IPSEC with Juniper SRX220


IPSEC with Juniper SRX220

Alexandre Westfahl-2
Hi,

I have trouble configuring IPsec on my Soekris 6501 (OBSD 5.7) with a
carrier router (Juniper).
The SA seems to work well: I see packets going out on em0 and also see them on
enc0. However, the other side says nothing comes in, but they also see the SA
working and can see traffic going out.

There may be an explanation for this situation:

   - I have another IPSEC tunnel on the same public IP (both on em0/enc0)
   - the carrier IPs seem to be on the same network, so OBSD may be lost with it


*network*
dmz network (DDD.EEE.FFF.0/28) <--(AAA.BBB.CCC.192)--> Internet <--(GGG.HHH.III.150)--> .... server (GGG.HHH.III.149)



*ipsec.conf:*
//working ipsec tunnel
ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to
192.168.1.0/24 \
local AAA.BBB.CCC.192 \
main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
srcid "gtfwpo192" dstid "pojimusho169" \
psk secret

//carrier ipsec (not working)
ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
srcid "AAA.BBB.CCC.192"   dstid "GGG.HHH.III.150" \
psk secret2


I tried enabling and disabling PF and using super-permissive rules, but nothing
changed.

Do you have some ideas on what it could be?

Thanks in advance!

Re: IPSEC with Juniper SRX220

Claer-2
On Sun, Sep 27 2015 at 42:13, Alexandre Westfahl wrote:
> Hi,
Hello,

>
> I have trouble configuring IPsec on my Soekris 6501 (OBSD 5.7) with a
> carrier router (Juniper).
> The SA seems to work well: I see packets going out on em0 and also see them on
> enc0. However, the other side says nothing comes in, but they also see the SA
> working and can see traffic going out.
>
> There may be an explanation for this situation:
>
>    - I have another IPSEC tunnel on the same public IP (both on em0/enc0)
>    - the carrier IPs seem to be on the same network, so OBSD may be lost with it
>
>
> *network*
> dmz network (DDD.EEE.FFF.0/28) <--(AAA.BBB.CCC.192)--> Internet <--(GGG.HHH.III.150)--> .... server (GGG.HHH.III.149)
If you don't want to show your real addresses, at least use real numbers.

> *ipsec.conf:*
> //working ipsec tunnel
> ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to
> 192.168.1.0/24 \
> local AAA.BBB.CCC.192 \
> main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
> quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
> srcid "gtfwpo192" dstid "pojimusho169" \
> psk secret
>
> //carrier ipsec (not working)
> ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
> local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
> main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
> quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
> srcid "AAA.BBB.CCC.192"   dstid "GGG.HHH.III.150" \
> psk secret2
src and dst ids are not needed.

> I tried enabling and disabling PF and using super-permissive rules, but nothing
> changed.
>
> Do you have some ideas on what it could be?
When debugging IPsec, it is really easy to turn on IKE packet capture
(unencrypted) and then analyse the packets with tcpdump.

See isakmpd -L or 'p=on' on the fifo file.
By default the capture file is located in /var/run/isakmpd.pcap

I usually type tcpdump -nevvs 1550 -r /var/run/isakmpd.pcap |less
to check what's wrong.

With ScreenOS software (not JunOS like you, but they should be similar)
the "encryption domain" is usually set to 0/0 and the OS manages routes
to determine what to send to the tunnel. This will not work with your
configuration, and the network/sysadmin on the other side needs to make
some adjustments.  Do you have the configuration of the other side?

Good luck with troubleshooting.

Claer
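The "encryption domain" mismatch Claer points at can be checked offline before anyone touches the peer. What follows is an added example, not code from this thread, from OpenBSD or from Juniper: a small Python parser for the `ike` rules of ipsec.conf(5) that extracts each rule's traffic selectors (the flows isakmpd proposes as phase 2 proxy IDs), tells you which rule a given packet would be sent through on enc0, checks whether the IKE peer's own address falls inside a selector (the "carrier IPs on the same network" worry from the first post), and compares the local selectors with the ones the peer side is configured for. The configuration embedded in it is constructed, with RFC 5737 documentation addresses standing in for the masked ones in the thread; the function names and the peer selector lists passed to `compare_with_peer` are my own assumptions, not anything isakmpd or the SRX exposes.

```python
"""Added example (not from the thread, OpenBSD or Juniper): compare the traffic
selectors of ipsec.conf(5) 'ike' rules with the selectors the peer proposes."""
import ipaddress
import re

# Constructed ipsec.conf modelled on the thread's, with RFC 5737 documentation
# addresses in place of the masked ones.  It keeps a brace list written both
# with and without commas, and a peer-less passive rule, so the parser copes
# with both forms.
SAMPLE_IPSEC_CONF = """\
ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to \\
192.168.1.0/24 \\
local 203.0.113.192 \\
main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \\
quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \\
psk secret

# carrier tunnel
ike esp from 198.51.100.0/28 to 192.0.2.149/32 \\
local 203.0.113.192 peer 192.0.2.150 \\
main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \\
quick auth hmac-sha2-256 enc aes group none lifetime 86400 \\
psk secret2
"""


def _networks(text):
    """Expand 'a' or '{a, b c}' into a list of ip_network objects."""
    return [ipaddress.ip_network(t, strict=False)
            for t in re.split(r"[\s,]+", text.strip("{} ")) if t]


def parse_ike_rules(conf):
    """Return one dict per 'ike' rule: src/dst selector lists, peer (None = any)
    and whether the rule is passive (responder only)."""
    joined = conf.replace("\\\n", " ")          # fold backslash continuations
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line.startswith("ike"):
            continue
        m = re.search(r"\bfrom\s+(\{[^}]*\}|\S+)\s+to\s+(\{[^}]*\}|\S+)", line)
        if not m:
            raise ValueError("unparsable ike rule: " + line)
        p = re.search(r"\bpeer\s+(\S+)", line)
        rules.append({
            "src": _networks(m.group(1)),
            "dst": _networks(m.group(2)),
            "peer": ipaddress.ip_address(p.group(1)) if p else None,
            "passive": "passive" in line.split(),
        })
    return rules


def flow_for_packet(rules, src, dst):
    """First rule whose selectors cover a packet src -> dst, or None.
    This mirrors the flow lookup the kernel does before a packet appears on enc0."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if any(src in n for n in rule["src"]) and any(dst in n for n in rule["dst"]):
            return rule
    return None


def peer_inside_selector(rule):
    """True if the IKE peer's own address sits inside a destination selector:
    the ESP packets to the peer would then themselves be selected for the tunnel."""
    if rule["peer"] is None:
        return False
    return any(rule["peer"] in n for n in rule["dst"])


def selectors(rule):
    """All (src, dst) pairs the rule proposes as phase 2 proxy IDs."""
    return {(s, d) for s in rule["src"] for d in rule["dst"]}


def compare_with_peer(rule, peer_selectors):
    """Compare our selectors with the peer's, given as (peer_local, peer_remote)
    strings and mirrored into our point of view.  isakmpd only installs the SA
    when the peer's proxy IDs match one of its own flows, so a peer configured
    with 0.0.0.0/0 <-> 0.0.0.0/0 never agrees on a /28 <-> /32 flow."""
    local = selectors(rule)
    peer = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in peer_selectors}
    return {"agreed": sorted(local & peer, key=str),
            "local_only": sorted(local - peer, key=str),
            "peer_only": sorted(peer - local, key=str)}


if __name__ == "__main__":
    rules = parse_ike_rules(SAMPLE_IPSEC_CONF)
    carrier = rules[1]
    hit = flow_for_packet(rules, "198.51.100.5", "192.0.2.149")
    print("packet 198.51.100.5 -> 192.0.2.149 uses rule", rules.index(hit))
    print("peer inside selector:", peer_inside_selector(carrier))
    print("peer with 0/0 domain:", compare_with_peer(carrier, [("0.0.0.0/0", "0.0.0.0/0")]))
    print("peer with exact IDs: ", compare_with_peer(carrier, [("192.0.2.149/32", "198.51.100.0/28")]))
```

Run it as-is and the two `compare_with_peer` lines show the difference between a peer whose domain is 0/0 (nothing agreed, one selector on each side only) and a peer whose proxy IDs mirror the OpenBSD rule exactly (one agreed pair, nothing left over); feed it your own ipsec.conf instead of the constructed string to check the real rules.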

Re: IPSEC with Juniper SRX220

Graeme Lee
In reply to this post by Alexandre Westfahl-2
On 27-Sep 14:42, Alexandre Westfahl wrote:

> Hi,
>
> I have trouble configuring IPsec on my Soekris 6501 (OBSD 5.7) with a
> carrier router (Juniper).
> The SA seems to work well: I see packets going out on em0 and also see them on
> enc0. However, the other side says nothing comes in, but they also see the SA
> working and can see traffic going out.
>
> There may be an explanation for this situation:
>
>     - I have another IPSEC tunnel on the same public IP (both on em0/enc0)
>     - the carrier IPs seem to be on the same network, so OBSD may be lost with it
>
>
> *network*
> dmz network (DDD.EEE.FFF.0/28) <--(AAA.BBB.CCC.192)--> Internet <--(GGG.HHH.III.150)--> .... server (GGG.HHH.III.149)
>
>
>
> *ipsec.conf:*
> //working ipsec tunnel
> ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to
> 192.168.1.0/24 \
> local AAA.BBB.CCC.192 \
> main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
> quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
> srcid "gtfwpo192" dstid "pojimusho169" \
> psk secret
>
> //carrier ipsec (not working)
> ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
> local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
> main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
> quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
> srcid "AAA.BBB.CCC.192"   dstid "GGG.HHH.III.150" \
> psk secret2
Hi Alex.

That looks overly complex.  Try simplifying it first (the OpenBSD config
is so easy!):

ike esp from <source network> to { <destination network/s> } \
  peer <peer address> \
  psk secret

However!  On the Juniper, many things are needed: an IKE policy and
gateway, an IPsec proposal, a policy and a VPN.
Please excuse my indentation and inline comments.

ike policy alex {
    mode main
    proposal-set standard
    pre-shared-key ascii-text secret
}

ike gateway alex {
    ike-policy alex               # the policy defined above
    address <peer address>
    external-interface ....       # this will be ge-0/0/x but NOT a sub-interface
                                  # - always the root.  I happen to be using one
                                  # over a gre tunnel through NAT so I have
                                  # dead-peer-detection running as well
}

ipsec proposal phase2-alex {
    protocol esp
    authentication-algorithm hmac-sha-256-128
    encryption-algorithm aes-128-cbc
}

ipsec policy phase2-alex {        # you can get away with the same name
    proposals phase2-alex         # links the policy to the proposal above
}

ipsec vpn alex {
    ike {
        gateway alex              # must match the gateway name above
        ipsec-policy phase2-alex
    }
    establish-tunnels immediately
}

but wait!  There's more!

You will also need policies on the SRX to apply the security associations.
Let's assume that the SRX local network is trust, and your VPN runs
across the untrust zone.  Zone names are arbitrary.

edit security policies from-zone trust to-zone untrust
policy alex-local-to-vpn {
    match {
        source-address local-ips          # you will need address book entries for these
        destination-address remote-ips    # more address book entries
        application [ allowed-application-sets or any ]
    }
    then {
        permit {
            tunnel {
                ipsec-vpn alex            # the vpn defined above
                pair-policy alex-vpn-to-local   # this is the same policy in reverse.
                                                # yep.  enter it twice.
            }
        }
    }
}

I actually have these deployed.  It does work.

Regards,

Graeme

>
> I tried enabling and disabling PF and using super-permissive rules, but nothing
> changed.
>
> Do you have some ideas on what it could be?
>
> Thanks in advance!