SRX

Expand all | Collapse all

ipsec stops working when upgrading srx from 17.3 to 18.4

Jump to Best Answer
  • 1.  ipsec stops working when upgrading srx from 17.3 to 18.4

    Posted 06-12-2020 05:50

    Hello

     

    Could use some fresh input on problem. Basicly i have working solution involving Juniper Srx 5400 (17.3) and Mikrotik Router. Between them there is route based ipsec tunnel. I wanted to create duplicate setup in lab where i could test new configs. That led to buying new Juniper Srx 345 and new Mikrotik Router. Problems started when i tryed to get Srx 345 into same version as Srx 5400, with 17.3 interfaces arent working but with recomended version 18.4 interfaces work. So i took working config from 5400 and cut everything exessiv out, leaving only basic ipsec and ip config with one router. But ipsec never comes up. Mikrotik keeps saying "peer authorized", "no policy found" but since its duplicate config i am more than certain the problem comes from version difference. Any ideas where to look?



  • 2.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

     
    Posted 06-12-2020 06:06

    Hello , 

     

    Did we have the VPN configuration duplicated on peer side also ?  18.4 is pritty stable version for VPN . You can apply per tunnel debug to see where its failing 

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/request-security-ike-debug-enable.html

     

     



  • 3.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

    Posted 06-12-2020 06:26

    Vpn configuration is duplicated on both sides. 

     

    Tunnel Debug log:

     

    Juniper ip  1.2.3.4
    mikrotik ip 5.6.7.8
    
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ---------> Received from 5.6.7.8:500 to 1.2.3.4:0, VR 0, length 512 on IF
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_verify
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_verify: [1437400/148f800] R: IKE SA REFCNT: 1
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_list_packet_payloads: Receiving packet: HDR, Nonce, KE, SA, TSi, TSr
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  IKEv2 packet R(<none>:500 <- 5.6.7.8:500): len=  440, mID=0, HDR, Nonce, KE, SA, TSi, TSr
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_child_responder_in
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_dispatch: [1437400/148f800] Responder side CREATE_CHILD_SA
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_in: FSM_SET_NEXT:ikev2_state_child_responder_in_check_rekey
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_in_check_rekey: FSM_SET_NEXT:ikev2_state_child_responder_in_alloc_sa
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_in_alloc_sa: FSM_SET_NEXT:ikev2_state_child_responder_in_sa
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_ipsec_spi_allocate: local:1.2.3.4, remote:5.6.7.8 IKEv2
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_in_sa: FSM_SET_NEXT:ikev2_state_child_responder_in_nonce
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Selecting IPSec SA payload for local:1.2.3.4 remote:5.6.7.8IKEv2
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Peer's proposed IPSec SA payload is SA([0] protocol = ESP (3), spi_len = 4, spi = 0x0933ce6c, AES CBC key len = 256, HMAC-SHA256-128, 2048 bit MODP, No ESN; )
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Inside iked_pm_phase2_sa_cfg_lookup
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_phase2_sa_cfg_lookup_by_addr call match for sa_cfg <195-Vpn-Mikrotik>
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_match_traffic_selectors_for_sa_cfg vpn<195-Vpn-Mikrotik> exact<0> from end_point
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_match_traffic_selectors_for_sa_cfg Peer's proposed traffic selectors is his local: none() his remote: none()
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_match_traffic_selectors_for_sa_cfg Peer's proposed ts_r local_in_ts: ipv4(10.255.24.15) ts_i remote_in_ts: ipv4(10.255.24.14)
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_match_traffic_selectors_for_sa_cfg Configured traffic selectors is local: ipv4(10.255.24.12-10.255.24.15)  Remote: ipv4(10.255.24.12-10.255.24.15)
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Found SA-CFG 195-Vpn-Mikrotik by ip address for local:1.2.3.4, remote:5.6.7.8 IKEv2
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_nhtb_use_proxyid_as_nhtb_payload: Using peer local remote traffic selector @ as NHTB IP
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Found SA-CFG 195-Vpn-Mikrotik for phase 2 for local:1.2.3.4, remote:5.6.7.8 IKEv2
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Configured IPSec SA payload is SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, HMAC-SHA256-128, 2048 bit MODP, No ESN; )
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Setting lifetime 43200 and lifesize 0 for IPSec SA
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_select_sa_reply: [1437400/148f800] SA selected successfully
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_in_nonce: FSM_SET_NEXT:ikev2_state_child_responder_in_ke
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_in_ke: FSM_SET_NEXT:ikev2_state_child_responder_in_ts
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_in_ts: FSM_SET_NEXT:ikev2_state_child_responder_in_end
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_ike_narrow_traffic_selectors: Not a CP tunnel, TS Narrow not needed
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out: FSM_SET_NEXT:ikev2_state_child_responder_out_sa
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_sa: FSM_SET_NEXT:ikev2_state_child_responder_out_nonce
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_nonce: FSM_SET_NEXT:ikev2_state_child_responder_out_ke
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_ke: FSM_SET_NEXT:ikev2_state_child_responder_out_ts
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  juniper_dlp_diffie_hellman_generate_async: DH Generate Secs [0] USecs [11863]
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  juniper_dlp_diffie_hellman_generate_async: Generated DH using hardware
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_ts: FSM_SET_NEXT:ikev2_state_responder_notify_vid
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_notify_vid: FSM_SET_NEXT:ikev2_state_responder_notify
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_notify: FSM_SET_NEXT:ikev2_state_responder_vid
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_ike_spd_notify_request Parse notification paylad in last received pkt
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_vid: FSM_SET_NEXT:ikev2_state_responder_private_payload
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_private_payload: FSM_SET_NEXT:ikev2_state_responder_notify_vid_continue
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Construction NHTB payload for  local:1.2.3.4, remote:5.6.7.8 IKEv2 P1 SA index 5739419 sa-cfg 195-Vpn-Mikrotik
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg 195-Vpn-Mikrotik, p1_sa=5739419
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_notify_vid_continue: FSM_SET_NEXT:ikev2_state_child_responder_out_agree
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_agree: FSM_SET_NEXT:ikev2_state_child_responder_out_install
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  juniper_dlp_diffie_hellman_final_async: DH Compute Secs [0] USecs [11278]
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  juniper_dlp_diffie_hellman_final_async: Computed DH using hardware
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_install: FSM_SET_NEXT:ikev2_state_child_responder_out_install_done
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_ipsec_sa_install: local:1.2.3.4, remote:5.6.7.8  IKEv2 for SA-CFG 195-Vpn-Mikrotik, rekey:no
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_update_sa_cfg_port sa_cfg(195-Vpn-Mikrotik) local_port(0) and remote_port(500)
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Setting lifetime 43200 and lifesize 0 for IPSec SA
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_ipsec_sa_create: encr key len 32, auth key len: 32, salt len: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Creating a SA spi=0xc4936c55, proto=ESP pair_index = 1
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Added (spi=0xc4936c55, protocol=ESP dst=1.2.3.4) entry to the peer hash table
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_peer_insert_sa_cfg_entry: insert sa_cfg tunnel_id entry 131073 into peer entry 0x147b400
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Creating a SA spi=0x933ce6c, proto=ESP pair_index = 1
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Added (spi=0x933ce6c, protocol=ESP dst=5.6.7.8) entry to the peer hash table
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_nhtb_update_on_sa_create: Interface st0.195 is P2P for sa_cfg 195-Vpn-Mikrotik. Thus ignoring NHTB notification message
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_pm_ipsec_sa_install: NHTB add passed for sa-cfg 195-Vpn-Mikrotik
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Hardlife timer started for inbound 195-Vpn-Mikrotik with 43200 seconds/0 kilobytes
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Softlife timer started for inbound 195-Vpn-Mikrotik with 42627 seconds/0 kilobytes
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  In iked_fill_sa_bundle
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  195-Vpn-Mikrotik : VPN Monitor Interval=0(0) Optimized=0(0) flags<40020>
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_fill_sa_bundle : DPD Interval=0
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  SA bundle remote gateway: IP 5.6.7.8 chosen
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  SA bundle local  gateway: IP 1.2.3.4 chosen
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  In iked_fill_ipsec_ipc_sa_pair
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  In iked_fill_ipc_sa_keys
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  In iked_fill_ipc_sa_keys
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  In iked_fill_ipc_sa_keys
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  In iked_fill_ipc_sa_keys
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ----------------ipsec SA BUNDLE -------------------
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  SA pair update request for:
      Tunnel index: 131073
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Local Gateway address: 1.2.3.4
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Primary remote Gateway address: 5.6.7.8
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Backup remote Gateway State: Standby
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]   Anti replay: counter-based enabled
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]   Window_size: 64
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]   D3P type: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]   Peer : Static
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]   Mode : Tunnel
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]   VPN Type : route-based
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Tunnel mtu: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      DF bit: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      local-if ifl idx: 72
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      tunnel-if ifl idx: 88
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Tunnel mtu: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      DPD interval: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      policy id: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      NATT enabled: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      NATT version: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      NAT position: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      SA Idle time: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      SA Outbound install delay time: 1
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      IKED ID: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      DIST ID: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      FC-ID: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Keepalive interval: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      VPN monitoring interval: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      VPN monitoring optimized: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Respond-bad-SPI: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      seq_out: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Local port: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Remote port: 500
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      SA CFG name: 195-Vpn-Mikrotik
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Dial-up IKE ID:
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      RG ID: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      Group template tunnel ID: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      IPsec Anchor SPU id: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]      IPsec Anchor thread id: 0
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ----------------Incoming SA -------------------
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]          SPI: 0xc4936c55   Protocol: 2
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]          Algorithm: 516 Auth key. length: 32
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]          Encr key. length; 32
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ----------------Outgoing SA -------------------
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]          SPI: 0x933ce6c   Protocol: 2
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]          Algorithm: 516 Auth key. length: 32
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]          Encr key. length; 32
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xc4936c55
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Added dependency on SA config blob with tunnelid = 131073
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Successfully added ipsec SA PAIR
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  kmd_update_tunnel_interface:
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  iked_update_tunnel_interface_by_ifname: update ifl st0.195 status UP
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_install_done: FSM_SET_NEXT:ikev2_state_child_responder_out_encrypt
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  Inside iked_pm_ipsec_sa_done
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  IPSec  negotiation done successfully for SA-CFG 195-Vpn-Mikrotik for local:1.2.3.4, remote:5.6.7.8  IKEv2
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_state_child_responder_out_encrypt: FSM_SET_NEXT:ikev2_state_send
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_list_packet_payloads: Sending packet: HDR, SA, Nonce, KE, TSi, TSr
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  IKEv2 packet S(<none>:500 -> 5.6.7.8:500): len=  480, mID=0, HDR, SA, Nonce, KE, TSi, TSr
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_send_request_address: FSM_SET_NEXT:ikev2_packet_st_send
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_udp_send_packet: [1434800/0] <-------- Sending packet - length = 0  VR id 0
    
    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_send: FSM_SET_NEXT:ikev2_packet_st_send_done
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ---------> Received from 5.6.7.8:500 to 1.2.3.4:0, VR 0, length 224 on IF
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ---------> Received from 5.6.7.8:500 to 1.2.3.4:0, VR 0, length 240 on IF
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_verify
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_verify: [1435000/148f800] R: IKE SA REFCNT: 1
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_list_packet_payloads: Receiving packet: HDR, N(NO_PROPOSAL_CHOSEN)
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  IKEv2 packet R(<none>:500 <- 5.6.7.8:500): len=   56, mID=1, HDR, N(NO_PROPOSAL_CHOSEN)
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_pm_ike_spd_notify_received - START
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_info_responder_in
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_dispatch: [1435000/148f800] Responder side INFORMATIONAL
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_in: FSM_SET_NEXT:ikev2_state_info_responder_in_check_notify
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_in_check_notify: FSM_SET_NEXT:ikev2_state_info_responder_in_check_delete
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_process_notify: [1435000/148f800] Received error notify No proposal chosen (14)
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_error: [1435000/148f800] Negotiation failed because of error No proposal chosen (14)
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_input_start: FSM_SET_NEXT:ikev2_packet_st_input_get_or_create_sa
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_input_get_or_create_sa: FSM_SET_NEXT:ikev2_packet_st_verify
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_verify: [1437c00/148f800] R: IKE SA REFCNT: 2
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_decode: FSM_SET_NEXT:ikev2_state_dispatch
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_list_packet_payloads: Receiving packet: HDR, DEL
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  IKEv2 packet R(<none>:500 <- 5.6.7.8:500): len=   56, mID=2, HDR, DEL
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_dispatch: FSM_SET_NEXT:ikev2_state_info_responder_in
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_dispatch: [1437c00/148f800] Responder side INFORMATIONAL
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_in: FSM_SET_NEXT:ikev2_state_info_responder_in_check_notify
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_in_check_notify: FSM_SET_NEXT:ikev2_state_info_responder_in_check_delete
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  IKE SA delete called for p1 sa 5739419 (ref cnt 3) local:1.2.3.4, remote:5.6.7.8, IKEv2
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  P1 SA 5739419 stop timer. timer duration 86400, reason 2.
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Freeing all P2 SAs for IKEv2 p1 SA 5739419
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  kmd_sa_free free sa for 195-Vpn-Mikrotik
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Freeing the SA spi=0xc4936c55, proto=ESP
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Deleted (spi=0xc4936c55, protocol=ESP dst=1.2.3.4) entry from the peer hash table. Reason: IPSec SAs cleared as corresponding IKE SA deleted
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 131073;SPI-In = 0xc4936c55
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Deleted SA pair for tunnel = 131073 with SPI-In = 0xc4936c55 to kernel
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Deleted (spi=0xc4936c55, protocol=ESP) entry from the inbound sa spi hash table
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  kmd_sa_free free sa for 195-Vpn-Mikrotik
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Freeing the SA spi=0x933ce6c, proto=ESP
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Out bound SA. Not sending notification
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  Deleted (spi=0x933ce6c, protocol=ESP dst=5.6.7.8) entry from the peer hash table. Reason: IPSec SAs cleared as corresponding IKE SA deleted
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  kmd_sa_free child_sa_cnt = 0
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  NHTB entry not found. Not deleting NHTB entry
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  NHTB entry not found. Not deleting NHTB entry
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  NHTB entry not found. Not deleting NHTB entry
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg 195-Vpn-Mikrotik count is 0
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_deactivate_bind_interface: No more NHTB entries are active for st0.195. Bringing down the interface
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  kmd_update_tunnel_interface:
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_update_tunnel_interface_by_ifname: update ifl st0.195 status DOWN
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_peer_remove_sa_cfg_entry: remove sa_cfg tunnel_id entry 131073 from peer entry 0x147b400
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  P1 SA 5739419 reference count is not zero (2). Delaying deletion of SA
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_in_check_delete: FSM_SET_NEXT:ikev2_state_info_responder_in_check_nat
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_in_check_nat: FSM_SET_NEXT:ikev2_state_info_responder_in_end
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_list_packet_payloads: Sending packet: HDR, N(NO_PROPOSAL_CHOSEN)
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  IKEv2 packet S(<none>:500 -> 5.6.7.8:500): len=   80, mID=1, HDR, N(NO_PROPOSAL_CHOSEN)
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_send_error: FSM_SET_NEXT:ikev2_state_send
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_send_request_address: FSM_SET_NEXT:ikev2_packet_st_send
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_udp_send_packet: [1438800/0] <-------- Sending packet - length = 0  VR id 0
    
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_send: FSM_SET_NEXT:ikev2_packet_st_send_done
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_out: FSM_SET_NEXT:ikev2_state_info_responder_out_add_delete
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_out_add_delete: FSM_SET_NEXT:ikev2_state_info_responder_out_add_notify
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_out_add_notify: FSM_SET_NEXT:ikev2_state_info_responder_out_add_conf
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_out_add_conf: FSM_SET_NEXT:ikev2_state_responder_notify_vid
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_notify_vid: FSM_SET_NEXT:ikev2_state_responder_notify
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_notify: FSM_SET_NEXT:ikev2_state_responder_vid
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_pm_ike_spd_notify_request: UNUSABLE P1 SA 5739419
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_vid: FSM_SET_NEXT:ikev2_state_responder_private_payload
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_pm_ike_request_vendor_id: UNUSABLE p1_sa 5739419
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_private_payload: FSM_SET_NEXT:ikev2_state_responder_notify_vid_continue
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  iked_pm_ike_private_payload_request: UNUSABLE P1 SA index 5739419
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_responder_notify_vid_continue: FSM_SET_NEXT:ikev2_state_info_responder_out_encrypt
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_state_info_responder_out_encrypt: FSM_SET_NEXT:ikev2_state_send
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_list_packet_payloads: Sending packet: HDR
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  IKEv2 packet S(<none>:500 -> 5.6.7.8:500): len=   80, mID=2, HDR
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_send_request_address: FSM_SET_NEXT:ikev2_packet_st_send
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_udp_send_packet: [1438400/0] <-------- Sending packet - length = 0  VR id 0
    
    [Jun 12 13:38:17][1.2.3.4 <-> 5.6.7.8]  ikev2_packet_st_send: FSM_SET_NEXT:ikev2_packet_st_send_done


  • 4.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

     
    Posted 06-12-2020 06:34

    Hello , 

     

    As per the logs , I see that initiaor mode is set on both Juniper and peer device . Because When we are responder mode , the IPSEC is getting complted :

     

    [Jun 12 13:38:16][1.2.3.4 <-> 5.6.7.8] IPSec negotiation done successfully for SA-CFG 195-Vpn-Mikrotik for local:1.2.3.4, remote:5.6.7.8 IKEv2

     

    But then we initate the IKE again and that is getting " NO PROPOSAL CHOSEN" error from peer . So kinldy make SRX as Just responder and test . Let the peer be initiator . 

     

    Also what error are you getting form peer end debugs . 



  • 5.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

    Posted 06-15-2020 00:55

    Back to testing. 

     

    First i tryed to remove Juniper "Establishh-Tunnels immediately".  After that, juniper is showing "Tunnel is ready. Waiting for trigger event or peer to trigger negotiation." So it seems that Mikrotik ipsec packet never reaches Juniper. I have tryed to allow all protocols in uplink interface and also made accept all default policy. In Mikrotik i see constant "Killing ike2 SA:::fff:5.6.7.8<->:fff:1.2.3.4"

     

    i can ping both routers public ip from each end. For what it matters, public network is simulated with third router.

     

    Config for both routers, i edided non important parts out:

    version 18.4R3-S2;
    
    
    security {
     
        ike {
            proposal TestA {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 86400;
            }
            policy 195-SiteA {
                mode main;
                proposals TestA;
                pre-shared-key ascii-text "Removed"; ## SECRET-DATA
            }
            gateway 195-Vpn-SiteA {
                ike-policy 195-SiteA;
                address 5.6.7.8;
                no-nat-traversal;
                local-identity inet 1.2.3.4;
                remote-identity inet 5.6.7.8;
                external-interface ge-0/0/0;
                version v2-only;
            }
        }
        ipsec {
            proposal TestA {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 43200;
            }
            policy TestA {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals TestA;
            }
            vpn 195-Vpn-SiteA {
                bind-interface st0.195;
                ike {
                    gateway 195-Vpn-SiteA;
                    proxy-identity {
                        local 10.255.24.13/30;
                        remote 10.255.24.14/30;
                        service any;
                    }
                    ipsec-policy TestA;
                }
            }
        }
    
        policies {
            global {
                policy Test_Allow_All {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Uplink {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
    
            security-zone VPN-195 {
                interfaces {
                    st0.195 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone 195-SiteA {
                interfaces {
                    gr-0/0/0.195 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                            protocols {
                                ospf;
                            }
                        }
                    }
                }
            }
    
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 1.2.3.4/28;
                }
            }
        }
        gr-0/0/0 {
            unit 195 {
                tunnel {
                    source 10.255.24.13;
                    destination 10.255.24.14;
                }
                family inet {
                    address 10.255.4.13/30;
                }
            }
        }
    
    
        st0 {
            unit 195 {
                family inet {
                    address 10.255.24.13/30;
                }
            }
        }
    }
    routing-options {
        static {
            route 5.6.7.8/32 next-hop 9.10.11.12;
        }
    }
    
    
    
    ##### Mikrotik #####
    
    Version 6.45.5
    
    /interface bridge
    add name="Loopback A" protocol-mode=none
    
    /interface gre
    add allow-fast-path=no !keepalive local-address=10.255.24.14 name="gre-tunnel A" remote-address=10.255.24.13
    
    /ip address
    add address=10.255.24.14/30 interface="Loopback A" network=10.255.24.12
    add address=10.255.4.14/30 interface="gre-tunnel A" network=10.255.4.12
    add address=5.6.7.8/30 interface=ether1 network=13.14.15.16
    	
    /ip ipsec profile
    add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile_1 nat-traversal=no
    	
    /ip ipsec peer
    add address=1.2.3.4/32 exchange-mode=ike2 local-address=5.6.7.8 name=peer1 profile=profile_1
    	
    /ip ipsec proposal
    add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=12h name="SrxA" pfs-group=modp2048
    
    /ip ipsec identity
    add peer=peer1 secret=Removed
    
    /ip ipsec policy
    add dst-address=10.255.24.13/32 peer=peer1 proposal="SrxA" sa-dst-address=1.2.3.4 sa-src-address=5.6.7.8 src-address=10.255.24.14/32 tunnel=yes
    	
    /ip route
    add distance=1 dst-address=1.2.3.4/32 gateway=195.80.97.125


  • 6.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

     
    Posted 06-15-2020 01:07

    Hello , 

     

    Does the 3rd router doing any NAT or PAT ? between these connection . 



  • 7.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

    Posted 06-15-2020 01:17

    Just simple routing. From that third router i can see that Mikrotik is connecting to juniper via udp 4500.

     

     



  • 8.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

     
    Posted 06-15-2020 01:23

    Hello , 

     

    If it UDP4500 , than somehow the NAT-T is getting triggered  even when there is no-nat-t in config :

     

    Network Address Translation-Traversal (NAT-T) is a method for getting around IP address translation issues encountered when data protected by IPsec passes through a NAT device for address translation. Any changes to the IP addressing, which is the function of NAT, causes IKE to discard packets. After detecting one or more NAT devices along the datapath during Phase 1 exchanges, NAT-T adds a layer of User Datagram Protocol (UDP) encapsulation to IPsec packets so they are not discarded after address translation. NAT-T encapsulates both IKE and ESP traffic within UDP with port 4500 used as both the source and destination port. Because NAT devices age out stale UDP translations, keepalive messages are required between the peers.



  • 9.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4

    Posted 06-15-2020 02:22

    Seems like the issue is the third router that is simulating isp. When i changed Site a public ip into same /28 as juniper and bridged both Juniper and mikrotik ports together then tunnel came up.



  • 10.  RE: ipsec stops working when upgrading srx from 17.3 to 18.4
    Best Answer

     
    Posted 06-15-2020 02:38

    Hello , 

     

    Glad that the issue is fixed . Please make the thread as solution , which pointed the ISP device as faulty .



  • 11.  Re: ipsec stops working when upgrading srx from 17.3 to 18.4

    Posted 10-17-2020 05:36

    Hi

    I want to achieve the same thing as you which is in my case connecting vsrx to mikrotik in eve-ng.

    ?
    1. are you using route based vpn in srx?

    DIAGRAM
    LAN1 12.0.0.0/24 > 12.0.0.1/24 LANSRX > 23.0.0.1/24 WANSRX > 23.0.0.2/24 WANMIKROTIK > 34.0.0.1/24 LANMIKROTIK > LAN2 34,0.0.0/24
    LAN1 and LAN2 different subnet


    2. do you use NAT in mikrotik side

    3. could you please gimme sample route based config in Mikrotik side.
    I know how to configure NAT in mikrotik but don't know yet in route based
    Do you use OSPF on both SRX and Mikrotik?

    4. do you use wizard GUI when configuring Route based in SRX

     

    tq