Hi there,
I am unable to establish phase 1 correctly. Can you please advise if there is any misconfiguration?
set security ike proposal phase1-proposal authentication-method pre-shared-keys
set security ike proposal phase1-proposal dh-group group2
set security ike proposal phase1-proposal authentication-algorithm sha1
set security ike proposal phase1-proposal encryption-algorithm aes-128-cbc
set security ike proposal phase1-proposal lifetime-seconds 28800
set security ike policy phase1-policy mode main
set security ike policy phase1-policy proposals phase1-proposal
set security ike policy phase1-policy pre-shared-key ascii-text XXX
set security ike gateway vpn2-mpls ike-policy phase1-policy
set security ike gateway vpn2-mpls address 10.5.107.33
set security ike gateway vpn2-mpls dead-peer-detection always-send
set security ike gateway vpn2-mpls dead-peer-detection interval 10
set security ike gateway vpn2-mpls dead-peer-detection threshold 5
set security ike gateway vpn2-mpls external-interface ge-0/0/1.0
set security ipsec proposal phase2-proposal protocol esp
set security ipsec proposal phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal phase2-proposal lifetime-seconds 3600
set security ipsec policy phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy phase2-policy proposals phase2-proposal
set security ipsec vpn vpn2-mpls bind-interface st0.13
set security ipsec vpn vpn2-mpls vpn-monitor source-interface ge-0/0/1.0
set security ipsec vpn vpn2-mpls vpn-monitor destination-ip 10.8.107.33
set security ipsec vpn vpn2-mpls ike gateway vpn2-mpls
set security ipsec vpn vpn2-mpls ike no-anti-replay
set security ipsec vpn vpn2-mpls ike ipsec-policy phase2-policy
set security ipsec vpn vpn2-mpls establish-tunnels immediately
set security zones security-zone WAN screen untrust-screen
set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute
set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services traceroute
set security zones security-zone WAN interfaces st0.13 host-inbound-traffic system-services ping
set security zones security-zone Untrust screen untrust-screen
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services traceroute
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services snmp
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services https
I tried to allow everything through the TRUSTED VPN prefix list.
set interfaces st0 unit 13 family inet address 10.8.107.44/32
set routing-options static route 10.5.0.0/16 next-hop st0.13
set routing-options static route 10.5.107.32/30 next-hop 10.8.107.33
set policy-options prefix-list TRUSTED-VPN-IPs 0.0.0.0/0
set policy-options prefix-list TRUSTED-VPN-IPs 10.0.0.0/8
set policy-options prefix-list TRUSTED-VPN-IPs 10.5.107.33/32
set policy-options prefix-list TRUSTED-VPN-IPs 10.8.107.32/30
set policy-options prefix-list TRUSTED-VPN-IPs 10.8.107.33/32
set firewall family inet filter vpn-filter term good-esp from source-prefix-list TRUSTED-VPN-IPs
I am getting an IKE timeout...
[Apr 26 17:31:57]Initiate IKE P1 SA 5836568 delete. curr ref count 2, del flags 0x3. Reason: Internal Error: Unknown event (0)
[Apr 26 17:31:57]iked_pm_ike_sa_delete_done_cb: For p1 sa index 5836568, ref cnt 2, status: Error ok
[Apr 26 17:31:57]10.8.107.34:500 (Initiator) <-> 10.5.107.33:500 { a007f91f 5e65808c - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[Apr 26 17:31:57]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Apr 26 17:31:57]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Apr 26 17:31:57]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Apr 26 17:31:57]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 5836568
[Apr 26 17:31:57] IKEv1 Error : Timeout
[Apr 26 17:31:57]IPSec Rekey for SPI 0x0 failed
[Apr 26 17:31:57]IPSec SA done callback called for sa-cfg vpn2-mpls local:10.8.107.34, remote:10.5.107.33 IKEv1 with status Timed out
[Apr 26 17:31:57]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Apr 26 17:31:57]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Apr 26 17:31:57]ike_sa_delete: Start, SA = { a007f91f 5e65808c - 00000000 00000000 }
[Apr 26 17:31:57]IKE SA delete called for p1 sa 5836568 (ref cnt 1) local:10.8.107.34, remote:10.5.107.33, IKEv1
[Apr 26 17:31:57]iked_pm_p1_sa_destroy: p1 sa 5836568 (ref cnt 0), waiting_for_del 0x0
[Apr 26 17:31:57]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Apr 26 17:31:57]iked_pm_ike_spd_notify_request: Sending Initial contact
[Apr 26 17:31:57]ssh_ike_connect: Start, remote_name = 10.5.107.33:500, xchg = 2, flags = 00090000
[Apr 26 17:31:57]ike_sa_allocate: Start, SA = { 940371ed defd21d3 - 00000000 00000000 }
[Apr 26 17:31:57]ssh_ike_connect: SA = { 940371ed defd21d3 - 00000000 00000000}, nego = -1
[Apr 26 17:31:57]ike_st_o_sa_proposal: Start
[Apr 26 17:31:57]ike_policy_reply_isakmp_vendor_ids: Start
[Apr 26 17:31:57]ike_st_o_private: Start
[Apr 26 17:31:57]ike_policy_reply_private_payload_out: Start
[Apr 26 17:31:57]ike_send_packet: <-------- sending SA = { 940371ed defd21d3 - 00000000 00000000}, len = 288, nego = -1, local ip= 10.8.107.34, dst = 10.5.107.33:500, routing table id = 0
Please let me know something.
Thanks
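As an added troubleshooting aid (not part of the post above), a small Python checker that parses the set-format config and the iked trace line quoted in the post: it follows gateway -> ike-policy -> proposal to list the phase-1 values the peer must match, checks that the external interface accepts IKE as host-inbound traffic, and classifies the "Phase-1 failed" line. The function names and the hint text are my own; the config and log excerpts are constructed from the values in the post.

```python
import re
# Constructed excerpt of the post's set-format config and iked trace (values copied from the post above).
CONFIG = """\
set security ike proposal phase1-proposal authentication-method pre-shared-keys
set security ike proposal phase1-proposal dh-group group2
set security ike proposal phase1-proposal authentication-algorithm sha1
set security ike proposal phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy phase1-policy mode main
set security ike policy phase1-policy proposals phase1-proposal
set security ike gateway vpn2-mpls ike-policy phase1-policy
set security ike gateway vpn2-mpls address 10.5.107.33
set security ike gateway vpn2-mpls external-interface ge-0/0/1.0
set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
"""
LOG = "[Apr 26 17:31:57]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 5836568\n"

def parse_set(text):
    """Each 'set ...' line becomes its token list without the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]

def lookup(cfg, *prefix):
    """Remainder of every statement whose path starts with the given prefix."""
    return [s[len(prefix):] for s in cfg if tuple(s[:len(prefix)]) == prefix]

def phase1_params(cfg, gateway):
    """Follow gateway -> ike-policy -> proposal and collect the phase-1 values the peer must match."""
    policy = lookup(cfg, "security", "ike", "gateway", gateway, "ike-policy")[0][0]
    proposal = lookup(cfg, "security", "ike", "policy", policy, "proposals")[0][0]
    params = {"mode": lookup(cfg, "security", "ike", "policy", policy, "mode")[0][0]}
    for rest in lookup(cfg, "security", "ike", "proposal", proposal):
        params[rest[0]] = " ".join(rest[1:])
    return params

def ike_allowed(cfg, iface):
    """True if some zone lets this interface accept IKE (UDP 500) as host-inbound traffic."""
    return any(s[:3] == ["security", "zones", "security-zone"]
               and s[4:8] == ["interfaces", iface, "host-inbound-traffic", "system-services"]
               and s[8:9] in (["ike"], ["all"]) for s in cfg)

def diagnose(cfg, log, gateway):
    """What we offer, whether the external interface accepts IKE, and why each phase-1 attempt died."""
    gw = {r[0]: " ".join(r[1:]) for r in lookup(cfg, "security", "ike", "gateway", gateway)}
    addr, ext = gw["address"], gw["external-interface"]
    findings = [f"phase-1 offered to {addr}: {phase1_params(cfg, gateway)}",
                f"IKE host-inbound on {ext}: {'ok' if ike_allowed(cfg, ext) else 'MISSING'}"]
    for reason, sa in re.findall(r"Phase-1 failed with error \((\w+)\) p1_sa (\d+)", log):
        hint = (f"no reply to main-mode message 1; verify {addr}:500 is reachable and that "
                "the peer has a gateway for our external address") if reason == "Timeout" else reason
        findings.append(f"p1_sa {sa}: {hint}")
    return findings
```

Run `diagnose(parse_set(CONFIG), LOG, "vpn2-mpls")` on the full config and the full trace to get the same three kinds of findings for every phase-1 attempt in the log.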