IPSEC Traffic Selector in SRX
Starting from the 12.1X46-D10 release, SRX has a new feature called traffic selector. Details of the feature can be found on the Juniper page here. In a nutshell, it is similar to the proxy-id but has some major differences. By using proxy-ids we can even establish two IPSEC tunnels to the same tunnel endpoint, or for example use them when the other endpoint is another vendor's device. However, a proxy-id doesn't really enforce anything in forwarding. Let's explain the feature by using a topology:
In this topology I have two different networks on each side of the tunnel endpoints and I would like to protect the traffic between them, for example NET1-NET1 and NET2-NET2 traffic. As I assume you are already familiar with SRX IPSEC configuration, I will only show here what differs from a standard config.
J23
vpn vpn-hub-ts {
    bind-interface st0.0;
    ike {
        gateway gw-hub;
        ipsec-policy ipsec-pol-1;
    }
    traffic-selector net1 {
        local-ip 10.9.9.0/24;
        remote-ip 10.11.11.0/24;
    }
    traffic-selector net2 {
        local-ip 192.168.181.0/24;
        remote-ip 212.45.63.0/24;
    }
    establish-tunnels immediately;
}
On the J23 SRX device, I have two traffic selector configs and they allow only traffic
- from 10.9.9.0/24 to 10.11.11.0/24
- from 192.168.181.0/24 to 212.45.63.0/24
Any other traffic will be blocked on this tunnel. For example, when I try to pass traffic which isn't defined here, I receive the following error in the flow trace:
Doing IPSec traffic-selector match for 192.168.181.2 -> 10.11.11.1
Error occured while finding nsp_tunnel for st0-ifp st0.0
Let's see the remote config on J41.
J41
vpn vpn-23-ts {
    bind-interface st0.4;
    ike {
        gateway gw-23;
        ipsec-policy ipsec-pol-1;
    }
    traffic-selector net1 {
        local-ip 10.11.11.0/24;
        remote-ip 10.9.9.0/24;
    }
    traffic-selector net2 {
        local-ip 212.45.63.0/24;
        remote-ip 192.168.181.0/24;
    }
    establish-tunnels immediately;
}
As you can see, the traffic selectors are mirrored on the remote side: local-ip and remote-ip are swapped.
What you should be aware of is that each traffic selector creates a separate Security Association (SA), as you can also see from the output below.
lab@J23-London> show security ipsec sa
  Total active tunnels: 2
  ID          Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <268173313  ESP:3des/sha1   63e9ad4a 4653/ unlim  -   root 500   212.45.64.2
  >268173313  ESP:3des/sha1   d2f4c2bb 4653/ unlim  -   root 500   212.45.64.2
  <268173314  ESP:3des/sha1   79136be6 4681/ unlim  -   root 500   212.45.64.2
  >268173314  ESP:3des/sha1   6a19e860 4681/ unlim  -   root 500   212.45.64.2

lab@J23-London> show security ipsec sa detail
  ID: 268173313 Virtual-system: root, VPN Name: vpn-hub-ts
  Local Gateway: 192.168.197.10, Remote Gateway: 212.45.64.2
  Traffic Selector Name: net1
  Local Identity: ipv4(10.9.9.0-10.9.9.255)
  Remote Identity: ipv4(10.11.11.0-10.11.11.255)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.0
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Last Tunnel Down Reason: SA not initiated
  Direction: inbound, SPI: 63e9ad4a, AUX-SPI: 0
                     , VPN Monitoring: -
  Hard lifetime: Expires in 4652 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 4030 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: d2f4c2bb, AUX-SPI: 0
                     , VPN Monitoring: -
  Hard lifetime: Expires in 4652 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 4030 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173314 Virtual-system: root, VPN Name: vpn-hub-ts
  Local Gateway: 192.168.197.10, Remote Gateway: 212.45.64.2
  Traffic Selector Name: net2
  Local Identity: ipv4(192.168.181.0-192.168.181.255)
  Remote Identity: ipv4(212.45.63.0-212.45.63.255)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.0
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Last Tunnel Down Reason: SA not initiated
  Direction: inbound, SPI: 79136be6, AUX-SPI: 0
                     , VPN Monitoring: -
  Hard lifetime: Expires in 4680 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 4091 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 6a19e860, AUX-SPI: 0
                     , VPN Monitoring: -
  Hard lifetime: Expires in 4680 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expires in 4091 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: counter-based enabled, Replay window size: 64
There is another nice feature that comes with traffic selectors. Once you set these selector entries and commit, static routes are installed automatically towards the st0.X interface. However, if you want to implement this feature, I strongly recommend that you read the limitations section on the link provided above.
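To tie together the three points above (the flow-trace "nsp_tunnel" failure for a flow no selector covers, the need to mirror local-ip/remote-ip on the peer, and the routes installed for each selector), here is a small pre-commit check written for this post; it is added example code, not part of Junos or of the original article. It assumes selectors are matched by address range only (names are local labels) and that the auto-installed routes are the remote-ip prefixes pointing at the bind interface; the J23/J41 tables are constructed from the configs shown above.

```python
from ipaddress import ip_address, ip_network

# Constructed from the J23 and J41 configs on this page: name -> (local-ip, remote-ip)
J23 = {"net1": ("10.9.9.0/24", "10.11.11.0/24"),
       "net2": ("192.168.181.0/24", "212.45.63.0/24")}
J41 = {"net1": ("10.11.11.0/24", "10.9.9.0/24"),
       "net2": ("212.45.63.0/24", "192.168.181.0/24")}


def match_selector(selectors, src, dst):
    """Name of the first selector whose local-ip contains src and remote-ip contains dst.

    Returns None when no selector covers the flow, which is the situation behind
    the 'Error occured while finding nsp_tunnel' flow-trace message.
    """
    s, d = ip_address(src), ip_address(dst)
    for name, (local, remote) in selectors.items():
        if s in ip_network(local) and d in ip_network(remote):
            return name
    return None


def unmirrored(local_side, peer_side):
    """Selectors on local_side with no (remote, local) counterpart on peer_side.

    Assumption: IKE negotiates the address ranges, so names are not compared.
    """
    peer_pairs = {(remote, local) for local, remote in peer_side.values()}
    return sorted(name for name, pair in local_side.items() if pair not in peer_pairs)


def auto_routes(selectors, bind_interface):
    """Routes the page says are installed at commit: one per remote-ip prefix via st0.X
    (assumption: remote-ip is the prefix that gets routed)."""
    return sorted((remote, bind_interface) for _, remote in selectors.values())


if __name__ == "__main__":
    # The flow from the page's flow trace: 192.168.181.2 -> 10.11.11.1 crosses selectors
    print(match_selector(J23, "192.168.181.2", "10.11.11.1"))   # None
    print(match_selector(J23, "10.9.9.5", "10.11.11.1"))        # net1
    print(unmirrored(J23, J41))                                  # []
    print(auto_routes(J23, "st0.0"))
```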