SRX

Site-to-Site VPN Issue

  • 1.  Site-to-Site VPN Issue

    Posted 04-26-2017 09:44

    Hi there, 

     

    I am unable to establish the pahse 1 correctly, can you please advise if there is any missconfiguration?

    set security ike proposal phase1-proposal authentication-method pre-shared-keys
    set security ike proposal phase1-proposal dh-group group2
    set security ike proposal phase1-proposal authentication-algorithm sha1
    set security ike proposal phase1-proposal encryption-algorithm aes-128-cbc
    set security ike proposal phase1-proposal lifetime-seconds 28800
    set security ike policy phase1-policy mode main
    set security ike policy phase1-policy proposals phase1-proposal
    set security ike policy phase1-policy pre-shared-key ascii-text XXX
    set security ike gateway vpn2-mpls ike-policy phase1-policy
    set security ike gateway vpn2-mpls address 10.5.107.33
    set security ike gateway vpn2-mpls dead-peer-detection always-send
    set security ike gateway vpn2-mpls dead-peer-detection interval 10
    set security ike gateway vpn2-mpls dead-peer-detection threshold 5
    set security ike gateway vpn2-mpls external-interface ge-0/0/1.0
    set security ipsec proposal phase2-proposal protocol esp
    set security ipsec proposal phase2-proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal phase2-proposal encryption-algorithm aes-128-cbc
    set security ipsec proposal phase2-proposal lifetime-seconds 3600
    set security ipsec policy phase2-policy perfect-forward-secrecy keys group2
    set security ipsec policy phase2-policy proposals phase2-proposal
    set security ipsec vpn vpn2-mpls bind-interface st0.13
    set security ipsec vpn vpn2-mpls vpn-monitor source-interface ge-0/0/1.0
    set security ipsec vpn vpn2-mpls vpn-monitor destination-ip 10.8.107.33
    set security ipsec vpn vpn2-mpls ike gateway vpn2-mpls
    set security ipsec vpn vpn2-mpls ike no-anti-replay
    set security ipsec vpn vpn2-mpls ike ipsec-policy phase2-policy
    set security ipsec vpn vpn2-mpls establish-tunnels immediately

    set security zones security-zone WAN screen untrust-screen
    set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute
    set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services traceroute
    set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services ping
    set security zones security-zone Untrust screen untrust-screen
    set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services traceroute
    set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services snmp
    set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
    set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services https

    I tried to allow everything through the TRUSTED VPN prefix list.

    set interfaces st0 unit 13 family inet address 10.8.107.44/32
    set routing-options static route 10.5.0.0/16 next-hop st0.13
    set routing-options static route 10.5.107.32/30 next-hop 10.8.107.33
    set policy-options prefix-list TRUSTED-VPN-IPs 0.0.0.0/0
    set policy-options prefix-list TRUSTED-VPN-IPs 10.0.0.0/8
    set policy-options prefix-list TRUSTED-VPN-IPs 10.5.107.33/32
    set policy-options prefix-list TRUSTED-VPN-IPs 10.8.107.32/30
    set policy-options prefix-list TRUSTED-VPN-IPs 10.8.107.33/32
    set firewall family inet filter vpn-filter term good-esp from source-prefix-list TRUSTED-VPN-IPs

    I am getting an IKE timeout...

    [Apr 26 17:31:57]Initiate IKE P1 SA 5836568 delete. curr ref count 2, del flags 0x3. Reason: Internal Error: Unknown event (0)
    [Apr 26 17:31:57]iked_pm_ike_sa_delete_done_cb: For p1 sa index 5836568, ref cnt 2, status: Error ok
    [Apr 26 17:31:57]10.8.107.34:500 (Initiator) <-> 10.5.107.33:500 { a007f91f 5e65808c - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    [Apr 26 17:31:57]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
    [Apr 26 17:31:57]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
    [Apr 26 17:31:57]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
    [Apr 26 17:31:57]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 5836568
    [Apr 26 17:31:57] IKEv1 Error : Timeout
    [Apr 26 17:31:57]IPSec Rekey for SPI 0x0 failed
    [Apr 26 17:31:57]IPSec SA done callback called for sa-cfg vpn2-mpls local:10.8.107.34, remote:10.5.107.33 IKEv1 with status Timed out
    [Apr 26 17:31:57]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Apr 26 17:31:57]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [Apr 26 17:31:57]ike_sa_delete: Start, SA = { a007f91f 5e65808c - 00000000 00000000 }
    [Apr 26 17:31:57]IKE SA delete called for p1 sa 5836568 (ref cnt 1) local:10.8.107.34, remote:10.5.107.33, IKEv1
    [Apr 26 17:31:57]iked_pm_p1_sa_destroy: p1 sa 5836568 (ref cnt 0), waiting_for_del 0x0
    [Apr 26 17:31:57]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [Apr 26 17:31:57]iked_pm_ike_spd_notify_request: Sending Initial contact
    [Apr 26 17:31:57]ssh_ike_connect: Start, remote_name = 10.5.107.33:500, xchg = 2, flags = 00090000
    [Apr 26 17:31:57]ike_sa_allocate: Start, SA = { 940371ed defd21d3 - 00000000 00000000 }
    [Apr 26 17:31:57]ssh_ike_connect: SA = { 940371ed defd21d3 - 00000000 00000000}, nego = -1
    [Apr 26 17:31:57]ike_st_o_sa_proposal: Start
    [Apr 26 17:31:57]ike_policy_reply_isakmp_vendor_ids: Start
    [Apr 26 17:31:57]ike_st_o_private: Start
    [Apr 26 17:31:57]ike_policy_reply_private_payload_out: Start
    [Apr 26 17:31:57]ike_send_packet: <-------- sending SA = { 940371ed defd21d3 - 00000000 00000000}, len = 288, nego = -1, local ip= 10.8.107.34, dst = 10.5.107.33:500, routing table id = 0

    Please let me know something.

    Thanks


  • 2.  RE: Site-to-Site VPN Issue

    Posted 04-28-2017 03:48

    Hi,

    Can you share the configuration from the other side of the tunnel as well?

    From the debug it looks like the remote side device is not responding to your IKE negotiation request.

    So it could be anything from the below which is causing the issue.

    1. Misconfiguration on the other side, or we can say the configuration on the remote does not match the configuration on the SRX.

    2. Something in between is dropping the UDP 500 packets between the 2 devices terminating the VPN.

    Please cross-verify that the configuration on both sides matches exactly.

    Regards,

    Guru Prasad


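The debug output in the first post and the diagnosis in the reply above (peer not answering on UDP 500) can be checked mechanically. The following is an added example, not code from the thread or from Juniper: it parses the iked line formats that appear in the post, ties each Phase-1 failure to its local/remote pair, and counts first-message sends whose responder cookie is still all zeros, which is the IKEv1 sign that the peer has never replied. The second ike_send_packet line in the sample is constructed to show a retransmission.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's debug output; the second
# ike_send_packet line is invented to show a retransmitted first message.
SAMPLE_LOG = """\
[Apr 26 17:31:57]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 5836568
[Apr 26 17:31:57]IPSec SA done callback called for sa-cfg vpn2-mpls local:10.8.107.34, remote:10.5.107.33 IKEv1 with status Timed out
[Apr 26 17:31:57]ike_send_packet: <-------- sending SA = { 940371ed defd21d3 - 00000000 00000000}, len = 288, nego = -1, local ip= 10.8.107.34, dst = 10.5.107.33:500, routing table id = 0
[Apr 26 17:32:07]ike_send_packet: <-------- sending SA = { 940371ed defd21d3 - 00000000 00000000}, len = 288, nego = -1, local ip= 10.8.107.34, dst = 10.5.107.33:500, routing table id = 0
"""

TS = r"^\[[^\]]+\]\s*"
P1_FAIL = re.compile(TS + r"iked_pm_ike_sa_done: Phase-1 failed with error \((?P<reason>[^)]+)\) p1_sa (?P<sa>\d+)")
SA_DONE = re.compile(TS + r"IPSec SA done callback called for sa-cfg (?P<vpn>\S+) "
                     r"local:(?P<local>[\d.]+), remote:(?P<remote>[\d.]+) (?P<ver>IKEv\d) with status (?P<status>.+)$")
SEND = re.compile(TS + r"ike_send_packet: .*sending SA = \{ [0-9a-f]{8} [0-9a-f]{8} - (?P<rcookie>[0-9a-f]{8} [0-9a-f]{8})\s*\}"
                  r".*local ip= (?P<local>[\d.]+), dst = (?P<dst>[\d.]+):(?P<port>\d+)")
ZERO_COOKIE = "00000000 00000000"  # responder cookie before the peer has answered

def new_entry():
    return {"vpn": None, "ike_version": None, "status": None,
            "phase1_errors": [], "unanswered_sends": 0}

def parse_ike_log(text):
    """Summarise IKE debug output per (local, remote) peer pair."""
    tunnels = defaultdict(new_entry)
    pending = []  # Phase-1 failure reasons not yet tied to a peer pair
    for line in text.splitlines():
        if m := P1_FAIL.match(line):
            pending.append(m["reason"])          # addresses appear on a later line
        elif m := SA_DONE.match(line):
            t = tunnels[(m["local"], m["remote"])]
            t.update(vpn=m["vpn"], ike_version=m["ver"], status=m["status"])
            t["phase1_errors"].extend(pending)
            pending.clear()
        elif m := SEND.match(line):
            t = tunnels[(m["local"], m["dst"])]
            if m["rcookie"] == ZERO_COOKIE:      # still no reply from the responder
                t["unanswered_sends"] += 1
    return dict(tunnels)

def diagnose(entry):
    """Map a summary entry to the first thing an engineer should check."""
    if entry["unanswered_sends"] and "Timeout" in entry["phase1_errors"]:
        return "no-reply"   # peer never answered: UDP 500 path or peer-side config
    if entry["phase1_errors"]:
        return "negotiation-error"
    return "ok"
```

A "no-reply" verdict matches the reply above: the SRX keeps sending its first main-mode message and nothing comes back, so proposal mismatch cannot yet be the cause; reachability of UDP 500 and the peer's gateway configuration are the things to confirm first.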

  • 3.  RE: Site-to-Site VPN Issue

    Posted 04-29-2017 05:36

    Hi,

    Try to add this command:

    set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services ike

    or delete this:

    set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services 

    and commit.