I'm trying to set up an IPsec VPN tunnel between a Debian Jessie system running strongSwan and an SRX. The end goal is to use the Debian host as a reverse proxy for hosts behind the SRX, which I assume will require a split tunnel.
The Debian host is debian.example.com (1.2.3.4).
The SRX is at srx.example.com and has a dynamically assigned IP address, which I've replaced with 5.6.7.8 below.
Both sides seem to think the SA is up, but I am unable to ping anything in the 192.168.1.0/24 subnet from the Debian host.
SRX:
root@srx# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3981725 UP b1cbd62070dd2779 f49d3bd11b69a018 IKEv2 1.2.3.4
Debian:
# ipsec status srx.example.com
Security Associations (1 up, 0 connecting):
srx.example.com[1]: ESTABLISHED 32 minutes ago, 1.2.3.4[debian.example.com]...5.6.7.8[srx.example.com]
srx.example.com{1}: INSTALLED, TUNNEL, ESP SPIs: ca2f0887_i 516e8cf8_o
srx.example.com{1}: 192.168.2.0/24 === 192.168.1.0/24
# ip -s xfrm policy list src 192.168.2.0/24
src 192.168.2.0/24 dst 192.168.1.0/24 uid 0
dir out action allow index 2593 priority 2883 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2016-08-16 18:14:21 use -
tmpl src 1.2.3.4 dst 5.6.7.8
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
SRX config:
interfaces {
    /* three access ports grouped into vlan-trust (vlan-id 100, see the vlans stanza) */
    interface-range interfaces-trust {
        member fe-0/0/0;
        member fe-0/0/1;
        member fe-0/0/2;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* review: address is obtained via DHCP (the dynamic 5.6.7.8 from the question); this is also the IKE external-interface and the only interface in zone untrust */
    fe-0/0/7 {
        unit 0 {
            family inet {
                dhcp {
                    update-server;
                }
            }
        }
    }
    /* review: tunnel interface of the route-based VPN (bound by security ipsec vpn vpn, placed in zone vpn). No address is set on it, and the inet.0 table shown in the update has no entry for 192.168.2.0/24 pointing at st0.0 - confirm whether one is expected */
    st0 {
        unit 0 {
            family inet;
        }
    }
    /* L3 gateway of the 192.168.1.0/24 LAN; vlan.100 is the only interface in zone trust */
    vlan {
        unit 100 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    ike {
        /* review: IKE (phase-1) parameters; the Debian side mirrors them with authby=secret and ike=aes128-sha256-modp2048s256 */
        proposal ike-vpn-proposal {
            authentication-method pre-shared-keys;
            dh-group group24;
            authentication-algorithm sha-256;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-vpn-policy {
            /* review: aggressive mode is an IKEv1 phase-1 setting; the gateway below is version v2-only, so it should have no effect here - confirm and drop it if unused */
            mode aggressive;
            proposals ike-vpn-proposal;
            /* review: the $9$ form is reversible obfuscation, not a hash; a value that has been pasted publicly should be treated as disclosed and the PSK rotated on both peers */
            pre-shared-key ascii-text "$9$KJiWxdaJDkqf7-qfQzAtNdb"; ## SECRET-DATA
        }
        /* review: the peer is the Debian host's static address; the two hostname identities must match the strongSwan leftid/rightid values (@debian.example.com / @srx.example.com) */
        gateway vpn-local-gw {
            ike-policy ike-vpn-policy;
            address 1.2.3.4;
            local-identity hostname srx.example.com;
            remote-identity hostname debian.example.com;
            external-interface fe-0/0/7.0;
            version v2-only;
        }
    }
    ipsec {
        /* review: ESP (phase-2) parameters; the Debian side mirrors them with esp=aes128-sha256 */
        proposal ipsec-vpn-proposal {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-vpn-policy {
            /* review: PFS is required here, but the strongSwan esp= line carries no DH group; CHILD_SA rekeys may fail once the initial SA expires - confirm */
            perfect-forward-secrecy {
                keys group24;
            }
            proposals ipsec-vpn-proposal;
        }
        /* route-based VPN bound to st0.0; proxy-identity mirrors the strongSwan rightsubnet/leftsubnet selectors */
        vpn vpn {
            bind-interface st0.0;
            ike {
                gateway vpn-local-gw;
                proxy-identity {
                    local 192.168.1.0/24;
                    remote 192.168.2.0/24;
                }
                ipsec-policy ipsec-vpn-policy;
            }
            establish-tunnels immediately;
        }
    }
    /* review: only trust/untrust policies are defined; nothing references zone vpn, so traffic arriving on st0.0 has no permit toward trust and nothing from trust is permitted toward st0.0 */
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    /* explicit deny of all unsolicited traffic from untrust into the LAN */
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            /* review: every host-inbound service and protocol is accepted on vlan.100 */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.100;
            }
        }
        security-zone untrust {
            /* the untrust-screen definition is not shown */
            screen untrust-screen;
            interfaces {
                fe-0/0/7.0 {
                    /* review: host-inbound is limited to what the interface's own DHCP lease and the IKE negotiation need */
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ike;
                        }
                    }
                }
            }
        }
        /* review: holds the tunnel interface; no host-inbound-traffic here and no security policy refers to this zone */
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
}
vlans {
    /* LAN VLAN (vlan-id 100) carried by interface-range interfaces-trust; its L3 gateway is vlan.100 (192.168.1.1/24) */
    vlan-trust {
        vlan-id 100;
        l3-interface vlan.100;
    }
}
Debian strongSwan config:
# ipsec.conf - strongSwan IPsec configuration file
config setup
# Add connections here.
# Site-to-site tunnel to the SRX. The values mirror the SRX "security ike" /
# "security ipsec" stanzas: PSK auth, AES-128-CBC / SHA-256, DH group 24,
# ESP AES-128-CBC / HMAC-SHA-256-128.
conn srx.example.com
    # start the tunnel when strongSwan starts (SRX side: establish-tunnels immediately)
    auto=start
    keyexchange=ikev2
    # pre-shared key; the key material itself presumably lives in ipsec.secrets (not shown)
    authby=secret
    # must match SRX proposal ike-vpn-proposal (aes-128-cbc / sha-256 / dh-group group24)
    ike=aes128-sha256-modp2048s256
    ikelifetime=3h
    # matches SRX proposal ipsec-vpn-proposal (esp / aes-128-cbc / hmac-sha-256-128).
    # NOTE(review): no DH group is given here, while the SRX ipsec policy sets
    # perfect-forward-secrecy keys group24; CHILD_SA rekeys may fail once the
    # initial SA expires - confirm (e.g. esp=aes128-sha256-modp2048s256).
    esp=aes128-sha256
    # identities must match the SRX remote-identity / local-identity hostnames
    leftid=@debian.example.com
    rightid=@srx.example.com
    left=1.2.3.4
    # the SRX address is dynamic (see the question), so the peer is given by name
    right=srx.example.com
    # traffic selectors; the mirror image of the SRX proxy-identity remote/local
    leftsubnet=192.168.2.0/24
    rightsubnet=192.168.1.0/24
include /var/lib/strongswan/ipsec.conf.inc
Update:
I think I may be missing the routes needed to make this work.
SRX:
root@srx> show security flow session destination-prefix 192.168.1.0
Total sessions: 0
root@dravis> show route table inet.0 brief
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Access-internal/12] 22:20:39
> to 5.6.7.1 via fe-0/0/7.0
5.6.7.0/24 *[Direct/0] 10w3d 12:43:15
> via fe-0/0/7.0
5.6.7.8/32 *[Local/0] 10w3d 12:43:15
Local via fe-0/0/7.0
192.168.1.0/24 *[Direct/0] 4w6d 13:21:42
> via vlan.100
192.168.1.1/32 *[Local/0] 10w3d 12:43:40
Local via vlan.100
Debian:
$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth0
10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
1.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Best Answer
On the SRX, you have no security policy configured between the vpn zone (where your tunnel interface st0.0 resides) and the trust zone.
Add the following and you should be up and running: