
[ScreenOS] How to interpret SPI from Passthrough ESP session


Article ID: KB11322  Last Updated: 16 Oct 2013  Version: 4.0
Summary:

This article explains how to find the SPI of passthrough ESP traffic from the session table in ScreenOS.

Symptoms:
For passthrough ESP traffic, the Juniper firewall creates a parent session with SRC and DST ports equal to 0. It also creates a child session for each direction, keyed on the SPI, so three sessions are created in total for one passthrough ESP session; whenever there is a VPN rekey (or the SPI otherwise changes), a new child session is created.

From the example below, how do I calculate or find the SPI information?

Here is an example:
MGT2-A(M)-> get sess
slot 1: sw alloc 52/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 1000012
slot 2: hw0 alloc 4/max 1048576
slot 2: hw1 alloc 0/max 1048576
id 999997/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 1000003
 if 8(nspflag 804004):10.128.0.10/10599->1.1.1.10/57633,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
 if 20(nspflag 4001):10.128.0.10/10599<-1.1.1.10/57633,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
id 1000002/s0*,vsys 1,flag 00200440/0000/0003,policy 320002,time 6, dip 0 module 0
 if 20(nspflag 0001):1.1.1.10/500->10.128.0.10/500,17,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 800004):1.1.1.10/500<-10.128.0.10/500,17,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
id 1000003/s0*,vsys 1,flag 00201440/4400/0013,policy 320002,time 180, dip 0 module 0
 if 8(nspflag 800005):10.128.0.10/0->1.1.1.10/0,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
 if 20(nspflag 0000):10.128.0.10/0<-1.1.1.10/0,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
id 1000005/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 1000003
 if 8(nspflag 800005):10.128.0.10/35312->1.1.1.10/65458,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
 if 20(nspflag 0000):10.128.0.10/35312<-1.1.1.10/65458,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
Total 4 sessions shown

The following shows the SPIs of the ESP traffic between 1.1.1.10 and 10.128.0.10 passing through an NS5200 running in Route mode.
VPN-Responder-> get sa ac
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
0001000b< 1.1.1.10         500 esp: des/null e1212967 28769 unlim A/U    21 0
0001000b> 1.1.1.10         500 esp: des/null 89f0ffb2 28769 unlim A/U    22 0

VPN-Initiator-> get sa ac
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
0001000b<     10.128.0.10  500 esp: des/null 89f0ffb2 28798 unlim A/U    21 0
0001000b>     10.128.0.10  500 esp: des/null e1212967 28798 unlim A/U    22 0
Cause:

Solution:
To derive the SPI of passthrough ESP traffic, find the corresponding child ESP session in the session table. Here is an example:

To find the SPI for:
SPI to 1.1.1.10 => 89F0FFB2
SPI to 10.128.0.10 => E1212967


Identify the ESP Session SRC and DST port:

ESP Session handling ESP traffic from 10.128.0.10 to 1.1.1.10 (see above)
id 1000005/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 1000003
 if 8(nspflag 800005):10.128.0.10/35312->1.1.1.10/65458,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
 if 20(nspflag 0000):10.128.0.10/35312<-1.1.1.10/65458,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29

Hex value of SRC / DST port:
  SRC port 35312=>89F0
  DST port 65458=>FFB2
  Example: SPI = SRC port + DST port (hex values concatenated) = 89F0FFB2

ESP session handling ESP traffic from 1.1.1.10 to 10.128.0.10 (see above)
id 999997/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 1000003
 if 8(nspflag 804004):10.128.0.10/10599->1.1.1.10/57633,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
 if 20(nspflag 4001):10.128.0.10/10599<-1.1.1.10/57633,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29

Hex value of SRC / DST port:
SRC port 10599=>2967
DST port 57633=>E121

Example: SPI = DST port + SRC port (hex values concatenated) = E1212967
(Note that the SRC and DST ports are swapped here because this session handles traffic in the opposite direction, but child sessions are only created in one direction, following the parent session.)

Below is another example for a session created in the opposite direction:
MGT2-A(M)-> get sess
slot 1: sw alloc 53/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 1000011
slot 2: hw0 alloc 5/max 1048576
slot 2: hw1 alloc 0/max 1048576
id 999996/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 999998
 if 20(nspflag 4000):1.1.1.10/65450->10.128.0.10/35312,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 804005):1.1.1.10/65450<-10.128.0.10/35312,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
id 999998/s0*,vsys 1,flag 00201440/0400/0013,policy 320002,time 180, dip 0 module 0
 if 20(nspflag 0001):1.1.1.10/0->10.128.0.10/0,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 0004):1.1.1.10/0<-10.128.0.10/0,50,000000000000,sess token 32,vlan 502,tun 0,vsd 0,route 2
id 999999/s0*,vsys 1,flag 00201440/0800/0013,policy 320002,time 180, dip 0 module 0,parent 999998
 if 20(nspflag 4001):1.1.1.10/57633->10.128.0.10/10591,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 800004):1.1.1.10/57633<-10.128.0.10/10591,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
id 1000006/s0*,vsys 1,flag 00201440/0800/0013,policy 320002,time 168, dip 0 module 0,parent 999998
 if 20(nspflag 4001):1.1.1.10/57633->10.128.0.10/10590,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 800004):1.1.1.10/57633<-10.128.0.10/10590,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
id 1000009/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 168, dip 0 module 0,parent 999998
 if 20(nspflag 4000):1.1.1.10/65449->10.128.0.10/35312,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 804005):1.1.1.10/65449<-10.128.0.10/35312,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
Total 5 sessions shown

MGT2-A(M)->
VPN-Responder-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
0001000b< 1.1.1.10         500 esp:3des/sha1 e121295f  1680 unlim A/U    21 0
0001000b> 1.1.1.10         500 esp:3des/sha1 89f0ffaa  1680 unlim A/U    22 0 


VPN-Initiator-> get sa ac
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
0001000b<     10.128.0.10  500 esp:3des/sha1 89f0ffaa  1718 unlim A/U    21 0
0001000b>     10.128.0.10  500 esp:3des/sha1 e121295f  1718 unlim A/U    22 0

SPI:
SPI to 1.1.1.10 => 89F0FFAA
SPI to 10.128.0.10 => E121295F

Identify the ESP Session SRC and DST port:

ESP session handling ESP traffic from 1.1.1.10 to 10.128.0.10:
id 999999/s0*,vsys 1,flag 00201440/0800/0013,policy 320002,time 180, dip 0 module 0,parent 999998
 if 20(nspflag 4001):1.1.1.10/57633->10.128.0.10/10591,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 800004):1.1.1.10/57633<-10.128.0.10/10591,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
Hex value of SRC / DST port:
SRC port 57633=>E121
DST port 10591=>295F
Example: SPI = SRC port + DST port (hex values concatenated) = E121295F

ESP session handling ESP traffic from 10.128.0.10 to 1.1.1.10:
id 999996/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 999998
 if 20(nspflag 4000):1.1.1.10/65450->10.128.0.10/35312,50,000000000000,sess token 33,vlan 0,tun 40010001,vsd 0,route 29
 if 8(nspflag 804005):1.1.1.10/65450<-10.128.0.10/35312,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2

Hex value of SRC / DST port:
SRC port 65450=>FFAA
DST port 35312=>89F0

Example: SPI = DST port + SRC port (hex values concatenated) = 89F0FFAA (again, the child session runs in the opposite direction, so the ports are swapped)
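
The procedure worked through in both examples above (take the child ESP session's SRC and DST ports, convert each to 16-bit hex, and concatenate them in one order or the other depending on the child's direction), as an added Python example that is not from this KB or from Juniper. It parses `get sess` and `get sa` output constructed from the article's first example; because the direction of a child session is not evident from its own line, it computes both port orderings and matches them against the SA table, so the ordering that matches tells you which direction the child session actually carries.

```python
import re

# Constructed sample input, copied from the article's first "get sess" / "get sa ac"
# outputs (the "<-" reverse lines and the IKE session are omitted for brevity).
GET_SESS = """\
id 999997/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 1000003
 if 8(nspflag 804004):10.128.0.10/10599->1.1.1.10/57633,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
id 1000003/s0*,vsys 1,flag 00201440/4400/0013,policy 320002,time 180, dip 0 module 0
 if 8(nspflag 800005):10.128.0.10/0->1.1.1.10/0,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
id 1000005/s0*,vsys 1,flag 00201440/4800/0013,policy 320002,time 180, dip 0 module 0,parent 1000003
 if 8(nspflag 800005):10.128.0.10/35312->1.1.1.10/65458,50,0010db2a35a5,sess token 32,vlan 502,tun 0,vsd 0,route 2
"""
GET_SA = """\
0001000b< 1.1.1.10         500 esp: des/null e1212967 28769 unlim A/U    21 0
0001000b> 1.1.1.10         500 esp: des/null 89f0ffb2 28769 unlim A/U    22 0
"""

FLOW_RE = re.compile(r"^\s+if \d+\(nspflag [0-9a-f]+\):(\S+)/(\d+)->(\S+)/(\d+),(\d+),")
SA_RE = re.compile(r"esp:\s*\S+\s+([0-9a-f]{8})\s", re.IGNORECASE)


def child_esp_sessions(sess_output):
    """{session_id: (src_ip, src_port, dst_ip, dst_port)} for ESP (proto 50) child sessions."""
    sessions, sid = {}, None
    for line in sess_output.splitlines():
        if line.startswith("id "):  # only 'id' lines carrying ',parent N' are child sessions
            sid = int(line[3:].split("/")[0]) if ",parent " in line else None
            continue
        m = FLOW_RE.match(line)  # the '->' line gives the port pair; '<-' lines are ignored
        if sid is not None and m and m.group(5) == "50":
            sessions[sid] = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            sid = None
    return sessions


def sa_spis(sa_output):
    """Set of SPIs (as ints) read from the SPI column of 'get sa' output."""
    return {int(m.group(1), 16) for m in map(SA_RE.search, sa_output.splitlines()) if m}


def spi_candidates(src_port, dst_port):
    """SRC+DST when the child runs in the parent's direction, DST+SRC when it is reversed."""
    return {"src+dst": (src_port << 16) | dst_port, "dst+src": (dst_port << 16) | src_port}


def map_sessions_to_spis(sess_output, sa_output):
    """{session_id: (spi_hex, order)}; the matching order reveals the child's real direction."""
    known, result = sa_spis(sa_output), {}
    for sid, (_, sp, _, dp) in child_esp_sessions(sess_output).items():
        for order, value in spi_candidates(sp, dp).items():
            if value in known:
                result[sid] = (f"{value:08X}", order)
    return result
```

A child session whose port pair matches neither ordering against the current SA table is one left over from before a rekey (the SPI changed, so a new child was created beside it).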

Note that this behavior should apply to ScreenOS 5.4 and 6.0 as of the time this KB was written.