Hi,
I'm trying to configure a static ipsec tunnel between an SRX240 and a Linux host (using racoon). It is now to the point where I have the security-associations showing so the tunnel seems to be active. I can ping from either side and see the ESP packets going to the other side, but neither end responds to the ping (the ESP packet is dropped maybe?). I can even use wireshark to decrypt the packets (using the keys from the Linux side) and I see that the contents are the ping packets with the correct private IPs inside.
Any ideas why the SRX side isn't responding to a ping? (If I could at least get the SRX side to respond... I can work on the Linux side from there...)
My network setup is as follows:
SRX Public IP: a.b.c.d -- Internet zone, on reth0.0
Linux Public IP: e.f.g.h
SRX VPN IP: 172.16.41.1/24 -- VPNRemote zone, on st0.0 (multipoint)
Linux VPN IP: 172.16.41.51
The goal is to set up a GRE tunnel so that several private IP ranges from the SRX side are accessible from the Linux side.
Here is my configuration so far:
interfaces {
    reth0 { ... }                   /* Internet interface */
    st0 {
        unit 0 {
            multipoint;
            family inet {
                next-hop-tunnel 172.16.41.51 ipsec-vpn ike-vpn-test;
                address 172.16.41.1/24;
            }
        }
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ikep1-test-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$qfF/u0IcSeuOhrlK7N"; ## SECRET-DATA
        }
        gateway test {
            ike-policy ikep1-test-policy;
            address e.f.g.h;
            external-interface reth0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-test-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-test {
            bind-interface st0.0;
            ike {
                gateway test;
                proxy-identity {
                    local 172.16.41.0/24;
                    remote 172.16.41.51/32;
                }
                ipsec-policy ipsec-test-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        /* traffic sourced by the SRX itself towards the tunnel */
        from-zone junos-host to-zone VPNRemote {
            policy test {
                match {
                    source-address any;
                    destination-address VPNNet;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* traffic arriving from the tunnel for the SRX itself */
        from-zone VPNRemote to-zone junos-host {
            policy test {
                match {
                    source-address any;
                    destination-address VPNNet;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internet {
            screen Internet-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone VPNRemote {
            address-book {
                address VPNNet 172.16.41.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
Linux:
ipsec.conf (loaded with setkey):
# outbound: host -> SRX tunnel network, tunnelled in ESP from e.f.g.h to a.b.c.d
spdadd 172.16.41.51 172.16.41.0/24 any -P out ipsec esp/tunnel/e.f.g.h-a.b.c.d/require;
# inbound: SRX tunnel network -> host
spdadd 172.16.41.0/24 172.16.41.51 any -P in ipsec esp/tunnel/a.b.c.d-e.f.g.h/require;

racoon.conf:
remote a.b.c.d [500] {
    exchange_mode main;
    peers_identifier address a.b.c.d;
    my_identifier address e.f.g.h;
    verify_identifier off;
    nat_traversal force;        # always UDP-encapsulate on port 4500
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

psk.conf:
a.b.c.d secret
Security associations seem to be okay:
root@fw01> show security ike security-associations
node0:
--------------------------------------------------------------------------
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
5116024  UP     77fa7eaeb2f0f554  280affa8d6d30521  Main  e.f.g.h
----
root@fw01> show security ipsec security-associations
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID       Algorithm            SPI       Life:sec/kb  Mon  vsys  Port  Gateway
  <131073  ESP:aes-256/sha256   fbd041eb  2538/ unlim  -    root  4500  e.f.g.h
  >131073  ESP:aes-256/sha256   561bcf4   2538/ unlim  -    root  4500  e.f.g.h
When I ping from Linux to SRX, I can see the packets going out from Linux:
09:26:34.544851 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x94), length 132
09:26:35.552884 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x95), length 132
09:26:36.560938 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x96), length 132
(and once decrypted they are pings from 172.16.41.51 to 172.16.41.1)
Showing a flow trace of the above pings using basic-datapath:
root@fw01> show log tshoot_ipsec
May 8 09:26:31 09:26:31.534228:CID-1:RT: find flow: table 0x491ef1f8, hash 36516(0xffff), sa e.f.g.h, da a.b.c.d, sp 64464, dp 16875, proto 50, tok 7
May 8 09:26:32 09:26:31.534228:CID-1:RT: flow got session.
May 8 09:26:32 09:26:31.534228:CID-1:RT: flow session id 20459
May 8 09:26:32 09:26:31.534228:CID-1:RT: flow_decrypt: tun 4cca38b8(flag 8a), iif 67
May 8 09:26:32 09:26:31.534228:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 09:26:32 09:26:32.542209:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:32 09:26:32.542209:CID-1:RT:packet [160] ipid = 59560, @42370d9c
May 8 09:26:32 09:26:32.542209:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x42370b80, rtbl_idx = 0
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow process pak fast ifl 67 in_ifp reth0.0
May 8 09:26:32 09:26:32.542209:CID-1:RT: reth0.0:e.f.g.h/4500->a.b.c.d/4500, udp
May 8 09:26:32 09:26:32.542209:CID-1:RT: find flow: table 0x491ef1f8, hash 49795(0xffff), sa e.f.g.h, da a.b.c.d, sp 4500, dp 4500, proto 17, tok 7
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow got session.
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow session id 99003
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow_decrypt: tun 4ee324b8(flag 10), iif 67
May 8 09:26:32 09:26:32.542209:CID-1:RT:dec vector=83bd0d8.
May 8 09:26:32 09:26:32.542209:CID-1:RT:In natt_decap Completed NATT decap
May 8 09:26:32 09:26:32.542209:CID-1:RT:In natt_decap After NATT decap, pak_ptr->src=e.f.g.h and pak_ptr->dst = a.b.c.d
May 8 09:26:32 09:26:32.542209:CID-1:RT:dec vector=83bd0d8. rc 0x0
May 8 09:26:32 09:26:32.542209:CID-1:RT: reth0.0:e.f.g.h->a.b.c.d, 50
May 8 09:26:32 09:26:32.542209:CID-1:RT: find flow: table 0x491ef1f8, hash 36516(0xffff), sa e.f.g.h, da a.b.c.d, sp 64464, dp 16875, proto 50, tok 7
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow got session.
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow session id 20459
May 8 09:26:32 09:26:32.542209:CID-1:RT: flow_decrypt: tun 4cca38b8(flag 8a), iif 67
May 8 09:26:32 09:26:32.542209:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 09:26:33 09:26:33.550175:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:33 09:26:33.550175:CID-1:RT:packet [160] ipid = 59711, @4238839c
May 8 09:26:33 09:26:33.550175:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x42388180, rtbl_idx = 0
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow process pak fast ifl 67 in_ifp reth0.0
May 8 09:26:33 09:26:33.550175:CID-1:RT: reth0.0:e.f.g.h/4500->a.b.c.d/4500, udp
May 8 09:26:33 09:26:33.550175:CID-1:RT: find flow: table 0x491ef1f8, hash 49795(0xffff), sa e.f.g.h, da a.b.c.d, sp 4500, dp 4500, proto 17, tok 7
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow got session.
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow session id 99003
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow_decrypt: tun 4ee324b8(flag 10), iif 67
May 8 09:26:33 09:26:33.550175:CID-1:RT:dec vector=83bd0d8.
May 8 09:26:33 09:26:33.550175:CID-1:RT:In natt_decap Completed NATT decap
May 8 09:26:33 09:26:33.550175:CID-1:RT:In natt_decap After NATT decap, pak_ptr->src=e.f.g.h and pak_ptr->dst = a.b.c.d
May 8 09:26:33 09:26:33.550175:CID-1:RT:dec vector=83bd0d8. rc 0x0
May 8 09:26:33 09:26:33.550175:CID-1:RT: reth0.0:e.f.g.h->a.b.c.d, 50
May 8 09:26:33 09:26:33.550175:CID-1:RT: find flow: table 0x491ef1f8, hash 36516(0xffff), sa e.f.g.h, da a.b.c.d, sp 64464, dp 16875, proto 50, tok 7
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow got session.
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow session id 20459
May 8 09:26:33 09:26:33.550175:CID-1:RT: flow_decrypt: tun 4cca38b8(flag 8a), iif 67
May 8 09:26:33 09:26:33.550175:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
May 8 09:26:33 09:26:33.944179:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:33 09:26:33.944246:CID-1:RT:packet [29] ipid = 24964, @423b3c9c
May 8 09:26:33 09:26:33.944246:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x423b3a80, rtbl_idx = 0
May 8 09:26:33 09:26:33.944246:CID-1:RT: flow process pak fast ifl 67 in_ifp reth0.0
May 8 09:26:33 09:26:33.944246:CID-1:RT: reth0.0:e.f.g.h/4500->a.b.c.d/4500, udp
May 8 09:26:33 09:26:33.944320:CID-1:RT: find flow: table 0x491ef1f8, hash 49795(0xffff), sa e.f.g.h, da a.b.c.d, sp 4500, dp 4500, proto 17, tok 7
May 8 09:26:33 09:26:33.944381:CID-1:RT: flow got session.
May 8 09:26:33 09:26:33.944381:CID-1:RT: flow session id 99003
May 8 09:26:33 09:26:33.944381:CID-1:RT: flow_decrypt: tun 4ee324b8(flag 10), iif 67
May 8 09:26:33 09:26:33.944381:CID-1:RT:dec vector=83bd0d8.
May 8 09:26:33 09:26:33.944381:CID-1:RT:dec vector=83bd0d8. rc 0xffffffff
May 8 09:26:33 09:26:33.944443:CID-1:RT:<e.f.g.h/4500->a.b.c.d/4500;17> matched filter zzz:
May 8 09:26:33 09:26:33.944443:CID-1:RT:packet [29] ipid = 24964, @423b3c9c
May 8 09:26:33 09:26:33.944496:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
So it looks like the packets are received at the SRX end, and it shows "flow_decrypt tun ..." and then that's it?
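Added example, not part of the original post: a small script that checks what the numbers in the tcpdump and flow-trace output above can tell you before digging further into the SRX. Two things are worth pulling out. First, the SRX flow trace reports the ESP (proto 50) flow with the SPI split into "sp" and "dp" (0xfbd0 = 64464, 0x41eb = 16875), so a tcpdump SPI can be matched directly to a "find flow ... proto 50" line. Second, ESP length arithmetic constrains the integrity check value (ICV): with aes-256-cbc (16-byte IV, 16-byte blocks) a 132-byte UDP payload leaves 108 bytes after the SPI and sequence number, and only a 12-byte (96-bit) ICV leaves a whole number of AES blocks (96 bytes, which also fits an 84-byte Linux ping packet plus trailer), whereas the 16-byte ICV of the hmac-sha-256-128 configured on the SRX would leave 92 bytes. A 96-bit SHA-256 ICV is what older Linux kernels and ipsec-tools/racoon send for HMAC-SHA-256 (the truncation that predates RFC 4868); that is an inference from lengths only, and the practical checks are the ESP authentication-failure counters in `show security ipsec statistics` on the SRX and the truncation length on the Linux side (`ip xfrm state` prints it as `auth-trunc hmac(sha256) ... 96` or `128` on kernels and iproute2 that report it). The 29-byte packet in the trace is a UDP/4500 payload of one byte, the size of an RFC 3948 NAT-T keepalive, so a decrypt failure on it is expected. The tcpdump lines are copied from the post; the cipher and ICV tables are the script's own assumptions.

```python
"""Length checks on UDP-encapsulated ESP packets (added example, not from the post).

The tcpdump sample is the one shown in the post; CIPHERS and ICV_SIZES are
assumed tables of common IPsec transforms, not anything negotiated on the wire.
"""
import re

# --- constructed sample input: the three tcpdump lines from the post ---
TCPDUMP_LINES = """\
09:26:34.544851 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x94), length 132
09:26:35.552884 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x95), length 132
09:26:36.560938 IP e.f.g.h.4500 > a.b.c.d.4500: UDP-encap: ESP(spi=0xfbd041eb,seq=0x96), length 132
"""

# Fixed ESP overheads (RFC 4303 section 2).
ESP_HEADER_LEN = 8      # SPI (4) + sequence number (4)
ESP_TRAILER_LEN = 2     # pad length (1) + next header (1), inside the ciphertext

# (IV length, block size) per cipher; assumed table.
CIPHERS = {"aes-256-cbc": (16, 16), "aes-128-cbc": (16, 16), "3des-cbc": (8, 8)}

# ICV length -> transforms that produce it; assumed table.
ICV_SIZES = {
    12: ["hmac-md5-96", "hmac-sha1-96", "hmac-sha-256-96 (pre-RFC 4868 Linux/racoon)"],
    16: ["hmac-sha-256-128 (RFC 4868)"],
    24: ["hmac-sha-384-192"],
    32: ["hmac-sha-512-256"],
}

ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\), length (\d+)")


def parse_tcpdump_esp(line):
    """Return (spi, seq, udp_payload_len) from a tcpdump 'UDP-encap: ESP(...)' line."""
    m = ESP_RE.search(line)
    if not m:
        raise ValueError("not a UDP-encap ESP line: " + line)
    return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))


def spi_as_srx_ports(spi):
    """The SRX flow trace keys a proto-50 flow on the SPI split into a 'source
    port' (high 16 bits) and 'destination port' (low 16 bits); return that pair."""
    return (spi >> 16) & 0xFFFF, spi & 0xFFFF


def consistent_icv_sizes(esp_len, cipher):
    """ICV sizes for which the remaining ciphertext is a positive whole number
    of cipher blocks (CBC output must be). Returns {icv_len: [transform names]}."""
    iv_len, block = CIPHERS[cipher]
    body = esp_len - ESP_HEADER_LEN - iv_len
    return {icv: names for icv, names in ICV_SIZES.items()
            if body - icv > 0 and (body - icv) % block == 0}


def plaintext_len_range(esp_len, cipher, icv):
    """Inclusive (min, max) length of the encapsulated IP packet, given 0..block-1
    bytes of padding plus the 2-byte trailer inside the ciphertext."""
    iv_len, block = CIPHERS[cipher]
    ct = esp_len - ESP_HEADER_LEN - iv_len - icv
    return ct - ESP_TRAILER_LEN - (block - 1), ct - ESP_TRAILER_LEN


def classify_udp4500(ip_total_len, ip_hdr_len=20):
    """Classify a UDP/4500 packet from its IP total length alone (what the SRX
    trace's 'packet [N]' gives): RFC 3948 keepalives carry a single 0xFF byte;
    anything shorter than an ESP header cannot be ESP."""
    payload = ip_total_len - ip_hdr_len - 8
    if payload == 1:
        return "nat-t keepalive"
    if payload < ESP_HEADER_LEN:
        return "too short for ESP"
    return "esp-or-ike"


def analyse(lines=TCPDUMP_LINES, cipher="aes-256-cbc"):
    """One report dict per tcpdump ESP line."""
    out = []
    for line in lines.splitlines():
        spi, seq, length = parse_tcpdump_esp(line)
        icvs = consistent_icv_sizes(length, cipher)
        out.append({
            "spi": spi, "seq": seq, "esp_len": length,
            "srx_ports": spi_as_srx_ports(spi),
            "icv_candidates": icvs,
            "inner_len_range": {i: plaintext_len_range(length, cipher, i) for i in icvs},
        })
    return out


if __name__ == "__main__":
    for report in analyse():
        print(report)
    print(classify_udp4500(29), "/", classify_udp4500(160))
```

Run it against your own tcpdump output by replacing TCPDUMP_LINES; if the only consistent ICV size disagrees with the integrity algorithm configured on either end, that is the first thing to settle before reading further into the flow trace.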