SRX


second ipsec tunnel not working

  • 1.  second ipsec tunnel not working

    Posted 07-09-2018 08:42

    Hi,

    I have been fighting with a second IPsec VPN tunnel since winter. We got a bigger internet line in the office; I configured a port for it on the office SRX100, and all our internet traffic is using it now. We have a VPN to our data center, where the VPN endpoint is a cluster of two SRX100/100H2. Now I wanted to make a second tunnel to the data center over the new line, transfer all routes and then switch off the old tunnel. I did this before with pfSense, but on Juniper I just cannot understand how this should be done.

    I copied the secrets from the config of the first firewall to the second, so this should be ok. What I don't understand is why the tunnel 1 endpoint on firewall 1 has a completely different secret than the tunnel 1 endpoint on firewall 2 and it still works. ???

    My (cleaned) config at the moment; there were so many tries and changes in the last half year I tried this that I cannot recall everything I did until now, as I did not push every time:

     

    firewall office:

    interfaces {
       fe-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
       }
        fe-0/0/7 {
            description Telekom;
            speed 100m;
            mtu 1492;
            link-mode full-duplex;
            fastether-options {
                no-auto-negotiation;
            }
            unit 0 {
                description "Feste IP";
                family inet {
                    address 172.10.10.10/29;
                }
            }
        }
        pp0 {
            traceoptions;
            unit 0 {
                apply-macro "telekom dsl";
                ppp-options {
                    chap {
                        default-chap-secret "$9$/somesecretchap";
                        local-name "fixed-ip-telekom";
                        no-rfc2486;
                        passive;
                    }
                    pap {
                        local-name "fixed-ip-telekom";
                        no-rfc2486;
                        local-password "$9$/somesecretchap";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface fe-0/0/0.0;
                    idle-timeout 0;
                    auto-reconnect 10;
                }
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 192.168.210.20/24;
                }
            }
            unit 1 {
                description MunichII;
                family inet {
                    address 192.168.210.21/24;
                }
            }
        }
        ike {
            traceoptions {
                flag all;
                level 0;
            }
            policy ike_pol_wizard_dyn_vpn {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$xxxxxverylongpassword1";
            }
            policy ike-policy-cfgr {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$notsolongpassword1";
            }
            policy ike-policy-sdsl {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$notsolongpassword1";
            }
            gateway gw_wizard_dyn_vpn {
                ike-policy ike_pol_wizard_dyn_vpn;
                dynamic {
                    hostname rt1;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface pp0.0;
                xauth access-profile remote_access_profile;
            }
            gateway ike-gate-cfgr {
                ike-policy ike-policy-cfgr;
                address 172.10.11.146;
                external-interface pp0.0;
            }
            gateway ike-gate-sdsl {
                ike-policy ike-policy-sdsl;
                address 172.10.11.146;
                external-interface fe-0/0/7.0;
            }
        }
        ipsec {
            policy ipsec_pol_wizard_dyn_vpn {
                proposal-set compatible;
            }
            policy ipsec-policy-cfgr {
                proposal-set standard;
            }
            policy ipsec-policy-sdsl {
                proposal-set standard;
            }
            vpn wizard_dyn_vpn {
                ike {
                    gateway gw_wizard_dyn_vpn;
                    ipsec-policy ipsec_pol_wizard_dyn_vpn;
                }
            }
            vpn ipsec-vpn-cfgr {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-cfgr;
                    ipsec-policy ipsec-policy-cfgr;
                }
                establish-tunnels immediately;
            }
            vpn ipsec-vpn-sdsl {
                bind-interface st0.1;
                ike {
                    gateway ike-gate-sdsl;
                    ipsec-policy ipsec-policy-sdsl;
                }
                establish-tunnels immediately;
            }
          }

    firewall data center:

    interfaces {    
         reth2 {
            description "UPLINK IPX";
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 172.10.11.146/29;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 192.168.210.10/24;
                }
            }
            unit 1 {
                family inet {
                    address 192.168.210.11/24;
                }
                family inet6;
            }
        }
        ike {
            policy ike-policy-cfgr {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$somecompletelydifferentpasswordthentheothers";
            }
            policy ike_pol_sdsl {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$thesecreticopiedfromotherfirewall";
            }
            gateway ike-gate-cfgr {
                ike-policy ike-policy-cfgr;
                address 172.old.ppoe.address;
                external-interface reth2.0;
            }
            gateway gw_sdsl {
                ike-policy ike_pol_sdsl;
                address 172.10.10.62;
                external-interface reth2.0;
            }
        }
        ipsec {
            policy ipsec-policy-cfgr {
                proposal-set standard;
            }
            policy ipsec_pol_sdsl {
                proposal-set standard;
            }
            vpn ipsec-vpn-cfgr {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-cfgr;
                    ipsec-policy ipsec-policy-cfgr;
                }
                establish-tunnels immediately;
            }
            vpn sdsl {
                bind-interface st0.1;
                ike {
                    gateway gw_sdsl;
                    ipsec-policy ipsec_pol_sdsl;
                }
                establish-tunnels immediately;
            }
        }

    I always change the config in the web interface CLI editor.

    I enabled kmd logs on both firewalls.

    The logs say the tunnel from the RZ to the old gateway is established perfectly; for the tunnel from the new gateway to the RZ, the office log says:

    Jul  9 16:40:14  rt1 kmd[65052]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ipsec-vpn-sdsl Gateway: ike-gate-sdsl, Local: 172.10.10.62/500, Remote: 172.10.11.146/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Jul  9 16:41:09  rt1 kmd[65052]: Config download: Processed 4 - 5 messages
    Jul  9 16:41:09  rt1 kmd[65052]: Config download time: 0 seconds
    

    I really tried everything now: using the same policy and gateway on the RZ (it's the same gate anyway), making an st0.1 with the same IP and a different gateway name, using the same policy on the office firewall, making a new one....

    I am out of options. I tried the

    https://www.juniper.net/support/tools/vpnconfig/#remoteSite

    configurator and copied the relevant portions into the config, committed, and it did not work. I even went as far as making a backdoor around the firewall in the data center so as not to lose connectivity and tried the CLI set thing, to no avail, except that the tunnel really went down then. Luckily the commit confirmed brought it back after 10 minutes.

    So what to do?



  • 2.  RE: second ipsec tunnel not working

    Posted 07-09-2018 18:40

    Hi,

    I hope the VPN which is not working is "ipsec-vpn-sdsl". If so, the peer IP address configured on the Datacenter SRX is wrong.

    Office SRX:
    +++++++++++++
            gateway ike-gate-sdsl {
                ike-policy ike-policy-sdsl;
                address 172.10.11.146;   <------------ IP address of reth2.0 interface of DC firewall
                external-interface fe-0/0/7.0; <------ Local IP is 172.10.10.10/29
            }

    DC Firewall:-
    ++++++++++++++
            gateway gw_sdsl {
                ike-policy ike_pol_sdsl;
                address 172.10.10.62; <--------- This ip is wrongly configured. It should be ip address of fe-0/0/7 of Office SRX: 172.10.10.10
                external-interface reth2.0; <------ Local IP is 172.10.11.146/29
            }
            
    And the VPN logs show that it is getting timed out. So I believe it is because of the wrong peer IP configured in the DC firewall.
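As an added example (not code from this thread or from Juniper), here is a small Python checker that does mechanically what the reply above does by eye: it parses `display set` lines from both boxes and verifies that each side's IKE gateway `address` equals the peer's external-interface address, that `ike` is allowed as host-inbound traffic on the external interface, and that the two IKE policies agree on mode and proposal-set. The sample `display set` lines are constructed from the cleaned config in the original post (172.10.x.x addresses); the interface-level `host-inbound-traffic` lines are an assumption about how the zones are configured, since the thread only shows the `show interfaces ... extensive` summary. Pre-shared keys are deliberately not compared: a `$9$` string is Junos' reversible, salted obfuscation of the plaintext, so two boxes holding the same secret normally display different `$9$` strings, and either string can be pasted onto the other box.

```python
# Constructed `show configuration | display set` excerpts for both boxes, using the
# cleaned 172.10.x.x addresses from the original post.  The host-inbound-traffic
# lines are an assumption about the zone config; the thread only shows the
# "Allowed host-inbound traffic" summary from `show interfaces ... extensive`.
OFFICE_SET = """\
set interfaces fe-0/0/7 unit 0 family inet address 172.10.10.10/29
set security ike policy ike-policy-sdsl mode main
set security ike policy ike-policy-sdsl proposal-set standard
set security ike policy ike-policy-sdsl pre-shared-key ascii-text "$9$notsolongpassword1"
set security ike gateway ike-gate-sdsl ike-policy ike-policy-sdsl
set security ike gateway ike-gate-sdsl address 172.10.11.146
set security ike gateway ike-gate-sdsl external-interface fe-0/0/7.0
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services ike
"""
DC_SET = """\
set interfaces reth2 unit 0 family inet address 172.10.11.146/29
set security ike policy ike_pol_sdsl mode main
set security ike policy ike_pol_sdsl proposal-set standard
set security ike policy ike_pol_sdsl pre-shared-key ascii-text "$9$thesecreticopiedfromotherfirewall"
set security ike gateway gw_sdsl ike-policy ike_pol_sdsl
set security ike gateway gw_sdsl address 172.10.10.62
set security ike gateway gw_sdsl external-interface reth2.0
set security zones security-zone UPLINK interfaces reth2.0 host-inbound-traffic system-services ike
"""


def parse_set(text):
    """Pull interface addresses, IKE gateways/policies and ike host-inbound
    permissions out of `display set` lines.  Everything else is ignored."""
    cfg = {"addr": {}, "gw": {}, "pol": {}, "ike_allowed": set()}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 6 or w[0] != "set":
            continue
        if w[1] == "interfaces" and "family" in w and "address" in w:
            # set interfaces <ifd> unit <n> family inet address <ip>/<len>
            cfg["addr"][f"{w[2]}.{w[4]}"] = w[w.index("address") + 1].split("/")[0]
        elif w[1:4] == ["security", "ike", "gateway"] and len(w) >= 7:
            cfg["gw"].setdefault(w[4], {})[w[5]] = w[6]   # address / external-interface / ike-policy
        elif w[1:4] == ["security", "ike", "policy"] and len(w) >= 7:
            if w[5] != "pre-shared-key":   # $9$ text is salted per encoding; not comparable
                cfg["pol"].setdefault(w[4], {})[w[5]] = w[6]
        elif (w[1:4] == ["security", "zones", "security-zone"] and "interfaces" in w
              and w[-2:] == ["system-services", "ike"]):
            cfg["ike_allowed"].add(w[w.index("interfaces") + 1])
    return cfg


def check_tunnel(local, local_gw, peer, peer_gw):
    """Cross-check one IKE gateway pair; returns a list of findings (empty means consistent)."""
    findings = []
    lg, pg = local["gw"][local_gw], peer["gw"][peer_gw]
    l_if, p_if = lg.get("external-interface"), pg.get("external-interface")
    l_ip, p_ip = local["addr"].get(l_if), peer["addr"].get(p_if)
    # Each side's gateway address must be the address the peer actually sources IKE from.
    if lg.get("address") != p_ip:
        findings.append(f"{local_gw}: address {lg.get('address')} is not the peer's {p_if} address {p_ip}")
    if pg.get("address") != l_ip:
        findings.append(f"{peer_gw}: address {pg.get('address')} is not our {l_if} address {l_ip}")
    # UDP/500 must be accepted on the external interface, or phase 1 simply times out.
    for name, ifl, cfg in ((local_gw, l_if, local), (peer_gw, p_if, peer)):
        if ifl not in cfg["ike_allowed"]:
            findings.append(f"{name}: ike is not allowed as host-inbound traffic on {ifl}")
    lp = local["pol"].get(lg.get("ike-policy"), {})
    pp = peer["pol"].get(pg.get("ike-policy"), {})
    for key in ("mode", "proposal-set"):
        if lp.get(key) != pp.get(key):
            findings.append(f"ike policy {key} mismatch: {lp.get(key)} vs {pp.get(key)}")
    return findings


def sdsl_findings():
    """Run the check for the sdsl tunnel pair from the constructed sample."""
    return check_tunnel(parse_set(OFFICE_SET), "ike-gate-sdsl", parse_set(DC_SET), "gw_sdsl")


if __name__ == "__main__":
    for f in sdsl_findings() or ["no mismatches found"]:
        print(f)
```

On the sample the only finding is the one the reply points out: `gw_sdsl` on the DC side points at 172.10.10.62 while the office sources IKE from 172.10.10.10 on fe-0/0/7.0. Feeding real `display set` output from both boxes works the same way, provided the gateway names passed to `check_tunnel` are the two ends of the same tunnel.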

     



  • 3.  RE: second ipsec tunnel not working

    Posted 07-09-2018 23:59

    Hello nellikka,

    I changed that now, but it is still not better. As I said before, I have been changing that config constantly for over half a year now, trying to get it to work. Is there a condition that a Juniper cannot open a second tunnel from the same interface?



  • 4.  RE: second ipsec tunnel not working

    Posted 07-10-2018 00:27

    These are the logs right now.

    Data center:

    Jul 10 09:18:53  fw1 kmd[49319]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-sdsl Gateway: ike-gate-sdsl, Local: 172.10.11.146/500, Remote: 172.10.10.10/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    
    


     

    Office:

    cat kmd-log
    [Jul 10 09:18:53]172.10.10.10:500 (Responder) <-> 172.10.11.146:500 { 7629791d 4c0eb038 - b08ced6d 5bf26911 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    [Jul 10 09:18:53]iked_pm_ike_sa_done: Phase-1 failed with error (Timeout) p1_sa 7719884
    [Jul 10 09:18:53] IKEv1 Error : Timeout

    cat kmd
    Jul 10 09:17:53 rt1 kmd[65052]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ipsec-vpn-sdsl Gateway: ike-gate-sdsl, Local: 172.10.10.10/500, Remote: 172.10.11.146/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    Jul 10 09:27:53 rt1 last message repeated 10 times

    I double/triple checked the passwords. I am using the same password for all connections now, copied the same $9$ password everywhere.
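As an added example, not part of the thread, a Python summarizer for kmd lines like the ones quoted above: it parses the `IKE negotiation failed` records, folds syslog's `last message repeated N times` into the preceding failure, and aggregates by host, VPN, gateway and error so a long log reduces to a handful of rows. The sample lines are constructed in the same format as the ones above, using the cleaned 172.10.x.x addresses from the original post. The hint text for `Timed out` restates the checks already suggested in this thread (peer address, route to the peer, `ike` in host-inbound traffic); for other errors it only points to the peer's log at the same timestamp.

```python
import re
from collections import Counter

# Constructed sample in the format of the kmd lines quoted in this thread
# (cleaned 172.10.x.x addresses as in the original post).
KMD_SAMPLE = """\
Jul  9 16:40:14  rt1 kmd[65052]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: ipsec-vpn-sdsl Gateway: ike-gate-sdsl, Local: 172.10.10.10/500, Remote: 172.10.11.146/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Jul  9 16:50:14  rt1 last message repeated 10 times
Jul  9 16:51:09  rt1 kmd[65052]: Config download: Processed 4 - 5 messages
Jul 10 09:18:53  fw1 kmd[49319]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-sdsl Gateway: ike-gate-sdsl, Local: 172.10.11.146/500, Remote: 172.10.10.10/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
"""

SYSLOG_HEAD = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d\s+(?P<host>\S+) "
FAIL_RE = re.compile(
    SYSLOG_HEAD + r"kmd\[\d+\]: IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<ver>\d), VPN: (?P<vpn>\S+) Gateway: (?P<gw>\S+), "
    r"Local: (?P<local>\S+), Remote: (?P<remote>\S+), "
    r"Local IKE-ID: (?P<lid>[^,]+), Remote IKE-ID: (?P<rid>[^,]+)")
REPEAT_RE = re.compile(SYSLOG_HEAD + r"last message repeated (?P<n>\d+) times")
HOST_RE = re.compile(SYSLOG_HEAD)


def summarize_kmd(text):
    """Return Counter{(host, vpn, gateway, error, local, remote): failures}.

    syslog collapses identical consecutive lines into 'last message repeated N
    times'; that count is credited to the host's previous line only when that
    line was an IKE failure.
    """
    counts = Counter()
    last = {}  # host -> key of the host's most recent line, or None
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            key = (m["host"], m["vpn"], m["gw"], m["error"], m["local"], m["remote"])
            counts[key] += 1
            last[m["host"]] = key
            continue
        r = REPEAT_RE.match(line)
        if r:
            key = last.get(r["host"])
            if key is not None:
                counts[key] += int(r["n"])
            continue
        h = HOST_RE.match(line)
        if h:
            last[h["host"]] = None  # some other line from that host breaks the repeat chain
    return counts


def hint(error):
    """Next troubleshooting step for an error string, limited to what this thread covers."""
    if error == "Timed out":
        return ("no IKE reply from the peer: verify the gateway address on both ends, "
                "the route to the peer, and that ike is allowed as host-inbound traffic "
                "on the external interface")
    return "compare with the peer's kmd log at the same timestamp"


if __name__ == "__main__":
    for (host, vpn, gw, err, local, remote), n in sorted(summarize_kmd(KMD_SAMPLE).items()):
        print(f"{host}: {vpn}/{gw} {local} -> {remote}: {err} x{n}  [{hint(err)}]")
```

Run against a real kmd file the sample shows the pattern from this thread directly: the office side (rt1) accumulates 11 timeouts with both IKE-IDs `Not-Available`, meaning phase 1 never got an answer, while the data center side logs a different error for the same tunnel.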



  • 5.  RE: second ipsec tunnel not working

    Posted 07-10-2018 01:16

    Hi,
    Please share the output of the commands below.

    Office:-
    ++++++++++
    show interfaces fe-0/0/7.0 extensive
    show interfaces st0.1  extensive
    show configuration | display set | match dsl
    show route 172.10.11.146

    DC:-
    ++++++++
    show interfaces reth2.0 extensive
    show interfaces  st0.1 extensive
    show configuration | display set | match dsl
    show route 172.10.10.10

     



  • 6.  RE: second ipsec tunnel not working

    Posted 07-10-2018 03:27

    Hi Nellikka,

    I stopped cleaning the real IP addresses out of my config now; I cannot keep track in all these logs any more 🙂

    So here again my current config, with real addresses:

     

    box1 data center:

    interfaces
        reth2 {
            description "UPLINK IPX/QSC";
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 80.190.133.146/29;
                }
                family inet6 {
                    address 2a01:0138:9014:0000::5/64;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 192.168.210.10/24;
                }
            }
            unit 1 {
                family inet {
                    address 192.168.211.11/24;
                }
            }
        }
    routing-options {
        rib inet6.0 {
            static {
                route 0::0/0 next-hop 2a01:0138:9014:0000::1;
            }
        }
        static {
            route 0.0.0.0/0 next-hop 80.190.133.145;
            route 192.168.30.0/24 next-hop st0.0;
            route 192.168.150.0/24 next-hop st0.0;
            route 192.168.161.0/24 next-hop st0.0;
            route 192.168.160.0/24 next-hop st0.0;
            route 10.95.0.0/24 next-hop 80.190.119.222;
            route 10.96.0.0/24 next-hop 80.190.119.222;
            route 10.97.0.0/16 next-hop 80.190.119.222;
            route 192.168.170.0/24 next-hop st0.0;
        }
    }
        ike {
            policy ike-policy-cfgr {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$password1";
            }
            policy ike-policy-sdsl {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$password1";
            }
            gateway ike-gate-cfgr {
                ike-policy ike-policy-cfgr;
                address 217.92.249.16;
                external-interface reth2.0;
            }
            gateway ike-gate-sdsl {
                ike-policy ike-policy-sdsl;
                address 62.154.246.62;
                external-interface reth2.0;
            }
        }
        ipsec {
            policy ipsec-policy-cfgr {
                proposal-set standard;
            }
            policy ipsec-policy-sdsl {
                proposal-set standard;
            }
            vpn ipsec-vpn-cfgr {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-cfgr;
                    ipsec-policy ipsec-policy-cfgr;
                }
                establish-tunnels immediately;
            }
            vpn ipsec-vpn-sdsl {
                bind-interface st0.1;
                ike {
                    gateway ike-gate-sdsl;
                    ipsec-policy ipsec-policy-sdsl;
                }
                establish-tunnels immediately;
            }
        }

    box2 office:

    interfaces 
       fe-0/0/7 {
            description Telekom;
            speed 100m;
            mtu 1492;
            link-mode full-duplex;
            fastether-options {
                no-auto-negotiation;
            }
            unit 0 {
                description "Feste IP";
                family inet {
                    address 62.154.246.62/29;
                }
            }
        }
        pp0 {
            traceoptions;
            unit 0 {
                apply-macro "telekom dsl";
                ppp-options {
                    chap {
                        default-chap-secret "$9$passwordppoetcom";
                        local-name "somefixedip@t-online-com.de";
                        no-rfc2486;
                        passive;
                    }
                    pap {
                        local-name "somefixedip@t-online-com.de";
                        no-rfc2486;
                        local-password "$9$passwordppoetcom";
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface fe-0/0/0.0;
                    idle-timeout 0;
                    auto-reconnect 10;
                }
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 192.168.210.20/24;
                }
            }
            unit 1 {
                description MunichII;
                family inet {
                    address 192.168.211.11/24;
                }
            }
        }
    routing-options {
        static {
            route 192.168.201.0/24 next-hop st0.0;
            route 192.168.161.0/24 next-hop 192.168.160.11;
            route 10.95.0.0/24 next-hop st0.0;
            route 10.96.0.0/24 next-hop st0.0;
            route 0.0.0.0/0 {
                next-hop 62.154.246.57;
                qualified-next-hop pp0.0 {
                    preference 10;
                }
                preference 5;
            }
            route 80.190.133.146/32 next-hop pp0.0;
            route 10.97.0.0/16 next-hop st0.0;
            route 4.2.2.0/24 next-hop 62.154.246.57;
            route 80.190.119.222/32 next-hop pp0.0;
            route 80.190.119.214/32 next-hop pp0.0;
            route 80.190.119.218/32 next-hop pp0.0;
            route 80.190.119.211/32 next-hop pp0.0;
            route 192.168.33.0/24 next-hop st0.0;
        }
    }
    
        ike {
            traceoptions {
                flag all;
                level 0;
            }
            policy ike_pol_wizard_dyn_vpn {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$somecompletelydifferentotherpassword";
            }
            policy ike-policy-cfgr {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$password1";
            }
            policy ike-policy-sdsl {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$password1";
            }
            gateway gw_wizard_dyn_vpn {
                ike-policy ike_pol_wizard_dyn_vpn;
                dynamic {
                    hostname rt1;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface pp0.0;
                xauth access-profile remote_access_profile;
            }
            gateway ike-gate-cfgr {
                ike-policy ike-policy-cfgr;
                address 80.190.133.146;
                external-interface pp0.0;
            }
            gateway ike-gate-sdsl {
                ike-policy ike-policy-sdsl;
                address 80.190.133.146;
                external-interface fe-0/0/7.0;
            }
        }
        ipsec {
            policy ipsec_pol_wizard_dyn_vpn {
                proposal-set compatible;
            }
            policy ipsec-policy-cfgr {
                proposal-set standard;
            }
            policy ipsec-policy-sdsl {
                proposal-set standard;
            }
            vpn wizard_dyn_vpn {
                ike {
                    gateway gw_wizard_dyn_vpn;
                    ipsec-policy ipsec_pol_wizard_dyn_vpn;
                }
            }
            vpn ipsec-vpn-cfgr {
                bind-interface st0.0;
                ike {
                    gateway ike-gate-cfgr;
                    ipsec-policy ipsec-policy-cfgr;
                }
                establish-tunnels immediately;
            }
            vpn ipsec-vpn-sdsl {
                bind-interface st0.1;
                ike {
                    gateway ike-gate-sdsl;
                    ipsec-policy ipsec-policy-sdsl;
                }
                establish-tunnels immediately;
           }

    Now the output of the commands you gave me, on the office box:

    show interfaces fe-0/0/7.0 extensive 
      Logical interface fe-0/0/7.0 (Index 85) (SNMP ifIndex 523) (Generation 150)
        Description: Feste IP
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Traffic statistics:
         Input  bytes  :          82221464479
         Output bytes  :           6517232360
         Input  packets:             72974046
         Output packets:             55242341
        Local statistics:
         Input  bytes  :            108847923
         Output bytes  :             89803759
         Input  packets:               753714
         Output packets:               365479
        Transit statistics:
         Input  bytes  :          82112616556               493352 bps
         Output bytes  :           6427428601                46488 bps
         Input  packets:             72220332                   64 pps
         Output packets:             54876862                   64 pps
        Security: Zone: untrust
        Allowed host-inbound traffic : https ike ssh
        Flow Statistics :  
        Flow Input statistics :
          Self packets :                     490159
          ICMP packets :                     198353
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        82200275088
          Connections established :          23589 
        Flow Output statistics: 
          Multicast packets :                0
          Bytes permitted by policy :        6512026745 
        Flow error statistics (Packets dropped due to): 
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0 
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 50       
          No minor session:                  0 
          No more sessions:                  0
          No NAT gate:                       0 
          No route present:                  5 
          No SA for incoming SPI:            0 
          No tunnel found:                   0
          No session for a gate:             0 
          No zone or NULL zone binding       0
          Policy denied:                     0
          Security association not active:   0 
          TCP sequence number out of window: 197
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 1478, Generation: 160, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 62.154.246.56/29, Local: 62.154.246.62, Broadcast: 62.154.246.63, Generation: 156
    
    show interfaces st0.1 extensive         
      Logical interface st0.1 (Index 70) (SNMP ifIndex 533) (Generation 135)
        Description: MunichII
        Flags: Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
        Traffic statistics:
         Input  bytes  :                    0
         Output bytes  :                    0
         Input  packets:                    0
         Output packets:                    0
        Local statistics:
         Input  bytes  :                    0
         Output bytes  :                    0
         Input  packets:                    0
         Output packets:                    0
        Transit statistics:
         Input  bytes  :                    0                    0 bps
         Output bytes  :                    0                    0 bps
         Input  packets:                    0                    0 pps
         Output packets:                    0                    0 pps
        Security: Zone: vpn
        Flow Statistics :  
        Flow Input statistics :
          Self packets :                     0
          ICMP packets :                     0
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        0
          Connections established :          0 
        Flow Output statistics: 
          Multicast packets :                0
          Bytes permitted by policy :        0 
        Flow error statistics (Packets dropped due to): 
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0 
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0       
          No minor session:                  0 
          No more sessions:                  0
          No NAT gate:                       0 
          No route present:                  0 
          No SA for incoming SPI:            0 
          No tunnel found:                   0
          No session for a gate:             0 
          No zone or NULL zone binding       0
          Policy denied:                     0
          Security association not active:   0 
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 9192, Generation: 148, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
            Destination: 192.168.211/24, Local: 192.168.211.11, Broadcast: Unspecified, Generation: 300
    
    show configuration |display set |match dsl 
    set interfaces pp0 unit 0 apply-macro "telekom dsl"
    set interfaces pp0 unit 2 apply-macro "telekom dsl 2"
    
    set security ike policy ike-policy-sdsl mode main
    set security ike policy ike-policy-sdsl proposal-set standard
    set security ike policy ike-policy-sdsl pre-shared-key ascii-text "$9$password1 ( cleaned out again)"
    set security ike gateway ike-gate-sdsl ike-policy ike-policy-sdsl
    set security ike gateway ike-gate-sdsl address 80.190.133.146
    set security ike gateway ike-gate-sdsl external-interface fe-0/0/7.0
    set security ipsec policy ipsec-policy-sdsl proposal-set standard
    set security ipsec vpn ipsec-vpn-sdsl bind-interface st0.1
    set security ipsec vpn ipsec-vpn-sdsl ike gateway ike-gate-sdsl
    set security ipsec vpn ipsec-vpn-sdsl ike ipsec-policy ipsec-policy-sdsl
    set security ipsec vpn ipsec-vpn-sdsl establish-tunnels immediately
    set security zones security-zone untrust address-book address mx-office-sdsl-public-ip 62.154.246.62/32
    
    show route 80.190.133.146 
    
    inet.0: 31 destinations, 33 routes (31 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    80.190.133.146/32  *[Static/5] 17:20:31
                        > via pp0.0
    
    
    

    Data center box now:

    show interfaces reth2.0 extensive
    
      Logical interface reth2.0 (Index 69) (SNMP ifIndex 540) (Generation 134)
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Statistics        Packets        pps         Bytes          bps
        Bundle:
            Input :   20757993295        117 5696621339348       132000
            Output:   24585907216        156 22011327190982      1183528
        Link:
          fe-0/0/2.0
            Input :   20757992294        117 5696621259448       132000
            Output:   24585907216        156 22011327190982      1183528
          fe-1/0/2.0
            Input :          1001          0         79900            0
            Output:             0          0             0            0
        Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
          fe-0/0/2.0                 0           0            0            0
          fe-1/0/2.0                 0           0            0            0
        Security: Zone: UPLINK
        Allowed host-inbound traffic : https ike ping
        Flow Statistics :  
        Flow Input statistics :
          Self packets :                     21520646
          ICMP packets :                     10259238
          VPN packets :                      2559824794
          Multicast packets :                1897
          Bytes permitted by policy :        3348589382194
          Connections established :          190217636 
        Flow Output statistics: 
          Multicast packets :                0
          Bytes permitted by policy :        3103358881335 
        Flow error statistics (Packets dropped due to): 
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0 
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0       
          No minor session:                  0 
          No more sessions:                  0
          No NAT gate:                       0 
          No route present:                  66 
          No SA for incoming SPI:            4858 
          No tunnel found:                   0
          No session for a gate:             0 
          No zone or NULL zone binding       0
          Policy denied:                     39222934
          Security association not active:   878 
          TCP sequence number out of window: 2348781
          Syn-attack protection:             8786
          User authentication errors:        0
        Protocol inet, MTU: 1500, Generation: 149, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 80.190.133.144/29, Local: 80.190.133.146, Broadcast: 80.190.133.151, Generation: 153
        Protocol inet6, MTU: 1500, Generation: 150, Route table: 0
          Flags: None
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 2a01:138:9014::/64, Local: 2a01:138:9014::5
        Generation: 155
          Addresses, Flags: Is-Preferred
            Destination: fe80::/64, Local: fe80::210:dbff:feff:1002
        Generation: 157                     
                                            
    {primary:node0}
    
    show interfaces st0.1 extensive 
      Logical interface st0.1 (Index 89) (SNMP ifIndex 522) (Generation 157)
        Flags: Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
        Traffic statistics:
         Input  bytes  :             30838939
         Output bytes  :           4057280509
         Input  packets:               201951
         Output packets:              4118242
        Local statistics:
         Input  bytes  :                65434
         Output bytes  :                45843
         Input  packets:                  854
         Output packets:                  203
        Transit statistics:
         Input  bytes  :             30773505                    0 bps
         Output bytes  :           4057234666                    0 bps
         Input  packets:               201097                    0 pps
         Output packets:              4118039                    0 pps
        Security: Zone: vpn
        Allowed host-inbound traffic : ike
        Flow Statistics :  
        Flow Input statistics :
          Self packets :                     854
          ICMP packets :                     4036
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        30201218
          Connections established :          7341 
        Flow Output statistics: 
          Multicast packets :                0
          Bytes permitted by policy :        4057230769 
        Flow error statistics (Packets dropped due to): 
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0 
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0       
          No minor session:                  0 
          No more sessions:                  0
          No NAT gate:                       0 
          No route present:                  0 
          No SA for incoming SPI:            0 
          No tunnel found:                   0
          No session for a gate:             0 
          No zone or NULL zone binding       0
          Policy denied:                     10566
          Security association not active:   0 
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 9192, Generation: 174, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
            Destination: 192.168.211/24, Local: 192.168.211.11, Broadcast: Unspecified, Generation: 183
    
    show configuration | display set | match dsl 
    
    set security ike policy ike-policy-sdsl mode main
    set security ike policy ike-policy-sdsl proposal-set standard
    set security ike policy ike-policy-sdsl pre-shared-key ascii-text "$9$Q3gPzn9RhrWLNEcKWL7VbiHq.TF69A0ORKMjqm5/9EhSlK8Xx-"
    set security ike gateway ike-gate-sdsl ike-policy ike-policy-sdsl
    set security ike gateway ike-gate-sdsl address 62.154.246.62
    set security ike gateway ike-gate-sdsl external-interface reth2.0
    set security ipsec policy ipsec-policy-sdsl proposal-set standard
    set security ipsec vpn ipsec-vpn-sdsl bind-interface st0.1
    set security ipsec vpn ipsec-vpn-sdsl ike gateway ike-gate-sdsl
    set security ipsec vpn ipsec-vpn-sdsl ike ipsec-policy ipsec-policy-sdsl
    set security ipsec vpn ipsec-vpn-sdsl establish-tunnels immediately
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match source-address addr_192_168_221_0_24
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match source-address addr_192_168_201_0_24
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match source-address addr_192_168_33_0_24
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match destination-address addr_192_168_170_0_24
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match destination-address addr_192_168_160_0_24
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match destination-address addr_192_168_150_0_24
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match destination-address addr_192_168_30_0_24
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl match application any
    set security policies from-zone trust to-zone vpn policy policy_out_sdsl then permit
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match source-address addr_192_168_170_0_24
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match source-address addr_192_168_160_0_24
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match source-address addr_192_168_150_0_24
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match source-address addr_192_168_30_0_24
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match destination-address addr_192_168_221_0_24
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match destination-address addr_192_168_201_0_24
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match destination-address addr_192_168_33_0_24
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl match application any
    set security policies from-zone vpn to-zone trust policy policy_in_sdsl then permit
    
    show route 62.154.246.62 
    
    inet.0: 23 destinations, 26 routes (23 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 195w3d 20:47:03
                        > to 80.190.133.145 via reth2.0
    
    {primary:node0}

     



  • 7.  RE: second ipsec tunnel not working

    Posted 07-10-2018 03:59

    Hello,

    Are you actually getting the public IP 62.154.246.62 assigned to your office SRX pp0 interface via PPPoE?

    Or is there NAT involved, and your SRX pp0 interface IP is NATed to 62.154.246.62?

    HTH

    Thx

    Alex



  • 8.  RE: second ipsec tunnel not working

    Posted 07-10-2018 04:48

    Hi Alex,

     

    The PPPoE interface actually has 217.92.249.16, which gets assigned on the PPPoE modem. This tunnel works.

    The 62.154.246.62/29 is the new address that is assigned to fe-0/0/7.0.



  • 9.  RE: second ipsec tunnel not working

    Posted 07-10-2018 04:03

    Hi,

    The route to reach the DC SRX IP is still pointed via the old Internet ISP (pp0). It should be changed to the new Internet ISP IP.

    Details below:

    routing-options {
        static {
    ......
            route 80.190.133.146/32 next-hop pp0.0;
    via pp0.0 <---------------



  • 10.  RE: second ipsec tunnel not working
    Best Answer

    Posted 07-10-2018 04:04

    Hi,

    The route to reach the DC SRX IP is still pointed via the old Internet ISP (pp0). It should be changed to the new Internet ISP IP.

    Details below:

    routing-options {
        static {
    ......
            route 80.190.133.146/32 next-hop pp0.0; <------- It should be pointed towards the new ISP IP 62.154.246.57, or remove this static route. There is a default route towards the new ISP.

    show route 80.190.133.146

    inet.0: 31 destinations, 33 routes (31 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    80.190.133.146/32  *[Static/5] 17:20:31
                        > via pp0.0 <---------------

     

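The mismatch this answer points at (a /32 for the DC peer still leaving via pp0.0 while the new IKE gateway is bound to the new line) can be checked mechanically from two pasted outputs: `show configuration | display set` and `show route`. The script below is an added example, not code from the thread or from Juniper. The gateway name ike-gate-dsl for the old PPPoE tunnel, the next-hop 62.154.246.57 and both route tables are constructed from the names used in this thread, not captured output. For every IKE gateway it resolves the peer address in the active routes (longest prefix match) and compares the egress interface with the configured external-interface; it also flags gateways that share one peer address but are bound to different interfaces, since only one route to that peer can be active at a time.

```python
"""Audit whether each IKE gateway's peer is routed out of the interface the
gateway is bound to.  Added example (not from the thread or from Juniper);
all inputs below are constructed from the names used in this thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed "show configuration | display set | match 'ike gateway'" output
# for the office SRX. ike-gate-dsl (old PPPoE tunnel) is a hypothetical name;
# ike-gate-sdsl mirrors the thread. Both peer with the same DC address.
SET_CONFIG = """\
set security ike gateway ike-gate-dsl ike-policy ike-policy-dsl
set security ike gateway ike-gate-dsl address 80.190.133.146
set security ike gateway ike-gate-dsl external-interface pp0.0
set security ike gateway ike-gate-sdsl ike-policy ike-policy-sdsl
set security ike gateway ike-gate-sdsl address 80.190.133.146
set security ike gateway ike-gate-sdsl external-interface fe-0/0/7.0
"""

# Constructed "show route" output: the /32 to the DC peer still leaves via the
# old PPPoE interface while the default route already uses the new line.
ROUTE_TABLE_BEFORE = """\
inet.0: 31 destinations, 33 routes (31 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 17:20:31
                    > to 62.154.246.57 via fe-0/0/7.0
62.154.246.56/29   *[Direct/0] 17:20:31
                    > via fe-0/0/7.0
80.190.133.146/32  *[Static/5] 17:20:31
                    > via pp0.0
"""

# Same box after "delete routing-options static route 80.190.133.146/32".
ROUTE_TABLE_AFTER = """\
inet.0: 30 destinations, 32 routes (30 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 17:20:31
                    > to 62.154.246.57 via fe-0/0/7.0
62.154.246.56/29   *[Direct/0] 17:20:31
                    > via fe-0/0/7.0
"""

GW_RE = re.compile(r"^set security ike gateway (\S+) (address|external-interface) (\S+)$")
# A prefix line of an active route: "<prefix>   *[Static/5] ..." or "+[...]".
ROUTE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+([*+])")
VIA_RE = re.compile(r"\bvia (\S+)")


def parse_ike_gateways(text):
    """Map gateway name -> {'address': peer, 'external-interface': ifl}."""
    gws = defaultdict(dict)
    for line in text.splitlines():
        m = GW_RE.match(line.strip())
        if m:
            gws[m.group(1)][m.group(2)] = m.group(3)
    return dict(gws)


def parse_active_routes(text):
    """List of (network, egress interface) for active routes, taking only the
    selected (first) next hop of each prefix."""
    routes, current = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = ipaddress.ip_network(m.group(1), strict=False)
            continue
        v = VIA_RE.search(line)
        if v and current is not None:
            routes.append((current, v.group(1)))
            current = None  # ignore further next hops / inactive entries
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: interface the box would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(config_text, route_text):
    """Gateway name -> (configured external-interface, routed egress, consistent?)."""
    routes = parse_active_routes(route_text)
    report = {}
    for name, gw in parse_ike_gateways(config_text).items():
        want = gw.get("external-interface")
        actual = egress_interface(routes, gw["address"]) if "address" in gw else None
        report[name] = (want, actual, want is not None and want == actual)
    return report


def shared_peer_conflicts(config_text):
    """Peer addresses used by gateways bound to more than one external interface."""
    by_peer = defaultdict(set)
    for gw in parse_ike_gateways(config_text).values():
        if "address" in gw:
            by_peer[gw["address"]].add(gw.get("external-interface"))
    return sorted(p for p, ifaces in by_peer.items() if len(ifaces) > 1)


if __name__ == "__main__":
    for label, table in (("before", ROUTE_TABLE_BEFORE), ("after", ROUTE_TABLE_AFTER)):
        for name, (want, actual, ok) in audit(SET_CONFIG, table).items():
            print(f"{label}: {name}: bound to {want}, peer routed via {actual}: "
                  f"{'OK' if ok else 'MISMATCH'}")
    print("peers shared by gateways on different interfaces:",
          shared_peer_conflicts(SET_CONFIG))
```

Run against the constructed tables, the new gateway ike-gate-sdsl is flagged while the /32 still points at pp0.0 and becomes consistent once it is removed, at which point the old gateway on pp0.0 is the one that no longer matches. The shared-peer check makes the same point from the configuration alone: with one DC address and one route table, only one of the two gateways can be routed out of its own external-interface at a time.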


  • 11.  RE: second ipsec tunnel not working

    Posted 07-10-2018 05:21

    Hello Nellikka,

    thank you for your reply.

     

    OK, I see. I took out the route. Seems promising now. I thought I could get both tunnels up simultaneously, but obviously that does not work.

    office-box:

    [Jul 10 13:54:24]<none>:500 (Responder) <-> 80.190.133.146:500 { 2e8bd7cb 41e0bb2f - 3fadf6c4 0219d080 [0] / 0xc79d83a0 } QM; Invalid protocol_id = 0
    [Jul 10 13:54:24]QM notification `(null)' (40001) (size 8 bytes) from 80.190.133.146 for protocol Reserved spi[0...3]=92 d2 99 2
    Jul 10 13:54:24  rt1 kmd[65052]: KMD_PM_SA_ESTABLISHED: Local gateway: 62.154.246.62, Remote gateway: 80.190.133.146, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x4feb162e, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
    Jul 10 13:54:24  rt1 kmd[65052]: KMD_PM_SA_ESTABLISHED: Local gateway: 62.154.246.62, Remote gateway: 80.190.133.146, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x92d29921, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
    Jul 10 13:54:24  rt1 kmd[65052]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-sdsl from 80.190.133.146 is up. Local-ip: 62.154.246.62, gateway name: ike-gate-sdsl, vpn name: ipsec-vpn-sdsl, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: 192.168.211.11, Local IKE-ID: 62.154.246.62, Remote IKE-ID: 80.190.133.146, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    

    data center cluster:

    Jul 10 13:54:24  rt1 kmd[65052]: KMD_PM_SA_ESTABLISHED: Local gateway: 62.154.246.62, Remote gateway: 80.190.133.146, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x4feb162e, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
    Jul 10 13:54:24  rt1 kmd[65052]: KMD_PM_SA_ESTABLISHED: Local gateway: 62.154.246.62, Remote gateway: 80.190.133.146, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x92d29921, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: 
    Jul 10 13:54:24  rt1 kmd[65052]: KMD_VPN_UP_ALARM_USER: VPN ipsec-vpn-sdsl from 80.190.133.146 is up. Local-ip: 62.154.246.62, gateway name: ike-gate-sdsl, vpn name: ipsec-vpn-sdsl, tunnel-id: 131074, local tunnel-if: st0.1, remote tunnel-ip: 192.168.211.11, Local IKE-ID: 62.154.246.62, Remote IKE-ID: 80.190.133.146, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    

    Trying the rerouting on both boxes now, when there is less traffic in the office.

     



  • 13.  RE: second ipsec tunnel not working

    Posted 07-10-2018 02:56

    Alex, I was reading the thread you linked for me. I don't think that applies, because I have different physical interfaces on the second router.

    As far as I understood, I can always make, instead of setting the one gateway to multipoint, a second interface unit (st0.1 in my case) with a different IP and point the tunnel over that one to the other physical interface.

    Then the SPI, as far as I understood, would be different anyway, because the IP of the other box's second physical interface is different?