SRX

Expand all | Collapse all

VPN Connection Issues

Jump to Best Answer
  • 1.  VPN Connection Issues

    Posted 05-10-2018 17:36

    Hi,

    I am trying to setup a VPN connection through GoogleCLoud from office location. The phase1 seems to be up but IKEPhase2 does not seem to be up. I turned on the debug and searched for the error messages but could not find anything. Does antbody has an idea on the issue please ?

     

    The debug error messages are :

    ay 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ssh_ikev2_sav1_select: Proposals do not match
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] P2 SA payload match failed for sa-cfg VPN-GCP. Aborting negotiation for tunnel local:64.13.163.35 remote:35.196.82.3 IKEv1.
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fb_spd_select_qm_sa_cb: IKEv2 SA select failed with error No proposal chosen
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fb_spd_select_qm_sa_cb: SA selection failed, no matching proposal (neg c49000)
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_qm_sa_reply: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fallback_negotiation_free: Fallback negotiation c49000 has still 2 references
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_state_restart_packet: Start, restart packet SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}, nego = 11
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_state_step: Current state = Start QM R (15)/5, exchange = 32, auth_method = any, Responder
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_i_qm_sa_proposals: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_i_private: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_o_qm_hash_2: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_o_qm_sa_values: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_state_restart_packet: Error, send notify
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] <none>:500 (Responder) <-> 35.196.82.3:500 { 84211c9d 4b8cf302 - ae045fad b0b5e00a [11] / 0x9244da74 } QM; Error = No proposal chosen (14)
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_alloc_negotiation: Start, SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_alloc_negotiation: Found slot 12, max 13
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_init_info_exchange: Created random message id = 76f13ae3
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_init_info_exchange: Phase 1 done, use HASH and N or D payload
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_encode_packet: Start, SA = { 0x84211c9d 4b8cf302 - ae045fad b0b5e00a } / 76f13ae3, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_encode_packet: Encrypting packet
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_encode_packet: Final length = 124
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_send_notify: Sending notification to 35.196.82.3:500
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_send_packet: Start, send SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}, nego = 12, dst = 35.196.82.3:500, routing table id = 0
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_delete_negotiation: Start, SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_free_negotiation_info: Start, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_free_negotiation: Start, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] IPSec negotiation failed for SA-CFG VPN-GCP for local:64.13.163.35, remote:35.196.82.3 IKEv1. status: No proposal chosen
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] P2 ed info: flags 0x0, P2 error: No proposal chosen
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fallback_negotiation_free: Fallback negotiation c49000 has still 1 references
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fallback_negotiation_free: Freeing fallback negotiation c49000

     

    > show configuration security ike

     


    traceoptions {
    file ike-trace;
    flag all;
    }
    proposal hq {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
    }

    proposal IKE-PROP-1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
    }
    policy hq {
    mode main;
    proposals hq;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }

    policy IKE-POLICY-GCP {
    mode main;
    proposals IKE-PROP-1;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway hq {
    ike-policy hq;
    address 12.xxx.yy.zzz;
    local-identity hostname xxxx.yyyy.com;
    remote-identity hostname aaaa.bbb.net;
    external-interface reth0.1298;
    }

    gateway IKE-PEER-GCP {
    ike-policy IKE-POLICY-GCP;
    address 35.196.82.3;
    external-interface reth0.1298;
    version v1-only;
    }

     

    > show configuration security ipsec 

     


    proposal hq {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
    }

    proposal IPSEC-PROP-1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
    }
    policy hq {
    proposals hq;
    }

    policy IPSEC-POLICY {
    proposals IPSEC-PROP-1;
    }
    vpn hq {
    ike {
    gateway hq;
    ipsec-policy hq;
    }
    establish-tunnels immediately;
    }

    establish-tunnels immediately;
    }
    vpn VPN-GCP {
    bind-interface st0.0;
    ike {
    gateway IKE-PEER-GCP;
    ipsec-policy IPSEC-POLICY;
    }
    establish-tunnels immediately;
    }



  • 2.  RE: VPN Connection Issues
    Best Answer

    Posted 05-10-2018 20:06

    Hi,

     

    There is a mismatch in your Phase 2 proposal configuration with peer device,

     

    Peer Phase 2 config should match with your config.

     

    proposal IPSEC-PROP-1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
    }
    policy IPSEC-POLICY {
    proposals IPSEC-PROP-1;
    }

     



  • 3.  RE: VPN Connection Issues

    Posted 05-11-2018 11:10

    Hi, thanks for spending time for me.. I had a running configuration from another office location and firewall ... So I compared both and added the following difference to the configuration which are  :

    > set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2

    > set security ipsec vpn VPN-GCP df-bit clear

    > set security ipsec vpn VPN-GCP vpn-monitor source-interface st0.0

    > set security ipsec vpn VPN-GCP vpn-monitor destination-ip 35.196.82.3

     

    And it is working now...

    Thank you