
Re: The VPN is up, but I have no access on servers


Hi synackray!

Thank you very much for the information. I performed all the procedures you reported. Unfortunately I am not a firewall expert and it's the first time I'm configuring Juniper equipment, so I could not understand the log that was generated.
I am submitting all the procedures and the log that was generated.
Thank you again!!

 

#############################################

 

root@srx340> ping source 192.168.5.2 10.2.18.1
PING 10.2.18.1 (10.2.18.1): 56 data bytes
--- 10.2.18.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

root@srx340> show security ipsec security-associations brief
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 33758b7f 2030/ unlim - root 500 200.155.97.50
  >131073 ESP:aes-cbc-128/sha1 d323853b 2030/ unlim - root 500 200.155.97.50

root@srx340> show security ipsec statistics index 131073
ESP Statistics:
  Encrypted bytes:          1522936
  Decrypted bytes:                0
  Encrypted packets:          10021
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@srx340> configure
Entering configuration mode

[edit]
root@srx340# set security flow traceoptions file tshoot-flow

[edit]
root@srx340# set security flow traceoptions flag basic-datapath

[edit]
root@srx340# set security flow traceoptions packet-filter PF1 source-prefix 192.168.5.2/23

[edit]
root@srx340# set security flow traceoptions packet-filter PF1 destination-prefix 10.2.18.1/23

[edit]
root@srx340# set security flow traceoptions packet-filter PF2 source-prefix 192.168.5.2/23

[edit]
root@srx340# set security flow traceoptions packet-filter PF2 destination-prefix 10.2.18.1/23

[edit]
root@srx340# exit

 

############Executing ping to generate the log below#########


root@srx340> show log tshoot-flow
Apr  6 08:10:20 08:10:20.175882:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.5.2->10.2.18.1 nsp2 0.0.0.0->10.2.18.1.

Apr  6 08:10:20 08:10:20.175882:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.5.2, x_dst_ip 10.2.18.1, in ifp .local..0, out ifp N/A sp 139, dp 5762, ip_proto 1, tos 0

Apr  6 08:10:20 08:10:20.175912:CID-0:RT:Doing DESTINATION addr route-lookup

Apr  6 08:10:20 08:10:20.175912:CID-0:RT:flow_ipv4_rt_lkup success 10.2.18.1, iifl 0x0, oifl 0x46

Apr  6 08:10:20 08:10:20.175912:CID-0:RT:Checking in-ifp from .local..0 to ge-0/0/2.0 for src: 192.168.5.2 in vr_id:0

Apr  6 08:10:20 08:10:20.175912:CID-0:RT:  routed (x_dst_ip 10.2.18.1) from junos-host (.local..0 in 0) to st0.0, Next-hop: 10.2.18.1

Apr  6 08:10:20 08:10:20.175960:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone VPN (0x0,0x8b1682,0x1682)

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:policy lkup: vsys 0 zone(2:junos-host) -> zone(11:VPN) scope:0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:             192.168.5.2/2048 -> 10.2.18.1/52867 proto 1

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  permitted by policy self-traffic-policy(1)

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  packet passed, Permitted by policy.

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_src_xlate:  incoming src port is : 139.

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  dip id = 0/0, 192.168.5.2/139->192.168.5.2/139 protocol 0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:(flow_first_get_tun_info) Valid IP, using IP from session

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  Doing IPSec traffic-selector match for  192.168.5.2 -> 10.2.18.1

Apr  6 08:10:20 08:10:20.175964:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel

Apr  6 08:10:20 08:10:20.175964:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT: Found IPSec nsp_tunnel 0x583f6c38 for bind-ifp st0.0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_get_tun_info: tunnel out 0x583f6c38, tun id 131073

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x583f6c38, tun id 131073, tun if ge-0/0/0.0, tun bind if st0.0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  choose interface ge-0/0/0.0(P2P) as outgoing phy if

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.2.18.1, rtt_idx:0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:-jsf : Alloc sess plugin info for session 4295163017

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 4295163017, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:-jsf : no plugin interested for session 4295163017, free sess plugin info

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:[JSF]Releasing plugin info blocks

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_service_lookup(): natp(0x5afc2cc8): app_id, 0(0).

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  service lookup identified service 0.

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:In flow_first_complete_session

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51028a10, nsp: 0x5afc2cc8, in_tunnel: 0x0

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:construct v4 vector for nsp2

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  existing vector list 0x204-0x4ae2e5a0.

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  Session (id:195721) created for first pak 204

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:first pak processing successful

Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  flow_first_install_session======> 0x5afc2cc8

Apr  6 08:10:20 08:10:20.175964:CID-0:RT: nsp 0x5afc2cc8, nsp2 0x5afc2d58

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  make_nsp_ready_no_resolve()

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:flow_ipv4_rt_lkup success 192.168.5.2, iifl 0x0, oifl 0x0

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  route lookup: dest-ip 192.168.5.2 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  route to 192.168.5.2

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:no need update ha

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:Installing c2s NP session wing

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:first path session installation succeeded

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  flow got session.

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  flow session id 195721

Apr  6 08:10:20 08:10:20.176253:CID-0:RT: vector bits 0x204 vector 0x4ae2e5a0

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:ttl vector, out_tunnel = 0x583f6c38

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  encap vector

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  going into tunnel 131073 (nsp_tunnel=0x583f6c38).

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  flow_encrypt: tun 0x583f6c38, type 1

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:mbuf 0x45e82580, exit nh 0x120010

Apr  6 08:10:20 08:10:20.176253:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51028a10 associated with mbuf 0x45e82580

Apr  6 08:10:20 08:10:20.176253:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


Apr  6 08:10:20 08:10:20.333663:CID-0:RT:jsf sess close notify

Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 195212, in hash 32

Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 195212, in hash 32

Apr  6 08:10:20 08:10:20.333663:CID-0:RT:jsf sess close notify

Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 194793, in hash 32

Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 194793, in hash 32

Apr  6 08:10:21 08:10:21.176701:CID-0:RT:<192.168.5.2/140->10.2.18.1/5762;1> matched filter PF1:

Apr  6 08:10:21 08:10:21.176701:CID-0:RT:packet [84] ipid = 39918, @0x45e84bc1

Apr  6 08:10:21 08:10:21.176755:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 0, common flag 0x0, mbuf 0x45e82580, rtbl_idx = 0

Apr  6 08:10:21 08:10:21.176766:CID-0:RT:flow process pak, mbuf 0x45e82580, ifl 0, ctxt_type 0 inq type 5

Apr  6 08:10:21 08:10:21.176766:CID-0:RT: in_ifp <junos-host:.local..0>

Apr  6 08:10:21 08:10:21.176766:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6ade0790

Apr  6 08:10:21 08:10:21.176766:CID-0:RT:host inq check inq_type 0x5

Apr  6 08:10:21 08:10:21.176766:CID-0:RT:Using vr id from pfe_tag with value= 0

Apr  6 08:10:21 08:10:21.176766:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0

Apr  6 08:10:21 08:10:21.176766:CID-0:RT:over-riding lpak->vsys with 0

Apr  6 08:10:21 08:10:21.176766:CID-0:RT:  .local..0:192.168.5.2->10.2.18.1, icmp, (8/0)

Apr  6 08:10:21 08:10:21.176816:CID-0:RT: find flow: table 0x525d9c00, hash 44881(0xffff), sa 192.168.5.2, da 10.2.18.1, sp 140, dp 5762, proto 1, tok 2, conn-tag 0x00000000

Apr  6 08:10:21 08:10:21.176816:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

Apr  6 08:10:21 08:10:21.176816:CID-0:RT:  flow_first_create_session

Apr  6 08:10:21 08:10:21.176846:CID-0:RT:save init hash spu id 0 to nsp and nsp2!

Apr  6 08:10:21 08:10:21.176846:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session

Apr  6 08:10:21 08:10:21.176846:CID-0:RT:First path alloc and instl pending session, natp=0x5afc30a8, id=195723

Apr  6 08:10:21 08:10:21.176846:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.2.18.1, sp 140, dp 5762

Apr  6 08:10:21 08:10:21.176846:CID-0:RT:  chose interface .local..0 as incoming nat if.

Apr  6 08:10:21 08:10:21.176846:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.5.2->10.2.18.1 nsp2 0.0.0.0->10.2.18.1.

Apr  6 08:10:21 08:10:21.176895:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.5.2, x_dst_ip 10.2.18.1, in ifp .local..0, out ifp N/A sp 140, dp 5762, ip_proto 1, tos 0

Apr  6 08:10:21 08:10:21.176906:CID-0:RT:Doing DESTINATION addr route-lookup

Apr  6 08:10:21 08:10:21.176918:CID-0:RT:flow_ipv4_rt_lkup success 10.2.18.1, iifl 0x0, oifl 0x46

Apr  6 08:10:21 08:10:21.176918:CID-0:RT:Checking in-ifp from .local..0 to ge-0/0/2.0 for src: 192.168.5.2 in vr_id:0

Apr  6 08:10:21 08:10:21.176918:CID-0:RT:  routed (x_dst_ip 10.2.18.1) from junos-host (.local..0 in 0) to st0.0, Next-hop: 10.2.18.1

Apr  6 08:10:21 08:10:21.176955:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone VPN (0x0,0x8c1682,0x1682)

Apr  6 08:10:21 08:10:21.176963:CID-0:RT:policy lkup: vsys 0 zone(2:junos-host) -> zone(11:VPN) scope:0

Apr  6 08:10:21 08:10:21.176963:CID-0:RT:             192.168.5.2/2048 -> 10.2.18.1/51823 proto 1

Apr  6 08:10:21 08:10:21.176963:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

Apr  6 08:10:21 08:10:21.176963:CID-0:RT:  permitted by policy self-traffic-policy(1)

Apr  6 08:10:21 08:10:21.176963:CID-0:RT:  packet passed, Permitted by policy.

Apr  6 08:10:21 08:10:21.176963:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

Apr  6 08:10:21 08:10:21.176963:CID-0:RT:flow_first_src_xlate:  incoming src port is : 140.

Apr  6 08:10:21 08:10:21.177020:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

Apr  6 08:10:21 08:10:21.177020:CID-0:RT:  dip id = 0/0, 192.168.5.2/140->192.168.5.2/140 protocol 0

Apr  6 08:10:21 08:10:21.177020:CID-0:RT:(flow_first_get_tun_info) Valid IP, using IP from session

Apr  6 08:10:21 08:10:21.177020:CID-0:RT:  Doing IPSec traffic-selector match for  192.168.5.2 -> 10.2.18.1

Apr  6 08:10:21 08:10:21.177020:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel

Apr  6 08:10:21 08:10:21.177020:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0

Apr  6 08:10:21 08:10:21.177020:CID-0:RT: Found IPSec nsp_tunnel 0x583f6c38 for bind-ifp st0.0

Apr  6 08:10:21 08:10:21.177067:CID-0:RT:flow_first_get_tun_info: tunnel out 0x583f6c38, tun id 131073

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x583f6c38, tun id 131073, tun if ge-0/0/0.0, tun bind if st0.0

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  choose interface ge-0/0/0.0(P2P) as outgoing phy if

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.2.18.1, rtt_idx:0

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:-jsf : Alloc sess plugin info for session 4295163019

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 4295163019, impli mask(0x0), post_nat cnt 0 svc req(0x0)

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:-jsf : no plugin interested for session 4295163019, free sess plugin info

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:[JSF]Releasing plugin info blocks

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_first_service_lookup(): natp(0x5afc30a8): app_id, 0(0).

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  service lookup identified service 0.

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:In flow_first_complete_session

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51048a10, nsp: 0x5afc30a8, in_tunnel: 0x0

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:construct v4 vector for nsp2

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  existing vector list 0x204-0x4ae2e5a0.

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  Session (id:195723) created for first pak 204

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:first pak processing successful

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow_first_install_session======> 0x5afc30a8

Apr  6 08:10:21 08:10:21.177074:CID-0:RT: nsp 0x5afc30a8, nsp2 0x5afc3138

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  make_nsp_ready_no_resolve()

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_ipv4_rt_lkup success 192.168.5.2, iifl 0x0, oifl 0x0

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  route lookup: dest-ip 192.168.5.2 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  route to 192.168.5.2

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:no need update ha

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:Installing c2s NP session wing

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:first path session installation succeeded

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow got session.

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow session id 195723

Apr  6 08:10:21 08:10:21.177074:CID-0:RT: vector bits 0x204 vector 0x4ae2e5a0

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:ttl vector, out_tunnel = 0x583f6c38

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  encap vector

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  going into tunnel 131073 (nsp_tunnel=0x583f6c38).

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow_encrypt: tun 0x583f6c38, type 1

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:mbuf 0x45e82580, exit nh 0x120010

Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51048a10 associated with mbuf 0x45e82580

Apr  6 08:10:21 08:10:21.177074:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
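As an added illustration (not part of the original thread or of Junos itself), the script below reads the two outputs posted above, the `show security ipsec statistics` counters and the `tshoot-flow` trace, and classifies the tunnel: encrypted packets with zero decrypted packets and zero ESP errors, while every traced session enters the tunnel and none arrives with `in_tunnel` set, means the SRX is sending ESP but nothing is coming back. The sample strings are abbreviated copies of the posted output.

```python
import re

# Constructed sample: abbreviated copy of the posted ipsec statistics.
IPSEC_STATS = """ESP Statistics:
  Encrypted bytes:          1522936
  Decrypted bytes:                0
  Encrypted packets:          10021
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
"""

# Constructed sample: the relevant lines from the posted flow trace.
FLOW_TRACE = """Apr  6 08:10:21 08:10:21.176963:CID-0:RT:  permitted by policy self-traffic-policy(1)
Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51048a10, nsp: 0x5afc30a8, in_tunnel: 0x0
Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  going into tunnel 131073 (nsp_tunnel=0x583f6c38).
Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow_encrypt: tun 0x583f6c38, type 1
"""

def parse_esp_stats(text):
    """Map every 'Name: <int>' counter in the statistics block to an int."""
    stats = {}
    for key, val in re.findall(r"([A-Za-z ]+?):\s+(\d+)", text):
        stats[key.strip()] = int(val)
    return stats

def tunnel_diagnosis(stats, trace):
    """Classify the tunnel from the counters plus the flow trace."""
    enc = stats.get("Encrypted packets", 0)
    dec = stats.get("Decrypted packets", 0)
    crypto_errors = (stats.get("ESP authentication failures", 0)
                     + stats.get("ESP decryption failures", 0))
    entered = re.findall(r"going into tunnel (\d+)", trace)
    # in_tunnel is non-zero only for packets that arrived through an SA
    inbound = re.findall(r"in_tunnel: (0x[0-9a-f]+)", trace)
    saw_return = any(v != "0x0" for v in inbound)
    if crypto_errors:
        return "crypto-mismatch"   # peers disagree on keys or algorithms
    if enc and dec == 0 and entered and not saw_return:
        return "one-way"           # we encrypt; the peer never answers
    if enc and dec:
        return "bidirectional"
    return "no-traffic"

if __name__ == "__main__":
    stats = parse_esp_stats(IPSEC_STATS)
    print("encrypted", stats["Encrypted packets"], "decrypted", stats["Decrypted packets"])
    print("diagnosis:", tunnel_diagnosis(stats, FLOW_TRACE))
```

A "one-way" result points the investigation at the far end (its return route, proxy IDs and policy for 192.168.5.2) rather than at the local flow policy, which the trace already shows permitting the packet.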




