Author Topic: VPN policy based - SRX to SSG5  (Read 4248 times)

apedersen

VPN policy based - SRX to SSG5
« on: April 04, 2012, 08:34:22 am »
I'm having issues pinging from my SRX router over to my SSG5 router; I can't find what's wrong with my configuration. There are no issues pinging from the SSG5 to my hosts behind the SRX router.


I have followed this tutorial:
http://www.juniper.net/techpubs/en_US/junos/topics/example/policy-based-vpn-using-j-series-srx-series-device-configuring.html

As I understand from this tutorial, my policy from the management network to the internet is not right, but my order is right, or is it?
See step 23

# run show security policies from-zone management to-zone internet
From zone: management, To zone: internet
  Policy: vpnpolicy-tr-unt, State: enabled, Index: 13, Scope Policy: 0, Sequence number: 1
    Source addresses: local-net
    Destination addresses: remote-net
    Applications: any
    Action: permit, tunnel
  Policy: management-to-internet, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit, log


SRX interface:
vlan.0 is 172.16.20.0/24
ge-0/0/0.0 internet (cloud)

Here is my log when I tried to ping from my SRX device over to the SSG5 device:

# run ping 192.168.222.1 interface vlan.0 count 5
PING 192.168.222.1 (192.168.222.1): 56 data bytes

--- 192.168.222.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Apr  3 20:58:41 20:58:41.927927:CID-0:RT:<172.16.20.1/0->192.168.222.1/42372;1> matched filter local-to-remote:
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:packet [84] ipid = 43457, @42e32e8e
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x42e32c80, rtbl_idx = 0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT: in_ifp <junos-self:.local..0>
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 4ff5f3e8
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:Using out_ifp from pfe_tag with index 68
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:Using vr id from pfe_tag with value= 0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:Over-riding lpak->vsys with 0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  .local..0:172.16.20.1->192.168.222.1, icmp, (8/0)
Apr  3 20:58:41 20:58:41.927927:CID-0:RT: find flow: table 0x4a1aab48, hash 22636(0xffff), sa 172.16.20.1, da 192.168.222.1, sp 0, dp 42372, proto 1, tok 2
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  flow_first_create_session
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <vlan.0> dst_adr 192.168.222.1, sp 0, dp 42372
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  chose interface .local..0 as incoming nat if.
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:flow_first_rule_dst_xlate: packet 172.16.20.1->192.168.222.1 nsp2 0.0.0.0->192.168.222.1.
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 172.16.20.1, x_dst_ip 192.168.222.1, in ifp .local..0, out ifp vlan.0 sp 0, dp 42372, ip_proto 1, tos 0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:Doing DESTINATION addr route-lookup
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  routed (x_dst_ip 192.168.222.1) from junos-self (.local..0 in 0) to ge-0/0/0.0, Next-hop: 123.4.5.6
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  policy search from zone junos-self-> zone internet (0x0,0xa584,0xa584)
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  dip id = 0/0, 172.16.20.1/0->172.16.20.1/0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  choose interface ge-0/0/0.0 as outgoing phy if
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 192.168.222.1, rtt_idx:0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:jsf sess interest check. regd plugins 13
Apr  3 20:58:41 20:58:41.927927:CID-0:RT: Allocating plugin info block for 12 plugin(s) from OL
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id  1, svc_req 0x0. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x2. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id 10, svc_req 0x0. rc 4
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:-jsf int check: plugin id 11, svc_req 0x0. rc 2
Apr  3 20:58:41 20:58:41.927927:CID-0:RT: No JSF plugins enabled for session
Apr  3 20:58:41 20:58:41.927927:CID-0:RT: Releasing plugin info block for 12 plugin(s) to OL
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:flow_first_service_lookup(): natp(0x4c4abb20): app_id, 0(0).
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  service lookup identified service 0.
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:construct v4 vector for nsp2
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  existing vector list 200-458adea8.
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  Session (id:29356) created for first pak 200
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  flow_first_install_session======> 0x4c4abb20
Apr  3 20:58:41 20:58:41.927927:CID-0:RT: nsp 0x4c4abb20, nsp2 0x4c4abb84
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  make_nsp_ready_no_resolve()
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  route lookup: dest-ip 172.16.20.1 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  route to 172.16.20.1
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:Installing c2s NP session wing
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:Installing s2c NP session wing
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  flow got session.
Apr  3 20:58:42 20:58:41.927927:CID-0:RT:  flow session id 29356
Apr  3 20:58:42 20:58:41.927927:CID-0:RT: vector bits 0x200 vector 0x458adea8
Apr  3 20:58:42 20:58:41.927927:CID-0:RT:mbuf 0x42e32c80, exit nh 0x45df22
Apr  3 20:58:42 20:58:41.927927:CID-0:RT:flow_process_pkt_exception: Freeing lpak 48bb9940 associated with mbuf 0x42e32c80
Apr  3 20:58:42 20:58:41.927927:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
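
The trace above already records where the policy lookup happened: the packet sourced from the SRX's own address is routed to ge-0/0/0.0 and policy-searched from zone junos-self to zone internet, whereas the only `permit, tunnel` policy shown is in the management to internet zone pair. The script below is an added example, not code from this post or from Juniper; it automates that comparison. It reads the flow trace and the `show security policies` output, extracts the zone pair the first-path packet was searched in, and checks it against every tunnel policy. The trace and policy lines are copied (abridged) from the post; the second trace, for a packet that entered on vlan.0 from a host, is constructed for contrast and the line formats are assumed to match the Junos release shown here.

```python
"""Check an SRX flow trace against the firewall's tunnel policies.

Added example (not code from the post or from Juniper): it pulls the zone
pair the first-path packet was policy-searched in out of a flow trace and
reports whether any `permit, tunnel` policy exists in that zone pair.
"""
import re
from dataclasses import dataclass
from typing import List

# Decision lines copied from the trace in the post above (abridged).
SAMPLE_TRACE = """\
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  .local..0:172.16.20.1->192.168.222.1, icmp, (8/0)
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  routed (x_dst_ip 192.168.222.1) from junos-self (.local..0 in 0) to ge-0/0/0.0, Next-hop: 123.4.5.6
Apr  3 20:58:41 20:58:41.927927:CID-0:RT:  policy search from zone junos-self-> zone internet (0x0,0xa584,0xa584)
"""

# Constructed counterexample (not from the post): the same lines for a packet
# that entered on vlan.0 from a host in the management zone.
SAMPLE_TRACE_HOST = """\
Apr  3 21:02:10 21:02:10.100000:CID-0:RT:  vlan.0:172.16.20.50->192.168.222.1, icmp, (8/0)
Apr  3 21:02:10 21:02:10.100000:CID-0:RT:  routed (x_dst_ip 192.168.222.1) from management (vlan.0 in 0) to ge-0/0/0.0, Next-hop: 123.4.5.6
Apr  3 21:02:10 21:02:10.100000:CID-0:RT:  policy search from zone management-> zone internet (0x0,0xa584,0xa584)
"""

# `show security policies from-zone management to-zone internet` from the
# post, abridged to the lines the parser reads.
SAMPLE_POLICIES = """\
From zone: management, To zone: internet
  Policy: vpnpolicy-tr-unt, State: enabled, Index: 13, Scope Policy: 0, Sequence number: 1
    Action: permit, tunnel
  Policy: management-to-internet, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Action: permit, log
"""

POLICY_SEARCH = re.compile(r"policy search from zone (\S+?)-> zone (\S+)")
ROUTED = re.compile(r"routed \(x_dst_ip \S+\) from \S+ \(.*?\) to (\S+), Next-hop: (\S+)")
ZONE_PAIR = re.compile(r"From zone: (\S+), To zone: (\S+)")
POLICY_NAME = re.compile(r"Policy: (\S+),")
ACTION = re.compile(r"Action: (.+)")


@dataclass
class FirstPath:
    from_zone: str  # zone the flow module searched policies FROM
    to_zone: str    # zone it searched TO, decided by the route lookup
    out_ifp: str    # egress interface chosen by the route lookup
    next_hop: str


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str     # e.g. "permit, tunnel" or "permit, log"


def parse_first_path(trace: str) -> FirstPath:
    """Pull the route decision and the policy-search zone pair out of a trace."""
    routed = search = None
    for line in trace.splitlines():
        if m := ROUTED.search(line):
            routed = m.groups()
        elif m := POLICY_SEARCH.search(line):
            search = m.groups()
    if routed is None or search is None:
        raise ValueError("trace has no first-path route/policy decision")
    return FirstPath(search[0], search[1], routed[0], routed[1])


def parse_policies(text: str) -> List[Policy]:
    """Parse `show security policies` output into Policy records."""
    policies, from_zone, to_zone, name = [], None, None, None
    for line in text.splitlines():
        if m := ZONE_PAIR.search(line):
            from_zone, to_zone = m.groups()
        elif m := POLICY_NAME.search(line):
            name = m.group(1)
        elif m := ACTION.search(line):
            policies.append(Policy(name, from_zone, to_zone, m.group(1).strip()))
    return policies


def check(trace: str, policies_text: str) -> dict:
    """Say whether a tunnel policy can match the traced first-path packet."""
    fp = parse_first_path(trace)
    tunnel = [p for p in parse_policies(policies_text) if "tunnel" in p.action]
    pair = (fp.from_zone, fp.to_zone)
    matching = [p.name for p in tunnel if (p.from_zone, p.to_zone) == pair]
    if matching:
        verdict = f"searched {pair[0]}->{pair[1]}; tunnel policy {matching[0]} can match"
    else:
        verdict = (f"no tunnel policy in {pair[0]}->{pair[1]}; packet leaves via "
                   f"{fp.out_ifp} (next-hop {fp.next_hop}) without a tunnel")
        if fp.from_zone == "junos-self" and tunnel:
            verdict += (f"; device-originated traffic is zone junos-self, so test "
                        f"from a host in zone {tunnel[0].from_zone} instead")
    return {
        "zone_pair": pair,
        "out_ifp": fp.out_ifp,
        "tunnel_policy_zones": sorted({(p.from_zone, p.to_zone) for p in tunnel}),
        "matching_tunnel_policies": matching,
        "verdict": verdict,
    }
```

Feed `check()` the whole traceoptions file and the full `show security policies` output; the regexes ignore every line they do not need. For the trace in this post it reports that no tunnel policy exists in junos-self to internet and that the packet left via ge-0/0/0.0, which is why the ping never reached the SSG5 even though the tunnel policy is first in its own zone pair; for the constructed host-originated trace it reports that vpnpolicy-tr-unt can match.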

sneuman

Re: VPN policy based - SRX to SSG5
« Reply #1 on: April 24, 2012, 09:42:46 am »
apedersen

I am having the exact same issue; have you resolved it?

apedersen

Re: VPN policy based - SRX to SSG5
« Reply #2 on: April 24, 2012, 09:47:55 am »
I'm sorry, but I have not found any solution for this issue.

But I got my VPN working by using route-based instead; I changed over to route-based since I now need to route more than one network back and forth.


Capt_Winters

Re: VPN policy based - SRX to SSG5
« Reply #4 on: June 27, 2012, 12:33:12 am »
Basically, what Juniper recommends is to use a route-based VPN, utilizing the tunnel interface, if both parties are Juniper.
Some points to consider:
   - creation of tunnel interfaces on both firewalls (st0.0 and tunnel.1, for instance)
   - routing entries for the subnets that will participate in the tunnel, e.g. 192.168.1.0 with next hop tunnel.1
   - policy is important; both firewalls should have the same policy content, /24 to /24
   - enable VPN monitoring, since this is recommended for both Juniper devices
   - VPN policies should be on top
   - initiate a ping from the VPN subnet towards the other site
   - make sure the host's firewall is disabled
   - evaluate the logs and see if there are P1 and P2 errors

my 2 cents,
winters
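
The SRX side of the route-based setup that reply #2 moved to and that the checklist above describes, written out as an added example (not the thread's own configuration and not Juniper's). The subnets 172.16.20.0/24 and 192.168.222.0/24, the zones management and internet, the interfaces vlan.0 and ge-0/0/0.0, and the address names local-net and remote-net come from the first post; the peer address 203.0.113.1, the pre-shared key, the zone name vpn and every proposal, policy and gateway name are assumptions, and the 2012-era algorithm choices (group2, SHA-1, AES-128) are kept only to match an SSG5 of that period and should be raised on current code.

```junos
## 1. Tunnel interface in its own zone (the SSG5 side uses tunnel.1)
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
## IKE must be accepted on the outside interface (skip if already present)
set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

## 2. Routing entry: the route, not a policy action, sends traffic into the tunnel
set routing-options static route 192.168.222.0/24 next-hop st0.0

## 3. Phase 1 and Phase 2; the SSG5 must use the same proposals and PSK
set security ike proposal ike-prop-ssg5 authentication-method pre-shared-keys
set security ike proposal ike-prop-ssg5 dh-group group2
set security ike proposal ike-prop-ssg5 authentication-algorithm sha1
set security ike proposal ike-prop-ssg5 encryption-algorithm aes-128-cbc
set security ike policy ike-pol-ssg5 mode main
set security ike policy ike-pol-ssg5 proposals ike-prop-ssg5
set security ike policy ike-pol-ssg5 pre-shared-key ascii-text "replace-with-a-long-random-key"
set security ike gateway gw-ssg5 ike-policy ike-pol-ssg5
set security ike gateway gw-ssg5 address 203.0.113.1
set security ike gateway gw-ssg5 external-interface ge-0/0/0.0
set security ipsec proposal ipsec-prop-ssg5 protocol esp
set security ipsec proposal ipsec-prop-ssg5 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-ssg5 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol-ssg5 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-ssg5 proposals ipsec-prop-ssg5
set security ipsec vpn vpn-ssg5 bind-interface st0.0
set security ipsec vpn vpn-ssg5 ike gateway gw-ssg5
set security ipsec vpn vpn-ssg5 ike ipsec-policy ipsec-pol-ssg5
## Proxy IDs: /24 to /24, matching the SSG5's Phase 2 IDs exactly
set security ipsec vpn vpn-ssg5 ike proxy-identity local 172.16.20.0/24
set security ipsec vpn vpn-ssg5 ike proxy-identity remote 192.168.222.0/24
## VPN monitoring, and bring the tunnel up without waiting for traffic
set security ipsec vpn vpn-ssg5 vpn-monitor
set security ipsec vpn vpn-ssg5 establish-tunnels immediately

## 4. Plain permit policies between the management and vpn zones, /24 to /24;
##    no "permit tunnel" action is used with a route-based VPN
set security zones security-zone management address-book address local-net 172.16.20.0/24
set security zones security-zone vpn address-book address remote-net 192.168.222.0/24
set security policies from-zone management to-zone vpn policy mgmt-to-ssg5 match source-address local-net
set security policies from-zone management to-zone vpn policy mgmt-to-ssg5 match destination-address remote-net
set security policies from-zone management to-zone vpn policy mgmt-to-ssg5 match application any
set security policies from-zone management to-zone vpn policy mgmt-to-ssg5 then permit
set security policies from-zone vpn to-zone management policy ssg5-to-mgmt match source-address remote-net
set security policies from-zone vpn to-zone management policy ssg5-to-mgmt match destination-address local-net
set security policies from-zone vpn to-zone management policy ssg5-to-mgmt match application any
set security policies from-zone vpn to-zone management policy ssg5-to-mgmt then permit
```

After commit, `show security ike security-associations` and `show security ipsec security-associations` show whether Phase 1 and Phase 2 came up, `show route 192.168.222.1` should resolve to st0.0, and the test ping should come from a host in 172.16.20.0/24 with its own firewall off, as the checklist says. Phase 1 and Phase 2 failures, proxy-ID mismatches in particular, appear in the `messages` log (and in `kmd` when IKE traceoptions are enabled). Because the route rather than a policy selects the tunnel, traffic the SRX itself originates toward 192.168.222.0/24 also follows st0.0, which a policy-based tunnel in a management to internet zone pair does not offer.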