Multiple VPN site-to-site through LiveBoxPro with SRX5308
Hello there!
I am wondering if it's possible to make multiple VPN site-to-site connections through a LiveBox Pro. Here is a skeleton schema:
```
SITE 0 192.168.0.0/24  [EdgeRouterLite] A.B.C.D (public IP) -------- H.I.J.K (public IP) [LiveBox] 192.168.1.1 ----- 192.168.1.254 [SRX5308] 192.168.60.0/24
SITE 1 192.168.20.0/24 [EdgeRouterLite] E.F.G.H (public IP) -------- H.I.J.K (public IP) [LiveBox] 192.168.1.1 ----- 192.168.1.254 [SRX5308] 192.168.60.0/24
Site 2 ...etc... up to 5 VPN
```
I configured the LiveBox Pro fully open in NAT from everywhere to my SRX5308:

| Application / service | Protocol | External IP address | External netmask | External port | Internal port | Device / IP address | Enable |
|---|---|---|---|---|---|---|---|
| All | All | All | All | All | All | @macSRX5308 | |
I configured my SRX5308 in the DMZ and set the firewall to low on my LiveBox Pro.
I configured classic VPN on my SRX5308:
List of IKE Policies

| Name | Mode | Local ID | Remote ID | Encryption | Authentication | DH Group |
|---|---|---|---|---|---|---|
| SITE1 | Main | 192.168.1.254 | E.F.G.H | AES-256 | SHA-1 | Group 2 (1024 bit) |
| SITE2 | Main | 192.168.1.254 | I.J.K.L | AES-256 | SHA-1 | Group 2 (1024 bit) |
| SITE3 | Main | 192.168.1.254 | M.N.O.P | AES-256 | SHA-1 | Group 2 (1024 bit) |
| SITE4 | Main | 192.168.1.254 | Q.R.S.T | AES-256 | SHA-1 | Group 2 (1024 bit) |

List of VPN Policies

| Name | Type | Local network | Remote network | Authentication | Encryption |
|---|---|---|---|---|---|
| SITE1 | Auto Policy | 192.168.60.0 / 255.255.255.0 | 192.168.90.0 / 255.255.255.0 | SHA-1 | AES-256 |
| SITE2 | Auto Policy | 192.168.60.0 / 255.255.255.0 | 192.168.100.0 / 255.255.255.0 | SHA-1 | AES-256 |
| SITE3 | Auto Policy | 192.168.60.0 / 255.255.255.0 | 192.168.80.0 / 255.255.255.0 | SHA-1 | AES-256 |
| SITE4 | Auto Policy | 192.168.60.0 / 255.255.255.0 | 192.168.20.0 / 255.255.255.0 | SHA-1 | AES-256 |
I already checked configuration such as the same encryption key, lifetime, etc.
Here is the exact version of my SRX5308:

| | |
|---|---|
| System Name: | SRX5308 |
| Firmware Version: | 4.3.0-19 |
Here are some logs from my SRX5308:

```
Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP E.F.G.H->192.168.1.254
Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP I.J.K.L->192.168.1.254
Wed Feb 15 17:00:09 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP M.N.O.P->192.168.1.254
Wed Feb 15 17:00:08 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP Q.R.S.T->192.168.1.254
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: for debugging :: changing ports
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: port changed !!
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT detected: ME
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT-D payload matches for E.F.G.H[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT-D payload does not match for 192.168.1.254[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: for debugging :: changing ports
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: port changed !!
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT detected: ME
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT-D payload matches for I.J.K.L[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT-D payload does not match for 192.168.1.254[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: For E.F.G.H[500], Selected NAT-T version: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: For I.J.K.L[500], Selected NAT-T version: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: 192.168.1.254[500]<=>E.F.G.H[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Configuration found for E.F.G.H.
```
It seems to have some NAT issues but I can't figure it out. Only the VPN to site 0 can connect! Did I miss something?
If someone has an idea!
Best regards,
Julien
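The IKE log quoted in the post is easier to reason about when it is grouped per remote gateway. The following Python script is an added example and is not part of Julien's post or of NETGEAR's firmware: it parses lines in the SRX5308 log format shown above and reports, for each peer, whether phase 1 ever completed and what NAT traversal detected. The sample lines are constructed in that same format using the post's placeholder addresses, the message patterns are taken from the quoted excerpt, and the local address 192.168.1.254 is assumed from the post's diagram.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the SRX5308 IKE log quoted in the
# post (peer addresses are the post's placeholders E.F.G.H / I.J.K.L, not real
# hosts; 192.168.1.254 is the SRX5308's address behind the LiveBox, per the post).
SAMPLE_LOG = """\
Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP E.F.G.H->192.168.1.254
Wed Feb 15 17:00:10 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP I.J.K.L->192.168.1.254
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: port changed !!
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT detected: ME
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT-D payload matches for E.F.G.H[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: NAT-D payload does not match for 192.168.1.254[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: For E.F.G.H[500], Selected NAT-T version: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: For I.J.K.L[500], Selected NAT-T version: RFC 3947
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: 192.168.1.254[500]<=>E.F.G.H[500]
Wed Feb 15 16:59:39 2017 (GMT +0100): [SRX5308] [IKE] INFO: Initiating new phase 1 negotiation: 192.168.1.254[500]<=>I.J.K.L[500]
"""

# Common prefix of every line: timestamp, offset, device, subsystem, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT (?P<tz>[+-]\d{4})\): "
    r"\[(?P<device>[^\]]+)\] \[(?P<subsystem>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Address token: matches dotted IPv4 as well as the post's letter placeholders.
ADDR = r"[\w.]+"
PHASE1_RE = re.compile(rf"Initiating new phase 1 negotiation: (?P<local>{ADDR})\[\d+\]<=>(?P<peer>{ADDR})\[\d+\]")
NATT_RE = re.compile(rf"For (?P<peer>{ADDR})\[\d+\], Selected NAT-T version: (?P<ver>.+)")
NATD_RE = re.compile(rf"NAT-D payload (?P<result>matches|does not match) for (?P<addr>{ADDR})\[\d+\]")
P2FAIL_RE = re.compile(rf"Phase 2 negotiation failed due to time up waiting for phase1\. ESP (?P<peer>{ADDR})->(?P<local>{ADDR})")
NATDET_RE = re.compile(r"NAT detected: (?P<who>.+)")


def new_peer_state():
    return {"phase1_initiated": 0, "natt_version": None,
            "nat_d_match": None, "phase2_failed_waiting_phase1": 0}


def summarize(log_text, local="192.168.1.254"):
    """Group IKE events per remote peer. Returns (peers, local_info)."""
    peers = defaultdict(new_peer_state)
    local_info = {"nat_detected_on_me": False, "nat_d_mismatch_for_local": False, "unparsed": 0}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            local_info["unparsed"] += 1
            continue
        msg = m.group("msg")
        if (e := PHASE1_RE.search(msg)):
            peers[e.group("peer")]["phase1_initiated"] += 1
        elif (e := NATT_RE.search(msg)):
            peers[e.group("peer")]["natt_version"] = e.group("ver").strip()
        elif (e := NATD_RE.search(msg)):
            matched = e.group("result") == "matches"
            if e.group("addr") == local:
                # A NAT-D hash that fails for our own address means we are behind NAT.
                local_info["nat_d_mismatch_for_local"] = local_info["nat_d_mismatch_for_local"] or not matched
            else:
                peers[e.group("addr")]["nat_d_match"] = matched
        elif (e := P2FAIL_RE.search(msg)):
            peers[e.group("peer")]["phase2_failed_waiting_phase1"] += 1
        elif (e := NATDET_RE.search(msg)):
            if "ME" in e.group("who").split():
                local_info["nat_detected_on_me"] = True
    return dict(peers), local_info


def diagnose(peers, local_info):
    """Per-peer findings: which tunnels never got past phase 1 and what NAT-T saw."""
    findings = {}
    for peer, st in sorted(peers.items()):
        notes = []
        if st["phase1_initiated"] and st["phase2_failed_waiting_phase1"]:
            notes.append("phase 1 never completed (phase 2 timed out waiting for it)")
        if st["natt_version"]:
            notes.append(f"NAT-T negotiated ({st['natt_version']}): the exchange moves to UDP/4500")
        if st["nat_d_match"] is False:
            notes.append("peer's NAT-D hash mismatched: the remote side is also behind NAT")
        findings[peer] = notes
    if local_info["nat_detected_on_me"] or local_info["nat_d_mismatch_for_local"]:
        findings["_local"] = ["this router is behind NAT; UDP/500 and UDP/4500 must be "
                              "forwarded to it (ESP rides inside UDP/4500 once NAT-T is in use)"]
    return findings


if __name__ == "__main__":
    peers, local_info = summarize(SAMPLE_LOG)
    for name, notes in diagnose(peers, local_info).items():
        print(name)
        for n in notes:
            print("  -", n)
```

Run against the full excerpt, the script shows the same picture the post describes: every remote peer gets an "Initiating new phase 1 negotiation" line and then a "Phase 2 ... time up waiting for phase1" error, with no ISAKMP-SA ever established, while "NAT detected: ME" and the NAT-D mismatch for 192.168.1.254 only confirm that the SRX5308 sees itself behind the LiveBox, which is expected in this topology. Because NAT-T (RFC 3947) is selected and the log reports "port changed", the LiveBox forwarding rule has to deliver both UDP/500 and UDP/4500 to the SRX5308 for each remote gateway, and each EdgeRouter must have NAT traversal enabled; the peer's own IKE log is the place to look for whether its replies were sent and rejected or never sent at all.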