SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN Connection Issues

    Posted 05-10-2018 17:36

    Hi,

    I am trying to set up a VPN connection to Google Cloud from the office location. Phase 1 seems to be up, but IKE Phase 2 does not seem to come up. I turned on debugging and searched for error messages but could not find anything. Does anybody have an idea about the issue, please?

     

    The debug error messages are :

    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ssh_ikev2_sav1_select: Proposals do not match
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] P2 SA payload match failed for sa-cfg VPN-GCP. Aborting negotiation for tunnel local:64.13.163.35 remote:35.196.82.3 IKEv1.
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fb_spd_select_qm_sa_cb: IKEv2 SA select failed with error No proposal chosen
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fb_spd_select_qm_sa_cb: SA selection failed, no matching proposal (neg c49000)
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_qm_sa_reply: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fallback_negotiation_free: Fallback negotiation c49000 has still 2 references
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_state_restart_packet: Start, restart packet SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}, nego = 11
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_state_step: Current state = Start QM R (15)/5, exchange = 32, auth_method = any, Responder
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_i_qm_sa_proposals: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_i_private: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_o_qm_hash_2: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_st_o_qm_sa_values: Start
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_state_restart_packet: Error, send notify
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] <none>:500 (Responder) <-> 35.196.82.3:500 { 84211c9d 4b8cf302 - ae045fad b0b5e00a [11] / 0x9244da74 } QM; Error = No proposal chosen (14)
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_alloc_negotiation: Start, SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_alloc_negotiation: Found slot 12, max 13
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_init_info_exchange: Created random message id = 76f13ae3
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_init_info_exchange: Phase 1 done, use HASH and N or D payload
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_encode_packet: Start, SA = { 0x84211c9d 4b8cf302 - ae045fad b0b5e00a } / 76f13ae3, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_encode_packet: Encrypting packet
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_encode_packet: Final length = 124
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_send_notify: Sending notification to 35.196.82.3:500
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_send_packet: Start, send SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}, nego = 12, dst = 35.196.82.3:500, routing table id = 0
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_delete_negotiation: Start, SA = { 84211c9d 4b8cf302 - ae045fad b0b5e00a}, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_free_negotiation_info: Start, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_free_negotiation: Start, nego = 12
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] IPSec negotiation failed for SA-CFG VPN-GCP for local:64.13.163.35, remote:35.196.82.3 IKEv1. status: No proposal chosen
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] P2 ed info: flags 0x0, P2 error: No proposal chosen
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fallback_negotiation_free: Fallback negotiation c49000 has still 1 references
    May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ikev2_fallback_negotiation_free: Freeing fallback negotiation c49000

     

    > show configuration security ike

    traceoptions {
        file ike-trace;
        flag all;
    }
    proposal hq {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }
    proposal IKE-PROP-1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy hq {
        mode main;
        proposals hq;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    policy IKE-POLICY-GCP {
        mode main;
        proposals IKE-PROP-1;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway hq {
        ike-policy hq;
        address 12.xxx.yy.zzz;
        local-identity hostname xxxx.yyyy.com;
        remote-identity hostname aaaa.bbb.net;
        external-interface reth0.1298;
    }
    gateway IKE-PEER-GCP {
        ike-policy IKE-POLICY-GCP;
        address 35.196.82.3;
        external-interface reth0.1298;
        version v1-only;
    }

     

    > show configuration security ipsec

    proposal hq {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    proposal IPSEC-PROP-1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy hq {
        proposals hq;
    }
    policy IPSEC-POLICY {
        proposals IPSEC-PROP-1;
    }
    vpn hq {
        ike {
            gateway hq;
            ipsec-policy hq;
        }
        establish-tunnels immediately;
    }
    vpn VPN-GCP {
        bind-interface st0.0;
        ike {
            gateway IKE-PEER-GCP;
            ipsec-policy IPSEC-POLICY;
        }
        establish-tunnels immediately;
    }


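The trace in the post above is long because `flag all` logs every state-machine step, but only a handful of lines carry the verdict. The following script is an added example (not code from the poster or from Juniper) that reduces such a trace to one record per peer pair: whether Phase 1 was established, whether Quick Mode failed, which sa-cfg (vpn) it was and which ISAKMP notify the SRX sent. Only the line shapes visible in the post are matched; the sample input is copied from the post, and treating any other trace line as informative is an assumption.

```python
"""
Triage of an SRX IKE trace (the ike-trace file produced by
"security ike traceoptions flag all").

Added example for this thread; not code from the original post or Juniper.
Only the line shapes visible in the post are matched (assumption: other
Junos releases may format the trace differently).
"""
import re
from collections import defaultdict
from typing import Dict, List

# "May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] <message>"
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<local>[\d.]+) <-> (?P<remote>[\d.]+)\] (?P<msg>.*)$"
)
_P2_FAIL_RE = re.compile(r"P2 SA payload match failed for sa-cfg (?P<sa>\S+)")
_IPSEC_FAIL_RE = re.compile(
    r"IPSec negotiation failed for SA-CFG (?P<sa>\S+) .*status: (?P<status>.+)$"
)
_NOTIFY_RE = re.compile(r"Error = (?P<notify>[^(]+?) \((?P<code>\d+)\)")
_P1_DONE_RE = re.compile(r"Phase 1 done")

# ISAKMP notify types (RFC 2408) that point at a configuration mismatch.
NOTIFY_HINTS = {
    14: "NO_PROPOSAL_CHOSEN: Phase 2 proposal mismatch; compare protocol, "
        "encryption, integrity and PFS group with the peer",
    18: "INVALID_ID_INFORMATION: proxy-ID / traffic selector mismatch",
}


def _new_record() -> dict:
    return {"phase1": "unknown", "phase2": "unknown", "sa_cfg": None,
            "notify": None, "notify_code": None, "status": None, "last_seen": None}


def triage(lines: List[str]) -> Dict[str, dict]:
    """Return one record per 'local<->remote' pair seen in the trace."""
    tunnels: Dict[str, dict] = defaultdict(_new_record)
    for raw in lines:
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or truncated line
        rec = tunnels[f"{m['local']}<->{m['remote']}"]
        rec["last_seen"] = m["ts"]
        msg = m["msg"]
        # An informational exchange is only built on an established Phase 1 SA.
        if _P1_DONE_RE.search(msg):
            rec["phase1"] = "up"
        if hit := _P2_FAIL_RE.search(msg):
            rec["phase2"], rec["sa_cfg"] = "failed", hit["sa"]
        if hit := _NOTIFY_RE.search(msg):
            rec["notify"], rec["notify_code"] = hit["notify"].strip(), int(hit["code"])
        if hit := _IPSEC_FAIL_RE.search(msg):
            rec["phase2"], rec["sa_cfg"] = "failed", hit["sa"]
            rec["status"] = hit["status"].strip()
    return dict(tunnels)


def hints(tunnels: Dict[str, dict]) -> List[str]:
    """One actionable line per tunnel whose Phase 2 failed."""
    out = []
    for pair, rec in tunnels.items():
        if rec["phase2"] != "failed":
            continue
        why = NOTIFY_HINTS.get(rec["notify_code"], rec["status"] or "unknown error")
        out.append(f"{pair} sa-cfg={rec['sa_cfg']} phase1={rec['phase1']}: {why}")
    return out


# Sample input: lines copied from the trace in the post above.
SAMPLE_TRACE = [
    "May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ssh_ikev2_sav1_select: Proposals do not match",
    "May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] P2 SA payload match failed for sa-cfg VPN-GCP. Aborting negotiation for tunnel local:64.13.163.35 remote:35.196.82.3 IKEv1.",
    "May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_state_step: Current state = Start QM R (15)/5, exchange = 32, auth_method = any, Responder",
    "May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] <none>:500 (Responder) <-> 35.196.82.3:500 { 84211c9d 4b8cf302 - ae045fad b0b5e00a [11] / 0x9244da74 } QM; Error = No proposal chosen (14)",
    "May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] ike_init_info_exchange: Phase 1 done, use HASH and N or D payload",
    "May 11 00:20:48 [64.13.163.35 <-> 35.196.82.3] IPSec negotiation failed for SA-CFG VPN-GCP for local:64.13.163.35, remote:35.196.82.3 IKEv1. status: No proposal chosen",
]

if __name__ == "__main__":
    for line in hints(triage(SAMPLE_TRACE)):
        print(line)
```

Run against the post's trace it reports the 64.13.163.35<->35.196.82.3 pair with Phase 1 up, sa-cfg VPN-GCP failed and notify 14, which is exactly the "Phase 1 up, Phase 2 down" picture the poster describes; in practice you would feed it `file show /var/log/ike-trace`.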

  • 2.  RE: VPN Connection Issues
    Best Answer

    Posted 05-10-2018 20:06

    Hi,

     

    There is a mismatch in your Phase 2 proposal configuration with the peer device.

     

    The peer's Phase 2 config should match your config:

     

    proposal IPSEC-PROP-1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy IPSEC-POLICY {
        proposals IPSEC-PROP-1;
    }

     



  • 3.  RE: VPN Connection Issues

    Posted 05-11-2018 11:10

    Hi, thanks for spending time on this. I had a running configuration from another office location and firewall, so I compared both and added the following differences to the configuration:

    > set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2

    > set security ipsec vpn VPN-GCP df-bit clear

    > set security ipsec vpn VPN-GCP vpn-monitor source-interface st0.0

    > set security ipsec vpn VPN-GCP vpn-monitor destination-ip 35.196.82.3

     

    And it is working now...

    Thank you
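The best answer says the Phase 2 proposals have to match on both sides, and the last post shows which attribute was missing: perfect forward secrecy. The script below is an added example serving both posts; it is not code from the posters, Juniper or Google. It parses the Junos `set security ipsec ...` form of the IPSEC-PROP-1 / IPSEC-POLICY configuration above and emulates the responder's Quick Mode selection that produced "No proposal chosen": a peer transform is accepted only when protocol, encryption, integrity and PFS group all equal one local proposal. `PEER_OFFER` is an assumption constructed to mirror the fix (the peer wants PFS group2), not Google's published settings; `negotiate` and the other names are this example's own.

```python
"""
IKEv1 Quick Mode proposal selection for an SRX-style IPsec policy.

Added example for this thread; not code from the posters, Juniper or Google.
Lifetime is parsed but not compared: IKEv1 peers may disagree on it without
aborting the exchange.  PEER_OFFER is an assumed peer offer (see lead-in).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str              # esp or ah
    encryption: str            # e.g. aes-128-cbc
    integrity: str             # e.g. hmac-sha1-96
    pfs_group: Optional[str]   # e.g. group2; None when PFS is disabled


NO_PROPOSAL_CHOSEN = 14        # ISAKMP notify type seen in the trace above

_PROP_RE = re.compile(r"^set security ipsec proposal (\S+) (\S+) (\S+)$")
_POLICY_PROPS_RE = re.compile(r"^set security ipsec policy (\S+) proposals (.+)$")
_POLICY_PFS_RE = re.compile(
    r"^set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)$")


def parse_ipsec_policies(set_lines: List[str]) -> Dict[str, List[Phase2Proposal]]:
    """Map each ipsec policy name to the Phase 2 proposals it offers."""
    attrs: Dict[str, Dict[str, str]] = {}     # proposal name -> attribute -> value
    policy_props: Dict[str, List[str]] = {}
    policy_pfs: Dict[str, str] = {}
    for line in set_lines:
        line = line.strip()
        if m := _PROP_RE.match(line):
            attrs.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := _POLICY_PROPS_RE.match(line):
            policy_props[m.group(1)] = m.group(2).strip("[] ").split()  # "A" or "[ A B ]"
        elif m := _POLICY_PFS_RE.match(line):
            policy_pfs[m.group(1)] = m.group(2)
    policies: Dict[str, List[Phase2Proposal]] = {}
    for policy, names in policy_props.items():
        policies[policy] = [
            Phase2Proposal(
                protocol=attrs[n].get("protocol", "esp"),   # Junos default is esp
                encryption=attrs[n]["encryption-algorithm"],
                integrity=attrs[n]["authentication-algorithm"],
                pfs_group=policy_pfs.get(policy),           # PFS is set on the policy
            )
            for n in names
        ]
    return policies


def select_proposal(local: List[Phase2Proposal],
                    offered: List[Phase2Proposal]) -> Optional[Phase2Proposal]:
    """Responder-side choice: first peer transform identical to a local one."""
    return next((p for p in offered if p in local), None)


def explain_mismatch(local: List[Phase2Proposal],
                     offered: List[Phase2Proposal]) -> List[str]:
    """Attribute-level differences, for when select_proposal() returns None."""
    diffs = set()
    for cand in offered:
        for mine in local:
            for attr in ("protocol", "encryption", "integrity", "pfs_group"):
                a, b = getattr(mine, attr), getattr(cand, attr)
                if a != b:
                    diffs.add(f"{attr}: local={a} peer={b}")
    return sorted(diffs)


def negotiate(set_lines: List[str], policy: str = "IPSEC-POLICY"
              ) -> Tuple[Optional[Phase2Proposal], Optional[int], List[str]]:
    """Return (chosen proposal, notify code sent on failure, reasons)."""
    local = parse_ipsec_policies(set_lines)[policy]
    chosen = select_proposal(local, PEER_OFFER)
    if chosen is not None:
        return chosen, None, []
    return None, NO_PROPOSAL_CHOSEN, explain_mismatch(local, PEER_OFFER)


# Constructed from the first post's IPSEC-PROP-1 / IPSEC-POLICY, in set form.
SRX_BEFORE = [
    "set security ipsec proposal IPSEC-PROP-1 protocol esp",
    "set security ipsec proposal IPSEC-PROP-1 authentication-algorithm hmac-sha1-96",
    "set security ipsec proposal IPSEC-PROP-1 encryption-algorithm aes-128-cbc",
    "set security ipsec proposal IPSEC-PROP-1 lifetime-seconds 3600",
    "set security ipsec policy IPSEC-POLICY proposals IPSEC-PROP-1",
]
# The policy line the third post added.
SRX_AFTER = SRX_BEFORE + [
    "set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group2",
]
# Assumed peer offer: same ESP transform, PFS group2 required (assumption).
PEER_OFFER = [Phase2Proposal("esp", "aes-128-cbc", "hmac-sha1-96", "group2")]

if __name__ == "__main__":
    for label, cfg in (("before", SRX_BEFORE), ("after", SRX_AFTER)):
        chosen, notify, why = negotiate(cfg)
        print(label, "->", chosen or f"NO_PROPOSAL_CHOSEN ({notify}): {why}")
```

With the original policy the only difference reported is `pfs_group: local=None peer=group2`, and the responder answers notify 14; with the added `perfect-forward-secrecy keys group2` the transform is selected. The same comparison is worth running whenever Phase 1 is up and Phase 2 is not, before touching `df-bit` or `vpn-monitor`, which affect a tunnel only after it is established.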