
Bi-directional VPN is not working when adding multiple services to the ScreenOS VPN policy.


Article ID: KB8991
KB Last Updated: 13 Aug 2010
Version: 3.0
Summary:
The bi-directional VPN on a Juniper firewall stops working when multiple services are added to the VPN policy.
Symptoms:

The customer adds multiple services to the VPN policy, and bi-directional VPN traffic stops working. When a VPN policy is created with multiple services, ScreenOS creates a separate bi-directional SA for each of the outgoing and incoming policies, even though the source, destination, services and VPN are the same on both policies.

In the "get sa" output below, 2 bi-directional SAs were created. Each SA has only one policy bound to it, depending on whether the incoming or the outgoing policy created it. This is a problem when the remote device has a single SA configured: traffic works in one direction only, because the remote device uses the same SA ID to encrypt and decrypt packets in both directions.

Packets are dropped on the device where multiple services are configured, because its policies are bound to 2 different SA IDs.

set policy id 1 from "Untrust" to "Trust" "63.72.166.252" "MIP(198.151.13.24)" "PING" tunnel vpn "AMSEC-EMA-VPN"
set policy id 1
set service "SQL*Net V2"
set service "TCP-1433"
set service "TRACEROUTE"
exit

set policy id 2 from "Trust" to "Untrust" "10.26.16.52" "63.72.166.252" "PING" tunnel vpn "AMSEC-EMA-VPN" pair-policy 1
set policy id 2
set service "SQL*Net V2"
set service "TCP-1433"
set service "TRACEROUTE"
exit


The "get sa" output shows 2 bi-directional SAs for the same policy pair when multiple services are added individually to the policy instead of through a service group.

nsisg2000-> get sa
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 1 0
00000001> 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000002< 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000002> 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 2 0
Solution:

There are 2 ways to resolve this problem.

  1. According to ScreenOS, if you are using multiple services in the VPN policy, you need to pair the policies manually. This is not required when the policies have just a single service, or ANY: with a single service on the policy, ScreenOS can identify the pair policy on its own.
    Solution 1: set policy id 1 from "Untrust" to "Trust" "63.72.166.252" "MIP(198.151.13.24)" "PING" tunnel vpn "AMSEC-EMA-VPN" id 4 pair-policy 2
    set policy id 1
    set service "SQL*Net V2"
    set service "TCP-1433"
    set service "TRACEROUTE"
    exit
    set policy id 2 from "Trust" to "Untrust" "10.26.16.52" "63.72.166.252" "PING" tunnel vpn "AMSEC-EMA-VPN" id 4 pair-policy 1
    set policy id 2
    set service "SQL*Net V2"
    set service "TCP-1433"
    set service "TRACEROUTE"
    exit
  2. Alternatively, create a service group and add it to the policy instead; then there is no need to pair the policies manually, because the firewall can still recognize that it has a pair policy.
    Solution 2:
    set policy id 1 from "Untrust" to "Trust" "63.72.166.252" "MIP(198.151.13.24)" "test" tunnel vpn "AMSEC-EMA-VPN"
    set policy id 2 from "trust" to "Untrust" "10.26.16.52" "63.72.166.252" "test" tunnel vpn "AMSEC-EMA-VPN"

    nsisg2000-> get config | i test
    set group service "test"
    set group service "test" add "PING"
    set group service "test" add "SQL*Net V2"
    set group service "test" add "TCP-1434"
    set group service "test" add "TRACEROUTE"

The second solution is more practical for customers who use NSM to add this type of policy, because NSM has no option to pair policies manually.


With one bi-directional policy pair, the "get sa" output is correct: a single SA is bound to both policies.

nsisg2000-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000009< 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 1 0
00000009> 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 2 0
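As an added diagnostic that is not part of this KB article, the Python below parses the "get sa" table format shown above and flags the symptom described here: SAs that have a policy bound in only one direction (PID -1 on the other side), and peer gateways that ended up with more than one SA. The two sample outputs are copied from this article; the function and variable names are the author's own.

```python
import re

# Sample input copied from the KB's "get sa" outputs: the bad case has
# two SAs, each bound to a policy in one direction only (PID -1 = unbound);
# the good case has one SA bound to policy 1 inbound and policy 2 outbound.
BAD_GET_SA = """\
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 1 0
00000001> 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000002< 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I -1 0
00000002> 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 2 0
"""
GOOD_GET_SA = """\
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000009< 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 1 0
00000009> 63.72.166.253 500 esp:3des/sha1 00000000 expir unlim I/I 2 0
"""

# One SA row: HEX ID with direction marker, then the columns of the header.
SA_ROW = re.compile(
    r"^(?P<sa>[0-9A-Fa-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+\d+\s+\S+\s+\S+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<pid>-?\d+)\s+\d+$"
)

def parse_get_sa(text):
    """Map SA ID -> {'gw': gateway, '<': inbound PID, '>': outbound PID}."""
    sas = {}
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:  # the prompt, totals and header lines do not match
            sas.setdefault(m["sa"], {"gw": m["gw"]})[m["dir"]] = int(m["pid"])
    return sas

def half_bound_sas(text):
    """SA IDs with a policy bound in only one direction: the KB's symptom."""
    return sorted(sa for sa, e in parse_get_sa(text).items()
                  if e.get("<", -1) == -1 or e.get(">", -1) == -1)

def duplicate_peer_sas(text):
    """Gateways that ended up with more than one SA, with the SA IDs involved."""
    by_gw = {}
    for sa, e in parse_get_sa(text).items():
        by_gw.setdefault(e["gw"], []).append(sa)
    return {gw: sorted(ids) for gw, ids in by_gw.items() if len(ids) > 1}
```

Run it against the output of "get sa" from the firewall showing the problem; an empty result from both functions is what the good output above produces.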

