Before you start reading this I should clarify that I'm not a Juniper expert, but I'm pretty decent at most network stuff and I am pretty familiar with IPsec and have set up a large number of tunnels on Linux and other firewalls (Watchguard, Sophos UTM etc).
We have a client we deployed an SRX300 to for an office environment on a 100/100 connection.
They have an Azure Active Directory Domain Services configuration and after some research I configured an IPsec connection from the Juniper SRX to an Azure Virtual Network Gateway.
I based my configuration on the SRX route based example here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable
I enabled VPN Monitor functionality which was described as monitoring the connection (when it did not detect traffic) for drops and re-establishing/re-keying.
Here is where the tifu comes in.
I assumed VPN Monitor was a smarter Dead Peer Detection replacement; it is not.
DPD operates on IKE (Phase 1): it detects a peer that has stopped responding and tears down and re-establishes the IKE SA as required.
VPN Monitor does a similar job more intelligently, by sending ICMP probes through the tunnel, but it operates only on the IPsec SA (Phase 2). It does not replace DPD, so you still need DPD enabled on the IKE gateway as well.
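To make the distinction concrete, here is what both mechanisms look like on an SRX, set-style. This is an added example, not the configuration from my deployment or from the Microsoft device guide: the gateway name (AZURE-GW), VPN name (AZURE-VPN), the Azure gateway public IP (203.0.113.10), the probe target inside the Azure VNet (10.1.0.4) and the tunnel interface (st0.0) are all assumed placeholders, and the `#` lines are annotations rather than commands.

```junos
# --- Phase 1: Dead Peer Detection on the IKE gateway ---
# DPD is configured under the IKE gateway, so it watches the IKE SA.
# "always-send" sends probes regardless of traffic; interval 10 seconds,
# threshold 3 missed replies before the peer is declared dead and the
# IKE SA (and its child IPsec SAs) is torn down and rebuilt.
set security ike gateway AZURE-GW address 203.0.113.10
set security ike gateway AZURE-GW external-interface ge-0/0/0.0
set security ike gateway AZURE-GW version v2-only
set security ike gateway AZURE-GW dead-peer-detection always-send
set security ike gateway AZURE-GW dead-peer-detection interval 10
set security ike gateway AZURE-GW dead-peer-detection threshold 3

# --- Phase 2: VPN Monitor on the IPsec VPN ---
# VPN Monitor is configured under the IPsec VPN, so it only watches the
# IPsec SA. It sends ICMP echo requests from the tunnel interface to a
# host on the far side; "optimized" only probes when there is no
# outbound traffic on the tunnel. If the probes fail, only the IPsec SA
# is torn down; nothing here touches the IKE SA.
set security ipsec vpn AZURE-VPN bind-interface st0.0
set security ipsec vpn AZURE-VPN ike gateway AZURE-GW
set security ipsec vpn AZURE-VPN vpn-monitor optimized
set security ipsec vpn AZURE-VPN vpn-monitor source-interface st0.0
set security ipsec vpn AZURE-VPN vpn-monitor destination-ip 10.1.0.4
set security ipsec vpn AZURE-VPN establish-tunnels immediately
```

Two things to check after committing: `show security ike security-associations` should show the IKE SA up with the DPD settings in effect, and `show security ipsec security-associations` should show the IPsec SA with the monitor state. The probe target for VPN Monitor needs to be something inside the VNet that actually answers ICMP; the Azure gateway itself is not a reliable target for that, so in this example a VM address is assumed.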
It took me about 8-10 hours of testing other things, checking Azure, etc. to figure it out.
Hopefully this helps someone else avoid this particular pain.