
[SRX] Traffic loss when IPsec VPN is terminated on loopback interface


Article ID: KB22129 KB Last Updated: 21 Jun 2021Version: 9.0
Summary:
 

This article describes why traffic loss may be seen while using a loopback interface as the IKE gateway egress interface, and when the loopback and external interfaces are in different security zones. It details the configuration adjustments that would be required to prevent such traffic loss.

Note: This article is applicable to all SRX devices.

 

Symptoms:
 

Topology (diagram not reproduced in this text)

Configuration Reference

set security ike gateway gate1 ike-policy ike_pol
set security ike gateway gate1 address 100.1.1.1
set security ike gateway gate1 external-interface lo0.0

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone loopback_test interfaces lo0.0 host-inbound-traffic system-services ike

set security policies from-zone untrust to-zone loopback_test policy vpn_setup match source-address any
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match destination-address 10.10.10.1
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match application junos-ike
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match application esp
set security policies from-zone untrust to-zone loopback_test policy vpn_setup then permit

set security policies from-zone trust to-zone vpn policy egress_vpn match source-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match destination-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match application any
set security policies from-zone trust to-zone vpn policy egress_vpn then permit

set security policies from-zone vpn to-zone trust policy ingress_vpn match source-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match destination-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match application any
set security policies from-zone vpn to-zone trust policy ingress_vpn then permit

set applications application esp protocol esp
 

Example packet flow trace showing packet loss 

May 14 21:12:42 21:12:42.589212:CID-0:RT:<192.168.2.1/0->192.168.1.1/1785;1> matched filter to_vpn:
May 14 21:12:42 21:12:42.589212:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
May 14 21:12:42 21:12:42.589212:CID-0:RT:  ge-0/0/1.0:192.168.2.1->192.168.1.1, icmp, (8/0)
May 14 21:12:42 21:12:42.589212:CID-0:RT:Doing DESTINATION addr route-lookup
May 14 21:12:42 21:12:42.589212:CID-0:RT:  routed (x_dst_ip 192.168.1.1) from trust (ge-0/0/1.0 in 0) to st0.0, Next-hop: 192.168.1.1
May 14 21:12:42 21:12:42.589212:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone vpn (0x0,0x6f9,0x6f9)
May 14 21:12:42 21:12:42.589212:CID-0:RT:  permitted by policy egress_vpn(4)
May 14 21:12:42 21:12:42.589212:CID-0:RT:  route lookup: dest-ip 192.168.2.1 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 7 out-zone 7 vsd 0
May 14 21:12:42 21:12:42.589212:CID-0:RT:  route to 192.168.2.1
May 14 21:12:42 21:12:42.589212:CID-0:RT:tunnel not ready nsp 0x611bfda0, nsp_tunnel 0x611bfe30, nspflag 0x621
May 14 21:12:42 21:12:42.589212:CID-0:RT:flow_ipv4_rt_lkup success 100.1.1.1, iifl 0x0, oifl 0x46
May 14 21:12:42 21:12:42.589212:CID-0:RT:'external-interface'(lo0.0) and 'routing-interface'(ge-0/0/0.0) belong to different zones. Re-route failed, pkt dropped.

 

Cause:
 

VPN IKE gateways that use a loopback interface as the egress interface are not supported when the loopback and physical external interfaces are in different security zones.

 

Solution:
 

When a loopback interface is used as the external interface for an IKE gateway, the VPN is effectively terminated on the loopback interface. In that scenario there are two configuration requirements, because packets arriving on the physical interface must be delivered internally to the loopback interface (the re-route that fails in the trace above).

  • The loopback interface and the external physical interface used in the VPN configuration for the gateway must be configured in the same security zone.

  • An intra-zone security policy must allow for both IKE and ESP traffic.

Below are the configuration adjustments necessary for a supported working design:

Intra-Zone Policy

set security policies from-zone untrust to-zone untrust policy vpn_setup match source-address any
set security policies from-zone untrust to-zone untrust policy vpn_setup match destination-address 10.10.10.1
set security policies from-zone untrust to-zone untrust policy vpn_setup match application esp
set security policies from-zone untrust to-zone untrust policy vpn_setup match application junos-ike
set security policies from-zone untrust to-zone untrust policy vpn_setup then permit

Security Zones for Physical Egress and Loopback Interfaces

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike

set security policies from-zone trust to-zone vpn policy egress_vpn match source-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match destination-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match application any
set security policies from-zone trust to-zone vpn policy egress_vpn then permit

set security policies from-zone vpn to-zone trust policy ingress_vpn match source-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match destination-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match application any
set security policies from-zone vpn to-zone trust policy ingress_vpn then permit

Custom Application for ESP Traffic

set applications application esp protocol esp

Note: This behavior holds true for both policy-based and route-based VPNs. The only configuration changes required are those shown above; the rest of the VPN configuration is unchanged.

 

Modification History:
 
  • 2021-06-21: Removed Junos OS Release 12.1X44 from Summary because it is EOS/EOL

  • 2021-04-19: Article check for validity in context of resolution guide; article found accurate

  • 2020-07-28: Updated configuration requirements for clarity

  • 2019-05-30: Major rework. Added topology, configuration, packet trace output, and a more detailed solution.

 
