[SRX] Traffic Loss when IPSec VPN is terminated on loopback interface

  [KB22129]


Summary:

This article describes the traffic loss seen when a loopback interface is used as the IKE gateway external-interface and that loopback interface and the physical interface that routes to the peer are placed in different security zones.

This article is applicable to all SRX Devices.

Note: On SRX high-end (SRX-HE) platforms, lo0 VPN termination in a chassis cluster is supported as of Junos 12.1X44, using 'redundant-pseudo-interface-options' on the loopback unit.

Symptoms:

Clear-text traffic from the trust zone that should be encrypted into the VPN is dropped. In the flow trace the packet is routed to st0.0, the tunnel is reported as not ready, and the packet is then discarded when the flow module tries to re-route it towards the IKE peer via the loopback external-interface.

Topology:

Configuration Reference (only the VPN-relevant statements are shown; the lo0.0 address, the address-book entry named 10.10.10.1 that the policies reference, the IKE policy ike_pol and the route to the remote network are not reproduced here):

set security ike gateway gate1 ike-policy ike_pol
set security ike gateway gate1 address 100.1.1.1
set security ike gateway gate1 external-interface lo0.0

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone loopback_test interfaces lo0.0 host-inbound-traffic system-services ike

set security policies from-zone untrust to-zone loopback_test policy vpn_setup match source-address any
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match destination-address 10.10.10.1
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match application junos-ike
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match application esp
set security policies from-zone untrust to-zone loopback_test policy vpn_setup then permit

set security policies from-zone trust to-zone vpn policy egress_vpn match source-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match destination-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match application any
set security policies from-zone trust to-zone vpn policy egress_vpn then permit

set security policies from-zone vpn to-zone trust policy ingress_vpn match source-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match destination-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match application any
set security policies from-zone vpn to-zone trust policy ingress_vpn then permit

set applications application esp protocol esp

Example packet flow trace showing the packet loss (to_vpn is the packet-filter configured under security flow traceoptions for this capture):

    May 14 21:12:42 21:12:42.589212:CID-0:RT:<192.168.2.1/0->192.168.1.1/1785;1> matched filter to_vpn:
    May 14 21:12:42 21:12:42.589212:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
    May 14 21:12:42 21:12:42.589212:CID-0:RT:  ge-0/0/1.0:192.168.2.1->192.168.1.1, icmp, (8/0)
    May 14 21:12:42 21:12:42.589212:CID-0:RT:Doing DESTINATION addr route-lookup
    May 14 21:12:42 21:12:42.589212:CID-0:RT:  routed (x_dst_ip 192.168.1.1) from trust (ge-0/0/1.0 in 0) to st0.0, Next-hop: 192.168.1.1
    May 14 21:12:42 21:12:42.589212:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone vpn (0x0,0x6f9,0x6f9)
    May 14 21:12:42 21:12:42.589212:CID-0:RT:  permitted by policy egress_vpn(4)
    May 14 21:12:42 21:12:42.589212:CID-0:RT:  route lookup: dest-ip 192.168.2.1 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 orig-zone 7 out-zone 7 vsd 0
    May 14 21:12:42 21:12:42.589212:CID-0:RT:  route to 192.168.2.1
    May 14 21:12:42 21:12:42.589212:CID-0:RT:tunnel not ready nsp 0x611bfda0, nsp_tunnel 0x611bfe30, nspflag 0x621
    May 14 21:12:42 21:12:42.589212:CID-0:RT:flow_ipv4_rt_lkup success 100.1.1.1, iifl 0x0, oifl 0x46
    May 14 21:12:42 21:12:42.589212:CID-0:RT:'external-interface'(lo0.0) and 'routing-interface'(ge-0/0/0.0) belong to different zones. Re-route failed, pkt dropped.

Cause:

An IKE gateway whose external-interface is a loopback unit is supported only when that loopback unit and the physical interface that routes to the IKE peer are in the same security zone. When they are in different zones, the flow module cannot re-route the outbound packet from the routing interface to the loopback external-interface, and the packet is dropped, as the last line of the trace above shows.

Solution:

When the loopback interface is configured as the external-interface of the IKE gateway, the VPN is terminated on the loopback interface: IKE and ESP packets arrive on the physical interface and are delivered internally to lo0. For this internal delivery to work, the loopback interface and the physical external interface that routes to the peer must be in the same security zone.

Note: Because both interfaces are now in one zone, the IKE and ESP traffic between them is intra-zone traffic, and an intra-zone security policy must permit both junos-ike and the ESP application. The loopback unit also needs host-inbound-traffic system-services ike so the device accepts IKE on it.

Below are the configuration adjustments necessary for a supported working design:

set security policies from-zone untrust to-zone untrust policy vpn_setup match source-address any
set security policies from-zone untrust to-zone untrust policy vpn_setup match destination-address 10.10.10.1
set security policies from-zone untrust to-zone untrust policy vpn_setup match application esp
set security policies from-zone untrust to-zone untrust policy vpn_setup match application junos-ike
set security policies from-zone untrust to-zone untrust policy vpn_setup then permit

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike

set security policies from-zone trust to-zone vpn policy egress_vpn match source-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match destination-address any
set security policies from-zone trust to-zone vpn policy egress_vpn match application any
set security policies from-zone trust to-zone vpn policy egress_vpn then permit

set security policies from-zone vpn to-zone trust policy ingress_vpn match source-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match destination-address any
set security policies from-zone vpn to-zone trust policy ingress_vpn match application any
set security policies from-zone vpn to-zone trust policy ingress_vpn then permit

set applications application esp protocol esp

Note: This behavior holds true for both policy-based and route-based VPNs. Only the zone placement of lo0.0 and the corresponding intra-zone policy change, as shown above; the rest of the VPN configuration stays the same.
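The following is an added pre-change check, not part of the article or of Juniper's tooling. It parses Junos 'set'-format configuration and reports the unsupported design from the Cause section (loopback external-interface and the interface that routes to the peer in different zones) and, for loopback-terminated gateways, the two requirements from the Solution section: host-inbound-traffic system-services ike on the lo0 unit and a permitting intra-zone policy for junos-ike and an ESP application. The two configuration fragments embedded below are copied from the article; the mapping of the peer address to the routing interface is an assumption (on a real device it comes from 'show route <peer-address>', which the configuration fragment alone does not determine).

```python
"""Lint for SRX IKE gateways that terminate on a loopback unit (KB22129 condition).

Added example, not from the KB. Parses 'set ...' configuration lines and reports:
  - external-interface and routing interface in different security zones (Cause section),
  - for lo0 external-interfaces: missing host-inbound-traffic ike, missing intra-zone
    policy permitting junos-ike and an ESP application (Solution section).
"""
import re

SET_RE = re.compile(r"^\s*set\s+(.*\S)\s*$")

# Fragments copied from the article: the failing design and the corrected one.
BROKEN_CONFIG = """
set security ike gateway gate1 address 100.1.1.1
set security ike gateway gate1 external-interface lo0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone loopback_test interfaces lo0.0 host-inbound-traffic system-services ike
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match application junos-ike
set security policies from-zone untrust to-zone loopback_test policy vpn_setup match application esp
set security policies from-zone untrust to-zone loopback_test policy vpn_setup then permit
set applications application esp protocol esp
"""

FIXED_CONFIG = """
set security ike gateway gate1 address 100.1.1.1
set security ike gateway gate1 external-interface lo0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike
set security policies from-zone untrust to-zone untrust policy vpn_setup match application esp
set security policies from-zone untrust to-zone untrust policy vpn_setup match application junos-ike
set security policies from-zone untrust to-zone untrust policy vpn_setup then permit
set applications application esp protocol esp
"""

# Assumption: 'show route 100.1.1.1' on the device points out ge-0/0/0.0 in both designs.
ROUTING_IFL = {"100.1.1.1": "ge-0/0/0.0"}


def parse_set_config(text):
    """Extract only the statements the lint needs from 'set ...' lines."""
    cfg = {"gateways": {}, "zone_of": {}, "ike_inbound": set(), "policies": {}, "esp_apps": set()}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        t = m.group(1).split()
        if t[:3] == ["security", "ike", "gateway"] and len(t) >= 6:
            cfg["gateways"].setdefault(t[3], {})[t[4]] = t[5]       # e.g. external-interface lo0.0
        elif t[:3] == ["security", "zones", "security-zone"] and len(t) >= 6 and t[4] == "interfaces":
            cfg["zone_of"][t[5]] = t[3]                               # ifl -> zone
            if t[6:9] == ["host-inbound-traffic", "system-services", "ike"]:
                cfg["ike_inbound"].add(t[5])
        elif t[:3] == ["security", "policies", "from-zone"] and len(t) >= 8 and t[4] == "to-zone" and t[6] == "policy":
            pol = cfg["policies"].setdefault((t[3], t[5], t[7]), {"apps": set(), "permit": False})
            if t[8:10] == ["match", "application"] and len(t) > 10:
                pol["apps"].add(t[10])
            elif t[8:10] == ["then", "permit"]:
                pol["permit"] = True
        elif t[:2] == ["applications", "application"] and len(t) >= 5 and t[3] == "protocol" and t[4] in ("esp", "50"):
            cfg["esp_apps"].add(t[2])                                 # custom application carrying ESP
    return cfg


def lint_loopback_termination(cfg, routing_ifl):
    """Return a list of findings; an empty list means the design is supported."""
    findings = []
    for name, gw in cfg["gateways"].items():
        ext, peer = gw.get("external-interface"), gw.get("address")
        if ext is None or peer is None:
            continue
        ext_zone = cfg["zone_of"].get(ext)
        r_ifl = routing_ifl.get(peer)
        r_zone = cfg["zone_of"].get(r_ifl)
        if ext_zone is None or r_zone is None:
            findings.append(f"{name}: {ext} or routing interface {r_ifl} is not in a security zone")
            continue
        if ext_zone != r_zone:
            # The trace condition: external-interface and routing-interface in different zones.
            findings.append(f"{name}: external-interface {ext} is in zone {ext_zone} but traffic to "
                            f"{peer} leaves {r_ifl} in zone {r_zone}; re-route will fail")
            continue
        if not ext.startswith("lo0."):
            continue
        if ext not in cfg["ike_inbound"]:
            findings.append(f"{name}: {ext} has no host-inbound-traffic system-services ike")
        # Same zone now, so IKE and ESP need a permitting intra-zone policy.
        ike_ok = esp_ok = False
        for (fz, tz, _pname), pol in cfg["policies"].items():
            if fz == tz == ext_zone and pol["permit"]:
                ike_ok |= "junos-ike" in pol["apps"] or "any" in pol["apps"]
                esp_ok |= "any" in pol["apps"] or bool(pol["apps"] & cfg["esp_apps"])
        if not ike_ok:
            findings.append(f"{name}: no intra-zone {ext_zone} policy permits junos-ike")
        if not esp_ok:
            findings.append(f"{name}: no intra-zone {ext_zone} policy permits an ESP application")
    return findings


def lint_text(text, routing_ifl=ROUTING_IFL):
    return lint_loopback_termination(parse_set_config(text), routing_ifl)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_text(text) or ["OK"])
```

Run it against the candidate configuration (for example the output of 'show configuration | display set') before committing; the routing interface for the peer is taken from 'show route <peer-address>'. The ESP check accepts any custom application whose protocol is esp or 50, since Junos has no predefined ESP application and the article defines its own.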

Modification History:
2019-05-30: Major rework. Added topology, configuration, packet trace output, and a more detailed solution.