Category Archives: ipsec

Certificate VPN: Public key lookup failed

During one of my IPSEC VPN tests using certificate authentication, I received the following error, which really baffled me:

I had never seen this “Public key lookup failed” error message before. I thought I had made a mistake while creating my certificates, so I re-created the certificates, and this time I got the following private key error:


Certificate based IPSEC VPN in SRX

Here I will share how I connected two SRX boxes via IPSEC VPN using
certificate authentication instead of a pre-shared key. Here is the outline:

1) Create certificate authority in Linux
2) Create CA profile on SRX
3) Generate Certificate Request
4) Sign the certificate
5) Load the certificates
6) Configure IPSEC/VPN
7) Verification

[Figure: certificate_based_vpn_srx]

JNCIE-SEC : Dynamic VPN

In today’s post I will write about how we can set up a Dynamic VPN connection
towards an SRX device in several scenarios. This is part of my JNCIE-SEC
studies, although I am falling far behind my schedule :( Let’s get started:


  • Scenario 1: the client receives an IP address that is already in use inside the local network by other clients, and split tunneling is active
  • Scenario 2: the client also accesses the Internet through the tunnel (no-split tunneling, if the term is correct)


JNCIE-SEC: IPSEC VPN between SRX and Cisco

In the JNCIE-SEC exam, one of the IPSEC topics is “Interoperability with 3rd party devices”.
In one of my previous posts I had already written about this, but this time I will do
policy-based VPN on the SRX side.


[Figure: ipsec_cisco_srx]

IPsec TCP-MSS, DF-BIT and Fragmentation

In my previous IPSEC troubleshooting post, I didn’t talk about how to approach performance issues. This is probably not a JNCIE-SEC topic, but it is very important for real networks.

[Figure: tcp-mss-df-bit-topology2]

In this topology I will examine how throughput between the two end points of an IPSEC tunnel changes depending on the tunnel configuration.

Change 1) Setting DF-BIT to copy

An IPsec tunnel between J23 and J41 is established and no extra configuration is done. I initiate a huge 1.6GB file download via HTTP

JNCIE-SEC: Traceoptions & IPSEC troubleshooting

In the IPSEC topic, I am continuing with the traceoptions and troubleshooting section. In this post I will try to explain how I troubleshoot IPSEC VPNs, mostly the initial setup.

IPsec VPNs

NAT

  • Implementation of NAT
  • Source NAT
  • Destination NAT
  • Static NAT
  • Implementation of NAT with IPSec
  • Overlapping IPs between sites

[Figure: ipsec_multipoint_route_policy_based_vpn]

One of the most challenging parts of JNCIE-SEC must be the troubleshooting part, for which I need to understand which type of error log is generated for which sort of problem. Because of this, I enabled IKE traceoptions, simulated several types of possible problems and observed the error logs.

But first let’s see what a successful IKE Phase 1 and IKE Phase 2 log looks like:

PS: All errors below are between the IKE peers 192.168.179.2 and 212.45.64.2

IKE & IPSEC SUCCESSFUL LOG

Phase 1

You can see the “IKE negotiation done” log here.

JNCIE-SEC Multipoint tunnels/Policy and route based VPNs

After a short introduction to IPSEC, I am continuing with the second and third tasks in the list, which are Multipoint tunnels and policy/route based VPNs. Some of these individual tasks have overlapping case studies, so I may not write a separate post for each task.

Our case study is a company whose headquarters is in Amsterdam, with two offices in London and Paris. We will connect these two offices to the Amsterdam HQ via IPSEC tunnels. The London office is route based and the Paris office will connect via policy based VPN. Protected networks are assigned to the ge-0/0/1.0 interface of each SRX device.

[Figure: ipsec_multipoint_route_policy_based_vpn]