This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the SRX doing the NATing see and experience, through working examples.
The quick and easy fix might seem to be just adjusting some of the IP addresses so that both sides of the IKE exchange agree on who each other is. The only way this will work reliably is if the NAT'd IP pairing is constant. The big change is that the two sides of the IKE exchange can no longer use their IP addresses to identify each other, because the IPs mutate along the way. We need to tell IKE to use something else for the identity check. For this hack of a fix, we'll force the ID that the initiator uses to be its post-NAT IP address, and tell the responder to expect a session from the reflexive IP that the initiator winds up with. The reflexive IP for our NAT'd session is 172.18.2.12. So we use local-identity 172.18.2.12 on SRX-11, and 172.18.2.12 as the address of our gateway on SRX-13.
One caveat here: in order for this to work, we need to allow NAT-T (UDP port 4500) to pass through SRX-12. NAT-T will be discussed in detail in the "proper" fix in the next section.
We modify the config on SRX-11 to the following:
modified SRX-11 config
[edit security ike]
juniper@SRX-11# show
traceoptions {
    file ike.log size 10m;
    flag ike;
}
proposal REKEY-ALOT {
    authentication-method pre-shared-keys;
    dh-group group1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 180;
}
policy IKE-POL {
    mode main;
    proposals REKEY-ALOT;
    pre-shared-key ascii-text "$9$byY4ZHqfn/tUj/tuOcSwYgoUjk.PQ36"; ## SECRET-DATA
}
gateway SRX-13 {
    ike-policy IKE-POL;
    address 192.168.13.13;
    local-identity inet 172.18.2.12;
    external-interface lo0.0;
}

[edit security ike]
juniper@SRX-11#
And on SRX-13, the config is modified to the following:
modified SRX-13 config
[edit security ike]
juniper@SRX13# show
traceoptions {
    file ike.log size 10m;
    flag ike;
}
proposal REKEY-ALOT {
    authentication-method pre-shared-keys;
    dh-group group1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 180;
}
policy IKE-POL {
    mode main;
    proposals REKEY-ALOT;
    pre-shared-key ascii-text "$9$YQ4JD.PQ9A0ikA0BIrl24aZikmfT3/C"; ## SECRET-DATA
}
gateway SRX-11 {
    ike-policy IKE-POL;
    address 172.18.2.12;
    external-interface lo0.0;
}

[edit security ike]
juniper@SRX13#
Once we do this, and initiate some traffic from the client towards the server, the VPN tunnel comes back up.
SAs restored on SRX-11
[edit security ike]
juniper@SRX-11# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2735903 UP     0aa64f9c42c91905  64574d3eb3bea0d4  Main           192.168.13.13

[edit security ike]
juniper@SRX-11# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 20e2db45 149/ unlim   -   root 4500  192.168.13.13
  >131073 ESP:aes-cbc-128/md5 aff5ff7a 149/ unlim   -   root 4500  192.168.13.13

[edit security ike]
juniper@SRX-11#
And on SRX-13, we have an SA as well:
SAs restored on SRX-13
[edit security ike]
juniper@SRX13# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 aff5ff7a 139/ unlim   -   root 16960 172.18.2.12
  >131073 ESP:aes-cbc-128/md5 20e2db45 139/ unlim   -   root 16960 172.18.2.12

[edit security ike]
juniper@SRX13#
And the user on the client reports "pingy worky!"
IPSEC VPN connectivity restored for client
juniper@client:~$ ping -c 10 -i .2 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.
64 bytes from 10.80.80.80: icmp_req=1 ttl=62 time=8.59 ms
64 bytes from 10.80.80.80: icmp_req=2 ttl=62 time=5.73 ms
64 bytes from 10.80.80.80: icmp_req=3 ttl=62 time=4.55 ms
64 bytes from 10.80.80.80: icmp_req=4 ttl=62 time=4.93 ms
64 bytes from 10.80.80.80: icmp_req=5 ttl=62 time=6.80 ms
64 bytes from 10.80.80.80: icmp_req=6 ttl=62 time=5.77 ms
64 bytes from 10.80.80.80: icmp_req=7 ttl=62 time=6.48 ms
64 bytes from 10.80.80.80: icmp_req=8 ttl=62 time=6.32 ms
64 bytes from 10.80.80.80: icmp_req=9 ttl=62 time=5.69 ms
64 bytes from 10.80.80.80: icmp_req=10 ttl=62 time=5.15 ms

--- 10.80.80.80 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 1806ms
rtt min/avg/max/mdev = 4.557/6.005/8.593/1.092 ms
juniper@client:~$
But what happens to this session if the reflexive IP address changes for some reason? This could happen because the NAT session timed out and a new one received a different IP from the pool, or because the address used for interface NAT changed when it was reassigned via DHCP. We'll simulate this by replacing the IP address that is being used for interface-based NAT on SRX-12.
changing NAT'ed IP address with interface IP address change on SRX-12
[edit interfaces ge-0/0/5]
juniper@SRX-12# show
unit 0 {
    family inet {
        address 172.18.2.12/24;
    }
    family iso;
}

[edit interfaces ge-0/0/5]
juniper@SRX-12# replace pattern 172.18.2.12 with 172.18.2.122

[edit interfaces ge-0/0/5]
juniper@SRX-12# commit
commit complete

[edit interfaces ge-0/0/5]
juniper@SRX-12#
The client's precious "pingy" is now back to "no worky!"
Client connectivity again broken through IPSEC VPN
juniper@client:~$ ping -i 10 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.
64 bytes from 10.80.80.80: icmp_req=1 ttl=62 time=8.86 ms
64 bytes from 10.80.80.80: icmp_req=2 ttl=62 time=7.69 ms
64 bytes from 10.80.80.80: icmp_req=3 ttl=62 time=18.8 ms
^C
--- 10.80.80.80 ping statistics ---
8 packets transmitted, 3 received, 62% packet loss, time 70031ms
rtt min/avg/max/mdev = 7.696/11.801/18.848/5.006 ms
juniper@client:~$
Inspecting the SRXs on both sides of the tunnel, we find that the IKE SAs went down, and our IPSEC SAs are now stale: SRX-13's IPsec SAs still point at the old gateway 172.18.2.12, while its failed IKE negotiations arrive from 172.18.2.122.
SAs on SRX-11
juniper@SRX-11# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2735908 DOWN   5aac792d789937db  0000000000000000  Main           192.168.13.13

[edit security ike]
juniper@SRX-11# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 8e6254cb 72/ unlim   -   root 4500  192.168.13.13
  >131073 ESP:aes-cbc-128/md5 7edf4177 72/ unlim   -   root 4500  192.168.13.13

[edit security ike]
juniper@SRX-11#
And on the responder:
SAs on SRX-13
juniper@SRX13# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3194450 DOWN   76f9de1f338e9077  375119725a113d12  Any            172.18.2.122
3194452 DOWN   923ee55e52739979  cd1d76b6a472333e  Any            172.18.2.122
3194454 DOWN   8f5e98c9716dac07  0c8cd52fbdbb6c6c  Any            172.18.2.122
3194449 DOWN   41fa28be9f8f6dab  b068ed9c837ed7dd  Any            172.18.2.122
3194453 DOWN   5aac792d789937db  7cf1ec34bfdd81c5  Any            172.18.2.122
3194451 DOWN   a086cdc3bd1801cf  250aae47dcac4857  Any            172.18.2.122
3194455 DOWN   b2a2c1125fbe09c9  6119f4297c8cfe13  Any            172.18.2.122

[edit security ike]
juniper@SRX13# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 7edf4177 64/ unlim   -   root 16960 172.18.2.12
  >131073 ESP:aes-cbc-128/md5 8e6254cb 64/ unlim   -   root 16960 172.18.2.12

[edit security ike]
juniper@SRX13#
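To catch this state before a user reports "no worky", here is an added Python example (not from the original post) that parses the two show outputs above and flags IPsec SAs with no UP IKE SA for their gateway, plus DOWN IKE SAs arriving from an address that matches no IPsec gateway. The sample text is transcribed from the SRX-13 output; its column alignment and the two heuristics are my assumptions, not Junos output or a Juniper tool.

```python
import re
from typing import List, Tuple

# Constructed samples, transcribed from the SRX-13 output above (after SRX-12's NAT address changed).
IKE_SAS_SRX13 = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
3194450 DOWN   76f9de1f338e9077  375119725a113d12  Any   172.18.2.122
3194453 DOWN   5aac792d789937db  7cf1ec34bfdd81c5  Any   172.18.2.122
"""
IPSEC_SAS_SRX13 = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 7edf4177 64/ unlim   -   root 16960 172.18.2.12
  >131073 ESP:aes-cbc-128/md5 8e6254cb 64/ unlim   -   root 16960 172.18.2.12
"""

# One IKE SA row: index, state, two 16-hex-digit cookies, mode, remote address.
IKE_ROW = re.compile(r"^\s*(\d+)\s+(UP|DOWN)\s+[0-9a-f]{16}\s+[0-9a-f]{16}\s+\S+\s+(\S+)\s*$")
# One IPsec SA row: direction marker, SA id, algorithm, 8-hex-digit SPI, ..., port, gateway (last field).
IPSEC_ROW = re.compile(r"^\s*([<>])(\d+)\s+\S+\s+([0-9a-f]{8})\s+.*\s(\d+)\s+(\S+)\s*$")

def parse_ike_sas(text: str) -> List[Tuple[str, str]]:
    """Return (state, remote_address) for each IKE SA row; header lines are skipped."""
    return [(m.group(2), m.group(3)) for m in map(IKE_ROW.match, text.splitlines()) if m]

def parse_ipsec_sas(text: str) -> List[Tuple[str, str, str]]:
    """Return (sa_id, spi, gateway) for each IPsec SA row; header lines are skipped."""
    return [(m.group(2), m.group(3), m.group(5)) for m in map(IPSEC_ROW.match, text.splitlines()) if m]

def check_tunnel_health(ike_text: str, ipsec_text: str) -> List[str]:
    """Stale IPsec SA: its gateway has no UP IKE SA, so it cannot re-key when its lifetime expires.
    Moved peer: an IKE SA is DOWN for an address that no IPsec SA uses as gateway."""
    ike = parse_ike_sas(ike_text)
    ipsec = parse_ipsec_sas(ipsec_text)
    up_peers = {addr for state, addr in ike if state == "UP"}
    gateways = {gw for _, _, gw in ipsec}
    findings = []
    for sa_id, spi, gw in ipsec:
        if gw not in up_peers:
            findings.append(f"stale IPsec SA {sa_id} spi {spi}: no UP IKE SA for gateway {gw}")
    for addr in sorted({addr for state, addr in ike if state == "DOWN"} - gateways):
        findings.append(f"IKE DOWN from {addr}, which matches no IPsec gateway {sorted(gateways)}: peer address changed")
    return findings

if __name__ == "__main__":
    for line in check_tunnel_health(IKE_SAS_SRX13, IPSEC_SAS_SRX13):
        print(line)
```

Run against the healthy SRX-11 output from earlier on the page, the same check returns an empty list.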
To restore the session, we need to manually adjust the IPs on both sides to get our tunnel back up.
Adjusting configuration on SRX-11 to restore IPSEC VPN
[edit security ike]
juniper@SRX-11# replace pattern 172.18.2.12 with 172.18.2.122

[edit security ike]
juniper@SRX-11# commit
commit complete

[edit security ike]
juniper@SRX-11# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2735929 UP     6b18e236484ae0c1  8630eafece85cd9e  Main           192.168.13.13

[edit security ike]
juniper@SRX-11# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 fdad8d74 174/ unlim   -   root 4500  192.168.13.13
  >131073 ESP:aes-cbc-128/md5 7af47132 174/ unlim   -   root 4500  192.168.13.13

[edit security ike]
juniper@SRX-11#
Adjusting configuration on SRX-13 to restore IPSEC VPN
[edit security ike]
juniper@SRX13# replace pattern 172.18.2.12 with 172.18.2.122

[edit security ike]
juniper@SRX13# commit
commit complete

[edit security ike]
juniper@SRX13# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3194475 UP     6b18e236484ae0c1  8630eafece85cd9e  Main           172.18.2.122

[edit security ike]
juniper@SRX13# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/md5 7af47132 156/ unlim   -   root 31234 172.18.2.122
  >131073 ESP:aes-cbc-128/md5 fdad8d74 156/ unlim   -   root 31234 172.18.2.122

[edit security ike]
juniper@SRX13#
A much better way, one that won't require any manual intervention, is discussed in the next section.