"Local private net"/24="Local public IP" "Remote public IP"="Remote public net"/24
The automatic firewall rules option was enabled; no further firewall rules concerning these networks were configured. The IPSec log shows no errors, and the firewall log shows no dropped packets throughout our tests. Both the local software UTM (version 9.206-35) and the remote Juniper firewall are configured to allow ICMP traffic.
A computer attached to the "local private net"/24 network with the IP address "local private IP" in the same network was used to ping the remote IP "Remote IP 1" computer in the "remote public net"/24. The ping yields no response. We can ping into other local networks from the "local private IP" computer.
Another test was to request an HTTPS site using wget on the "local private IP" from "Remote IP 2" in the "remote public net"/24. This did not work either and the firewall log showed no dropped packets.
We captured the IP traffic on the public-facing interface of the UTM using tcpdump and saw no IPSec-related traffic at all, but we did see unencrypted ICMP requests from "local private IP" to "remote IP 1" on that interface. As far as we understand, we should not see that traffic but the encrypted IPSec traffic instead?
We tried to see if we can gather more information on what is going on on the IPSec connection and tried:
# ip -s xfrm state
src "remote public IP" dst "local public IP"
	proto esp spi 0xfd72dd09(4252163337) reqid 16385(0x00004001) mode tunnel
	replay-window 32 seq 0x00000000 flag noecn nopmtudisc af-unspec (0x00100101)
	auth-trunc hmac(sha1) 0***************************************xx (160 bits) 96
	enc cbc(aes) 0***************************************************************xx (256 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2014-09-12 09:48:37 use -
	stats:
	  replay-window 0 replay 0 failed 0
src "local public IP" dst "remote public IP"
	proto esp spi 0x51a16278(1369531000) reqid 16385(0x00004001) mode tunnel
	replay-window 32 seq 0x00000000 flag noecn nopmtudisc af-unspec (0x00100101)
	auth-trunc hmac(sha1) 0***************************************xx (160 bits) 96
	enc cbc(aes) 0***************************************************************xx (256 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  2772(bytes), 33(packets)
	  add 2014-09-12 09:48:37 use 2014-09-12 10:36:58
	stats:
	  replay-window 0 replay 0 failed 0
According to our understanding, this shows that packets are transmitted into the IPSec tunnel. The packet counter for the second entry is increasing while the ping continues. No response packets from the remote end are received.
On the remote end a Juniper firewall is used and the network engineer there can also see that packets are transmitted into the tunnel but no response packets are received.
Do any of you have any idea on how we can solve this problem? Do you need any additional information?
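The diagnostic the post walks through by hand, reading the two `ip -s xfrm state` entries and comparing the `lifetime current` counters per direction, can be automated. The following is an added example, not code from the post or from Sophos; it parses the output format quoted above into one record per SA, classifies the tunnel as idle, bidirectional or one-way from the packet counters as seen from the local gateway, and computes per-SPI counter increments between two snapshots so that "the counter is increasing while the ping continues" becomes a number. The sample text is constructed to mirror the shape of the quoted output, with RFC 5737 documentation addresses standing in for the post's "local public IP" and "remote public IP"; the masked key lines are omitted because the parser does not use them.

```python
"""Parse `ip -s xfrm state` output and summarise per-SA traffic counters.

Added example (not from the forum post). Groups the output into one record
per SA (each block starts with a `src ... dst ...` line), reads the SPI, mode,
`lifetime current` counters, last-use time and replay stats, then classifies
the tunnel by direction of traffic and diffs counters between two snapshots.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not the post's real IPs.
LOCAL_PUBLIC_IP = "198.51.100.20"
REMOTE_PUBLIC_IP = "203.0.113.10"

# Constructed sample in the shape of `ip -s xfrm state`; SPIs and timestamps
# follow the output quoted in the post, key lines are left out.
SAMPLE = f"""\
src {REMOTE_PUBLIC_IP} dst {LOCAL_PUBLIC_IP}
\tproto esp spi 0xfd72dd09(4252163337) reqid 16385(0x00004001) mode tunnel
\treplay-window 32 seq 0x00000000 flag noecn nopmtudisc af-unspec (0x00100101)
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\tlifetime current:
\t  0(bytes), 0(packets)
\t  add 2014-09-12 09:48:37 use -
\tstats:
\t  replay-window 0 replay 0 failed 0
src {LOCAL_PUBLIC_IP} dst {REMOTE_PUBLIC_IP}
\tproto esp spi 0x51a16278(1369531000) reqid 16385(0x00004001) mode tunnel
\treplay-window 32 seq 0x00000000 flag noecn nopmtudisc af-unspec (0x00100101)
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\tlifetime current:
\t  2772(bytes), 33(packets)
\t  add 2014-09-12 09:48:37 use 2014-09-12 10:36:58
\tstats:
\t  replay-window 0 replay 0 failed 0
"""


@dataclass
class SaCounters:
    src: str
    dst: str
    spi: str = ""
    mode: str = ""
    bytes: int = 0
    packets: int = 0
    last_use: str = "-"
    replay: int = 0
    failed: int = 0


SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SPI_LINE = re.compile(r"proto \w+ spi (0x[0-9a-f]+)\(\d+\).*mode (\w+)")
# Only `lifetime current` has bare integers here; the config lines say (INF).
CURRENT_LINE = re.compile(r"^\s*(\d+)\(bytes\), (\d+)\(packets\)")
USE_LINE = re.compile(r"^\s*add \S+ \S+ use (.+)$")
STATS_LINE = re.compile(r"replay-window \d+ replay (\d+) failed (\d+)")


def parse_xfrm_state(text: str) -> list[SaCounters]:
    """Split `ip -s xfrm state` output into one SaCounters per SA."""
    sas: list[SaCounters] = []
    for line in text.splitlines():
        if m := SA_HEADER.match(line):
            sas.append(SaCounters(src=m.group(1), dst=m.group(2)))
            continue
        if not sas:
            continue  # anything before the first SA header
        sa = sas[-1]
        if m := SPI_LINE.search(line):
            sa.spi, sa.mode = m.group(1), m.group(2)
        elif m := CURRENT_LINE.match(line):
            sa.bytes, sa.packets = int(m.group(1)), int(m.group(2))
        elif m := USE_LINE.match(line):
            sa.last_use = m.group(1).strip()
        elif m := STATS_LINE.search(line):
            sa.replay, sa.failed = int(m.group(1)), int(m.group(2))
    return sas


def tunnel_verdict(sas: list[SaCounters], local_ip: str) -> str:
    """Classify traffic direction from the packet counters, seen from local_ip."""
    out_pkts = sum(s.packets for s in sas if s.src == local_ip)
    in_pkts = sum(s.packets for s in sas if s.dst == local_ip)
    if out_pkts == 0 and in_pkts == 0:
        return "idle"
    if in_pkts == 0:
        return "one-way-outbound"  # ESP is sent, nothing decrypts on the way back
    if out_pkts == 0:
        return "one-way-inbound"
    return "bidirectional"


def counter_delta(before: list[SaCounters], after: list[SaCounters]) -> dict[str, int]:
    """Packet-count increase per SPI between two snapshots (new SPIs count from 0)."""
    prev = {s.spi: s.packets for s in before}
    return {s.spi: s.packets - prev.get(s.spi, 0) for s in after}


if __name__ == "__main__":
    snapshot = parse_xfrm_state(SAMPLE)
    for sa in snapshot:
        print(f"{sa.src} -> {sa.dst} spi={sa.spi} {sa.packets} pkts "
              f"{sa.bytes} bytes, last use {sa.last_use}, failed={sa.failed}")
    print("verdict:", tunnel_verdict(snapshot, LOCAL_PUBLIC_IP))
```

In use you would feed it two captures taken a few seconds apart (`ip -s xfrm state > a.txt`, ping, `ip -s xfrm state > b.txt`) and look at `counter_delta`: a growing outbound SPI with a flat inbound SPI and `failed 0` on both sides is exactly the one-way picture described in the post, and tells you the local kernel is encapsulating but never receives (or never successfully decapsulates) return ESP, which is a different place to look than the local policy lookup.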