
  • 1.  IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 00:07

    Hi Team,

    I'm new to IPsec and am trying to set up an IPsec VPN between a Fortinet and an SRX, but it is not working. I have captured the packets and found that the SRX is not initiating IKE communication. The configuration and topology are below. Phase 1 is not coming up. Please help.

    [Attached image: TOPO.PNG]


    set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system services web-management http interface ge-0/0/1.0
    set system services web-management https pki-local-certificate 12345
    set system services web-management https interface ge-0/0/1.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 description TO_FORTINET
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
    set interfaces ge-0/0/2 description TO_R4
    set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
    set interfaces st0 unit 0 family inet
    set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
    set security ike traceoptions file IKE
    set security ike traceoptions file size 10k
    set security ike traceoptions file files 2
    set security ike traceoptions flag all
    set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
    set security ike proposal AES256-SHA256-DH2 dh-group group2
    set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
    set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
    set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
    set security ike policy ike01-DUB-Three mode aggressive
    set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
    set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
    set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
    set security ike gateway ike01-DUB-Three address 192.168.86.4
    set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
    set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
    set security ike gateway ike01-DUB-Three version v2-only
    set security ipsec proposal AES256-SHA256-PFS protocol esp
    set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
    set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
    set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
    set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
    set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
    set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
    set security ipsec vpn vpn01-DUB-Three df-bit clear
    set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
    set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

     

     

    config vpn ipsec phase1-interface
    edit "ike01-DUB-Three"
    set interface "port2"
    set ike-version 2
    set local-gw 192.168.86.4
    set keylife 28800
    set peertype any
    set net-device disable
    set proposal des-md5 des-sha256
    set comments "ike01-DUB-Three"
    set dhgrp 2
    set remote-gw 192.168.86.3
    set psksecret ENC aGBmGGUZbROTSqjPLFzg6E5DGdFjhYuySFrv99s0NsQ3cJvYzW9sjkEANCZ22HyyNTLY+qnDMWxuE6xPKKu8FAnCO11UggEOQWKSH4gfZIl8jEl8u/dZ1Xc/ChSPaGXT7Ch/mFpQwkoR/HX/2CpOc8IDiQ806LhcyQ4edqlLrzTm+A+G/02qHXipb+bYiUUwA7uhpg==
    next
    end

    FORTINET # show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
    edit "ike01-DUB-Three"
    set phase1name "ike01-DUB-Three"
    set proposal des-md5 des-sha1
    set pfs disable
    set comments "ike01-DUB-Three"
    set src-addr-type ip
    set dst-addr-type ip
    set keylifeseconds 3600
    set src-start-ip 1.1.1.1
    set dst-start-ip 2.2.2.2
    next
    end


  • 2.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 01:11

    There is no aggressive mode in IKEv2. Try the steps below and update us:

    > Remove aggressive mode config

    > Remove PFS config from SRX side. Fortinet side it is disabled

    > Remove proxy-identity config from SRX side

    > Assign st0.0 interface to a security zone.



  • 3.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 01:54

    Hi Nellikka,

    Thanks for your quick response.

    I have done the changes you mentioned below, but it is still not working. Please find the latest configuration and debug traces for IKE.

     

    > Remove aggressive mode config -- Removed

    > Remove PFS config from SRX side. Fortinet side it is disabled -- Removed

    > Remove proxy-identity config from SRX side -- While using traffic-selector I'm getting the error "IKEv2 does not support traffic-selectors", that's why I am using proxy-identity for traffic selection

    > Assign st0.0 interface to a security zone. -- Assigned to security zone

     

     

    set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system services web-management http interface ge-0/0/1.0
    set system services web-management https pki-local-certificate 12345
    set system services web-management https interface ge-0/0/1.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 description TO_FORTINET
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
    set interfaces ge-0/0/2 description TO_R4
    set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
    set interfaces st0 unit 0 family inet
    set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
    set security ike traceoptions file IKE
    set security ike traceoptions file size 10k
    set security ike traceoptions file files 2
    set security ike traceoptions flag all
    set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
    set security ike proposal AES256-SHA256-DH2 dh-group group2
    set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
    set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
    set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
    set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
    set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
    set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
    set security ike gateway ike01-DUB-Three address 192.168.86.4
    set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
    set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
    set security ike gateway ike01-DUB-Three version v2-only
    set security ipsec proposal AES256-SHA256-PFS protocol esp
    set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
    set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
    set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
    set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
    set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
    set security ipsec vpn vpn01-DUB-Three df-bit clear
    set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
    set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all


    [May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 05:55:43]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 05:55:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 05:55:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 05:55:43]No SPUs are operational, returning.
    [May 4 05:55:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 05:55:43]Config download: Processed 7 - 8 messages
    [May 4 05:55:43]Config download time: 0 secs
    [May 4 05:55:43]iked_config_process_config_list, configuration diff complete
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615776 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 05:58:43]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 05:58:43]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 05:58:43]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 05:58:43]No SPUs are operational, returning.
    [May 4 05:58:43]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 05:58:43]Config download: Processed 8 - 9 messages
    [May 4 05:58:43]Config download time: 0 secs
    [May 4 05:58:43]iked_config_process_config_list, configuration diff complete
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 06:49:36]Error: Unknown record, type = 25

    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 40, reclen = -1876617120 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 41c, reclen = -1876616672 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
    [May 4 06:49:36]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 06:49:36]No SPUs are operational, returning.
    [May 4 06:49:36]Config download: Processed 9 - 10 messages
    [May 4 06:49:36]Config download time: 0 secs
    [May 4 06:49:36]iked_config_process_config_list, configuration diff complete
    [May 4 08:30:46]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 08:30:46]Config download: Processed 1 - 1 messages
    [May 4 08:30:46]Config download time: 0 secs
    [May 4 08:30:46]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
    [May 4 08:30:46]Creating PM instance for service_set: root
    [May 4 08:30:47]ssh_ike_init: Start
    [May 4 08:30:47]ssh_ike_init: params->ignore_cr_payloads = FALSE
    [May 4 08:30:47]ssh_ike_init: params->no_key_hash_payload = FALSE
    [May 4 08:30:47]ssh_ike_init: params->no_cr_payloads = FALSE
    [May 4 08:30:47]ssh_ike_init: params->do_not_send_crls = FALSE
    [May 4 08:30:47]ssh_ike_init: params->send_full_chains = FALSE
    [May 4 08:30:47]ssh_ike_init: params->trust_icmp_messages = FALSE
    [May 4 08:30:47]ssh_ike_init: params->spi_size = 0
    [May 4 08:30:47]ssh_ike_init: params->zero_spi = TRUE
    [May 4 08:30:47]ssh_ike_init: params->max_key_length = 512
    [May 4 08:30:47]ssh_ike_init: params->max_isakmp_sa_count = 8192
    [May 4 08:30:47]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
    [May 4 08:30:47]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_cnt = 1
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_default_retry = 2
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_cnt = 1
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
    [May 4 08:30:47]ssh_ike_create_system: params->randomizers_private_retry = 2
    [May 4 08:30:47]ssh_ike_attach_audit_context: Attaching a new audit context
    [May 4 08:30:47]ssh_ike_init: params->base_retry_limit = 5
    [May 4 08:30:47]ssh_ike_init: params->base_retry_timer = 10.000000
    [May 4 08:30:47]ssh_ike_init: params->base_retry_timer_max = 150.000000
    [May 4 08:30:47]ssh_ike_init: params->base_expire_timer = 180.000000
    [May 4 08:30:47]ssh_ike_init: params->extended_retry_limit = 5
    [May 4 08:30:47]ssh_ike_init: params->extended_retry_timer = 5.000000
    [May 4 08:30:47]ssh_ike_init: params->extended_retry_timer_max = 300.000000
    [May 4 08:30:47]ssh_ike_init: params->extended_expire_timer = 240.000000
    [May 4 08:30:47]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
    [May 4 08:30:47]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
    [May 4 08:30:47]iked_config_process_config_list, configuration diff complete
    [May 4 08:30:47]IKED-PKID-IPC
    [May 4 08:30:47]kmd_rpd_init
    [May 4 08:30:47]rpd session connected
    [May 4 08:30:47]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
    [May 4 08:30:48]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [May 4 08:30:48]kmd_rpd_cb_session_connect
    [May 4 08:30:48]kmd_rpd_cb_session_connect: rpd session established
    [May 4 08:30:48]kmd_rpd_db_read
    [May 4 08:30:48]kmd_rpd_db_read: gw handle 38
    [May 4 08:30:48]kmd_rpd_cb_protocol_register gw handle 0 return code 1
    [May 4 08:30:48]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
    [May 4 08:30:48]kmd_rpd_db_write
    [May 4 08:30:48]kmd_rpd_shutdown_session
    [May 4 08:30:53]kmd_rpd_init
    [May 4 08:30:53]rpd session connected
    [May 4 08:30:53]kmd_rpd_cb_session_connect
    [May 4 08:30:53]kmd_rpd_cb_session_connect: rpd session established
    [May 4 08:30:53]kmd_rpd_db_write
    [May 4 08:30:53]kmd_rpd_cb_protocol_register gw handle 39 return code 0
    [May 4 08:30:53]kmd_rpd_db_write
    [May 4 08:30:53]kmd_rpd_refresh_routes
    [May 4 08:31:10]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
    [May 4 08:31:11]Couldn't get the zone information for interface ext st0, error No such file or directory
    [May 4 08:31:14]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876606944 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 08:34:05]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 08:34:05]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 08:34:05]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 08:34:05]No SPUs are operational, returning.
    [May 4 08:34:05]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 08:34:05]Config download: Processed 1 - 2 messages
    [May 4 08:34:05]Config download time: 0 secs
    [May 4 08:34:05]iked_config_process_config_list, configuration diff complete
    [May 4 08:35:35]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
    [May 4 08:35:35]Successfully added SA Config
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876615520 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 08:37:08]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 08:37:08]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 08:37:08]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 08:37:08]No SPUs are operational, returning.
    [May 4 08:37:08]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 08:37:08]Config download: Processed 2 - 3 messages
    [May 4 08:37:08]Config download time: 0 secs
    [May 4 08:37:08]iked_config_process_config_list, configuration diff complete
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 08:38:07]Error: Unknown record, type = 25

    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 168, reclen = -1876616416 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 48, reclen = -1078474165 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 4, reclen = 0 **
    [May 4 08:38:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 08:38:07]No SPUs are operational, returning.
    [May 4 08:38:07]Config download: Processed 3 - 4 messages
    [May 4 08:38:07]Config download time: 0 secs
    [May 4 08:38:07]iked_config_process_config_list, configuration diff complete


    root> ping 192.168.86.4
    PING 192.168.86.4 (192.168.86.4): 56 data bytes
    64 bytes from 192.168.86.4: icmp_seq=0 ttl=255 time=13.466 ms
    64 bytes from 192.168.86.4: icmp_seq=1 ttl=255 time=7.005 ms
    64 bytes from 192.168.86.4: icmp_seq=2 ttl=255 time=6.879 ms
    64 bytes from 192.168.86.4: icmp_seq=3 ttl=255 time=11.194 ms
    64 bytes from 192.168.86.4: icmp_seq=4 ttl=255 time=7.379 ms
    64 bytes from 192.168.86.4: icmp_seq=5 ttl=255 time=8.763 ms


  • 4.  RE: IPSEC between SRX and Fortinet not coming up
    Best Answer

    Posted 05-04-2020 02:56

    Do the config below and update us:

     

    set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately

    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32

     

    show security ike security-associations

    show security ipsec security-associations 

    show security ipsec security-associations detail
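    As an added illustration that is not code from this thread, the following Python checker parses a trimmed copy of the SRX set-style configuration and the Fortinet phase1/phase2 blocks posted above and reports the mismatches the replies point at: aggressive mode with IKEv2, PFS enabled on one side only, proxy-IDs that do not mirror the Fortinet selectors, plus proposal and IKE-version mismatches. The algorithm-name normalisation in `norm` and the `apply_thread_fixes` helper are my own assumptions, not Juniper or Fortinet behaviour.

```python
import re
# Constructed inputs: trimmed copies of the SRX and Fortinet configs posted in this thread.
SRX_SET_LINES = """
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike policy ike01-DUB-Three mode aggressive
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
"""
FGT_CONFIG = """
config vpn ipsec phase1-interface
    edit "ike01-DUB-Three"
        set ike-version 2
        set proposal des-md5 des-sha256
end
config vpn ipsec phase2-interface
    edit "ike01-DUB-Three"
        set proposal des-md5 des-sha1
        set pfs disable
        set src-start-ip 1.1.1.1
        set dst-start-ip 2.2.2.2
end
"""
# One regex per Junos knob that matters for the negotiation; group 1 is the value.
JUNOS_KEYS = {
    "ike_enc": r"ike proposal \S+ encryption-algorithm (\S+)",
    "ike_auth": r"ike proposal \S+ authentication-algorithm (\S+)",
    "ike_mode": r"ike policy \S+ mode (\S+)",
    "ike_version": r"ike gateway \S+ version (\S+)",
    "esp_enc": r"ipsec proposal \S+ encryption-algorithm (\S+)",
    "esp_auth": r"ipsec proposal \S+ authentication-algorithm (\S+)",
    "pfs": r"perfect-forward-secrecy keys (\S+)",
    "proxy_local": r"proxy-identity local (\S+)",
    "proxy_remote": r"proxy-identity remote (\S+)",
}

def parse_junos(text):
    """Collect the IKE/IPsec knobs from Junos 'set' lines into one flat dict."""
    cfg = {key: None for key in JUNOS_KEYS}
    for line in text.splitlines():
        for key, pattern in JUNOS_KEYS.items():
            if match := re.search(pattern, line):
                cfg[key] = match.group(1)
    return cfg

def parse_fortinet(text):
    """Map (phase, key) -> value list for the phase1/phase2-interface blocks."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config vpn ipsec phase"):
            section = "p1" if "phase1" in line else "p2"
        elif line.startswith("set ") and section:
            _, key, *values = line.split()
            out[(section, key)] = values
    return out

def norm(alg):
    """Assumed mapping so 'des-cbc'/'des', 'sha-256'/'sha256', 'hmac-sha1-96'/'sha1' compare equal."""
    a = (alg or "").lower()
    for junk in ("hmac-", "-cbc", "-96", "-128"):
        a = a.replace(junk, "")
    return a.replace("-", "")

def compare(srx, fgt):
    """Return (code, message) findings for every mismatch that would block the SA."""
    found = []
    srx_ver = "2" if srx["ike_version"] == "v2-only" else "1"
    fgt_ver = fgt.get(("p1", "ike-version"), ["1"])[0]
    if srx_ver != fgt_ver:
        found.append(("ike-version", f"SRX IKEv{srx_ver} vs Fortinet IKEv{fgt_ver}"))
    if srx_ver == "2" and srx["ike_mode"] == "aggressive":
        found.append(("aggressive", "IKEv2 has no aggressive mode; remove 'mode aggressive'"))
    # Fortinet lists 'enc-auth' tokens per phase; the SRX pair must be one of them.
    for phase, enc, auth in (("p1", "ike_enc", "ike_auth"), ("p2", "esp_enc", "esp_auth")):
        offered = {tuple(norm(x) for x in p.split("-", 1)) for p in fgt.get((phase, "proposal"), [])}
        pair = (norm(srx[enc]), norm(srx[auth]))
        if pair not in offered:
            found.append((f"{phase}-proposal", f"SRX {pair} is not offered by Fortinet {phase}"))
    srx_pfs = srx["pfs"] is not None
    fgt_pfs = fgt.get(("p2", "pfs"), ["enable"])[0] != "disable"
    if srx_pfs != fgt_pfs:
        found.append(("pfs", f"PFS enabled on SRX={srx_pfs} but on Fortinet={fgt_pfs}"))
    # The SRX local proxy-ID must equal the Fortinet dst selector, and remote its src.
    fgt_src = fgt.get(("p2", "src-start-ip"), [None])[0]
    fgt_dst = fgt.get(("p2", "dst-start-ip"), [None])[0]
    if srx["proxy_local"] != f"{fgt_dst}/32" or srx["proxy_remote"] != f"{fgt_src}/32":
        found.append(("proxy-id", f"SRX proxy-identity must be local {fgt_dst}/32 remote {fgt_src}/32"))
    return found

def apply_thread_fixes(text):
    """Rewrite the SRX lines as replies 2 and 4 suggest: no aggressive mode, no PFS, mirrored proxy-IDs."""
    kept = [l for l in text.splitlines()
            if " mode aggressive" not in l and "perfect-forward-secrecy" not in l
            and "proxy-identity" not in l]
    kept += ["set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32",
             "set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32"]
    return "\n".join(kept)
```

    Running `compare(parse_junos(SRX_SET_LINES), parse_fortinet(FGT_CONFIG))` on the original lines reports the aggressive-mode, PFS and proxy-ID findings; after `apply_thread_fixes` the list is empty, which is exactly the state the best answer asks for.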

     

     



  • 5.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-04-2020 13:15

    Hi Nellikka,

     

    I have done the changes you mentioned below, but it is still not working. Please find the results below.

     

    set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately -- Configured

    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 2.2.2.2/32 -- Configured
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 1.1.1.1/32 -- Configured

     

    root> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    2089264 DOWN b6f334ca1da64432 0000000000000000 IKEv2 192.168.86.4

    root>

    root> show security ipsec security-associations
    Total active tunnels: 0

    root>

    root> show security ipsec security-associations detail

    root>

    Please find below the latest IPsec configuration and IKE traces.

     

    set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system services web-management http interface ge-0/0/1.0
    set system services web-management https pki-local-certificate 12345
    set system services web-management https interface ge-0/0/1.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 description TO_FORTINET
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
    set interfaces ge-0/0/2 description TO_R4
    set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
    set interfaces st0 unit 0 family inet
    set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
    set security ike traceoptions file IKE
    set security ike traceoptions file size 10k
    set security ike traceoptions file files 2
    set security ike traceoptions flag all
    set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
    set security ike proposal AES256-SHA256-DH2 dh-group group2
    set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
    set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
    set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
    set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
    set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
    set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
    set security ike gateway ike01-DUB-Three address 192.168.86.4
    set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
    set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
    set security ike gateway ike01-DUB-Three version v2-only
    set security ipsec proposal AES256-SHA256-PFS protocol esp
    set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
    set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
    set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
    set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
    set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
    set security ipsec vpn vpn01-DUB-Three df-bit clear
    set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity remote 2.2.2.2/32
    set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
    set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
    set security ipsec vpn vpn01-DUB-Three establish-tunnels immediately
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services all

    root> show log IKE
    [May 4 19:57:44]Config download time: 0 secs
    [May 4 19:57:44]iked_ts_config_template_clean_up_all_gt_gi Failed to find sa_cfg vpn01-DUB-Three
    [May 4 19:57:44]Creating PM instance for service_set: root
    [May 4 19:57:44]ssh_ike_init: Start
    [May 4 19:57:44]ssh_ike_init: params->ignore_cr_payloads = FALSE
    [May 4 19:57:44]ssh_ike_init: params->no_key_hash_payload = FALSE
    [May 4 19:57:44]ssh_ike_init: params->no_cr_payloads = FALSE
    [May 4 19:57:44]ssh_ike_init: params->do_not_send_crls = FALSE
    [May 4 19:57:44]ssh_ike_init: params->send_full_chains = FALSE
    [May 4 19:57:44]ssh_ike_init: params->trust_icmp_messages = FALSE
    [May 4 19:57:44]ssh_ike_init: params->spi_size = 0
    [May 4 19:57:44]ssh_ike_init: params->zero_spi = TRUE
    [May 4 19:57:44]ssh_ike_init: params->max_key_length = 512
    [May 4 19:57:44]ssh_ike_init: params->max_isakmp_sa_count = 8192
    [May 4 19:57:44]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
    [May 4 19:57:44]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_cnt = 1
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_default_retry = 2
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_cnt = 1
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
    [May 4 19:57:44]ssh_ike_create_system: params->randomizers_private_retry = 2
    [May 4 19:57:44]ssh_ike_attach_audit_context: Attaching a new audit context
    [May 4 19:57:44]ssh_ike_init: params->base_retry_limit = 5
    [May 4 19:57:44]ssh_ike_init: params->base_retry_timer = 10.000000
    [May 4 19:57:44]ssh_ike_init: params->base_retry_timer_max = 150.000000
    [May 4 19:57:44]ssh_ike_init: params->base_expire_timer = 180.000000
    [May 4 19:57:44]ssh_ike_init: params->extended_retry_limit = 5
    [May 4 19:57:44]ssh_ike_init: params->extended_retry_timer = 5.000000
    [May 4 19:57:44]ssh_ike_init: params->extended_retry_timer_max = 300.000000
    [May 4 19:57:44]ssh_ike_init: params->extended_expire_timer = 240.000000
    [May 4 19:57:44]ssh_ikev2_fallback_create: FB; v1 policy manager 8c33900 started
    [May 4 19:57:44]ssh_ikev2_fallback_attach: FB; v1 policy manager 8c33900 attached to server 8ced500
    [May 4 19:57:44]iked_config_process_config_list, configuration diff complete
    [May 4 19:57:44]IKED-PKID-IPC
    [May 4 19:57:44]kmd_rpd_init
    [May 4 19:57:44]rpd session connected
    [May 4 19:57:44]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
    [May 4 19:57:45]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [May 4 19:57:45]kmd_rpd_cb_session_connect
    [May 4 19:57:45]kmd_rpd_cb_session_connect: rpd session established
    [May 4 19:57:45]kmd_rpd_db_read
    [May 4 19:57:45]kmd_rpd_db_read: gw handle 39
    [May 4 19:57:45]kmd_rpd_cb_protocol_register gw handle 3216496872 return code 1
    [May 4 19:57:45]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
    [May 4 19:57:45]kmd_rpd_db_write
    [May 4 19:57:45]kmd_rpd_shutdown_session
    [May 4 19:57:50]kmd_rpd_init
    [May 4 19:57:50]rpd session connected
    [May 4 19:57:50]kmd_rpd_cb_session_connect
    [May 4 19:57:50]kmd_rpd_cb_session_connect: rpd session established
    [May 4 19:57:50]kmd_rpd_db_write
    [May 4 19:57:50]kmd_rpd_cb_protocol_register gw handle 39 return code 0
    [May 4 19:57:50]kmd_rpd_db_write
    [May 4 19:57:50]kmd_rpd_refresh_routes
    [May 4 19:57:54]Couldn't get the zone information for interface ge-0/0/1, error No such file or directory
    [May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
    [May 4 19:58:23]In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
    [May 4 19:58:23]Successfully added SA Config
    [May 4 19:58:23]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/2.0
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 143028240 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 143028240 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 432: record IPSEC_SA_TYPE, reclen = 380
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 17c, reclen = -1876615264 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 440: record TRAFFIC_SELECTOR, reclen = 168
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is a8, reclen = 32 **
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is cc, reclen = 0 **
    [May 4 20:06:07]Deleting existing ipsec trace cfg with key: 16777216

    [May 4 20:06:07]iked_ipsec_trace_flag_update: Successfully added ipsec trace config with key 0x1
    [May 4 20:06:07]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = -1078471800 **
    [May 4 20:06:07]No SPUs are operational, returning.
    [May 4 20:06:07]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
    [May 4 20:06:07]Config download: Processed 1 - 2 messages
    [May 4 20:06:07]Config download time: 0 secs
    [May 4 20:06:07]ikev2_packet_allocate: Allocated packet 8c24800 from freelist
    [May 4 20:06:07]iked_config_process_config_list, configuration diff complete
    [May 4 20:06:37]P1 SA 2089251 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:06:37]IKE SA delete called for p1 sa 2089251 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:06:37]Freeing all P2 SAs for IKEv2 p1 SA 2089251
    [May 4 20:06:37]P1 SA 2089251 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:06:37]iked_pm_p1_sa_destroy: p1 sa 2089251 (ref cnt 0), waiting_for_del 0x8c809a0
    [May 4 20:06:37]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:06:37]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:07:34]ikev2_packet_allocate: Allocated packet 8c24c00 from freelist
    [May 4 20:08:04]P1 SA 2089252 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:08:04]IKE SA delete called for p1 sa 2089252 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:08:04]Freeing all P2 SAs for IKEv2 p1 SA 2089252
    [May 4 20:08:04]P1 SA 2089252 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:08:04]iked_pm_p1_sa_destroy: p1 sa 2089252 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:08:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:08:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:08:34]ikev2_packet_allocate: Allocated packet 8c39000 from freelist

    [May 4 20:13:34]ikev2_packet_allocate: Allocated packet 8c3a400 from freelist
    [May 4 20:14:04]P1 SA 2089258 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:14:04]IKE SA delete called for p1 sa 2089258 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:14:04]Freeing all P2 SAs for IKEv2 p1 SA 2089258
    [May 4 20:14:04]P1 SA 2089258 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:14:04]iked_pm_p1_sa_destroy: p1 sa 2089258 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:14:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:14:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:14:34]ikev2_packet_allocate: Allocated packet 8c3a800 from freelist
    [May 4 20:15:04]P1 SA 2089259 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:15:04]IKE SA delete called for p1 sa 2089259 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:15:04]Freeing all P2 SAs for IKEv2 p1 SA 2089259
    [May 4 20:15:04]P1 SA 2089259 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:15:04]iked_pm_p1_sa_destroy: p1 sa 2089259 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:15:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:15:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:15:34]ikev2_packet_allocate: Allocated packet 8c3ac00 from freelist
    [May 4 20:16:04]P1 SA 2089260 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:16:04]IKE SA delete called for p1 sa 2089260 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:16:04]Freeing all P2 SAs for IKEv2 p1 SA 2089260
    [May 4 20:16:04]P1 SA 2089260 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:16:04]iked_pm_p1_sa_destroy: p1 sa 2089260 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:16:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:16:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:16:34]ikev2_packet_allocate: Allocated packet 8c3b000 from freelist
    [May 4 20:17:04]P1 SA 2089261 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:17:04]IKE SA delete called for p1 sa 2089261 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:17:04]Freeing all P2 SAs for IKEv2 p1 SA 2089261
    [May 4 20:17:04]P1 SA 2089261 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:17:04]iked_pm_p1_sa_destroy: p1 sa 2089261 (ref cnt 0), waiting_for_del 0x8c80a00
    [May 4 20:17:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:17:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:17:34]ikev2_packet_allocate: Allocated packet 8c3b400 from freelist
    [May 4 20:18:04]P1 SA 2089262 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:18:04]IKE SA delete called for p1 sa 2089262 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:18:04]Freeing all P2 SAs for IKEv2 p1 SA 2089262
    [May 4 20:18:04]P1 SA 2089262 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:18:04]iked_pm_p1_sa_destroy: p1 sa 2089262 (ref cnt 0), waiting_for_del 0x8c80a60
    [May 4 20:18:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:18:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:18:34]ikev2_packet_allocate: Allocated packet 8c3b800 from freelist
    [May 4 20:19:04]P1 SA 2089263 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    [May 4 20:19:04]IKE SA delete called for p1 sa 2089263 (ref cnt 3) local:192.168.86.3, remote:192.168.86.4, IKEv2
    [May 4 20:19:04]Freeing all P2 SAs for IKEv2 p1 SA 2089263
    [May 4 20:19:04]P1 SA 2089263 reference count is not zero (1). Delaying deletion of SA
    [May 4 20:19:04]iked_pm_p1_sa_destroy: p1 sa 2089263 (ref cnt 0), waiting_for_del 0x8c80a60
    [May 4 20:19:04]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
    [May 4 20:19:04]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    [May 4 20:19:34]ikev2_packet_allocate: Allocated packet 8c3bc00 from freelist

    #JNCIE
    #security
    #ospf
    #ike
    #IPSec


  • 6.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-05-2020 07:07

    As per the given output, the SRX is initiating VPN traffic but not getting packets from the Fortinet. Please enable debug on the Fortinet side and check: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46611

     

    Which SRX model and Junos version are you using? Please share the output of "show chassis fpc detail".



  • 7.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-05-2020 22:21

    Hi Nellikka,

    Thanks for your support, both phase 1 and phase 2 are up now. There was an issue with the Fortinet firewall policy; after correcting it, IPSEC came up. I have some questions:

     

    1. How can I redirect the traffic over the IPsec tunnel from source (2.2.2.2) to destination (1.1.1.1)? As we can see in the routing table, it is not showing a route for it. Do I need to configure a static route for the destination pointing towards the st0.0 interface?

     

    2. What if "establish-tunnels immediately" is not configured? What is the default behaviour of JunOS?

     


    + = Active Route, - = Last Active, * = Both

    2.2.2.2/32 *[Static/5] 01:16:46
    > to 23.0.0.2 via ge-0/0/2.0
    23.0.0.0/24 *[Direct/0] 01:16:46
    > via ge-0/0/2.0
    23.0.0.1/32 *[Local/0] 01:16:59
    Local via ge-0/0/2.0
    192.168.86.0/24 *[Direct/0] 01:16:46
    > via ge-0/0/1.0
    192.168.86.3/32 *[Local/0] 01:17:00
    Local via ge-0/0/1.0

    root> show security ipsec security-associations detail
    ID: 131073 Virtual-system: root, VPN Name: vpn01-DUB-Three
    Local Gateway: 192.168.86.3, Remote Gateway: 192.168.86.4
    Local Identity: ipv4(any:0,[0..3]=2.2.2.2)
    Remote Identity: ipv4(any:0,[0..3]=1.1.1.1)
    Version: IKEv2
    DF-bit: clear
    Bind-interface: st0.0

    Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
    Last Tunnel Down Reason: Lifetime expired
    Direction: inbound, SPI: ea741b61, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3518 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2880 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 5e5575e7, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3518 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2880 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

     

    root> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    3264977 UP 2f31bcc0891ceff9 a1b8c28e9f518341 IKEv2 192.168.86.4


    root> show chassis fpc detail
    Slot 0 information:
    State Online
    Total CPU DRAM ---- CPU less FPC ----
    Start time 2020-05-06 03:51:22 UTC
    Uptime 12 hour, 17 minutes, 37 seconds

    root>


    #ike
    #IPSec
    #SRX
    #security


  • 8.  RE: IPSEC between SRX and Fortinet not coming up

    Posted 05-05-2020 22:31

    Glad to know that the VPN came up.

    Yes, a static route should be configured for the destination network with the next hop as st0.0.

    The default behavior is on-demand. The tunnel will be initiated when traffic to the destination hits the SRX.
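As an added check tying the route question in reply 7 to the answer in reply 8 (my own script, not code from either poster or from Juniper): it parses the `show route` output quoted above, does a longest-prefix lookup for the VPN's remote identity 1.1.1.1, and reports whether that traffic is steered into st0.0, suggesting the static route if not. The way a fixed route would appear in the table (`> via st0.0`) is an assumption about the output format.

```python
import ipaddress
import re

# Sample input reproduced from the thread's "show route" output (no route for 1.1.1.1).
ROUTE_TABLE = """\
+ = Active Route, - = Last Active, * = Both
2.2.2.2/32 *[Static/5] 01:16:46
> to 23.0.0.2 via ge-0/0/2.0
23.0.0.0/24 *[Direct/0] 01:16:46
> via ge-0/0/2.0
23.0.0.1/32 *[Local/0] 01:16:59
Local via ge-0/0/2.0
192.168.86.0/24 *[Direct/0] 01:16:46
> via ge-0/0/1.0
192.168.86.3/32 *[Local/0] 01:17:00
Local via ge-0/0/1.0
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*\[(\w+)/\d+\]")   # "prefix *[Proto/pref]"
NH_RE = re.compile(r"via\s+(\S+)")                        # "> to X via IF" / "> via IF"

def parse_routes(text):
    """Return [(network, protocol, out_interface)] for each active route."""
    routes, current = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            current = [ipaddress.ip_network(m.group(1)), m.group(2), None]
            routes.append(current)
            continue
        nh = NH_RE.search(line)
        if nh and current is not None and current[2] is None:
            current[2] = nh.group(1)          # first next-hop line after the prefix
    return [tuple(r) for r in routes]

def lookup(routes, dst):
    """Longest-prefix match; returns (network, protocol, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, proto, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, proto, iface)
    return best

def tunnel_route_check(route_text, remote_id, tunnel_if="st0.0"):
    """Is traffic to the VPN's remote identity steered into the st0 tunnel interface?"""
    hit = lookup(parse_routes(route_text), remote_id)
    if hit is None:
        return (False, f"no route for {remote_id}; add: set routing-options "
                       f"static route {remote_id}/32 next-hop {tunnel_if}")
    if hit[2] != tunnel_if:
        return (False, f"{remote_id} matches {hit[0]} via {hit[2]}, not {tunnel_if}")
    return (True, f"{remote_id} routed via {tunnel_if} ({hit[0]} {hit[1]})")
```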