Category Archives: ipsec

IPsec NULL Encryption & NULL Authentication

Have you ever wanted to test an IPsec tunnel but see the packets in clear text instead of encrypted gibberish? One of the ways, and to me the easiest one, is to use NULL encryption. In this post we will see how we can leverage this no-encryption method. Below is our topology.

NULL-encryption-topology

We will first enable NULL encryption and then see what it means for us in practice. I am not sharing the entire config, only what we need to enable this.
Continue reading

Practical guide to IPsec DPD

Finally my virtual SRX lab is ready for my DPD tests. As you might know, DPD (Dead Peer Detection) is a method used to detect whether an IPsec peer is alive or not. Here we will see the ways DPD can be configured and also why we really need a monitoring method like DPD. I will probably talk about VPN monitoring in a different post, though.

For DPD tests, I will use the following IPsec topology.

ipsec-route-based-topology-lab1007

Test Environment

Continue reading

Certificate VPN troubleshooting

I am going to break my certificate VPN setup in this post and see what sort of log messages we get. If you are looking for how to set up a certificate-based IPSEC VPN on SRX, you can check my other post.

ipsec_cert_vpn_auth_error

I already have an established tunnel between the two peers you can see in the topology.

Let’s check CO-A cluster side status first.

Continue reading

Effects of packet drop and latency on IPSEC tunnels

When I was a junior engineer, I used to go to customer sites to install leased line modems and perform the initial quality checks of the lines. The most critical moment after provisioning the line was sending the first 100 ICMP packets to see whether there was any packet loss, and even a single lost packet was a nightmare for us, because we had to find out where the packet was really lost: starting from the physical layer, i.e. checking cabling or, if it was a wireless link, checking weather conditions etc. 🙂, and then moving on to protocol level investigations. If we were lucky, it was our own problem and no Telco involvement was required. If it was a Telco problem, unfortunately it was worse, as convincing the Telco that they had a problem wasn't really an easy task during that period.
I have started with a little story, but in today's networks packet loss isn't so common. Still, it happens, and if you have a satellite link, latencies might go up to 1000ms or even more. I will do some experimental work here on how IPSEC tunnel establishment might be affected by packet loss and latency.

IPSEC LAB 13:
IPSEC_13_effects_of_packet_drop_jitter_latency

For this lab, we are going to use the above topology in which there is an established IPSEC tunnel between branchG and CO-A-1 SRX devices.

First of all we test the round trip times between each of the IPSEC end points.

Continue reading

IPSEC between SRX and VYOS

I wasn't aware of the VYOS security device until I went searching for a virtual Vyatta appliance. Then I learned that Vyatta was actually acquired by Brocade, and after that a community fork of Vyatta, which is now VYOS, was brought to life. VYOS uses strongswan for IPSEC, and in this post I will show how you can configure a simple site-to-site IPSEC VPN between an SRX security device and VYOS. Let's dive right into the config.

vyatta_vyos_srx_ipsec

First configure IKE and IPSEC on SRX side.

Continue reading

IPSEC Traffic Selector in SRX

Starting from the 12.1X46-D10 release, SRX has a new feature called traffic selector. Details of the feature can be found on the Juniper page. In a nutshell, it is similar to the proxy-id but has some major differences. By using proxy-ids we can, for example, establish two IPSEC tunnels to the same tunnel end point, or use them when the other end point is another vendor's device. However, a proxy-id doesn't really enforce anything in forwarding. Let's explain the feature by using a topology:

traffic_selector

In this topology I have two different networks on each side of the end point and I would like to protect the traffic between them, for example NET1-NET1 and NET2-NET2 traffic. As I assume you are already familiar with SRX IPSEC configuration, I will only show here what is different from a standard config.

Continue reading

IPSEC between StrongSwan and SRX

In one of my earlier posts I provided my configuration for an IPSEC VPN setup between an SRX firewall and Linux with racoon. In this post, I will explain how you can set up a route-based IPSEC tunnel between StrongSwan (pre-shared key) and an SRX firewall. The topology of my setup is below:

strong_swan

Tunnel Peers: debian1 and j41
Tunnel End point addresses: debian1(192.168.3.11) — j41(212.45.64.2)
Protected Networks: debian1(10.33.1.0/24) — j41(10.34.1.0/24)
SRX Junos Release: 12.1X46-D15.3
StrongSwan Release: 4.5.2-1.5+deb7u2

LINUX

Create your strongswan configuration files as below:

/etc/ipsec.conf

Continue reading