Category Archives: ipsec

JNCIE-SEC: IPSEC VPN between SRX and Cisco

In the JNCIE-SEC exam, one of the IPSEC topics is “Interoperability with 3rd party devices”. In one of my previous posts I had already written about this, but this time I will do a policy-based VPN on the SRX side.

[Figure: ipsec_cisco_srx topology]


IPsec TCP-MSS, DF-BIT and Fragmentation

In my previous IPsec troubleshooting post, I didn’t talk about how we approach performance issues. This is probably not a JNCIE-SEC topic, but it is a very important one for real networks.

[Figure: tcp-mss-df-bit-topology2]

In this topology I will examine how throughput changes between the two end points of an IPSEC tunnel depending on the configuration of the IPSEC tunnel.

Change 1) Setting DF-BIT to copy

An IPsec tunnel between J23 and J41 is established and no extra configuration is done. I initiate a huge 1.6GB file download via HTTP.

JNCIE-SEC: Traceoptions & IPSEC troubleshooting

In the IPSEC topic, I am continuing with the traceoptions and troubleshooting section. In this post, I will try to explain how I troubleshoot IPSEC VPNs, mostly the initial setup.


[Figure: ipsec_multipoint_route_policy_based_vpn topology]

One of the challenging parts of JNCIE-SEC must be the troubleshooting part, for which I need to understand what type of error logs are generated under what sort of problems. Because of this, I enabled IKE traceoptions, simulated several types of possible problems and observed the error logs.

But first, let’s see what a successful IKE Phase 1 and IKE Phase 2 log looks like:

PS: All errors below are between the IKE peers 192.168.179.2 and 212.45.64.2.

IKE & IPSEC SUCCESSFUL LOG

Phase 1

You can see the “IKE negotiation done” log here.

JNCIE-SEC Multipoint tunnels/Policy and route based VPNs

After a short introduction to IPSEC, I am continuing with the second and third tasks in the list, which are multipoint tunnels and policy/route-based VPNs. Some of these individual tasks have overlapping case studies, so I may not write a separate post for each task.


Our case study is a company whose headquarters is in Amsterdam and which has two offices, in London and Paris. We will connect these two offices to the Amsterdam HQ via IPSEC tunnels. The London office uses a route-based VPN and the Paris office will connect via a policy-based VPN. Protected networks are assigned to the ge-0/0/1.0 interface of each SRX device.

[Figure: ipsec_multipoint_route_policy_based_vpn topology]

Dual IKE gateway with OSPF

I would like to share some of my IPSEC tests, which I hope are very close to a real-life example. Below is the topology of this lab. The J41 device is the IPSEC hub and the J23 and J21 devices are spokes. What I wanted to achieve is that if J23 loses connectivity with the primary IKE end point (212.45.64.2), it should fail over to the other interface, i.e. 212.45.65.2, and the OSPF neighborship should be established again. This is of course based on a scenario in which the BGP link between J41 and J36 goes down and the network isn’t reachable via that path any more. I am not going to give the whole configuration, but only the parts that are the basis for this setup and the issues I have experienced so far, including BGP.

[Figure: ipsec_vpn_dual_ike_bgp_ospf topology]


JWEB and Dynamic VPN page

There seems to be some confusion about how JWEB and the dynamic VPN authentication page work in parallel. I hope to give some tips in this post. For example, if you have the following config, what does it really mean for JWEB?

This config enforces that the JWEB web service can only be served on the configured ge-0/0/0.0 and ge-0/0/1.0 interfaces, provided of course that the https service is allowed in the security zone these interfaces belong to. So far so good, but what happens if you enable the dynamic VPN service, for which you also provide an authentication page? What happens to JWEB in that case? You should look at the IKE gateway stanza. For instance, if you have the following IKE gateway config:

Junos will disable JWEB on the ge-0/0/1.0 interface and you will be redirected to the dynamic-vpn authentication page. What if the dynamic-vpn page itself returns a 404 Not Found error? In that case I would recommend checking whether you have a proper configuration under the “security dynamic-vpn” hierarchy. For example, if you don’t have a config like the one below, you won’t get the dynamic-vpn page but a 404 error.

I hope this helps someone out there. Of course, if you see any mistake or have comments, don’t hesitate to tell me.

IPSEC VPN between SRX and Cisco

In this post, I would like to share my site-to-site IPsec VPN configuration between an SRX100 (Junos 11.1R4.4) and a Cisco 3725 (IOS 12.4, on Dynamips).

Cisco Configuration


IPSEC VPN between SRX and Netscreen

Below you will find my IPsec VPN configuration between an SRX100 device and a Netscreen 5GT. Here is the topology:

Protected network on Netscreen: 10.10.10.0/24
Protected network on SRX: 192.168.0.0/24

[Figure: ipsec_srx100_netscreen topology]


JNCIP-SEC [ 5 – Advanced IPSEC ] Part 2

This post is a continuation of the first part of the Advanced IPSEC topic. This post’s subject is hub-and-spoke topology on SRX devices. I will use the following topology for this post:

Because I have only two SRX210 devices, I am using a Linux box as the second spoke instead of an SRX in my hub-and-spoke IPsec VPN setup. I will also attach my Linux setup as a reference.


JNCIP-SEC [ 5 – Advanced IPSEC ] Part 1

Yes, again I would like to write something about IPsec VPN. It won’t cover everything about the JNCIP-SEC exam, but I would like to compile something that I can also use as a reference in the future. As I have said in my previous posts, any constructive comment or feedback is welcome. Let’s get started.

1) Point to Point IPSEC VPN configuration and troubleshooting in SRX

The first topic I have chosen is point-to-point IPSEC VPN. Below is the topology I have used.

IP Allocation:
SRX1
ge-0/0/0.0: 10.1.1.2/24
ge-0/0/1.0: 172.16.100.1/24
GW: 10.1.1.1
SRX2
ge-0/0/0.0: 10.2.2.2/24
ge-0/0/1.0: 172.16.200.1/24
GW: 10.2.2.1
Server1: 172.16.100.2/24
Server2: 172.16.200.2/24
