Recently I made changes on one of our SRX devices which introduced the need for NAT-T to be enabled on other devices.
I don't get why this is needed with the new configuration.
Let me explain =)
Source NAT has changed from:
"from zone Local_Office zone Users to Untrust"
To
set security nat source rule-set SNAT_use_interface from routing-instance default
set security nat source rule-set SNAT_use_interface to zone Untrust
set security nat source rule-set SNAT_use_interface rule snat_on_interface match source-address 0.0.0.0/0
set security nat source rule-set SNAT_use_interface rule snat_on_interface match destination-address 0.0.0.0/0
set security nat source rule-set SNAT_use_interface rule snat_on_interface then source-nat interface
After this change NAT-T was needed for the following IPSEC:
set security ike proposal ike-proposal-company-hq authentication-method pre-shared-keys
set security ike proposal ike-proposal-company-hq dh-group group5
set security ike proposal ike-proposal-company-hq authentication-algorithm sha1
set security ike proposal ike-proposal-company-hq encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-company-hq lifetime-seconds 28800
set security ike policy ike-policy-Local_Office mode main
set security ike policy ike-policy-Local_Office proposals ike-proposal-company-hq
set security ike policy ike-policy-Local_Office pre-shared-key ascii-text "XXX"
set security ike gateway remoteoffice ike-policy ike-policy-Local_Office
set security ike gateway remoteoffice address 10.1.1.1
set security ike gateway remoteoffice external-interface reth5.0
set security ipsec proposal ipsec-proposal-company-hq protocol esp
set security ipsec proposal ipsec-proposal-company-hq authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-company-hq encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal-company-hq lifetime-seconds 3600
set security ipsec policy ipsec-policy-Local_Office perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy-Local_Office proposals ipsec-proposal-company-hq
set security ipsec vpn remoteoffice-ipsec-vpn bind-interface st0.1
set security ipsec vpn remoteoffice-ipsec-vpn ike gateway remoteoffice
set security ipsec vpn remoteoffice-ipsec-vpn ike ipsec-policy ipsec-policy-Local_Office
set interfaces st0 unit 1 family inet mtu 1500
set interfaces st0 unit 1 family inet address 172.31.3.90/29
set security zones security-zone Local_Office interfaces st0.1
Where reth5.0 is Untrust.
If I don't enable NAT-T on the remote device, the SRX logs:
[Jan 25 11:01:22]<none>:500 (Initiator) <-> 10.1.1.1:500 { 97d97d5d d3375535 - 33591868 346af7ff [0] / 0x65c29767 } QM; Error = Timeout (8197)
[Jan 25 11:01:22]ike_send_notify: Private notification, do not send notification
[Jan 25 11:01:22]ike_delete_negotiation: Start, SA = { 97d97d5d d3375535 - 33591868 346af7ff}, nego = 0
[Jan 25 11:01:22]ike_free_negotiation_qm: Start, nego = 0
[Jan 25 11:01:22]ike_free_negotiation: Start, nego = 0
[Jan 25 11:01:22]ike_free_id_payload: Start, id type = 4
[Jan 25 11:01:22]ike_free_id_payload: Start, id type = 4
[Jan 25 11:01:22] IKEv1 Error : Timeout
The only thing I can think of is that the SRX SNAT rule has changed the behavior so that the st0.1 that is bound to the Local_Office zone is getting SNATed during the negotiation process.
Maybe some SRX guru has a good idea of what the SRX is doing with this traffic that causes it to use NAT-T instead?
Thanks in advance
Robert
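The following is an added example, not part of Robert's post and not Juniper code. It shows the IKEv1 NAT-Traversal detection mechanism (RFC 3947) that decides whether NAT-T is "needed": each peer sends NAT-D payloads that hash the IKE cookies together with its own view of its address and UDP port, and the receiver recomputes the hash over the address and port the packet actually arrived from. Any mismatch, even a rewritten source port with the same address, counts as NAT and the peers try to float to UDP 4500. The cookies come from the log line in the post; the SRX untrust address 203.0.113.10, the translated port 1034 and the translated address 198.51.100.7 are constructed values. Whether the SRX's interface-based source NAT rule actually rewrites the source port of the firewall's own IKE packets is the poster's hypothesis and is treated here as an assumption; the example only shows why a port-only rewrite would be enough to trigger NAT-T detection.

```python
import hashlib
import ipaddress
import struct

# IKE SA cookies (initiator / responder), taken from the log line in the post.
CKY_I = bytes.fromhex("97d97d5dd3375535")
CKY_R = bytes.fromhex("33591868346af7ff")

# Constructed sample addresses (not from the post): the SRX's reth5.0 address
# and the remote IKE gateway address that the post configures.
SRX_UNTRUST_IP = "203.0.113.10"
REMOTE_PEER_IP = "10.1.1.1"


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    IP is the raw packed address (4 bytes for IPv4) and Port is 2 bytes in
    network byte order. The hash is the one negotiated in the IKE proposal;
    the post's proposal uses sha1, so that is the default here.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def peer_detects_nat(sent_ip: str, sent_port: int,
                     observed_ip: str, observed_port: int,
                     hash_name: str = "sha1") -> bool:
    """Return True if the receiving peer would conclude a NAT is in the path.

    The sender hashes its *own* view of its source address and port into the
    NAT-D payload. The receiver recomputes the hash over the source address and
    port the packet actually *arrived* with. A mismatch (address rewritten, or
    only the port rewritten by PAT) means NAT was detected, and IKE will try to
    float to UDP 4500, which requires NAT-T support on both sides.
    """
    claimed = nat_d(CKY_I, CKY_R, sent_ip, sent_port, hash_name)
    observed = nat_d(CKY_I, CKY_R, observed_ip, observed_port, hash_name)
    return claimed != observed


def scenarios() -> dict:
    """Three constructed cases for the SRX's outbound IKE packet (UDP 500).

    untouched:       no translation at all, hashes match, no NAT-T needed
    port_only_pat:   address kept but source port changed (interface SNAT
                     behaviour is assumed here), still detected as NAT
    address_rewrite: classic NAT with a new public address, detected as NAT
    """
    return {
        "untouched": peer_detects_nat(SRX_UNTRUST_IP, 500, SRX_UNTRUST_IP, 500),
        "port_only_pat": peer_detects_nat(SRX_UNTRUST_IP, 500, SRX_UNTRUST_IP, 1034),
        "address_rewrite": peer_detects_nat(SRX_UNTRUST_IP, 500, "198.51.100.7", 500),
    }


if __name__ == "__main__":
    for name, detected in scenarios().items():
        print(f"{name:16s} NAT detected = {detected}")
```

The point of the port_only_pat case is that NAT-T detection does not care whether the address survived: the port is part of the hashed input, so a source NAT rule that merely re-sources the firewall's own IKE traffic through a translated port looks exactly like a NAT device to the remote peer, and a peer without NAT-T enabled then has no way to continue on UDP 4500.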