On 27-Sep 14:42, Alexandre Westfahl wrote:
Hi,
I have trouble configuring IPsec on my Soekris 6501 (OpenBSD 5.7) with a
carrier router (Juniper).
The SA seems to work well: I see packets going out on em0 and also see them on
enc0. However, the other side says nothing comes in, but they also see the SA
working and can see traffic going out.
There may be an explanation for this situation:
- I have another IPsec tunnel on the same public IP (both on em0/enc0)
- the carrier IPs seem to be on the same network, so OpenBSD may get lost with it
*network*
dmz network (DDD.EEE.FFF.0/28) <--(AAA.BBB.CCC.192)--> Internet <--(GGG.HHH.III.150)--> .... server (GGG.HHH.III.149)
*ipsec.conf:*
# working ipsec tunnel
ike passive esp from { 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24 } to
192.168.1.0/24 \
local AAA.BBB.CCC.192 \
main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
srcid "gtfwpo192" dstid "pojimusho169" \
psk secret
# carrier ipsec (not working)
ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
srcid "AAA.BBB.CCC.192" dstid "GGG.HHH.III.150" \
psk secret2
Hi Alex.
That looks overly complex. Try simplifying it first (the OpenBSD config
is so easy!):
ike esp from <source network> to { <destination network/s> } \
peer <peer address> \
psk secret
However! On the Juniper, many things are needed: an IKE policy and
gateway, an IPsec proposal, a policy and a VPN.
Please excuse my indentation and inline comments.
ike policy alex {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text secret;
}
ike gateway alex {
    ike-policy alex;            # (the above policy name)
    address <peer address>;
    external-interface ....;    <- this will be ge-0/0/x but NOT a sub-interface
                                   - always the root. I happen to be using one over a GRE
                                   tunnel through NAT so I have dead-peer-detection running as well
}
ipsec proposal phase2-alex {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-128-cbc;
}
ipsec policy phase2-alex {      (you can get away with the same name)
    proposals phase2-alex;
}
ipsec vpn alex {
    ike {
        gateway alex;
        ipsec-policy phase2-alex;
    }
    establish-tunnels immediately;
}
But wait! There's more!
You will also need policies on the SRX to apply security associations.
Let's assume that the SRX local network is trust, and your VPN runs
across the untrust zone. Zone names are arbitrary.
edit security policies from-zone trust to-zone untrust
policy alex-local-to-vpn {
    match {
        source-address local-ips;         <---- you will need address book entries for these
        destination-address remote-ips;   <---- more address book entries
        application [ allowed-application-sets or any ];
    }
    then {
        permit {
            tunnel {
                ipsec-vpn alex;
                pair-policy alex-vpn-to-local;   <---- this is the same policy in
                                                       reverse. Yep, enter it twice.
            }
        }
    }
}
I actually have these deployed. It does work.
Regards,
Graeme
I tried to enable or disable PF and use super permissive rules, but nothing
changed.
Do you have some ideas on what it could be?
Thanks in advance!
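Added example, not part of the thread: a small Python check for the two hypotheses Alexandre raises above, flows from two tunnels on the same public IP colliding, and the carrier's peer/destination addresses sitting on the same network. It parses only the `ike ... from X to Y [local L] [peer P]` subset of ipsec.conf(5) syntax the thread uses, and the sample configuration is constructed from the two rules above with RFC 5737 documentation addresses in place of the redacted AAA.BBB.CCC-style ones; the third rule in BAD_CONF is invented to show what a collision looks like.

```python
"""Check an ipsec.conf(5) rule set for flow overlaps and peers inside tunneled nets.

Added example for the thread above; it is not OpenBSD's own tooling and only
understands the 'ike ... from X to Y [local L] [peer P]' subset of the syntax.
"""
import ipaddress
import re
from itertools import combinations, product

# Constructed from the thread; 203.0.113.192 stands in for AAA.BBB.CCC.192,
# 198.51.100.0/28 for DDD.EEE.FFF.0/28 and 192.0.2.149/.150 for GGG.HHH.III.149/.150.
SAMPLE_CONF = r"""
# working ipsec tunnel
ike passive esp from { 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24 } to 192.168.1.0/24 \
    local 203.0.113.192 \
    main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
    quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
    srcid "gtfwpo192" dstid "pojimusho169" \
    psk secret
# carrier ipsec
ike esp from 198.51.100.0/28 to 192.0.2.149/32 \
    local 203.0.113.192 peer 192.0.2.150 \
    main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
    quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
    srcid "203.0.113.192" dstid "192.0.2.150" \
    psk secret2
"""

# Invented third rule whose flow swallows the carrier flow and whose peer
# (and the carrier's peer) sit inside a destination network being tunneled.
BAD_CONF = SAMPLE_CONF + r"""
ike esp from 198.51.100.0/24 to 192.0.2.0/24 local 203.0.113.192 peer 192.0.2.1 psk x
"""

_LIST = r"(\{[^}]*\}|\S+)"
_FROM_TO = re.compile(r"\bfrom\s+" + _LIST + r"\s+to\s+" + _LIST)
_PEER = re.compile(r"\bpeer\s+(\S+)")
_LOCAL = re.compile(r"\blocal\s+(\S+)")


def _nets(token):
    """Expand '{ a, b }' or 'a' into ip_network objects ('any' => 0.0.0.0/0)."""
    items = token.strip("{}").replace(",", " ").split()
    return [ipaddress.ip_network("0.0.0.0/0" if i == "any" else i, strict=False)
            for i in items]


def parse_rules(text):
    """Join backslash-continued lines and extract flows, local and peer per ike rule."""
    joined = re.sub(r"\\\n\s*", " ", text)
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("ike"):
            continue
        ft = _FROM_TO.search(line)
        if not ft:
            continue
        peer = _PEER.search(line)
        local = _LOCAL.search(line)
        rules.append({
            "line": line,
            # every src/dst pair becomes one kernel flow
            "flows": list(product(_nets(ft.group(1)), _nets(ft.group(2)))),
            # no peer (e.g. a passive rule) means "any"
            "peer": ipaddress.ip_address(peer.group(1)) if peer else None,
            "local": ipaddress.ip_address(local.group(1)) if local else None,
        })
    return rules


def check_conf(text):
    """Return findings as tuples: ('overlap', i, j, flow_i, flow_j) when two rules
    would install flows covering the same src/dst traffic, and
    ('peer-inside-flow', i, peer, flow) when a rule's IKE/ESP peer address lies
    inside a destination network that some rule tunnels."""
    rules = parse_rules(text)
    findings = []
    for (i, a), (j, b) in combinations(enumerate(rules), 2):
        for (sa, da), (sb, db) in product(a["flows"], b["flows"]):
            if sa.overlaps(sb) and da.overlaps(db):
                findings.append(("overlap", i, j, f"{sa}->{da}", f"{sb}->{db}"))
    all_flows = [f for r in rules for f in r["flows"]]
    for i, r in enumerate(rules):
        if r["peer"] is None:
            continue
        for s, d in all_flows:
            if r["peer"] in d:
                findings.append(("peer-inside-flow", i, str(r["peer"]), f"{s}->{d}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("SAMPLE_CONF", SAMPLE_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, "->", check_conf(conf) or "no findings")
```

On the constructed copy of the thread's configuration the check reports nothing: the three 192.168.x flows and the 198.51.100.0/28 -> 192.0.2.149/32 flow do not overlap, and the peer .150 is outside the /32 being tunneled. BAD_CONF shows the two things worth ruling out before looking at the Juniper side: two rules that would install overlapping flows compete for the same traffic in the kernel's flow table, and a peer address inside a tunneled destination network means the IKE and ESP packets to that peer would themselves match a flow.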