SRX

Expand all | Collapse all

IKE gateway configuration lookup failed during negotiation

Jump to Best Answer
  • 1.  IKE gateway configuration lookup failed during negotiation

    Posted 06-16-2017 16:01

    Hi

    I am receiving the error "IKE gateway configuration lookup failed during negotiation" in the kmd-logs. 


    Does anyone know what specifically causes this IKE error?

    I can not find the cause of the error in the tunnel events
    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/security-ipsec-vpn-tunnel-event.html

     

    I have checked the config between the 2 sites (Peer is a Palo Alto device) multiple times, and the configurations are the same. There is routing between external interfaces as well. 

    My Config

    root@Brach-1# show security ike
    proposal TEST-PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group20;
    authentication-algorithm sha-384;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 180;
    }
    policy TEST-Policy {
    mode main;
    proposals TEST-PROPOSAL;
    pre-shared-key ascii-text "$9$equvX7dbs4JGVb"; ## SECRET-DATA
    }
    gateway TEST-GW {
    ike-policy TEST-Policy;
    address 192.168.100.2;
    external-interface ge-0/0/1.0;
    }

    [edit]
    root@Brach-1# show security ipsec
    proposal TEST-Proposal {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 600;
    }
    policy TEST-Policy {
    perfect-forward-secrecy {
    keys group20;
    }
    proposals TEST-Proposal;
    }
    vpn TEST-VPN {
    bind-interface st0.0;
    ike {
    gateway TEST-GW;
    ipsec-policy TEST-Policy;
    }
    establish-tunnels immediately;
    }

     

    Regards
    Oscar



  • 2.  RE: IKE gateway configuration lookup failed during negotiation

     
    Posted 06-20-2017 01:25

    Hello , 

     

    This error shows that there is some configuration on SRX gateway which is not correct . Can you update the interface ge-0/0/1.0 configuration ? Please paste the output of :

     

    > show configuration | display set  | match ge-0/0/1 

    > show route 192.168.100.2 

    > show arp no-resolve | match ge-0/0/1 

     

     



  • 3.  RE: IKE gateway configuration lookup failed during negotiation

    Posted 06-20-2017 01:47

    Hi Joses, 

     

    Thank you for your reply, below are the outputs that you asked for, and static route + ping to show connectivity

     

    root@Brach-1> show configuration | display set | match ge-0/0/1
    set security ike gateway PALO-GW external-interface ge-0/0/1.0
    set security zones security-zone untrust interfaces ge-0/0/1.0
    set interfaces ge-0/0/1 description GW
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.200.2/24


    root@Brach-1> show route 192.168.100.2

    inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 3d 17:05:49
    > to 192.168.200.1 via ge-0/0/1.0



    root@Brach-1> show arp no-resolve | match ge-0/0/1
    00:0c:29:d2:1d:35 192.168.200.1 ge-0/0/1.0 none

     

    root@Brach-1# show routing-options
    static {
    route 0.0.0.0/0 next-hop 192.168.200.1;
    route 192.168.10.0/24 next-hop st0.0;



    root@Brach-1# run ping 192.168.100.2 source 192.168.200.2
    PING 192.168.100.2 (192.168.100.2): 56 data bytes
    64 bytes from 192.168.100.2: icmp_seq=0 ttl=63 time=2.085 ms
    64 bytes from 192.168.100.2: icmp_seq=1 ttl=63 time=1.207 ms
    64 bytes from 192.168.100.2: icmp_seq=2 ttl=63 time=1.316 ms
    ^C
    --- 192.168.100.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.207/1.536/2.085/0.391 ms



  • 4.  RE: IKE gateway configuration lookup failed during negotiation
    Best Answer

     
    Posted 06-20-2017 02:05

    Hello , 

     

    Thanks for the update . Can you share the configuration from PA device . Also please make sure there is not NAT involved in this ( specially source NAT ) . Can you share the output . :

     

    > show security ipsec inactive-tunnels 

     

    Also if possible enable per tunnel debug :

     

    > request security ike debug-enable local  192.168.200.2 remote 192.168.100.2 level 12 

     

    And if possible attach  the KMD file  . 



  • 5.  RE: IKE gateway configuration lookup failed during negotiation

    Posted 06-20-2017 02:52

    Hi Joses
    Thank you very much, it turned out to be a simple missing config. The command you mentioned below showed what I was missing

    root@Brach-1> show security ipsec inactive-tunnels
    Total inactive tunnels: 1
    Total inactive tunnels with establish immediately: 1
    ID Port Gateway Tunnel Down Reason
    131073 500 192.168.100.2 Bind-interface's zone information is not available (1 times)

     

    I added so0.0 to correct zone and the tunnel is up. 

    I appreciate your help. Marking solution as accepted


    Have a nice day