[Junos] How Stateful Firewall detects ESP packets

Article ID: KB35317   KB Last Updated: 04 Jan 2020   Version: 1.0

Summary:

For IPsec ESP traffic, the stateful firewall shows 4 sessions instead of the expected 2, and 2 of those sessions have zero counters. This article explains why.

Symptoms:

These are the IPsec SAs as seen from each peer:

Local gateway: 10.0.1.2, Remote gateway: 192.168.0.1
  inbound   C949 D4B8  0           tunnel     dynamic  ESP      
  outbound  F4B8 82AD  0           tunnel     dynamic  ESP      
 
Local gateway: 192.168.0.1, Remote gateway: 10.0.1.2
  inbound   F4B8 82AD  0           tunnel     dynamic  ESP      
  outbound  C949 D4B8  0           tunnel     dynamic  ESP      


This is what the stateful firewall shows for the same IPsec tunnel between the two peers:

ESP         192.168.0.1:51529 ->        10.0.1.2:54456 Forward  O   1197
ESP            10.0.1.2:54456 ->     192.168.0.1:51529 Forward  I      0

ESP            10.0.1.2:62648 ->     192.168.0.1:33453 Forward  I   1197
ESP         192.168.0.1:33453 ->        10.0.1.2:62648 Forward  O      0

Solution:

ESP has no port field like TCP or UDP, so the stateful firewall (SFW) fills the port columns of its ESP session entries from the outbound SPI (the last 2 bytes of the SPI appear as the port number). In the output below, the decimal port numbers have been converted to hexadecimal so that the mapping to the SPI is easier to see.

Because each side uses a different outbound SPI, two sessions are created: the return traffic never matches the forward session, since it carries a different SPI.

This session is created by traffic originating from 192.168.0.1 with SPI C949D4B8:

ESP    192.168.0.1:C949  ->        10.0.1.2:D4B8  Forward  O    1197
ESP       10.0.1.2:D4B8  ->     192.168.0.1:C949  Forward  I       0

 
This session is created by traffic originating from 10.0.1.2 with SPI F4B882AD:

ESP       10.0.1.2:F4B8  ->     192.168.0.1:82AD  Forward  I     1197
ESP    192.168.0.1:82AD  ->        10.0.1.2:F4B8  Forward  O        0

Local gateway: 10.0.1.2, Remote gateway: 192.168.0.1
    inbound   C949 D4B8  0           tunnel     dynamic  ESP      
    outbound  F4B8 82AD  0           tunnel     dynamic  ESP      
 
Local gateway: 192.168.0.1, Remote gateway: 10.0.1.2
    inbound   F4B8 82AD  0           tunnel     dynamic  ESP      
    outbound  C949 D4B8  0           tunnel     dynamic  ESP      
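
The mapping described above can be checked mechanically rather than by converting ports by hand. The following Python script is an added example and is not part of the KB article or any Juniper tooling: it parses the SFW session table and the SA output shown in this article (embedded here as constructed sample input), converts the decimal port fields back to hexadecimal, rebuilds the 32-bit SPI and matches each session to the gateway whose outbound SPI it carries. Entries whose two halves are swapped are the auto-created return entries that stay at zero; an ESP entry whose SPI belongs to no current SA is flagged as unmatched for follow-up. The regular expressions assume the column layout shown in this article.

```python
"""Added example: rebuild ESP SPIs from Junos stateful-firewall (SFW) session
entries and match them against the IPsec SA table."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the SFW session table and SA output from the article.
SFW_SESSIONS = """\
ESP         192.168.0.1:51529 ->        10.0.1.2:54456 Forward  O   1197
ESP            10.0.1.2:54456 ->     192.168.0.1:51529 Forward  I      0
ESP            10.0.1.2:62648 ->     192.168.0.1:33453 Forward  I   1197
ESP         192.168.0.1:33453 ->        10.0.1.2:62648 Forward  O      0
"""
IPSEC_SAS = """\
Local gateway: 10.0.1.2, Remote gateway: 192.168.0.1
  inbound   C949 D4B8  0           tunnel     dynamic  ESP
  outbound  F4B8 82AD  0           tunnel     dynamic  ESP

Local gateway: 192.168.0.1, Remote gateway: 10.0.1.2
  inbound   F4B8 82AD  0           tunnel     dynamic  ESP
  outbound  C949 D4B8  0           tunnel     dynamic  ESP
"""

# Column layouts assumed from the output shown in this article.
SESSION_RE = re.compile(r"^ESP\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+\w+\s+([IO])\s+(\d+)$")
GATEWAY_RE = re.compile(r"^Local gateway:\s*(\S+),\s*Remote gateway:\s*(\S+)")
SA_RE = re.compile(r"^\s*(inbound|outbound)\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\b")


@dataclass
class EspSession:
    src: str
    sport: int      # decimal "port" printed by the SFW = high 16 bits of the SPI
    dst: str
    dport: int      # low 16 bits of the SPI
    direction: str  # I or O, as printed
    packets: int    # session counter

    @property
    def spi(self) -> str:
        return f"{self.sport:04X}{self.dport:04X}"

    @property
    def reverse_spi(self) -> str:
        # The SFW's mirrored return entry shows the same two halves swapped.
        return f"{self.dport:04X}{self.sport:04X}"


def parse_sfw_sessions(text: str) -> List[EspSession]:
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            src, sport, dst, dport, direction, packets = m.groups()
            sessions.append(EspSession(src, int(sport), dst, int(dport), direction, int(packets)))
    return sessions


def parse_ipsec_sas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {local_gateway: {"inbound": SPI, "outbound": SPI}} with SPIs as 8 hex digits."""
    sas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        g = GATEWAY_RE.match(line.strip())
        if g:
            current = g.group(1)
            sas[current] = {}
        else:
            s = SA_RE.match(line)
            if s and current is not None:
                sas[current][s.group(1)] = (s.group(2) + s.group(3)).upper()
    return sas


def correlate(sessions: List[EspSession], sas: Dict[str, Dict[str, str]]) -> List[Tuple[EspSession, str, str]]:
    """Tag each SFW entry as (session, status, originating gateway).

    active    - entry created by a gateway's own encapsulated traffic (SPI == its outbound SPI)
    reverse   - the mirrored return entry; replies carry the peer's SPI, so it stays at 0 packets
    unmatched - ESP whose SPI belongs to no current SA (stale SA or traffic to look into)
    """
    by_outbound = {v["outbound"]: gw for gw, v in sas.items() if "outbound" in v}
    result = []
    for s in sessions:
        if s.spi in by_outbound and by_outbound[s.spi] == s.src:
            result.append((s, "active", s.src))
        elif s.reverse_spi in by_outbound and by_outbound[s.reverse_spi] == s.dst:
            result.append((s, "reverse", s.dst))
        else:
            result.append((s, "unmatched", ""))
    return result


def status_counts(result) -> Dict[str, int]:
    """One healthy tunnel (two SAs) yields {"active": 2, "reverse": 2}."""
    counts: Dict[str, int] = {}
    for _, status, _ in result:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    report = correlate(parse_sfw_sessions(SFW_SESSIONS), parse_ipsec_sas(IPSEC_SAS))
    for s, status, origin in report:
        print(f"{s.src}:{s.sport:04X} -> {s.dst}:{s.dport:04X}  SPI {s.spi}  "
              f"pkts={s.packets:5d}  {status:9s} origin={origin}")
    print(status_counts(report))
```

On a live system, replace the two embedded strings with the SFW session output and the IPsec SA output taken from the box. A single tunnel should then count as two active and two reverse entries; any unmatched ESP entry, or a reverse entry with a non-zero counter, is the place to start looking.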