SRX (REMOTE SITE)

set interfaces ge-6/0/13 unit 0 family inet address 10.8.8.1/30
set interfaces st0 unit 6 family inet mtu 9000
set interfaces lo0 unit 11 family inet address 10.11.6.1/32
set interfaces lo0 unit 11 family inet address 10.11.6.2/32
set security ike proposal PSK-AES256-SHA256-DH14 authentication-method pre-shared-keys
set security ike proposal PSK-AES256-SHA256-DH14 dh-group group14
set security ike proposal PSK-AES256-SHA256-DH14 authentication-algorithm sha-256
set security ike proposal PSK-AES256-SHA256-DH14 encryption-algorithm aes-256-cbc
set security ike proposal PSK-AES256-SHA256-DH14 lifetime-seconds 3600
set security ipsec proposal HMAC-SHA1 protocol esp
set security ipsec proposal HMAC-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal HMAC-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal HMAC-SHA1 lifetime-seconds 3600
set security ike policy BP-TEST-SITE7 mode main
set security ike policy BP-TEST-SITE7 proposals PSK-AES256-SHA256-DH14
set security ike policy BP-TEST-SITE7 pre-shared-key ascii-text Ct1Bl0ck#1234
set security ike gateway BP-TEST-SITE7 ike-policy BP-TEST-SITE7
set security ike gateway BP-TEST-SITE7 address 10.10.6.1
set security ike gateway BP-TEST-SITE7 dead-peer-detection interval 10
set security ike gateway BP-TEST-SITE7 dead-peer-detection threshold 2
set security ike gateway BP-TEST-SITE7 external-interface lo0.11
set security ike gateway BP-TEST-SITE7 local-address 10.11.6.1
set security ipsec policy BP-TEST-SITE7 perfect-forward-secrecy keys group14
set security ipsec policy BP-TEST-SITE7 proposals HMAC-SHA1
set security ipsec vpn BP-TEST-SITE7 bind-interface st0.6
set security ipsec vpn BP-TEST-SITE7 ike gateway BP-TEST-SITE7
set security ipsec vpn BP-TEST-SITE7 ike ipsec-policy BP-TEST-SITE7
set security ipsec vpn BP-TEST-SITE7 establish-tunnels immediately
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic match source-address any
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic match destination-address any
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic match application any
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic then permit
set security zones security-zone BP-TEST-SITE7 host-inbound-traffic system-services all
set security zones security-zone BP-TEST-SITE7 host-inbound-traffic protocols all
set security zones security-zone BP-TEST-SITE7 interfaces lo0.11
set security zones security-zone BP-TEST-SITE7 interfaces ge-6/0/13.0
set security zones security-zone BP-TEST-SITE7 interfaces st0.6
set routing-instances BP-TEST-SITE7 instance-type virtual-router
set routing-instances BP-TEST-SITE7 interface ge-6/0/13.0
set routing-instances BP-TEST-SITE7 interface lo0.11
set routing-instances BP-TEST-SITE7 interface st0.6
set routing-instances BP-TEST-SITE7 routing-options static route 10.10.6.1/32 next-hop 10.8.8.2
set routing-instances BP-TEST-SITE7 routing-options static route 10.10.6.2/32 next-hop st0.6
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 type external
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 multihop ttl 3
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 local-address 10.11.6.2
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 peer-as 64007
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 local-as 63007
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 neighbor 10.10.6.2

RESULTS

show security ike security-associations 10.10.6.1
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
5452848 UP     b1733b8b83d1d7ec  e86d30ac137f40b1  Main  10.10.6.1

show security ike security-associations 10.10.6.1 detail
IKE peer 10.10.6.1, Index 5452848, Gateway Name: BP-TEST-SITE7
  Role: Responder, State: UP
  Initiator cookie: b1733b8b83d1d7ec, Responder cookie: e86d30ac137f40b1
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.11.6.1:500, Remote: 10.10.6.1:500
  Lifetime: Expires in 3547 seconds
  Peer ike-id: 10.10.6.1
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
  Traffic statistics:
   Input  bytes  : 1404
   Output bytes  : 1168
   Input  packets: 6
   Output packets: 5
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 10.11.6.1:500, Remote: 10.10.6.1:500
    Local identity: 10.11.6.1
    Remote identity: 10.10.6.1
    Flags: IKE SA is created

show security ipsec security-associations vpn-name BP-TEST-SITE7
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131086 ESP:aes-cbc-256/sha1 806f096a 3499/ unlim - root 500 10.10.6.1
  >131086 ESP:aes-cbc-256/sha1 e9fc8953 3499/ unlim - root 500 10.10.6.1

show security ipsec security-associations vpn-name BP-TEST-SITE7 detail
  ID: 131086 Virtual-system: root, VPN Name: BP-TEST-SITE7
  Local Gateway: 10.11.6.1, Remote Gateway: 10.10.6.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.6
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 806f096a, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3495 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2930 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: e9fc8953, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3495 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2930 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

ping routing-instance BP-TEST-SITE7 10.10.6.2 source 10.11.6.2
PING 10.10.6.2 (10.10.6.2): 56 data bytes
64 bytes from 10.10.6.2: icmp_seq=0 ttl=64 time=1.267 ms
64 bytes from 10.10.6.2: icmp_seq=1 ttl=64 time=1.028 ms
64 bytes from 10.10.6.2: icmp_seq=2 ttl=64 time=0.987 ms
64 bytes from 10.10.6.2: icmp_seq=3 ttl=64 time=1.194 ms
64 bytes from 10.10.6.2: icmp_seq=4 ttl=64 time=1.079 ms
^C
--- 10.10.6.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.987/1.111/1.267/0.104 ms

show bgp neighbor 10.10.6.2
Peer: 10.10.6.2+62760 AS 64007   Local: 10.11.6.2+179 AS 63007
  Type: External    State: Established    Flags:
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Options:
  Local Address: 10.11.6.2 Holdtime: 90 Preference: 170 Local AS: 63007 Local System AS: 65534
  Number of flaps: 0
  Peer ID: 10.10.6.1       Local ID: 10.11.6.1        Active Holdtime: 90
  Keepalive Interval: 30         Peer index: 0
  BFD: disabled, down
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer supports 4 byte AS extension (peer-as 64007)
  Peer does not support Addpath
  Table BP-TEST-SITE7.inet.0 Bit: 150000
    RIB State: BGP restart is complete
    RIB State: VPN restart is complete
    Send state: in sync
    Active prefixes:              0
    Received prefixes:            0
    Accepted prefixes:            0
    Suppressed due to damping:    0
    Advertised prefixes:          0
  Last traffic (seconds): Received 5    Sent 15   Checked 85
  Input messages:  Total 9      Updates 1       Refreshes 0     Octets 215
  Output messages: Total 9      Updates 0       Refreshes 0     Octets 234
  Output Queue[20]: 0

show log kmd | match 10.11.6.1
[Dec 18 13:37:43]iked_pm_ike_spd_notify_received: Received authenticated notification payload unknown from local:10.11.6.1 remote:10.10.6.1 IKEv1 for P1 SA 5452848
[Dec 18 13:37:43]10.11.6.1:500 (Responder) <-> 10.10.6.1:500 { b1733b8b 83d1d7ec - e86d30ac 137f40b1 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha256, prf = hmac-sha256,
[Dec 18 13:37:43]iked_pm_ike_sa_done: local:10.11.6.1, remote:10.10.6.1 IKEv1
[Dec 18 13:37:43]IKE negotiation done for local:10.11.6.1, remote:10.10.6.1 IKEv1 with status: Error ok
[Dec 18 13:37:43]10.11.6.1:500 (Initiator) <-> 10.10.6.1:500 { 0b1d794e 76b6ada5 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[Dec 18 13:37:43]IPSec SA done callback called for sa-cfg BP-TEST-SITE7 local:10.11.6.1, remote:10.10.6.1 IKEv1 with status Timed out
[Dec 18 13:37:43]IKE SA delete called for p1 sa 5452847 (ref cnt 1) local:10.11.6.1, remote:10.10.6.1, IKEv1
[Dec 18 13:37:43]Construction NHTB payload for local:10.11.6.1, remote:10.10.6.1 IKEv1 P1 SA index 5452848 sa-cfg BP-TEST-SITE7
[Dec 18 13:37:43]iked_pm_ipsec_sa_install: local:10.11.6.1, remote:10.10.6.1 IKEv1 for SA-CFG BP-TEST-SITE7
[Dec 18 13:37:43]Added (spi=0x806f096a, protocol=ESP dst=10.11.6.1) entry to the peer hash table
[Dec 18 13:37:43]IPSec negotiation done successfully for SA-CFG BP-TEST-SITE7 for local:10.11.6.1, remote:10.10.6.1 IKEv1
[Dec 18 13:37:57]iked_pm_ike_spd_notify_received: Received authenticated notification payload unknown from local:10.11.6.1 remote:10.10.6.1 IKEv1 for P1 SA 5452848

************************************************************************************************************************************

SRX - (ROUTE-LEAK SITE)

set interfaces ge-6/0/13 unit 0 family inet address 10.8.8.2/30
set interfaces st0 unit 6 family inet mtu 9000
set interfaces lo0 unit 11 family inet address 10.10.6.1/32
set interfaces lo0 unit 11 family inet address 10.10.6.2/32
set security ike proposal PSK-AES256-SHA256-DH14 authentication-method pre-shared-keys
set security ike proposal PSK-AES256-SHA256-DH14 dh-group group14
set security ike proposal PSK-AES256-SHA256-DH14 authentication-algorithm sha-256
set security ike proposal PSK-AES256-SHA256-DH14 encryption-algorithm aes-256-cbc
set security ike proposal PSK-AES256-SHA256-DH14 lifetime-seconds 3600
set security ipsec proposal HMAC-SHA1-96 protocol esp
set security ipsec proposal HMAC-SHA1-96 authentication-algorithm hmac-sha1-96
set security ipsec proposal HMAC-SHA1-96 encryption-algorithm aes-256-cbc
set security ipsec proposal HMAC-SHA1-96 lifetime-seconds 3600
set security ike policy BP-TEST-SITE7 mode main
set security ike policy BP-TEST-SITE7 proposals PSK-AES256-SHA256-DH14
set security ike policy BP-TEST-SITE7 pre-shared-key ascii-text Ct1Bl0ck#1234
set security ike gateway BP-TEST-SITE7 ike-policy BP-TEST-SITE7
set security ike gateway BP-TEST-SITE7 address 10.11.6.1
set security ike gateway BP-TEST-SITE7 dead-peer-detection interval 10
set security ike gateway BP-TEST-SITE7 dead-peer-detection threshold 2
set security ike gateway BP-TEST-SITE7 external-interface lo0.11
set security ike gateway BP-TEST-SITE7 local-address 10.10.6.1
set security ipsec policy BP-TEST-SITE7 perfect-forward-secrecy keys group14
set security ipsec policy BP-TEST-SITE7 proposals HMAC-SHA1-96
set security ipsec vpn BP-TEST-SITE7 bind-interface st0.6
set security ipsec vpn BP-TEST-SITE7 ike gateway BP-TEST-SITE7
set security ipsec vpn BP-TEST-SITE7 ike ipsec-policy BP-TEST-SITE7
set security ipsec vpn BP-TEST-SITE7 establish-tunnels immediately
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic match source-address any
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic match destination-address any
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic match application any
set security policies from-zone BP-TEST-SITE7 to-zone BP-TEST-SITE7 policy all-traffic then permit
set security zones security-zone BP-TEST-SITE7 host-inbound-traffic system-services all
set security zones security-zone BP-TEST-SITE7 host-inbound-traffic protocols all
set security zones security-zone BP-TEST-SITE7 interfaces lo0.11
set security zones security-zone BP-TEST-SITE7 interfaces ge-6/0/13.0
set security zones security-zone BP-TEST-SITE7 interfaces st0.6
set routing-instances BP-TEST-SITE7 instance-type virtual-router
set routing-instances BP-TEST-SITE7 interface ge-6/0/13.0
set routing-instances BP-TEST-SITE7 interface lo0.11
set routing-instances BP-TEST-SITE7 interface st0.6
set routing-instances BP-TEST-SITE7 routing-options interface-routes rib-group inet BP-TEST-SITE7
set routing-instances BP-TEST-SITE7 routing-options static rib-group BP-TEST-SITE7
set routing-instances BP-TEST-SITE7 routing-options static route 10.11.6.1/32 next-hop 10.8.8.1
set routing-instances BP-TEST-SITE7 routing-options static route 10.11.6.2/32 next-hop st0.6
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 type external
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 multihop ttl 3
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 local-address 10.10.6.2
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 peer-as 63007
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 local-as 64007
set routing-instances BP-TEST-SITE7 protocols bgp group BP-TEST-SITE7 neighbor 10.11.6.2
set routing-options static rib-group master-route-leak-vr
set routing-options rib-groups master-route-leak-vr import-rib inet.0
set routing-options rib-groups master-route-leak-vr import-rib BP-TEST-SITE7.inet.0
set routing-options rib-groups master-route-leak-vr import-policy IKE-GATEWAY-ROUTE
set routing-options rib-groups BP-TEST-SITE7 import-rib BP-TEST-SITE7.inet.0
set routing-options rib-groups BP-TEST-SITE7 import-rib inet.0
set routing-options rib-groups BP-TEST-SITE7 import-policy IKE-LOCAL-ROUTE
set policy-options policy-statement IKE-GATEWAY-ROUTE term 10 from route-filter 10.11.6.1/32 exact
set policy-options policy-statement IKE-GATEWAY-ROUTE term 10 then accept
set policy-options policy-statement IKE-GATEWAY-ROUTE term 20 then reject

RESULTS

show route table BP-TEST-SITE7.inet.0
BP-TEST-SITE7.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.8.8.0/30        *[Direct/0] 00:11:53
                    > via ge-6/0/13.0
10.8.8.2/32        *[Local/0] 00:11:53
                      Local via ge-6/0/13.0
10.10.6.1/32       *[Direct/0] 00:11:53
                    > via lo0.11
10.10.6.2/32       *[Direct/0] 00:11:53
                    > via lo0.11
10.11.6.1/32       *[Static/5] 00:07:36
                    > to 10.8.8.1 via ge-6/0/13.0
10.11.6.2/32       *[Static/5] 00:05:10
                    > via st0.6

show route table inet.0
inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:29:06
                    > to 184.183.183.225 via ge-0/0/5.0
10.11.6.1/32       *[Static/5] 00:07:36
                    > to 10.8.8.1 via ge-6/0/13.0
10.10.6.1/32       *[Direct/0] 00:07:55
                    > via lo0.11

show security ike security-associations 10.11.6.1
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
5916709 UP     b1733b8b83d1d7ec  e86d30ac137f40b1  Main  10.11.6.1

show security ike security-associations 10.11.6.1 detail
IKE peer 10.11.6.1, Index 5916709, Gateway Name: BP-TEST-SITE7
  Role: Initiator, State: UP
  Initiator cookie: b1733b8b83d1d7ec, Responder cookie: e86d30ac137f40b1
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.6.1:500, Remote: 10.11.6.1:500
  Lifetime: Expires in 3036 seconds
  Peer ike-id: 10.11.6.1
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
  Traffic statistics:
   Input  bytes  : 1276
   Output bytes  : 1512
   Input  packets: 6
   Output packets: 7
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 10.10.6.1:500, Remote: 10.11.6.1:500
    Local identity: 10.10.6.1
    Remote identity: 10.11.6.1
    Flags: IKE SA is created

show security ipsec security-associations vpn-name BP-TEST-SITE7
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131088 ESP:aes-cbc-256/sha1 e9fc8953 2986/ unlim - root 500 10.11.6.1
  >131088 ESP:aes-cbc-256/sha1 806f096a 2986/ unlim - root 500 10.11.6.1

show security ipsec security-associations vpn-name BP-TEST-SITE7 detail
  ID: 131088 Virtual-system: root, VPN Name: BP-TEST-SITE7
  Local Gateway: 10.10.6.1, Remote Gateway: 10.11.6.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.6
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: e9fc8953, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2983 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2360 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 806f096a, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2983 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2360 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

ping routing-instance BP-TEST-SITE7 10.11.6.2 source 10.10.6.2
PING 10.11.6.2 (10.11.6.2): 56 data bytes
64 bytes from 10.11.6.2: icmp_seq=0 ttl=64 time=1.709 ms
64 bytes from 10.11.6.2: icmp_seq=1 ttl=64 time=1.116 ms
64 bytes from 10.11.6.2: icmp_seq=2 ttl=64 time=1.111 ms
64 bytes from 10.11.6.2: icmp_seq=3 ttl=64 time=1.041 ms
64 bytes from 10.11.6.2: icmp_seq=4 ttl=64 time=1.047 ms
64 bytes from 10.11.6.2: icmp_seq=5 ttl=64 time=1.162 ms
64 bytes from 10.11.6.2: icmp_seq=6 ttl=64 time=1.041 ms
^C64 bytes from 10.11.6.2: icmp_seq=7 ttl=64 time=1.079 ms
64 bytes from 10.11.6.2: icmp_seq=8 ttl=64 time=7.577 ms
64 bytes from 10.11.6.2: icmp_seq=9 ttl=64 time=1.046 ms
^C
--- 10.11.6.2 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.041/1.793/7.577/1.937 ms
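The two configurations above negotiate identical parameters from differently named IPsec proposals (HMAC-SHA1 on the remote site, HMAC-SHA1-96 on the route-leak site; proposal names are local and are never sent to the peer). The following is an added example, not code from the page or its author: it parses the tunnel-relevant lines of both set-format configurations, confirms that the ends agree on every negotiated parameter, and lists what a security review would query from the statements alone: IKEv1 (neither gateway has `version v2-only`), the pre-shared key shown in clear text, HMAC-SHA1-96 as the ESP integrity algorithm, and the zone's `host-inbound-traffic system-services all`. The route-leak side's text is derived from the remote side's by swapping the two addresses and renaming the proposal, which is exactly the difference the page shows; the helper and finding names are the example's own.

```python
"""Cross-check and audit the IKE/IPsec parameters of two Junos SRX peers
from set-format configuration text. Added example; every finding is derived
only from statements present in the text."""
import re

# Tunnel-relevant lines of the REMOTE SITE configuration, copied from the page.
REMOTE_SITE = """\
set security ike proposal PSK-AES256-SHA256-DH14 authentication-method pre-shared-keys
set security ike proposal PSK-AES256-SHA256-DH14 dh-group group14
set security ike proposal PSK-AES256-SHA256-DH14 authentication-algorithm sha-256
set security ike proposal PSK-AES256-SHA256-DH14 encryption-algorithm aes-256-cbc
set security ike proposal PSK-AES256-SHA256-DH14 lifetime-seconds 3600
set security ipsec proposal HMAC-SHA1 protocol esp
set security ipsec proposal HMAC-SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal HMAC-SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal HMAC-SHA1 lifetime-seconds 3600
set security ike policy BP-TEST-SITE7 mode main
set security ike policy BP-TEST-SITE7 proposals PSK-AES256-SHA256-DH14
set security ike policy BP-TEST-SITE7 pre-shared-key ascii-text Ct1Bl0ck#1234
set security ike gateway BP-TEST-SITE7 ike-policy BP-TEST-SITE7
set security ike gateway BP-TEST-SITE7 address 10.10.6.1
set security ike gateway BP-TEST-SITE7 local-address 10.11.6.1
set security ipsec policy BP-TEST-SITE7 perfect-forward-secrecy keys group14
set security ipsec policy BP-TEST-SITE7 proposals HMAC-SHA1
set security ipsec vpn BP-TEST-SITE7 ike gateway BP-TEST-SITE7
set security ipsec vpn BP-TEST-SITE7 ike ipsec-policy BP-TEST-SITE7
set security zones security-zone BP-TEST-SITE7 host-inbound-traffic system-services all
"""
# The ROUTE-LEAK SITE differs only in the swapped addresses and the IPsec
# proposal name (HMAC-SHA1-96), so it is derived from the same text here.
ROUTE_LEAK_SITE = re.sub(r"\bHMAC-SHA1\b", "HMAC-SHA1-96",
                         REMOTE_SITE.replace("10.10.6.1", "@").replace("10.11.6.1", "10.10.6.1")
                         .replace("@", "10.11.6.1"))

IKE_KEYS = ("authentication-method", "dh-group", "authentication-algorithm",
            "encryption-algorithm", "lifetime-seconds")
IPSEC_KEYS = ("protocol", "authentication-algorithm", "encryption-algorithm", "lifetime-seconds")

def parse_set(text):
    """One token tuple per 'set ...' line, with the leading 'set' dropped."""
    return [tuple(l.split()[1:]) for l in text.splitlines() if l.strip().startswith("set ")]

def leaf(stmts, *prefix):
    """Tokens that follow `prefix` in the first statement starting with it ('' if none)."""
    n = len(prefix)
    return next((" ".join(s[n:]) for s in stmts if s[:n] == prefix), "")

def first_word(s):
    return (s.split() or [""])[0]

def tunnel_params(stmts, vpn):
    """Follow vpn -> gateway -> policies -> proposals and collect what gets negotiated."""
    gw = leaf(stmts, "security", "ipsec", "vpn", vpn, "ike", "gateway")
    ipsec_pol = leaf(stmts, "security", "ipsec", "vpn", vpn, "ike", "ipsec-policy")
    ike_pol = leaf(stmts, "security", "ike", "gateway", gw, "ike-policy")
    # A policy may list several proposals; as on the page, only the first is considered.
    ike_prop = first_word(leaf(stmts, "security", "ike", "policy", ike_pol, "proposals"))
    ipsec_prop = first_word(leaf(stmts, "security", "ipsec", "policy", ipsec_pol, "proposals"))
    return {
        "peer": leaf(stmts, "security", "ike", "gateway", gw, "address"),
        "local": leaf(stmts, "security", "ike", "gateway", gw, "local-address"),
        # A gateway with no 'version' statement negotiates IKEv1 (the page's SA output confirms it).
        "ike_version": leaf(stmts, "security", "ike", "gateway", gw, "version") or "v1",
        "ike_mode": leaf(stmts, "security", "ike", "policy", ike_pol, "mode"),
        "psk": leaf(stmts, "security", "ike", "policy", ike_pol, "pre-shared-key"),
        "ike": {k: leaf(stmts, "security", "ike", "proposal", ike_prop, k) for k in IKE_KEYS},
        "ipsec": {k: leaf(stmts, "security", "ipsec", "proposal", ipsec_prop, k) for k in IPSEC_KEYS},
        "pfs": leaf(stmts, "security", "ipsec", "policy", ipsec_pol, "perfect-forward-secrecy", "keys"),
    }

def mismatches(a, b):
    """Parameters that must be identical, or mirrored, on the two peers."""
    out = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        out.append("gateway address / local-address are not mirrored")
    out += [f"{k} differs: {a[k]!r} vs {b[k]!r}"
            for k in ("ike", "ipsec", "pfs", "ike_mode", "ike_version", "psk") if a[k] != b[k]]
    return out

def findings(stmts, p):
    """Settings a security review would query, each justified by a configured statement."""
    out = []
    if p["ike_version"] != "v2-only":
        out.append("IKEv1 is negotiated (no 'version v2-only' on the gateway)")
    if p["ike_mode"] == "aggressive":
        out.append("aggressive mode exposes the PSK-derived hash to offline guessing")
    if p["psk"].startswith("ascii-text "):
        out.append("pre-shared key appears in clear text in this configuration dump")
    if p["ike"]["dh-group"] in {"group1", "group2", "group5"}:
        out.append("IKE Diffie-Hellman group is smaller than 2048 bits")
    if p["ipsec"]["authentication-algorithm"].startswith("hmac-sha1"):
        out.append("ESP integrity is HMAC-SHA1-96; prefer hmac-sha256-128 or an AES-GCM proposal")
    out += [f"zone {s[3]} accepts all system-services on its interfaces" for s in stmts
            if s[:2] == ("security", "zones") and s[-3:] == ("host-inbound-traffic", "system-services", "all")]
    return out

def audit(vpn="BP-TEST-SITE7"):
    sides = {"remote": parse_set(REMOTE_SITE), "route-leak": parse_set(ROUTE_LEAK_SITE)}
    params = {n: tunnel_params(s, vpn) for n, s in sides.items()}
    return {"mismatches": mismatches(params["remote"], params["route-leak"]),
            "findings": {n: findings(sides[n], params[n]) for n in sides}}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

On the page's configuration the `mismatches` list comes back empty and each side gets the same four findings. On a real pair of boxes, feed each side the output of `show configuration | display set` instead of the embedded text; the parser does not care about statement order or about the unrelated interface, policy and routing lines.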
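The two `show security ipsec security-associations` summaries in the RESULTS sections are mirror images: SPI 806f096a is the inbound SA on the remote site and the outbound SA on the route-leak site, e9fc8953 the reverse, with the same ESP algorithm and each table's Gateway column naming the other box. This added example, not code from the page or its author, parses the two summaries as copied from the page and performs that cross-check automatically; the column regular expression follows the layout shown on the page and the function names are the example's own.

```python
"""Cross-check the IPsec SA summary tables of two SRX peers: what one side
installed as inbound must be the other side's outbound SA, with the same
algorithm and the expected gateway pair. Added example."""
import re

# The two summaries as shown on the page (remote site first).
REMOTE_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131086 ESP:aes-cbc-256/sha1 806f096a 3499/ unlim - root 500 10.10.6.1
  >131086 ESP:aes-cbc-256/sha1 e9fc8953 3499/ unlim - root 500 10.10.6.1
"""
ROUTE_LEAK_SA = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131088 ESP:aes-cbc-256/sha1 e9fc8953 2986/ unlim - root 500 10.11.6.1
  >131088 ESP:aes-cbc-256/sha1 806f096a 2986/ unlim - root 500 10.11.6.1
"""

# One SA row: '<' is inbound, '>' is outbound; columns as printed by the SRX.
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]{8})\s+"
    r"(?P<life>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gw>\S+)\s*$")

def parse_sa_table(text):
    """Return {'inbound': row, 'outbound': row}; header and count lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            row = m.groupdict()
            rows["inbound" if row.pop("dir") == "<" else "outbound"] = row
    return rows

def check_pair(a_text, b_text, a_addr, b_addr):
    """Problems found when comparing side A's table with side B's; [] means consistent."""
    a, b = parse_sa_table(a_text), parse_sa_table(b_text)
    problems = [f"side {n}: expected exactly one inbound and one outbound SA"
                for n, t in (("A", a), ("B", b)) if set(t) != {"inbound", "outbound"}]
    if problems:
        return problems
    if a["inbound"]["spi"] != b["outbound"]["spi"] or a["outbound"]["spi"] != b["inbound"]["spi"]:
        problems.append("SPIs are not mirrored between the peers")
    if {r["alg"] for r in a.values()} != {r["alg"] for r in b.values()}:
        problems.append("ESP algorithms differ between the peers")
    if a["inbound"]["gw"] != b_addr or b["inbound"]["gw"] != a_addr:
        problems.append("Gateway columns do not name the expected peer addresses")
    return problems

if __name__ == "__main__":
    print(check_pair(REMOTE_SA, ROUTE_LEAK_SA, "10.11.6.1", "10.10.6.1") or "tables are consistent")
```

Feeding the same table for both sides is a quick negative test: the SPIs then fail to mirror and the Gateway check fails, which is what you would see if an operator pasted the wrong box's output.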