This is an illustrated guide to configuring the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX and, through working examples, what the client and server on either side of the NATing SRX see and experience.
AH is not used much anymore, but it is worth knowing that NAT and IPsec AH are inherently incompatible. AH (Authentication Header, RFC 4302) computes its integrity check value (an HMAC; hmac-sha-256-128 in the lab below) over the entire IP packet, outer IP header included, except for the fields that legitimately change in transit (TTL, header checksum, DSCP/ECN, flags and fragment offset, mutable IP options), which are treated as zero for the calculation. Both the source and destination addresses are covered. Any NAT device that rewrites an address in an AH packet therefore invalidates the ICV: the check at the destination gateway fails and the packet is discarded.
We'll do a quick demo of this phenomenon. We'll modify our IPsec tunnel to use AH instead of ESP. We'll also turn off the NAT function of the firewall, SRX-12, so we can first confirm that the tunnel works without NAT in the path.
We set up a new IPsec proposal on both SRX-11 and SRX-13 which uses AH (integrity only, no encryption).
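To make the mechanism concrete before the lab, here is an added example (mine, not code from the original page or from Juniper) that builds an AH packet and an ESP packet following the RFC 4302 / RFC 4303 layouts, pushes each through a model of a plain router (TTL decrement only) and of a source NAT hop, and re-checks the integrity value on the receiving side. The addresses reuse the lab's (192.168.11.11 behind the NAT, rewritten to 172.18.2.224); the key, SPI and payload are made-up constants, and the builders are deliberately simplified (option-less IPv4, null-encryption ESP).

```python
"""Why NAT breaks IPsec AH but not ESP: which bytes the ICV covers.

Added example, not code from the original page or from Juniper. It models
the AH (RFC 4302) and ESP (RFC 4303) formats just far enough to show the
failure; key, SPI and payload are constructed demo values.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_ICMP, IPPROTO_ESP, IPPROTO_AH = 1, 50, 51
ICV_LEN = 16  # hmac-sha-256-128: HMAC-SHA-256 truncated to 128 bits (RFC 4868)

# Constructed values, not taken from the lab.
KEY = b"constructed-demo-integrity-key"
INNER_SRC = "192.168.11.11"   # IPsec peer behind the NAT
INNER_DST = "192.168.13.13"   # IPsec peer on the far side
NAT_SRC = "172.18.2.224"      # address the NAT device substitutes for INNER_SRC
SPI = 0x1234ABCD
PAYLOAD = bytes.fromhex("08000000deadbeef") + b"constructed echo data"  # ICMP-like


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (even-length input)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options (DF set, fixed identification for the demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def forward(packet: bytes, nat_src: str = "") -> bytes:
    """One hop: decrement TTL and fix the header checksum. With nat_src set it
    also rewrites the source address, as source NAT does. Nothing past the IP
    header is touched (protocols 50 and 51 carry no ports to translate)."""
    ip_hdr, rest = packet[:20], packet[20:]
    src = socket.inet_aton(nat_src) if nat_src else ip_hdr[12:16]
    hdr = ip_hdr[:8] + bytes([ip_hdr[8] - 1]) + ip_hdr[9:10] + b"\x00\x00" + src + ip_hdr[16:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + rest


# ---- AH: the ICV covers the IP header as well ----------------------------

def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: mutable IPv4 fields (TOS, flags/fragment offset, TTL,
    header checksum) count as zero for the ICV. Version/IHL, total length,
    identification, protocol and BOTH addresses stay in the hash."""
    assert ip_hdr[0] == 0x45, "demo handles option-less IPv4 headers only"
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    data = ah_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", IPPROTO_ICMP, (12 + ICV_LEN) // 4 - 2, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload


def verify_ah(packet: bytes) -> bool:
    """Receiver-side check: what the far gateway does before it counts an AH authentication failure."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != IPPROTO_AH:
        return False
    ah_len = (rest[1] + 2) * 4
    ah_fixed, icv, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))


# ---- ESP: the ICV starts at the ESP header; the IP header is not covered --

def build_esp_packet(src: str, dst: str, payload: bytes, seq: int = 1) -> bytes:
    """ESP with null encryption and hmac-sha-256-128 integrity, enough to show coverage."""
    pad = (-(len(payload) + 2)) % 4                                  # trailer ends 4-byte aligned
    trailer = bytes(range(1, pad + 1)) + bytes([pad, IPPROTO_ICMP])  # padding, pad len, next header
    body = struct.pack("!II", SPI, seq) + payload + trailer
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN) + body + icv


def verify_esp(packet: bytes) -> bool:
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != IPPROTO_ESP:
        return False
    body, icv = rest[:-ICV_LEN], rest[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN])


def demo() -> dict:
    """Same packets through a plain router hop and through a source-NAT hop."""
    ah = build_ah_packet(INNER_SRC, INNER_DST, PAYLOAD)
    esp = build_esp_packet(INNER_SRC, INNER_DST, PAYLOAD)
    return {
        "ah_after_router": verify_ah(forward(ah)),           # True: TTL is mutable, excluded
        "ah_after_nat": verify_ah(forward(ah, NAT_SRC)),     # False: source address is covered
        "esp_after_nat": verify_esp(forward(esp, NAT_SRC)),  # True: IP header not covered at all
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'ICV ok' if ok else 'ICV FAILED, packet discarded'}")
```

The router case passes because TTL and header checksum are among the fields AH zeroes before hashing, which is exactly why AH survives ordinary routing but not address rewriting; the ESP case passes because its ICV begins at the ESP header, which is also what lets NAT-T wrap ESP in UDP without disturbing anything the ICV protects.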
[edit security ipsec]
proposal AH {
    protocol ah;
    authentication-algorithm hmac-sha-256-128;
    lifetime-seconds 200;
}
policy AH-POL {
    proposals AH;
}
vpn SRX-13 {
    bind-interface st0.0;
    ike {
        gateway SRX-13;
        ipsec-policy AH-POL;
    }
    establish-tunnels on-traffic;
}

[edit security ipsec]
juniper@SRX13# show
proposal AH {
    protocol ah;
    authentication-algorithm hmac-sha-256-128;
    lifetime-seconds 200;
}
policy AH-POL {
    proposals AH;
}
vpn SRX-11 {
    bind-interface st0.0;
    ike {
        gateway SRX-11;
        ipsec-policy AH-POL;
    }
    establish-tunnels on-traffic;
}

[edit security ipsec]
juniper@SRX13#
We adjust the firewall to allow AH through both interfaces in both directions. AH is not one of the predefined junos-* application names, so it is a custom application object (IP protocol 51) defined under [edit applications]; that definition is not shown here. IKE (UDP/500, the predefined junos-ike application) only needs to be permitted from the SRX11 zone, since SRX-11 is the side that initiates the tunnel.

[edit security policies]
juniper@SRX-12# show
from-zone SRX11 to-zone SRX13 {
    policy ALLOW-AH {
        match {
            source-address any;
            destination-address any;
            application AH;
        }
        then {
            permit;
            count;
        }
    }
    policy ALLOW-IKE-500 {
        match {
            source-address any;
            destination-address any;
            application junos-ike;
        }
        then {
            permit;
            count;
        }
    }
    policy ALLOW-PING {
        match {
            source-address any;
            destination-address any;
            application junos-icmp-ping;
        }
        then {
            permit;
        }
    }
    policy DENY-ALL {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}
from-zone SRX13 to-zone SRX11 {
    policy ALLOW-AH {
        match {
            source-address any;
            destination-address any;
            application AH;
        }
        then {
            permit;
        }
    }
}
policy-rematch;

[edit security policies]
juniper@SRX-12#
We start some traffic flowing over the AH version of our IPSEC tunnel to confirm that it works. The client can talk to the server.
juniper@client:~$ ping -c 5 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.
64 bytes from 10.80.80.80: icmp_req=1 ttl=62 time=6.26 ms
64 bytes from 10.80.80.80: icmp_req=2 ttl=62 time=5.89 ms
64 bytes from 10.80.80.80: icmp_req=3 ttl=62 time=4.51 ms
64 bytes from 10.80.80.80: icmp_req=4 ttl=62 time=6.43 ms
64 bytes from 10.80.80.80: icmp_req=5 ttl=62 time=5.44 ms

--- 10.80.80.80 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 4.519/5.710/6.431/0.692 ms
juniper@client:~$
SAs are established on both IPSEC tunnel peers.
juniper@SRX-11> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
4736178 UP     8e86ff6a2147d10b  5031bb37d2b60324  Aggressive  192.168.13.13

juniper@SRX-11> show security ipsec security-associations
  Total active tunnels: 1
  ID        Algorithm   SPI       Life:sec/kb  Mon lsys Port  Gateway
  <131073   AH: sha256  73957b7c  182/ unlim   -   root 500   192.168.13.13
  >131073   AH: sha256  904b8798  182/ unlim   -   root 500   192.168.13.13

juniper@SRX-11>

juniper@SRX13> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
3099947 UP     8e86ff6a2147d10b  5031bb37d2b60324  Aggressive  192.168.11.11

juniper@SRX13> show security ipsec security-associations
  Total active tunnels: 1
  ID          Algorithm   SPI       Life:sec/kb  Mon lsys Port  Gateway
  <268173324  AH: sha256  904b8798  171/ unlim   -   root 500   192.168.11.11
  >268173324  AH: sha256  73957b7c  171/ unlim   -   root 500   192.168.11.11

juniper@SRX13>
And we have sessions on the firewall for our AH traffic. Note that the SRX creates one session per direction for the AH flows (2211 and 2212), each showing the five packets of the ping exchange in its In direction and nothing in its Out direction.

juniper@SRX-12> show security flow session
Session ID: 2203, Policy name: ALLOW-IKE-500/4, Timeout: 28, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 3, Bytes: 408
  Out: 192.168.13.13/500 --> 192.168.11.11/500;udp, If: ge-0/0/5.0, Pkts: 1, Bytes: 216

Session ID: 2211, Policy name: ALLOW-AH/7, Timeout: 1798, Valid
  In: 192.168.11.11/6654 --> 192.168.13.13/34567;ah, If: ge-0/0/4.0, Pkts: 5, Bytes: 660
  Out: 192.168.13.13/34567 --> 192.168.11.11/6654;ah, If: ge-0/0/5.0, Pkts: 0, Bytes: 0

Session ID: 2212, Policy name: ALLOW-AH/8, Timeout: 1798, Valid
  In: 192.168.13.13/34084 --> 192.168.11.11/5895;ah, If: ge-0/0/5.0, Pkts: 5, Bytes: 660
  Out: 192.168.11.11/5895 --> 192.168.13.13/34084;ah, If: ge-0/0/4.0, Pkts: 0, Bytes: 0
Total sessions: 3
juniper@SRX-12>
Next we turn on NAT on our firewall.
juniper@SRX-12# activate security nat

[edit]
juniper@SRX-12# commit
commit complete

[edit]
juniper@SRX-12#
No more pingy!
juniper@client:~$ ping -c 5 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.

--- 10.80.80.80 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4031ms
juniper@client:~$
SRX-11 and SRX-13 still have active SAs for Phase 1 and Phase 2. The IKE cookies and SPIs differ from the earlier output because the 200-second lifetime has forced a rekey in the meantime; IKE itself is plain UDP and negotiates through the NAT, so the control plane looks healthy. Only the AH-protected data packets are affected.

juniper@SRX-11> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
4736179 UP     ae011a16773a18c1  79be49406ab678fa  Aggressive  192.168.13.13

juniper@SRX-11> show security ipsec security-associations
  Total active tunnels: 1
  ID        Algorithm   SPI       Life:sec/kb  Mon lsys Port  Gateway
  <131073   AH: sha256  ad3bee38  108/ unlim   -   root 500   192.168.13.13
  >131073   AH: sha256  2223bbb3  108/ unlim   -   root 500   192.168.13.13

juniper@SRX-11>

juniper@SRX13> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
3099948 UP     ae011a16773a18c1  79be49406ab678fa  Aggressive  192.168.11.11

juniper@SRX13> show security ipsec security-associations
  Total active tunnels: 1
  ID          Algorithm   SPI       Life:sec/kb  Mon lsys Port  Gateway
  <268173324  AH: sha256  2223bbb3  100/ unlim   -   root 500   192.168.11.11
  >268173324  AH: sha256  ad3bee38  100/ unlim   -   root 500   192.168.11.11

juniper@SRX13>
The firewall, SRX-12, has active sessions for the traffic. Sessions 2211 and 2212 are the pre-NAT AH sessions from before, still counting down. Session 2233 is the new post-NAT AH flow: on the way out the source has been translated to 172.18.2.224, and no session ever appears for return traffic from SRX-13, because SRX-13 discards the packets rather than answering. Session 2238 shows the IKE exchange going through the same source translation.

juniper@SRX-12> show security flow session
Session ID: 2211, Policy name: ALLOW-AH/7, Timeout: 1634, Valid
  In: 192.168.11.11/6654 --> 192.168.13.13/34567;ah, If: ge-0/0/4.0, Pkts: 5, Bytes: 660
  Out: 192.168.13.13/34567 --> 192.168.11.11/6654;ah, If: ge-0/0/5.0, Pkts: 0, Bytes: 0

Session ID: 2212, Policy name: ALLOW-AH/8, Timeout: 1634, Valid
  In: 192.168.13.13/34084 --> 192.168.11.11/5895;ah, If: ge-0/0/5.0, Pkts: 5, Bytes: 660
  Out: 192.168.11.11/5895 --> 192.168.13.13/34084;ah, If: ge-0/0/4.0, Pkts: 0, Bytes: 0

Session ID: 2233, Policy name: ALLOW-AH/7, Timeout: 1770, Valid
  In: 192.168.11.11/8739 --> 192.168.13.13/48051;ah, If: ge-0/0/4.0, Pkts: 5, Bytes: 660
  Out: 192.168.13.13/48051 --> 172.18.2.224/7038;ah, If: ge-0/0/5.0, Pkts: 0, Bytes: 0

Session ID: 2238, Policy name: ALLOW-IKE-500/4, Timeout: 60, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 3, Bytes: 408
  Out: 192.168.13.13/500 --> 172.18.2.224/23705;udp, If: ge-0/0/5.0, Pkts: 1, Bytes: 216
Total sessions: 4
juniper@SRX-12>
But now on the side that received the NATed traffic, SRX-13, the AH authentication failure counter is climbing and the packets are being discarded: SRX-11 computed the ICV over a header whose source address was 192.168.11.11, and SRX-13 checks it against a header that now says 172.18.2.224.

juniper@SRX13> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            0
  Decrypted bytes:            0
  Encrypted packets:          0
  Decrypted packets:          0
AH Statistics:
  Input bytes:          5399940
  Output bytes:         8485620
  Input packets:          64285
  Output packets:         64285
Errors:
  AH authentication failures: 4, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
juniper@SRX13>
Note that NAT-T (RFC 3948) only defines UDP encapsulation for ESP; AH is explicitly out of its scope, so there is no negotiation that can rescue this. It is just broken and will never work with a NAT in the path, and the only way out is to get the NAT off the path or to carry the AH traffic inside something else. Time for some GRE tunnel nastiness.