IPSEC Traffic Selector in SRX

Starting from the 12.1X46-D10 release, SRX has a new feature called traffic selector. Details of the feature can be found on the Juniper page here. In a nutshell, it is similar to the proxy-id but has some major differences. By using proxy IDs we can even establish two IPsec tunnels to the same tunnel endpoint, or for example use it when the other endpoint is another vendor's device. However, a proxy-id doesn't really enforce anything in forwarding. Let's explain the feature by using a topology:

[Figure: traffic_selector topology diagram]

In this topology I have two different networks on each side of the tunnel endpoints and I would like to protect the traffic between them, for example NET1-NET1 and NET2-NET2 traffic. As I assume you are already familiar with SRX IPsec configuration, I will only show here what differs from a standard config.

J23

vpn vpn-hub-ts {
    bind-interface st0.0;
    ike {
        gateway gw-hub;
        ipsec-policy ipsec-pol-1;
    }
    traffic-selector net1 {
        local-ip 10.9.9.0/24;
        remote-ip 10.11.11.0/24;
    }
    traffic-selector net2 {
        local-ip 192.168.181.0/24;
        remote-ip 212.45.63.0/24;
    }
    establish-tunnels immediately;
}

On the J23 SRX device, I have two traffic selector configs and they allow only traffic

  • from 10.9.9.0/24 to 10.11.11.0/24
  • from 192.168.181.0/24 to 212.45.63.0/24

Other traffic will be blocked on this tunnel. For example, when I try to pass traffic that isn't defined here, I receive the following error in the flow trace.

Doing IPSec traffic-selector match for  192.168.181.2 -> 10.11.11.1
Error occured while finding nsp_tunnel for  st0-ifp st0.0

Let’s see the remote config on J41.

J41

vpn vpn-23-ts {
  bind-interface st0.4;
  ike {
      gateway gw-23;
      ipsec-policy ipsec-pol-1;
  }
  traffic-selector net1 {
      local-ip 10.11.11.0/24;
      remote-ip 10.9.9.0/24;
  }
  traffic-selector net2 {
      local-ip 212.45.63.0/24;
      remote-ip 192.168.181.0/24;
  }
  establish-tunnels immediately;
}

As you can see, the traffic selectors are mirrored on the remote end: each selector's local-ip and remote-ip are swapped.

What you should be careful about is that each traffic selector results in a separate Security Association (SA), as you can also see from the output below.

lab@J23-London> show security ipsec sa           
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <268173313 ESP:3des/sha1 63e9ad4a 4653/ unlim -  root 500   212.45.64.2     
  >268173313 ESP:3des/sha1 d2f4c2bb 4653/ unlim -  root 500   212.45.64.2     
  <268173314 ESP:3des/sha1 79136be6 4681/ unlim -  root 500   212.45.64.2     
  >268173314 ESP:3des/sha1 6a19e860 4681/ unlim -  root 500   212.45.64.2     

lab@J23-London> show security ipsec sa detail    
  ID: 268173313 Virtual-system: root, VPN Name: vpn-hub-ts
  Local Gateway: 192.168.197.10, Remote Gateway: 212.45.64.2
  Traffic Selector Name: net1
  Local Identity: ipv4(10.9.9.0-10.9.9.255)
  Remote Identity: ipv4(10.11.11.0-10.11.11.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 63e9ad4a, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 4652 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 4030 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: d2f4c2bb, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 4652 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 4030 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173314 Virtual-system: root, VPN Name: vpn-hub-ts
  Local Gateway: 192.168.197.10, Remote Gateway: 212.45.64.2
  Traffic Selector Name: net2
  Local Identity: ipv4(192.168.181.0-192.168.181.255)
  Remote Identity: ipv4(212.45.63.0-212.45.63.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 79136be6, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 4680 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 4091 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 6a19e860, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 4680 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 4091 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

Traffic selectors bring another nice feature as well. Once you set these selector entries and commit, static routes towards the st0.X interface are installed automatically. However, if you want to implement this feature, I strongly recommend reading the limitations section on the link provided above.
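As an added example (not from the post or from Juniper), the following Python parses condensed copies of the J23 and J41 traffic-selector stanzas above, re-runs the flow-trace match for the 192.168.181.2 -> 10.11.11.1 packet that failed, checks that the peer's selectors are the mirror image of ours, and lists the remote-ip prefixes that become the auto-installed routes via st0.X. The helper names and the route model are assumptions for illustration, not a Junos API.

```python
import ipaddress
import re

# Constructed: condensed copies of the J23 and J41 vpn stanzas from the post.
J23_VPN = """
vpn vpn-hub-ts {
    bind-interface st0.0;
    traffic-selector net1 { local-ip 10.9.9.0/24; remote-ip 10.11.11.0/24; }
    traffic-selector net2 { local-ip 192.168.181.0/24; remote-ip 212.45.63.0/24; }
}
"""
J41_VPN = """
vpn vpn-23-ts {
    bind-interface st0.4;
    traffic-selector net1 { local-ip 10.11.11.0/24; remote-ip 10.9.9.0/24; }
    traffic-selector net2 { local-ip 212.45.63.0/24; remote-ip 192.168.181.0/24; }
}
"""

# Accepts both the one-line form above and the multi-line form shown in the post.
TS_RE = re.compile(
    r"traffic-selector\s+(\S+)\s*\{\s*local-ip\s+(\S+);\s*remote-ip\s+(\S+);", re.S)

def parse_selectors(cfg):
    """Return {name: (local_net, remote_net)} from a Junos vpn stanza."""
    return {name: (ipaddress.ip_network(loc), ipaddress.ip_network(rem))
            for name, loc, rem in TS_RE.findall(cfg)}

def bind_interface(cfg):
    return re.search(r"bind-interface\s+(\S+);", cfg).group(1)

def match_selector(selectors, src, dst):
    """Model the 'Doing IPSec traffic-selector match' step: selector name or None.
    None corresponds to the 'Error occured while finding nsp_tunnel' line."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (local, remote) in selectors.items():
        if src in local and dst in remote:
            return name
    return None

def mirror_mismatches(local_cfg, remote_cfg):
    """Names of our selectors that the peer has not configured swapped (local<->remote)."""
    ours, theirs = parse_selectors(local_cfg), parse_selectors(remote_cfg)
    peer_swapped = {(rem, loc) for loc, rem in theirs.values()}
    return sorted(name for name, pair in ours.items() if pair not in peer_swapped)

def auto_routes(cfg):
    """Model of the routes installed on commit: each remote-ip prefix via the bind interface."""
    ifc = bind_interface(cfg)
    return {str(remote): ifc for _, remote in parse_selectors(cfg).values()}
```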

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE
