On Sun, Sep 27 2015 at 42:13, Alexandre Westfahl wrote:
> Hi,
Hello,

> 
> I have trouble configuring ipsec with my sokeris 6501 (OBSD 5.7) with a
> carrier router (Juniper).
> SA seems to work well, I see packets going out on em0 and also see them on
> enc0. However, the other side said nothing come but they also see SA
> working and can see traffic going out.
> 
> There may be explanation for this situation:
> 
>    - I have another IPSEC tunnel on same public IP (both on em0/enc0)
>    - the carrier IPs seems to be on same network so OBSD may be lost with it
> 
> 
> *network*
> dmz network (DDD.EEE.FFF.0/28)  <--(AAA.BBB.CCC.192)-->Internet<--(
> GGG.HHH.III.150)--> .... server (GGG.HHH.III.149)
If you don't want to show your real address, at least use real numbers.

> *ipsec.conf:*
> # working ipsec tunnel
> ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to
> 192.168.1.0/24 \
> local AAA.BBB.CCC.192 \
> main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
> quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
> srcid "gtfwpo192" dstid "pojimusho169" \
> psk secret
> 
> # carrier ipsec (not working)
> ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
> local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
> main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
> quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
> srcid "AAA.BBB.CCC.192"   dstid "GGG.HHH.III.150" \
> psk secret2
src and dst ids are not needed.

> I tried to enable or disable PF and use super permissive rules but nothing
> change.
> 
> Do you have some ideas on what it could be?
When debugging ipsec, it is really easy to turn on ike packet capture
unencrypted and then analyse the packets with tcpdump.

See isakmpd -L or 'p=on' on the fifo file.
By default the capture file is located in /var/run/isakmpd.pcap

I usually type tcpdump -nevvs 1550 -r /var/run/isakmpd.pcap |less
to check what's wrong.

With ScreenOS software (not JunOS like you, but they should be similar)
the "encryption domain" is usually set to 0/0 and the OS manages routes
to determine what to send to the tunnel. This will not work with your
configuration and the network/sys admin on the other side needs to do
some adjustments.  Do you have the configuration of the other side?

Good luck with troubleshooting.

Claer
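An added helper script, not from this thread, that wraps the capture toggle and tcpdump step Claer describes and then summarises whether IKE packets are only leaving the box or also arriving, which is the symptom in the original question. The FIFO and pcap paths are the defaults named in the reply, and the addresses in the sample tcpdump lines are constructed.

```shell
#!/bin/sh
# Added example; isakmpd FIFO/pcap paths are OpenBSD defaults (assumed),
# the sample addresses below are constructed.
ISAKMPD_FIFO=${ISAKMPD_FIFO:-/var/run/isakmpd.fifo}
ISAKMPD_PCAP=${ISAKMPD_PCAP:-/var/run/isakmpd.pcap}

# Turn isakmpd's unencrypted IKE capture on or off via its control FIFO.
isakmpd_capture() {
  case "$1" in on|off) ;; *) echo "usage: isakmpd_capture on|off" >&2; return 2 ;; esac
  [ -w "$ISAKMPD_FIFO" ] || { echo "$ISAKMPD_FIFO not writable; is isakmpd running?" >&2; return 1; }
  printf 'p=%s\n' "$1" > "$ISAKMPD_FIFO"
}

# Count ISAKMP packets leaving vs. arriving at our address in tcpdump -n
# output (lines contain "a.b.c.d.500 > e.f.g.h.500: isakmp ...").
# "out>0 in=0" is the "we send, they never answer" pattern from the thread.
isakmp_direction_summary() {
  awk -v me="$1" '
    /isakmp/ {
      for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
      sub(/\.[0-9]+$/, "", src)     # strip source port
      sub(/\.[0-9]+:$/, "", dst)    # strip destination port and colon
      if (src == me) out++; else if (dst == me) inb++
    }
    END { printf "out=%d in=%d\n", out + 0, inb + 0 }'
}

# Read the live capture file and summarise it for one peer: local IP, peer IP.
isakmp_peer_check() {
  tcpdump -n -r "$ISAKMPD_PCAP" "host $2" 2>/dev/null | isakmp_direction_summary "$1"
}

# Constructed sample of tcpdump -n output: two phase 1 attempts, no reply.
SAMPLE_LINES='12:00:01.000000 203.0.113.192.500 > 198.51.100.150.500: isakmp v1.0 exchange ID_PROT
12:00:11.000000 203.0.113.192.500 > 198.51.100.150.500: isakmp v1.0 exchange ID_PROT'

printf '%s\n' "$SAMPLE_LINES" | isakmp_direction_summary 203.0.113.192   # out=2 in=0
```

On a live system, run `isakmpd_capture on`, wait for a few retransmits, then `isakmp_peer_check <local-ip> <peer-ip>`.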
