Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  SRX300 - VLAN not routing

    Posted 04-12-2023 10:39

    I have two SRX300 Firewalls that I am trying to test a site-to-site VPN/VLAN on ... basic format as shown below:

    PC-1 (150.150.160.10/24) --> SRX300 (150.150.160.3/24) <--- Site-to-Site IPSEC ---> SRX300 (150.150.160.2) ---> PC-2 (150.150.160.9/24)

    The IPsec tunnel is up for both IKE and IPsec, so there is no issue there.
    From PC-1 I can ping the gateway 10.10.10.3 and from PC-2 I can ping the gateway 10.10.10.2, so there is no issue there.
    I have interface fe-0/0/2.0 as the VLAN entry interface on both SRX's and have the VLAN assigned to the interface.
    I have the layer 3 addresses (as shown above) assigned to the VLAN.
    Routing to st0.0 is in place.

    Config of SRX-1:
    set version 12.1X44.5
    set system host-name pokemon-1
    set system root-authentication encrypted-password "$1$aGS4Pthu$E.vGnopiLEOKAaXkcaPcN0"
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
    set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
    set system services dhcp propagate-settings fe-0/0/0.0
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set interfaces fe-0/0/0 unit 0
    set interfaces fe-0/0/1 description ipsec-tunnel-phase1-pokemon
    set interfaces fe-0/0/1 unit 0 family inet address 150.150.150.2/24
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members pokemon-1
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces pt-1/0/0 unit 0
    set interfaces st0 unit 0 family inet address 150.150.151.49/30
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set interfaces vlan unit 247 family inet address 150.150.160.3/24
    set routing-options static route 0.0.0.0/0 next-hop st0.0
    set routing-options static route 150.150.160.10/32 next-hop st0.0
    set protocols stp
    set security ike proposal pokemon-ike-proposal authentication-method pre-shared-keys
    set security ike proposal pokemon-ike-proposal dh-group group2
    set security ike proposal pokemon-ike-proposal authentication-algorithm sha1
    set security ike proposal pokemon-ike-proposal encryption-algorithm aes-128-cbc
    set security ike proposal pokemon-ike-proposal lifetime-seconds 86400
    set security ike policy pokemon-ike-policy mode main
    set security ike policy pokemon-ike-policy proposals pokemon-ike-proposal
    set security ike policy pokemon-ike-policy pre-shared-key ascii-text "$9$iHPQF39pOR6987VYZG69Atu1"
    set security ike gateway pokemon-gw ike-policy pokemon-ike-policy
    set security ike gateway pokemon-gw address 150.150.150.1
    set security ike gateway pokemon-gw dead-peer-detection always-send
    set security ike gateway pokemon-gw external-interface fe-0/0/1.0
    set security ipsec proposal pokemon-ipsec-proposal protocol esp
    set security ipsec proposal pokemon-ipsec-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal pokemon-ipsec-proposal encryption-algorithm aes-128-cbc
    set security ipsec proposal pokemon-ipsec-proposal lifetime-seconds 3600
    set security ipsec policy pokemon-ipsec-policy perfect-forward-secrecy keys group2
    set security ipsec policy pokemon-ipsec-policy proposals pokemon-ipsec-proposal
    set security ipsec vpn pokemon-vpn bind-interface st0.0
    set security ipsec vpn pokemon-vpn ike gateway pokemon-gw
    set security ipsec vpn pokemon-vpn ike ipsec-policy pokemon-ipsec-policy
    set security ipsec vpn pokemon-vpn establish-tunnels immediately
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone trust interfaces st0.0
    set security zones security-zone trust interfaces fe-0/0/1.0
    set security zones security-zone trust interfaces vlan.247
    set security zones security-zone trust interfaces fe-0/0/2.0
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
    set vlans pokemon vlan-id 30
    set vlans pokemon-1 vlan-id 247
    set vlans pokemon-1 l3-interface vlan.247
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

    Config of SRX-2:
    set version 11.4R7.5
    set system host-name pokemon-2
    set system root-authentication encrypted-password "$1$d5Gg61kC$2nQ400S4.6Lijaghh7av40"
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
    set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
    set system services dhcp propagate-settings fe-0/0/0.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0
    set interfaces fe-0/0/1 description ipsec-tunnel-phase1-pokemon
    set interfaces fe-0/0/1 unit 0 family inet address 150.150.150.1/24
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members pokemon-1
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces pt-1/0/0 unit 0
    set interfaces st0 unit 0 family inet address 150.150.151.50/30
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set interfaces vlan unit 247 family inet address 150.150.160.2/24
    set routing-options static route 0.0.0.0/0 next-hop st0.0
    set routing-options static route 150.150.160.9/32 next-hop st0.0
    set protocols stp
    set security ike proposal pokemon-ike-proposal authentication-method pre-shared-keys
    set security ike proposal pokemon-ike-proposal dh-group group2
    set security ike proposal pokemon-ike-proposal authentication-algorithm sha1
    set security ike proposal pokemon-ike-proposal encryption-algorithm aes-128-cbc
    set security ike proposal pokemon-ike-proposal lifetime-seconds 86400
    set security ike policy pokemon-ike-policy mode main
    set security ike policy pokemon-ike-policy proposals pokemon-ike-proposal
    set security ike policy pokemon-ike-policy pre-shared-key ascii-text "$9$0QWfOEyleWx-wvWjqfzCAvWLX7V"
    set security ike gateway pokemon-gw ike-policy pokemon-ike-policy
    set security ike gateway pokemon-gw address 150.150.150.2
    set security ike gateway pokemon-gw dead-peer-detection always-send
    set security ike gateway pokemon-gw external-interface fe-0/0/1.0
    set security ipsec proposal pokemon-ipsec-proposal protocol esp
    set security ipsec proposal pokemon-ipsec-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal pokemon-ipsec-proposal encryption-algorithm aes-128-cbc
    set security ipsec proposal pokemon-ipsec-proposal lifetime-seconds 3600
    set security ipsec policy pokemon-ipsec-policy perfect-forward-secrecy keys group2
    set security ipsec policy pokemon-ipsec-policy proposals pokemon-ipsec-proposal
    set security ipsec vpn pokemon-vpn bind-interface st0.0
    set security ipsec vpn pokemon-vpn ike gateway pokemon-gw
    set security ipsec vpn pokemon-vpn ike ipsec-policy pokemon-ipsec-policy
    set security ipsec vpn pokemon-vpn establish-tunnels immediately
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
    set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone trust interfaces st0.0
    set security zones security-zone trust interfaces fe-0/0/1.0
    set security zones security-zone trust interfaces vlan.247
    set security zones security-zone trust interfaces fe-0/0/2.0
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services tftp
    set vlans pokemon-1 vlan-id 247
    set vlans pokemon-1 l3-interface vlan.247
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

    Anyone have any idea why I cannot ping from one PC to the other? It must be something to do with the routing or policies, but I cannot work out what. Any help would be great.

    Many thanks




    ------------------------------
    Clive Gwyther
    ------------------------------


  • 2.  RE: SRX300 - VLAN not routing

    Posted 04-13-2023 18:30

    Clive,

    I have not loaded your configs, but I think it is a routing/layer 2 issue you are having.  The two PCs are on the same layer 2 network.  When you ping 150.150.160.9 from PC-1, that computer thinks it is on the same subnet, so it ARPs out, "who has 150.150.160.9", looking for the MAC address.  I would change PC-2 to be on the 150.150.161.x/24 network and update the static route on SRX-1.  If you must have them on the same layer-2 network, we would have to try a proxy-ARP setting.  I don't know if that would work since I have never tried it before.




    ------------------------------
    John Lusk
    ------------------------------



  • 3.  RE: SRX300 - VLAN not routing

    Posted 04-21-2023 10:34

    There is a lot of confusion in your description, due to:

    a) Your PCs are using IPs 10.10.10.x, but there is no such IP in your config.
    b) In fact you are using the IPs from your diagram, and here I would say you need to play around with proxy-arp, as you are trying (as John already commented) to use the same /24.

    BR



    ------------------------------
    Andrei Cebotareanu
    ------------------------------
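The failure both replies point at (a host in the same /24 ARPs for its peer instead of sending to the SRX), walked through against the posted static routes, as an added example that is not part of the thread or of any Juniper code. It uses only the addressing and static-route lines copied from the two configs plus the PC addresses from the poster's diagram; the "fixed" configs are an assumption about the intended design (each SRX carrying a /32 for the remote PC rather than its own local one). The route lookup is a simplified model of Junos longest-prefix-match with direct/static preferences; IKE, IPsec, zones and policies are deliberately out of scope.

```python
"""
Path analysis for the thread's setup: two hosts in one /24 on opposite ends of a
route-based IPsec VPN. Added example, not code from the thread. It parses the
addressing and static-route lines of the two posted configs and follows a ping
PC-1 -> SRX-1 -> st0.0 -> SRX-2 -> PC-2, applying the two decisions that matter:
the host's on-link test and the router's longest-prefix match.
"""
import ipaddress
import re

# Copied from the posted configs (only the lines this analysis needs).
SRX1_SET = """
set interfaces st0 unit 0 family inet address 150.150.151.49/30
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 247 family inet address 150.150.160.3/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 150.150.160.10/32 next-hop st0.0
"""
SRX2_SET = """
set interfaces st0 unit 0 family inet address 150.150.151.50/30
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 247 family inet address 150.150.160.2/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set routing-options static route 150.150.160.9/32 next-hop st0.0
"""
# Hypothetical corrected versions (assumption): each SRX gets a /32 for the
# *remote* PC instead of the /32 for its own local PC that the thread posted.
SRX1_FIXED = SRX1_SET.replace("150.150.160.10/32", "150.150.160.9/32")
SRX2_FIXED = SRX2_SET.replace("150.150.160.9/32", "150.150.160.10/32")

# PC addresses from the poster's diagram.
PC1 = ipaddress.ip_interface("150.150.160.10/24")
PC2 = ipaddress.ip_interface("150.150.160.9/24")

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")
DIRECT_PREF, STATIC_PREF = 0, 5   # Junos default route preferences


def parse_set_config(text):
    """Return (interfaces, routes).
    interfaces: {'vlan.247': IPv4Interface, ...}
    routes: [(IPv4Network, next_hop_or_interface, preference), ...], including
    the connected routes implied by the interface addresses."""
    interfaces, routes = {}, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            interfaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := ROUTE_RE.match(line):
            routes.append((ipaddress.ip_network(m[1]), m[2], STATIC_PREF))
    for name, addr in interfaces.items():
        routes.append((addr.network, name, DIRECT_PREF))
    return interfaces, routes


def lookup(routes, dst):
    """Longest prefix match, ties broken by lowest preference (simplified Junos order)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2])) if matches else None


def host_is_on_link(pc, dst):
    """A host ARPs directly for anything inside its own prefix; otherwise it uses its gateway."""
    return ipaddress.ip_address(dst) in pc.network


def trace(pc_src, srx_local_cfg, srx_remote_cfg, pc_dst, proxy_arp=False):
    """Follow one ping and return the step where it dies, or 'delivered'.
    proxy_arp=True models the local SRX answering ARP for the remote PC's address."""
    if host_is_on_link(pc_src, pc_dst.ip) and not proxy_arp:
        return "host-arps-for-remote-peer"          # the SRX never sees the packet
    r = lookup(parse_set_config(srx_local_cfg)[1], pc_dst.ip)
    if r is None or not r[1].startswith("st0"):
        return f"local-srx-forwards-via-{r[1] if r else 'nothing'}"
    r = lookup(parse_set_config(srx_remote_cfg)[1], pc_dst.ip)
    if r is None or not r[1].startswith("vlan"):
        return f"remote-srx-forwards-via-{r[1] if r else 'nothing'}"
    return "delivered"


def analyse():
    """The cases a troubleshooter would want to compare, in one dict."""
    return {
        "as_posted": trace(PC1, SRX1_SET, SRX2_SET, PC2),
        "proxy_arp_only": trace(PC1, SRX1_SET, SRX2_SET, PC2, proxy_arp=True),
        "proxy_arp_local_fixed": trace(PC1, SRX1_FIXED, SRX2_SET, PC2, proxy_arp=True),
        "proxy_arp_both_fixed": trace(PC1, SRX1_FIXED, SRX2_FIXED, PC2, proxy_arp=True),
        "proxy_arp_both_fixed_return": trace(PC2, SRX2_FIXED, SRX1_FIXED, PC1, proxy_arp=True),
    }


if __name__ == "__main__":
    for case, result in analyse().items():
        print(f"{case:30s} {result}")
    # Where the posted /32 on SRX-1 sends SRX-1's own local PC:
    print("SRX-1 route for PC-1:", lookup(parse_set_config(SRX1_SET)[1], PC1.ip))
```

Two things fall out of running it. First, as posted, the ping dies before either SRX is involved: PC-1 considers 150.150.160.9 on-link and ARPs for it, which is John's point. Second, answering that ARP on the SRX is not enough on its own, because the posted /32 routes are on the wrong boxes: SRX-1 sends its own PC-1 (150.150.160.10/32) into st0.0 while 150.150.160.9 still matches the connected /24 on vlan.247, and SRX-2 does the mirror image. Only with proxy ARP on both sides and each SRX routing the remote PC's /32 into the tunnel does the trace reach "delivered" in both directions. In Junos the proxy-ARP stanza Andrei and John refer to is normally of the form `set security nat proxy-arp interface vlan.247 address 150.150.160.9/32` on SRX-1 (and the .10/32 on SRX-2); whether that is supported on a `vlan` IFL on these exact releases is an assumption to verify on the box. Putting the two PCs in different subnets, as John suggests, removes the ARP step entirely and is the simpler design.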