#Output has been sanitized.
#Scenario: VPN between Vyatta Firewall and SRX1400 cluster.
-VPN type: policy-based (route-based @Vyatta FW not an offering; so not an option as of now)
-Pre-Shared Auth
-IKE interface reth0.0
-IKE GW (remote peer Vyatta is reachable)
-Site-A has 6 networks / Site-B has 1 network
-Site-B SRX has static routes (even though policy-based doesn't require them) to reach Site-A networks due to IP design.
-Traffic initiated @Site-A builds the tunnel.
-Traffic Type: IP ANY
-Dead Peer-Detection: No
#Behavior: Tunnel is sporadic. When the tunnel does come up, there is high packet-loss and reachability issues to nodes other than the interface of the SRX (Trust Reth1.10)
-Problem 1: Most of the day phase-1 fails to complete. See output below
#output during tunnel failure
#NOTE: the date shown below is in the past! 1987??
root@site-b-srx1400a> show log kmd-logs | last | no-more
Jul 4 02:44:17 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=1.1.1.1]
Jul 4 02:45:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: (Initiator) The symmetric crypto key has been generated successfully [local_ip=1.1.1.2, local_port=500, remote_ip=1.1.1.1, remote_port=500]
Jul 4 02:45:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: Negotiation completed; SA expires on Sun Jul 05 1987 02:45:16 { 9063bbbf 4a860b74 - 797bcf1d cf677729 } - [local_id=1.1.1.2, local_ip=1.1.1.2, local_port=500, remote_id=1.1.1.1, remote_ip=1.1.1.1, remote_port=500, Exchange Mode:main]
Jul 4 02:45:19 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=1.1.1.1]
Jul 4 02:46:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: (Initiator) The symmetric crypto key has been generated successfully [local_ip=1.1.1.2, local_port=500, remote_ip=1.1.1.1, remote_port=500]
Jul 4 02:46:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: Negotiation completed; SA expires on Sun Jul 05 1987 02:46:16 { 4f649387 ad08122c - a02b9c1d fbf9ba3d } - [local_id=1.1.1.2, local_ip=1.1.1.2, local_port=500, remote_id=1.1.1.1, remote_ip=1.1.1.1, remote_port=500, Exchange Mode:main]
Jul 4 02:46:18 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=1.1.1.1]
#Problem 2: When tunnel is up, Site-A Networks can only reach the SRX (trust) interface. Policy tests follow this line.
#policy test B to A####################################
Policy: Site-B to Site-A, action-type: permit, State: enabled, Index: 4
0
Policy Type: Configured
Sequence number: 1
From zone: TRUST, To zone: UNTRUST
Source addresses:
SITE-B_VLAN10(TRUST): 192.168.10.0/24
Destination addresses:
SITE-A_NET_6(SITE-A_VPN_ENCR_DOM): 10.170.192.0/27
SITE-A_NET_5(SITE-A_VPN_ENCR_DOM): 10.170.191.128/26
SITE-A_NET_4(SITE-A_VPN_ENCR_DOM): 10.170.170.0/27
SITE-A_NET_3(SITE-A_VPN_ENCR_DOM): 10.170.110.0/28
SITE-A_NET_2(SITE-A_VPN_ENCR_DOM): 10.170.90.0/26
SITE-A_NET_1(SITE-A_VPN_ENCR_DOM): 10.170.68.64/27
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: IKE_UNTRUST_SITE-A, Type: IPSec, Index: 2
Pair policy: SITE-A_VPN_TO_SITE-B
#policy test A to B shows good######################
Policy: SITE-A_VPN_TO_SITE-B, action-type: permit, State: enabled, Index: 7
0
Policy Type: Configured
Sequence number: 1
From zone: UNTRUST, To zone: TRUST
Source addresses:
SITE-A_NET_6(SITE-A_VPN_ENCR_DOM): 10.170.192.0/27
SITE-A_NET_5(SITE-A_VPN_ENCR_DOM): 10.170.191.128/26
SITE-A_NET_4(SITE-A_VPN_ENCR_DOM): 10.170.170.0/27
SITE-A_NET_3(SITE-A_VPN_ENCR_DOM): 10.170.110.0/28
SITE-A_NET_2(SITE-A_VPN_ENCR_DOM): 10.170.90.0/26
SITE-A_NET_1(SITE-A_VPN_ENCR_DOM): 10.170.68.64/27
Destination addresses:
SITE-B_VLAN10(TRUST): 192.168.10.0/24
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: IKE_UNTRUST_SITE-A, Type: IPSec, Index: 2
Pair policy: SITE-B_VPN_TO_SITE-A
#IPSEC stats, for ICMP from Site-A networks to Site-B SRX (trust interface). Note: only ICMP to SRX interface traffic is good.
show security ipsec statistics
node0:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 1283032
Decrypted bytes: 992376
Encrypted packets: 8441
Decrypted packets: 11814
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
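As an added triage example for this thread (not the poster's code and not a Juniper tool), the script below parses the sanitized kmd-logs lines and the ESP counters exactly as pasted above and flags the two patterns they show: a phase-1 "Negotiation completed" followed within seconds by "Invalid cookie recvd" from the same peer, and a decrypted/encrypted packet ratio on the active node that indicates traffic entering the tunnel whose replies are not going back through it. The 30-second window, the 1.25 ratio threshold and the 1000-packet idle cutoff are assumptions chosen for illustration.

```python
"""Triage helper for the kmd-logs and ESP counters pasted above.

Added example for this thread, not a Juniper tool and not the poster's code.
It flags (1) phase-1 flapping: "Negotiation completed" followed within a short
window by "Invalid cookie recvd" for the same peer, and (2) ESP asymmetry on
the active node: far more packets decrypted than encrypted, i.e. traffic comes
in through the tunnel but replies do not go back through it. The window and
ratio thresholds are assumptions for illustration.
"""
import re
from datetime import datetime

# kmd-logs lines copied from the post (sanitized; the box clock is wrong, so
# only the time-of-day deltas are used, never the year).
KMD_LOG = """\
Jul 4 02:44:17 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=1.1.1.1]
Jul 4 02:45:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: (Initiator) The symmetric crypto key has been generated successfully [local_ip=1.1.1.2, local_port=500, remote_ip=1.1.1.1, remote_port=500]
Jul 4 02:45:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: Negotiation completed; SA expires on Sun Jul 05 1987 02:45:16 { 9063bbbf 4a860b74 - 797bcf1d cf677729 } - [local_id=1.1.1.2, local_ip=1.1.1.2, local_port=500, remote_id=1.1.1.1, remote_ip=1.1.1.1, remote_port=500, Exchange Mode:main]
Jul 4 02:45:19 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=1.1.1.1]
Jul 4 02:46:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: (Initiator) The symmetric crypto key has been generated successfully [local_ip=1.1.1.2, local_port=500, remote_ip=1.1.1.1, remote_port=500]
Jul 4 02:46:16 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1: Negotiation completed; SA expires on Sun Jul 05 1987 02:46:16 { 4f649387 ad08122c - a02b9c1d fbf9ba3d } - [local_id=1.1.1.2, local_ip=1.1.1.2, local_port=500, remote_id=1.1.1.1, remote_ip=1.1.1.1, remote_port=500, Exchange Mode:main]
Jul 4 02:46:18 site-b-srx1400a (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[215]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=1.1.1.1]
"""

# "show security ipsec statistics" output copied from the post, trimmed to the
# lines this script reads (node1 is the passive cluster member).
IPSEC_STATS = """\
node0:
ESP Statistics:
Encrypted packets: 8441
Decrypted packets: 11814
Errors:
ESP authentication failures: 0, ESP decryption failures: 0
node1:
ESP Statistics:
Encrypted packets: 0
Decrypted packets: 0
"""

LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ .*?kmd\[\d+\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"(?:remote_ip|dst_ip)=([^,\]]+)")  # peer address in either message form


def parse_kmd(text):
    """Return [(timestamp, kind, peer)] for the phase-1 events of interest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if "Negotiation completed" in m["msg"]:
            kind = "completed"
        elif "Invalid cookie recvd" in m["msg"]:
            kind = "invalid_cookie"
        else:
            continue  # key-generation and other lines are not needed here
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts, kind, PEER_RE.search(m["msg"]).group(1)))
    return events


def find_phase1_flaps(events, window_s=30):
    """Pair each completed phase-1 with an invalid-cookie failure from the same
    peer within window_s seconds; returns [(peer, seconds_between)]."""
    flaps, last_completed = [], {}
    for ts, kind, peer in events:
        if kind == "completed":
            last_completed[peer] = ts
        elif kind == "invalid_cookie" and peer in last_completed:
            delta = (ts - last_completed[peer]).total_seconds()
            if 0 <= delta <= window_s:
                flaps.append((peer, delta))
                del last_completed[peer]  # count each completed SA once
    return flaps


def parse_esp_counters(text):
    """Return {node: {counter_name: int}} from the pasted statistics output."""
    counters, node = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"node\d+:", line):
            node = line[:-1]
            counters[node] = {}
        elif node is not None and ":" in line:
            key, _, val = line.partition(":")
            if val.strip().isdigit():  # skips "Errors:" and multi-field lines
                counters[node][key.strip()] = int(val)
    return counters


def esp_asymmetry(counters, min_packets=1000, max_ratio=1.25):
    """Return {node: decrypted/encrypted ratio} for busy nodes over max_ratio.
    Idle nodes (the passive chassis-cluster member) are ignored."""
    flagged = {}
    for node, c in counters.items():
        enc = c.get("Encrypted packets", 0)
        dec = c.get("Decrypted packets", 0)
        if max(enc, dec) < min_packets:
            continue
        ratio = dec / enc if enc else float("inf")
        if ratio > max_ratio:
            flagged[node] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    for peer, delta in find_phase1_flaps(parse_kmd(KMD_LOG)):
        print(f"phase-1 flap: {peer} sent Invalid cookie {delta:.0f}s after completion")
    for node, ratio in esp_asymmetry(parse_esp_counters(IPSEC_STATS)).items():
        print(f"{node}: decrypted/encrypted packet ratio {ratio} (replies not returning via tunnel?)")
```

On the lines from the post this reports two flaps (the invalid cookie arrives 3 s and 2 s after each completed negotiation) and a ratio of about 1.4 on node0, which lines up with the symptom that only the SRX interface itself answers: packets from Site-A are decrypted, but the replies from hosts behind the SRX are not being encrypted back.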