© Juniper Networks, Inc.

Example: Configuring a Hub-and-Spoke VPN between 3 SRXs using J-Web

Last updated: 7/2013

This configuration example shows how to configure a route-based multipoint VPN, with next-hop tunnel binding (NHTB), between a hub (Corporate office) and two spokes (Westford and Sunnyvale) using J-Web. The hub and the Westford spoke are configured step by step; Sunnyvale repeats the spoke steps with its own addresses.

This example includes:

Topology

Configuring the Hub (Corporate office)

Configuring the spoke SRX (Westford Office)

Verifying the IKE Phase 1 Status

Verifying the IPsec Phase 2 Status

Verifying Static Routes for Remote Peer Local LANs

Reviewing Statistics and Errors for an IPsec Security Association

Troubleshooting

For this same example using the CLI, refer to http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-hub-and-spoke-configuring.html

For VPN configuration help, refer to http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-vpn-ipsec.html#configuration.


Topology

The hierarchical steps and screen outputs in this document are based on the Junos 12.1X44 release.

Figure 1 (the topology diagram) is not reproduced in this transcript. The addresses it shows, as used throughout the steps below, are:

o Corporate office (hub): LAN interface ge-0/0/0.0, 10.10.10.1/24, zone trust. Internet interface ge-0/0/3.0, 1.1.1.2/30, zone untrust, default gateway 1.1.1.1 (the other address on the /30). Tunnel interface st0.0, 10.11.11.10/24, zone vpn, configured as multipoint.
o Westford (spoke 1): Internet interface ge-0/0/0.0, 3.3.3.2/30, zone untrust, default gateway 3.3.3.1. LAN interface ge-0/0/3.0, 192.168.178.1/24, zone trust. Tunnel interface st0.0, 10.11.11.12/24, zone vpn.
o Sunnyvale (spoke 2): Internet address 2.2.2.2 (the IKE peer address seen from the hub), LAN 192.168.168.0/24. Its tunnel address is not given in this document; it must be in the same 10.11.11.0/24 subnet as the other st0 interfaces.


Required Settings

This example assumes the following settings:

The internal LAN interface of the hub device (Corporate office) is ge-0/0/0.0 in zone trust and has a private IP subnet.

The Internet interface of the hub device (Corporate office) is ge-0/0/3.0 in zone untrust and has a public IP subnet.

The internal LAN interface of the spoke device (Westford office) is ge-0/0/3.0 in zone trust and has a private IP subnet.

The Internet interface of the spoke device (Westford office) is ge-0/0/0.0 in zone untrust and has a public IP subnet.

Note: This example shows the configuration and verification of a multipoint interface in a hub-and-spoke topology with two spokes. The spokes, as shown in Figure 1, are:

o Spoke 1 - Device in the Westford office, an SRX device running Junos OS Release 10.0 or later.
o Spoke 2 - Device in the Sunnyvale office, an SRX device running Junos OS Release 10.0 or later.

You can add further spokes by duplicating the configuration of an existing spoke, changing the IP addresses as needed, and adding static routes for the new local LANs (on the hub and on every spoke that must reach them).

The secure tunnel interface is st0.0 for the devices in the Corporate office and in the Westford office. The tunnels are configured in the vpn zone. This setting allows you to configure unique policies specifically for tunnel (encrypted) traffic, while maintaining unique policies for clear (non-encrypted) traffic.

All st0 interfaces of all peer devices have IP addresses configured within the same logical subnet. Configuring all peer tunnel interface IP addresses within the same logical subnet is recommended, but not mandatory. However, if you have configured OSPF with a point-to-multipoint link, then you must configure all peer tunnel interface IP addresses within the same logical subnet.

Traffic is allowed in both directions between every remote office (spoke) and the corporate LAN (hub). Traffic is also allowed from spoke to spoke, but only by way of the hub: a spoke has no tunnel to the other spoke, so it sends the other spoke's LAN traffic through its tunnel to the hub, which forwards it over the second tunnel.

Because all three devices run Junos, a static NHTB entry is not required between them (see the NHTB note in the hub configuration, section D).


Configuration steps for Hub (Corporate Office)

A. Configure LAN/WAN interface, static route, security zone, and address book information for the Hub:

NOTE: This section is not the VPN configuration itself, but it is required before a VPN can be configured. If your LAN/WAN interfaces, static route, security zones, and local address book are already configured, skip to Section B for the VPN-related configuration.

1. Configure the LAN interface on the Trust side.

   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/0 in the left pane
   3. Click Add>Logical Interface
   4. In the Add Interface box,
      a. Add the following attributes: Unit: 0
      b. Check the IPv4 Address box>Enable address configuration. Click Add. Provide the address attributes: IPv4 Address: 10.10.10.1  Subnet: 24
   5. Click OK

2. Configure the WAN interface on the Untrust (Internet) side.

   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/3 in the left pane
   3. Click Add>Logical Interface
   4. In the Add Interface box,
      a. Add the following attributes: Unit: 0
      b. Check the IPv4 Address box>Enable address configuration. Click Add. Provide the address attributes: IPv4 Address: 1.1.1.2  Subnet: 30
   5. Click OK

3. Configure the static default route.

   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes: IP address: 0.0.0.0  Subnet mask: 0
      c. Under Next-hop, click Add. IP Address: 1.1.1.1
      d. Click OK
   4. Click OK

   NOTE: The next hop of the default route is the upstream (ISP) router, the other address on the 1.1.1.0/30 link. 1.1.1.2 is the hub's own WAN address and cannot be used as its next hop; a default route pointing at the device's own address leaves the hub with no path to the spokes' public addresses, and IKE never starts.


4. Configure the untrust security zone.

   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box, under the Main tab, provide the following details: Zone name: untrust  Zone type: security

5. Assign an interface to the untrust security zone.

   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/3.0 from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.
   3. Click OK

6. Configure the trust security zone.

   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box, under the Main tab, provide the following details: Zone name: trust  Zone type: security

7. Assign an interface to the trust security zone.

   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/0.0 from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.

8. Specify the allowed system services for the trust security zone.

   a. In the Add Zone box, under the Host Inbound Traffic - Zone tab, select the service all from the list of Available services and the protocol all from the list of Available protocols.
   b. Click OK

   NOTE: Allowing all host-inbound services is acceptable on the internal trust zone, where it lets the LAN reach J-Web, SSH, ping and the like on the SRX itself. Do not repeat it on the untrust zone: the Internet-facing interface should accept only the services it needs, which in this example is ike (Section B, step 1).

9. Configure an address book and attach a zone to it.

   1. Select Configure>Security>Address Book
   2. Click Add
   3. In the Add Address Book box,
      a. Add the following attributes: Address Book Name: book1
      b. Click the Address tab and provide the following attributes: Address Name: local-net  Address type: IP address  Value: 10.10.10.0/24
      c. Under the Attach zone section, select trust from the list of Available zones.
      d. Click OK


B. Configure the VPN-related interface, static routes, security zone, and address book information for the Hub:

1. Allow 'ike' on interface ge-0/0/3.0 in security zone 'untrust'.

   a. Select Security>Zones/Screens
   b. Select the security zone 'untrust' and click Edit
   c. In the Edit Zone box, under the Host Inbound Traffic - Zone tab, select the service ike from the list of Available services.
   d. Click OK

   NOTE: This step is mandatory. If ike is not enabled on the external interface, the SRX drops inbound IKE packets (UDP port 500, and UDP port 4500 when NAT traversal is in use) and the Phase 1 negotiation never starts. Enable only ike here; do not select all on an Internet-facing zone.

2. Configure the tunnel (st0) interface.

   1. Select Configure>Interfaces>Ports
   2. Select st0 in the left pane
   3. Click Add>Logical Interface
   4. In the Add Interface box,
      a. Add the following attributes: Unit: 0
      b. Check the IPv4 Address box>Enable address configuration. Click Add. Provide the address attributes: IPv4 Address: 10.11.11.10  Subnet: 24
   5. Click OK

3. Configure a route for tunnel traffic to each remote destination network (192.168.168.0/24 for Sunnyvale and 192.168.178.0/24 for Westford) with the st0.0 interface as the next hop.

   For Sunnyvale:

   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes: IP address: 192.168.168.0  Subnet mask: 24
      c. Under Next-hop, click Add. Interface: st0.0
      d. Click OK
   4. Click OK


   For Westford:

   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes: IP address: 192.168.178.0  Subnet mask: 24
      c. Under Next-hop, click Add. Interface: st0.0
      d. Click OK
   4. Click OK

4. Configure a security zone named vpn.

   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box, under the Main tab, provide the following details: Zone name: vpn  Zone type: security

5. Assign the tunnel interface to the security zone (vpn in this example).

   1. In the Add Zone box,
      a. Under the Interfaces in this zone section, select the interface st0.0 from the Available list.
      b. After selecting the interface, click the right arrow to move it to the Selected column.
      c. Click OK

6. Configure address book entries for the remote networks and attach a zone to them.

   1. Select Configure>Security>Address Book
   2. Click Add
   3. In the Add Address Book box,
      a. Add the following attributes: Address Book Name: book2
      b. Click the Address tab and provide the following attributes:
         Address Name: sunnyvale-net  Address type: IP address  Value: 192.168.168.0/24
         Address Name: westford-net  Address type: IP address  Value: 192.168.178.0/24
      c. Under the Attach zone section, select vpn from the list of Available zones.
      d. Click OK


C. Configure IKE for the Hub:

The IKE Phase 1 proposal, IKE policy, and IKE gateway are created in this section. Select IPSec VPN>Auto Tunnel>Phase 1.

1. Create the IKE Phase 1 proposal.

   a. Under the Proposal tab, click Add. Provide the following attributes: name: ike-phase1-proposal  authentication-method: pre-shared-keys  dh-group: group2  authentication-algorithm: sha1  encryption-algorithm: aes-128-cbc
   b. Click OK

   NOTE: These are the values the document was written with in 2013. DH group2 (1024-bit MODP) and SHA-1 are no longer considered adequate; on releases that offer them, prefer dh-group group14 or higher and authentication-algorithm sha-256. Whatever you choose, keep the proposal identical on every peer: a proposal mismatch is the most common reason Phase 1 fails.

2. Create an IKE policy for main mode, referencing 'ike-phase1-proposal' (created above) and the pre-shared key authentication method.

   a. Under the Policy tab, click Add.
   b. Under the IKE Policy tab, provide the following attributes: name: ike-phase1-policy  mode: main
      Specify a reference to the IKE proposal: under the Proposal section, select User Defined, select ike-phase1-proposal from the list of Available proposals, and click the right arrow to move the proposal to the Selected column.
   c. Click OK
   d. Define the IKE Phase 1 policy authentication method: under the IKE Policy Options tab, select pre-shared-key, select ASCII text, and enter the password that both VPN endpoints will use as the pre-shared key.
   e. Click OK

   NOTE: The pre-shared key is the only thing that authenticates the peers in this design, so use a long random value rather than a word, and do not reuse it outside this VPN.


3. Create an IKE Phase 1 gateway. Specify the IKE policy, the external (outgoing) interface for Phase 1, and the peer IP address/FQDN:

   For the VPN to the Sunnyvale site:

   a. Under the Gateway tab, click Add. Provide the following attributes: name: gw-sunnyvale  policy: ike-phase1-policy  external-interface: ge-0/0/3.0  Address/FQDN: 2.2.2.2

   For the VPN to the Westford site:

   a. Under the Gateway tab, click Add. Provide the following attributes: name: gw-westford  policy: ike-phase1-policy  external-interface: ge-0/0/3.0  Address/FQDN: 3.3.3.2

   NOTE: The Address/FQDN must be the remote peer's public IP address, and the external interface must be the interface on which the peer's IKE packets arrive. If either the peer address or the external interface is wrong, the SRX cannot match the incoming negotiation to a gateway and Phase 1 fails.


D. Configure IPsec for the Hub:

The IPsec Phase 2 proposal, IPsec policy, and IPsec VPN are created in this section. Select IPSec VPN>Auto Tunnel>Phase 2.

1. Create the IPsec Phase 2 proposal.

   a. Under the Proposal tab, click Add. Provide the following attributes: name: ipsec-phase2-proposal  protocol: esp  authentication-algorithm: hmac-sha1-96  encryption-algorithm: aes-128-cbc
   b. Click OK

2. Create an IPsec policy that references the Phase 2 proposal created above and enables perfect forward secrecy (PFS).

   a. Under the IPSec Policy tab, click Add. Provide the following attributes: name: ipsec-phase2-policy  perfect-forward-secrecy: group2
   b. Specify a reference to the IPsec proposal: under the Proposal section, select User Defined, select ipsec-phase2-proposal from the list of Available proposals, and click the right arrow to move the proposal to the Selected column.
   c. Click OK

   NOTE: PFS makes the Phase 2 keys independent of the Phase 1 key exchange, so a later compromise of the IKE SA does not expose earlier data. The PFS group and the Phase 2 proposal must match on both peers or the Phase 2 negotiation fails even when Phase 1 is UP.

3. Create the IPsec VPN, specifying the remote gateway, the IPsec policy, and the tunnel interface.

   For the VPN to the Sunnyvale site:

   a. Under the Auto Key VPN tab, click Add. Provide the following attributes:
      Name: sunnyvale-vpn
      Remote Gateway: gw-sunnyvale
      IPsec Policy: from the drop-down list select 'ipsec-phase2-policy'
      Bind to tunnel interface: from the drop-down list select 'st0.0'
   b. Click OK


   For the VPN to the Westford site:

   a. Under the Auto Key VPN tab, click Add. Provide the following attributes:
      Name: westford-vpn
      Remote Gateway: gw-westford
      IPsec Policy: from the drop-down list select 'ipsec-phase2-policy'
      Bind to tunnel interface: from the drop-down list select 'st0.0'
   b. Click OK

4. Configure the st0 interface as a multipoint interface, and optionally add NHTB entries.

   1. Select Configure>Interfaces>Ports
   2. Expand st0 and select st0.0 in the left pane
   3. Click Edit
   4. In the Edit Interface st0.0 box,
      a. Because this is a hub-and-spoke topology with several VPNs bound to one st0.0, the interface must be multipoint. Check the Multipoint checkbox.
      b. Under the 'st Interface Configuration' options, select Automatic or Manual as needed; the note below explains when manual NHTB configuration is required. If using manual NHTB, select the Manual radio button, click Add, and provide the NHTB attributes: Next hop tunnel address: 10.11.11.12  VPN Name: westford-vpn
   5. Click OK

   NOTE: NHTB (Next Hop Tunnel Binding) maps each spoke's st0 address to the VPN that reaches it, which is how the hub decides which of the several tunnels bound to st0.0 carries a packet whose route points at st0.0. Static NHTB entries are mandatory when a VPN terminates on a non-Junos device, because such peers cannot populate the hub's next-hop-tunnel table dynamically. They are not required when all peers run Junos, which builds the table dynamically; you can still add static entries for Junos peers if you need them. The VPN name in the entry must be exactly the IPsec VPN created in step 3 (westford-vpn here), and the address must be the spoke's st0 address. The resulting table can be checked from the CLI with show security ipsec next-hop-tunnels.

   For an explanation of NHTB, refer to http://www.juniper.net/techpubs/en_US/junos/topics/concept/vpn-hub-spoke-nhtb-example-overview.html


E. Configure Security Policies for the Hub:

The security policies for tunnel traffic in both directions are configured in this section.

A security policy permits traffic in one direction and also allows the reply traffic of those sessions without a reverse-direction policy. Because sessions in this example can be initiated from either side, policies in both directions are required.

NOTES:

o The policies use the zones set up in the earlier steps. If required, more granular policies can be created to permit or deny specific traffic.
o Because this is a route-based VPN, the policies are regular (non-tunnel) policies and do not reference the IPsec VPN.
o Source NAT rules can be enabled if desired, but that is beyond the scope of this example.
o If more spoke sites are added, add the new spoke LANs as additional source/destination match entries to permit their traffic.
o The two policies below cover traffic between the hub LAN and the spokes only. The spoke-to-spoke traffic described under Required Settings enters and leaves the hub through zone vpn, and the SRX does not permit intra-zone traffic without a policy, so the hub also needs a policy from zone vpn to zone vpn whose source and destination addresses are the spoke networks.

Select Security>Policy>Apply Policy

1. Create the security policy to permit traffic from the trust zone to the vpn zone.

   a. Click 'Add'
   b. In the 'Add Policy' window, provide the following details: policy name: local-to-spokes
   c. Under policy context,
      From zone: from the drop-down list select 'trust'
      To zone: from the drop-down list select 'vpn'
   d. Under Source Address, select 'local-net' from the list of available address book entries. Under Destination Address, select 'sunnyvale-net' and 'westford-net' from the list of available address book entries.
   e. Under Applications, select 'any' from the list of available Applications/Sets entries.
   f. Under Policy Action, select 'permit' from the drop-down list.
   g. Click 'OK'

2. Create the security policy to permit traffic from the vpn zone to the trust zone.

   a. Click 'Add'
   b. In the 'Add Policy' window, provide the following details: policy name: spokes-to-local
   c. Under policy context,
      From zone: from the drop-down list select 'vpn'
      To zone: from the drop-down list select 'trust'
   d. Under Source Address, select 'sunnyvale-net' and 'westford-net' from the list of available address book entries. Under Destination Address, select 'local-net' from the list of available address book entries.


   e. Under Applications, select 'any' from the list of available Applications/Sets entries.
   f. Under Policy Action, select 'permit' from the drop-down list.
   g. Click 'OK'
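The hub's complete configuration as Junos CLI set commands, added here as an equivalent of steps A to E above. This is not the document's own CLI listing (that is at the URL on page 1); it is derived from the J-Web values on this page. It assumes 1.1.1.1 as the default-route next hop (the upstream router on the 1.1.1.0/30 link) and uses a placeholder for the pre-shared key that you must replace. The static NHTB line is optional because the spokes run Junos, and the final vpn-to-vpn policy is not among the J-Web steps but is needed for the spoke-to-spoke traffic described under Required Settings. Lines beginning with '#' are explanatory comments; drop them if your paste method does not accept them.

```junos
# Hub (Corporate office): ge-0/0/0 = LAN (trust), ge-0/0/3 = Internet (untrust), st0.0 = tunnels (vpn)
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30
# One multipoint st0.0 carries both spoke tunnels
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.11.11.10/24
# Static NHTB entry (spoke st0 address -> VPN name); optional for Junos spokes, mandatory for non-Junos peers
set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.12 ipsec-vpn westford-vpn
# Default route via the upstream router (assumed 1.1.1.1); spoke LANs via the tunnel interface
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
set routing-options static route 192.168.178.0/24 next-hop st0.0
# Zones: trust accepts management from the LAN, untrust accepts only IKE from the Internet
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
# Address books attached to zones
set security address-book book1 address local-net 10.10.10.0/24
set security address-book book1 attach zone trust
set security address-book book2 address sunnyvale-net 192.168.168.0/24
set security address-book book2 address westford-net 192.168.178.0/24
set security address-book book2 attach zone vpn
# IKE Phase 1: one proposal and policy shared by both gateways (values as on the page)
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "<replace-with-a-long-random-secret>"
set security ike gateway gw-sunnyvale ike-policy ike-phase1-policy
set security ike gateway gw-sunnyvale address 2.2.2.2
set security ike gateway gw-sunnyvale external-interface ge-0/0/3.0
set security ike gateway gw-westford ike-policy ike-phase1-policy
set security ike gateway gw-westford address 3.3.3.2
set security ike gateway gw-westford external-interface ge-0/0/3.0
# IPsec Phase 2 with PFS; both VPNs bind to the same multipoint st0.0
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn sunnyvale-vpn bind-interface st0.0
set security ipsec vpn sunnyvale-vpn ike gateway gw-sunnyvale
set security ipsec vpn sunnyvale-vpn ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn westford-vpn bind-interface st0.0
set security ipsec vpn westford-vpn ike gateway gw-westford
set security ipsec vpn westford-vpn ike ipsec-policy ipsec-phase2-policy
# Policies: hub LAN <-> spokes in both directions
set security policies from-zone trust to-zone vpn policy local-to-spokes match source-address local-net
set security policies from-zone trust to-zone vpn policy local-to-spokes match destination-address sunnyvale-net
set security policies from-zone trust to-zone vpn policy local-to-spokes match destination-address westford-net
set security policies from-zone trust to-zone vpn policy local-to-spokes match application any
set security policies from-zone trust to-zone vpn policy local-to-spokes then permit
set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address sunnyvale-net
set security policies from-zone vpn to-zone trust policy spokes-to-local match source-address westford-net
set security policies from-zone vpn to-zone trust policy spokes-to-local match destination-address local-net
set security policies from-zone vpn to-zone trust policy spokes-to-local match application any
set security policies from-zone vpn to-zone trust policy spokes-to-local then permit
# Spoke-to-spoke relay through the hub: intra-zone vpn traffic needs its own policy (not in the J-Web steps)
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match source-address sunnyvale-net
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match source-address westford-net
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match destination-address sunnyvale-net
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match destination-address westford-net
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match application any
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke then permit
```

Paste the lines in configuration mode and commit. Then check, in order, show security ike security-associations (both peers UP), show security ipsec security-associations (one SA pair per spoke), show security ipsec next-hop-tunnels (one entry per spoke st0 address bound to its VPN name), and show route 192.168.178.0/24 (next hop st0.0). Restricting the spoke-to-spoke policy to the spoke networks, rather than using any, keeps a compromised spoke from reaching anything beyond the other spoke's LAN through the hub.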

Configuration steps for the 'Westford' spoke SRX

A. Configure LAN/WAN interface, static route, security zone, and address book information for the Westford spoke:

NOTE: This section is not the VPN configuration itself, but it is required before a VPN can be configured. If your LAN/WAN interfaces, static route, security zones, and local address book are already configured, skip to Section B for the VPN-related configuration. Note that the interface roles on this device are the reverse of the hub's: ge-0/0/0 faces the Internet and ge-0/0/3 faces the LAN.

1. Configure the WAN interface on the Untrust (Internet) side.

   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/0 in the left pane
   3. Click Add>Logical Interface
   4. In the Add Interface box,
      a. Add the following attributes: Unit: 0
      b. Check the IPv4 Address box>Enable address configuration. Click Add. Provide the address attributes: IPv4 Address: 3.3.3.2  Subnet: 30
   5. Click OK

2. Configure the LAN interface on the Trust side.

   1. Select Configure>Interfaces>Ports
   2. Select ge-0/0/3 in the left pane
   3. Click Add>Logical Interface
   4. In the Add Interface box,
      a. Add the following attributes: Unit: 0
      b. Check the IPv4 Address box>Enable address configuration. Click Add. Provide the address attributes: IPv4 Address: 192.168.178.1  Subnet: 24
   5. Click OK

3. Configure the static default route.

   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes: IP address: 0.0.0.0


         Subnet mask: 0
      c. Under Next-hop, click Add. IP Address: 3.3.3.1
      d. Click OK
   4. Click OK

4. Configure the untrust security zone.

   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box, under the Main tab, provide the following details: Zone name: untrust  Zone type: security

5. Assign an interface to the untrust security zone.

   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/0.0 (the Internet interface of this device) from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.

6. Specify the allowed system services for the untrust security zone.

   1. In the Add Zone box, under the Host Inbound Traffic - Zone tab, select the service ike from the list of Available services. Select nothing else on this Internet-facing zone.
   2. Click OK

7. Configure the trust security zone.

   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box, under the Main tab, provide the following details: Zone name: trust  Zone type: security

8. Assign an interface to the trust security zone.

   1. In the Add Zone box, under the Interfaces in this zone section, select the interface ge-0/0/3.0 (the LAN interface of this device) from the Available list.
   2. After selecting the interface, click the right arrow to move it to the Selected column.

9. Specify the allowed system services for the trust security zone.

   a. In the Add Zone box, under the Host Inbound Traffic - Zone tab, select the service all from the list of Available services and the protocol all from the list of Available protocols.
   b. Click OK

10. Configure an address book and attach a zone to it.

   1. Select Configure>Security>Address Book
   2. Click Add


   3. In the Add Address Book box,
      a. Add the following attributes: Address Book Name: book1
      b. Click the Address tab and provide the following attributes: Address Name: local-net  Address type: IP address  Value: 192.168.178.0/24
      c. Under the Attach zone section, select trust from the list of Available zones.
      d. Click OK

B. Configure the VPN-related interface, static routes, security zone, and address book information for the Westford spoke:

1. Allow 'ike' on interface ge-0/0/0.0 in security zone 'untrust'. If you already selected ike in step A.6, confirm it here.

   a. Select Security>Zones/Screens
   b. Select the security zone 'untrust' and click Edit
   c. In the Edit Zone box, under the Host Inbound Traffic - Zone tab, select the service ike from the list of Available services.
   d. Click OK

   NOTE: This step is mandatory. If ike is not enabled on the external interface, the SRX drops inbound IKE packets and the Phase 1 negotiation never starts.

2. Configure the tunnel (st0) interface.

   1. Select Configure>Interfaces>Ports
   2. Select st0 in the left pane
   3. Click Add>Logical Interface
   4. In the Add Interface box,
      a. Add the following attributes: Unit: 0
      b. Check the IPv4 Address box>Enable address configuration. Click Add. Provide the address attributes: IPv4 Address: 10.11.11.12  Subnet: 24
   5. Click OK

3. Configure a route for tunnel traffic to each remote destination network (10.10.10.0/24 for Corporate and 192.168.168.0/24 for Sunnyvale) with the st0.0 interface as the next hop. The Sunnyvale route also points at st0.0 because the spoke reaches Sunnyvale through the hub.

   For Corporate:

   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4


      b. Add the following attributes: IP address: 10.10.10.0  Subnet mask: 24
      c. Under Next-hop, click Add. Interface: st0.0
      d. Click OK
   4. Click OK

   For Sunnyvale:

   1. Select Routing>Static Routing
   2. Click Add
   3. In the Add Static Route box,
      a. Select IPv4
      b. Add the following attributes: IP address: 192.168.168.0  Subnet mask: 24
      c. Under Next-hop, click Add. Interface: st0.0
      d. Click OK
   4. Click OK

4. Configure a security zone named vpn.

   1. Select Security>Zones/Screens
   2. Click Add
   3. In the Add Zone box, under the Main tab, provide the following details: Zone name: vpn  Zone type: security

5. Assign the tunnel interface to the security zone (vpn in this example).

   1. In the Add Zone box,
      a. Under the Interfaces in this zone section, select the interface st0.0 from the Available list.
      b. After selecting the interface, click the right arrow to move it to the Selected column.
      c. Click OK

6. Configure another address book for the remote networks and attach a zone to it.

   1. Select Configure>Security>Address Book
   2. Click Add
   3. In the Add Address Book box,
      a. Add the following attributes: Address Book Name: book2
      b. Click the Address tab and provide the following attributes:
         Address Name: corp-net  Address type: IP address  Value: 10.10.10.0/24
         Address Name: sunnyvale-net


         Address type: IP address  Value: 192.168.168.0/24
      c. Under the Attach zone section, select vpn from the list of Available zones.
      d. Click OK

C. Configure IKE for the Westford spoke:

The IKE Phase 1 proposal, IKE policy, and IKE gateway are created in this section. Select IPSec VPN>Auto Tunnel>Phase 1. The proposal and policy values must be identical to those configured on the hub.

1. Create the IKE Phase 1 proposal.

   a. Under the Proposal tab, click Add. Provide the following attributes: name: ike-phase1-proposal  authentication-method: pre-shared-keys  dh-group: group2  authentication-algorithm: sha1  encryption-algorithm: aes-128-cbc
   b. Click OK

2. Create an IKE policy for main mode, referencing 'ike-phase1-proposal' (created above) and the pre-shared key authentication method.

   a. Under the Policy tab, click Add.
   b. Under the IKE Policy tab, provide the following attributes: name: ike-phase1-policy  mode: main

3. Specify a reference to the IKE proposal and the authentication method.

   a. Under the Proposal section, select User Defined.
   b. Select ike-phase1-proposal from the list of Available proposals, then click the right arrow to move the proposal to the Selected column.
   c. Click OK
   d. Define the IKE Phase 1 policy authentication method: under the IKE Policy Options tab, select pre-shared-key, select ASCII text, and enter the same pre-shared key that was configured on the hub.
   e. Click OK


4. Create an IKE Phase 1 gateway. Specify the IKE policy, the external (outgoing) interface for Phase 1, and the peer IP address/FQDN:

   For the VPN to the Corporate site:

   a. Under the Gateway tab, click Add. Provide the following attributes: name: gw-corporate  policy: ike-phase1-policy  external-interface: ge-0/0/0.0  Address/FQDN: 1.1.1.2

   NOTE: The Address/FQDN must be the remote peer's public IP address (the hub's WAN address), and the external interface must be this device's Internet interface. If either the peer address or the external interface is wrong, the SRX cannot match the negotiation to a gateway and Phase 1 fails.

D. Configure IPsec for the Westford spoke:

The IPsec Phase 2 proposal, IPsec policy, and IPsec VPN are created in this section. Select IPSec VPN>Auto Tunnel>Phase 2.

1. Create the IPsec Phase 2 proposal.

   a. Under the Proposal tab, click Add. Provide the following attributes: name: ipsec-phase2-proposal  protocol: esp  authentication-algorithm: hmac-sha1-96  encryption-algorithm: aes-128-cbc
   b. Click OK

2. Create an IPsec policy that references the Phase 2 proposal created above and enables perfect forward secrecy (PFS).

   a. Under the IPSec Policy tab, click Add. Provide the following attributes: name: ipsec-phase2-policy  perfect-forward-secrecy: group2
   b. Specify a reference to the IPsec proposal: under the Proposal section, select User Defined, and select ipsec-phase2-proposal from the list of Available proposals.
   c. After selecting ipsec-phase2-proposal, click the right arrow to move the proposal to the Selected column.
   d. Click OK


3. Create the IPsec VPN, specifying the remote gateway, the IPsec policy, and the tunnel interface.

   For the VPN to the Corporate site:

   a. Under the Auto Key VPN tab, click Add. Provide the following attributes:
      Name: vpn-corporate
      Remote Gateway: gw-corporate
      IPsec Policy: from the drop-down list select 'ipsec-phase2-policy'
      Bind to tunnel interface: from the drop-down list select 'st0.0'
   b. Click OK

   A spoke has a single VPN bound to st0.0 and does not need the multipoint setting or NHTB entries; those are required only on the hub, where several VPNs share one st0.0.

E. Configure Security Policies for the Westford spoke:

The security policies for tunnel traffic in both directions are configured in this section.

A security policy permits traffic in one direction and also allows the reply traffic of those sessions without a reverse-direction policy. Because sessions in this example can be initiated from either side, policies in both directions are required.

NOTES:

o The policies use the zones set up in the earlier steps. If required, more granular policies can be created to permit or deny specific traffic.
o Because this is a route-based VPN, the policies are regular (non-tunnel) policies and do not reference the IPsec VPN.
o Source NAT rules can be enabled if desired, but that is beyond the scope of this example.
o If more spoke sites are added, add the new spoke LANs as additional source/destination match entries to permit their traffic.

Select Security>Policy>Apply Policy

1. Create the security policy to permit traffic from the trust zone to the vpn zone.

   a. Click 'Add'
   b. In the 'Add Policy' window, provide the following details: policy name: to-corporate
   c. Under policy context,
      From zone: from the drop-down list select 'trust'
      To zone: from the drop-down list select 'vpn'
   d. Under Source Address, select 'local-net' from the list of available address book entries. Under Destination Address, select 'corp-net' and 'sunnyvale-net' from the list of available address book entries.
   e. Under Applications, select 'any' from the list of available Applications/Sets entries.
   f. Under Policy Action, select 'permit' from the drop-down list.
   g. Click 'OK'


2. Create the security policy to permit traffic from the vpn zone to the trust zone.

a. Click ‘Add’

b. Under the ‘Add Policy’ window, provide the following details:

Policy name: from-corporate

c. Under Policy context,

From zone: from the drop-down list select ‘vpn’

To zone: from the drop-down list select ‘trust’

d. Under Source Address, select ‘corp-net’ and ‘sunnyvale-net’ from the list of available address-book entries. Under Destination Address, select ‘local-net’ from the list of available address-book entries.

e. Under Applications, select ‘any’ from the list of available Applications/Sets entries.

f. Under Policy Action, select ‘permit’ from the drop-down list.

g. Click ‘OK’.

Configuration steps for the ‘Sunnyvale’ spoke SRX

To configure the Sunnyvale SRX, follow the configuration steps for the Westford SRX, replacing the parameters with those from the topology.
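To see what "bidirectional policies" and "add entries for new spoke LANs" amount to in practice, the following is an added example (not Juniper code or J-Web output) that audits a spoke's policy set against the topology. For each spoke it expects a permit from local-net to the hub LAN and to every other spoke LAN in the trust-to-vpn direction, and the reverse in the vpn-to-trust direction, so it also covers the Sunnyvale spoke and any spoke added later. The Westford entries are the two policies created in steps 1 and 2; the ‘westford-net’ address-book name and the incomplete Sunnyvale policy set are assumptions constructed for the example.

```python
"""Audit a spoke's security policies for the bidirectional trust<->vpn coverage
this section requires. Added example, not Juniper code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One entry from Security > Policy > Apply Policy (only the fields the audit needs)."""
    name: str
    from_zone: str
    to_zone: str
    src: frozenset
    dst: frozenset
    action: str = "permit"


# Address-book names of the hub LAN and of each spoke LAN as the *other* sites
# know them. 'westford-net' is an assumed name; this page only shows
# 'corp-net' and 'sunnyvale-net'.
HUB_NET = "corp-net"
SPOKE_NETS = {"westford": "westford-net", "sunnyvale": "sunnyvale-net"}

# Westford policies exactly as steps 1 and 2 above create them (constructed data).
WESTFORD = [
    Policy("to-corporate", "trust", "vpn",
           frozenset({"local-net"}), frozenset({"corp-net", "sunnyvale-net"})),
    Policy("from-corporate", "vpn", "trust",
           frozenset({"corp-net", "sunnyvale-net"}), frozenset({"local-net"})),
]

# A deliberately incomplete Sunnyvale set (constructed): the outbound policy
# exists but the reverse vpn->trust policy was never created.
SUNNYVALE_INCOMPLETE = [
    Policy("to-corporate", "trust", "vpn",
           frozenset({"local-net"}), frozenset({"corp-net", "westford-net"})),
]


def remote_nets(spoke, hub_net=HUB_NET, spoke_nets=SPOKE_NETS):
    """Every network a spoke must reach through the hub: the hub LAN plus all other spoke LANs."""
    return frozenset({hub_net} | {n for s, n in spoke_nets.items() if s != spoke})


def _covers(policies, from_zone, to_zone, local, remote):
    """True if some permit policy from_zone->to_zone matches local<->remote.
    The local LAN sits in 'trust', so 'local' is the source when the policy
    leaves trust and the destination when it enters trust. 'any' matches all."""
    for p in policies:
        if p.action != "permit" or (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if from_zone == "trust":
            local_side, remote_side = p.src, p.dst
        else:
            local_side, remote_side = p.dst, p.src
        local_ok = local in local_side or "any" in local_side
        remote_ok = remote in remote_side or "any" in remote_side
        if local_ok and remote_ok:
            return True
    return False


def audit(policies, spoke, local="local-net"):
    """Return the list of missing direction/network pairs; empty means the set is complete."""
    findings = []
    for net in sorted(remote_nets(spoke)):
        if not _covers(policies, "trust", "vpn", local, net):
            findings.append(f"{spoke}: no trust->vpn permit from {local} to {net}")
        if not _covers(policies, "vpn", "trust", local, net):
            findings.append(f"{spoke}: no vpn->trust permit from {net} to {local}")
    return findings


if __name__ == "__main__":
    print(audit(WESTFORD, "westford"))             # []
    print(audit(SUNNYVALE_INCOMPLETE, "sunnyvale"))
```

Run it as-is to see the Westford set pass and the Sunnyvale set report the two missing vpn->trust entries; when a new spoke is added, extend SPOKE_NETS and re-run against each spoke's policies.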


Verifying the IKE Phase 1 Status

For CLI:

From operational mode, enter the show security ike security-associations command.

user@host> show security ike security-associations

Index Remote Address State Initiator cookie Responder cookie Mode

1726948 2.2.2.2 UP d77t81e85fe7e7e3 8bbae363d59cc85f Main

1726949 3.3.3.2 UP 7fb608d592b38f1c 34eabfba5a363a6d Main

For J-Web:

The steps and tips to check the IKE Phase 1 status are below. (The steps to check the IPsec Phase 2 status are in the section that follows this.)

1. Click the ‘Monitor’ tab

2. Select IPSec VPN>Phase 1

On the right-hand pane you will see the active IKE associations.

This screen lists all the active IKE Phase 1 SAs. Each SA contains the following information:

Index—This value is unique for each IKE SA; use it with the CLI command ‘show security ike security-associations <index> detail’ to get more information about the SA.

Remote Address—Verify that the remote IP address is correct.

State

o UP—The Phase 1 SA has been established.

o DOWN—There was a problem establishing the Phase 1 SA.

Mode—Verify that the correct mode is being used.

Things to check:

1. In the ‘show security ike security-associations’ command output, notice that the remote address is 2.2.2.2 and the state is UP. If the State shows DOWN, or if there are no IKE security associations present, then there is a problem with Phase 1 establishment. Confirm that the remote IP address, IKE policy, and external interface are all correct. Common errors include incorrect IKE policy parameters such as the wrong mode type (Aggressive or Main), mismatched preshared keys, or mismatched Phase 1 proposals (all must match on both peers). An incorrect external interface is another common misconfiguration: this must be the interface that actually receives the IKE packets.

2. If the configuration has been checked, then check the kmd log for any errors or enable traceoptions.

Note: KMD logs can be downloaded via J-Web for viewing by going to the Maintain tab->Files->Log Files. Locate the KMD line and click Download.

For information about traceoptions, see Troubleshooting.
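The Phase 1 checklist above can be run against the CLI output rather than read by eye. The following added example (not Juniper code) parses the ‘show security ike security-associations’ listing shown earlier, embedded here as constructed sample input with the cookie values copied as printed, and reports peers that are missing, not UP, negotiated in the wrong mode, or not in the expected peer list at all.

```python
"""Check IKE Phase 1 SAs from 'show security ike security-associations' output.
Added example, not Juniper code."""

# Constructed sample: the listing shown on this page, cookies copied as printed.
IKE_SA_OUTPUT = """\
user@host> show security ike security-associations
Index     Remote Address  State  Initiator cookie  Responder cookie  Mode
1726948   2.2.2.2         UP     d77t81e85fe7e7e3  8bbae363d59cc85f  Main
1726949   3.3.3.2         UP     7fb608d592b38f1c  34eabfba5a363a6d  Main
"""


def parse_ike_sas(text):
    """Map remote address -> SA fields. Prompt, header and blank lines are skipped."""
    sas = {}
    for line in text.splitlines():
        parts = line.split()
        # A data row has exactly six columns and starts with the numeric index.
        if len(parts) != 6 or not parts[0].isdigit():
            continue
        index, remote, state, icookie, rcookie, mode = parts
        sas[remote] = {"index": int(index), "state": state, "mode": mode,
                       "initiator_cookie": icookie, "responder_cookie": rcookie}
    return sas


def check_phase1(text, expected_peers):
    """expected_peers: {remote_ip: expected_mode}. Returns findings worded
    after the checklist above; an empty list means Phase 1 is up everywhere."""
    sas = parse_ike_sas(text)
    findings = []
    for peer, mode in expected_peers.items():
        sa = sas.get(peer)
        if sa is None:
            findings.append(f"{peer}: no IKE SA; check remote address, IKE policy "
                            "and external interface")
        elif sa["state"] != "UP":
            findings.append(f"{peer}: state {sa['state']}; check mode, preshared key "
                            "and phase 1 proposals")
        elif sa["mode"] != mode:
            findings.append(f"{peer}: negotiated {sa['mode']} mode, expected {mode}")
    # An SA to a peer that is not in the plan is worth a look as well.
    for peer in sorted(set(sas) - set(expected_peers)):
        findings.append(f"{peer}: unexpected IKE SA (index {sas[peer]['index']})")
    return findings


if __name__ == "__main__":
    print(check_phase1(IKE_SA_OUTPUT, {"2.2.2.2": "Main", "3.3.3.2": "Main"}))  # []
```

On the hub, the expected peer list holds both spokes; on a spoke it holds only the hub gateway.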

Verifying the IPsec Phase 2 Status

For CLI:

From operational mode, enter the show security ipsec security-associations command.

user@host> show security ipsec security-associations

total configured sa: 2

ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys

<131073 3.3.3.2 500 ESP:aes-128/sha1 f2751079 1154/ unlim - 0

>131073 3.3.3.2 500 ESP:aes-128/sha1 33d66aa 1154/ unlim - 0

<131074 2.2.2.2 500 ESP:aes-128/sha1 e76e48f5 1153/ unlim - 0

>131074 2.2.2.2 500 ESP:aes-128/sha1 316834bf 1153/ unlim - 0

For J-Web:

The steps and tips to check the IPsec Phase 2 status are below.

1. Click the ‘Monitor’ tab

2. Select IPSec VPN>Phase 2

On the right-hand pane, click the ‘IPSec SA’ tab.


This screen contains the following information:

The ID number is 131074. Use this value with the CLI command ‘show security ipsec security-associations <index>’ to get more information about this particular SA.

There is one IPsec SA pair using port 500, which indicates that no NAT-traversal is implemented. (NAT-traversal uses port 4500 or another random high-numbered port.)

The SPIs, lifetime (in seconds), and usage limits (or lifesize in KB) are shown for both directions. The 1155/ unlim value indicates that the Phase 2 lifetime expires in 1155 seconds and that no lifesize has been specified, which means it is unlimited. The Phase 2 lifetime can differ from the Phase 1 lifetime, as Phase 2 is not dependent on Phase 1 after the VPN is up.

Things to check:

1. If no IPsec SA is listed, confirm that the Phase 2 proposals, including the proxy ID settings, are correct on both peers. Note that for route-based VPNs the default local proxy ID is 0.0.0.0/0, the remote proxy ID is 0.0.0.0/0, and the service is any. This can cause issues if you have multiple route-based VPNs from the same peer IP; in that case you need to specify unique proxy IDs for each IPsec SA. Also, for some third-party vendors you may need to configure the proxy ID to match.

2. Another common reason for Phase 2 failing to complete is a missing st0 (tunnel) interface binding on the VPN.


3. If IPsec cannot complete, check the messages log and look for any entries with the keyword KMD. These should show whether or not the SA came up.

Example:

Apr 19 11:47:54 rng kmd[1319]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:131073 and lifetime 2992 seconds/0 KB - Local gateway: 172.22.135.251, Remote gateway: 24.6.221.146, Local Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: inbound, SPI: 93eb6df3, AUX-SPI: 0, Type: dynamic

Note: Message logs can be downloaded via J-Web for viewing by going to the Maintain tab->Files->Log Files. Locate the MESSAGES line and click Download.

If the tunnel still fails to come UP, jump to the Troubleshooting section.
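The Phase 2 checks can be automated in the same way. This added example (not Juniper code) parses the ‘show security ipsec security-associations’ table and the kmd Phase-2 log line shown above, both embedded as constructed sample input with the SPI values copied as printed. It pairs the inbound (<) and outbound (>) SPIs for each SA ID, compares the listed SAs with the ‘total configured sa’ count, flags port 4500 as NAT-traversal, warns when the remaining lifetime is below a threshold, and pulls the proxy IDs, gateways and algorithms out of the log line so they can be compared with the peer's configuration.

```python
"""Parse IPsec Phase 2 state from 'show security ipsec security-associations'
and from kmd Phase-2 log lines. Added example, not Juniper code."""
import re

# Constructed sample: the SA table shown on this page (SPIs copied as printed).
IPSEC_SA_OUTPUT = """\
total configured sa: 2
ID       Gateway  Port  Algorithm         SPI       Life:sec/kb  Mon  vsys
<131073  3.3.3.2  500   ESP:aes-128/sha1  f2751079  1154/ unlim  -    0
>131073  3.3.3.2  500   ESP:aes-128/sha1  33d66aa   1154/ unlim  -    0
<131074  2.2.2.2  500   ESP:aes-128/sha1  e76e48f5  1153/ unlim  -    0
>131074  2.2.2.2  500   ESP:aes-128/sha1  316834bf  1153/ unlim  -    0
"""

# Constructed sample: the kmd message quoted on this page, joined onto one line.
KMD_LINE = ("Apr 19 11:47:54 rng kmd[1319]: IKE Phase-2: Completed negotiations, "
            "connection established with tunnel-ID:131073 and lifetime 2992 seconds/0 KB - "
            "Local gateway: 172.22.135.251, Remote gateway: 24.6.221.146, "
            "Local Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), "
            "Remote Proxy ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, "
            "Auth algo: sha1, Encryption algo: 3des-cbc, Direction: inbound, "
            "SPI: 93eb6df3, AUX-SPI: 0, Type: dynamic")

# One SA row: direction arrow, ID, gateway, port, algorithm, SPI, life sec/kb, Mon, vsys.
SA_ROW = re.compile(r"^([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\d+)\s*$")
# 'Key: value' pairs in the kmd line; a value may contain a parenthesised group with commas.
KMD_FIELD = re.compile(r"(Local gateway|Remote gateway|Local Proxy ID|Remote Proxy ID|Protocol|"
                       r"Auth algo|Encryption algo|Direction|SPI|AUX-SPI|Type): ((?:[^,(]|\([^)]*\))+)")


def parse_ipsec_sas(text):
    """Return ({sa_id: fields}, total_configured). '<' rows are inbound, '>' outbound."""
    sas, total = {}, None
    for line in text.splitlines():
        m = re.match(r"total configured sa:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        m = SA_ROW.match(line)
        if not m:
            continue
        arrow, sa_id, gw, port, algo, spi, life_sec, life_kb, mon, vsys = m.groups()
        e = sas.setdefault(int(sa_id), {"gateway": gw, "port": int(port), "algorithm": algo,
                                        "spi": {}, "life_sec": int(life_sec), "life_kb": life_kb,
                                        "monitor": mon, "vsys": int(vsys)})
        e["spi"]["inbound" if arrow == "<" else "outbound"] = spi
    return sas, total


def check_phase2(text, expected_gateways, min_life_sec=120):
    """Findings worded after the checklist above; empty when every tunnel looks healthy."""
    sas, total = parse_ipsec_sas(text)
    findings = []
    if total is not None and total != len(sas):
        findings.append(f"{total} SAs configured but {len(sas)} listed: check phase 2 proposals, "
                        "proxy IDs and st0 binding on the missing tunnels")
    by_gw = {}  # several SAs to one peer IP are possible (multiple route-based VPNs)
    for sa_id, e in sas.items():
        by_gw.setdefault(e["gateway"], []).append((sa_id, e))
    for gw in expected_gateways:
        if gw not in by_gw:
            findings.append(f"{gw}: no IPsec SA; phase 2 did not complete")
            continue
        for sa_id, e in by_gw[gw]:
            missing = {"inbound", "outbound"} - set(e["spi"])
            if missing:
                findings.append(f"{gw}: SA {sa_id} has no {'/'.join(sorted(missing))} SPI")
            if e["port"] == 4500:
                findings.append(f"{gw}: SA {sa_id} on port 4500, NAT-traversal is in use")
            if e["life_sec"] < min_life_sec:
                findings.append(f"{gw}: SA {sa_id} expires in {e['life_sec']}s")
    return findings


def parse_kmd_phase2(line):
    """Fields of a 'Phase-2: Completed negotiations' kmd line, or None for any other line."""
    if "IKE Phase-2: Completed negotiations" not in line:
        return None
    fields = {k.lower().replace(" ", "_"): v for k, v in KMD_FIELD.findall(line)}
    m = re.search(r"tunnel-ID:(\d+) and lifetime (\d+) seconds/(\d+) KB", line)
    fields["tunnel_id"], fields["lifetime_sec"], fields["lifetime_kb"] = map(int, m.groups())
    return fields


if __name__ == "__main__":
    print(check_phase2(IPSEC_SA_OUTPUT, ["2.2.2.2", "3.3.3.2"]))  # []
    print(parse_kmd_phase2(KMD_LINE)["local_proxy_id"])
```

The proxy IDs recovered from the log line are the values to compare against the peer's configuration when the first check above (mismatched Phase 2 proposals or proxy IDs) is suspected; the 0.0.0.0/0 entries in the sample are the route-based defaults the text describes.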


Verifying Static Routes for Remote Peer Local LANs

1. Click the ‘Monitor’ tab

2. Select Routing>Routing Information

3. To check the route to destination 192.168.168.10:

a. Under ‘Route Filter’, set the destination address to 192.168.168.10

b. Click Search.

c. The route for the destination is displayed as below:


Reviewing Statistics and Errors for an IPsec Security Association

1. Click the ‘Monitor’ tab

2. Select IPSec VPN>Phase 2

On the right-hand pane, click the ‘Statistics’ tab.

If you see packet loss across a VPN, you can adjust the refresh interval and then monitor the statistics to confirm that the encrypted and decrypted packet counters are incrementing. You should also check whether the other error counters are incrementing.

Troubleshooting

For step-by-step troubleshooting, refer to:

KB10100 - Resolution Guide - How to Troubleshoot a VPN Tunnel that won't come up on a SRX Series device

For help with configuring traceoptions for debugging and trimming output, refer to:

http://kb.juniper.net/KB16108