Category: ipsec

IPsec NULL Encryption & NULL Authentication

Have you ever wanted to test an IPsec tunnel but wanted to see the packets in clear text instead of all those encrypted gibberish stuff? One of the ways and to me the easiest one is to use NULL encryption. In this post we will see how we can leverage this no encryption method. Below
Read More »

Practical guide to IPsec DPD

Finally my virtual SRX lab is ready for my DPD tests . As you might know, DPD (Dead Peer Detection) is a method used to detect if an IPsec peer is alive or not. Here we will see the ways DPD can be configured also why we really need a monitoring method like DPD. I
Read More »

IPSEC between SRX and VYOS

I wasn’t aware of VYOS security device till I was searching for a virtual Vyatta appliance. Then I learned that Vyatta was actually acquired by Brocade and after that community fork of Vyatta which is now VYOS has been brought to life. VYOS is using strongswan for IPSEC and on this post, I will show
Read More »

IPSEC Traffic Selector in SRX

Starting from 12.1X46-D10 release, SRX has a new feature called traffic selector. Details of the feature can be found at juniper page here In a nutshell, it is similar to the proxy-id but has some major differences. By using proxy ids we can even establish two IPSEC tunnels to the same tunnel end point or
Read More »

IPSEC between StrongSwan and SRX

In one of my earlier posts I provided my configuration for an IPSEC VPN setup between an SRX firewall and Linux with racoon. In this post, I will explain how you can set up a route based IPSEC tunnel between StrongSwan (pre-shared key) and SRX firewall. Topology of my setup is below; Tunnel Peers: debian1
Read More »

Certificate VPN: Public key lookup failed

During one of my IPSEC VPN tests using certificate authentication, I have received the following error which really baffled me: ike_find_public_key: Find public key for 192.168.1.1:500, id = No Id -> 192.168.2.1:500, id = fqdn(any:0,[0..19]=srx1.example.com) ikev2_fb_find_public_key_cb: Public key lookup failed, error 'Authentication failed' ike_policy_reply_find_public_key: Start 192.168.1.1:500 (Responder) < -> 192.168.2.1:500 { b0c74fc4 ae9a22d3 - d1afb9e8
Read More »

Certificate based IPSEC VPN in SRX

Here I will share how I have connected two SRX boxes via IPSEC VPN by using certificate authentication instead of pre-shared key. Here is the outline; 1) Create certificate authority in Linux 2) Create CA profile on SRX 3) Generate Certificate Request 4) Sign the certificate 5) Load the certificates 6) Configure IPSEC/VPN 7) Verification

JNCIE-SEC : Dynamic VPN

In today’s post I will write about how we can setup Dynamic VPN connection towards an SRX device in several scenarios This is part of my JNCIE-SEC studies although I am falling very behind my schedule:( Let’s get started: IPsec VPNs Implementation of IPsec VPNs Multipoint tunnels Policy and route-based VPNs Traceoptions Dual and backup
Read More »