Juniper SRX Blank Proxy-Identity – Troubleshooting

Tags: ipsec, juniper-junos, srx, vpn

I would really appreciate some clarification in the following matter.

What I'm seeing

I'm looking at two different SRX210 firewalls, specifically at their ipsec stanza.
I'm seeing the following, which makes me wonder about proxy-identity:

admin@firewall> show configuration security ipsec vpn <vpn-name>
bind-interface st0.1;
ike {
    gateway <gateway>;
    proxy-identity;
    ipsec-policy <policy-name>;
}

If I type a question mark after ike, the following is produced, which is of no help to me in understanding this:

admin@firewall# set security ipsec vpn <vpn-name> ike ?
Possible completions:
> proxy-identity       IPSec proxy-id to use in IKE negotiations

The question

What are the effects, if any, of entering nothing after proxy-identity in the configuration of an SRX?

Mark: all names and identities have been replaced for security's sake.

Thanks in advance!

Best Answer

Proxy-identity defaults to whatever you have set on the policy (in the case of a policy-based VPN). In the case of a route-based VPN, it defaults to:

proxy-identity {
   local 0.0.0.0/0;
   remote 0.0.0.0/0;
   service any;
}

Proxy-identity is used only for negotiating the IKE phase of the VPN, and has to mirror the proxy-identity that is set on the other side of the VPN tunnel. It has no effect on actually routing or permitting traffic through the tunnel once it has been established; that has to be done with routes and/or policies.

This is easily verified if you have access to Juniper routers where you can mess around with the VPN settings.

no proxy-identity settings

Testing default settings without mentioning proxy-identity.

vpn ike-vpn {
    bind-interface st0.0;
    ike {
        gateway gw-vpn;
        ipsec-policy ipsec-phase2-policy;
    }
}

The VPN is established, using 0.0.0.0/0 as local and remote subnets:

root@srx-01> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 192.168.159.133, Remote Gateway: 192.168.159.128
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

real proxy-identity settings

As a second test, I've added real proxy-identity settings to match my remote and local subnets:

vpn ike-vpn {
    bind-interface st0.0;
    ike {
        gateway gw-vpn;
        proxy-identity {
            local 10.2.1.0/24;
            remote 10.1.1.0/24;
        }
        ipsec-policy ipsec-phase2-policy;
    }
}

As expected, the tunnel is established using the proper local and remote subnet information:

root@srx-01# run show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 192.168.159.133, Remote Gateway: 192.168.159.128
  Local Identity: ipv4_subnet(any:0,[0..7]=10.2.1.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.1.1.0/24)

blank proxy-identity

Now I'll remove the local and remote subnets from the proxy-identity stanza:

vpn ike-vpn {
    bind-interface st0.0;
    ike {
        gateway gw-vpn;
        proxy-identity;
        ipsec-policy ipsec-phase2-policy;
    }
}

The tunnel is re-established using 0.0.0.0/0 as local and remote subnets.

root@srx-02# run show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 192.168.159.128, Remote Gateway: 192.168.159.133
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

In other words, my assumption is correct, and leaving the stanza blank means the router uses its default settings.
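A practical follow-on to the three tests in the answer, added here as an example and not part of the original post: a small Python checker that parses the text of `show security ipsec security-associations detail` in the format shown above, extracts the negotiated local and remote identities for every SA, and flags the ones that came up with the 0.0.0.0/0 wildcard that a blank or absent proxy-identity stanza produces on a route-based VPN. It also emits the `set` form of the proxy-identity stanza for a given VPN so the fix can be pasted into configure mode. The sample output embedded in the script is constructed from the answer's format; the second SA (`branch-vpn`, peer 203.0.113.10) and the tolerance for the missing closing parenthesis seen in one of the pasted outputs are assumptions for illustration, and the script has not been run against a real device.

```python
"""Flag Junos SRX IPsec SAs that negotiated the 0.0.0.0/0 wildcard proxy-ID.

Added example, not from the original post. Parses the text format of
`show security ipsec security-associations detail` as shown in the answer
and reports which VPNs came up with the any/any traffic selectors that a
blank or absent proxy-identity stanza yields on a route-based VPN.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed sample in the answer's output format (not captured from a real
# device): one SA negotiated with the default wildcard proxy-ID and one with
# explicit subnets. The second SA and its peer address are invented.
SAMPLE_OUTPUT = """\
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 192.168.159.133, Remote Gateway: 192.168.159.128
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  ID: 131074 Virtual-system: root, VPN Name: branch-vpn
  Local Gateway: 192.168.159.133, Remote Gateway: 203.0.113.10
  Local Identity: ipv4_subnet(any:0,[0..7]=10.2.1.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.1.1.0/24)
"""

_ID_RE = re.compile(r"^\s*ID:\s*(?P<id>\d+).*?VPN Name:\s*(?P<vpn>\S+)")
# proto:port, port range, and subnet; the closing ')' is optional because
# pasted output sometimes loses it (assumption based on the post's paste).
_IDENT_RE = re.compile(
    r"^\s*(?P<side>Local|Remote) Identity:\s*ipv4_subnet\("
    r"(?P<proto>[^,]+),\[(?P<ports>[^\]]*)\]=(?P<subnet>[0-9./]+)\)?\s*$"
)


@dataclass
class SaProxyId:
    sa_id: int
    vpn: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def is_wildcard(self) -> bool:
        """True when either negotiated traffic selector is the 0.0.0.0/0 default."""
        return self.local.prefixlen == 0 or self.remote.prefixlen == 0


def _build(rec: Dict[str, Any]) -> SaProxyId:
    try:
        return SaProxyId(rec["id"], rec["vpn"], rec["local"], rec["remote"])
    except KeyError as e:
        raise ValueError(f"SA {rec.get('id')} is missing a {e.args[0]} identity") from None


def parse_sa_detail(text: str) -> List[SaProxyId]:
    """Turn the 'detail' listing into one record per SA (ID line starts a record)."""
    sas: List[SaProxyId] = []
    rec: Dict[str, Any] = {}
    for line in text.splitlines():
        m = _ID_RE.match(line)
        if m:
            if rec:
                sas.append(_build(rec))
            rec = {"id": int(m.group("id")), "vpn": m.group("vpn")}
            continue
        m = _IDENT_RE.match(line)
        if m and rec:
            rec[m.group("side").lower()] = ipaddress.ip_network(m.group("subnet"), strict=False)
    if rec:
        sas.append(_build(rec))
    return sas


def wildcard_vpns(text: str) -> List[str]:
    """Names of VPNs whose SA was negotiated with an any/any proxy-ID."""
    return [sa.vpn for sa in parse_sa_detail(text) if sa.is_wildcard()]


def proxy_identity_set_commands(vpn: str, local: str, remote: str, service: str = "any") -> List[str]:
    """Junos 'set' form of the proxy-identity stanza shown in the answer."""
    base = f"set security ipsec vpn {vpn} ike proxy-identity"
    return [
        f"{base} local {ipaddress.ip_network(local, strict=False)}",
        f"{base} remote {ipaddress.ip_network(remote, strict=False)}",
        f"{base} service {service}",
    ]


if __name__ == "__main__":
    for sa in parse_sa_detail(SAMPLE_OUTPUT):
        flag = "WILDCARD" if sa.is_wildcard() else "ok"
        print(f"{sa.vpn:12} local={sa.local} remote={sa.remote} [{flag}]")
    for cmd in proxy_identity_set_commands("ike-vpn", "10.2.1.0/24", "10.1.1.0/24"):
        print(cmd)
```

Run it against the saved output of the `show` command from each peer; a VPN that appears in the wildcard list on one side but not the other is the proxy-ID mismatch that keeps phase 2 from completing, since, as the answer says, both sides' proxy-identity settings have to mirror each other.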
