Aspirant
Posts: 5
Registered: 2015-12-09

Multiple site-to-site VPNs through LiveBox Pro with SRX5308


Hello there!

I am wondering if it is possible to make multiple site-to-site VPN connections through a LiveBox Pro. Here is a skeleton schema:

SITE 0 192.168.0.0/24 [EdgeRouterLite] A.B.C.D (public IP) -------- H.I.J.K (public IP) [LiveBox] 192.168.1.1 ----- 192.168.1.254 [SRX5308] 192.168.60.0/24

SITE 1 192.168.20.0/24 [EdgeRouterLite] E.F.G.H (public IP) -------- H.I.J.K (public IP) [LiveBox] 192.168.1.1 ----- 192.168.1.254 [SRX5308] 192.168.60.0/24

Site 2 ...etc... up to 5 VPN

I configured the LiveBox Pro fully open in NAT from everywhere to my SRX5308:

Application / service | Protocol | External IP address | External netmask | External port | Internal port | Device / IP address | Enabled
All                   | All      | All                 | All              | All           | All           | @macSRX5308         |

I configured my SRX5308 as the DMZ host and set the firewall to low on my LiveBox Pro.


I configured classic VPN policies on my SRX5308:

List of IKE Policies

Name  | Mode | Local ID      | Remote ID | Encr    | Auth  | DH
SITE0 | Main | 192.168.1.254 | A.B.C.D   | AES-256 | SHA-1 | Group 2 (1024 bit)
SITE1 | Main | 192.168.1.254 | E.F.G.H   | AES-256 | SHA-1 | Group 2 (1024 bit)
SITE2 | Main | 192.168.1.254 | I.J.K.L   | AES-256 | SHA-1 | Group 2 (1024 bit)
SITE3 | Main | 192.168.1.254 | M.N.O.P   | AES-256 | SHA-1 | Group 2 (1024 bit)
SITE4 | Main | 192.168.1.254 | Q.R.S.T   | AES-256 | SHA-1 | Group 2 (1024 bit)


List of VPN Policies

Name  | Type        | Local                          | Remote                          | Auth  | Encr
SITE0 | Auto Policy | 192.168.60.0 / 255.255.255.0   | 192.168.0.0 / 255.255.255.0     | SHA-1 | AES-256
SITE1 | Auto Policy | 192.168.60.0 / 255.255.255.0   | 192.168.90.0 / 255.255.255.0    | SHA-1 | AES-256
SITE2 | Auto Policy | 192.168.60.0 / 255.255.255.0   | 192.168.100.0 / 255.255.255.0   | SHA-1 | AES-256
SITE3 | Auto Policy | 192.168.60.0 / 255.255.255.0   | 192.168.80.0 / 255.255.255.0    | SHA-1 | AES-256
SITE4 | Auto Policy | 192.168.60.0 / 255.255.255.0   | 192.168.20.0 / 255.255.255.0    | SHA-1 | AES-256

I already checked the configuration, such as the same pre-shared key, lifetime, etc.

Here is the exact version of my SRX5308:

System Name:SRX5308
Firmware Version:4.3.0-19


Here are some logs from my SRX5308:

Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP E.F.G.H->192.168.1.254 
Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP I.J.K.L->192.168.1.254 
Wed Feb 15 17:00:09 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP M.N.O.P->192.168.1.254 
Wed Feb 15 17:00:08 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP Q.R.S.T->192.168.1.254 
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Ignore information because ISAKMP-SA has not been established yet.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Ignore information because ISAKMP-SA has not been established yet.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  for debugging :: changing ports
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  port changed !!
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT detected: ME 
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT-D payload matches for E.F.G.H[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT-D payload does not match for 192.168.1.254[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  for debugging :: changing ports
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  port changed !!
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT detected: ME 
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT-D payload matches for I.J.K.L[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT-D payload does not match for 192.168.1.254[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  For E.F.G.H[500], Selected NAT-T version: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Vendor ID: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Vendor ID: DPD
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  For I.J.K.L[500], Selected NAT-T version: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Vendor ID: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Vendor ID: DPD
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Ignore information because ISAKMP-SA has not been established yet.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.254[500]<=>E.F.G.H[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Configuration found for E.F.G.H.

It seems to be some NAT issue, but I can't figure it out. Only the VPN to site 0 can connect! Did I miss something?

If someone has an idea!

Best regards,

Julien
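The log excerpt above shows the three things a defender would want to pull out per peer: whether phase 1 was initiated, which NAT-T version was negotiated, and whether phase 2 timed out waiting for phase 1; it also shows the SRX concluding "NAT detected: ME" because the NAT-D hash over its own address 192.168.1.254 did not match. The script below is an added example, not code from the post or from NETGEAR. It splits records (including ones that were run together on a single line, as in the post), summarises the IKE state per peer, and implements the RFC 3947 NAT-D computation (HASH(CKY-I | CKY-R | IP | Port) with the phase 1 hash, SHA-1 here) to show why hashing a private address behind a NAT cannot match what the far end recomputes from the packet's source. The sample log lines, the ISAKMP cookies and the public address 203.0.113.10 (a stand-in for the LiveBox's H.I.J.K) are all constructed.

```python
"""Triage of IKEv1 log lines plus an RFC 3947 NAT-D check (added example)."""
import hashlib
import re
import socket
import struct
from collections import defaultdict

LOCAL_ADDR = "192.168.1.254"  # SRX5308 WAN address from the post

# Constructed sample in the post's log format; peer addresses are the post's
# placeholders. The third line is deliberately two records run together, as
# happens in the post, to exercise the splitter.
SAMPLE_LOG = (
    "Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP E.F.G.H->192.168.1.254\n"
    "Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP I.J.K.L->192.168.1.254\n"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  for debugging :: changing ports"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  port changed !!\n"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT detected: ME\n"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT-D payload matches for E.F.G.H[500]\n"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  NAT-D payload does not match for 192.168.1.254[500]\n"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  For E.F.G.H[500], Selected NAT-T version: RFC 3947\n"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.254[500]<=>E.F.G.H[500]\n"
    "Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.254[500]<=>I.J.K.L[500]\n"
)

# A record starts with "<Dow> <Mon> <day> <hh:mm:ss> <yyyy>"; the lookahead lets
# re.split cut fused lines without consuming the timestamp.
RECORD_START = re.compile(r"(?=(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} )")
RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+ +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT [+-]\d{4}\): "
    r"\[(?P<dev>[^\]]+)\] \[IKE\] (?P<lvl>[A-Z]+):\s+(?P<msg>.*)$"
)
# Four dot-separated tokens: real dotted quads and the post's A.B.C.D placeholders.
ADDR_RE = re.compile(r"\b(?:[A-Za-z0-9]+\.){3}[A-Za-z0-9]+\b")


def split_records(text):
    """Yield one record per log entry, splitting entries that share a line."""
    for line in text.splitlines():
        for chunk in RECORD_START.split(line):
            chunk = chunk.strip()
            if chunk:
                yield chunk


def parse_record(record):
    """Return {ts, dev, lvl, msg} or None if the line is not an IKE record."""
    m = RECORD_RE.match(record)
    return m.groupdict() if m else None


def summarize(text):
    """Per-peer IKE state, plus whether the device saw itself behind NAT."""
    peers = defaultdict(lambda: {"phase1_initiated": False, "natt_version": None,
                                 "peer_nat_d_match": None, "phase2_timeout": False})
    self_behind_nat = False
    for rec in map(parse_record, split_records(text)):
        if rec is None:
            continue
        msg = rec["msg"]
        remote = [a for a in ADDR_RE.findall(msg) if a != LOCAL_ADDR]
        # Our own NAT-D hash failing to match means we are the NATed side.
        if "NAT detected: ME" in msg or (not remote and "NAT-D payload does not match for" in msg):
            self_behind_nat = True
            continue
        if not remote:
            continue
        peer = remote[0]
        if "Initiating new phase 1 negotiation" in msg:
            peers[peer]["phase1_initiated"] = True
        elif "Selected NAT-T version" in msg:
            peers[peer]["natt_version"] = msg.rsplit(": ", 1)[1]
        elif "NAT-D payload matches for" in msg:
            peers[peer]["peer_nat_d_match"] = True
        elif "NAT-D payload does not match for" in msg:
            peers[peer]["peer_nat_d_match"] = False
        elif "Phase 2 negotiation failed" in msg and "waiting for phase1" in msg:
            peers[peer]["phase2_timeout"] = True
    return {"self_behind_nat": self_behind_nat, "peers": dict(peers)}


def nat_d_payload(cky_i, cky_r, ip, port):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port), IPv4 as 4 bytes and
    the port as 2 bytes in network order; HASH is the phase 1 hash (SHA-1 here)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_d_check(addr_hashed_by_sender, source_addr_in_packet, port=500):
    """Responder-side comparison: recompute NAT-D over the address the packet
    really came from and compare with what the sender hashed. False means the
    sender sits behind a NAT. Cookies are constructed, not captured."""
    cky_i = bytes.fromhex("0123456789abcdef")
    cky_r = bytes.fromhex("fedcba9876543210")
    sent = nat_d_payload(cky_i, cky_r, addr_hashed_by_sender, port)
    expected = nat_d_payload(cky_i, cky_r, source_addr_in_packet, port)
    return sent == expected


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # 203.0.113.10 is a documentation-range stand-in for the LiveBox public address H.I.J.K
    print("NAT-D over private address matches at peer:", nat_d_check(LOCAL_ADDR, "203.0.113.10"))
```

Run against a real export, the summary separates peers that never got past phase 1 from those that did, and the NAT-D function makes the "does not match for 192.168.1.254[500]" line concrete: the far end recomputes the hash from the source address it received, so a hash built over a private address can only match when no translation happened in between.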
