This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, along with what the client and server on either side of the NATing SRX see and experience, shown through working sessions.
We're going to run through a short scenario here. First, we start with a working IPSEC tunnel from SRX-11 to SRX-13 through our firewall, SRX-12. The only limiting factor is that SRX-12 only allows traffic to be initiated from the client side (SRX-11) towards the server, so the client side (SRX-11) will always act as the IKE initiator.
Our IPSEC VPN is set to establish its tunnel on traffic, so we'll get a couple of IPSEC Security Associations (SAs) going by kicking off some traffic from the client to the server.
Initiating IPSEC SAs from the client
juniper@client:~$ telnet 10.80.80.80 22
Trying 10.80.80.80...
Connected to 10.80.80.80.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
Protocol mismatch.
Connection closed by foreign host.
juniper@client:~$
The traffic above kicks off IKE negotiations between SRX-11 and SRX-13. Inspecting the IKE process on both sides of the tunnel requires enabling tracing on the IKE process; the traces below serve as a baseline of what a successful IKE negotiation looks like on each side.
IKE trace on SRX-11
[Jan 11 09:22:44]ssh_ike_connect: Start, remote_name = 192.168.13.13:500, xchg = 2, flags = 00090000
[Jan 11 09:22:44]ike_sa_allocate: Start, SA = { e951b46a de8562b0 - 00000000 00000000 }
[Jan 11 09:22:44]ike_init_isakmp_sa: Start, remote = 192.168.13.13:500, initiator = 1
[Jan 11 09:22:44]ssh_ike_connect: SA = { e951b46a de8562b0 - 00000000 00000000}, nego = -1
[Jan 11 09:22:44]ike_st_o_sa_proposal: Start
[Jan 11 09:22:44]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 09:22:44]ike_st_o_private: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 00000000 00000000 } / 00000000, nego = -1
[Jan 11 09:22:44]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 00000000 00000000}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:22:44]ikev2_packet_allocate: Allocated packet 8c27000 from freelist
[Jan 11 09:22:44]ike_sa_find: Not found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:44]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / 00000000, remote = 192.168.13.13:500
[Jan 11 09:22:44]ike_sa_find: Not found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ike_sa_find_half: Found half SA = { e951b46a de8562b0 - 00000000 00000000 }
[Jan 11 09:22:44]ike_sa_upgrade: Start, SA = { e951b46a de8562b0 - 00000000 00000000 } -> { ... - 339a275b e543bb7a }
[Jan 11 09:22:44]ike_decode_packet: Start
[Jan 11 09:22:44]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / 00000000, nego = -1
[Jan 11 09:22:44]ike_decode_payload_sa: Start
[Jan 11 09:22:44]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:22:44]ike_st_i_sa_value: Start
[Jan 11 09:22:44]ike_st_i_cr: Start
[Jan 11 09:22:44]ike_st_i_cert: Start
[Jan 11 09:22:44]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 09:22:44]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 09:22:44]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 09:22:44]ike_st_i_private: Start
[Jan 11 09:22:44]ike_st_o_ke: Start
[Jan 11 09:22:44]ike_st_o_nonce: Start
[Jan 11 09:22:44]ike_policy_reply_isakmp_nonce_data_len: Start
[Jan 11 09:22:44]ike_st_o_private: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / 00000000, nego = -1
[Jan 11 09:22:44]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:22:44]ikev2_packet_allocate: Allocated packet 8c27400 from freelist
[Jan 11 09:22:44]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:44]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / 00000000, remote = 192.168.13.13:500
[Jan 11 09:22:44]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ike_decode_packet: Start
[Jan 11 09:22:44]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / 00000000, nego = -1
[Jan 11 09:22:44]ike_st_i_nonce: Start, nonce[0..16] = f0250a27 c4d220c5 ...
[Jan 11 09:22:44]ike_st_i_ke: Ke[0..96] = a0c378ca 922f9d8b ...
[Jan 11 09:22:44]ike_st_i_cr: Start
[Jan 11 09:22:44]ike_st_i_cert: Start
[Jan 11 09:22:44]ike_st_i_private: Start
[Jan 11 09:22:44]ike_st_o_id: Start
[Jan 11 09:22:44]ike_st_o_hash: Start
[Jan 11 09:22:44]ike_find_pre_shared_key: Find pre shared key key for 192.168.11.11:500, id = ipv4(any:0,[0..3]=192.168.11.11) -> 192.168.13.13:500, id = No Id
[Jan 11 09:22:44]ike_policy_reply_find_pre_shared_key: Start
[Jan 11 09:22:44]ike_calc_mac: Start, initiator = true, local = true
[Jan 11 09:22:44]ike_st_o_status_n: Start
[Jan 11 09:22:44]ike_st_o_private: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 09:22:44]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / 00000000, nego = -1
[Jan 11 09:22:44]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:22:44]ikev2_packet_allocate: Allocated packet 8c27800 from freelist
[Jan 11 09:22:44]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:44]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / 00000000, remote = 192.168.13.13:500
[Jan 11 09:22:44]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ike_decode_packet: Start
[Jan 11 09:22:44]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / 00000000, nego = -1
[Jan 11 09:22:44]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 09:22:44]ike_st_i_id: Start
[Jan 11 09:22:44]ike_st_i_hash: Start, hash[0..20] = 81522cef 35cc3e46 ...
[Jan 11 09:22:44]ike_calc_mac: Start, initiator = true, local = false
[Jan 11 09:22:44]ike_st_i_cert: Start
[Jan 11 09:22:44]ike_st_i_private: Start
[Jan 11 09:22:44]ike_st_o_wait_done: Marking for waiting for done
[Jan 11 09:22:44]ike_st_o_all_done: MESSAGE: Phase 1 { 0xe951b46a de8562b0 - 0x339a275b e543bb7a } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1,
[Jan 11 09:22:44]192.168.11.11:500 (Initiator) <-> 192.168.13.13:500 { e951b46a de8562b0 - 339a275b e543bb7a [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sh
[Jan 11 09:22:44]ike_send_notify: Connected, SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1
[Jan 11 09:22:44]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Jan 11 09:22:44]ike_alloc_negotiation: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a}
[Jan 11 09:22:44]ssh_ike_connect_ipsec: SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = 0
[Jan 11 09:22:44]ike_init_qm_negotiation: Start, initiator = 1, message_id = f1fe4b0a
[Jan 11 09:22:44]ike_st_o_qm_hash_1: Start
[Jan 11 09:22:44]ike_st_o_qm_sa_proposals: Start
[Jan 11 09:22:44]ike_st_o_qm_nonce: Start
[Jan 11 09:22:44]ike_policy_reply_qm_nonce_data_len: Start
[Jan 11 09:22:44]ike_st_o_qm_optional_ke: Start
[Jan 11 09:22:44]ike_st_o_qm_optional_ids: Start
[Jan 11 09:22:44]ike_st_qm_optional_id: Start
[Jan 11 09:22:44]ike_st_qm_optional_id: Start
[Jan 11 09:22:44]ike_st_o_private: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 09:22:44]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / f1fe4b0a, nego = 0
[Jan 11 09:22:44]ike_finalize_qm_hash_1: Hash[0..20] = e1edf343 d7a3e745 ...
[Jan 11 09:22:44]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = 0, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:22:44]ikev2_packet_allocate: Allocated packet 8c27c00 from freelist
[Jan 11 09:22:44]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:44]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / f1fe4b0a, remote = 192.168.13.13:500
[Jan 11 09:22:44]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:44]ike_st_o_done: ISAKMP SA negotiation done
[Jan 11 09:22:44]ike_send_notify: Connected, SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1
[Jan 11 09:22:44]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 09:22:44]ike_free_negotiation: Start, nego = -1
[Jan 11 09:22:44]ike_decode_packet: Start
[Jan 11 09:22:44]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / f1fe4b0a, nego = 0
[Jan 11 09:22:44]ike_decode_payload_sa: Start
[Jan 11 09:22:44]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:22:44]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 09:22:44]ike_st_i_qm_hash_2: Start, hash[0..20] = 07851e6b 8a612c69 ...
[Jan 11 09:22:44]ike_st_i_qm_sa_values: Start
[Jan 11 09:22:44]ike_st_i_qm_nonce: Nonce[0..16] = 49e930f5 7299393b ...
[Jan 11 09:22:44]ike_st_i_status_n: Start, doi = 1, protocol = 3, code = unknown (40001), spi[0..4] = a376bbf8 00000000 ..., data[0..8] = 00010004 c0a8010c ...
[Jan 11 09:22:44]QM notification `(null)' (40001) (size 8 bytes) from 192.168.13.13 for protocol ESP spi[0...3]=a3 76 bb f8
[Jan 11 09:22:44]ike_st_i_private: Start
[Jan 11 09:22:44]ike_st_o_qm_hash_3: Start
[Jan 11 09:22:44]ike_st_o_private: Start
[Jan 11 09:22:44]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:44]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 09:22:44]:500 (Initiator) <-> 192.168.13.13:500 { e951b46a de8562b0 - 339a275b e543bb7a [0] / 0xf1fe4b0a } QM; MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 09:22:44]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 09:22:44] :500 (Initiator) <-> 192.168.13.13:500 { e951b46a de8562b0 - 339a275b e543bb7a [0] / 0xf1fe4b0a } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, tunnel, hmac-md5-96, Extended seq not used, key len =
[Jan 11 09:22:44]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, tunnel, hmac-md5-96, Extended seq not used, key len = 128, key rounds = 0
[Jan 11 09:22:44]ike_st_o_qm_wait_done: Marking for waiting for done
[Jan 11 09:22:44]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / f1fe4b0a, nego = 0
[Jan 11 09:22:44]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = 0, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 09:22:44]ike_send_notify: Connected, SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = 0
IKE trace on SRX-13
[Jan 11 09:22:43]ikev2_packet_allocate: Allocated packet 8c2a000 from freelist
[Jan 11 09:22:43]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:43]ike_get_sa: Start, SA = { e951b46a de8562b0 - 00000000 00000000 } / 00000000, remote = 192.168.11.11:500
[Jan 11 09:22:43]ike_sa_allocate: Start, SA = { e951b46a de8562b0 - fca917a3 ff487289 }
[Jan 11 09:22:43]ike_init_isakmp_sa: Start, remote = 192.168.11.11:500, initiator = 0
[Jan 11 09:22:43]ike_decode_packet: Start
[Jan 11 09:22:43]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / 00000000, nego = -1
[Jan 11 09:22:43]ike_decode_payload_sa: Start
[Jan 11 09:22:43]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 09:22:43]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 09:22:43]ike_st_i_sa_proposal: Start
[Jan 11 09:22:43]ike_isakmp_sa_reply: Start
[Jan 11 09:22:43]ike_state_restart_packet: Start, restart packet SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1
[Jan 11 09:22:43]ike_st_i_sa_proposal: Start
[Jan 11 09:22:43]ike_st_i_cr: Start
[Jan 11 09:22:43]ike_st_i_cert: Start
[Jan 11 09:22:43]ike_st_i_private: Start
[Jan 11 09:22:43]ike_st_o_sa_values: Start
[Jan 11 09:22:43]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 09:22:43]ike_st_o_private: Start
[Jan 11 09:22:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:43]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / 00000000, nego = -1
[Jan 11 09:22:43]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1, dst = 192.168.11.11:500, routing table id = 0
[Jan 11 09:22:43]ikev2_packet_allocate: Allocated packet 8c2a400 from freelist
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:43]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / 00000000, remote = 192.168.11.11:500
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ike_decode_packet: Start
[Jan 11 09:22:43]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / 00000000, nego = -1
[Jan 11 09:22:43]ike_st_i_nonce: Start, nonce[0..16] = a816ee5b b91e6f6c ...
[Jan 11 09:22:43]ike_st_i_ke: Ke[0..96] = d55636fb 94cf9835 ...
[Jan 11 09:22:43]ike_st_i_cr: Start
[Jan 11 09:22:43]ike_st_i_cert: Start
[Jan 11 09:22:43]ike_st_i_private: Start
[Jan 11 09:22:43]ike_st_o_ke: Start
[Jan 11 09:22:43]ike_st_o_nonce: Start
[Jan 11 09:22:43]ike_policy_reply_isakmp_nonce_data_len: Start
[Jan 11 09:22:43]ike_find_pre_shared_key: Find pre shared key key for 192.168.13.13:500, id = No Id -> 192.168.11.11:500, id = No Id
[Jan 11 09:22:43]ike_policy_reply_find_pre_shared_key: Start
[Jan 11 09:22:43]ike_state_restart_packet: Start, restart packet SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1
[Jan 11 09:22:43]ike_find_pre_shared_key: Find pre shared key key for 192.168.13.13:500, id = No Id -> 192.168.11.11:500, id = No Id
[Jan 11 09:22:43]ike_st_o_private: Start
[Jan 11 09:22:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:43]ike_st_o_calc_skeyid: Calculating skeyid
[Jan 11 09:22:43]ike_find_pre_shared_key: Find pre shared key key for 192.168.13.13:500, id = No Id -> 192.168.11.11:500, id = No Id
[Jan 11 09:22:43]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / 00000000, nego = -1
[Jan 11 09:22:43]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1, dst = 192.168.11.11:500, routing table id = 0
[Jan 11 09:22:43]ikev2_packet_allocate: Allocated packet 8c2a800 from freelist
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:43]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / 00000000, remote = 192.168.11.11:500
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ike_decode_packet: Start
[Jan 11 09:22:43]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / 00000000, nego = -1
[Jan 11 09:22:43]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 09:22:43]ike_st_i_id: Start
[Jan 11 09:22:43]ike_st_i_hash: Start, hash[0..20] = 060be3ba 7b10b8af ...
[Jan 11 09:22:43]ike_calc_mac: Start, initiator = false, local = false
[Jan 11 09:22:43]ike_st_i_cert: Start
[Jan 11 09:22:43]ike_st_i_status_n: Start, doi = 1, protocol = 1, code = Initial contact notification (24578), spi[0..16] = e951b46a de8562b0 ..., data[0..0] = 00000000 00000000 ...
[Jan 11 09:22:43]ike_st_i_private: Start
[Jan 11 09:22:43]ike_st_o_id: Start
[Jan 11 09:22:43]ike_policy_reply_isakmp_id: Start
[Jan 11 09:22:43]ike_state_restart_packet: Start, restart packet SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1
[Jan 11 09:22:43]ike_st_o_id: Start
[Jan 11 09:22:43]ike_st_o_hash: Start
[Jan 11 09:22:43]ike_calc_mac: Start, initiator = false, local = true
[Jan 11 09:22:43]ike_st_o_status_n: Start
[Jan 11 09:22:43]ike_st_o_private: Start
[Jan 11 09:22:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:43]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 09:22:43]ike_st_o_wait_done: Marking for waiting for done
[Jan 11 09:22:43]ike_st_o_all_done: MESSAGE: Phase 1 { 0xe951b46a de8562b0 - 0x339a275b e543bb7a } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Responder, cipher = aes-cbc, hash = sha1, prf = hmac-sha1,
[Jan 11 09:22:43]192.168.13.13:500 (Responder) <-> 192.168.11.11:500 { e951b46a de8562b0 - 339a275b e543bb7a [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sh
[Jan 11 09:22:43]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / 00000000, nego = -1
[Jan 11 09:22:43]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1, dst = 192.168.11.11:500, routing table id = 0
[Jan 11 09:22:43]ike_send_notify: Connected, SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1
[Jan 11 09:22:43]ikev2_packet_allocate: Allocated packet 8c2ac00 from freelist
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:43]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / f1fe4b0a, remote = 192.168.11.11:500
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ike_st_o_done: ISAKMP SA negotiation done
[Jan 11 09:22:43]ike_send_notify: Connected, SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = -1
[Jan 11 09:22:43]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 09:22:43]ike_free_negotiation: Start, nego = -1
[Jan 11 09:22:43]ike_alloc_negotiation: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a}
[Jan 11 09:22:43]ike_init_qm_negotiation: Start, initiator = 0, message_id = f1fe4b0a
[Jan 11 09:22:43]ike_decode_packet: Start
[Jan 11 09:22:43]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / f1fe4b0a, nego = 0
[Jan 11 09:22:43]ike_decode_payload_sa: Start
[Jan 11 09:22:43]ike_decode_payload_t: Start, # trans = 1
[Jan 11 09:22:43]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 09:22:43]ike_st_i_qm_hash_1: Start, hash[0..20] = e1edf343 d7a3e745 ...
[Jan 11 09:22:43]ike_st_i_qm_nonce: Nonce[0..16] = db7c273e 7a58213c ...
[Jan 11 09:22:43]ike_st_i_qm_sa_proposals: Start
[Jan 11 09:22:43]ike_qm_sa_reply: Start
[Jan 11 09:22:43]ike_qm_sa_reply: Selected proposal 0, and transform 0 for protocol 0
[Jan 11 09:22:43]ike_state_restart_packet: Start, restart packet SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = 0
[Jan 11 09:22:43]ike_st_i_qm_sa_proposals: Start
[Jan 11 09:22:43]ike_st_i_status_n: Start, doi = 1, protocol = 0, code = unknown (40001), spi[0..4] = a376bbf8 00000000 ..., data[0..8] = 00010004 c0a8010b ...
[Jan 11 09:22:43]:500 (Responder) <-> 192.168.11.11:500 { e951b46a de8562b0 - 339a275b e543bb7a [0] / 0xf1fe4b0a } QM; Invalid protocol_id = 0
[Jan 11 09:22:43]QM notification `(null)' (40001) (size 8 bytes) from 192.168.11.11 for protocol Reserved spi[0...3]=a3 76 bb f8
[Jan 11 09:22:43]ike_st_i_private: Start
[Jan 11 09:22:43]ike_st_o_qm_hash_2: Start
[Jan 11 09:22:43]ike_st_o_qm_sa_values: Start
[Jan 11 09:22:43]ike_st_o_qm_nonce: Start
[Jan 11 09:22:43]ike_policy_reply_qm_nonce_data_len: Start
[Jan 11 09:22:43]ike_st_o_qm_optional_ke: Start
[Jan 11 09:22:43]ike_st_o_qm_optional_ids: Start
[Jan 11 09:22:43]ikev2_fb_qm_local_id: Using ipv4_subnet(any:0,[0..7]=0.0.0.0/0) as local QM identity
[Jan 11 09:22:43]ike_policy_reply_qm_local_id: Start
[Jan 11 09:22:43]ikev2_fb_qm_remote_id: Using ipv4_subnet(any:0,[0..7]=0.0.0.0/0) as remote QM identity
[Jan 11 09:22:43]ike_policy_reply_qm_remote_id: Start
[Jan 11 09:22:43]ike_st_qm_optional_id: Start
[Jan 11 09:22:43]ike_st_qm_optional_id: Start
[Jan 11 09:22:43]ike_st_o_qm_optional_responder_lifetime_n: Start
[Jan 11 09:22:43]ike_st_o_private: Start
[Jan 11 09:22:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:43]ike_policy_reply_private_payload_out: Start
[Jan 11 09:22:43]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 09:22:43]ike_encode_packet: Start, SA = { 0xe951b46a de8562b0 - 339a275b e543bb7a } / f1fe4b0a, nego = 0
[Jan 11 09:22:43]ike_send_packet: Start, send SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = 0, dst = 192.168.11.11:500, routing table id = 0
[Jan 11 09:22:43]ikev2_packet_allocate: Allocated packet 8c2b000 from freelist
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 09:22:43]ike_get_sa: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a } / f1fe4b0a, remote = 192.168.11.11:500
[Jan 11 09:22:43]ike_sa_find: Found SA = { e951b46a de8562b0 - 339a275b e543bb7a }
[Jan 11 09:22:43]ike_decode_packet: Start
[Jan 11 09:22:43]ike_decode_packet: Start, SA = { e951b46a de8562b0 - 339a275b e543bb7a} / f1fe4b0a, nego = 0
[Jan 11 09:22:43]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 09:22:43]ike_st_i_qm_hash_3: Start, hash[0..20] = 96264e8f 63907f19 ...
[Jan 11 09:22:43]ike_st_i_private: Start
[Jan 11 09:22:43] :500 (Responder) <-> 192.168.11.11:500 { e951b46a de8562b0 - 339a275b e543bb7a [0] / 0xf1fe4b0a } QM; MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 09:22:43]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 09:22:43] :500 (Responder) <-> 192.168.11.11:500 { e951b46a de8562b0 - 339a275b e543bb7a [0] / 0xf1fe4b0a } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, tunnel, hmac-md5-96, Extended seq not used, key len =
[Jan 11 09:22:43]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, tunnel, hmac-md5-96, Extended seq not used, key len = 128, key rounds = 0
[Jan 11 09:22:43]ike_st_o_qm_wait_done: Marking for waiting for done
[Jan 11 09:22:43]ike_send_notify: Connected, SA = { e951b46a de8562b0 - 339a275b e543bb7a}, nego = 0
The SAs on SRX-11 show that IKE has completed its Phase I and Phase II processes.
Phase 1 and 2 SAs on SRX-11
juniper@SRX-11# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
2735571 UP     e951b46ade8562b0  339a275be543bb7a  Main  192.168.13.13

[edit security]
juniper@SRX-11# run show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm            SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073 ESP:aes-cbc-128/md5  f8bb76a3  168/ unlim   -    root  500   192.168.13.13
  >131073 ESP:aes-cbc-128/md5  7d19844f  168/ unlim   -    root  500   192.168.13.13

[edit security]
juniper@SRX-11#
And the SAs on SRX-13 show that it has also completed its Phase I and Phase II negotiations successfully.
Phase 1 and 2 SAs on SRX-13
[edit security]
juniper@SRX13# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
3194115 UP     e951b46ade8562b0  339a275be543bb7a  Main  192.168.11.11

[edit security]
juniper@SRX13# run show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm            SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073 ESP:aes-cbc-128/md5  7d19844f  158/ unlim   -    root  500   192.168.11.11
  >131073 ESP:aes-cbc-128/md5  f8bb76a3  158/ unlim   -    root  500   192.168.11.11

[edit security]
juniper@SRX13#
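The two SA tables above are the quickest way to prove the peers agree on the tunnel: the IKE cookie pair is identical on both ends, and SRX-11's inbound ESP SPI (f8bb76a3) is SRX-13's outbound SPI, and vice versa. The following script is an added example, not part of the original guide; it parses both peers' "show security ike/ipsec security-associations" output (embedded here as constructed copies of the tables above) and reports any disagreement. It also handles one detail visible in the traces: the IKE trace prints the ESP SPI as a376bbf8 while the SA table shows f8bb76a3, so the byte order must be reversed before comparing a trace value against the table.

```python
import re

# Constructed copies of the SA tables shown above for SRX-11 and SRX-13.
SRX11_IKE = """Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
2735571 UP     e951b46ade8562b0  339a275be543bb7a  Main  192.168.13.13"""
SRX11_IPSEC = """  Total active tunnels: 1
  ID      Algorithm            SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073 ESP:aes-cbc-128/md5  f8bb76a3  168/ unlim   -    root  500   192.168.13.13
  >131073 ESP:aes-cbc-128/md5  7d19844f  168/ unlim   -    root  500   192.168.13.13"""
SRX13_IKE = """Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
3194115 UP     e951b46ade8562b0  339a275be543bb7a  Main  192.168.11.11"""
SRX13_IPSEC = """  Total active tunnels: 1
  ID      Algorithm            SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073 ESP:aes-cbc-128/md5  7d19844f  158/ unlim   -    root  500   192.168.11.11
  >131073 ESP:aes-cbc-128/md5  f8bb76a3  158/ unlim   -    root  500   192.168.11.11"""

IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$")
IPSEC_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_ike(text):
    """One dict per IKE SA row; header and prompt lines do not match the row pattern."""
    sas = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            idx, state, icookie, rcookie, mode, remote = m.groups()
            sas.append({"index": int(idx), "state": state, "icookie": icookie,
                        "rcookie": rcookie, "mode": mode, "remote": remote})
    return sas


def parse_ipsec(text):
    """One dict per IPsec SA row; '<' is the inbound SA, '>' the outbound SA."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            d, sid, alg, spi, life_s, life_kb, mon, lsys, port, gw = m.groups()
            sas.append({"dir": "in" if d == "<" else "out", "id": int(sid), "alg": alg,
                        "spi": spi, "life_sec": int(life_s.rstrip("/")),
                        "port": int(port), "gateway": gw})
    return sas


def spi_from_trace(trace_spi):
    """The IKE trace prints the ESP SPI with the bytes in the opposite order to the
    SA table (trace a376bbf8 vs table f8bb76a3 above); reverse the byte order."""
    return bytes.fromhex(trace_spi)[::-1].hex()


def cross_check(ike_a, ipsec_a, ike_b, ipsec_b):
    """Compare peer A's SA tables against peer B's. Returns a list of
    discrepancies; an empty list means both ends agree on the tunnel."""
    problems = []
    ike1, ike2 = parse_ike(ike_a), parse_ike(ike_b)
    if len(ike1) != 1 or len(ike2) != 1:
        return ["expected exactly one IKE SA on each peer"]
    for name, sa in (("A", ike1[0]), ("B", ike2[0])):
        if sa["state"] != "UP":
            problems.append(f"IKE SA on {name} is {sa['state']}")
    if (ike1[0]["icookie"], ike1[0]["rcookie"]) != (ike2[0]["icookie"], ike2[0]["rcookie"]):
        problems.append("IKE cookie pair differs between peers")
    sa1 = {s["dir"]: s for s in parse_ipsec(ipsec_a)}
    sa2 = {s["dir"]: s for s in parse_ipsec(ipsec_b)}
    # A's inbound SA is B's outbound SA and vice versa: same SPI, same algorithm.
    for mine, theirs in (("in", "out"), ("out", "in")):
        x, y = sa1.get(mine), sa2.get(theirs)
        if x is None or y is None:
            problems.append(f"missing {mine}/{theirs} IPsec SA")
            continue
        if x["spi"] != y["spi"]:
            problems.append(f"SPI mismatch: A {mine} {x['spi']} vs B {theirs} {y['spi']}")
        if x["alg"] != y["alg"]:
            problems.append(f"algorithm mismatch: {x['alg']} vs {y['alg']}")
    return problems


if __name__ == "__main__":
    print(cross_check(SRX11_IKE, SRX11_IPSEC, SRX13_IKE, SRX13_IPSEC) or "peers agree")
    print("trace SPI a376bbf8 ->", spi_from_trace("a376bbf8"))
```

In practice the four strings would be filled from the output of the two commands on each peer; a non-empty result from cross_check is the first thing to look at when one side reports the tunnel up and the other does not.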
We can also view the IKE process by snooping traffic on any of the links between the SRXes. All of the snooping we do will be on the link between SRX-11 and SRX-12, using tcpdump -nvv udp port 500. The raw packets may be downloaded from the link in the original article. Here is the packet exchange for the trace files and sessions above:
PCAP for IKE
10:22:44.908758 IP (tos 0xc0, ttl 64, id 4656, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=e951b46ade8562b0 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=28)
10:22:44.922681 IP (tos 0xc0, ttl 63, id 5720, offset 0, flags [none], proto UDP (17), length 188)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 R ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (vid: len=16) (vid: len=16) (vid: len=28)
10:22:44.933759 IP (tos 0xc0, ttl 64, id 4657, offset 0, flags [none], proto UDP (17), length 224)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 I ident: (ke: key len=96) (nonce: n len=16 data=(a816ee5bb91e6f6c4bad...78c7a4147523f623f06855ca943ced9d4c530895)) (pay20) (pay20)
10:22:44.951310 IP (tos 0xc0, ttl 63, id 5721, offset 0, flags [none], proto UDP (17), length 224)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 R ident: (ke: key len=96) (nonce: n len=16 data=(f0250a27c4d220c5936c...5dc394eeeaea4f18e7a3b63346ef94c80aad8686)) (pay20) (pay20)
10:22:44.963751 IP (tos 0xc0, ttl 64, id 4658, offset 0, flags [none], proto UDP (17), length 120)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 I ident[E]: [encrypted id]
10:22:44.971818 IP (tos 0xc0, ttl 63, id 5722, offset 0, flags [none], proto UDP (17), length 104)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 R ident[E]: [encrypted id]
10:22:44.983740 IP (tos 0xc0, ttl 64, id 4659, offset 0, flags [none], proto UDP (17), length 216)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid f1fe4b0a cookie e951b46ade8562b0->339a275be543bb7a: phase 2/others I oakley-quick[E]: [encrypted hash]
10:22:45.001172 IP (tos 0xc0, ttl 63, id 5723, offset 0, flags [none], proto UDP (17), length 216)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid f1fe4b0a cookie e951b46ade8562b0->339a275be543bb7a: phase 2/others R oakley-quick[E]: [encrypted hash]
10:22:45.013529 IP (tos 0xc0, ttl 64, id 4660, offset 0, flags [none], proto UDP (17), length 88)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid f1fe4b0a cookie e951b46ade8562b0->339a275be543bb7a: phase 2/others I oakley-quick[E]: [encrypted hash]
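The capture shows the textbook IKEv1 shape: six main-mode messages (msgid 00000000, alternating I/R, the last two encrypted) followed by three quick-mode messages under one non-zero message id, all encrypted, every one of them initiated from the client side as the scenario requires. The script below is an added example, not part of the original guide: it parses tcpdump's ISAKMP summary lines (a constructed copy of the capture above, with payload detail trimmed) and reports anything that departs from that shape, which is how you would spot a negotiation that stalls, a responder that never answers, or an IKE exchange started from the wrong side of the firewall.

```python
import re

# Constructed from the tcpdump -nvv capture shown above, in the two-line layout
# tcpdump -v prints; the payload detail after each exchange type is trimmed.
CAPTURE = """\
10:22:44.908758 IP (tos 0xc0, ttl 64, id 4656, offset 0, flags [none], proto UDP (17), length 316)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->0000000000000000: phase 1 I ident: (sa: ...)
10:22:44.922681 IP (tos 0xc0, ttl 63, id 5720, offset 0, flags [none], proto UDP (17), length 188)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 R ident: (sa: ...)
10:22:44.933759 IP (tos 0xc0, ttl 64, id 4657, offset 0, flags [none], proto UDP (17), length 224)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 I ident: (ke: key len=96) (nonce: ...)
10:22:44.951310 IP (tos 0xc0, ttl 63, id 5721, offset 0, flags [none], proto UDP (17), length 224)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 R ident: (ke: key len=96) (nonce: ...)
10:22:44.963751 IP (tos 0xc0, ttl 64, id 4658, offset 0, flags [none], proto UDP (17), length 120)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 I ident[E]: [encrypted id]
10:22:44.971818 IP (tos 0xc0, ttl 63, id 5722, offset 0, flags [none], proto UDP (17), length 104)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie e951b46ade8562b0->339a275be543bb7a: phase 1 R ident[E]: [encrypted id]
10:22:44.983740 IP (tos 0xc0, ttl 64, id 4659, offset 0, flags [none], proto UDP (17), length 216)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid f1fe4b0a cookie e951b46ade8562b0->339a275be543bb7a: phase 2/others I oakley-quick[E]: [encrypted hash]
10:22:45.001172 IP (tos 0xc0, ttl 63, id 5723, offset 0, flags [none], proto UDP (17), length 216)
    192.168.13.13.isakmp > 192.168.11.11.isakmp: [udp sum ok] isakmp 1.0 msgid f1fe4b0a cookie e951b46ade8562b0->339a275be543bb7a: phase 2/others R oakley-quick[E]: [encrypted hash]
10:22:45.013529 IP (tos 0xc0, ttl 64, id 4660, offset 0, flags [none], proto UDP (17), length 88)
    192.168.11.11.isakmp > 192.168.13.13.isakmp: [udp sum ok] isakmp 1.0 msgid f1fe4b0a cookie e951b46ade8562b0->339a275be543bb7a: phase 2/others I oakley-quick[E]: [encrypted hash]
"""

PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?(?P<src>\d+\.\d+\.\d+\.\d+)\.isakmp > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.isakmp: .*?isakmp 1\.0 msgid (?P<msgid>[0-9a-f]{8}) "
    r"cookie (?P<ic>[0-9a-f]{16})->(?P<rc>[0-9a-f]{16}): "
    r"phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<xchg>[a-z-]+)(?P<enc>\[E\])?:")

ZERO_COOKIE = "0" * 16


def join_continuations(text):
    """tcpdump -v prints the IP header and the ISAKMP summary on separate lines;
    fold indented continuation lines back onto their packet line."""
    out = []
    for line in text.splitlines():
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_capture(text):
    pkts = []
    for line in join_continuations(text):
        m = PKT.match(line)
        if m:
            d = m.groupdict()
            d["encrypted"] = d.pop("enc") is not None
            pkts.append(d)
    return pkts


def analyse_exchange(pkts):
    """Summarise one IKEv1 negotiation; an empty anomaly list means a complete
    main-mode plus quick-mode exchange initiated by the first packet's source."""
    if not pkts:
        return {"anomalies": ["no ISAKMP packets"]}
    anomalies = []
    initiator, responder = pkts[0]["src"], pkts[0]["dst"]
    p1 = [p for p in pkts if p["phase"] == "1"]
    p2 = [p for p in pkts if p["phase"] != "1"]
    # One IKE SA: a single initiator cookie, responder cookie zero only in message 1.
    if {p["ic"] for p in pkts} != {pkts[0]["ic"]}:
        anomalies.append("more than one initiator cookie in the capture")
    later_rcs = {p["rc"] for p in pkts[1:]}
    if pkts[0]["rc"] != ZERO_COOKIE or len(later_rcs) != 1 or ZERO_COOKIE in later_rcs:
        anomalies.append("responder cookie not established in message 2")
    # Roles must agree with the addresses: every I from the initiator, every R from the responder.
    for p in pkts:
        if p["src"] != (initiator if p["role"] == "I" else responder):
            anomalies.append(f"{p['role']} message from unexpected source {p['src']} at {p['ts']}")
    # Main mode: six messages I/R/I/R/I/R, msgid zero, identity messages 5-6 encrypted.
    roles1 = "".join(p["role"] for p in p1)
    if roles1 != "IRIRIR" or any(p["msgid"] != "00000000" for p in p1):
        anomalies.append(f"phase 1 is not a complete main-mode exchange (roles {roles1 or '-'})")
    elif [p["encrypted"] for p in p1] != [False] * 4 + [True] * 2:
        anomalies.append("phase 1 identity messages not encrypted")
    # Quick mode: three messages I/R/I under one non-zero message id, all encrypted.
    roles2 = "".join(p["role"] for p in p2)
    msgids = {p["msgid"] for p in p2}
    if roles2 != "IRI" or len(msgids) != 1 or "00000000" in msgids:
        anomalies.append(f"phase 2 is not a complete quick-mode exchange (roles {roles2 or '-'})")
    elif not all(p["encrypted"] for p in p2):
        anomalies.append("unencrypted quick-mode message")
    return {"initiator": initiator, "responder": responder, "phase1_messages": len(p1),
            "phase2_messages": len(p2), "anomalies": anomalies}


if __name__ == "__main__":
    print(analyse_exchange(parse_capture(CAPTURE)))
```

Feed it the text output of tcpdump -nvv udp port 500 taken on the SRX-11/SRX-12 link; a truncated capture, or one where an I message arrives from the server side, shows up in the anomaly list rather than having to be read out of the raw lines.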
Our firewall in the middle, SRX-12, has two sessions installed to support our VPN tunnel: one on UDP port 500 for IKE, and one for ESP carrying our actual encrypted traffic.
IKE and ESP flows on SRX-12
juniper@SRX-12# run show security flow session
Session ID: 241, Policy name: ALLOW-ESP/4, Timeout: 1688, Valid
  In: 192.168.11.11/0 --> 192.168.13.13/0;esp, If: ge-0/0/4.0, Pkts: 7, Bytes: 968
  Out: 192.168.13.13/0 --> 192.168.11.11/0;esp, If: ge-0/0/5.0, Pkts: 6, Bytes: 880

Session ID: 253, Policy name: ALLOW-IKE-500/5, Timeout: 54, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 3, Bytes: 408
  Out: 192.168.13.13/500 --> 192.168.11.11/500;udp, If: ge-0/0/5.0, Pkts: 1, Bytes: 216
Total sessions: 2

[edit security]
juniper@SRX-12#
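The flow table on SRX-12 is a useful thing to baseline: between these two gateways only an IKE session (udp/500) and an ESP session should ever exist, and because SRX-12 only permits client-initiated traffic, the In wing of every session should originate from SRX-11. The script below is an added example and not part of the original guide; it parses "show security flow session" output (a constructed copy of the table above) and flags any session outside that baseline, including a session initiated from the server side. The session-wing field names and the baseline tuple are this example's own assumptions.

```python
import re

# Constructed copy of the "show security flow session" output on SRX-12 above.
FLOW_OUTPUT = """\
Session ID: 241, Policy name: ALLOW-ESP/4, Timeout: 1688, Valid
  In: 192.168.11.11/0 --> 192.168.13.13/0;esp, If: ge-0/0/4.0, Pkts: 7, Bytes: 968
  Out: 192.168.13.13/0 --> 192.168.11.11/0;esp, If: ge-0/0/5.0, Pkts: 6, Bytes: 880

Session ID: 253, Policy name: ALLOW-IKE-500/5, Timeout: 54, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 3, Bytes: 408
  Out: 192.168.13.13/500 --> 192.168.11.11/500;udp, If: ge-0/0/5.0, Pkts: 1, Bytes: 216
Total sessions: 2
"""

SESSION = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING = re.compile(r"^\s+(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")

# Baseline (assumed for this example): the only flows SRX-12 should carry between
# the two VPN gateways, keyed on the In wing as (proto, source port, destination port).
GATEWAYS = {"192.168.11.11", "192.168.13.13"}
ALLOWED = {("udp", 500, 500), ("esp", 0, 0)}


def parse_sessions(text):
    """Return a list of sessions, each with its 'In' and 'Out' wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION.match(line)
        if m:
            sid, policy, timeout, state = m.groups()
            sessions.append({"id": int(sid), "policy": policy, "timeout": int(timeout),
                             "state": state, "wings": {}})
            continue
        m = WING.match(line)
        if m and sessions:
            d, src, sport, dst, dport, proto, ifname, pkts, byts = m.groups()
            sessions[-1]["wings"][d] = {"src": src, "sport": int(sport), "dst": dst,
                                        "dport": int(dport), "proto": proto, "if": ifname,
                                        "pkts": int(pkts), "bytes": int(byts)}
    return sessions


def audit(sessions, client="192.168.11.11"):
    """List sessions that fall outside the IKE/ESP baseline, plus any baseline
    session whose In wing (the initiating direction) did not come from the client."""
    findings = []
    for s in sessions:
        w = s["wings"].get("In")
        if w is None:
            findings.append(f"session {s['id']}: no In wing")
            continue
        key = (w["proto"], w["sport"], w["dport"])
        if {w["src"], w["dst"]} != GATEWAYS or key not in ALLOWED:
            findings.append(f"session {s['id']}: unexpected flow {w['src']}/{w['sport']} -> "
                            f"{w['dst']}/{w['dport']} {w['proto']} (policy {s['policy']})")
        elif w["src"] != client:
            findings.append(f"session {s['id']}: {w['proto']} session initiated from the server side {w['src']}")
    return findings


if __name__ == "__main__":
    print(audit(parse_sessions(FLOW_OUTPUT)) or "flow table matches the IKE/ESP baseline")
```

Run against the live output this gives a one-line answer to "is SRX-12 carrying anything other than the tunnel?", and it catches the specific policy violation this scenario cares about, a session initiated from the server side.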
By inspecting the IPSEC statistics on SRX-11, we can see that the IPSEC tunnel is doing its job of encrypting and decrypting traffic.
IPSEC statistics on SRX-11
juniper@SRX-11# run show security ipsec statistics
ESP Statistics:
  Encrypted bytes:        258457296
  Decrypted bytes:        229110576
  Encrypted packets:         440090
  Decrypted packets:         440081
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

[edit security]
juniper@SRX-11#