Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT.

Juniper SRX Spoke-to-Spoke IPSEC VPN when both spokes are behind NAT.

While researching on the Juniper SRX IPSEC VPN documentation and all the diverse scenarios, I noticed there is no documentation/kb article that describe the situation when one needs to connect two SRX spokes, two endpoints when both of them are behind NAT as in the above test diagram.

As a dependency, one of the spokes needs to be behind static NAT because of reasons explained later in this article.

In the diagram, SRX2 is the node behind static NAT. All IPs sourced 192.168.0.254 will be sourced NATed to 10.0.0.3 and all IP destined for 10.0.0.3 will be destination NATed to 192.168.0.254. This part of the configuration is irrelevant for now.

Ike configuration as well as interface configuration on both boxes is shown below.

SRX1 - Interface and Ike configuration:


SRX1 - Interface and Ike configuration:


So both devices reside in the same private IP space with source nat on one side and static nat on the other side (SRX2).

The above configuration is missing something on SRX2 (the SRX behind static NAT).

As seen on all documentation, to support Ipsec VPN roadwarriors (i.e. Dynamic clients), ike needs to use "dynamic" identity, as see on SRX2 and no local identity. This is because most scenarios rely on the fact that the IKE gateway is using a fixed public IP address that gets sent as identity by default.

Below is a tcpdump pcap capture on the SRX2 node:


As seen in the second packet, SRX2 sends it's identity as the outgoing IP (192.168.0.254) which will confuse SRX1 as it knows the gateway's IP is 10.0.0.3.

Obviously this fails with reason "iked_pm_ike_sa_done ID validation fails".

Fixing this needs the ike gateway to send it's identity as the IP that will be used when outgoing packets are source NATed:


And here is the difference:


And IKE phase1 SA is up: