Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Author: mandrei99
Posted: Tue Oct 29, 2013 9:22 am

Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT.

Juniper SRX Spoke-to-Spoke IPSEC VPN when both spokes are behind NAT.
Attachment: srx-ipsec-vpn-spoke-behind-nat.png (test diagram)

While researching the Juniper SRX IPSEC VPN documentation and all the diverse scenarios, I noticed there is no documentation/KB article that describes the situation when one needs to connect two SRX spokes, two endpoints, when both of them are behind NAT, as in the above test diagram.

As a dependency, one of the spokes needs to be behind static NAT, for reasons explained later in this article.

In the diagram, SRX2 is the node behind static NAT. All IP packets sourced from 192.168.0.254 will be source NATed to 10.0.0.3 and all IP packets destined for 10.0.0.3 will be destination NATed to 192.168.0.254. This part of the configuration is irrelevant for now.

The IKE configuration as well as the interface configuration on both boxes is shown below.

SRX1 - Interface and IKE configuration:
Code:
root@SRX1# show security ike         
traceoptions {
    file kmd size 10m;
}
proposal IKE-SECURE-PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy IKE-SECURE-POLICY {
    mode aggressive;
    proposals IKE-SECURE-PROPOSAL;
    pre-shared-key ascii-text "$9$GCjkPFnCBIc5QIcylLXUjHq5Q369pO1"; ## SECRET-DATA
}
gateway IKE-GW-DYNAMIC {
    ike-policy IKE-SECURE-POLICY;
    address 10.0.0.3;
    local-identity user-at-hostname "test@ivorde.ro";
    external-interface ge-0/0/15;
}

[edit]
root@SRX1# show interfaces ge-0/0/15
unit 0 {
    family inet {
        address 192.168.0.10/24;
    }
}


SRX2 - Interface and IKE configuration:
Code:
root@SRX2# show security ike
traceoptions {
    file kmd size 10m;
}
proposal IKE-SECURE-PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy IKE-SECURE-POLICY {
    mode aggressive;
    proposals IKE-SECURE-PROPOSAL;
    pre-shared-key ascii-text "$9$5znCO1hKMXtuMX7-2gTz36tuBIEyev"; ## SECRET-DATA
}
gateway IKE-GW-DYNAMIC {
    ike-policy IKE-SECURE-POLICY;
    dynamic user-at-hostname "test@ivorde.ro";
    external-interface ge-0/0/15;
}

[edit]
root@SRX2# show interfaces ge-0/0/15
unit 0 {
    family inet {
        address 192.168.0.254/24;
    }
}


So both devices reside in the same private IP space, with source NAT on one side and static NAT on the other side (SRX2).

The above configuration is missing something on SRX2 (the SRX behind static NAT).

As seen in all the documentation, to support IPsec VPN road warriors (i.e. dynamic clients), IKE needs to use a "dynamic" identity, as seen on SRX2, and no local identity. This is because most scenarios rely on the fact that the IKE gateway is using a fixed public IP address that gets sent as the identity by default.

Below is a tcpdump pcap capture on the SRX2 node:
Code:
tcpdump -nni ge-0/0/15 -s1500 -v port 500
Address resolution is OFF.
Listening on ge-0/0/15, capture size 1500 bytes

13:02:15.727577  In IP (tos 0xc0, ttl  63, id 62271, offset 0, flags [none], proto: UDP (17), length: 554) 10.0.0.2.500 > 192.168.0.254.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1 spi=656f7e0a1b7462c5
            (t: #0 id=ike (type=enc value=0007)(type=keylen value=0100)(type=group desc value=0005)(type=hash value=0004)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)(type=auth value=preshared))))
    (ke: key len=192)
    (nonce: n len=16)
    (id: idtype=user FQDN protoid=ip port=0 len=14 test@ivorde.ro)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=28)
13:02:15.778798 Out IP (tos 0xc0, ttl  64, id 28903, offset 0, flags [none], proto: UDP (17), length: 644) 192.168.0.254.500 > 10.0.0.2.500: isakmp 1.0 msgid 00000000: phase 1 R agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=0007)(type=keylen value=0100)(type=group desc value=0005)(type=hash value=0004)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)(type=auth value=preshared))))
    (ke: key len=192)
    (nonce: n len=16)
    (id: idtype=IPv4 protoid=ip port=0 len=4 192.168.0.254)
    (hash: len=32)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=28)
    (#20)
    (#20)



As seen in the second packet, SRX2 sends its identity as the outgoing IP (192.168.0.254), which will confuse SRX1 as it knows the gateway's IP is 10.0.0.3.

Obviously this fails with reason "iked_pm_ike_sa_done ID validation fails".

Fixing this needs the IKE gateway to send its identity as the IP that will be used when outgoing packets are source NATed:
Code:
[edit]
root@SRX2# set security ike gateway IKE-GW-DYNAMIC local-identity inet 10.0.0.3 

[edit]
root@SRX2# commit


And here is the difference:
Code:
13:20:06.066814  In IP (tos 0xc0, ttl  63, id 446, offset 0, flags [none], proto: UDP (17), length: 554) 10.0.0.2.500 > 192.168.0.254.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1 spi=0c9986425448edc1
            (t: #0 id=ike (type=enc value=0007)(type=keylen value=0100)(type=group desc value=0005)(type=hash value=0004)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)(type=auth value=preshared))))
    (ke: key len=192)
    (nonce: n len=16)
    (id: idtype=user FQDN protoid=ip port=0 len=14 test@ivorde.ro)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=28)
13:20:06.118367 Out IP (tos 0xc0, ttl  64, id 32510, offset 0, flags [none], proto: UDP (17), length: 644) 192.168.0.254.500 > 10.0.0.2.500: isakmp 1.0 msgid 00000000: phase 1 R agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=0007)(type=keylen value=0100)(type=group desc value=0005)(type=hash value=0004)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)(type=auth value=preshared))))
    (ke: key len=192)
    (nonce: n len=16)
    (id: idtype=IPv4 protoid=ip port=0 len=4 10.0.0.3)
    (hash: len=32)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=28)
    (#20)
    (#20)


And the IKE phase 1 SA is up:
Code:
root@SRX1> show security ike sa   
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
5477632 UP     0c9986425448edc1  a0db104dec71e391  Aggressive     10.0.0.3       

root@SRX1> show security ike active-peer
Remote Address                      Port     Peer IKE-ID                         XAUTH username                      Assigned IP
10.0.0.3                            4500     10.0.0.3                         
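The ID check that produces "ID validation fails" above can be replayed offline from the tcpdump text, which is useful when you have a capture but no access to the kmd trace on the far side. The script below is an added example and not part of the original post or of Junos; it parses the packet header and ID payload lines as tcpdump -v prints them, models the two gateway stanzas from the post, and applies the rule the post demonstrates: a peer configured with a static `address` and no `remote-identity` must present that address as an IPv4 ID, while a `dynamic` peer is matched on the configured dynamic identity. The `remote-identity` branch and the `IkeGateway` class are my own simplified model of the Junos stanza, not its real data structure. The sample captures are the header and ID lines of the two captures shown above, with the other payload lines dropped. Note that aggressive mode puts the ID payload on the wire unencrypted, which is why tcpdump can print it and why anyone on the path sees the identities; with pre-shared keys it also exposes a hash that can be brute-forced offline, so the PSK in this setup must be long and random.

```python
"""Replay the IKEv1 aggressive-mode peer-ID check from tcpdump text.
Added example; the gateway model is a hypothetical subset of the Junos
'security ike gateway' stanza, not Junos code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Packet header as tcpdump -v prints it, e.g.
# 13:02:15.727577  In IP (...) 10.0.0.2.500 > 192.168.0.254.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
PKT_RE = re.compile(
    r"^\S+\s+(?P<dir>In|Out) IP .*?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): isakmp .*?phase 1 (?P<role>[IR]) agg:"
)
# ID payload line, e.g. "(id: idtype=user FQDN protoid=ip port=0 len=14 test@ivorde.ro)"
ID_RE = re.compile(r"\(id: idtype=(?P<type>.+?) protoid=\S+ port=\d+ len=\d+ (?P<value>[^\s)]+)\)")


@dataclass(frozen=True)
class IkeId:
    id_type: str  # tcpdump spelling: "IPv4", "FQDN" or "user FQDN"
    value: str


@dataclass
class IkeGateway:
    """Hypothetical model of the parts of a 'security ike gateway' stanza that decide
    which peer ID is accepted. Exactly one of address / dynamic is set, as on SRX1 and SRX2."""
    address: Optional[str] = None            # 'address 10.0.0.3'
    dynamic: Optional[IkeId] = None          # 'dynamic user-at-hostname "..."'
    remote_identity: Optional[IkeId] = None  # 'remote-identity ...' (not used in the post)


def expected_peer_id(gw: IkeGateway) -> IkeId:
    """Static 'address' with no remote-identity: the peer must present that address as an
    IPv4 ID. That is the rule SRX2's pre-fix ID of 192.168.0.254 breaks on SRX1."""
    if gw.remote_identity:
        return gw.remote_identity
    if gw.dynamic:
        return gw.dynamic
    if gw.address:
        return IkeId("IPv4", gw.address)
    raise ValueError("gateway needs address, dynamic or remote-identity")


def parse_capture(text: str) -> List[dict]:
    """One dict per ISAKMP packet: direction, addresses, initiator/responder role, ID payload."""
    pkts: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PKT_RE.match(line)
        if m:
            pkts.append({"dir": m["dir"], "src": m["src"], "dst": m["dst"],
                         "role": m["role"], "id": None})
            continue
        m = ID_RE.search(line)
        if m and pkts:
            pkts[-1]["id"] = IkeId(m["type"], m["value"])
    return pkts


def validate_peer_id(gw: IkeGateway, pkt: dict) -> Tuple[bool, str]:
    """Compare the ID the peer sent with what this gateway stanza will accept."""
    want, got = expected_peer_id(gw), pkt["id"]
    if got is None:
        return False, "no ID payload in packet"
    if got == want:
        return True, f"peer ID {got.id_type} {got.value} matches gateway"
    return False, (f"ID validation fails: got {got.id_type} {got.value}, "
                   f"expected {want.id_type} {want.value}")


# Gateway stanzas as configured in the post.
SRX1_GW = IkeGateway(address="10.0.0.3")
SRX2_GW = IkeGateway(dynamic=IkeId("user FQDN", "test@ivorde.ro"))


def check_exchange(capture: str, srx1: IkeGateway = SRX1_GW,
                   srx2: IkeGateway = SRX2_GW) -> Dict[str, Tuple[bool, str]]:
    """The capture was taken on SRX2: the 'I' packet is SRX1's (checked against SRX2's
    stanza) and the 'R' packet is SRX2's reply (checked against SRX1's stanza)."""
    results: Dict[str, Tuple[bool, str]] = {}
    for pkt in parse_capture(capture):
        if pkt["role"] == "I":
            results["srx2_validates_initiator"] = validate_peer_id(srx2, pkt)
        else:
            results["srx1_validates_responder"] = validate_peer_id(srx1, pkt)
    return results


# Header and ID lines of the two captures in the post (other payload lines dropped).
CAPTURE_BEFORE_FIX = """\
13:02:15.727577  In IP (tos 0xc0, ttl  63, id 62271, offset 0, flags [none], proto: UDP (17), length: 554) 10.0.0.2.500 > 192.168.0.254.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
    (id: idtype=user FQDN protoid=ip port=0 len=14 test@ivorde.ro)
13:02:15.778798 Out IP (tos 0xc0, ttl  64, id 28903, offset 0, flags [none], proto: UDP (17), length: 644) 192.168.0.254.500 > 10.0.0.2.500: isakmp 1.0 msgid 00000000: phase 1 R agg:
    (id: idtype=IPv4 protoid=ip port=0 len=4 192.168.0.254)
"""
CAPTURE_AFTER_FIX = """\
13:20:06.066814  In IP (tos 0xc0, ttl  63, id 446, offset 0, flags [none], proto: UDP (17), length: 554) 10.0.0.2.500 > 192.168.0.254.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
    (id: idtype=user FQDN protoid=ip port=0 len=14 test@ivorde.ro)
13:20:06.118367 Out IP (tos 0xc0, ttl  64, id 32510, offset 0, flags [none], proto: UDP (17), length: 644) 192.168.0.254.500 > 10.0.0.2.500: isakmp 1.0 msgid 00000000: phase 1 R agg:
    (id: idtype=IPv4 protoid=ip port=0 len=4 10.0.0.3)
"""

if __name__ == "__main__":
    for name, cap in (("before fix", CAPTURE_BEFORE_FIX), ("after fix", CAPTURE_AFTER_FIX)):
        for side, (ok, why) in check_exchange(cap).items():
            print(f"{name}: {side}: {'OK' if ok else 'FAIL'} - {why}")
```

Run it as-is and the "before fix" responder check fails with the same mismatch the kmd trace reports (got 192.168.0.254, expected 10.0.0.3), while the initiator's user FQDN passes on SRX2 in both captures. To reuse it on your own capture, feed `tcpdump -nni <if> -v port 500` output to `parse_capture` and build `IkeGateway` objects from the two gateway stanzas.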




