We have an IPsec site-to-site VPN from an SRX300 to an SRX340. The VPN connection works, but after x hours (24 to 48, sometimes a week) the VPN gets dropped and the only way to get it back up is to restart the SRX300.
I have checked the logs on the SRX300 device and found the following errors in the kmd logs:
Jun 5 07:16:21 SRX300-Remote_SITE kmd[10477]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL_IP, Remote gateway: REMOTE_IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x81744d2f, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jun 5 07:16:21 SRX300-Remote_SITE kmd[10477]: KMD_VPN_UP_ALARM_USER: VPN VPN_POLICY from REMOTE_IP is up. Local-ip: LOCAL_IP, gateway name: GW_at_HQ, vpn name: VPN_POLICY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 192.168.254.250, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Jun 5 07:16:21 SRX300-Remote_SITE kmd[10477]: IKE negotiation successfully completed. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID, Role: Initiator
Jun 5 07:18:19 SRX300-Remote_SITE kmd[10477]: KMD_VPN_DOWN_ALARM_USER: VPN VPN_POLICY from REMOTE_IP is down. Local-ip: LOCAL_IP, gateway name: GW_at_HQ, vpn name: VPN_POLICY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 192.168.254.250, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared
Jun 5 07:18:29 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
Jun 5 07:18:29 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun 5 07:18:39 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun 5 07:18:39 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
Jun 5 07:18:49 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun 5 07:18:49 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
Jun 5 07:18:59 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun 5 07:18:59 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
Jun 5 07:19:02 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
Jun 5 07:19:02 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun 5 07:19:09 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
Jun 5 07:19:09 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
My SRX300 config is:
security {
    ike {
        proposal IKE_PROPOSAL_RSA {
            authentication-method rsa-signatures;
            dh-group group20;
            encryption-algorithm aes-256-gcm;
        }
        policy IKE_POLICY_RSA {
            mode main;
            proposals IKE_PROPOSAL_RSA;
            certificate {
                local-certificate Cert_Remote_SITE;
                peer-certificate-type x509-signature;
            }
        }
        gateway GW_at_HQ {
            ike-policy IKE_POLICY_RSA;
            address REMOTE_IP;
            local-identity distinguished-name;
            remote-identity distinguished-name;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        policy IPSEC_POLICY {
            perfect-forward-secrecy {
                keys group20;
            }
            proposal-set suiteb-gcm-256;
        }
        vpn VPN_POLICY {
            bind-interface st0.0;
            vpn-monitor {
                optimized;
                destination-ip 192.168.254.250;
            }
            ike {
                gateway GW_at_HQ;
                ipsec-policy IPSEC_POLICY;
            }
            establish-tunnels immediately;
        }
    }
}
My SRX340 config is:
set security ike gateway GW_SRX300 ike-policy IKE_POLICY_RSA
set security ike gateway GW_SRX300 address Remote_Site_Public_IP
set security ike gateway GW_SRX300 local-identity distinguished-name
set security ike gateway GW_SRX300 remote-identity distinguished-name wildcard OU=SRX_VPN
set security ike gateway GW_SRX300 external-interface reth0.0
set security ike gateway GW_SRX300 version v2-only
set security ipsec vpn VPN_SRX300 bind-interface st0.0
set security ipsec vpn VPN_SRX300 vpn-monitor optimized
set security ipsec vpn VPN_SRX300 vpn-monitor destination-ip 192.168.254.27
set security ipsec vpn VPN_SRX300 ike gateway GW_SRX300
set security ipsec vpn VPN_SRX300 ike ipsec-policy IPSEC_POLICY
set security ipsec vpn VPN_SRX300 establish-tunnels immediately
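One way to catch this state automatically instead of discovering it after a reboot, as an added example that is not part of the original post: a small Python script that correlates the kmd messages shown above (a KMD_VPN_DOWN_ALARM_USER followed by repeated KMD_VPN_TS_MISMATCH / "TS unacceptable" failures with no KMD_VPN_UP_ALARM_USER afterwards) and reports the VPN as stuck. The sample log lines are constructed to mirror the excerpt in the post, the failure threshold and output field names are my own choices, and the script only detects the pattern; it does not diagnose why the peer proposes an empty traffic selector.

```python
"""Correlate SRX kmd log lines and flag a VPN that goes down on vpn-monitor and
then keeps failing IKEv2 CHILD_SA negotiation with 'TS unacceptable'."""
import re
from datetime import datetime

# Constructed sample modelled on the post's excerpt (placeholders as in the post).
# VPN_OTHER is added to show an incident that recovers and is therefore not flagged.
SAMPLE_KMD_LOG = """\
Jun  5 07:16:21 SRX300-Remote_SITE kmd[10477]: KMD_VPN_UP_ALARM_USER: VPN VPN_POLICY from REMOTE_IP is up. Local-ip: LOCAL_IP, gateway name: GW_at_HQ, vpn name: VPN_POLICY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 192.168.254.250, SA Type: Static
Jun  5 07:16:21 SRX300-Remote_SITE kmd[10477]: IKE negotiation successfully completed. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Role: Initiator
Jun  5 07:18:19 SRX300-Remote_SITE kmd[10477]: KMD_VPN_DOWN_ALARM_USER: VPN VPN_POLICY from REMOTE_IP is down. Local-ip: LOCAL_IP, gateway name: GW_at_HQ, vpn name: VPN_POLICY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 192.168.254.250, SA Type: Static, Reason: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared
Jun  5 07:18:29 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500
Jun  5 07:18:29 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun  5 07:18:39 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun  5 07:18:39 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500
Jun  5 07:18:40 SRX300-Remote_SITE kmd[10477]: KMD_VPN_DOWN_ALARM_USER: VPN VPN_OTHER from OTHER_IP is down. vpn name: VPN_OTHER, tunnel-id: 131074, Reason: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared
Jun  5 07:18:45 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_OTHER, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun  5 07:18:49 SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(), Peer Proposed traffic-selector remote-ip: none()
Jun  5 07:18:49 SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500
Jun  5 07:18:55 SRX300-Remote_SITE kmd[10477]: KMD_VPN_UP_ALARM_USER: VPN VPN_OTHER from OTHER_IP is up. vpn name: VPN_OTHER, tunnel-id: 131074, SA Type: Static
"""

# syslog prefix: "Mon  D HH:MM:SS host kmd[pid]: message" (no year in the timestamp)
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kmd\[\d+\]: (?P<msg>.*)$"
)
VPN_NAME_RE = re.compile(r"vpn name: ([^,]+)")          # alarm / mismatch messages
VPN_FIELD_RE = re.compile(r"\bVPN: (\S+) Gateway:")     # negotiation messages
REASON_RE = re.compile(r"Reason: (.*)$")
PEER_TS_RE = re.compile(r"local-ip: ([^,]+), Peer Proposed traffic-selector remote-ip: (.+)$")


def parse_kmd_line(line):
    """Return {ts, host, event, vpn, detail} for the kmd events we track, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m["msg"]
    # Year is absent from syslog; 1900 is fine since we only use time differences.
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    if msg.startswith("KMD_VPN_UP_ALARM_USER:"):
        event, detail = "up", ""
    elif msg.startswith("KMD_VPN_DOWN_ALARM_USER:"):
        r = REASON_RE.search(msg)
        event, detail = "down", (r.group(1) if r else "")
    elif msg.startswith("KMD_VPN_TS_MISMATCH:"):
        p = PEER_TS_RE.search(msg)
        event, detail = "ts_mismatch", (f"local={p.group(1)} remote={p.group(2)}" if p else "")
    elif msg.startswith("IPSec negotiation failed with error:"):
        event, detail = "child_sa_failed", msg.split("error: ", 1)[1].split(".", 1)[0]
    else:
        return None
    name = VPN_NAME_RE.search(msg) or VPN_FIELD_RE.search(msg)
    return {"ts": ts, "host": m["host"], "event": event,
            "vpn": name.group(1) if name else "?", "detail": detail}


def find_stuck_tunnels(lines, min_mismatches=3):
    """Flag each VPN whose last DOWN alarm was followed by >= min_mismatches
    traffic-selector rejections and no UP alarm. Returns a list of incidents."""
    open_incidents = {}   # vpn name -> incident since its last DOWN alarm
    for line in lines:
        ev = parse_kmd_line(line)
        if ev is None:
            continue
        vpn = ev["vpn"]
        if ev["event"] == "down":
            open_incidents[vpn] = {"vpn": vpn, "host": ev["host"], "down_at": ev["ts"],
                                   "reason": ev["detail"], "ts_mismatches": 0,
                                   "child_sa_failures": 0, "peer_ts": None, "last_seen": ev["ts"]}
        elif ev["event"] == "up":
            open_incidents.pop(vpn, None)   # tunnel recovered on its own: not stuck
        elif vpn in open_incidents:
            inc = open_incidents[vpn]
            inc["last_seen"] = ev["ts"]
            if ev["event"] == "ts_mismatch":
                inc["ts_mismatches"] += 1
                inc["peer_ts"] = ev["detail"]
            else:
                inc["child_sa_failures"] += 1
    findings = []
    for inc in open_incidents.values():
        if inc["ts_mismatches"] >= min_mismatches:
            inc["seconds_stuck"] = int((inc["last_seen"] - inc["down_at"]).total_seconds())
            findings.append(inc)
    return findings


if __name__ == "__main__":
    for f in find_stuck_tunnels(SAMPLE_KMD_LOG.splitlines()):
        print(f"{f['host']}: VPN {f['vpn']} down since {f['down_at']:%b %d %H:%M:%S} "
              f"({f['reason']}); {f['ts_mismatches']} TS mismatches, "
              f"{f['child_sa_failures']} CHILD_SA failures, peer TS {f['peer_ts']}, "
              f"stuck {f['seconds_stuck']}s")
```

Feeding the script the real kmd log (for example the output of `show log kmd` saved to a file) gives a per-VPN record of how long the tunnel has been stuck and what traffic selector the peer keeps proposing, which is the evidence to attach to a support case instead of just "it dropped again".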