Hello,
We have a policy based VPN between two of our locations and I can't get them to talk. The issue is that they share the same subnet and I had to do S and D NAT. The IKE comes up but IPSEC shows 0 tunnels. I know that if I switch to route based VPN my problem will go away, but management insists it be policy based (don't ask why, I don't understand myself). Configuration is below.
DC-Site
proposal LAS-IKE-Preposal {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy LAS-IKE-Policy {
    mode main;
    proposals LAS-IKE-Preposal;
    pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
}
gateway LAS-IKE-GATEWAY {
    ike-policy LAS-IKE-Policy;
    address X.X.X.X;
    dead-peer-detection optimized;
    external-interface reth0.0;
}
proposal LAS-IPSEC-Proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-kilobytes 1048576;
}
policy LAS-IPSEC-Policy {
    proposals LAS-IPSEC-Proposal;
}
vpn LAS-IPSEC-VPN {
    ike {
        gateway LAS-IKE-GATEWAY;
        proxy-identity {
            local X.X.210.0/24;
            remote X.X.200.0/24;
        }
        ipsec-policy LAS-IPSEC-Policy;
    }
    establish-tunnels immediately;
}
from-zone untrust to-zone trust {
    policy LAS-2-DC-VPN {
        match {
            source-address LAS-NAT-X.X.200.0;
            destination-address DC-LOCAL-X.X.110.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn LAS-IPSEC-VPN;
                    pair-policy DC-2-LAS-VPN;
                }
            }
        }
    }
}
from-zone trust to-zone untrust {
    policy DC-2-LAS-VPN {
        match {
            source-address DC-LOCAL-X.X.110.0;
            destination-address LAS-NAT-X.X.200.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn LAS-IPSEC-VPN;
                    pair-policy LAS-2-DC-VPN;
                }
            }
        }
    }
}
source {
    pool DC-LOCAL-2-NAT {
        address {
            X.X.210.0/24;
        }
    }
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address-name DC-LOCAL-X.X.110.0;
                destination-address-name LAS-NAT-X.X.200.0;
            }
            then {
                source-nat {
                    pool {
                        DC-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
destination {
    pool DC-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address-name LAS-NAT-X.X.200.0;
                destination-address X.X.210.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        DC-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}
LAS-Site
proposal DC-IKE-Preposal {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
policy DC-IKE-Policy {
    mode main;
    proposals DC-IKE-Preposal;
    pre-shared-key ascii-text "XXXXXXX"; ## SECRET-DATA
}
gateway DC-IKE-GATEWAY {
    ike-policy DC-IKE-Policy;
    address X.X.X.105;
    dead-peer-detection optimized;
    external-interface ge-0/0/0;
}
proposal DC-IPSEC-Proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-kilobytes 1048576;
}
policy DC-IPSEC-Policy {
    proposal-set standard;
}
vpn DC-IPSEC-VPN {
    ike {
        gateway DC-IKE-GATEWAY;
        proxy-identity {
            local X.X.200.0/24;
            remote X.X.210.0/24;
        }
        ipsec-policy DC-IPSEC-Policy;
    }
    establish-tunnels immediately;
}
from-zone trust to-zone untrust {
    policy LAS-2-DC-VPN {
        match {
            source-address LAS-LOCAL-X.X.110.0;
            destination-address DC-NAT-X.X.210.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DC-IPSEC-VPN;
                    pair-policy DC-2-LAS-VPN;
                }
            }
        }
    }
}
from-zone untrust to-zone trust {
    policy DC-2-LAS-VPN {
        match {
            source-address DC-NAT-X.X.210.0;
            destination-address LAS-LOCAL-X.X.110.0;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DC-IPSEC-VPN;
                    pair-policy LAS-2-DC-VPN;
                }
            }
        }
    }
}
source {
    pool LAS-LOCAL-2-NAT {
        address {
            X.X.200.0/24;
        }
    }
    address-persistent;
    rule-set NAT-LOCAL {
        from zone trust;
        to zone untrust;
        rule 1 {
            match {
                source-address-name LAS-LOCAL-X.X.110.0;
                destination-address-name DC-NAT-X.X.210.0;
            }
            then {
                source-nat {
                    pool {
                        LAS-LOCAL-2-NAT;
                    }
                }
            }
        }
    }
}
destination {
    pool LAS-NAT-2-LOCAL {
        address X.X.110.0/24;
    }
    rule-set NAT-BACK-2-LOCAL {
        from zone untrust;
        rule 1 {
            match {
                source-address-name DC-NAT-X.X.210.0;
                destination-address X.X.200.0/24;
                application any;
            }
            then {
                destination-nat {
                    pool {
                        LAS-NAT-2-LOCAL;
                    }
                }
            }
        }
    }
}
Verification:
show security ike sa
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2655583  UP     109b52008c9929c2  7f69bc9e87cd1395  Main  X.X.X.105

show security flow session
Session ID: 65215, Policy name: LAS-2-DC-VPN/6, Timeout: 60, Valid
  In: X.X.110.100/27083 --> X.X.210.1/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
  Out: X.X.210.1/1 --> X.X.200.100/9473;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 12

show security ipsec sa
Total active tunnels: 0

Logical system: root-logical-system
Index  From zone  To zone  Name           Policy count
12     trust      untrust  LAS-2-DC-VPN   27089
Any help is greatly appreciated!
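An IKE SA that is UP alongside zero IPsec SAs means phase 1 succeeded and phase 2 did not, and on a policy-based SRX tunnel the two things phase 2 negotiates are the proxy-IDs and the IPsec proposal. With overlapping LANs there is a third thing to get right: each side must offer its NAT pool, not its real LAN, as the proxy-ID, and translate it back on the way in. The script below is an added example, not code from the original post, that transcribes the two sides from the snippets above into plain dictionaries (addresses kept masked as the poster wrote them) and checks those three relationships mechanically. The expansion of the LAS side's `proposal-set standard` into concrete ESP proposals is an assumption made for this example (two ESP proposals, 3DES-CBC or AES-128-CBC with HMAC-SHA1-96 and PFS group2); verify it against the Junos documentation for your release, and use `set security ike traceoptions` on the responder to see which parameter phase 2 actually rejects.

```python
"""Consistency checker for a mirrored pair of Junos policy-based VPN configs.

Added example (not from the original post). DC_SITE and LAS_SITE are
transcribed from the two config snippets in the thread. The contents of
STANDARD_SET_ASSUMED are an ASSUMPTION about what `proposal-set standard`
expands to; confirm against the Junos docs for your release.
"""

# DC side: explicit LAS-IPSEC-Proposal, no perfect-forward-secrecy configured.
DC_SITE = {
    "name": "DC",
    "local_subnet": "X.X.110.0/24",     # DC-LOCAL-X.X.110.0
    "proxy_local": "X.X.210.0/24",      # proxy-identity local
    "proxy_remote": "X.X.200.0/24",     # proxy-identity remote
    "snat_pool": "X.X.210.0/24",        # pool DC-LOCAL-2-NAT
    "dnat_match_dst": "X.X.210.0/24",   # destination-address in NAT-BACK-2-LOCAL
    "dnat_pool": "X.X.110.0/24",        # pool DC-NAT-2-LOCAL
    "phase2": [{"enc": "aes-128-cbc", "auth": "hmac-sha1-96", "pfs": None}],
}

# ASSUMED expansion of `proposal-set standard` on the LAS side (see lead-in).
STANDARD_SET_ASSUMED = [
    {"enc": "3des-cbc", "auth": "hmac-sha1-96", "pfs": "group2"},
    {"enc": "aes-128-cbc", "auth": "hmac-sha1-96", "pfs": "group2"},
]

LAS_SITE = {
    "name": "LAS",
    "local_subnet": "X.X.110.0/24",     # LAS-LOCAL-X.X.110.0 (same LAN as DC)
    "proxy_local": "X.X.200.0/24",
    "proxy_remote": "X.X.210.0/24",
    "snat_pool": "X.X.200.0/24",        # pool LAS-LOCAL-2-NAT
    "dnat_match_dst": "X.X.200.0/24",
    "dnat_pool": "X.X.110.0/24",        # pool LAS-NAT-2-LOCAL
    "phase2": STANDARD_SET_ASSUMED,
}


def check_proxy_ids(a, b):
    """Proxy-IDs must mirror exactly: A's local is B's remote and vice versa."""
    findings = []
    if a["proxy_local"] != b["proxy_remote"]:
        findings.append(f"{a['name']} proxy local {a['proxy_local']} "
                        f"!= {b['name']} proxy remote {b['proxy_remote']}")
    if a["proxy_remote"] != b["proxy_local"]:
        findings.append(f"{a['name']} proxy remote {a['proxy_remote']} "
                        f"!= {b['name']} proxy local {b['proxy_local']}")
    return findings


def check_nat_alignment(site):
    """Overlapping-LAN rules: the source-NAT pool is what the peer sees, so it
    must be the proxy-ID local; inbound traffic to that pool must be translated
    back to the real LAN; and the real LAN must never appear as the proxy-ID."""
    n = site["name"]
    findings = []
    if site["snat_pool"] != site["proxy_local"]:
        findings.append(f"{n}: source-NAT pool {site['snat_pool']} is not proxy local {site['proxy_local']}")
    if site["dnat_match_dst"] != site["proxy_local"]:
        findings.append(f"{n}: destination-NAT matches {site['dnat_match_dst']}, not proxy local {site['proxy_local']}")
    if site["dnat_pool"] != site["local_subnet"]:
        findings.append(f"{n}: destination-NAT pool {site['dnat_pool']} is not the real LAN {site['local_subnet']}")
    if site["proxy_local"] == site["local_subnet"]:
        findings.append(f"{n}: proxy-ID local is the overlapping real LAN")
    return findings


def common_phase2(a, b):
    """Phase-2 proposals offered by both peers; encryption, integrity and PFS
    must all agree for a proposal to be selected."""
    return [p for p in a["phase2"] if p in b["phase2"]]


def report(a, b):
    """All findings for the pair; an empty list means nothing obviously wrong."""
    findings = check_proxy_ids(a, b) + check_nat_alignment(a) + check_nat_alignment(b)
    if not common_phase2(a, b):
        findings.append(f"no common phase-2 proposal between {a['name']} and {b['name']}: "
                        f"{a['phase2']} vs {b['phase2']}")
    return findings


if __name__ == "__main__":
    for line in report(DC_SITE, LAS_SITE) or ["no findings"]:
        print(line)
```

Under the stated assumption the only finding is the phase-2 comparison (no PFS on the DC side against PFS group2 in the assumed standard set); the proxy-IDs and the NAT pools in the two snippets already mirror each other. If the assumption about `proposal-set standard` turns out to be wrong for your release, replace `STANDARD_SET_ASSUMED` with what `show security ipsec sa detail` or the docs report and rerun; the proxy-ID and NAT checks are independent of it.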