SRX


SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

  • 1.  SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

    Posted 03-13-2020 13:33

    Hi All,

    I am running into an issue I just can't wrap my head around at the moment.

    At home I have an SRX300 running JUNOS 18.2R3-S2.9 which sits behind the ISP FTTH router, ports 500, 4500 and ESP are forwarded to the SRX.

    I am trying to set up a VPN to the lab we have at the office, accessible by two SRX240H's running JUNOS 12.1X46-D86 in cluster mode.

    For some reason I can't get the tunnel up and visible on the primary SRX240, yet the SRX300 at home thinks everything is hunky-dory.

    HOME-SRX300:

    leon@SRX300> show security ike security-associations 
    Index State Initiator cookie Responder cookie Mode Remote Address 
    8047590 UP a7e26ece934f0485 bf66d83ad27db7b2 IKEv2 a.a.a.a
    
    leon@SRX300> show security ipsec security-associations 
    Total active tunnels: 1 Total Ipsec sas: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway 
    <131073 ESP:aes-cbc-256/sha256 beec2d48 3590/ unlim - root 4500 a.a.a.a 
    >131073 ESP:aes-cbc-256/sha256 8005bac 3590/ unlim - root 4500 a.a.a.a

    LAB-SRX240:

     

    leon@SRX240> show security ike security-associations 
    node0:
    --------------------------------------------------------------------------
    
    {primary:node0}
    leon@SRX240> show security ipsec security-associations 
    node0:
    --------------------------------------------------------------------------
    Total active tunnels: 0
    
    {primary:node0}

     

    a.a.a.a = LAB public IP address
    b.b.b.b = HOME public IP address

    Configs and flow sessions are attached.

    Any pointers are highly appreciated 🙂


    #SRX240
    #vpn
    #ike
    #IPSec
    #srx300

    Attachment(s):
    LAB-SRX240.txt (2 KB)
    HOME-SRX300.txt (3 KB)


  • 2.  RE: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty
    Best Answer

     
    Posted 03-13-2020 14:10

    Hey LeonNL,

     

    Please check this: https://forums.juniper.net/t5/SRX-Services-Gateway/Trouble-with-IPSEC-1-phase-SRX-220/td-p/305245

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB

     



  • 3.  RE: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

    Posted 03-13-2020 14:31

    Hi Lil,

     

    Pff can't believe I overlooked that.

    After setting the local and remote identity it works like a charm.

    Have a great weekend.

     

    Leon



  • 4.  RE: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

     
    Posted 03-13-2020 16:58

    Hey LeonNL,

     

    No worries mate, it happens to me all the time and I am glad to hear that everything is up and running!! 
    You have a wonderful weekend as well.

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB