I'm trying to setup an IPsec vpn to AWS from an SRX 110 and am having some trouble getting it to work. I've download the config file and my tunnels seem to be up, but I can't seem to ping anything in AWS.
show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 9e84c351 3427/ unlim - root 500 52.55.170.166
>131073 ESP:aes-cbc-128/sha1 62e0325 3427/ unlim - root 500 52.55.170.166
<131074 ESP:aes-cbc-128/sha1 2128ae3d 3431/ unlim - root 500 52.207.67.71
>131074 ESP:aes-cbc-128/sha1 3d29fbfe 3431/ unlim - root 500 52.207.67.71
show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6550418 UP 81a741b305932303 5cded1ed9120865f Main 52.207.67.71
6550417 UP 028df2e8bf768421 0f0010a4a0fe461a Main 52.55.170.166
on the aws side, I see this:
VPN Tunnel IP Address Status Status Last Changed Details
Tunnel 1 52.55.170.166 DOWN 2016-11-02 23:04 UTC-4 IPSEC IS UP
Tunnel 2 52.207.67.71 DOWN 2016-11-02 23:04 UTC-4 IPSEC IS UP
I think I don't have something configured in my zones correctly but am not sure, I have two zones that are:
zone1
Name: Internal
Type: Security
Interface: vlan.1
Zone2:
Name: Internet
Type: Security
Interfaces: fe-0/0/0.0
when I ran my config, it created two more zones as follows:
Name: trust
Type: Security
Protocals: bgp
interfaces: st0.1,st0.2
and this one:
Name: untrust
Type: Security
Services: ike
Interfaces: blank
how come the tunnels seem to be up but I can't seem to ping anything inside the vpc?
Also, I'm very new to this as well…..
——————EDIT—————-
On the aws side, its now showing this:
VPN Tunnel IP Address Status Status Last Changed Details
Tunnel 1 52.55.170.166 UP 2016-11-02 23:04 UTC-4 1
Tunnel 2 52.207.67.71 UP 2016-11-02 23:04 UTC-4 1
what my current config looks like now:
system {
host-name RonakLab;
time-zone EST;
root-authentication {
encrypted-password "xxxxxxxxx"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
name-resolution {
no-resolve-on-input;
}
services {
ssh;
telnet;
web-management {
http {
interface vlan.1;
}
https {
system-generated-certificate;
interface vlan.1;
}
session {
idle-timeout 60;
}
}
dhcp {
pool 192.168.2.0/24 {
address-range low 192.168.2.1 high 192.168.2.254;
router {
192.168.2.1;
}
}
propagate-settings fe-0/0/0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
fe-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan1;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan1;
}
}
}
}
st0 {
unit 1 {
family inet {
mtu 1436;
address 169.254.47.18/30;
}
}
unit 2 {
family inet {
mtu 1436;
address 169.254.45.38/30;
}
}
}
vlan {
unit 1 {
family inet {
address 192.168.2.1/24;
}
}
}
}
protocols {
stp;
}
security {
ike {
proposal ike-prop-vpn-f7584996-1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal ike-prop-vpn-f7584996-2 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
policy ike-pol-vpn-f7584996-1 {
mode main;
proposals ike-prop-vpn-f7584996-1;
pre-shared-key ascii-text "xxxxxxx"; ## SECRET-DATA
}
policy ike-pol-vpn-f7584996-2 {
mode main;
proposals ike-prop-vpn-f7584996-2;
pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
}
gateway gw-vpn-f7584996-1 {
ike-policy ike-pol-vpn-f7584996-1;
address 52.45.108.91;
dead-peer-detection;
no-nat-traversal;
external-interface fe-0/0/0.0;
}
gateway gw-vpn-f7584996-2 {
ike-policy ike-pol-vpn-f7584996-2;
address 52.54.120.173;
dead-peer-detection;
no-nat-traversal;
external-interface fe-0/0/0.0;
}
}
ipsec {
proposal ipsec-prop-vpn-f7584996-1 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
proposal ipsec-prop-vpn-f7584996-2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy ipsec-pol-vpn-f7584996-1 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-prop-vpn-f7584996-1;
}
policy ipsec-pol-vpn-f7584996-2 {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-prop-vpn-f7584996-2;
}
vpn vpn-f7584996-1 {
bind-interface st0.1;
df-bit clear;
vpn-monitor {
source-interface st0.1;
destination-ip 169.254.47.17;
}
ike {
gateway gw-vpn-f7584996-1;
ipsec-policy ipsec-pol-vpn-f7584996-1;
}
}
vpn vpn-f7584996-2 {
bind-interface st0.2;
df-bit clear;
vpn-monitor {
source-interface st0.2;
destination-ip 169.254.45.37;
}
ike {
gateway gw-vpn-f7584996-2;
ipsec-policy ipsec-pol-vpn-f7584996-2;
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1387;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone aws {
policy TO-aws {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone aws to-zone Internal {
policy FROM-aws {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone Internal {
interfaces {
vlan.1 {
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
}
}
}
}
}
security-zone aws {
host-inbound-traffic {
protocols {
bgp;
}
}
interfaces {
st0.1;
st0.2;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
}
}
}
}
}
vlans {
vlan1 {
vlan-id 3;
l3-interface vlan.1;
}
}
Best Answer
From your output, it looks like there are a couple of things wrong:
st0.0andst0.1interfaces are what you connect to AWS over, however they are currently located in a zonetrustwhich has no security policies bound to it.To resolve these, I would recommend the following changes (as a starting point):
I would start with something simpler like just advertising the attached
vlan.1prefix:After that, you'll need to make sure you're propagating routes from your VPC within AWS (so that you receive them via BGP) - the rough process for this is:
Route Tables, and then select the route table (usually the main route table for the VPC).Route Propagationtab in theDetailspane, clickEdit, pick the gateway and thenSave.