IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

  • 1.  IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 04-19-2017 07:16

    Hi All,

    In attempting to bring up a site-to-site VPN between a Juniper SRX 240H2 and a Cisco ASA5505, I am receiving the following error repeatedly: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.

    I am having some issues finding any documentation online in regards to the error, and have quadruple-checked the configuration. Can anyone provide some insight into this error?

    Thanks in advance.


    #vpn
    #gateway
    #ike
    #Phase1
    #troubleshooting


  • 2.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 04-21-2017 01:11

    Hi,

    Can you please share the configuration of the SRX and the ASA?

    We can have a look and let you know what's causing the negotiation to fail.

    regards,

    Guru Prasad



  • 3.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 04-21-2017 06:51

    Great, thanks Guru!

    See the below:

    Cisco Config

    name 111.111.111.111 juniper-ip
    !
    object-group network juniper-ip
    network-object 111.111.111.184 255.255.255.254
    !
    access-list ACL-juniper-ip extended permit ip object-group customer-ip-222.222.222.0_24 object-group juniper-ip
    !
    crypto ikev2 policy 10
    encryption aes-256
    integrity sha256
    group 5
    prf sha256
    lifetime 28800
    !
    group-policy POLICY-GROUP-IKEV2 internal
    group-policy POLICY-GROUP-IKEV2 attributes
    vpn-tunnel-protocol ikev2
    !
    crypto ipsec ikev2 ipsec-proposal customer-ip-IKE2-ESP-AES256-SHA1
    protocol esp encryption aes-256
    protocol esp integrity sha-1
    !
    tunnel-group 111.111.111.111 type ipsec-l2l
    tunnel-group 111.111.111.111 general-attributes
    default-group-policy POLICY-GROUP-IKEV2
    tunnel-group 111.111.111.111 ipsec-attributes
    ikev2 local-authentication pre-shared-key ***********
    ikev2 remote-authentication pre-shared-key ***********
    !
    crypto map customer-ip-MAP 995 set peer juniper-ip
    crypto map customer-ip-MAP 995 set ikev2 ipsec-proposal customer-ip-IKE2-ESP-AES256-SHA1
    crypto map customer-ip-MAP 995 match address ACL-juniper-ip
    crypto map customer-ip-MAP 995 set security-association lifetime seconds 3600
    crypto map customer-ip-MAP 995 set pfs group5
    !
    crypto ikev2 enable outside

     

    Juniper Config

     

    proposal ike-proposal {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;

     

     

     

    proposal ipsec-proposal-1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600

     

     

     

    policy ipsec-policy-1 {
    perfect-forward-secrecy {
    keys group5;
    }
    proposals ipsec-proposal-1;
    }

     

     

     

    policy ike-pol-vpn-customer-u1 {
    mode main;
    proposals ike-proposal;
    pre-shared-key ascii-text ## 

     

     

    gateway gw-vpn-customer-u1 {
    ike-policy ike-pol-vpn-customer-u1;
    address 222.222.222.222;
    local-identity inet 111.111.111.111;
    external-interface ge-1/0/0.0;
    general-ikeid;
    version v2-only;

     

     

     

    vpn vpn-customer-u1 {
    bind-interface st0.9;
    ike {
    gateway gw-vpn-customer-u1;
    proxy-identity {
    local 111.111.111.184;
    remote 222.222.222.0/24;
    }
    ipsec-policy ipsec-policy-1;
    }
    establish-tunnels immediately;
    }

     



  • 4.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 04-22-2017 09:08

    Looks like you might be configuring an IKE ID and not one on the Cisco side. Try removing general-ikeid.

    gateway gw-vpn-customer-u1 {
        ike-policy ike-pol-vpn-customer-u1;
        address 222.222.222.222;
        local-identity inet 111.111.111.111;
        external-interface ge-1/0/0.0;
        general-ikeid;
        version v2-only;
    }


  • 5.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 04-25-2017 01:40

    Hi,

    From the configuration provided, I could see that on the ASA the tunnel-group is using IP 111.111.111.111, and on the SRX you have configured the local-identity to be 111.111.111.111 again.

    As Spuluka mentioned, we do not need to configure general-ikeid, as we have already specified the local-identity.

    Also, can you let us know which IP is used on the ASA interface that is in the outside zone, since you have enabled IKEv2 on the outside interface?

    Please remove the local-ikeid and let us know if that helped.

    regards,

    Guru Prasad
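As an added example (not part of the thread and not a Juniper or Cisco tool), the Python script below pulls the IKEv2 proposal values and the identities out of the two fragments posted above and reports where the sides disagree, including the general-ikeid next to an explicit local-identity that the replies point at; the embedded config text is a constructed copy of what was posted, with the pre-shared keys left out.

```python
import re
# Constructed copies of the two fragments posted above (pre-shared keys omitted).
ASA_CFG = """\
encryption aes-256
integrity sha256
group 5
tunnel-group 111.111.111.111 type ipsec-l2l
"""
SRX_CFG = """\
proposal ike-proposal {
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
gateway gw-vpn-customer-u1 {
    local-identity inet 111.111.111.111;
    general-ikeid;
}
"""
IKE_KEYS = ("encryption", "integrity", "group")  # common names used by both parsers
SRX_KEYS = dict(zip(("encryption-algorithm", "authentication-algorithm", "dh-group"), IKE_KEYS))

def norm(v):
    # Normalise vendor spellings: aes-256-cbc -> aes256, sha-256 -> sha256, group5 -> 5
    return re.sub(r"[-_]", "", v.lower().replace("-cbc", "").replace("group", ""))

def parse_asa(text):
    p = {}
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) == 2 and tok[0] in IKE_KEYS:
            p[tok[0]] = norm(tok[1])
        elif len(tok) >= 2 and tok[0] == "tunnel-group" and "ipsec-l2l" in tok:
            p["peer_id"] = tok[1]  # the ASA selects this tunnel-group by the peer's IKE ID
    return p

def parse_srx(text):
    p = {SRX_KEYS[k]: norm(v) for k, v in re.findall(r"(\S+) (\S+);", text) if k in SRX_KEYS}
    p["local_id"] = next(iter(re.findall(r"local-identity inet (\S+);", text)), None)
    p["general_ikeid"] = bool(re.search(r"^\s*general-ikeid;", text, re.M))
    return p

def compare(asa, srx):
    # Returns human-readable findings; an empty list means the two sides agree
    out = [f"IKE {k} mismatch: ASA={asa.get(k)} SRX={srx.get(k)}" for k in IKE_KEYS if asa.get(k) != srx.get(k)]
    if asa.get("peer_id") != srx["local_id"]:
        out.append(f"ASA tunnel-group {asa.get('peer_id')} != SRX local-identity {srx['local_id']}")
    if srx["general_ikeid"] and srx["local_id"]:
        out.append("SRX gateway sets general-ikeid next to an explicit local-identity (thread suggests removing it)")
    return out
```

Run it with `print(compare(parse_asa(ASA_CFG), parse_srx(SRX_CFG)))`; on the posted fragments the proposals and identities line up and only the general-ikeid finding is reported.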