 src-address=192.168.77.0/24 tunnel=yes
    /ip route
    add distance=1 dst-address=192.168.88.0/24 gateway=10.0.0.102
    /ip upnp
    set allow-disable-external-interface=no
    /snmp
    set trap-community=public
    /system leds
    set 5 interface=wlan1
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    add interface=lte1
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    add interface=lte1

    #Mikrotik
    #IPSec


  • 2.  RE: SRX Mikrotik Site-to-Site VPN

    Posted 11-06-2014 06:26

    Hi ,

     

    Configuration on SRX looks good but not sure whether phase 1 and phase 2 are up.

     

    share this outputs:

     

    show security ike security-association

    show security ipsec security-association

    show security ipsec security-association detail

     

    Adding this configuation:

     

    set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.88.0/24
    set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.77.0/24

     

    This should bring up phase 2 sa and you should be able to access the remote resources.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: SRX Mikrotik Site-to-Site VPN

    Posted 11-06-2014 06:54

    root> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    7025770 DOWN   56a8ce45331fb78e  1017a096f8063979  Any            10.0.0.101
    7025769 DOWN   2a7eee48bb35e03d  0000000000000000  Main           10.0.0.101

    root> show security ipsec security-associations
      Total active tunnels: 0
    root> show security ipsec security-associations detail

    After
    set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity local 192.168.88.0/24
    set security ipsec vpn ipsec-vpn-cfgr ike proxy-identity remote 192.168.77.0/24
    applied

    root> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    7025784 DOWN   63d66abf2533272f  0000000000000000  Main           10.0.0.101
    7025783 DOWN   c18783c02d2d8c3f  4a9c1b31c998034d  Any            10.0.0.101

    root> show security ipsec security-associations detail
    root> show security ipsec security-associations
      Total active tunnels: 0

    PROBLEM: from srx can't ping pc in 192.168.77.101
    > ping 192.168.77.101
    PING 192.168.77.101 (192.168.77.101): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ^C
    --- 192.168.77.101 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

    root> show route
    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    10.0.0.0/24        *[Direct/0] 00:08:44
                        > via ge-0/0/0.0
    10.0.0.102/32      *[Local/0] 00:08:48
                          Local via ge-0/0/0.0
    192.168.88.1/32    *[Local/0] 00:08:57
                          Reject



  • 4.  RE: SRX Mikrotik Site-to-Site VPN

    Posted 11-06-2014 09:31

    Hi

     

    Phase 1 is not coming up .

     

    enable ike traceoptions and share the vpn logs and 3rd party device logs as well.

     

     

    Regards,

    rparthi



  • 5.  RE: SRX Mikrotik Site-to-Site VPN

    Posted 11-09-2014 05:03

    I think my problem is because there is NAT behind SRX and Mikrotik.

    SRX need to be in flow mode.

     

    I need to find out on how to do NO-NAT in Juniper, Cisco, Mikrotik.

    Then try again with this steps

    http://www.petenetlive.com/KB/Article/0000710.htm



  • 6.  RE: SRX Mikrotik Site-to-Site VPN

    Posted 11-09-2014 08:13

    Hi ,

     

    You can configure General ike-id config under ike gateway settings so that ike id validation is skipped in phase1 negosiation.

     

    set secuirty ike gateway name general ike-id

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too