SRX

 View Only
last person joined: 4 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Unable to pass traffic across IPSEC tunnel.

    Posted 11-21-2018 08:31

    I have a VSRX located in AWS and an IPSEC tunnel that is connected to a VPN connection in a different AWS VPC.  The tunnel itself comes up, but I cannot ping the hosts on the other side of it, including the other IP in the interconnect subnet. 

    The tunnel is up:

    ec2-user> show security ipsec inactive-tunnels
      Total inactive tunnels: 0
      Total inactive tunnels with establish immediately: 0

    ec2-user> show security ipsec statistics
    ESP Statistics:
      Encrypted bytes:                0
      Decrypted bytes:            13860
      Encrypted packets:              0
      Decrypted packets:            231
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

     

    The IP configuration on it is about as simple as can be:

    ec2-user> show configuration interfaces st0.1
    enable;
    description VPN-06ab852-1;
    family inet {
        mtu 1436;
        address 169.254.15.246/30;
    }

    As are the security zone and policy settings:

    ec2-user> show configuration security zones
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
            st0.1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }

    ec2-user> show configuration security policies
    from-zone trust to-zone trust {
        policy everything {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    But I cannot ping the far side of the tunnel, even when sourced from it:

    ec2-user> ping 169.254.15.245 source 169.254.15.246
    PING 169.254.15.245 (169.254.15.245): 56 data bytes
    ^C
    --- 169.254.15.245 ping statistics ---
    12 packets transmitted, 0 packets received, 100% packet loss

    I do see traffic coming out of the tunnel interface when I do a packet capture, but I never see anything coming back in:

    16:30:28.794614 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 2, length 64
    16:30:29.794818 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 3, length 64
    16:30:30.795552 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 4, length 64
    16:30:31.796620 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 5, length 64
    16:30:32.796766 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 6, length 64

     

    Any suggestions are welcomed.

     

     



  • 2.  RE: Unable to pass traffic across IPSEC tunnel.

    Posted 11-21-2018 09:46

    Hi,

     

    show security ipsec statistics shows NO encrypted bytes. Can you check the details of your IPSEC-SA e.g. negotiated proxy-id etc. ALso, check the route table for the destination IP that you are trying to ping.

     

    In AWS, we mostly use different routing-instance for the PFE/ge traffic than FXP. Can you try initiating a ping from that routing-instance.

     

    Thanks,

    Vikas

     



  • 3.  RE: Unable to pass traffic across IPSEC tunnel.

    Posted 11-21-2018 10:28

    Thanks for getting back to me Vikas.  Good catch on the lack of encrypted bytes.

    I'm pretty new to Juniper gear, but I have not set up any routing instances, so I think everything is in the same one:

     

    ec2-user> show route instance
    Instance             Type
             Primary RIB                                     Active/holddown/hidden
    master               forwarding
             inet.0                                          9/0/0
             inet6.0                                         1/0/0

    __juniper_private1__ forwarding
             __juniper_private1__.inet.0                     5/0/0

    __juniper_private2__ forwarding
             __juniper_private2__.inet.0                     0/0/1

    __juniper_private3__ forwarding

    __juniper_private4__ forwarding

    __master.anon__      forwarding

    mgmt_junos           forwarding

     

    Here are my SAs:

    ec2-user> show security ipsec security-associations
      Total active tunnels: 1     Total Ipsec sas: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <67108865 ESP:aes-cbc-128/sha1 e7986607 3595/ unlim - root 4500 XXX.YYY.ZZZ.PPP
      >67108865 ESP:aes-cbc-128/sha1 3e2708fb 3595/ unlim - root 4500 XXX.YYY.ZZZ.PPP

    The route is trying to go across the tunnel too.

    ec2-user> show route
    ...
    169.254.15.244/30  *[Direct/0] 00:00:24
                        > via st0.1
    169.254.15.246/32  *[Local/0] 00:00:24
                          Local via st0.1

     



  • 4.  RE: Unable to pass traffic across IPSEC tunnel.
    Best Answer

    Posted 11-21-2018 15:55

    It turns out that the issue was with the tunnel flapping.  It is up and passing traffic now.  Here are how things look.

     

    Sanitized IKE config:

    proposal ike-prop-vpn-06ab852-1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy ike-pol-vpn-06ab852-1 {
        mode main;
        proposals ike-prop-vpn-06ab852-1;
        pre-shared-key ascii-text "*redacted*"; ## SECRET-DATA
    }
    gateway gw-vpn-06ab852-1 {
        ike-policy ike-pol-vpn-06ab852-1;
        address XXX.YYY.ZZZ.PPP;
        dead-peer-detection;
        nat-keepalive 5;
        local-identity inet XXX.YYY.ZZZ.PPP;
        external-interface ge-0/0/0.0;
    }

    IPSEC config:

    proposal ipsec-prop-vpn-06ab852-1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-vpn-06ab852-1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-prop-vpn-06ab852-1;
    }
    vpn VPN-06ab852-1 {
        bind-interface st0.1;
        df-bit copy;
        ike {
            gateway gw-vpn-06ab852-1;
            ipsec-policy ipsec-pol-vpn-06ab852-1;
        }
        establish-tunnels immediately;
    }