Tuesday, August 14, 2018

SRX 340--> SRX1500 GRE over IPSec

Hi there,

I'm trying to build a Layer 3 GRE tunnel over IPsec between an SRX1500 and an SRX340, but I'm having trouble establishing connectivity between the remote VLANs. I'd be very grateful if you could shed some light on what I'm missing here. Below is a diagram:

Diagram HERE

The goal of this test is to ping from 10.171.128.254/24 to the remote end 10.170.179.252/24.

For this scenario there are two zones configured: INTERNET and LAN.

Thanks for your help.

When I try to ping SRX340 ---> SRX1500:

SRX340> ping 10.170.179.252 source 10.171.128.254

SRX340> monitor traffic interface st0
14:54:27.550106 Out IP truncated-ip - 40 bytes missing! 172.16.30.1 > 172.16.30.2: IP 10.171.128.254 > 10.170.179.252: ICMP echo request, id 4694, seq 85, length 64 (gre encap)
14:54:28.551101 Out IP truncated-ip - 40 bytes missing! 172.16.30.1 > 172.16.30.2: IP 10.171.128.254 > 10.170.179.252: ICMP echo request, id 4694, seq 86, length 64 (gre encap)
14:54:29.552068 Out IP truncated-ip - 40 bytes missing! 172.16.30.1 > 172.16.30.2: IP 10.171.128.254 > 10.170.179.252: ICMP echo request, id 4694, seq 87, length 64 (gre encap)

I can't see any return traffic.

SRX1500> ping 10.171.128.254 source 10.170.179.252

SRX1500> monitor traffic interface st0
ho request, id 16511, seq 76, length 64 (gre encap)
15:08:48.166765 Out IP truncated-ip - 40 bytes missing! 172.16.30.2 > 172.16.30.1: IP 10.170.179.252 > 10.171.128.254: ICMP echo request, id 16511, seq 77, length 64 (gre encap)
15:08:49.176781 Out IP truncated-ip - 40 bytes missing! 172.16.30.2 > 172.16.30.1: IP 10.170.179.252 > 10.171.128.254: ICMP echo request, id 16511, seq 78, length 64 (gre encap)
15:08:50.181797 Out IP truncated-ip - 40 bytes missing! 172.16.30.2 > 172.16.30.1: IP 10.170.179.252 > 10.171.128.254: ICMP echo request, id 16511, seq 79, length 64 (gre encap)
15:08:51.189703 Out IP truncated-ip - 40 bytes missing! 172.16.30.2 > 172.16.30.1: IP 10.170.179.252 > 10.171.128.254: ICMP echo request, id 16511, seq 80, length 64 (gre encap)

Same here: I couldn't see any return traffic.

- ROUTING

SRX340
set routing-options static route 10.0.0.2/32 next-hop st0.30
set routing-options static route 10.170.176.0/22 next-hop gr-0/0/0.0

SRX1500
set routing-options static route 10.0.0.1/32 next-hop st0.10
set routing-options static route 10.171.128.0/24 next-hop gr-0/0/0.0

- ZONES

SRX340
set security zones security-zone INTERNET host-inbound-traffic system-services ping
set security zones security-zone INTERNET host-inbound-traffic system-services ike
set security zones security-zone INTERNET interfaces ge-0/0/0.0
set security zones security-zone INTERNET interfaces st0.30
set security zones security-zone LAN host-inbound-traffic system-services ping
set security zones security-zone LAN host-inbound-traffic system-services traceroute
set security zones security-zone LAN host-inbound-traffic protocols bgp
set security zones security-zone LAN host-inbound-traffic protocols ospf
set security zones security-zone LAN interfaces irb.10

SRX1500
set security zones security-zone INTERNET host-inbound-traffic system-services ike
set security zones security-zone INTERNET host-inbound-traffic system-services ping
set security zones security-zone INTERNET interfaces ge-0/0/0.0
set security zones security-zone INTERNET interfaces gr-0/0/0.0
set security zones security-zone INTERNET interfaces st0.10
set security zones security-zone LAN interfaces ae1.176
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all

- INTERFACES

SRX340
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.30.1
set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.30.2
set interfaces gr-0/0/0 unit 0 family inet mtu 1300
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces st0 unit 30 family inet address 172.16.30.1/30
set interfaces ge-0/0/0 unit 0 family inet address 89.1.1.213/27
set interfaces irb unit 10 family inet address 10.171.128.254/24

SRX1500
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.30.2
set interfaces gr-0/0/0 unit 0 tunnel destination 172.16.30.1
set interfaces gr-0/0/0 unit 0 family inet mtu 1300
set interfaces gr-0/0/0 unit 0 family inet address 10.0.0.2/30
set interfaces st0 unit 10 family inet address 172.16.30.2/30
set interfaces ge-0/0/0 unit 0 family inet address 164.1.70.1/27
set interfaces ae1 unit 176 vlan-id 176
set interfaces ae1 unit 176 family inet address 10.170.179.252/22 vrrp-group 176 virtual-address 10.170.179.254
set interfaces ae1 unit 176 family inet address 10.170.179.252/22 vrrp-group 176 priority 200
set interfaces ae1 unit 176 family inet address 10.170.179.252/22 vrrp-group 176 preempt
set interfaces ae1 unit 176 family inet address 10.170.179.252/22 vrrp-group 176 accept-data

- TUNNELS

SRX340
set security ike policy IKE_Policy_LON1-MAN3 mode main
set security ike policy IKE_Policy_LON1-MAN3 proposal-set compatible
set security ike policy IKE_Policy_LON1-MAN3 pre-shared-key ascii-text "kdkdjirinfieijr - Any Encrypted Pass"
set security ike gateway IKE_GW_LON1-MAN3 ike-policy IKE_Policy_LON1-MAN3
set security ike gateway IKE_GW_LON1-MAN3 address 164.1.70.1
set security ike gateway IKE_GW_LON1-MAN3 dead-peer-detection always-send
set security ike gateway IKE_GW_LON1-MAN3 local-identity inet 89.1.1.213
set security ike gateway IKE_GW_LON1-MAN3 external-interface ge-0/0/0
set security ike gateway IKE_GW_LON1-MAN3 general-ikeid
set security ipsec policy IPSEC_Policy_LHR-MAN3 perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_Policy_LHR-MAN3 proposal-set compatible
set security ipsec vpn IPSEC_VPN_LHR-MAN3 bind-interface st0.30
set security ipsec vpn IPSEC_VPN_LHR-MAN3 ike gateway IKE_GW_LON1-MAN3
set security ipsec vpn IPSEC_VPN_LHR-MAN3 ike ipsec-policy IPSEC_Policy_LHR-MAN3
set security ipsec vpn IPSEC_VPN_LHR-MAN3 establish-tunnels immediately

SRX1500
set security ike policy IKE_Policy_LON1-MAN3 mode main
set security ike policy IKE_Policy_LON1-MAN3 proposal-set compatible
set security ike policy IKE_Policy_LON1-MAN3 pre-shared-key ascii-text "kdkdjirinfieijr - Any Encrypted Pass"
set security ike gateway IKE_GW_LON1-MAN3 ike-policy IKE_Policy_LON1-MAN3
set security ike gateway IKE_GW_LON1-MAN3 address 89.1.1.213
set security ike gateway IKE_GW_LON1-MAN3 dead-peer-detection always-send
set security ike gateway IKE_GW_LON1-MAN3 local-identity inet 164.1.70.1
set security ike gateway IKE_GW_LON1-MAN3 external-interface ge-0/0/0
set security ike gateway IKE_GW_LON1-MAN3 general-ikeid
set security ipsec policy IPSEC_Policy_LHR-MAN3 perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_Policy_LHR-MAN3 proposal-set compatible
set security ipsec vpn IPSEC_VPN_LHR-MAN3 bind-interface st0.10
set security ipsec vpn IPSEC_VPN_LHR-MAN3 ike gateway IKE_GW_LON1-MAN3
set security ipsec vpn IPSEC_VPN_LHR-MAN3 ike ipsec-policy IPSEC_Policy_LHR-MAN3
set security ipsec vpn IPSEC_VPN_LHR-MAN3 establish-tunnels immediately

- TSHOOT

I can ping from gr-0/0/0 to the remote gr-0/0/0.
All interfaces are in the up/up state.
I cannot see any traffic being denied by the security policies. I'm logging denied traffic and can't see anything being denied from the remote ends.
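As an added example (not part of the original post), here is a small Python check a practitioner could run over both posted configs: it lists every interface that a static route uses as next-hop, or that is a GRE/st0 tunnel unit, and that is not a member of any security zone, since an SRX does not forward transit traffic on an interface outside every zone. The sample lines are the relevant routing, zone and tunnel-unit lines copied from the post; the rule, regexes and function names are this example's own.

```python
"""Zone-membership check over Junos 'set' lines (added example, not from the post).
Rule: every interface used as a static-route next-hop or as a GRE/st0 tunnel unit
must belong to a security zone; an SRX drops transit traffic on a zoneless interface."""
import re

ROUTE_RE = re.compile(r"^set routing-options static route \S+ next-hop (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone \S+ interfaces (\S+)$")
TUNNEL_RE = re.compile(r"^set interfaces (gr-\S+|st0) unit (\d+) ")
IFACE_RE = re.compile(r"^[a-z][\w-]*(?:/\d+)*\.\d+$")  # st0.30, gr-0/0/0.0; not an IP

def zoned_interfaces(lines):
    """Every interface assigned to any security zone."""
    return {m.group(1) for m in map(ZONE_IF_RE.match, lines) if m}

def referenced_interfaces(lines):
    """Interfaces expected to carry transit traffic: route next-hops and tunnel units."""
    refs = set()
    for line in lines:
        m = ROUTE_RE.match(line)
        if m and IFACE_RE.match(m.group(1)):  # skip IP-address next-hops
            refs.add(m.group(1))
        m = TUNNEL_RE.match(line)
        if m:
            refs.add(f"{m.group(1)}.{m.group(2)}")
    return refs

def zoneless_interfaces(config):
    """Sorted list of referenced interfaces that appear in no zone."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    return sorted(referenced_interfaces(lines) - zoned_interfaces(lines))

# Subset of the SRX340 config from the post (routes, zone members, tunnel units).
SRX340 = """
set routing-options static route 10.0.0.2/32 next-hop st0.30
set routing-options static route 10.170.176.0/22 next-hop gr-0/0/0.0
set security zones security-zone INTERNET interfaces st0.30
set security zones security-zone LAN interfaces irb.10
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.30.1
set interfaces st0 unit 30 family inet address 172.16.30.1/30
"""
# Same subset for the SRX1500, whose INTERNET zone does list gr-0/0/0.0.
SRX1500 = """
set routing-options static route 10.0.0.1/32 next-hop st0.10
set routing-options static route 10.171.128.0/24 next-hop gr-0/0/0.0
set security zones security-zone INTERNET interfaces gr-0/0/0.0
set security zones security-zone INTERNET interfaces st0.10
set security zones security-zone LAN interfaces ae1.176
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.30.2
set interfaces st0 unit 10 family inet address 172.16.30.2/30
"""
```

Run `zoneless_interfaces(SRX340)` and `zoneless_interfaces(SRX1500)` against a full `show configuration | display set` dump to get the same report for a live device.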
