SRX

 View Only
last person joined: 17 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

Site to Site VPN SRX100 to SSG520 stuck in Phase 2

  • 1.  Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-05-2015 23:58

    Hi Folks!

     

    I have a huge problem getting an simple IPSec VPN tunnel between a SRX100 and a SSG520 working Smiley Mad

    On my SSG520, I have many IPSec tunnel from various router (netgear, cisco, other netscreenOS) - without any problem.

    Now, I have a new SRX100 - the only junos driven device in my environment - and I can't get this VPN tunnel up!

     

    Logging on my SSG520:

    2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                           53b6e132: Responded to the peer's 
                                           first message.
    2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 Phase 1: Completed 
                                           Aggressive mode negotiations with a 
                                           28800-second lifetime.
    2015-02-06 08:20:59 system info  00536 IKE<46.142.93.122> Phase 1: IKE 
                                           responder has detected NAT in front of 
                                           the remote device.
    2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 phase 1:The 
                                           symmetric crypto key has been 
                                           generated successfully.
    2015-02-06 08:20:59 system info  00536 IKE 46.142.93.122 Phase 1: Responder 
                                           starts AGGRESSIVE mode negotiations.
    2015-02-06 08:20:39 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                           09f7a4fb: Responded to the peer's 
                                           first message.
    2015-02-06 08:19:59 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                           09f7a4fb: Responded to the peer's 
                                           first message.
    2015-02-06 08:19:49 system info  00536 Rejected an IKE packet on ethernet2/
                                           2.1 from 46.142.93.122:4500 to 
                                           86.103.130.68:4500 with cookies 
                                           b70c1283f245cb78 and 6e5538e5f9d70375 
                                           because There was a preexisting 
                                           session from the same peer.
    2015-02-06 08:19:49 system info  00536 IKE 46.142.93.122 Phase 2 msg ID 
                                           09f7a4fb: Responded to the peer's 
                                           first message.
    2015-02-06 08:19:49 system info  00536 IKE 46.142.93.122 Phase 1: Completed 
                                           Aggressive mode negotiations with a 
                                           28800-second lifetime.
    2015-02-06 08:19:49 system info  00536 IKE<46.142.93.122> Phase 1: IKE 
                                           responder has detected NAT in front of 
                                           the remote device.
    2015-02-06 08:19:49 system info  00536 IKE 46.142.93.122 phase 1:The 
                                           symmetric crypto key has been 
                                           generated successfully.
    

     This repeats over and over again...

     

    So I thought to have a look at the logs on my SRX100 - but WHERE Smiley Surprised

     

    I googled around and found this kb: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10099&smlogin=true

     

    I wonder, why I have to enable logging at the first place...

     

    So, I set a new log-file as described in this kb article:

     

    # set system syslog file kmd-logs daemon info
    # set system syslog file kmd-logs match KMD
    # commit

     

    I tried to get the tunnel up (SRX is initiator) and reviewed the kmd-logfile and it said:

     

    Feb  5 11:21:54  metzi kmd[1374]: Initialized Empty Buffer (44 bytes), Message length: 44
    Feb  5 11:21:56  metzi kmd[1374]: LIBJSNMP_SA_IPC_REG_ROWS: ns_subagent_register_mibs: registering 4 rows
    Feb  5 11:22:00  metzi kmd[1374]: Config download: Processed 1 - 1 messages
    Feb  5 11:22:00  metzi kmd[1374]: Config download time: 0 seconds
    Feb  5 11:22:01  metzi kmd[1374]: LIBJSNMP_NS_LOG_INFO: INFO: ns_subagent_open_session: NET-SNMP version 5.3.1 AgentX subagent connected
    Feb  5 11:56:53  metzi kmd[1374]: Config download: Processed 2 - 3 messages
    Feb  5 11:56:53  metzi kmd[1374]: Config download time: 0 seconds
    Feb  5 12:02:53  metzi kmd[3126]: Initialized Empty Buffer (44 bytes), Message length: 44
    Feb  5 12:02:53  metzi kmd[3126]: LIBJSNMP_SA_IPC_REG_ROWS: ns_subagent_register_mibs: registering 4 rows
    Feb  5 12:02:54  metzi kmd[3126]: Config download: Processed 1 - 1 messages
    Feb  5 12:02:54  metzi kmd[3126]: Config download time: 0 seconds
    Feb  5 12:02:54  metzi kmd[3126]: LIBJSNMP_NS_LOG_INFO: INFO: ns_subagent_open_session: NET-SNMP version 5.3.1 AgentX subagent connected
    Feb  6 06:27:09  metzi kmd[3126]: Config download: Processed 1 - 2 messages
    Feb  6 06:27:09  metzi kmd[3126]: Config download time: 0 seconds

     Why didn't I see any entrys like "IKE Phase-2 Failure: Quick mode - no proposal chosen" or anything like that?

     

    What do I have to do to get my SRX log the same my SSG520 does? Or, which logfile do I have to review?

     

    VPN Config SSG520:

    cluster:tfkiel_kiwi_fw_2(M)-> get config | inc vpn_metzinger
    set ike gateway "vpn_metzinger" address 0.0.0.0 id "metzinger@tfkiel.de" Aggr outgoing-interface "ethernet2/2.1" preshare "9bN0F3a8NY6yMwsr21Cc6TJmqRnJ2LSgjfLjZS6WoiDuWBPoiAafLS8=" proposal "pre-g5-aes256-sha"
    unset ike gateway "vpn_metzinger" nat-traversal udp-checksum
    set ike gateway "vpn_metzinger" nat-traversal keepalive-frequency 5
    set vpn "vpn_metzinger" gateway "vpn_metzinger" replay tunnel idletime 0 proposal "g5-esp-aes256-sha" 
    set vpn "vpn_metzinger" monitor source-interface ethernet0/1.3 destination-ip 192.168.179.14 optimized
    set vpn "vpn_metzinger" id 0x16e bind interface tunnel.1
    set vpn "vpn_metzinger" proxy-id local-ip 192.168.8.0/24 remote-ip 192.168.179.0/24 "ANY" 

     

    VPN Config SRX100:

    set security ike proposal pre-g5-aes256-sha authentication-method pre-shared-keys
    set security ike proposal pre-g5-aes256-sha dh-group group5
    set security ike proposal pre-g5-aes256-sha authentication-algorithm sha1
    set security ike proposal pre-g5-aes256-sha encryption-algorithm aes-256-cbc
    set security ike proposal pre-g5-aes256-sha lifetime-seconds 28800
    set security ike policy vpn_transfair mode aggressive
    set security ike policy vpn_transfair proposals pre-g5-aes256-sha
    set security ike policy vpn_transfair pre-shared-key ascii-text "$9$HmQ3CtO1EcmfRSleW84aZjHmQzn9tOzF/tpOcSYg4JDkP5Fftsge"
    set security ike gateway vpn_transfair ike-policy vpn_transfair
    set security ike gateway vpn_transfair address 1.1.1.1
    set security ike gateway vpn_transfair local-identity user-at-hostname "metzinger@tfkiel.de"
    set security ike gateway vpn_transfair external-interface fe-0/0/0
    set security ike gateway vpn_transfair version v1-only
    set security ipsec proposal esp-aes256-sha protocol esp
    set security ipsec proposal esp-aes256-sha authentication-algorithm hmac-sha1-96
    set security ipsec proposal esp-aes256-sha encryption-algorithm aes-256-cbc
    set security ipsec proposal esp-aes256-sha lifetime-seconds 3600
    set security ipsec policy g5-esp-aes256-sha perfect-forward-secrecy keys group5
    set security ipsec policy g5-esp-aes256-sha proposals esp-aes256-sha
    set security ipsec vpn vpn_transfair bind-interface st0.1
    set security ipsec vpn vpn_transfair ike gateway vpn_transfair
    set security ipsec vpn vpn_transfair ike proxy-identity local 192.168.179.0/24
    set security ipsec vpn vpn_transfair ike proxy-identity remote 192.168.8.0/24
    set security ipsec vpn vpn_transfair ike proxy-identity service any
    set security ipsec vpn vpn_transfair ike ipsec-policy g5-esp-aes256-sha
    set security ipsec vpn vpn_transfair establish-tunnels immediately

     



  • 2.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-06-2015 02:26

    Please enable ike/ipsec traceoptions as below.

     

    set security ike traceoptions flag all

    set security ipsec traceoptions flag all

    commt

     

    the logs wil be in "kmd" file

     

    >show log kmd

     

    Please refer to SRX Resolution Guide for more details on troubleshooting

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100&smlogin=true

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10093

     

    Thanks,

    Suraj

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 3.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-06-2015 02:44

    Thanks for the quick reply!

     

    I enabled the logging as you described. This is what I get:

     

    [Feb  5 13:25:53]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [Feb  5 11:22:01]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received

    Why is this?

    The command restart ipsec-key-management has no effect on this.

    Thanks in advance!

     

    Cheers

     

    Andy



  • 4.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-06-2015 03:08

    This is not giving much information.. Can you make sure the life time is configured same on both SSG and SRX?

     

    Also try deactivate/activate of ike/ipsec configuration and see if you see any other messages

     

    deactivate security ike

    deactivate security ipsec

    commit

     

    activate security ike

    activate security ipsec

    commit

     

    Please make sure st0 is assigned to a security zone.

     

    Also please provide the below outputs

     

    show security ike security -association

     

    show security ipsec security -association

     

    Thanks,

    Suraj

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 5.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-08-2015 22:56

    Hello Suraj!

     

    I deactivated and activated ike and ipsec security. I also deleted the vpn config on both sides and created a new config -> same result! Stuck on phase 2...

     

    Here`s my output as you requested:

     

    root@metzi> show security ike security-associations      
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    4277358 UP     988c11c7c5233dcc  f8eac1e99c7bd84d  Aggressive     86.103.130.68   
    
    root@metzi> show security ipsec security-associations    
     Total active tunnels: 0

    Interface st0.1 is assigned to my untrust zone "internet" .

     

    What the heck is wrong with my config?! So many other vpn tunnels are working with the same proposals...



  • 6.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-09-2015 05:58

    I don't get it!

     

    I just load the factory defaults into my srx100 and configured from scratch.

    Here's my all new config:

     

    root@metze> show configuration | display set 
    set version 12.1X44.3
    set system host-name metze
    set system time-zone GMT+1
    set system root-authentication encrypted-password "$1$9TAa31UU$lSJgl9v5bQIIbL6LUrL4d2"
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-resolution no-resolve-on-input
    set system services ssh
    set system services web-management http interface fe-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fe-0/0/1.0
    set system services web-management session idle-timeout 60
    set system services dhcp pool 192.168.179.0/24 address-range low 192.168.179.110
    set system services dhcp pool 192.168.179.0/24 address-range high 192.168.179.254
    set system services dhcp pool 192.168.179.0/24 router 192.168.179.1
    set system services dhcp propagate-settings fe-0/0/0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server de.pool.ntp.org
    set interfaces fe-0/0/0 unit 0 family inet dhcp
    set interfaces fe-0/0/1 unit 0 family inet address 192.168.179.1/24
    set interfaces st0 unit 1 family inet
    set interfaces st0 unit 1 family inet6
    set routing-options static route 192.168.8.0/24 next-hop st0.1
    set protocols stp
    set security ike proposal pre-g5-aes256-sha authentication-method pre-shared-keys
    set security ike proposal pre-g5-aes256-sha dh-group group5
    set security ike proposal pre-g5-aes256-sha authentication-algorithm sha1
    set security ike proposal pre-g5-aes256-sha encryption-algorithm aes-256-cbc
    set security ike proposal pre-g5-aes256-sha lifetime-seconds 28800
    set security ike policy pre-g5-aes256-sha-St1 mode aggressive
    set security ike policy pre-g5-aes256-sha-St1 proposals pre-g5-aes256-sha
    set security ike policy pre-g5-aes256-sha-St1 pre-shared-key ascii-text "secret_psk"
    set security ike gateway vpn_transfair_p1 ike-policy pre-g5-aes256-sha-St1
    set security ike gateway vpn_transfair_p1 address 86.103.130.68
    set security ike gateway vpn_transfair_p1 local-identity user-at-hostname "metzinger@tfkiel.de"
    set security ike gateway vpn_transfair_p1 external-interface fe-0/0/0
    set security ike gateway vpn_transfair_p1 version v1-only
    set security ipsec proposal esp-aes256-sha protocol esp
    set security ipsec proposal esp-aes256-sha authentication-algorithm hmac-sha1-96
    set security ipsec proposal esp-aes256-sha encryption-algorithm aes-256-cbc
    set security ipsec proposal esp-aes256-sha lifetime-seconds 3600
    set security ipsec policy g5-esp-aes256-sha perfect-forward-secrecy keys group5
    set security ipsec policy g5-esp-aes256-sha proposals esp-aes256-sha
    set security ipsec vpn vpn_transfair_p2 bind-interface st0.1
    set security ipsec vpn vpn_transfair_p2 ike gateway vpn_transfair_p1
    set security ipsec vpn vpn_transfair_p2 ike proxy-identity local 192.168.179.0/24
    set security ipsec vpn vpn_transfair_p2 ike proxy-identity remote 192.168.8.0/24
    set security ipsec vpn vpn_transfair_p2 ike proxy-identity service any
    set security ipsec vpn vpn_transfair_p2 ike ipsec-policy g5-esp-aes256-sha
    set security ipsec vpn vpn_transfair_p2 establish-tunnels on-traffic
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set nat_source from zone home
    set security nat source rule-set nat_source to zone Internet
    set security nat source rule-set nat_source rule nat match source-address 192.168.179.0/24
    set security nat source rule-set nat_source rule nat match destination-address 8.8.8.8/32
    set security nat source rule-set nat_source rule nat then source-nat interface
    set security policies from-zone home to-zone Internet policy All_home_Internet match source-address any
    set security policies from-zone home to-zone Internet policy All_home_Internet match destination-address any
    set security policies from-zone home to-zone Internet policy All_home_Internet match application any
    set security policies from-zone home to-zone Internet policy All_home_Internet then permit
    set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp
    set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone home interfaces fe-0/0/1.0 host-inbound-traffic system-services ssh
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone Internet interfaces st0.1

     

    What is wrong with this config?!

     

    Any help will be appreciated...



  • 7.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-09-2015 06:06

    I've had similar issues and it was down to the Proxy ID, make sure it's mirroed on both ends or as a test don't use ProxyID and see if phase 2 comes up.

     

    Also I don't see you have allowed IKE on the host-inbound on the Internet zone.

     

    Thanks.

    Mas



  • 8.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-09-2015 07:03

    Hi Mas.

     

    Thanks for your reply!

    I now have allowed IKE on the host-inbound on the Internet zone -> same result

    I also unchecked the proxy-id's on both sides -> same result

     

    I never had so much issues on building a vpn tunnel...

     

    Here`s the config on my ssg520 - just in case I missed something:

     

    set ike p1-proposal "pre-g5-aes256-sha" preshare group5 esp aes256 sha-1 hour 8
    set ike p2-proposal "g5-esp-aes256-sha" group5 esp aes256 sha-1 hour 1
    set ike gateway "vpn_metzinger" address 0.0.0.0 id "metzinger@tfkiel.de" Aggr outgoing-interface "ethernet2/2.1" preshare "secret_psk" proposal "pre-g5-aes256-sha"
    set ike gateway "vpn_metzinger" nat-traversal keepalive-frequency 5
    set vpn "vpn_metzinger" gateway "vpn_metzinger" replay tunnel idletime 0 proposal "g5-esp-aes256-sha" 
    set vpn "vpn_metzinger" monitor optimized
    set vpn "vpn_metzinger" id 0x170 bind interface tunnel.1
    set route 192.168.179.0/24 interface tunnel.1
    

    Policys are also set.

    Thanks in advance!

     

     

    Cheers

     

    Andy



  • 9.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-10-2015 01:49

    Hey Andy,

     

    Can you PM your full config from both firewalls if that's ok?  I'll lab it up for you when I have some spare time.  The config looks correct to me, can't see anything wrong with it.

     

    Cheers.

    Mas



  • 10.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-10-2015 02:30

    I generally wouldn't put the st0.1 interface into the same zone as your Internet-edge.  I would create a new zone for the tunnel-interface, and then make sure you have appropriate security policies for the traffic between your internal and the new VPN zone.  Also, it looks like your current source-NAT policy only matches on the destination-address of 8.8.8.8?  Is it your intention that traffic to all other Internet sites does not work?



  • 11.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-10-2015 03:19

    Also, is it possible there is another VPN tunnel on the SSG side that uses the ID:  metzinger@tfkiel.de?  Since you are using that as your identifier, it has to be unique among your VPN tunnels.



  • 12.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-10-2015 06:06

    Hi!

     

    I put st0.1 in a newly created zone "vpn" and set appropriate security policies for the traffic.

    My source nat policy was only for testing purposes. Meanwhile I added 0.0.0.0/0 for interface nat an 192.168.8.0/24 for no nat.

    Result is sadly still the same.

    I will try another srx100...

    I'm desperate.

     

     

    Thank you all so far for your help!

     

    Andy



  • 13.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-10-2015 09:46

    Can you try adding "set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike"?

     

    Without this command, the SRX's internet-facing interface never allows in port 500 traffic, and IKE negotiation fails.

     

    I verified this on SRX210 (12.1X44-D40) and SSG-350M (6.3.0r17).

     

    Regards,

    Sam

     

     



  • 14.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-10-2015 08:56

    Hello.

     

    Are you able to provide debugs from the ScreenOS firewall?

     

    set sa-filter <pubic_ip_srx>

    set dbuf size 4096

    debug ike detail

    clear db

    *** let a few iterations of ipsec failure occur ***

    undebug all

    get db stream

     

     

    Regards,

    Sam



  • 15.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-10-2015 09:53

    Hi Sam!

     

    Thanks for your input! I'll do this tomorrow since I don't have access to my ssg right now 😉

    I'll post the results as soon as possible.

     

    Cheers

     

    Andy



  • 16.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2
    Best Answer

     
    Posted 02-10-2015 10:24

    Please verify you have configured:

     

     

    "set security zones security-zone Internet interfaces fe-0/0/0.0 host-inbound-traffic system-services ike"

     

    I took this out on our lab srx, and i got the same exact event logs on our screenos firewall.

     

    When I put this back in, the VPN came up.

     

     

    Regards,

    Sam



  • 17.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-11-2015 04:03

    Hi Sam!!

     

    I could give you a big hug right now! Smiley Happy

    Setting the host-inbound-traffic system-services ike on the interface did the trick!

     

    VPN tunnel's up BUT no traffic is coming through...

    I double checked the config on both sides and also was going through this kb:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB9276

     

    This described exactly what I tested anyway Smiley Wink

     

    Since I know my SSG (screen os) very well, I will post the SRX side:

     

    IKE:

     

    root@metze> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    7910063 UP     986abde0dca36582  d818606d4904bb6b  Aggressive     86.103.130.68

     IPSec:

    root@metze> show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:aes-256/sha1 9544ecfe 1350/ unlim -  root 4500  86.103.130.68
      >131073 ESP:aes-256/sha1 3d15cd47 1350/ unlim -  root 4500  86.103.130.68

     NAT:

    root@metze> show security nat source rule all
    Total rules: 2
    Total referenced IPv4/IPv6 ip-prefixes: 4/0
    
    source NAT rule: no_nat               Rule-set: nsw_srcnat
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : trust
      To zone                    : Internet
      Match
        Source addresses         : 192.168.179.0   - 192.168.179.255
        Destination addresses    : 192.168.8.0     - 192.168.8.255
        Destination port         : 0               - 0
      Action                        : off
        Persistent NAT type         : N/A
        Persistent NAT mapping type : address-port-mapping
        Inactivity timeout          : 0
        Max session number          : 0
      Translation hits           : 4868
    
    source NAT rule: nsw-src-interface    Rule-set: nsw_srcnat
      Rule-Id                    : 2
      Rule position              : 2
      From zone                  : trust
      To zone                    : Internet
      Match
        Source addresses         : 192.168.179.0   - 192.168.179.255
        Destination addresses    : 0.0.0.0         - 255.255.255.255
        Destination port         : 0               - 0
      Action                        : interface
        Persistent NAT type         : N/A
        Persistent NAT mapping type : address-port-mapping
        Inactivity timeout          : 0
        Max session number          : 0
      Translation hits           : 1241
    

     

    Policies:

    root@metze> show security policies from-zone Internet to-zone trust
    From zone: Internet, To zone: trust
      Policy: from_transfair, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
        Source addresses: netz_transfair
        Destination addresses: netz_metze
        Applications: any
        Action: permit, log
    
    
    
    root@metze> show security policies from-zone trust to-zone Internet
    From zone: trust, To zone: Internet
      Policy: to_transfair, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
        Source addresses: netz_metze
        Destination addresses: netz_transfair
        Applications: any
        Action: permit, log
      Policy: All_trust_Internet, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit

     

    Route:

    root@metze> show route 192.168.8.1
    
    inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.8.0/24     *[Static/5] 03:46:46
                        > via st0.0

     Security flow:

    root@metze> ...prefix 192.168.179.0/24 destination-prefix 192.168.8.0/24
    Session ID: 23416, Policy name: to_transfair/4, Timeout: 2, Valid
      In: 192.168.179.99/13128 --> 192.168.8.14/12868;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 84
      Out: 192.168.8.14/12868 --> 192.168.179.99/13128;icmp, If: st0.0, Pkts: 0, Bytes: 0

     So, the correct policy (4) and correct tunnel interface (st0.0).

     

    Logging on my SSG520:

    cluster:tfkiel_kiwi_fw_2(M)-> get log traffic src-ip 192.168.179.99
    No entry matched.
    

     

     

    I want to go from 192.168.179.0/24 (home) to 192.168.8.0/24 (remote) and vice versa.

    Everything looks fine to me...

     

    Thank you so much for your help so far!!

     

     

    Cheers

     

    Andy



  • 18.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-11-2015 05:58

    Hi Andy,

     

    Very good news...

     

    Is your st0.1 interface still part of the "Internet" zone? Or a new 'vpn' zone?

     

    If both fe-0/0/0 and st01 are part of the same "Internet" zone, then my gut feeling is that we'll need to create an intra-zone policy...  not sure exactly what the parameters would be.

     

    Regards,

    Sam



  • 19.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-11-2015 06:34

    Hi Sam.

     

    To avoid the use of intra zone policies (I'm not a friend of them), I just created a new zone "vpn" and bound the interface st0.0 to it.

     

    Policies are set from trust to untrust and the other way round.

    Security flow shows that the newly created policy takes care of my ICMP pakets. The results are still the same -> no answer...

     

    Why is this so hard? It was so easy on netscreen os...

    Thanks for your help.

     

    Cheers

     

    Andy

     



  • 20.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-11-2015 06:51

    In that case, you'll need rules permitting traffic from trust <--> vpn zone.  And not between trust <--> untrust zones.

     

    Hang in there.  I felt the same way moving from ScreenOS to SRX.  It grows on you... you'll learn to love it, esp. the CLI  🙂

     

     

    Also, i found it's a very different behavior when initiating pings from the firewall itself, or from a PC attached to the firewall (dffierent from screenos, eh?).  If pinging from the firewall itself, you'll need to create rules from the junos-host zone....

     

     

    hope this helps.

     

    Regards,

    Sam



  • 21.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-11-2015 07:10

    ARGH!! Of course I meant from trust to vpn and from vpn to trust...

    That's what I configured.

    Otherwise there would have been no traffic shown in this new policy Smiley Wink

    Ping from cli (policy from junos-host to vpn set ) does't work either.

     

    ping 192.168.8.110 interface fe-0/0/1.0

    100% packet loss

     

    Any other idea?

     

    Cheers

     

    Andy



  • 22.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 02-11-2015 07:46

    I hardly dare to say: Due to my many changes in both configs, I didn't realize, that my tunnel interface in my ssg520 was bound to the zone "trust" instead of "untrust". That's why no traffic was sent through this tunnel! *facepalm*

     

     

    Thank you all so much for your help!!



  • 23.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 02-11-2015 11:37

    I'm glad you're able to get it going!

     

    Best Regards,

    Sam



  • 24.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 06-27-2019 09:30
      |   view attached

    Hi Sam,

     

    I have the same issue , could check my config and please advise me,

     

    Completed phase 1 

    Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.

     

    Was stuck at phase 1.

    (SRX config file attached)

     

    Thanks,

    Zen 

    Attachment(s)

    rtf
    SRX100 .rtf   11 KB 1 version


  • 25.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 06-27-2019 10:01

    zenchowmv, The configuration looks perfectly fine, Phase 1 is up but phase 2 is down. I would suggest start looking parameters on remote side to see these are exacly matching on peer side. 

     

    Can you run these commands to check the status further.

     

    show security ipsec inactive-tunnels

    If you are unable to conclude the reason from above output, then please run the following traceoptions

     

    set security ike traceoptions file iketrace.txt 

    set security ike traceoptions level 12

    set security ike traceoptions flag all 

    set security ipsec traceoptions flag all

     

    These traces will give you more information, if you are abel to collect and attach the traces. I can take a look.

     

     

     



  • 26.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 06-27-2019 23:44
      |   view attached

    Hi deepakcr,

     

    i tried show security ipsec inactive-tunnelshere but syntax error occur..

     

    here is the iketrace.txt..  after look the iketrace i saw timeout error during the vpn monitor kick in..

     

    Many thanks.... 


    Regards,

    Zen

    Attachment(s)

    txt
    ike-trace.txt   86 KB 1 version


  • 27.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 07-03-2019 19:35
      |   view attached

    Can anyone help me on this ??

     

    Still cant figure out whats the problem.. 

     

    Phase 1 is up, Phase 2  retransmission timeout , internal error..

     

    Regards,

    Zen 

    Attachment(s)

    txt
    ike-trace (1).txt   86 KB 1 version


  • 28.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 07-03-2019 21:52

    Hi,

     

    I see that the SRX is behind a NAT device and you are using aggressive mode with specific ike-id defined as expected.

     

    Are you sure Ph1 is up. I do not see Ph1 coming up. The remote end SSG does not seem to be responding.

     

    From the IKE trace we can see the responder cookie is all 000s and we see constant retransmission from the SRX side.

     

    [Jun 27 22:08:54]ike_send_packet: Start, retransmit previous packet SA = { 92376b2f 3896b6bf - 00000000 00000000}, nego = -1, dst = 121.122.23.81:500 routing table id = 0
    [Jun 27 22:08:54]ike_send_packet: Inserting retransmission timer after 10.000000 seconds
    [Jun 27 22:09:04]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 3401921

     

    SRX config is fine. I guess the problem is with the Peer-ID not set properly on the SSG side or on the intermediate NAT device.

     

    SRX config example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB28108
    SSG Config example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB6322

     

    Regards,

     

    Vikas



  • 29.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 07-04-2019 01:19

    Hi Vikas

     

    I have attached my config file perhaps you could check my config and please advise me many thanks.

     

    Completed phase 1 

    Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.

     

    in the SSG i configure Remote gateway with the same Peer Id : FQDN 

     

    Was stuck at phase 1.

    (SRX config file attached)

     

    Thanks,

    Zen 

    Attachment(s)

    rtf
    SRX100 .rtf   11 KB 1 version
    txt
    ike-trace (2).txt   86 KB 1 version


  • 30.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 07-04-2019 01:25

    Hi,

     

    I believe these two you are provided already.

     

    As I mentioned SRX side config looks fine. Can you share the SSG config perhaps just the VPN part and any logs you are seeing on the SSG side?

     

    Regards,

     

    Vikas



  • 31.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 07-04-2019 18:17
      |   view attached

    Hi Vikas,

     

    Attached are the ssg config file and i only have the event log screenshot below info. (it keep on repeating)

    how this will help!! 

     

    2019-07-04 22:04:49 info IKE<202.184.51.183> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
    2019-07-04 22:04:49 info IKE<202.184.51.183> Phase 1: Responder starts AGGRESSIVE mode negotiations.
    2019-07-04 22:03:49 info IKE<202.184.51.183> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
    2019-07-04 22:03:49 info IKE<202.184.51.183> Phase 1: Responder starts AGGRESSIVE mode negotiations.

     

    Thanks 

    Zen

     

     

    Attachment(s)

    rtf
    SSG_cfg.rtf   1 KB 1 version


  • 32.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

     
    Posted 07-06-2019 21:54

     Hello Zen,

     

    Thanks for sharing this.

     

    I see nat-traversal is disabled on the SSG. Can you enable it please?

     

    unset ike gateway “REMOTE-GW" nat-traversal

     

    Regards,

     

    Vikas



  • 33.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 07-07-2019 19:30

    Hi Vikas ,

     

    Tried:

    set ike gateway "REMOTE-GW" nat-traversal udp-checksum
    set ike gateway "REMOTE-GW" nat-traversal keepalive-frequency 2

     

    Tried my both SRX & NetScreen same setting Same result!! unchange.

     

    Weird, i have 8 x SSG5 & 1 x SRX110 remote vpn connect to netscreen25 (Screen OS 5.0)  with no issue , i just bought this SRX300 recently cant connect.. 

     

    Is it because of the version or model or firmware?

     

    i have tried all the config setting.. really no idea... 

     

    Thanks

     

    Regards,

    Zen



  • 34.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 07-16-2019 07:07

    Hi all..

     

    Really need help ! anyone can advise - Site to site VPN

     

    Thanks

    Zen



  • 35.  RE: Site to Site VPN SRX100 to SSG520 stuck in Phase 2

    Posted 07-23-2019 05:15

    VPN is Up !!

     

    Thanks for the Help!!

     

    Issue from the Phase 1 Local Indentity ID , once i have set in the ID .

     

    VPN is Up!

     

    Thanks

    Zen