SRX NAT-T Issues



  • I’m seeing an issue with a site-to-site VPN through NAT.

    P1 and P2 negotiate fine, but the negotiated ports don’t match:

    root@FW-SRX240> show security ipsec security-associations
      Total active tunnels: 1
      ID    Gateway          Port  Algorithm      SPI      Life:sec/kb  Mon vsys
      <131073 xx.x.xxx.xxx  32652 ESP:aes-128/sha1 cd780d82 28795/unlim  -  root
      >131073 xx.x.xxx.xxx  32652 ESP:aes-128/sha1 dd980131 28795/unlim  -  root

    fwadmin@srx100> show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm      SPI      Life:sec/kb  Mon vsys Port  Gateway 
      <131073 ESP:aes-128/sha1 719ec4e3 28732/unlim U  root 4500  194.83.179.146 
      >131073 ESP:aes-128/sha1 f8ad5a16 28732/unlim U  root 4500  194.83.179.146

    I can see both ends encrypt traffic to the destination, yet not decrypt, e.g. :

    root@FW-SRX240> show security ipsec statistics
    ESP Statistics:
      Encrypted bytes:            2776
      Decrypted bytes:                0
      Encrypted packets:            19
      Decrypted packets:              0
    AH Statistics:
      Input bytes:                    0
      Output bytes:                  0
      Input packets:                  0
      Output packets:                0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

    This is the SRX 100 end, (the dynamic and NAT’d side):

    fwadmin@SRX100> show configuration security ike
    proposal PSK-G2-AES128-SHA1 {
        description "IKE proposal Pre-shared-key Group 2 AES-128 SHA-1";
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy IKE-Policy {
        mode aggressive;
        description "IKE Policy";
        proposals PSK-G2-AES128-SHA1;
        pre-shared-key ascii-text "$9$VhbgaGDkqP5GDCtOBSy24aUk.TQn"; ## SECRET-DATA
    }
    gateway IKE-Gateway-XXX {
        ike-policy IKE-Policy;
        address xxx.xx.xxx.xxx;
        local-identity user-at-hostname "xxxxxx@nptremote";
        external-interface fe-0/0/0.0;
    }

    fwadmin@SRX100> show configuration security ipsec
    proposal ESP-AES128-SHA1 {
        description "IPSEC proposal ESP AES-128 SHA-1";
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy IPSEC-Policy {
        description "IPSEC Policy for VPN";
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ESP-AES128-SHA1;
    }
    vpn IPSEC_VPN {
        bind-interface st0.0;
        vpn-monitor {
            optimized;
            source-interface vlan.50;
            destination-ip 10.10.20.2;
        }
        ike {
            gateway IKE-Gateway-NPT;
            ipsec-policy IPSEC-Policy;
        }
        establish-tunnels immediately;
    }

    fwadmin@SRX100> show configuration security zones security-zone VPN
    tcp-rst;
    address-book {
        address NET_10.0.0.0/8 {
            description "Internal Addresses";
            10.0.0.0/8;
        }
        address NET_172.16.0.0/12 {
            description "Internal Addresses";
            172.16.0.0/12;
        }
        address NET_192.168.0.0/16 {
            description "Internal Addresses";
            192.168.0.0/16;
        }
        address-set RFC_1918 {
            address NET_10.0.0.0/8;
            address NET_172.16.0.0/12;
            address NET_192.168.0.0/16;
        }
    }
    host-inbound-traffic {
        system-services {
            ssh;
            ping;
            all;
        }
    }
    interfaces {
        st0.0;
    }

    This is the SRX240 side, (fixed IP address/Hub Site):

    root@FW-SRX240> show configuration interfaces st0
    description "Tunnel interface to XXXXXXXX";
    unit 0 {
        family inet;
    }

    root@FW-SRX240> show configuration security ike
    proposal PSK-G2-AES128-SHA1 {
        description "IKE proposal Pre-shared-key Group 2 AES-128 SHA-1";
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy IKE-Policy {
        mode aggressive;
        description "IKE Policy";
        proposals PSK-G2-AES128-SHA1;
        pre-shared-key ascii-text "$9$mPzn9A0OIE9AM87NY2QFnC0Bhcl"; ## SECRET-DATA
    }
    gateway IKE-Gateway-XXXXX {
        ike-policy IKE-Policy;
        dynamic user-at-hostname "xxxxxx@nptremote";
        external-interface vlan.2;
    }

    root@FW-SRX240> show configuration security ipsec
    proposal ESP-AES128-SHA1 {
        description "IPSEC proposal ESP AES-128 SHA-1";
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy IPSEC-Policy {
        description "IPSEC Policy for VPN";
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ESP-AES128-SHA1;
    }
    vpn IPSEC_VPN_XXXXXX {
        bind-interface st0.0;
        ike {
            gateway IKE-Gateway-XXXXXX;
            ipsec-policy IPSEC-Policy;
        }
    }

    root@FW-SRX240> show configuration security zones security-zone NPT_VPNs
    host-inbound-traffic {
        system-services {
            traceroute;
            ping;
            ike;
        }
    }
    interfaces {
        st0.0;
    }

    If I remove the NAT router and change the external IP address on the SRX100 to an address in the same subnet as the SRX240, everything works fine, so I know that the base config is correct.

    So... what am I missing?
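As an added example (not from the thread, and not Juniper code): a small Python checker that reads the two `show security ipsec security-associations` tables and the `show security ipsec statistics` counters posted above and reports what each end sees. The sample strings are the outputs as posted, with the addresses as redacted there. The parser is header-driven because the SRX240 and SRX100 print the columns in a different order. With NAT-T (RFC 3948) the NAT'd peer sends from UDP 4500 but the NAT device in front of it may rewrite that source port, so the hub recording 32652 while the branch records 4500 is the normal asymmetric view; the checker reports it as informational and treats non-zero encrypted with zero decrypted packets as the finding to chase. It also cross-checks SPIs (inbound on one side should equal outbound on the other); the two posted captures show different remaining lifetimes, so they were taken at different moments and a SPI mismatch between them may be just capture timing.

```python
"""Cross-check NAT-T state from two SRX peers (added example, not from the thread)."""
import re

# Sample output copied from the two boxes in the thread (addresses as redacted there).
SRX240_SA = """\
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm      SPI      Life:sec/kb  Mon vsys
  <131073 xx.x.xxx.xxx  32652 ESP:aes-128/sha1 cd780d82 28795/unlim  -  root
  >131073 xx.x.xxx.xxx  32652 ESP:aes-128/sha1 dd980131 28795/unlim  -  root
"""
SRX100_SA = """\
  Total active tunnels: 1
  ID    Algorithm      SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:aes-128/sha1 719ec4e3 28732/unlim U  root 4500  194.83.179.146
  >131073 ESP:aes-128/sha1 f8ad5a16 28732/unlim U  root 4500  194.83.179.146
"""
SRX240_STATS = """\
ESP Statistics:
  Encrypted bytes:            2776
  Decrypted bytes:                0
  Encrypted packets:            19
  Decrypted packets:              0
"""

IKE_PORT, NAT_T_PORT = 500, 4500


def parse_sa_table(text):
    """Parse `show security ipsec security-associations` output.

    The SRX240 and SRX100 print the columns in a different order, so values
    are mapped by header name rather than by position.
    """
    header, rows = None, []
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "ID":
            header = cols
            continue
        if header is None or cols[0][0] not in "<>":
            continue  # "Total active tunnels: 1" and similar lines
        if len(cols) != len(header):
            raise ValueError(f"unexpected column count in: {line!r}")
        row = dict(zip(header, cols))
        row["Direction"] = "inbound" if cols[0][0] == "<" else "outbound"
        row["ID"] = cols[0][1:]
        row["Port"] = int(row["Port"])  # the peer's UDP port as this box sees it
        row["SPI"] = row["SPI"].lower()
        rows.append(row)
    return rows


_STAT_RE = re.compile(r"^\s*(Encrypted|Decrypted) (bytes|packets):\s+(\d+)\s*$", re.M)


def parse_esp_stats(text):
    """Pull the ESP counters out of `show security ipsec statistics`."""
    return {f"{k.lower()}_{u}": int(v) for k, u, v in _STAT_RE.findall(text)}


def _spis(rows, direction):
    return {r["SPI"] for r in rows if r["Direction"] == direction}


def analyse(local_sa_text, peer_sa_text, local_stats_text):
    """Compare one side ("local") against the other ("peer"); returns findings as a dict."""
    local = parse_sa_table(local_sa_text)
    peer = parse_sa_table(peer_sa_text)
    stats = parse_esp_stats(local_stats_text)

    peer_port_seen_here = sorted({r["Port"] for r in local})
    our_port_seen_by_peer = sorted({r["Port"] for r in peer})

    return {
        # Any port other than 500 on either side means NAT-T (UDP encapsulation) is in use.
        "nat_t_in_use": any(p != IKE_PORT for p in peer_port_seen_here + our_port_seen_by_peer),
        "peer_port_seen_here": peer_port_seen_here,
        "our_port_seen_by_peer": our_port_seen_by_peer,
        # A port that is neither 500 nor 4500 is the NAT device's translated source
        # port; the NAT'd side itself still sees its peer on 4500. Informational.
        "nat_translated_port": [p for p in peer_port_seen_here if p not in (IKE_PORT, NAT_T_PORT)],
        # Our inbound SPI should be the peer's outbound SPI and vice versa.
        "spis_cross_match": (_spis(local, "inbound") == _spis(peer, "outbound")
                             and _spis(local, "outbound") == _spis(peer, "inbound")),
        # Encrypting without ever decrypting: return ESP is not being received on this SA.
        "one_way_traffic": stats.get("encrypted_packets", 0) > 0
                           and stats.get("decrypted_packets", 0) == 0,
        "esp": stats,
    }


if __name__ == "__main__":
    for key, value in analyse(SRX240_SA, SRX100_SA, SRX240_STATS).items():
        print(f"{key:>24}: {value}")
```

Run it as-is to see the hub-side view; swap the arguments (`analyse(SRX100_SA, SRX240_SA, ...)` with the SRX100 statistics pasted in) for the branch-side view.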


  • Global Moderator

    It should work, I think; UDP 4500 is the active port, so NAT traversal. Did you try a trace on IKE? `set security ike traceoptions` etc.



  • Come on you beautiful people.

    One of you must know the error of my ways.  🙂

