Topic: SRX NAT-T Issues

nanomoog

SRX NAT-T Issues
« on: August 02, 2012, 04:19:01 am »
I'm seeing an issue with a site-2-site VPN through NAT.

P1 and P2 negotiate fine, but the negotiated ports don't match:

root@FW-SRX240> show security ipsec security-associations
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 xx.x.xxx.xxx   32652 ESP:aes-128/sha1 cd780d82 28795/unlim  -   root
  >131073 xx.x.xxx.xxx   32652 ESP:aes-128/sha1 dd980131 28795/unlim  -   root


fwadmin@srx100> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:aes-128/sha1 719ec4e3 28732/unlim U  root 4500  194.83.179.146 
  >131073 ESP:aes-128/sha1 f8ad5a16 28732/unlim U  root 4500  194.83.179.146 


I can see both ends encrypt traffic to the destination, yet not decrypt, e.g. :

root@FW-SRX240> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:             2776
  Decrypted bytes:                0
  Encrypted packets:             19
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0


This is the SRX100 end (the dynamic, NAT'd side):

proposal PSK-G2-AES128-SHA1 {
    description "IKE proposal Pre-shared-key Group 2 AES-128 SHA-1";
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy IKE-Policy {
    mode aggressive;
    description "IKE Policy";
    proposals PSK-G2-AES128-SHA1;
    pre-shared-key ascii-text "$9$VhbgaGDkqP5GDCtOBSy24aUk.TQn"; ## SECRET-DATA
}
gateway IKE-Gateway-XXX {
    ike-policy IKE-Policy;
    address xxx.xx.xxx.xxx;
    local-identity user-at-hostname "xxxxxx@nptremote";
    external-interface fe-0/0/0.0;
}


fwadmin@SRX100> show configuration security ipsec 
proposal ESP-AES128-SHA1 {
    description "IPSEC proposal ESP AES-128 SHA-1";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy IPSEC-Policy {
    description "IPSEC Policy for VPN";
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ESP-AES128-SHA1;
}
vpn IPSEC_VPN {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
        source-interface vlan.50;
        destination-ip 10.10.20.2;
    }
    ike {
        gateway IKE-Gateway-NPT;
        ipsec-policy IPSEC-Policy;
    }
    establish-tunnels immediately;
}



fwadmin@SRX100> show configuration security zones security-zone VPN       
tcp-rst;
address-book {
    address NET_10.0.0.0/8 {
        description "Internal Addresses";
        10.0.0.0/8;
    }
    address NET_172.16.0.0/12 {
        description "Internal Addresses";
        172.16.0.0/12;
    }
    address NET_192.168.0.0/16 {
        description "Internal Addresses";
        192.168.0.0/16;
    }
    address-set RFC_1918 {
        address NET_10.0.0.0/8;
        address NET_172.16.0.0/12;
        address NET_192.168.0.0/16;
    }
}
host-inbound-traffic {
    system-services {
        ssh;
        ping;
        all;
    }
}
interfaces {
    st0.0;
}


This is the SRX240 side (fixed IP address, hub site):

root@FW-SRX240> show configuration interfaces st0
description "Tunnel interface to XXXXXXXX";
unit 0 {
    family inet;
}

root@FW-SRX240> show configuration security ike
proposal PSK-G2-AES128-SHA1 {
    description "IKE proposal Pre-shared-key Group 2 AES-128 SHA-1";
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy IKE-Policy {
    mode aggressive;
    description "IKE Policy";
    proposals PSK-G2-AES128-SHA1;
    pre-shared-key ascii-text "$9$mPzn9A0OIE9AM87NY2QFnC0Bhcl"; ## SECRET-DATA
}
gateway IKE-Gateway-XXXXX {
    ike-policy IKE-Policy;
    dynamic user-at-hostname "xxxxxx@nptremote";
    external-interface vlan.2;
}


root@FW-SRX240> show configuration security ipsec
proposal ESP-AES128-SHA1 {
    description "IPSEC proposal ESP AES-128 SHA-1";
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy IPSEC-Policy {
    description "IPSEC Policy for VPN";
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ESP-AES128-SHA1;
}
vpn IPSEC_VPN_XXXXXX {
    bind-interface st0.0;
    ike {
        gateway IKE-Gateway-XXXXXX;
        ipsec-policy IPSEC-Policy;
    }
}

root@FW-SRX240> show configuration security zones security-zone NPT_VPNs
host-inbound-traffic {
    system-services {
        traceroute;
        ping;
        ike;
    }
}
interfaces {
    st0.0;
}


If I remove the NAT router and amend the external IP address on the SRX100 to an address in the same subnet as the SRX240, all works fine. So I know that the base config works correctly.

So... what am I missing?
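The two SA tables and the ESP counters quoted in this post, cross-checked by a short parser. This is an added example, not code from the thread or from Juniper. It reads the outputs exactly as posted (the masked xx.x.xxx.xxx address included), keys each row by the header line because the two Junos releases print the columns in a different order, and then applies three checks worth making before reading IKE traces: whether the SA is UDP-encapsulated and which peer port each end sees, whether the SPIs pair up across the two captures, and whether the encrypt-but-never-decrypt counters come with integrity errors (a keying problem) or without them (packets never reaching the SA). The heuristics in diagnose() are the example's own, not Junos logic.

```python
"""Cross-check the SA tables and ESP counters from both ends of the tunnel.
Added example, not from the forum thread. Sample text is copied from the post
(masked xx.x.xxx.xxx included); diagnose() holds this example's own heuristics."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Column order differs between the two Junos releases, so rows are keyed by header.
SA_HUB_SRX240 = """\
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 xx.x.xxx.xxx   32652 ESP:aes-128/sha1 cd780d82 28795/unlim  -   root
  >131073 xx.x.xxx.xxx   32652 ESP:aes-128/sha1 dd980131 28795/unlim  -   root
"""
SA_SPOKE_SRX100 = """\
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:aes-128/sha1 719ec4e3 28732/unlim U  root 4500  194.83.179.146
  >131073 ESP:aes-128/sha1 f8ad5a16 28732/unlim U  root 4500  194.83.179.146
"""
STATS_HUB_SRX240 = """\
ESP Statistics:
  Encrypted packets:             19
  Decrypted packets:              0
Errors:
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

@dataclass
class IpsecSa:
    direction: str   # "<" inbound SA, ">" outbound SA (Junos notation)
    sa_id: int
    gateway: str     # peer address as this box sees it
    port: int        # peer UDP port as this box sees it
    algorithm: str
    spi: str
    monitor: str     # "U"/"D" when vpn-monitor is configured, "-" otherwise

def parse_sa_table(text: str) -> List[IpsecSa]:
    header, sas = None, []
    for raw in text.splitlines():
        ln = raw.strip()
        if ln.startswith("ID "):
            header = ln.split()      # e.g. ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
            continue
        if not ln or header is None or ln[0] not in "<>":
            continue
        tokens = ln.split()
        if len(tokens) != len(header):
            raise ValueError(f"row does not match header: {ln!r}")
        row = dict(zip(header, tokens))
        sas.append(IpsecSa(row["ID"][0], int(row["ID"][1:]), row["Gateway"], int(row["Port"]),
                           row["Algorithm"], row["SPI"], row["Mon"]))
    return sas

_COUNTERS = {
    "encrypted_packets": r"Encrypted packets:\s+(\d+)",
    "decrypted_packets": r"Decrypted packets:\s+(\d+)",
    "esp_auth_failures": r"ESP authentication failures:\s+(\d+)",
    "esp_decrypt_failures": r"ESP decryption failures:\s+(\d+)",
    "bad_headers": r"Bad headers:\s+(\d+)",
}

def parse_stats(text: str) -> Dict[str, int]:
    out = {}
    for key, pat in _COUNTERS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"counter missing: {key}")
        out[key] = int(m.group(1))
    return out

def _pair(sas: List[IpsecSa]):
    """(inbound SA, outbound SA) of a one-tunnel table."""
    return (next(s for s in sas if s.direction == "<"), next(s for s in sas if s.direction == ">"))

def diagnose(hub: List[IpsecSa], spoke: List[IpsecSa], hub_stats: Dict[str, int]) -> List[str]:
    findings = []
    hub_in, hub_out = _pair(hub)
    spoke_in, spoke_out = _pair(spoke)
    # Each box prints the peer's port as it sees it: the NAT'd spoke sends to UDP/4500
    # on the hub, while the hub sees the NAT device's translated source port.
    if spoke_in.port == 4500 and hub_in.port != 4500:
        findings.append(f"NAT-T: spoke reaches hub on UDP/4500, hub sees spoke on translated "
                        f"port {hub_in.port}; the port mismatch is expected with NAT-T.")
    # Hub's inbound SPI must be the spoke's outbound SPI and vice versa; otherwise the
    # two captures show different SA generations and their counters cannot be compared.
    if hub_in.spi != spoke_out.spi or hub_out.spi != spoke_in.spi:
        findings.append("SPI: hub/spoke SPIs do not pair up; re-capture both ends at the "
                        "same moment before comparing counters.")
    # Encrypt-but-never-decrypt with zero integrity/decryption errors means inbound ESP
    # is not reaching this SA at all (path, NAT mapping, filtering), not a key mismatch.
    if hub_stats["encrypted_packets"] > 0 and hub_stats["decrypted_packets"] == 0:
        errors = (hub_stats["esp_auth_failures"] + hub_stats["esp_decrypt_failures"]
                  + hub_stats["bad_headers"])
        findings.append("ONE-WAY: ESP sent, none decrypted, " + (
            "zero integrity errors: inbound packets never reach the SA."
            if errors == 0 else f"{errors} integrity errors: suspect key/proposal mismatch."))
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_sa_table(SA_HUB_SRX240), parse_sa_table(SA_SPOKE_SRX100),
                         parse_stats(STATS_HUB_SRX240)):
        print(line)
```

Run as-is it reports all three findings for the posted captures: the port asymmetry is normal for NAT-T, the SPIs in the two captures do not pair (so they were not taken at the same time, and the counters should be re-captured together), and the hub is sending ESP that never comes back with no integrity errors counted. To use it on your own boxes, paste the current `show security ipsec security-associations` and `show security ipsec statistics` output into the three constants.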

nanomoog

Re: SRX NAT-T Issues
« Reply #1 on: August 03, 2012, 06:16:04 am »
Come on you beautiful people.

One of you must know the error of my ways.  :)

screenie.

Re: SRX NAT-T Issues
« Reply #2 on: September 15, 2012, 05:42:37 pm »
It should work I think, UDP 4500 is the active port, so NAT traversal. Did you try a trace on IKE? set security ike traceoptions etc.
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI