Vpn – Juniper SRX to SRX site-to-site VPN over existing WAN in trust zone

ipsecjuniper-srxvpn

I have a client with 5 sites, each using their own private LAN subnet.

They are currently using a service provider to link their branches and for Internet breakout centrally. I need to break them out to the Internet temporarily at another branch, over the existing WAN. I cannot configure the current WAN. My plan is to drop SRX devices at the 5 sites and give them a local LAN IPs, then create a VPN tunnel to the main SRX's local LAN IP. Then route traffic to the main site and breakout to the Internet at the main site.

Since they can ping and route to each over over the existing WAN, this should work?

Can I terminate the VPN on the local LAN IP? I will have to create static routes on the site SRXs to use the existing site gateways to get to the main SRX to initialise the tunnel, and then route all other traffic over the tunnel?

Can I get some pointers?

I have played around with some success, some tunnels did connect but data not flowing etc.. I need to get my head around this first..

Best Answer

Actually I think most of what you are trying to achieve is answered in that document: http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf

Since this kind of setup requires two routing instances (one flow based and another packet based) you should be able to use a local "LAN" IP on both sides of the SRX as long as you use two different interfaces.

The SRXes you need to use must be of "HighMemory" type IE: SRX100H (not SRX100B) to be able to support GRE fragmentation.

Related Solutions

Juniper SRX Site-to-Site VPN Issues – Changing IP and Default Route

so, I think I have found the solution finally.

at both sides I run this command:

show security ike security-associations

Site B showed

Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
<anumber> DOWN   <some data>  <0000000000000000>  Main           <correct ip>

which is logical, since the vpn IS down.

then I ran same on the other side (side A)

it showed this: Index Remote Address State Initiator cookie Responder cookie Mode UP Main UP Main
UP Main

which is strange since again, the vpn is DOWN..

so, I tried to run this command:

clear security ike security-associations index <index from first one above>

and then the vpn came up again... and I finally alro removed the other "old ip" line, and now only have one line (site A)

    <anumber> <newip>   UP     <some data>  <some data>  Main

and similarly site B shows

<anumber> UP     <some data>  <some data>  Main           <correct ip>

and the vpn seems stable.

I did not find this solution on any of the juniper FAQ, and googled a lot, but managed by a bit of luck to solve it. so I wanted to document it a bit here just in case someone (like me) need it.

IF: I am completely wrong here, and what happened here just luck and not related, I do hope that you will comment or edit thanks!

VPN – How to Set Up Backup IP for Site-to-Site VPN on Juniper SRX?

Junos does have DPD and you can use it in conjunction with multiple endpoint IP addresses in a single IKE tunnel.

There is a bit of info about it here (which I've copied below)

http://kb.juniper.net/InfoCenter/index?page=content&id=KB29211&actp=RSS

SUMMARY: This article explains how redundancy in site-to-site VPN can be achieved using multiple address in gateway and dead-peer-detection.

PROBLEM OR GOAL: How to use different modes of dead-peer-detection for VPN failover .

CAUSE:

SOLUTION: The gateway for VPN redundancy can be configured with the following commands :

set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security ike policy p1 mode main
set security ike policy p1 proposal-set standard
set security ike policy p1 pre-shared-key ascii-text "$9$21oZjmfzCtOHqtO1RlegoJ"
set security ike gateway g1 ike-policy p1
set security ike gateway g1 address 2.2.2.1
set security ike gateway g1 address 3.3.3.1
set security ike gateway g1 dead-peer-detection interval 10
set security ike gateway g1 dead-peer-detection threshold 3
set security ike gateway g1 external-interface fe-0/0/0
set security ipsec policy p1 proposal-set standard
set security ipsec vpn v1 bind-interface st0.0
set security ipsec vpn v1 ike gateway g1
set security ipsec vpn v1 ike ipsec-policy p1
set security ipsec vpn v1 establish-tunnels immediately

The first address in the order of configuration is the one chosen to negotiate the tunnel:

gateway g1 {
            ike-policy p1;
            address [ 2.2.2.1 3.3.3.1 ];
            dead-peer-detection {
                                 interval 10;
                                 threshold 3;
                                 }
            external-interface fe-0/0/0;
            }

The above configuration is in dead-peer-detection optimal mode. It sends probes if packets were sent out (encrypted packets), but no packets were received (decrypted) for the configured interval. Three probe-packets are sent at 10 second intervals.

root@srx# run show security ike sa 
Index State Initiator cookie Responder cookie Mode Remote Address 
6770125 UP d570a30c806721ea ccc1572d2f763981 Main 2.2.2.1 


root@srx# run show security ipsec sa 
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway 
<131073 ESP:3des/sha1 1debda06 3397/ unlim - root 500 2.2.2.1 
>131073 ESP:3des/sha1 7a7dff24 3397/ unlim - root 500 2.2.2.1

As soon as the tunnel drops, dead-peer-detection comes into play. If a response is not received from the peer in 30 seconds, the failover takes place and the tunnel is negotiated with 3.3.3.1 and vice-versa.

root@srx# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address 
6770151 UP 36a2e145e0fd2c10 b3abc0b135cf33fe Main 3.3.3.1

root@srx# run show security ipsec sa 
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway 
<131073 ESP:3des/sha1 2420b2bd 3598/ unlim - root 500 3.3.3.1 
>131073 ESP:3des/sha1 5c8bb9da 3598/ unlim - root 500 3.3.3.1

Always-Send mode for dead-peer-detection:

In order to instruct the device to send dead-peer-detection requests, regardless of whether or not there is outgoing IPSec traffic to the peer, the following command is also needed:

set security ike gateway g1 dead-peer-detection always-send

UPDATE

I have configured this in a test lab and confirm that it works well. I have 3 devices, S3, S4 and S5.

S4 and S5 both have a basic IPSEC tunnel configured to connect to S3 (7.7.7.22 in my example). The config is dead simple and the same on both devices

ike {
    gateway s3-gw {
        ike-policy ike-policy;
        address 7.7.7.22;
        external-interface ge-0/0/1.0;
    }
}
ipsec {
    policy standard-ipsec-policy {
        proposal-set standard;
    }
    vpn s3 {
        bind-interface st0.0;
        ike {
            gateway s3-gw;
            ipsec-policy standard-ipsec-policy;
        }
        establish-tunnels immediately;
    }
}

The device S3 has a config that is very similar to the above but has 2 gateways listed and DPD enabled.

The relevant section is in the IKE config

gateway s4-s5-gw {
    address [ 7.7.7.21 192.168.211.2 ];
    dead-peer-detection {
        always-send;
        interval 10;
        threshold 3;
    }
    external-interface ge-0/0/1.0;
}

This brings up the tunnel as such

root@TEST-srx3> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1404200 UP     2f4f0465dc8c4556  d2e6022d0dc213c3  Main           7.7.7.21

root@TEST-srx3> show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 d4428f3  3170/ unlim   -   root 500   7.7.7.21
  >131073 ESP:3des/sha1 5cda9108 3170/ unlim   -   root 500   7.7.7.21

If I deactivate the IKE/IPSEC config sections on S4 the tunnel drops and then comes back up connected to the 2nd gateway

root@TEST-srx3> show security ike security-associations

root@TEST-srx3> show security ipsec sa
  Total active tunnels: 0

Then after about 30 seconds (10 x 3)

root@TEST-srx3> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1404202 UP     35e54d457be6132f  0444ae31577c71a2  Main           192.168.211.2

root@TEST-srx3> show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 93043b2  3595/ unlim   -   root 500   192.168.211.2
  >131073 ESP:3des/sha1 e5c551e4 3595/ unlim   -   root 500   192.168.211.2

If you need any help post some config snippets and I'll do my best to have a look!

UPDATE 2

I have built this whole thing in a mini lab. The problem I have found is that while you can use multiple gateways in your IKE configuration you will still need to have an IPSEC tunnel per ISP on each device. This is because you have multiple source IP addresses you want to potentially make an IPSEC tunnel from.

Lab Config

To save me posting a lot of config each SRX (A and B) has two IPSEC tunnels configured as shown below. The things to note are I'm using a single tunnel interface on each device, these are set to multipoint. You could use multiple ones if you wanted.

This config will provide full redundancy if a single ISP at site A and/or site B goes down.

I tested this by dropping the linked between SRX-A and SRX-1 and then dropping SRX-B and SRX-4. Due to me using BGP and DPD it took just over a minute for the tunnel to come back up but worked well!

Hopefully this will ultimately help you sort out your config!

SRX-A IPSEC Config

ike {
    gateway SRX-B_via_ISP1 {
        ike-policy ike-policy;
        address [ 6.6.6.6 5.5.5.5 ];
        dead-peer-detection {
            always-send;
            interval 10;
            threshold 3;
        }
        external-interface lo0.10;
        local-address 7.7.7.5;
    }
    gateway SRX-B_via_ISP2 {
        ike-policy ike-policy;
        address [ 6.6.6.6 5.5.5.5 ];
        dead-peer-detection {
            always-send;
            interval 10;
            threshold 3;
        }
        external-interface lo0.10;
        local-address 8.8.8.9;
    }
}
ipsec {
    policy standard-ipsec-policy {
        proposal-set standard;
    }
    vpn SRX-B_via_ISP1 {
        bind-interface st0.0;
        ike {
            gateway SRX-B_via_ISP1;
            ipsec-policy standard-ipsec-policy;
        }
        establish-tunnels immediately;
    }
    vpn SRX-B_via_ISP2 {
        bind-interface st0.0;
        ike {
            gateway SRX-B_via_ISP2;
            ipsec-policy standard-ipsec-policy;
        }
        establish-tunnels immediately;
    }
}

Best Answer

Related Solutions

Juniper SRX Site-to-Site VPN Issues – Changing IP and Default Route

VPN – How to Set Up Backup IP for Site-to-Site VPN on Juniper SRX?

Related Topic