Hello forum guys and security experts,
I need some help with an IPsec configuration. I followed the guide at http://www.juniper.net/techpubs/en_US/junos13.2/topics/example/ipsec-configuring-on-ms-mic.html.
This is my security configuration for IKE and the VPN:
service-set ipsec_ss_ms-0_2_0_1 {
    next-hop-service {
        inside-service-interface ms-0/2/0.1;
        outside-service-interface ms-0/2/0.2;
    }
    ipsec-vpn-options {
        local-gateway 10.42.131.81;
    }
    ipsec-vpn-rules vpn_rule_eNB101032_Uplane;
}
rule vpn_rule_eNB101032_Uplane {
    term vpn_rule_eNB101032_Uplane {
        from {
            source-address {
                10.42.131.84/32;
            }
            destination-address {
                10.42.159.5/32;
            }
        }
        then {
            remote-gateway 10.42.147.32;
            dynamic {
                ike-policy all-ca-level-l3;
                ipsec-policy Feve3-TT_ipsec_policy;
            }
        }
    }
    match-direction input;
}
ipsec {
    proposal Feve3-TT_ipsec_proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy Feve3-TT_ipsec_policy {
        proposals Feve3-TT_ipsec_proposal;
    }
}
ike {
    proposal Feve3-TT_ike_proposal {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy all-ca-level-l1 {
        mode main;
        version 1;
        proposals Feve3-TT_ike_proposal;
        local-certificate CA_Level_L1a;
    }
    policy all-ca-level-l2 {
        mode main;
        proposals Feve3-TT_ike_proposal;
        local-certificate CA_Level_L2a;
    }
    policy all-ca-level-l3 {
        mode main;
        proposals Feve3-TT_ike_proposal;
        local-certificate CA_Level_L3a;
    }
}
traceoptions {
    file ipsec-ike_log size 5m files 10;
    flag all;
}
I also created subinterfaces under the MIC and assigned them to the proper service domain:
run show configuration interfaces ms-0/2/0
unit 0 {
    family inet;
}
unit 1 {
    family inet {
        mtu 1500;
        address 10.42.131.81/28;
        address 10.42.131.82/28;
        address 10.42.131.83/28;
        address 10.42.131.84/28;
        address 10.42.131.85/28;
        address 10.42.131.86/28;
    }
    service-domain inside;
}
unit 2 {
    family inet;
    service-domain outside;
}
The policy is routed statically via ms-0/2/0.1:
run show route 10.42.159.5

inet.0: 292 destinations, 293 routes (292 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.42.159.5/32     *[Static/5] 1w3d 06:19:17
                    > via ms-0/2/0.1
The MX is also the VLAN GW for the hosts, so it is both the VLAN GW and the SecGW. I know it is not really a recommended design, but Juniper, by providing the MIC card, left that option available, so we use it.
The policy is using digital certificates:
run show security pki local-certificate brief
Certificate identifier: CA_Level_L2a
  Issued to: JuniperSRX, Issued by: DC = NSN Ulm, DC = Intermediate, CN = Sub CA_L2a
  Validity:
    Not before: 09- 5-2016 06:26 UTC
    Not after: 12- 4-2016 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: CA_Level_L3a
  Issued to: JuniperSRX, Issued by: DC = NSN Ulm, DC = Intermediate, CN = Sub CA_L3a
  Validity:
    Not before: 09- 5-2016 08:36 UTC
    Not after: 09- 5-2019 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: CA_Level_L1a
  Issued to: JuniperSRX, Issued by: DC = NSN Ulm, CN = Root CA
  Validity:
    Not before: 09- 5-2016 06:23 UTC
    Not after: 09- 5-2019 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
which are loaded and can be verified.
However, I do not see any logs in the traceoptions I set:
run show log ipsec-ike_log
Sep 16 12:50:17 Enable trace flag: ffffffff trace level: 0
Sep 16 12:50:18 Enable trace flag: ffffffff trace level: 0
Sep 16 14:23:20 Enable trace flag: ffffffff trace level: 0
Sep 16 14:23:21 Enable trace flag: ffffffff trace level: 0
Sep 16 15:02:08 Enable trace flag: ffffffff trace level: 0
Sep 16 15:02:08 Enable trace flag: ffffffff trace level: 0
Sep 16 15:03:21 Enable trace flag: ffffffff trace level: 0
Sep 16 15:03:21 Enable trace flag: ffffffff trace level: 0
The IKE security association cannot be established:
run show services ipsec-vpn ike security-associations brief
[edit]
For phase 2 I see the following:
run show services ipsec-vpn ipsec security-associations ipsec_ss_ms-0_2_0_1
Service set: ipsec_ss_ms-0_2_0_1, IKE Routing-instance: default
  Rule: vpn_rule_eNB101032_Uplane, Term: vpn_rule_eNB101032_Uplane, Tunnel index: 3
  Local gateway: 10.42.131.81, Remote gateway: 10.42.147.32
  IPSec inside interface: ms-0/2/0.1, Tunnel MTU: 1500
  --- No IPSec SA information available ---
Any idea what is missing?
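Added example (editor's code, not from the post or from Juniper): a Python checker that parses the brace-structured Junos configuration and the PKI output quoted above and walks the reference chain the service set depends on, verifying that the rule, IKE policy, IPsec policy and proposals it names exist, that the local-gateway address is configured on the inside service interface unit, and that the IKE policy's local certificate is loaded and within its validity window at the time of the trace log. The parser and `check` function are hypothetical tooling; the names, addresses and certificate dates are transcribed from the post (abridged to the stanzas the rule references), and the year in LOG_DATE is an assumption because the posted log lines carry no year.

```python
"""Cross-reference checker for the Junos MS-MIC IPsec configuration quoted in the post.
Added example, not from the post or Juniper: parses Junos curly-brace config into nested dicts and
verifies that every name in the rule chain (rule, ike-policy, ipsec-policy, proposals, local-certificate)
is defined, that local-gateway is an address on the inside interface, and that the certificate is valid."""
import re
from datetime import datetime

# Transcribed from the post's [edit services] hierarchy, abridged to the stanzas the rule references.
SERVICES_CFG = """
service-set ipsec_ss_ms-0_2_0_1 { next-hop-service { inside-service-interface ms-0/2/0.1; outside-service-interface ms-0/2/0.2; }
  ipsec-vpn-options { local-gateway 10.42.131.81; } ipsec-vpn-rules vpn_rule_eNB101032_Uplane; }
rule vpn_rule_eNB101032_Uplane { term vpn_rule_eNB101032_Uplane { from { source-address { 10.42.131.84/32; }
  destination-address { 10.42.159.5/32; } } then { remote-gateway 10.42.147.32; dynamic { ike-policy all-ca-level-l3;
  ipsec-policy Feve3-TT_ipsec_policy; } } } match-direction input; }
ipsec { proposal Feve3-TT_ipsec_proposal { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc;
  lifetime-seconds 3600; } policy Feve3-TT_ipsec_policy { proposals Feve3-TT_ipsec_proposal; } }
ike { proposal Feve3-TT_ike_proposal { authentication-method rsa-signatures; dh-group group2; authentication-algorithm sha1;
  encryption-algorithm aes-128-cbc; lifetime-seconds 3600; }
  policy all-ca-level-l3 { mode main; proposals Feve3-TT_ike_proposal; local-certificate CA_Level_L3a; } }
"""
# Transcribed from 'show configuration interfaces ms-0/2/0' in the post (two of the six unit 1 addresses kept).
IFACE_CFG = """unit 1 { family inet { mtu 1500; address 10.42.131.81/28; address 10.42.131.84/28; }
  service-domain inside; } unit 2 { family inet; service-domain outside; }"""
# Transcribed from 'show security pki local-certificate brief' in the post (the CA_Level_L3a entry).
PKI_BRIEF = """Certificate identifier: CA_Level_L3a Issued to: JuniperSRX, Issued by: DC = NSN Ulm,
DC = Intermediate, CN = Sub CA_L3a Validity: Not before: 09- 5-2016 08:36 UTC Not after: 09- 5-2019 23:59 UTC"""
# First timestamp in the posted trace log; the year is an assumption, the log omits it.
LOG_DATE = datetime(2016, 9, 16, 12, 50)


def as_list(v):
    return v if isinstance(v, list) else [v]


def parse_junos(text):
    """Nested dicts from Junos braces: 'k v;' -> node[k]=v, 'k {..}' -> node[k]=dict,
    'k name {..}' -> node[k][name]=dict, bare 'v;' -> node[v]=None, repeated leaves -> list."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    pos = [0]

    def block():
        node = {}
        while pos[0] < len(tokens) and tokens[pos[0]] != "}":
            words = []
            while tokens[pos[0]] not in ("{", ";"):
                words.append(tokens[pos[0]])
                pos[0] += 1
            delim = tokens[pos[0]]
            pos[0] += 1
            if delim == "{":
                child = block()
                pos[0] += 1  # consume the child's closing brace
                if len(words) == 1:
                    node[words[0]] = child
                else:
                    node.setdefault(words[0], {})[" ".join(words[1:])] = child
            else:
                key, val = words[0], " ".join(words[1:]) or None
                node[key] = val if key not in node else as_list(node[key]) + [val]
        return node

    return block()


CERT_RE = re.compile(r"Certificate identifier: (\S+).*?Not before: ([\d\- :]+?) UTC.*?Not after: ([\d\- :]+?) UTC", re.S)


def parse_certs(text):
    """identifier -> (not_before, not_after); Junos space-pads the day ('09- 5-2016'), squeeze it first."""
    return {ident: tuple(datetime.strptime(re.sub(r"-\s+", "-", s), "%m-%d-%Y %H:%M") for s in (nb, na))
            for ident, nb, na in CERT_RE.findall(text)}


def check(services_text, iface_text, pki_text, at):
    """Return a list of findings; an empty list means every reference in the rule chain resolves."""
    svc, iface, certs = parse_junos(services_text), parse_junos(iface_text), parse_certs(pki_text)
    ike, ipsec, findings = svc.get("ike", {}), svc.get("ipsec", {}), []
    for kind, sect in (("ike", ike), ("ipsec", ipsec)):  # every policy must name existing proposals
        for pname, pol in sect.get("policy", {}).items():
            for prop in as_list(pol.get("proposals")):
                if prop not in sect.get("proposal", {}):
                    findings.append(f"{kind} policy {pname}: proposal {prop} undefined")
    for ss_name, ss in svc.get("service-set", {}).items():
        inside = ss["next-hop-service"]["inside-service-interface"]
        fam = iface.get("unit", {}).get(inside.rsplit(".", 1)[-1], {}).get("family")
        addrs = as_list((fam if isinstance(fam, dict) else {}).get("inet", {}).get("address", []))
        gw = ss["ipsec-vpn-options"]["local-gateway"]
        if gw not in [a.split("/")[0] for a in addrs]:
            findings.append(f"{ss_name}: local-gateway {gw} is not an address on {inside}")
        rule = svc.get("rule", {}).get(ss.get("ipsec-vpn-rules"))
        if rule is None:
            findings.append(f"{ss_name}: rule {ss.get('ipsec-vpn-rules')} undefined")
            continue
        for tname, term in rule["term"].items():
            dyn = term["then"]["dynamic"]
            if dyn["ipsec-policy"] not in ipsec.get("policy", {}):
                findings.append(f"term {tname}: ipsec-policy {dyn['ipsec-policy']} undefined")
            pol = ike.get("policy", {}).get(dyn["ike-policy"])
            if pol is None:
                findings.append(f"term {tname}: ike-policy {dyn['ike-policy']} undefined")
                continue
            cname = pol.get("local-certificate")
            if cname not in certs:
                findings.append(f"ike policy {dyn['ike-policy']}: local-certificate {cname} not loaded")
            elif not certs[cname][0] <= at <= certs[cname][1]:
                findings.append(f"ike policy {dyn['ike-policy']}: {cname} not valid at {at:%Y-%m-%d}")
    return findings
```

Run as `check(SERVICES_CFG, IFACE_CFG, PKI_BRIEF, LOG_DATE)`; on the transcribed configuration it returns no findings, which is the point of such a tool: it rules out dangling references and an expired or not-yet-valid certificate as the cause before the harder questions (does the peer's IKE traffic reach ms-0/2/0.2 at all, does the trace log ever show a negotiation) are worked on. Feeding it the same configuration with the PKI output removed, or a date before the certificate's Not-before, produces the corresponding finding.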