SRX

Expand all | Collapse all

SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

Jump to Best Answer
  • 1.  SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

    Posted 03-13-2020 13:33

    Hi All,

     

    I am running into an issue I just cant wrap my head around at the moment.

     

    At home I have a SRX300 running JUNOS 18.2R3-S2.9 which sits behind the ISP FTTH router, ports 500, 4500 and ESP are forwarded to the SRX.

     

    I am trying to setup a VPN to the lab we have at the office, accessible by two SRX240H's running JUNOS 12.1X46-D86 in cluster mode.

     

    For some reason I can't get the tunnel up and visible on the primary SRX240, yet the SRX300 at home thinks everything is honky dory.

     

    HOME-SRX300:

     

    leon@SRX300> show security ike security-associations 
    Index State Initiator cookie Responder cookie Mode Remote Address 
    8047590 UP a7e26ece934f0485 bf66d83ad27db7b2 IKEv2 a.a.a.a
    
    leon@SRX300> show security ipsec security-associations 
    Total active tunnels: 1 Total Ipsec sas: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway 
    <131073 ESP:aes-cbc-256/sha256 beec2d48 3590/ unlim - root 4500 a.a.a.a 
    >131073 ESP:aes-cbc-256/sha256 8005bac 3590/ unlim - root 4500 a.a.a.a

    LAB-SRX240:

     

    leon@SRX240> show security ike security-associations 
    node0:
    --------------------------------------------------------------------------
    
    {primary:node0}
    leon@SRX240> show security ipsec security-associations 
    node0:
    --------------------------------------------------------------------------
    Total active tunnels: 0
    
    {primary:node0}

     

    a.a.a.a = LAB public IP address
    b.b.b.b = HOME public IP address

     

    Configs and flow sessions are attached.

     

    Any pointers are highly appreciated 🙂


    #SRX240
    #vpn
    #ike
    #IPSec
    #srx300

    Attachment(s)

    txt
    LAB-SRX240.txt   2K 1 version
    txt
    HOME-SRX300.txt   3K 1 version


  • 2.  RE: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty
    Best Answer

     
    Posted 03-13-2020 14:10

    Hey LeonNL,

     

    Please check this: https://forums.juniper.net/t5/SRX-Services-Gateway/Trouble-with-IPSEC-1-phase-SRX-220/td-p/305245

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB

     



  • 3.  RE: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

    Posted 03-13-2020 14:31

    Hi Lil,

     

    Pff can't believe I overlooked that.  Smiley Embarassed

    After setting the local and remote identity it works like a charm

     

    Have a great weekend.

     

    Leon



  • 4.  RE: SRX300/SRX240 can't establish site-to-site VPN, show security ike security-associations empty

     
    Posted 03-13-2020 16:58

    Hey LeonNL,

     

    No worries mate, it happens to me all the time and I am glad to hear that everything is up and running!! 
    You have a wonderful weekend as well.

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB