wan -- pfsense -- Juniper SRX ipsec not working.
-
Hello all,
Been a while since I have had to post here.
I am trying to get a juniper SRX firewall working for a VPN behind my pfsense for use with my remote office.
My topology is:
WAN ---- pfSense ---- LAN ----
                       |
                       |
                   Juniper SRX
The juniper srx works fine when plugged in front of pfSense, but not behind it. I have a single IP phone plugged into the SRX which connects to the corporate network but does not properly pass traffic, I think something to do with the ESP encapsulation process possibly....
I have tried using NAT for forwarding port 4500, protocol AH and protocol ESP to no avail. I have found a few write ups on this but nothing particular to my situation.
From my understanding, in pfsense I need to port-forward using NAT for 4500 (IPsec NAT-T) "Protocol" AH and "Protocol" ESP.
So the following 3 nat rules I have are below, which also creates the associated filter rule.
TCP/UDP * * wan * 4500 10.1.4.10 4500
ESP * * wan * 10.1.4.10 *
AH * * wan * 10.1.4.10 *
I am using Automatic outbound NAT rules generation as well. I have done some packet captures but I am not sure what I am looking for.
Topology
NAT Rules
NAT 4500
NAT ESP
NAT AH
-
No one?
-
Make port 4500 for your particular device (10.1.4.10) static NAT.
See if that works.
-
To establish IPsec you also need UDP/500 for IKE. After that is established, you will use either ESP or UDP/4500 (NAT-T) for the actual data transfers. There is obviously NAT so NAT-T will be chosen so it will probably work fine without ESP forwarded. And you only need AH if you are doing that sort of tunnel which is not encrypted so almost nobody uses that.
And all of this should work if the SRX always originates. You only need the port forward if the SRX needs to respond.
You also need to make sure the identifiers match. You might need to tell the SRX to specifically use your outside IP address as the identifier.
-
Thank you both for your replies.
I have a NAT setup for port 4500, esp and ah. I created the NAT under firewall > NAT > Port Forward and also did the auto create the rule option.
Not sure what you mean by static nat, I think that is what I did?
As for port 500, I will test that as I thought I tried that at one point but I am not sure now.
-
Not sure if I am doing something wrong or this is bugged.
I have tried all these suggestions to no avail.
Created a 1:1 nat with the outside IP and internal device IP.
Also created port forward rules for 4500, 500, ah and esp to be sure I am completely covered. Still no luck. I do however see port 4500 continuously hitting my firewall block logs as if it does not have a rule telling it where to go, but I have one setup for it.
Firewall log below. It is coming from my remote work office and going to my external WAN IP in the picture below. Edited out for obvious reasons.
-
Post your port forwards and rules. That traffic is obviously not being passed by a firewall rule or a state.
Your NAT rule posted up there had source port 4500. You don't want that. The source port is random.
-
I had to re-do the rules since I wiped everything to start fresh. I currently have ESP and AH disabled in the screenshots.
but here is what I got.
NAT Rules
4500
and the associated firewall rule.
Nat rule for port 500
Associated rule for 500
-
@virtualliquid
Hey
and what device is trying to connect to Juniper ?
Very strange, src port = 4500 / dst port random (or missing)
-
I am not certain of the device on the other end it is one of our large data centers that host multiple vpn concentrators. I would imagine it is just another juniper on the other end as well.
-
Who initiated the connection ?
Little Juniper or big ?
It feels like PF is blocking traffic for the little Juniper that is going back
-
took a new capture, same results. just filtered the source ip (office)
Every other one is the source of 4500 going to destination 39727 or some other random port.
-
@konstanti Little Juniper I believe initiates the connection. Since I keep restarting it (Power cycle)
-
@virtualliquid
Try so
/diagnostics/command prompt/ cat /tmp/rules.debug | grep LAN
and check.
is there a keep state when outputting
for example,
pass in quick on $LAN inet from YOUR__LAN_NET to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"
-
there is a lot of keep states, might need to filter more.
Perhaps this rule ?
pass in quick on $WAN reply-to ( em0 xxx.xxx.xxx.1 ) inet proto { tcp udp } from any to 10.1.4.10 port 4500 tracker 1549481406 keep state label "USER_RULE: NAT Juniper SRX"
-
- Are there floating rules ?
- For a small Juniper is there a separate rule on the Lan interface ?
If yes , show it
If not , show the rules of the LAN interface
-
cat /tmp/rules.debug | grep LAN
not WAN !!!
pass in quick on $LAN inet from YOUR__LAN_NET to any tracker 0100000101 keep state
or
pfctl -sr | grep em1
for example,
pass in quick on em1 inet from LAN_NET_IP to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
-
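An added check, not from anyone in the thread, that applies two points raised above to rules in the /tmp/rules.debug format: the source port must not be pinned on the 500/4500 forward (the peer's source port is random), and every forward to the SRX must carry keep state so replies match a state. The sample rule set is constructed here: the quoted "NAT Juniper SRX" line plus three made-up neighbours, with 10.1.4.10 as the SRX address from the thread.

```python
import re

# Constructed sample in the /tmp/rules.debug style quoted in the thread.
# The "NAT Juniper SRX" line is the one the poster quoted; the other
# three are constructed here to show one correct and two faulty forwards.
SAMPLE_RULES = """\
pass in quick on $LAN inet from 10.1.4.0/24 to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $WAN reply-to ( em0 xxx.xxx.xxx.1 ) inet proto { tcp udp } from any to 10.1.4.10 port 4500 tracker 1549481406 keep state label "USER_RULE: NAT Juniper SRX"
pass in quick on $WAN reply-to ( em0 xxx.xxx.xxx.1 ) inet proto udp from any port 500 to 10.1.4.10 port 500 tracker 1549481407 keep state label "USER_RULE: NAT IKE"
pass in quick on $WAN reply-to ( em0 xxx.xxx.xxx.1 ) inet proto esp from any to 10.1.4.10 tracker 1549481408 label "USER_RULE: NAT ESP"
"""

# Matches the "pass in quick" rules pfSense writes for port forwards and LAN rules.
RULE_RE = re.compile(
    r"^pass in quick on (?P<iface>\S+)\s+(?:reply-to \([^)]*\)\s+)?inet"
    r"(?:\s+proto (?P<proto>\{[^}]*\}|\S+))?"
    r"\s+from (?P<src>\S+)(?: port (?P<sport>\S+))?"
    r"\s+to (?P<dst>\S+)(?: port (?P<dport>\S+))?"
    r"(?P<rest>.*)$"
)

def parse_rules(text):
    """Parse pass rules into dicts; lines that are not pass rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["keep_state"] = "keep state" in rule["rest"]
            rules.append(rule)
    return rules

def audit_ipsec_forward(text, inside_host):
    """Audit the pass rules for an IPsec IKE/NAT-T forward to inside_host.
    Returns a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    rules = [r for r in parse_rules(text) if r["dst"] == inside_host]
    # IKE needs udp/500 and NAT-T needs udp/4500 forwarded to the inside host.
    for port, name in (("500", "IKE"), ("4500", "NAT-T")):
        if not any(r["proto"] and "udp" in r["proto"] and r["dport"] == port for r in rules):
            findings.append(f"missing udp/{port} ({name}) rule to {inside_host}")
    for r in rules:
        m = re.search(r'label "([^"]*)"', r["rest"])
        label = m.group(1) if m else (r["dport"] or r["proto"])
        if r["sport"] is not None:  # the remote peer picks its own source port
            findings.append(f"{label}: source port pinned to {r['sport']}; the peer's source port is random")
        if not r["keep_state"]:     # without a state the return traffic is dropped
            findings.append(f"{label}: no 'keep state', so replies will not match a state")
    return findings
```

Feed it the real output of cat /tmp/rules.debug instead of SAMPLE_RULES to audit a live box.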
Trying to post the output, but it keeps telling me it's spam.
-
Best I can do is a picture of the output.