IPSEC VPN between SRX and Linux

After a little struggle, I have managed to establish an IPsec VPN tunnel between an SRX box and a Linux machine. In case someone else needs it, my configuration is below.

SRX 650, JunOS 10.4R5.5

IKE CONFIG

[edit security]
root@host# show ike
traceoptions {
    file ike.log;
    flag all;
}
proposal pro-basic {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    mode main;
    proposals pro-basic;
    pre-shared-key ascii-text "$9$RQBccvvxNboJDWLJDikTQEcylWL7-VY4a"; ## SECRET-DATA
}
gateway gateway-lin {
    ike-policy pol-basic;
    address 172.30.73.219;
    external-interface ge-0/0/0.0;
}

IPSEC CONFIG

[edit security]
root@host# show ipsec
traceoptions {
    flag all;
}
proposal prop-basic {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy pol-basic {
    proposals prop-basic;
}
vpn vpn-lin {
    bind-interface st0.0;
    ike {
        gateway gateway-lin;
        proxy-identity {
            local 192.168.100.0/24;
            remote 192.168.200.0/24;
        }
        ipsec-policy pol-basic;
    }
    establish-tunnels immediately;
}

Make sure interfaces are assigned to zones properly and permissive security policies are in place. The main problem I had was a proposal mismatch, which is why I did not use the standard proposal set in Junos but adjusted the proposals to match my settings on Linux.
One configlet that needs emphasis is proxy-identity: without it only phase 1 comes up, not phase 2, and in the Linux racoon debug log I found the following while proxy-identity was missing:

2011-08-03 16:56:23: DEBUG: configuration found for 172.30.72.244.
2011-08-03 16:56:23: DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='0.0.0.0/0', peer='172.30.72.244', id=0
2011-08-03 16:56:23: DEBUG: getsainfo pass #1
2011-08-03 16:56:23: DEBUG: evaluating sainfo: loc='192.168.200.0/24', rmt='192.168.100.0/24', peer='ANY', id=0
2011-08-03 16:56:23: DEBUG: getsainfo pass #2
2011-08-03 16:56:23: DEBUG: evaluating sainfo: loc='192.168.200.0/24', rmt='192.168.100.0/24', peer='ANY', id=0
2011-08-03 16:56:23: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2011-08-03 16:56:23: DEBUG: cmpid target: '0.0.0.0/0'
2011-08-03 16:56:23: DEBUG: cmpid source: '192.168.200.0/24'
2011-08-03 16:56:23: ERROR: failed to get sainfo.
2011-08-03 16:56:23: ERROR: failed to get sainfo.
2011-08-03 16:56:23: ERROR: failed to pre-process packet.
2011-08-03 16:56:23: DEBUG: IV freed   

Here are racoon.conf and setkey.conf.

racoon.conf

path pre_shared_key "/etc/psk.txt";

remote 172.30.72.244 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 192.168.200.0/24 any address 192.168.100.0/24 any {
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

setkey.conf

#!/usr/sbin/setkey -f
flush;
spdflush;
#Security Policies
spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec
           esp/tunnel/172.30.73.219-172.30.72.244/require;
spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec
           esp/tunnel/172.30.72.244-172.30.73.219/require;
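To make the two points above concrete (the proxy-identity mismatch that racoon logs when the SRX offers 0.0.0.0/0 as its phase 2 selectors, and the mirror-image relationship between the SRX proxy-identity, racoon's sainfo line and setkey's SPD entries), here is a small Python checker. It is an added example, not part of the original post and not code from racoon or Junos; the log excerpt and config snippets embedded in it are constructed from the values shown above, and the function names are my own.

```python
"""Consistency checks for the SRX <-> racoon/setkey setup above.

Added example (not from the original post). It verifies three things that
decide whether phase 2 comes up:
  1. whether a racoon debug log contains the 'cmpid ... failed to get sainfo'
     selector mismatch seen when the SRX proxy-identity is missing,
  2. whether the SRX proxy-identity is the mirror image of racoon's sainfo,
  3. whether the setkey 'in' and 'out' SPD entries mirror each other.
All inputs below are constructed from the values in the post.
"""
import ipaddress
import re

# Constructed racoon debug excerpt (same pattern as the log in the post).
SAMPLE_RACOON_LOG = [
    "DEBUG: getsainfo params: loc='0.0.0.0/0', rmt='0.0.0.0/0', peer='172.30.72.244', id=0",
    "DEBUG: check and compare ids : value mismatch (IPv4_subnet)",
    "DEBUG: cmpid target: '0.0.0.0/0'",
    "DEBUG: cmpid source: '192.168.200.0/24'",
    "ERROR: failed to get sainfo.",
    "ERROR: failed to pre-process packet.",
]

# Constructed config snippets using the addresses from the post.
SRX_PROXY_IDENTITY = """
proxy-identity {
    local 192.168.100.0/24;
    remote 192.168.200.0/24;
}
"""
RACOON_SAINFO = "sainfo address 192.168.200.0/24 any address 192.168.100.0/24 any {"
SETKEY_CONF = """
spdadd 192.168.200.0/24 192.168.100.0/24 any -P out ipsec
           esp/tunnel/172.30.73.219-172.30.72.244/require;
spdadd 192.168.100.0/24 192.168.200.0/24 any -P in ipsec
           esp/tunnel/172.30.72.244-172.30.73.219/require;
"""

CMPID_RE = re.compile(r"cmpid (target|source): '([^']+)'")


def find_sainfo_mismatch(log_lines):
    """Return (peer_selector, configured_selector) from racoon's cmpid lines
    when they are followed by 'failed to get sainfo', else None."""
    seen = {}
    for line in log_lines:
        m = CMPID_RE.search(line)
        if m:
            seen[m.group(1)] = m.group(2)
        if "failed to get sainfo" in line and "target" in seen and "source" in seen:
            # 'target' is what the peer proposed, 'source' is racoon's own sainfo.
            return seen["target"], seen["source"]
    return None


def parse_proxy_identity(srx_text):
    """Extract local/remote networks from an SRX proxy-identity stanza."""
    local = re.search(r"\blocal\s+(\S+);", srx_text).group(1)
    remote = re.search(r"\bremote\s+(\S+);", srx_text).group(1)
    return ipaddress.ip_network(local), ipaddress.ip_network(remote)


SAINFO_RE = re.compile(r"sainfo address (\S+) \S+ address (\S+) \S+")


def parse_sainfo(racoon_text):
    """Extract racoon's (local, remote) sainfo selectors."""
    m = SAINFO_RE.search(racoon_text)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def proxy_identity_matches(srx_text, racoon_text):
    """Phase 2 only negotiates when the SRX local is racoon's remote and
    the SRX remote is racoon's local."""
    srx_local, srx_remote = parse_proxy_identity(srx_text)
    rac_local, rac_remote = parse_sainfo(racoon_text)
    return srx_local == rac_remote and srx_remote == rac_local


SPD_RE = re.compile(
    r"spdadd (\S+) (\S+) \S+ -P (in|out) ipsec\s+esp/tunnel/([\d.]+)-([\d.]+)/require"
)


def spd_entries_are_mirrored(setkey_text):
    """True when exactly one 'in' and one 'out' entry exist and the 'in' entry
    is the 'out' entry with subnets and tunnel endpoints swapped."""
    entries = {}
    for src, dst, direction, t_src, t_dst in SPD_RE.findall(setkey_text):
        if direction in entries:  # two entries for one direction: ambiguous
            return False
        entries[direction] = (src, dst, t_src, t_dst)
    if set(entries) != {"in", "out"}:
        return False
    o_src, o_dst, o_tsrc, o_tdst = entries["out"]
    i_src, i_dst, i_tsrc, i_tdst = entries["in"]
    return (o_src, o_dst, o_tsrc, o_tdst) == (i_dst, i_src, i_tdst, i_tsrc)


if __name__ == "__main__":
    mismatch = find_sainfo_mismatch(SAMPLE_RACOON_LOG)
    if mismatch:
        print(f"racoon rejected peer selector {mismatch[0]}, expected {mismatch[1]}: "
              "add proxy-identity on the SRX")
    print("proxy-identity mirrors sainfo:",
          proxy_identity_matches(SRX_PROXY_IDENTITY, RACOON_SAINFO))
    print("setkey SPD entries mirrored:", spd_entries_are_mirrored(SETKEY_CONF))
```

Run it as-is to see the three checks against the post's values; to check a live setup, feed `find_sainfo_mismatch` the lines of your racoon debug log and the other two functions the text of your own `show security ipsec vpn`, racoon.conf and setkey.conf. The peer selector of 0.0.0.0/0 in the log is exactly what the SRX sends when no proxy-identity is configured, so this check points straight at the fix the post describes.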

Here is proof that the VPN is up and running :)

[edit security]
root@host# run show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
320014  172.30.73.219   UP     c2470c9d8631fc12  5c935e06de9da1da  Main
[edit security]
root@host# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 172.30.73.219  500   ESP:3des/md5    40daef28 2475/ unlim   -   root
  >131073 172.30.73.219  500   ESP:3des/md5    3ea78c0  2475/ unlim   -   root

Troubleshooting
1) Make sure each interface involved is properly assigned to a zone.
2) Make sure there is a route towards the Linux box, like:

root@host# run show route 192.168.200.0/24
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.200.0/24   *[Static/5] 00:12:26
                    > via st0.0 

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


9 thoughts on “IPSEC VPN between SRX and Linux”

  1. Have you tried enabling DPD in racoon for IPsec between SRX and Linux?
    SRX is not acknowledging the DPD:
    DPD: remote (ISAKMP-SA remote: 10.0.120.20[500] spi=7bcd4864810cbf9f:e717172e2cde1d93) Seq#/Fail 0x2b4/44. Did not rx DPD ack but sending next packet.

    Let me know if you have tried this and works for you.

  2. Hi,
    Unfortunately I haven't tried DPD. To be honest, I used Linux when I didn't have a 3rd SRX device during my studies. I don't recall that I enabled DPD. If I try this setup again, I will update this post of course.

    Genco.

  3. Hi,
    Can you explain your network topology? Like what IP is st0.0 using, and what are the networks behind Linux and Juniper SRX? Thanks

  4. Hi Atul,
    I don't have the setup right now, but the networks can be seen in the proxy-identity section of the SRX config:

    proxy-identity {
    local 192.168.100.0/24;
    remote 192.168.200.0/24;
    }

    SRX has 100.0/24 and Linux has 200.0/24 networks. As far as I remember the IP on the st0.0 interface can be any IP in this setup, but I will try to confirm this in a different post as this post is quite primitive.

    1. If you mean the dynamic VPN connection, probably not. As far as I recall only Pulse works.

  5. Hi, how did you set up/configure this setkey.conf? I am not finding it on my Linux machine.

  6. Is it possible to create detailed instructions for creating a connection from the newest Ubuntu to SRX (as Pulse Secure does for Windows)?
