SRX


IPSEC between SRX and Fortinet not coming up

  • 1.  IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 00:07

    Hi Team,

    I'm new to IPsec and am trying to set up an IPsec VPN between a Fortinet and an SRX, but it is not working. I captured the packets and found that the SRX is not initiating IKE communication. The configuration and topology are below. Phase 1 is not coming up. Please help.

    (topology diagram: TOPO.PNG)


    set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system services web-management http interface ge-0/0/1.0
    set system services web-management https pki-local-certificate 12345
    set system services web-management https interface ge-0/0/1.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 description TO_FORTINET
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
    set interfaces ge-0/0/2 description TO_R4
    set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
    set interfaces st0 unit 0 family inet
    set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
    set security ike traceoptions file IKE
    set security ike traceoptions file size 10k
    set security ike traceoptions file files 2
    set security ike traceoptions flag all
    set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
    set security ike proposal AES256-SHA256-DH2 dh-group group2
    set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
    set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
    set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
    set security ike policy ike01-DUB-Three mode aggressive
    set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
    set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
    set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
    set security ike gateway ike01-DUB-Three address 192.168.86.4
    set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
    set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
    set security ike gateway ike01-DUB-Three version v2-only
    set security ipsec proposal AES256-SHA256-PFS protocol esp
    set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
    set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
    set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
    set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
    set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
    set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
    set security ipsec vpn vpn01-DUB-Three df-bit clear
    set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
    set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

    config vpn ipsec phase1-interface
    edit "ike01-DUB-Three"
    set interface "port2"
    set ike-version 2
    set local-gw 192.168.86.4
    set keylife 28800
    set peertype any
    set net-device disable
    set proposal des-md5 des-sha256
    set comments "ike01-DUB-Three"
    set dhgrp 2
    set remote-gw 192.168.86.3
    set psksecret ENC aGBmGGUZbROTSqjPLFzg6E5DGdFjhYuySFrv99s0NsQ3cJvYzW9sjkEANCZ22HyyNTLY+qnDMWxuE6xPKKu8FAnCO11UggEOQWKSH4gfZIl8jEl8u/dZ1Xc/ChSPaGXT7Ch/mFpQwkoR/HX/2CpOc8IDiQ806LhcyQ4edqlLrzTm+A+G/02qHXipb+bYiUUwA7uhpg==
    next
    end

    FORTINET # show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
    edit "ike01-DUB-Three"
    set phase1name "ike01-DUB-Three"
    set proposal des-md5 des-sha1
    set pfs disable
    set comments "ike01-DUB-Three"
    set src-addr-type ip
    set dst-addr-type ip
    set keylifeseconds 3600
    set src-start-ip 1.1.1.1
    set dst-start-ip 2.2.2.2
    next
    end


  • 2.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 01:11

    There is no aggressive mode in IKEv2. Try the steps below and update us.

    > Remove aggressive mode config

    > Remove PFS config from SRX side. Fortinet side it is disabled

    > Remove proxy-identity config from SRX side

    > Assign st0.0 interface to a security zone.


  • 3.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 01:54

    Hi Nellikka,

    Thanks for your quick response.

    I have made the changes you mentioned below, but it is still not working. Please find the latest configuration and the IKE debug traces.

    > Remove aggressive mode config -------------------------------- Removed

    > Remove PFS config from SRX side. Fortinet side it is disabled ----------------------- Removed

    > Remove proxy-identity config from SRX side -------------- When I use traffic-selector I get the error "IKEv2 does not support traffic-selectors", so I am using proxy-identity for traffic selection instead.

    > Assign st0.0 interface to a security zone. --------------- Assigned to a security zone


    set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system services web-management http interface ge-0/0/1.0
    set system services web-management https pki-local-certificate 12345
    set system services web-management https interface ge-0/0/1.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 description TO_FORTINET
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
    set interfaces ge-0/0/2 description TO_R4
    set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
    set interfaces st0 unit 0 family inet
    set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
    set security ike traceoptions file IKE
    set security ike traceoptions file size 10k
    set security ike traceoptions file files 2
    set security ike traceoptions flag all
    set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
    set security ike proposal AES256-SHA256-DH2 dh-group group2
    set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
    set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
    set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
    set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
    set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
    set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
    set security ike gateway ike01-DUB-Three address 192.168.86.4
    set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
    set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
    set security ike gateway ike01-DUB-Three version v2-only
    set security ipsec proposal AES256-SHA256-PFS protocol esp
    set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
    set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
    set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
    set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
    set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
    set security ipsec vpn vpn01-DUB-Three df-bit clear
    set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
    set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all


    [May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 05:55:43]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 05:55:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 05:55:43]No SPUs are operational, returning.
    [May 4 05:55:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 05:55:43]Config download: Processed 7 - 8 messages
    [May 4 05:55:43]Config download time: 0 secs
    [May 4 05:55:43]iked_config_process_config_list, configuration diff complete
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615776 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 05:58:43]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 05:58:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 05:58:43]No SPUs are operational, returning.
    [May 4 05:58:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 05:58:43]Config download: Processed 8 - 9 messages
    [May 4 05:58:43]Config download time: 0 secs
    [May 4 05:58:43]iked_config_process_config_list, configuration diff complete
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 06:49:36]Error: Unknown record, type = 25

    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 40, reclen = -1876617120 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 41c, reclen = -1876616672 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 06:49:36]No SPUs are operational, returning.
    [May 4 06:49:36]Config download: Processed 9 - 10 messages
    [May 4 06:49:36]Config download time: 0 secs
    [May 4 06:49:36]iked_config_process_config_list, configuration diff complete
    [May 4 08:30:46]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 08:30:46]Config download: Processed 1 - 1 messages
    [May 4 08:30:46]Config download time: 0 secs
    [May 4 08:30:46]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
    [May 4 08:30:46]Creating PM instance for service_set: root
    [May 4 08:30:47]ssh_ike_init: Start
    [May 4 08:30:47]ssh_ike_init: params->ignore_cr_payloads = FALSE
    [May 4 08:30:47]ssh_ike_init: params->no_key_hash_payload = FALSE
    [May 4 08:30:47]ssh_ike_init: params->no_cr_payloads = FALSE
    [May 4 08:30:47]ssh_ike_init: params->do_not_send_crls = FALSE
    [May 4 08:30:47]ssh_ike_init: params->send_full_chains = FALSE
    [May 4 08:30:47]ssh_ike_init: params->trust_icmp_messages = FALSE
    [May 4 08:30:47]ssh_ike_init: params->spi_size = 0
    [May 4 08:30:47]ssh_ike_init: params->zero_spi = TRUE
    [May 4 08:30:47]ssh_ike_init: params->max_key_length = 512
    [May 4 08:30:47]ssh_ike_init: params->max_isakmp_sa_count = 8192
    [May 4 08:30:47]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
    [May 4 08:30:47]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_cnt = 1
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_retry = 2
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_cnt = 1
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_retry = 2
    [May 4 08:30:47]ssh_ike_attach_audit_context: Attaching a new audit context
    [May 4 08:30:47]ssh_ike_init: params->base_retry_limit = 5
    [May 4 08:30:47]ssh_ike_init: params->base_retry_timer = 10.000000
    [May 4 08:30:47]ssh_ike_init: params->base_retry_timer_max = 150.000000
    [May 4 08:30:47]ssh_ike_init: params->base_expire_timer = 180.000000
    [May 4 08:30:47]ssh_ike_init: params->extended_retry_limit = 5
    [May 4 08:30:47]ssh_ike_init: params->extended_retry_timer = 5.000000
    [May 4 08:30:47]ssh_ike_init: params->extended_retry_timer_max = 300.000000
    [May 4 08:30:47]ssh_ike_init: params->extended_expire_timer = 240.000000
    [May 4 08:30:47]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
    [May 4 08:30:47]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
    [May 4 08:30:47]iked_config_process_config_list, configuration diff complete
    [May 4 08:30:47]IKED-PKID-IPC
    [May 4 08:30:47]kmd_rpd_init
    [May 4 08:30:47]rpd session connected
    [May 4 08:30:47]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
    [May 4 08:30:48]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [May 4 08:30:48]kmd_rpd_cb_session_connect
    [May 4 08:30:48]kmd_rpd_cb_session_connect: rpd session established
    [May 4 08:30:48]kmd_rpd_db_read
    [May 4 08:30:48]kmd_rpd_db_read: gw handle 38
    [May 4 08:30:48]kmd_rpd_cb_protocol_register gw handle 0 return code 1
    [May 4 08:30:48]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
    [May 4 08:30:48]kmd_rpd_db_write
    [May 4 08:30:48]kmd_rpd_shutdown_session
    [May 4 08:30:53]kmd_rpd_init
    [May 4 08:30:53]rpd session connected
    [May 4 08:30:53]kmd_rpd_cb_session_connect
    [May 4 08:30:53]kmd_rpd_cb_session_connect: rpd session established
    [May 4 08:30:53]kmd_rpd_db_write
    [May 4 08:30:53]kmd_rpd_cb_protocol_register gw handle 39 return code 0
    [May 4 08:30:53]kmd_rpd_db_write
    [May 4 08:30:53]kmd_rpd_refresh_routes
    [May 4 08:31:10]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
    [May 4 08:31:11]Couldn't get the zone information for interface ext st0, error No such file or directory
    [May 4 08:31:14]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876606944 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 08:34:05]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 08:34:05]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 08:34:05]No SPUs are operational, returning.
    [May 4 08:34:05]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 08:34:05]Config download: Processed 1 - 2 messages
    [May 4 08:34:05]Config download time: 0 secs
    [May 4 08:34:05]iked_config_process_config_list, configuration diff complete
    [May 4 08:35:35]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
    [May 4 08:35:35]Successfully added SA Config
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876615520 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 08:37:08]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 08:37:08]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 08:37:08]No SPUs are operational, returning.
    [May 4 08:37:08]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 08:37:08]Config download: Processed 2 - 3 messages
    [May 4 08:37:08]Config download time: 0 secs
    [May 4 08:37:08]iked_config_process_config_list, configuration diff complete
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 08:38:07]Error: Unknown record, type = 25

    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876616416 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 08:38:07]No SPUs are operational, returning.
    [May 4 08:38:07]Config download: Processed 3 - 4 messages
    [May 4 08:38:07]Config download time: 0 secs
    [May 4 08:38:07]iked_config_process_config_list, configuration diff complete


    root> ping 192.168.86.4
    PING 192.168.86.4 (192.168.86.4): 56 data bytes
    64 bytes from 192.168.86.4: icmp_seq=0 ttl=255 time=13.466 ms
    64 bytes from 192.168.86.4: icmp_seq=1 ttl=255 time=7.005 ms
    64 bytes from 192.168.86.4: icmp_seq=2 ttl=255 time=6.879 ms
    64 bytes from 192.168.86.4: icmp_seq=3 ttl=255 time=11.194 ms
    64 bytes from 192.168.86.4: icmp_seq=4 ttl=255 time=7.379 ms
    64 bytes from 192.168.86.4: icmp_seq=5 ttl=255 time=8.763 ms


  • 4.  RE: IPSEC between SRX and Fortinet not coming up
    Best Answer

    Posted 05-04-2020 02:56

    Do the config below and update us:


    set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately

    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32


    show security ike security-associations

    show security ipsec security-associations 

    show security ipsec security-associations detail
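
A checker, added here as an example and not code from this thread or from either vendor, that compares the SRX statements and FortiGate phase1/phase2 settings posted above for the mismatches raised in replies 2 and 4 (an IKEv1 `mode` on a v2-only gateway, PFS enabled on one side only, proxy IDs not mirrored) and also tests proposal and DH-group agreement. The input strings are copied from the posted configs; the algorithm-name normalisation and the FortiOS defaults it assumes (ike-version 1, pfs enable) are the example's own.

```python
import re
# Constructed sample input, copied from the thread: the SRX statements that matter for negotiation
# as first posted, and the FortiGate phase1/phase2 settings (edit/next lines left out).
SRX_ORIGINAL = """\
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike policy ike01-DUB-Three mode aggressive
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
"""
# The same config with the fixes from replies 2 and 4 applied: no mode, no PFS, mirrored proxy IDs.
SRX_FIXED = (SRX_ORIGINAL
             .replace("set security ike policy ike01-DUB-Three mode aggressive\n", "")
             .replace("set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2\n", "")
             .replace("proxy-identity local 1.1.1.1/32", "proxy-identity local 2.2.2.2/32\n"
                      "set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32"))
FORTI = """\
config vpn ipsec phase1-interface
set ike-version 2
set proposal des-md5 des-sha256
set dhgrp 2
end
config vpn ipsec phase2-interface
set proposal des-md5 des-sha1
set pfs disable
set src-start-ip 1.1.1.1
set dst-start-ip 2.2.2.2
end
"""

def _norm(alg):
    """des-cbc -> des, hmac-sha1-96 -> sha1, sha-256 -> sha256, group2 -> 2; None -> ''."""
    a = re.sub(r"^(hmac-|group)", "", (alg or "").lower())
    return re.sub(r"-(cbc|96|128)$", "", a).replace("-", "")

def parse_junos(text):
    """Collect `set security ike|ipsec <type> <name> <rest...>` statements as (type, rest-tokens)."""
    return [(f"{t[2]} {t[3]}", t[5:]) for t in map(str.split, text.splitlines())
            if len(t) >= 6 and t[:2] == ["set", "security"] and t[2] in ("ike", "ipsec")]

def junos_value(stmts, kind, *prefix):
    """First token after `prefix` in a statement of `kind` (e.g. 'ike policy', 'mode'), or None."""
    n = len(prefix)
    return next((r[n] for k, r in stmts if k == kind and r[:n] == list(prefix) and len(r) > n), None)

def parse_fortios(text):
    """Collect the `set <key> <values...>` lines of each `config ... phaseN-interface` block."""
    blocks, cur = {}, None
    for t in map(str.split, text.splitlines()):
        if t and t[0] == "config":
            cur = blocks.setdefault(t[-1], {})
        elif t and t[0] == "set" and cur is not None:
            cur[t[1]] = t[2:]
    return blocks

def _offered(stmts, kind, forti_block):
    """True if the SRX (encryption, integrity) pair of `kind` is in the Fortinet proposal list."""
    pair = (_norm(junos_value(stmts, kind, "encryption-algorithm")),
            _norm(junos_value(stmts, kind, "authentication-algorithm")))
    return pair in {tuple(p.split("-", 1)) for p in forti_block.get("proposal", [])}

def check_pair(junos_text, forti_text):
    """Return the mismatches that would stop this SRX<->FortiGate IKEv2 tunnel from negotiating."""
    s, f = parse_junos(junos_text), parse_fortios(forti_text)
    p1, p2 = f.get("phase1-interface", {}), f.get("phase2-interface", {})
    out = []
    # IKEv2 has no main/aggressive mode, so a policy 'mode' on a v2-only gateway is an IKEv1 leftover.
    if junos_value(s, "ike gateway", "version") == "v2-only":
        if junos_value(s, "ike policy", "mode") is not None:
            out.append("ike: policy 'mode' is IKEv1-only; remove it on a v2-only gateway")
        if p1.get("ike-version", ["1"])[0] != "2":  # FortiOS defaults ike-version to 1
            out.append("ike: SRX is v2-only but Fortinet ike-version is not 2")
    # Phase 1 and phase 2: the SRX pair must be one the Fortinet side offers, and DH groups must agree.
    if not _offered(s, "ike proposal", p1):
        out.append("ike: no common encryption/integrity proposal")
    if _norm(junos_value(s, "ike proposal", "dh-group")) not in p1.get("dhgrp", []):
        out.append("ike: DH group mismatch")
    if not _offered(s, "ipsec proposal", p2):
        out.append("ipsec: no common ESP proposal")
    # PFS must be on or off on both sides (reply 2: the Fortinet side has it disabled).
    srx_pfs = junos_value(s, "ipsec policy", "perfect-forward-secrecy", "keys")
    forti_pfs = p2.get("pfs", ["enable"])[0] == "enable"  # FortiOS defaults pfs to enable
    if (srx_pfs is not None) != forti_pfs:
        out.append(f"ipsec: PFS mismatch (SRX {srx_pfs or 'off'}, Fortinet {'on' if forti_pfs else 'off'})")
    # Traffic selectors must mirror (reply 4): SRX local == Fortinet dst-start-ip, SRX remote == src-start-ip.
    local = (junos_value(s, "ipsec vpn", "ike", "proxy-identity", "local") or "").split("/")[0]
    remote = (junos_value(s, "ipsec vpn", "ike", "proxy-identity", "remote") or "").split("/")[0]
    if local != p2.get("dst-start-ip", [""])[0]:
        out.append(f"ipsec: SRX proxy-identity local {local or '(unset)'} must equal Fortinet dst-start-ip")
    if remote != p2.get("src-start-ip", [""])[0]:
        out.append(f"ipsec: SRX proxy-identity remote {remote or '(unset)'} must equal Fortinet src-start-ip")
    return out

if __name__ == "__main__":
    print({label: check_pair(cfg, FORTI) or "OK" for label, cfg in (("original", SRX_ORIGINAL), ("fixed", SRX_FIXED))})
```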


  • 5.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 13:15

    Hi Nellikka,

    I have made the changes you mentioned below, but it is still not working. Please find the results below.

    set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately---------------Configured

    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32----------Configured
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32--------------Configured


    root> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    2089264 DOWN b6f334ca1da64432 0000000000000000 IKEv2 192.168.86.4

    root>

    root> show security ipsec security-associations
    Total active tunnels: 0

    root>

    root> show security ipsec security-associations detail

    root>

    Please find below the latest IPsec configuration and IKE traces.

    set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system services web-management http interface ge-0/0/1.0
    set system services web-management https pki-local-certificate 12345
    set system services web-management https interface ge-0/0/1.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 description TO_FORTINET
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
    set interfaces ge-0/0/2 description TO_R4
    set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
    set interfaces st0 unit 0 family inet
    set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
    set security ike traceoptions file IKE
    set security ike traceoptions file size 10k
    set security ike traceoptions file files 2
    set security ike traceoptions flag all
    set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
    set security ike proposal AES256-SHA256-DH2 dh-group group2
    set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
    set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
    set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
    set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
    set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
    set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
    set security ike gateway ike01-DUB-Three address 192.168.86.4
    set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
    set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
    set security ike gateway ike01-DUB-Three version v2-only
    set security ipsec proposal AES256-SHA256-PFS protocol esp
    set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
    set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
    set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
    set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
    set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
    set security ipsec vpn vpn01-DUB-Three df-bit clear
    set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
    set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all

    root> show log IKE
    [May 4 19:57:44]Config download time: 0 secs
    [May 4 19:57:44]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
    [May 4 19:57:44]Creating PM instance for service_set: root
    [May 4 19:57:44]ssh_ike_init: Start
    [May 4 19:57:44]ssh_ike_init: params->ignore_cr_payloads = FALSE
    [May 4 19:57:44]ssh_ike_init: params->no_key_hash_payload = FALSE
    [May 4 19:57:44]ssh_ike_init: params->no_cr_payloads = FALSE
    [May 4 19:57:44]ssh_ike_init: params->do_not_send_crls = FALSE
    [May 4 19:57:44]ssh_ike_init: params->send_full_chains = FALSE
    [May 4 19:57:44]ssh_ike_init: params->trust_icmp_messages = FALSE
    [May 4 19:57:44]ssh_ike_init: params->spi_size = 0
    [May 4 19:57:44]ssh_ike_init: params->zero_spi = TRUE
    [May 4 19:57:44]ssh_ike_init: params->max_key_length = 512
    [May 4 19:57:44]ssh_ike_init: params->max_isakmp_sa_count = 8192
    [May 4 19:57:44]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
    [May 4 19:57:44]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_cnt = 1
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_retry = 2
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_cnt = 1
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_retry = 2
    [May 4 19:57:44]ssh_ike_attach_audit_context: Attaching a new audit context
    [May 4 19:57:44]ssh_ike_init: params->base_retry_limit = 5
    [May 4 19:57:44]ssh_ike_init: params->base_retry_timer = 10.000000
    [May 4 19:57:44]ssh_ike_init: params->base_retry_timer_max = 150.000000
    [May 4 19:57:44]ssh_ike_init: params->base_expire_timer = 180.000000
    [May 4 19:57:44]ssh_ike_init: params->extended_retry_limit = 5
    [May 4 19:57:44]ssh_ike_init: params->extended_retry_timer = 5.000000
    [May 4 19:57:44]ssh_ike_init: params->extended_retry_timer_max = 300.000000
    [May 4 19:57:44]ssh_ike_init: params->extended_expire_timer = 240.000000
    [May 4 19:57:44]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
    [May 4 19:57:44]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
    [May 4 19:57:44]iked_config_process_config_list, configuration diff complete
    [May 4 19:57:44]IKED-PKID-IPC
    [May 4 19:57:44]kmd_rpd_init
    [May 4 19:57:44]rpd session connected
    [May 4 19:57:44]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
    [May 4 19:57:45]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [May 4 19:57:45]kmd_rpd_cb_session_connect
    [May 4 19:57:45]kmd_rpd_cb_session_connect: rpd session established
    [May 4 19:57:45]kmd_rpd_db_read
    [May 4 19:57:45]kmd_rpd_db_read: gw handle 39
    [May 4 19:57:45]kmd_rpd_cb_protocol_register gw handle 3216496872 return code 1
    [May 4 19:57:45]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
    [May 4 19:57:45]kmd_rpd_db_write
    [May 4 19:57:45]kmd_rpd_shutdown_session
    [May 4 19:57:50]kmd_rpd_init
    [May 4 19:57:50]rpd session connected
    [May 4 19:57:50]kmd_rpd_cb_session_connect
    [May 4 19:57:50]kmd_rpd_cb_session_connect: rpd session established
    [May 4 19:57:50]kmd_rpd_db_write
    [May 4 19:57:50]kmd_rpd_cb_protocol_register gw handle 39 return code 0
    [May 4 19:57:50]kmd_rpd_db_write
    [May 4 19:57:50]kmd_rpd_refresh_routes
    [May 4 19:57:54]Couldn't get the zone information for interface ge-0/0/1, error No such file or directory
    [May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
    [May 4 19:58:23]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
    [May 4 19:58:23]Successfully added SA Config
    [May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615264 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 20:06:07]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 20:06:07]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 20:06:07]No SPUs are operational, returning.
    [May 4 20:06:07]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 20:06:07]Config download: Processed 1 - 2 messages
    [May 4 20:06:07]Config download time: 0 secs
    [May 4 20:06:07]ikev2_packet_allocate: Allocated packet 8c24800 from freelist
    [May 4 20:06:07]iked_config_process_config_list, configuration diff complete
    [May 4 20:06:37]P1 SA 2089251 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:06:37]IKE SA delete called for p1 sa 2089251 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:06:37]Freeing all P2 SAs for IKEv2 p1 SA 2089251
    [May 4 20:06:37]P1 SA 2089251 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:06:37]iked_pm_p1_sa_destroy: p1 sa 2089251 (ref cnt 0), waiting_for_del 0x8c809a0
    [May 4 20:06:37]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:06:37]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:07:34]ikev2_packet_allocate: Allocated packet 8c24c00 from freelist
    [May 4 20:08:04]P1 SA 2089252 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:08:04]IKE SA delete called for p1 sa 2089252 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:08:04]Freeing all P2 SAs for IKEv2 p1 SA 2089252
    [May 4 20:08:04]P1 SA 2089252 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:08:04]iked_pm_p1_sa_destroy: p1 sa 2089252 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:08:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:08:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:08:34]ikev2_packet_allocate: Allocated packet 8c39000 from freelist

    [May 4 20:13:34]ikev2_packet_allocate: Allocated packet 8c3a400 from freelist
    [May 4 20:14:04]P1 SA 2089258 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:14:04]IKE SA delete called for p1 sa 2089258 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:14:04]Freeing all P2 SAs for IKEv2 p1 SA 2089258
    [May 4 20:14:04]P1 SA 2089258 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:14:04]iked_pm_p1_sa_destroy: p1 sa 2089258 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:14:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:14:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:14:34]ikev2_packet_allocate: Allocated packet 8c3a800 from freelist
    [May 4 20:15:04]P1 SA 2089259 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:15:04]IKE SA delete called for p1 sa 2089259 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:15:04]Freeing all P2 SAs for IKEv2 p1 SA 2089259
    [May 4 20:15:04]P1 SA 2089259 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:15:04]iked_pm_p1_sa_destroy: p1 sa 2089259 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:15:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:15:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:15:34]ikev2_packet_allocate: Allocated packet 8c3ac00 from freelist
    [May 4 20:16:04]P1 SA 2089260 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:16:04]IKE SA delete called for p1 sa 2089260 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:16:04]Freeing all P2 SAs for IKEv2 p1 SA 2089260
    [May 4 20:16:04]P1 SA 2089260 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:16:04]iked_pm_p1_sa_destroy: p1 sa 2089260 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:16:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:16:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:16:34]ikev2_packet_allocate: Allocated packet 8c3b000 from freelist
    [May 4 20:17:04]P1 SA 2089261 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:17:04]IKE SA delete called for p1 sa 2089261 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:17:04]Freeing all P2 SAs for IKEv2 p1 SA 2089261
    [May 4 20:17:04]P1 SA 2089261 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:17:04]iked_pm_p1_sa_destroy: p1 sa 2089261 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:17:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:17:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:17:34]ikev2_packet_allocate: Allocated packet 8c3b400 from freelist
    [May 4 20:18:04]P1 SA 2089262 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:18:04]IKE SA delete called for p1 sa 2089262 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:18:04]Freeing all P2 SAs for IKEv2 p1 SA 2089262
    [May 4 20:18:04]P1 SA 2089262 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:18:04]iked_pm_p1_sa_destroy: p1 sa 2089262 (ref cnt 0), waiting_for_del 0x8c80a60
    [May 4 20:18:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:18:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:18:34]ikev2_packet_allocate: Allocated packet 8c3b800 from freelist
    [May 4 20:19:04]P1 SA 2089263 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:19:04]IKE SA delete called for p1 sa 2089263 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:19:04]Freeing all P2 SAs for IKEv2 p1 SA 2089263
    [May 4 20:19:04]P1 SA 2089263 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:19:04]iked_pm_p1_sa_destroy: p1 sa 2089263 (ref cnt 0), waiting_for_del 0x8c80a60
    [May 4 20:19:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:19:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:19:34]ikev2_packet_allocate: Allocated packet 8c3bc00 from freelist
    #JNCIE
    #security
    #ospf
    #ike
    #IPSec
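    The trace above repeats one pattern: a packet is allocated, and 30 seconds later the phase 1 SA dies on the "Force delete timer expired" reason, then a new SA number appears and the cycle starts again. That is what an initiator that never hears back looks like. The following is an added example, not code from the post or from Junos: a small Python analyser that groups the force-deleted P1 SAs by local/remote gateway and reports how many attempts timed out and how quickly the SRX retried. The sample lines are a constructed excerpt in the format of the `show log IKE` output above; the regexes, function names and the verdict wording are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a handful of lines in the format of the 'show log IKE'
# trace posted above (same timestamps, SA ids and gateway addresses as shown there).
SAMPLE_LOG = """\
[May 4 20:06:07]ikev2_packet_allocate: Allocated packet 8c24800 from freelist
[May 4 20:06:37]P1 SA 2089251 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:06:37]IKE SA delete called for p1 sa 2089251 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:06:37]Freeing all P2 SAs for IKEv2 p1 SA 2089251
[May 4 20:07:34]ikev2_packet_allocate: Allocated packet 8c24c00 from freelist
[May 4 20:08:04]P1 SA 2089252 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[May 4 20:08:04]IKE SA delete called for p1 sa 2089252 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
[May 4 20:08:04]Freeing all P2 SAs for IKEv2 p1 SA 2089252
"""

# Timestamp prefix as iked writes it: "[May 4 20:06:37]" with no year.
TS = r"\[(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d)\]"
EXPIRY_RE = re.compile(
    TS + r"P1 SA (?P<sa>\d+) timer expiry\..*?timer reason (?P<reason>[^(]+)\("
)
DELETE_RE = re.compile(
    TS + r"IKE SA delete called for p1 sa (?P<sa>\d+) .*?"
    r"local:(?P<local>[\d.]+), remote:(?P<remote>[\d.]+), (?P<ver>IKEv\d)"
)
FORCE_DELETE = "Force delete timer expired"


def parse_ts(text):
    # No year in the trace; strptime defaults to 1900, which is fine for time deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze_ike_trace(text):
    """Group force-deleted phase 1 SAs by (local, remote, IKE version) and summarise."""
    expired = {}                    # sa id -> (timestamp, reason)
    per_peer = defaultdict(list)    # (local, remote, ver) -> [(sa id, timestamp)]
    for raw in text.splitlines():
        line = raw.strip()
        m = EXPIRY_RE.match(line)
        if m:
            expired[m["sa"]] = (parse_ts(m["ts"]), m["reason"].strip())
            continue
        m = DELETE_RE.match(line)
        # The delete line is the first one that names the peer, so join it to the
        # expiry line through the SA id and keep only force-deleted SAs.
        if m and m["sa"] in expired and expired[m["sa"]][1] == FORCE_DELETE:
            key = (m["local"], m["remote"], m["ver"])
            per_peer[key].append((int(m["sa"]), expired[m["sa"]][0]))

    report = {}
    for key, sas in per_peer.items():
        times = [t for _, t in sas]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        n = len(sas)
        if n >= 2:
            verdict = ("initiator pattern: every IKE SA to this peer dies on the "
                       "force-delete timer before completing, so the SRX is sending "
                       "but the peer is not answering; debug the remote side")
        else:
            verdict = "single timeout only; collect more trace before concluding"
        report[key] = {
            "timed_out_sas": n,
            "sa_ids": [sa for sa, _ in sas],
            "min_retry_gap_s": min(gaps) if gaps else None,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for (local, remote, ver), info in analyze_ike_trace(SAMPLE_LOG).items():
        print(f"{ver} {local} -> {remote}: {info['timed_out_sas']} SAs timed out "
              f"(ids {info['sa_ids']}, fastest retry {info['min_retry_gap_s']}s)")
        print("  " + info["verdict"])
```

    Run it against a saved copy of the trace file (`file show /var/log/IKE` on the SRX, then paste into `SAMPLE_LOG` or read the file) to confirm the "sending, no answer" pattern before spending time on the SRX proposals; an IKE mismatch would show the peer's reply being rejected rather than this silent timeout loop.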


  • 6.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-05-2020 07:07

    As per the given output, the SRX is initiating VPN traffic but not getting packets from Fortinet. Please enable debug on the Fortinet side and check: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611

    Which SRX model and Junos version are you using? Please share the output of "show chassis fpc detail".



  • 7.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-05-2020 22:21

    Hi Nellikka,

    Thanks for your support, both phase 1 and phase 2 are up now. There was an issue with the Fortinet firewall policy; after correcting it, IPsec came up. I have some questions:

    1. How can I redirect the traffic from source (2.2.2.2) to destination (1.1.1.1) over the IPsec tunnel? As we can see in the routing table, it is not showing a route for it. Do I need to configure a static route for the destination pointing towards the st0.0 interface?

    2. What if "establish-tunnels immediately" is not configured? What is the default behaviour of Junos?


    + = Active Route, - = Last Active, * = Both

    2.2.2.2/32 *[Static/5] 01:16:46
    > to 23.0.0.2 via ge-0/0/2.0
    23.0.0.0/24 *[Direct/0] 01:16:46
    > via ge-0/0/2.0
    23.0.0.1/32 *[Local/0] 01:16:59
    Local via ge-0/0/2.0
    192.168.86.0/24 *[Direct/0] 01:16:46
    > via ge-0/0/1.0
    192.168.86.3/32 *[Local/0] 01:17:00
    Local via ge-0/0/1.0

    root> show security ipsec security-associations detail
    ID: 131073 Virtual-system: root, VPN Name: vpn01-DUB-Three
    Local Gateway: 192.168.86.3, Remote Gateway: 192.168.86.4
    Local Identity: ipv4(any:0,[0..3]=2.2.2.2)
    Remote Identity: ipv4(any:0,[0..3]=1.1.1.1)
    Version: IKEv2
    DF-bit: clear
    Bind-interface: st0.0

    Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
    Last Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: ea741b61, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 3518 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2880 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 5e5575e7, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 3518 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2880 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    root> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    3264977 UP 2f31bcc0891ceff9 a1b8c28e9f518341 IKEv2 192.168.86.4


    root> show chassis fpc detail
    Slot 0 information:
    State Online
    Total CPU DRAM ---- CPU less FPC ----
    Start time 2020-05-06 03:51:22 UTC
    Uptime 12 hour, 17 minutes, 37 seconds

    root>


    #ike
    #IPSec
    #SRX
    #security


  • 8.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-05-2020 22:31

    Glad to know that the VPN came up.

    Yes, a static route should be configured for the destination network with next-hop st0.0.

    The default behavior is on-demand: the tunnel will be initiated when traffic to the destination hits the SRX.
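    The answer above is the whole mechanism of a route-based VPN on the SRX: nothing steers a packet into the tunnel except a route whose next hop is the st0.0 interface. The following is an added example, not code from the thread or from Junos. It parses the `show route` output posted above into a small table, does a longest-prefix lookup for the remote identity 1.1.1.1, shows that no route exists (so the packet never reaches st0.0), then models the effect of the answer's static route, whose Junos form is `set routing-options static route 1.1.1.1/32 next-hop st0.0`. The parser, `add_static` and `lookup` are the example's own assumptions about the output format, not a Junos API.

```python
import ipaddress
import re

# Constructed sample: the 'show route' output from the post above, as shown there.
SHOW_ROUTE = """\
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32 *[Static/5] 01:16:46
> to 23.0.0.2 via ge-0/0/2.0
23.0.0.0/24 *[Direct/0] 01:16:46
> via ge-0/0/2.0
23.0.0.1/32 *[Local/0] 01:16:59
Local via ge-0/0/2.0
192.168.86.0/24 *[Direct/0] 01:16:46
> via ge-0/0/1.0
192.168.86.3/32 *[Local/0] 01:17:00
Local via ge-0/0/1.0
"""

# "2.2.2.2/32 *[Static/5] 01:16:46" -> prefix, protocol, preference
ROUTE_RE = re.compile(r"^(?P<prefix>[\d.]+/\d+)\s+\*\[(?P<proto>\w+)/(?P<pref>\d+)\]")
# "> to 23.0.0.2 via ge-0/0/2.0", "> via ge-0/0/2.0" or "Local via ge-0/0/1.0"
NEXTHOP_RE = re.compile(r"(?:to (?P<nh>[\d.]+) )?via (?P<ifl>\S+)$")


def parse_show_route(text):
    """Return a list of (network, preference, next-hop ip or None, egress ifl)."""
    table = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            pending = (ipaddress.ip_network(m["prefix"]), int(m["pref"]))
            continue
        m = NEXTHOP_RE.search(line)
        if m and pending:
            net, pref = pending
            table.append((net, pref, m["nh"], m["ifl"]))
            pending = None
    return table


def add_static(table, prefix, ifl, nexthop=None, pref=5):
    """Model 'set routing-options static route <prefix> next-hop <ifl>' (static pref 5)."""
    table.append((ipaddress.ip_network(prefix), pref, nexthop, ifl))


def lookup(table, dst):
    """Longest-prefix match (lowest preference on ties); None means no route at all."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        net, pref = entry[0], entry[1]
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -pref) > (best[0].prefixlen, -best[1]):
            best = entry
    return None if best is None else best[3]


if __name__ == "__main__":
    rib = parse_show_route(SHOW_ROUTE)
    # Before the static route: the remote identity has no match, so it is never
    # encrypted; the SRX has no path for it.
    print("1.1.1.1 before:", lookup(rib, "1.1.1.1"))
    add_static(rib, "1.1.1.1/32", "st0.0")
    # After: the packet egresses st0.0, which is what binds it to the IPsec SA.
    print("1.1.1.1 after: ", lookup(rib, "1.1.1.1"))
    print("2.2.2.2:        ", lookup(rib, "2.2.2.2"))
```

    With the default on-demand behaviour, the first packet that resolves to st0.0 is what triggers the IKE negotiation, so a missing route shows up as "tunnel never comes up" rather than as an IKE error; `establish-tunnels immediately` only changes when the negotiation starts, not how traffic is selected.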