IPSEC VPN between SRX and Linux
After a little struggle, I have managed to establish an IPsec VPN tunnel between an SRX box and a Linux machine. In case someone else needs it, my configuration is below.
SRX 650, JunOS 10.4R5.5
IKE CONFIG
[edit security]
root@host# show ike
traceoptions {
    file ike.log;
    flag all;
}
proposal pro-basic {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    mode main;
    proposals pro-basic;
    pre-shared-key ascii-text "$9$RQBccvvxNboJDWLJDikTQEcylWL7-VY4a"; ## SECRET-DATA
}
gateway gateway-lin {
    ike-policy pol-basic;
    address 172.30.73.219;
    external-interface ge-0/0/0.0;
}
IPSEC CONFIG
[edit security]
root@host# show ipsec
traceoptions {
    flag all;
}
proposal prop-basic {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    proposals prop-basic;
}
vpn vpn-lin {
    bind-interface st0.0;
    ike {
        gateway gateway-lin;
        proxy-identity {
            local 192.168.100.0/24;
            remote 192.168.200.0/24;
        }
        ipsec-policy pol-basic;
    }
    establish-tunnels immediately;
}
Make sure interfaces are assigned to zones properly and permissive security policies are in place. The main problem I had was a proposal mismatch, which is why I did not use the standard proposal sets in Junos but adjusted the proposals to match my settings on Linux.
One configlet that needs emphasis is proxy-identity: without it only phase 1 comes up, not phase 2. In the racoon debug log on Linux I found the following when proxy-identity was missing:
2011-08-03 16:56:23: DEBUG: configuration found for 172.30.72.244.
2011-08-03 16:56:23: DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='0.0.0.0/0', peer='172.30.72.244', id=0
2011-08-03 16:56:23: DEBUG: getsainfo pass #1
2011-08-03 16:56:23: DEBUG: evaluating sainfo: loc='192.168.200.0/24', rmt='192.168.100.0/24', peer='ANY', id=0
2011-08-03 16:56:23: DEBUG: getsainfo pass #2
2011-08-03 16:56:23: DEBUG: evaluating sainfo: loc='192.168.200.0/24', rmt='192.168.100.0/24', peer='ANY', id=0
2011-08-03 16:56:23: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2011-08-03 16:56:23: DEBUG: cmpid target: '0.0.0.0/0'
2011-08-03 16:56:23: DEBUG: cmpid source: '192.168.200.0/24'
2011-08-03 16:56:23: ERROR: failed to get sainfo.
2011-08-03 16:56:23: ERROR: failed to get sainfo.
2011-08-03 16:56:23: ERROR: failed to pre-process packet.
2011-08-03 16:56:23: DEBUG: IV freed
Here are racoon.conf and setkey.conf:
racoon.conf
path pre_shared_key "/etc/psk.txt";
remote 172.30.72.244 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo address 192.168.200.0/24 any address 192.168.100.0/24 any {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
setkey.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
# Security Policies
spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec esp/tunnel/172.30.73.219-172.30.72.244/require;
spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec esp/tunnel/172.30.72.244-172.30.73.219/require;
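To make the proxy-identity point above concrete, here is an added checker (not part of the original post) that reads racoon debug lines like the ones shown earlier, reports the selectors the SRX offered versus the sainfo blocks racoon has, and verifies that an SRX proxy-identity mirrors a racoon sainfo (SRX local must equal racoon remote and vice versa). The log sample is constructed from the excerpt above; the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample, modelled on the racoon debug excerpt in the post.
# Without proxy-identity the SRX offers 0.0.0.0/0 as both phase-2 IDs.
RACOON_LOG = """\
2011-08-03 16:56:23: DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='0.0.0.0/0', peer='172.30.72.244', id=0
2011-08-03 16:56:23: DEBUG: evaluating sainfo: loc='192.168.200.0/24', rmt='192.168.100.0/24', peer='ANY', id=0
2011-08-03 16:56:23: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2011-08-03 16:56:23: DEBUG: cmpid target: '0.0.0.0/0'
2011-08-03 16:56:23: DEBUG: cmpid source: '192.168.200.0/24'
2011-08-03 16:56:23: ERROR: failed to get sainfo.
"""

PARAMS_RE = re.compile(r"getsainfo params: loc='([^']+)', rmt='([^']+)'")
SAINFO_RE = re.compile(r"evaluating sainfo: loc='([^']+)', rmt='([^']+)'")


def diagnose_phase2(log_text):
    """Summarise a racoon phase-2 selector negotiation from debug output.

    'offered' is the (local, remote) pair the peer sent, 'configured' lists
    the sainfo blocks racoon evaluated, 'mismatch' is True when racoon
    logged that no sainfo matched (the symptom of a missing proxy-identity).
    """
    offered = None
    configured = []
    for line in log_text.splitlines():
        m = PARAMS_RE.search(line)
        if m:
            offered = (m.group(1), m.group(2))
        m = SAINFO_RE.search(line)
        if m:
            configured.append((m.group(1), m.group(2)))
    return {
        "offered": offered,
        "configured": configured,
        "mismatch": "failed to get sainfo" in log_text,
    }


def proxy_identity_matches(srx_local, srx_remote, racoon_local, racoon_remote):
    """True when the SRX proxy-identity is the mirror image of the racoon
    sainfo: SRX local == racoon remote and SRX remote == racoon local.
    Prefixes are normalised so '192.168.100.0/24' and '192.168.100.1/24'
    compare equal."""
    return (ip_network(srx_local, strict=False) == ip_network(racoon_remote, strict=False)
            and ip_network(srx_remote, strict=False) == ip_network(racoon_local, strict=False))
```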
Here is proof that the VPN is up and running :)
[edit security]
root@host# run show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
320014  172.30.73.219   UP     c2470c9d8631fc12  5c935e06de9da1da  Main

[edit security]
root@host# run show security ipsec security-associations
Total active tunnels: 1
ID       Gateway        Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
<131073  172.30.73.219  500   ESP:3des/md5   40daef28  2475/ unlim  -    root
>131073  172.30.73.219  500   ESP:3des/md5   3ea78c0   2475/ unlim  -    root
Troubleshooting
1) Make sure each interface involved is properly assigned to a zone.
2) There is a route towards the Linux box, like:
root@host# run show route 192.168.200.0/24
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.200.0/24   *[Static/5] 00:12:26
                    > via st0.0
Have you tried enabling DPD in racoon for IPsec between SRX and Linux?
SRX is not acknowledging the DPD:
DPD: remote (ISAKMP-SA remote: 10.0.120.20[500] spi=7bcd4864810cbf9f:e717172e2cde1d93) Seq#/Fail 0x2b4/44. Did not rx DPD ack but sending next packet.
Let me know if you have tried this and works for you.
Hi,
Unfortunately I haven’t tried DPD. To be honest, I used linux when I didn’t have a 3rd SRX device during my studies. I don’t recall that I enabled DPD. If I try this setup again, I will update this post of course.
Genco.
Hi,
Can you explain your network topology? Like what IP st0.0 is using, and what the networks behind Linux and the Juniper SRX are. Thanks
Hi Atul,
I don't have the setup right now, but the networks can be seen in the proxy-identity section of the SRX:
proxy-identity {
    local 192.168.100.0/24;
    remote 192.168.200.0/24;
}
SRX has 100.0/24 and Linux has 200.0/24 networks. As far as I remember, the IP on the st0.0 interface can be any IP in this setup, but I will try to confirm this in a different post as this post is quite primitive.
Is it possible to connect to SRX using vpnc? With NetScreen it is possible.
If you mean the dynamic VPN connection, probably not. As far as I recall only Pulse works.
Hi, how did you set up/configure this setkey.conf? I am not finding it on my Linux machine.
As far as I recall, there wasn't a file; I created it based on the official docs.
Is it possible to create detailed instructions for creating a connection from the newest Ubuntu to an SRX (as Pulse Secure does for Windows)?