Re: [j-nsp] VPN tunnel between OpenSwan and SRX220

2013-08-18 Thread Ben Dale
Hi Laurent.

Is your ultimate goal to get the GRE running over IPSEC, or just a vanilla 
IPSEC tunnel?  Your configuration will need to change either way:

If you want GRE over IPSEC:

You need to remove the /32 on the st0.0 interface and the Openswan 
rightsourceip and make them a contiguous subnet eg:
172.31.254.41/30 on the Juniper side
172.31.254.42/30 on the Openswan side

Now adjust your GRE configuration to use these addresses for source and 
destination on both ends
Now adjust your remote proxy-id on the SRX and leftsubnet on Openswan to match 
(just the IPs, leave the mask as /32).

The logic behind this is that you will only encrypt traffic between 
172.31.254.41/32 and 172.31.254.42/32 which will be your GRE tunnelled traffic 
(all other traffic will be wrapped up inside this GRE).  

As an aside - the last time I checked, the SRX seemed to only use the Proxy-ID 
to negotiate the tunnel and then promptly ignored it and allowed you to send 
and receive whatever traffic your routes and policy allowed.

If you're just trying to do vanilla IPSEC tunnels:

Again, change the /32s on the st0.0 and Openswan rightsourceip:
172.31.254.41/30 on the Juniper side (or leave it unnumbered)
172.31.254.42/30 on the Openswan side

Now on the SRX change your proxy-id local to 192.168.123.0/24 and remote to 
whatever is sitting behind the Openswan box (eg: leftsubnet)
On Openswan, change the right-subnet to 192.168.123.0/24 and left-subnet to 
whatever you're trying to tunnel across (or leave it as-is if it's just this 
host, or you're source-natting)

Once you've got this in place and st0.0 comes up, you'll just need to point 
static routes on the SRX side to st0.0 or the Openswan next-hop (172.31.254.42) 
and vice-versa.

If it's still not working, send through the output of:

show security ipsec security-associations

Cheers,

Ben

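As an added example (not code from this thread, Juniper or Openswan), a small Python checker that encodes the rules Ben lays out above: proxy-IDs that mirror each other, a route to the peer tunnel address over st0.0, and GRE endpoints inside the proxy-IDs when GRE rides over IPsec. It is run over the tunnel-relevant lines of Laurent's posted configs, over the /30 tunnel plus /32 proxy-ID layout Ben describes, and over a vanilla LAN-to-LAN layout with the GRE left in place; it takes Openswan's leftsourceip as that box's tunnel address, and 10.10.10.0/24 is a made-up stand-in for the LAN behind the Openswan box.

```python
"""Added example: a two-ended consistency check for a route-based SRX <-> Openswan
tunnel, encoding the rules from Ben Dale's reply and run over the configs in this thread."""
import ipaddress
import re

SRX_PATTERNS = {
    "st0": r"set interfaces st0 unit 0 family inet address (\S+)",
    "gre_source": r"set interfaces gr-\S+ unit \d+ tunnel source (\S+)",
    "gre_destination": r"set interfaces gr-\S+ unit \d+ tunnel destination (\S+)",
    "proxy_local": r"set security ipsec vpn \S+ ike proxy-identity local (\S+)",
    "proxy_remote": r"set security ipsec vpn \S+ ike proxy-identity remote (\S+)",
    "static": r"set routing-options static route (\S+) next-hop st0\.0$",
}
TO_OBJ = {"st0": ipaddress.ip_interface, "gre_source": ipaddress.ip_address,
          "gre_destination": ipaddress.ip_address}  # everything else is a prefix

def parse_srx(text):
    """Pull the tunnel-relevant facts out of Junos 'set' lines."""
    cfg = {"static": []}  # prefixes statically routed via st0.0
    for line in text.splitlines():
        for key, pat in SRX_PATTERNS.items():
            m = re.match(pat, line.strip())
            if m and key == "static":
                cfg["static"].append(ipaddress.ip_network(m.group(1)))
            elif m:
                cfg[key] = TO_OBJ.get(key, ipaddress.ip_network)(m.group(1))
    return cfg

def parse_openswan(text):
    """Read the key=value lines of one ipsec.conf conn block."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def check_tunnel(srx, conn):
    """Return the list of mismatches; an empty list means both ends agree."""
    problems = []
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    peer = ipaddress.ip_address(conn["leftsourceip"])  # Openswan's tunnel address
    # Rule 1: proxy-IDs mirror each other (SRX local == Openswan rightsubnet, and vice versa)
    if srx["proxy_local"] != right:
        problems.append(f"proxy-id local {srx['proxy_local']} != rightsubnet {right}")
    if srx["proxy_remote"] != left:
        problems.append(f"proxy-id remote {srx['proxy_remote']} != leftsubnet {left}")
    # Rule 2: the peer tunnel address is on-link (the /30) or statically routed via st0.0
    if peer not in srx["st0"].network and not any(peer in r for r in srx["static"]):
        problems.append(f"no route to peer tunnel address {peer} via st0.0")
    # Rule 3: with GRE over IPsec, both GRE endpoints must sit inside the proxy-IDs
    for end, sel in (("gre_source", "proxy_local"), ("gre_destination", "proxy_remote")):
        if end in srx and srx[end] not in srx[sel]:
            problems.append(f"{end} {srx[end]} outside {sel} {srx[sel]}")
    return problems

# Tunnel-relevant lines from the original post (SRX side, then the Openswan conn)
SRX_POSTED = """set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.27
set interfaces st0 unit 0 family inet address 172.31.254.41/32
set routing-options static route 172.31.254.27/32 next-hop st0.0
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32"""
CONN_POSTED = "leftsubnet=172.31.254.27/32\nleftsourceip=172.31.254.27\nrightsubnet=172.31.254.41/32"
# Ben's GRE-over-IPsec layout: /30 tunnel addresses, /32 proxy-IDs on the GRE endpoints
SRX_GRE = """set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.42
set interfaces st0 unit 0 family inet address 172.31.254.41/30
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.42/32"""
CONN_GRE = "leftsubnet=172.31.254.42/32\nleftsourceip=172.31.254.42\nrightsubnet=172.31.254.41/32"
# Vanilla LAN-to-LAN proxy-IDs with the GRE left in place (10.10.10.0/24 is a made-up remote LAN)
SRX_VANILLA = SRX_GRE.replace("172.31.254.41/32", "192.168.123.0/24").replace("172.31.254.42/32", "10.10.10.0/24")
CONN_VANILLA = "leftsubnet=10.10.10.0/24\nleftsourceip=172.31.254.42\nrightsubnet=192.168.123.0/24"
if __name__ == "__main__":
    for name, s, c in (("posted", SRX_POSTED, CONN_POSTED), ("gre", SRX_GRE, CONN_GRE),
                       ("vanilla", SRX_VANILLA, CONN_VANILLA)):
        print(name, check_tunnel(parse_srx(s), parse_openswan(c)) or "consistent")
```

The posted config and Ben's GRE layout both come back clean; the vanilla layout reports both GRE endpoints outside the proxy-IDs, which is exactly why Ben keeps the /32 proxy-IDs on the GRE endpoints in the GRE-over-IPsec case.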

Re: [j-nsp] VPN tunnel between OpenSwan and SRX220

2013-08-18 Thread Phil Fagan
Any resolve?

Re: [j-nsp] VPN tunnel between OpenSwan and SRX220

2013-08-07 Thread Phil Fagan
try turning up your IKE debug on the SRX to help expose more:

>request security ike debug-enable local  remote  level 15



Re: [j-nsp] VPN tunnel between OpenSwan and SRX220

2013-08-06 Thread Luca Salvatore
That's a confusing config.
Why do you need GRE interfaces?

I have numerous VPNs running between SRX boxes and OpenSwan. I use policy-based 
VPNs all the time; they seem to work better with OpenSwan.
Maybe give that a try.


[j-nsp] VPN tunnel between OpenSwan and SRX220

2013-08-06 Thread Laurent CARON

Hi,

I'm trying to establish a VPN tunnel between an SRX220 and an OpenSwan box.

SRX is:
Model: srx220h
JUNOS Software Release [12.1X44-D20.3]

OpenSwan: 2.6.37

Both are currently hooked on a test LAN.

192.168.0.18 = openswan box on lan
192.168.0.120 = juniper box on lan

172.31.254.41 = ipsec on juniper box
172.31.254.27 = ipsec on openswan box

172.31.255.27 = loopback on juniper box

Not relevant for now:
10.254.2.33 = gre tunnel on openswan side
10.254.2.34 = gre tunnel on juniper side

Here is the config on the Juniper side:

set interfaces ge-0/0/0 mtu 1514
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.120/24

set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.27
set interfaces gr-0/0/0 unit 0 family inet address 10.254.2.34/32

set interfaces lo0 unit 0 family inet address 172.31.255.41/32

set interfaces st0 unit 0 family inet address 172.31.254.41/32

set interfaces vlan unit 0 family inet address 192.168.123.1/24

set routing-options static route 172.31.254.27/32 next-hop st0.0

set security ike traceoptions file vpn-debug-ike
set security ike traceoptions flag all

set security ike proposal ike_aes_128 authentication-method pre-shared-keys

set security ike proposal ike_aes_128 dh-group group2
set security ike proposal ike_aes_128 authentication-algorithm sha1
set security ike proposal ike_aes_128 encryption-algorithm 3des-cbc
set security ike proposal ike_aes_128 lifetime-seconds 3600

set security ike policy phase1_aes_128 mode main
set security ike policy phase1_aes_128 proposals ike_aes_128
set security ike policy phase1_aes_128 pre-shared-key ascii-text "pwd"

set security ike gateway RTR-SIEGE-001 ike-policy phase1_aes_128
set security ike gateway RTR-SIEGE-001 address 192.168.0.18
set security ike gateway RTR-SIEGE-001 no-nat-traversal
set security ike gateway RTR-SIEGE-001 external-interface ge-0/0/0.0

set security ipsec proposal ipsec_aes_128 protocol esp
set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96

set security ipsec proposal ipsec_aes_128 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_aes_128 lifetime-seconds 3600

set security ipsec policy phase2_aes_128 proposals ipsec_aes_128

set security ipsec vpn VPN_TO_SIEGE-001 bind-interface st0.0
set security ipsec vpn VPN_TO_SIEGE-001 ike gateway RTR-SIEGE-001
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32

set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity service any
set security ipsec vpn VPN_TO_SIEGE-001 ike ipsec-policy phase2_aes_128
set security ipsec vpn VPN_TO_SIEGE-001 establish-tunnels immediately

set security flow traceoptions file vpn-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops

set security flow tcp-mss ipsec-vpn mss 1412


Here is the config on the OpenSwan side:

conn rtr-siege-001_TO_jun-noi-001
    left=192.168.0.18
    leftsubnet=172.31.254.27/32
    leftsourceip=172.31.254.27
    right=192.168.0.120
    rightsubnet=172.31.254.41/32
    rightsourceip=172.31.254.41
    ike=3des-sha1
    auth=esp
    keyingtries=0
    keyexchange=ike
    authby=secret
    compress=no
    auto=start
    pfs=no
    mtu=1412

The connection establishes fine but drops 10 seconds after and is 
renegotiated, then drops again, endlessly.


I do have those logs on the openswan side:
Aug  6 17:42:42 rtr-siege-001 pluto[28569]: added connection description "rtr-siege-001_TO_jun-noi-001"
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: initiating Main Mode
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: received Vendor ID payload [Dead Peer Detection]
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c600050500]
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I2: sent MI2, expecting MR2
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I3: sent MI3, expecting MR3
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_