JNCIP-SEC [ 5 – Advanced IPSEC ] Part 1

Yes, again I would like to write something about IPsec VPN. It won’t cover everything about the JNCIP-SEC exam, but I would like to compile something that I can also use in the future as a reference. As I have said in my previous posts, any constructive comment or feedback is welcome. Let's get started.

1) Point to Point IPSEC VPN configuration and troubleshooting in SRX

The first topic I have chosen is point to point IPSEC VPN. Below is the topology I have used.

IP Allocation:
SRX1
ge-0/0/0.0 : 10.1.1.2/24
ge-0/0/1.0 : 172.16.100.1/24
GW: 10.1.1.1
SRX2
ge-0/0/0.0 : 10.2.2.2/24
ge-0/0/1.0: 172.16.200.1/24
GW: 10.2.2.1
Server1: 172.16.100.2/24
Server2: 172.16.200.2/24

First, configure SRX1 as follows:

The tunnel interface address may even be an arbitrary address. We also decrease the MTU of the st0 interface to account for the extra header added by the tunnel.

I am not going to fill up this post with configurations, so I have attached the entire configuration of srx2 so far here. You can also take a look at the security policies.

After I configured these two SRX devices for point-to-point IPsec VPN, I ran into two issues, because of which “show security ike security-associations” returned no output.

  • I noticed that I forgot to add the ike protocol on srx2’s outside interface ge-0/0/0.0
  • After activating the ike protocol, I still got no output from the show command. Then I enabled traceoptions under ike as follows

This generates the file /var/log/ike-p2p.log, the content of which was below:

Actually this didn’t ring any bell at first, but then I noticed that I forgot to assign the st0.0 interface to a zone. (I always do it :) After I assigned the st0.0 tunnel interfaces on both nodes to the zone named vpn, I got the following output.

We brought the tunnel up!
TIP: For traffic to flow, make sure security policies are created from zone vpn to trust and from trust to vpn separately on each device. Once the security policies are created, let's troubleshoot the traffic.
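
The three checks from this section (ike allowed as host-inbound traffic on the outside interface, st0.0 assigned to a zone, permit policies in both directions between vpn and trust) can be run offline against `show configuration | display set` output. This is an added example, not configuration or code from the original post; the zone name untrust, the function name `audit` and the sample lines are constructed assumptions.

```python
import re

ZONE = re.compile(r"set security zones security-zone (\S+)(?: interfaces (\S+))?"
                  r"(?: host-inbound-traffic system-services (\S+))?$")
POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy \S+ then permit\b")

def audit(config, outside="ge-0/0/0.0", tunnel="st0.0", lan_zone="trust"):
    """Return findings for a route-based VPN config given as `display set` lines."""
    zone_of, inbound, permits = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := ZONE.match(line):
            zone, ifname, service = m.groups()
            if ifname:
                zone_of[ifname] = zone
            if service:  # interface-level services are keyed by (zone, interface)
                inbound.setdefault((zone, ifname) if ifname else zone, set()).add(service)
        elif m := POLICY.match(line):
            permits.add(m.groups())
    findings = []
    out_zone = zone_of.get(outside)
    # Interface-level host-inbound-traffic, when present, overrides the zone level.
    services = inbound.get((out_zone, outside)) or inbound.get(out_zone, set())
    if not services & {"ike", "all"}:
        findings.append(f"ike not allowed as host-inbound traffic on {outside}")
    vpn_zone = zone_of.get(tunnel)
    if vpn_zone is None:
        findings.append(f"{tunnel} is not assigned to a security zone")
    else:
        for pair in ((lan_zone, vpn_zone), (vpn_zone, lan_zone)):
            if pair not in permits:
                findings.append(f"no permit policy from {pair[0]} to {pair[1]}")
    return findings

# Constructed sample reproducing the two omissions described in the post.
BROKEN = """
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security policies from-zone trust to-zone vpn policy vpn-permit then permit
"""
# Constructed sample with the fixes applied (assumed zone name: untrust).
FIXED = BROKEN + """
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set security policies from-zone vpn to-zone trust policy vpn-permit then permit
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(cfg) or "no findings")
```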

To get detailed output on the security associations for both IKE and IPsec, we can issue the following commands:

I have generated a continuous ping from the server1 device (172.16.100.2) to the address 172.16.200.1, which is ge-0/0/1.0 of the srx2 device. Let's check the session table for this traffic.

As can be seen, policy “vpn-permit” allows packets coming from ge-0/0/1.0 destined to st0.0.

So far all the configuration was based on route-based VPN. I must also add policy-based configuration. After some minor changes I transformed the route-based configuration to policy-based. Here it is:

To transform route-based to policy-based, I did the following:

  • static routes pointing to st0.0 removed
  • bind-interface ipsec/vpn configuration removed
  • policies for inbound and outbound initiated connections are added with permit tunnel action.

All jncip-sec posts in this blog are the result of my own studies with my SRX 210 hardware and shouldn’t be considered as an exam training replacement.
