
Re: Host-bound traffic on SRX340 chassis cluster


 wrote:

From the top of my head, you have configured a chassis cluster with switching but only with layer 3 fabric. To utilize switching in a cluster, you will also need separate interfaces for "switch fabric" (swfab0 + swfab1). That could be the reason for the behaviour you are seeing.


Hi Jonas,

 

Thank you so much for the hint, this has indeed solved the issue!

Spent the entire day trying to figure this out and feel a bit dumb now.

I hadn't found instructions on swfab in the manual when setting up the device. That has indeed resolved the issues!

 

Huge thanks to Pooja as well for the super helpful debugging instructions.


Re: Host-bound traffic on SRX340 chassis cluster


Thanks for letting us know Pascal!

 

Have a good one

Pooja

Self-teaching exercise VPN between SRX210 (JunOS 12.1) and Mikrotik CHR (RouterOS 6.45)


Hi SRX Services Gateway community. I am a relative newcomer in JunOS and would like to implement an IKEv2 IPSEC VPN between a legacy (Junos 12.1) SRX-210H-POE gateway, behind a NAT device, at home, dynamic public IP address and a Mikrotik (RouterOS 6.45) Cloud Hosted Router installed in a virtual machine, with a public fixed IP address. 

 

I just spent some days studying the July 2019 edition of IPsec VPN Feature Guide for Security Devices, and found it really detailed, but too much detail really. I am at this moment about to start reviewing DAY ONE: IPSEC VPN COOKBOOK 2018.

 

I am planning to try to implement the VPN from the SRX210 gateway (initiator) to the Mikrotik CHR (responder). What I found a bit confusing at first read is the requirement to specify the identity of the initiator to the responder. Any tips / general advice would be welcome.

 

From my friends at Mikrotik support they wrote (on the possibility that after the VPN is set up, GRE could be implemented):

 

This is somehow a tricky setup. The IPsec part is easy and possible, however it is not possible to establish GRE tunnel without knowing the remote address without some scripting. If JunOS supports mode config requesting as initiator, you can use this example:

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_GRE_tunnel_over_IPsec_.28IKEv2.29_using_DNS

The example is not yet updated to 6.45 version, but is working on 6.44.x versions, but the principle is the same. It is using IKEv2 also, but simply changing exchange-mode to main uses IKEv1.

If JunOS does not support mode config, you will have to use some RouterOS scripting to update remote address of the GRE interface.

Re: Self-teaching exercise VPN between SRX210 (JunOS 12.1) and Mikrotik CHR (RouterOS 6.45)


I should say, the above exercise is just for learning, and not production. Explanation: My project is in the process of planning a buy of current and future generation Juniper hardware, so at this point, before the project start, I am just experimenting, having had deep Cisco, Nortel Networks/Bay Networks and Mikrotik experience. I also tried to spin up a vSRX platform (nice product) and finally got frustrated with the setup issues and opted to find eBay items; $19 each, new-in-box ancient stock (a lot of them) SRX210H-POE for self-training, and guess what, the hardware really really works well, and the programming modes are beautiful for a 10 year old box (2010 vintage). But finally when I could install 12.1 instead of the stock 10.0, I had an issue: everything is fine, except J-Web is refusing connections. I can PuTTY in, I can serial into the box and get things done, but J-Web is kaput. Possibly due to: J-Web incorrect user password after Junos upgrade on SRX.

Regards to all. 

Re: Self-teaching exercise VPN between SRX210 (JunOS 12.1) and Mikrotik CHR (RouterOS 6.45)


Hi Shaque,

 

Can you elaborate more on this part: "What I found a bit confusing at first read is the requirement to specify the identity of the initiator to the responder."? Where are you reading that, or what part of the SRX configuration are you referring to?

 

I believe you might be referring to the following:

 

Find below a configuration example of a VPN between two SRXs where one of the SRXs has a dynamic IP address (like in your case).

 

See: https://www.fir3net.com/Firewalls/Juniper/srx-dyn.html

 

Example Topology in reference to the above article:

 

  Local_SRX-(Dyn IP)-----------INTERNET---------(Static IP)-Remote_SRX

 

In this case, the Remote_SRX can't be configured with the address of the Local_SRX because this last one has a dynamic address. Because of the same, we configure the Remote_SRX in the following way:

 

 

root@srx100> show configuration security ike gateway IKE-PEER-DYNAMIC
ike-policy IKE-POLICY-VPNRICH;
dynamic hostname fir3net.com;

 

 

With the above configuration we are telling the Remote_SRX that its peer has a dynamic address and that it will be identifying itself as fir3net.com.

 

We need to make sure that the Local_SRX identifies itself as fir3net.com when connecting to the Remote_SRX, and we do this with the following command:

 

 

root@srx100> show configuration security ike gateway IKE-PEER-STATIC
local-identity hostname fir3net.com;

 

 

These values we are hardcoding are known as IKE-IDs and are values that have to match if we want the VPN to be established. These values are used for the peers to "authenticate" between each other, and each device will have a Local IKE-ID and a Remote IKE-ID. You could understand them in the following way from the perspective of each device:

 

Local IKE-ID: this is how I will identify myself when communicating with the remote peer.

Remote IKE-ID: this is how I expect that my peer identifies himself when contacting me.

 

These values always have to match during the negotiation of the tunnel; however, we don't normally configure/hardcode them because by default the devices will use the following values as the IKE-IDs:

 

Local IKE-ID: the IP address of the device's external interface

Remote IKE-ID: the IP address of the remote peer

 

In a normal situation note that these values will match by using these default values, see this example topology:

 

SRXA-(1.1.1.1)------INTERNET-----(2.2.2.2)-SRXB

 

  • SRXA is configured with 1.1.1.1 on its external interface hence this value will be used as its Local IKE-ID. SRXA is also configured to establish a VPN communication against 2.2.2.2 hence this value will be used as the Remote IKE-ID.

 

  • SRXB is configured with 2.2.2.2 on its external interface hence this value will be used as its Local IKE-ID. SRXB is also configured to establish a VPN communication against 1.1.1.1 hence this value will be used as the Remote IKE-ID.

 

During the negotiation, SRXA identifies itself with its Local IKE-ID (1.1.1.1) and SRXB, because of its Remote IKE-ID, is expecting that its peer will be identifying itself as 1.1.1.1. At this point everything matches. SRXB will then identify itself as 2.2.2.2 (its Local IKE-ID) and SRXA will be expecting, because of its Remote IKE-ID, that SRXB identifies itself as 2.2.2.2. Again everything matches and we are good to go.

 

The problem in your case is that the address of one of the peers will be dynamically changing hence we cannot rely on the default values for the IKE-IDs (IP addresses) and because of this we manually configure them to fir3net.com, like in the configuration example, to play with fixed values and make sure they will match.

 

I haven't worked with Mikrotik, but based on the following link, we can hardcode the IKE-IDs as well with a command similar to:

 

myid=fqdn: hostname

 

https://bittenbytes.nl/2018/08/28/ipsec-tunnel-between-sonicos-and-mikrotik/ (note that the 1st image of Sonicwall also shows the IKE-IDs)

 

The only thing you will need to confirm is what the correct command is to hardcode the Remote IKE-ID on Mikrotik, because on the SRX you already know that you have to use "set security ike gateway [gateway_name] local-identity hostname [hostname]".

 

I really hope this helps you
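As an added illustration (not Junos code, and not from the thread), the IKE-ID matching described above as a small model: each peer announces its Local IKE-ID and compares what it receives against the Remote IKE-ID it expects. The 203.0.113.1 and 198.51.100.x addresses are constructed placeholders; 1.1.1.1, 2.2.2.2 and fir3net.com are the thread's own values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Peer:
    """One IKE peer as the thread describes it (model only, not Junos code)."""
    name: str
    external_ip: str                       # address on the external interface
    peer_ip: Optional[str] = None          # gateway 'address' if the peer is static
    local_identity: Optional[str] = None   # 'local-identity hostname X' if set
    remote_identity: Optional[str] = None  # 'dynamic hostname X' if set

    def local_ike_id(self) -> str:
        # Default Local IKE-ID is the external interface address; an explicit
        # local-identity replaces it.
        return self.local_identity or self.external_ip

    def expected_remote_id(self) -> Optional[str]:
        # Default Remote IKE-ID is the configured peer address; a 'dynamic
        # hostname' replaces it with a fixed name. None means nothing is known.
        return self.remote_identity or self.peer_ip


def negotiate(initiator: Peer, responder: Peer) -> Tuple[bool, str]:
    """Check the IKE-IDs in both directions, as in the SRXA/SRXB walkthrough."""
    sent, wanted = initiator.local_ike_id(), responder.expected_remote_id()
    if sent != wanted:
        return False, f"{responder.name} expected {wanted!r}, {initiator.name} sent {sent!r}"
    sent, wanted = responder.local_ike_id(), initiator.expected_remote_id()
    if sent != wanted:
        return False, f"{initiator.name} expected {wanted!r}, {responder.name} sent {sent!r}"
    return True, "IKE-IDs match in both directions"


def static_peers() -> Tuple[bool, str]:
    # Both addresses fixed (the thread's SRXA/SRXB example): defaults suffice.
    srxa = Peer("SRXA", external_ip="1.1.1.1", peer_ip="2.2.2.2")
    srxb = Peer("SRXB", external_ip="2.2.2.2", peer_ip="1.1.1.1")
    return negotiate(srxa, srxb)


def dynamic_peer_defaults(local_ip: str) -> Tuple[bool, str]:
    # Local_SRX has a changing address and Remote_SRX cannot configure it, so
    # Remote_SRX has no Remote IKE-ID to compare against: the check fails.
    local = Peer("Local_SRX", external_ip=local_ip, peer_ip="203.0.113.1")
    remote = Peer("Remote_SRX", external_ip="203.0.113.1")
    return negotiate(local, remote)


def dynamic_peer_hostname(local_ip: str) -> Tuple[bool, str]:
    # The fix from the thread: both sides pin the same fixed name, so the
    # result no longer depends on whatever address Local_SRX currently has.
    local = Peer("Local_SRX", external_ip=local_ip, peer_ip="203.0.113.1",
                 local_identity="fir3net.com")
    remote = Peer("Remote_SRX", external_ip="203.0.113.1",
                  remote_identity="fir3net.com")
    return negotiate(local, remote)


if __name__ == "__main__":
    print(static_peers())
    for ip in ("198.51.100.7", "198.51.100.42"):   # constructed DHCP addresses
        print(ip, dynamic_peer_defaults(ip))
        print(ip, dynamic_peer_hostname(ip))
```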

Re: Self-teaching exercise VPN between SRX210 (JunOS 12.1) and Mikrotik CHR (RouterOS 6.45)


Also make sure you use "aggressive" mode, because it is required when one of the peers has a dynamic IP address, and that "NAT-T" is enabled, because there is a NAT device in between the VPN peers. NAT-T is enabled by default on the SRX, and aggressive mode is configured under the [edit security ike policy Policy_Name] hierarchy.

 

Re: Self-teaching exercise VPN between SRX210 (JunOS 12.1) and Mikrotik CHR (RouterOS 6.45)


Thanks @epaniagua, I appreciate your suggestions. I am curious whether the 'hostname' parameter has to be a valid hostname (how is it verified)? Is an FQDN applicable here, or is the domain name (e.g., your use of fir3net.com) applicable here, or does it matter at all what we set here? I think I have also seen current JunOS documentation that allows several other types:

 

local-identity (distinguished-name | hostname identity-hostname | inet identity-ipv4 | inet6 identity-ipv6 | key-id | user-at-hostname identity-user);

So, is there a specification of what is valid input to the 'parameter' -- could we just say "abcdefghijk"  or "somedomain.tld"? Of course I understand the inet, inet6 parameters or key-id, but was thrown off by not having a formal syntax/parameter spec and it not being in the PDF of Security VPN IPSEC. 

 


 wrote:

Can you elaborate more on this part: "What I found a bit confusing at first read is the requirement to specify the identity of the initiator to the responder."? Where are you reading that, or what part of the SRX configuration are you referring to?

 

[...]

With the above configuration we are telling the Remote_SRX that its peer has a dynamic address and that it will be identifying itself as fir3net.com.

 

We need to make sure that the Local_SRX identifies itself as fir3net.com when connecting to the Remote_SRX, and we do this with the following command:

 

 

root@srx100> show configuration security ike gateway IKE-PEER-STATIC
local-identity hostname fir3net.com;

 

 

These values we are hardcoding are known as IKE-IDs and are values that have to match if we want the VPN to be established. These values are used for the peers to "authenticate" between each other, and each device will have a Local IKE-ID and a Remote IKE-ID. You could understand them in the following way from the perspective of each device:

 

Local IKE-ID: this is how I will identify myself when communicating with the remote peer.

Remote IKE-ID: this is how I expect that my peer identifies himself when contacting me.

 

These values always have to match during the negotiation of the tunnel; however, we don't normally configure/hardcode them because by default the devices will use the following values as the IKE-IDs:

 

Local IKE-ID: the IP address of the device's external interface

Remote IKE-ID: the IP address of the remote peer


 

Re: Self-teaching exercise VPN between SRX210 (JunOS 12.1) and Mikrotik CHR (RouterOS 6.45)


Shaque,

 

The hostname/FQDN doesn't have to be resolvable. It is just a format used for this value that has to match between the peers during the negotiation. As you said, you could use different value formats like IP address (IPv4 or IPv6), FQDN, user-at-FQDN or Distinguished Name.

 

local-identity (distinguished-name | hostname identity-hostname | inet identity-ipv4 | inet6 identity-ipv6 | key-id | user-at-hostname identity-user);

 


no-syn-check


Hi all,

What do the following statements under the flow stanza do? Are they for the IPsec tunnel? What is the purpose of no-syn-check-in-tunnel there? Lastly, when adding a new, more reduced MSS value statement (set security flow tcp-mss ipsec-vpn mss 1350) for IPsec, is anything going to go wrong or be misconfigured?

set security flow tcp-mss all-tcp mss 1470
set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-sequence-check

 

thx.

Ar

Re: no-syn-check

All those flow options are global options except no-syn-check-in-tunnel. SRX supports disabling TCP SYN checks for tunneled traffic separate from the global clear-text values. This can be useful when you have asymmetric routing with IPsec tunnels or for IPsec session failover. Normally, default tcp-mss value will be 1460 (MTU-(IP + TCP header)). But in your case it is increased to 1470. If you are using standard MTU of 1500, it may cause fragmentation.
Because of encryption overhead, setting ipsec tcp-mss to 1350 is safe to avoid fragmentation for ipsec traffic.


Re: no-syn-check


Thanks Nellikka....

Yes, you are right... the MSS is high... typically it is 1460....

Can I ask, when generating ICMP traffic through the IPsec tunnel on the box, I typically use 1460-28=1432 to determine whether or not resizing is happening... I know 1460 is still quite a high size for IPsec, but I want to double check with you whether this math is correct for making normal final packet sizes into the IPsec tunnel, for troubleshooting purposes?

 

And also, can you give a simple example/explanation of asymmetric routing for an IPsec tunnel? It is unusual for me.... For instance, the current situation is that there are 2 secure tunnel hubs (2x SRX650). And each has 45 secure tunnels to connect to their remote sites... each remote site has a 3rd-party ISP (MPLS) to connect to the SRX650 hub on my MPLS backbone... where can asymmetric routing be happening?

appreciate your ideas...

 

Re: no-syn-check


Thanks 

According to the link that you provided...

My ICMP packet through the IPsec tunnel should be

 

1460 + orig IP 20B + orig ICMP 8B + ESP 38B + ext IP 20B + ADSL 8B = 1554B. IPsec sits on the ADSL interface on the spoke SRX.

Now is it okay or?

 

Re: no-syn-check


Normally, the ICMP payload will be very small in size, 64 bytes or less. In SRX it is 56 bytes by default. The remaining calculation is ok. You can find out the working packet size (without fragmentation) using the "do-not-fragment" option in the SRX ping command. In Windows, use the -f flag. In Linux, it is the -M flag. Examples are given below. Decrease the packet size gradually to find a working packet size, like below:

SRX:

+++++++++

root> ping 192.168.1.10 size 1500 do-not-fragment

PING 192.168.1.10 (192.168.1.10): 1500 data bytes
ping: sendto: Message too long
ping: sendto: Message too long

root> ping 192.168.1.10 size 1472 do-not-fragment
PING 192.168.1.10 (192.168.1.10): 1472 data bytes
1480 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=0.966 ms
1480 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.942 ms


Windows:

++++++++++

C:\Users\Nellikka>ping 8.8.8.8 -f -l 1490

Pinging 8.8.8.8 with 1490 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Nellikka>ping 8.8.8.8 -f -l 1400

Pinging 8.8.8.8 with 1400 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1400) time=21ms TTL=50
Reply from 8.8.8.8: bytes=68 (sent 1400) time=36ms TTL=50
Reply from 8.8.8.8: bytes=68 (sent 1400) time=11ms TTL=50
Reply from 8.8.8.8: bytes=68 (sent 1400) time=11ms TTL=50

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


Linux:-
++++++++

Nellikka@linx01:~$ ping 8.8.8.8 -M do -s 1500 -c 2
PING 8.8.8.8 (8.8.8.8) 1500(1528) bytes of data.
From 192.168.1.254 icmp_seq=1 Frag needed and DF set (mtu = 1500)
From 192.168.1.254 icmp_seq=1 Frag needed and DF set (mtu = 1500)

--- 8.8.8.8 ping statistics ---
0 packets transmitted, 0 received, +2 errors

Nellikka@linx01:~$ ping 8.8.8.8 -M do -s 1472 -c 2
PING 8.8.8.8 (8.8.8.8) 1472(1500) bytes of data.
76 bytes from 8.8.8.8: icmp_req=1 ttl=55 (truncated)
76 bytes from 8.8.8.8: icmp_req=2 ttl=55 (truncated)

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.922/1.929/1.937/0.044 ms

 

 

Re: no-syn-check


The response from 192.168.1.10 is 1480B. Is this the perfect MSS value? Can we say so, or?

SRX:

+++++++++

root> ping 192.168.1.10 size 1500 do-not-fragment

PING 192.168.1.10 (192.168.1.10): 1500 data bytes
ping: sendto: Message too long
ping: sendto: Message too long

root> ping 192.168.1.10 size 1472 do-not-fragment 
PING 192.168.1.10 (192.168.1.10): 1472 data bytes
1480 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=0.966 ms
1480 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.942 ms

 


Re: no-syn-check


You have to check from your end system/SRX as you are using IPsec. My example was without IPsec. 1350 bytes is a safe and recommended size in your case for the tunnel, considering ESP and ADSL overhead. You may try different packet sizes to find out the working packet size.

Calculation from my ping example with 1472 payload: 

Payload size = 1472 bytes

ICMP Header = 8 bytes

IP Header = 20 bytes

Total packet size = 1500 bytes = default interface MTU

Re: no-syn-check


I do understand what you are pointing out about determining the proper packet size for the IPsec VPN and experimenting with 1350 or 1328 to see whether fragmentation happens or not etc.... That's fine...

 

What I was asking previously is about that response "1480". What is this typically called? Is this size accepted as the perfect size by both ends over the network path, or?

Re: no-syn-check


It is known as IP Payload length. 1480+20=1500 is the packet size (MTU) supported/accepted by the network path between source and destination (end to end) without fragmentation. To find out TCP MSS (TCP payload length) from this, deduct TCP header size 20 from the IP payload length (1480-20=1460)
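As an added worked example (not from the thread), the arithmetic behind the 1472/1480/1460 figures above, extended to the tunnel case: the ESP overhead is computed from assumed cipher parameters (AES-CBC with a 96-bit HMAC ICV, adjustable) and an assumed 8-byte PPPoE header for the ADSL uplink, rather than from a single fixed figure.

```python
IP_HDR = 20     # IPv4 header
ICMP_HDR = 8    # ICMP echo header
TCP_HDR = 20    # TCP header without options


def max_ping_payload(path_mtu: int) -> int:
    """Largest 'ping size' that passes with do-not-fragment (1472 for an MTU of 1500)."""
    return path_mtu - IP_HDR - ICMP_HDR


def ip_payload_length(ping_payload: int) -> int:
    """What Junos ping reports as 'N bytes from': ICMP header plus data (1480 for 1472)."""
    return ping_payload + ICMP_HDR


def clear_text_mss(path_mtu: int) -> int:
    """TCP MSS for the clear-text path: MTU minus IP and TCP headers (1460 for 1500)."""
    return path_mtu - IP_HDR - TCP_HDR


def esp_overhead(inner_len: int, block: int = 16, iv: int = 16, icv: int = 12) -> int:
    """Bytes ESP tunnel mode adds around an inner packet of inner_len bytes.
    Assumed defaults: AES-CBC (16-byte block and IV) with a 96-bit HMAC ICV.
    Padding brings (data + pad-length + next-header) up to a block multiple,
    so the overhead varies with packet size instead of being one fixed number
    such as the 38 bytes used in the thread's estimate."""
    trailer = inner_len + 2                 # data plus pad-length and next-header bytes
    pad = (-trailer) % block
    return IP_HDR + 8 + iv + pad + 2 + icv  # outer IP, SPI+seq, IV, padding, trailer, ICV


def largest_inner_packet(path_mtu: int, link_overhead: int = 0, **esp) -> int:
    """Largest inner IPv4 packet whose ESP encapsulation still fits the path MTU.
    link_overhead covers e.g. the 8-byte PPPoE header on an ADSL uplink (assumed)."""
    for inner in range(path_mtu, 0, -1):
        if inner + esp_overhead(inner, **esp) + link_overhead <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any ESP packet")


def tunnel_mss(path_mtu: int, link_overhead: int = 0, **esp) -> int:
    """TCP MSS to clamp to for traffic that will be ESP-encapsulated on this path."""
    return largest_inner_packet(path_mtu, link_overhead, **esp) - IP_HDR - TCP_HDR


if __name__ == "__main__":
    print(max_ping_payload(1500), ip_payload_length(1472), clear_text_mss(1500))
    print("AES-CBC/SHA1 over PPPoE:   ", tunnel_mss(1500, link_overhead=8))
    print("AES-CBC/SHA-256 over PPPoE:", tunnel_mss(1500, link_overhead=8, icv=16))
    print("3DES/SHA1 over PPPoE:      ", tunnel_mss(1500, link_overhead=8, block=8, iv=8))
```

The thread's 1350 sits below every value this produces for a 1500-byte path, which is why it is described above as safe; a smaller path MTU or a larger ICV moves the result down accordingly.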

upgrade


Hi all,

How do I check when Junos was upgraded and what the previous version was, etc.? Is there a CLI command to check this upgrade history?

Re: upgrade


On SRX, try "show system software backup".  And on EX, "show system snapshot media internal".  Hope that answers your query.

 

Example:

root> run show version
Model: srx3400
JUNOS Software Release [12.3X48-D30.7]
root> show system software backup
Backup JUNOS package information:
File name: /cf/packages/junos-12.3X48-D75.4-domestic
File size: 278776304
root> request system software rollback
Restoring boot file package
junos-12.3X48-D75.4-domestic will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
root@EX3200-24T-r001-S1> show version
Hostname: EX3200-24T-r001-S1
Model: ex3200-24t
JUNOS Base OS boot [12.3R12.4]
JUNOS Base OS Software Suite [12.3R12.4]
JUNOS Kernel Software Suite [12.3R12.4]
JUNOS Crypto Software Suite [12.3R12.4]
JUNOS Online Documentation [12.3R12.4]
JUNOS Enterprise Software Suite [12.3R12.4]
JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R12.4]
JUNOS Routing Software Suite [12.3R12.4]
JUNOS Web Management [12.3R12.4]
JUNOS FIPS mode utilities [12.3R12.4]
root@EX3200-24T-r001-S1> show system storage partitions ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
root@EX3200-24T-r001-S1> show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions information:
  Partition  Size   Mountpoint
  s1a        183M   altroot
  s2a        184M   /
  s3d        369M   /var/tmp
  s3e        123M   /var
  s4d        62M    /config
root@EX3200-24T-r001-S1> show system snapshot media internal
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Nov 8 21:59:37 2016
JUNOS version on snapshot:
  jdocs-ex: 14.1X53-D40.8
  jweb-ex: 14.1X53-D40.8
  fips-mode-powerpc: 14.1X53-D40.8
WARNING: snapshot format is incompatible with the software currently running
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Jan 19 23:05:04 2016
JUNOS version on snapshot:
  jbase  : ex-12.3R12.4
  jkernel-ex: 12.3R12.4
  jcrypto-ex: 12.3R12.4
  jdocs-ex: 12.3R12.4
  jswitch-ex: 12.3R12.4
  jpfe-ex42x: 12.3R12.4
  jroute-ex: 12.3R12.4
  jweb-ex: 12.3R12.4
  fips-mode-powerpc: 12.3R12.4

 

Hope this helps.

 

Regards,
-r.


 
