That's the guide that is incorrect for route based VPNs.
Step 8 is incompatible.
edit: oddly enough I just went to the next step.
Weird how packets are coming IN, but not out.
Session ID: 8832, Policy name: self-traffic-policy/1, Timeout: 60, Valid
In: 192.168.10.1/13309 --> 172.16.61.1/90;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,
Out: 172.16.61.1/90 --> 192.168.10.1/13309;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
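An added example, not from the thread or from Juniper: a small Python parser for the `show security flow session` lines quoted above that flags sessions whose st0.0 wing never carried a packet, i.e. traffic went into the tunnel and nothing came back. The second session in the sample is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the session output quoted in the thread;
# session 8840 is invented to show a healthy two-way flow for comparison.
SESSION_OUTPUT = """\
Session ID: 8832, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 192.168.10.1/13309 --> 172.16.61.1/90;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 84,
  Out: 172.16.61.1/90 --> 192.168.10.1/13309;icmp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 8840, Policy name: VPN/4, Timeout: 1800, Valid
  In: 192.168.10.50/51234 --> 192.168.168.20/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 1450,
  Out: 192.168.168.20/443 --> 192.168.10.50/51234;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 10, Bytes: 6020,
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\w+),.*?If: (\S+), Pkts: (\d+), Bytes: (\d+),")

@dataclass
class Wing:
    src: str      # "address/port"
    dst: str
    proto: str
    ifname: str   # interface this wing's packets arrive on
    pkts: int
    nbytes: int

def parse_sessions(text):
    """Parse session headers and their In/Out wings into a list of dicts."""
    sessions, current = [], None
    for line in text.splitlines():
        if (m := SESSION_RE.match(line)):
            current = {"id": int(m.group(1)), "policy": m.group(2), "wings": {}}
            sessions.append(current)
        elif (m := WING_RE.match(line)) and current is not None:
            d, src, dst, proto, ifname, pkts, nbytes = m.groups()
            current["wings"][d] = Wing(src, dst, proto, ifname, int(pkts), int(nbytes))
    return sessions

def one_way_tunnel_sessions(sessions, tunnel_if="st0.0"):
    """IDs of sessions whose wing on the tunnel interface has seen zero packets:
    the SRX forwarded traffic into the VPN but no reply came back through it."""
    stuck = []
    for s in sessions:
        out = s["wings"].get("Out")
        if out and out.ifname == tunnel_if and out.pkts == 0:
            stuck.append(s["id"])
    return stuck

if __name__ == "__main__":
    for sid in one_way_tunnel_sessions(parse_sessions(SESSION_OUTPUT)):
        print(f"session {sid}: no return traffic on st0.0")
```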
Original Message:
Sent: 01-19-2021 17:00
From: STEVE PULUKA
Subject: Can someone post their branch to branch ikev2 routed VPN config?
Here is the guide for vpn tunnel up without passing traffic step by step
https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 01-19-2021 14:21
From: Unknown User
Subject: Can someone post their branch to branch ikev2 routed VPN config?
So, oddly enough, I changed my phase 2 to AES-SHA1 from AES-256 and the tunnel came right up.
Now I can't pass any traffic.
Original Message:
Sent: 01-18-2021 21:10
From: Unknown User
Subject: Can someone post their branch to branch ikev2 routed VPN config?
I shall try that tomorrow. Thank you!
There's no way to make your own encryption / authentication algorithm, is there?
The only thing I can think is the Juniper is sending aes-256 and 128, but the 3rd party is not.
That shouldn't matter, but maybe it does.
Thanks,
Original Message:
Sent: 01-18-2021 20:11
From: STEVE PULUKA
Subject: Can someone post their branch to branch ikev2 routed VPN config?
I have had this issue occasionally between vendors on IPSEC. Naturally confirm that both sides really, really, really are configured EXACTLY the same parameters. Subtle differences will fail.
But if they are the same and it logs as different, your next step is to pick a new scheme and go at it again. I had both ASA and Cradlepoints over the years that would not connect with certain group numbers but would on others for example.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 01-18-2021 11:26
From: Unknown User
Subject: Can someone post their branch to branch ikev2 routed VPN config?
Walked through the T/S VPN and I'm getting this, but it looks like everything matches!
IKE negotiation failed with error: Peer proposed phase2 proposal conflicts with local configuration. Negotiation failed. I
Original Message:
Sent: 01-18-2021 10:12
From: Unknown User
Subject: Can someone post their branch to branch ikev2 routed VPN config?
Hey thanks!
I found that after I posted this, but I'm not getting the tunnel up.
How does my config look?
Sadly, the other end gives me very little T/S ability and I'm new to T/S Junos, so not really sure where to look.
I've double checked PSK, etc.
Is that guide missing security configurations?
I noticed the VPN zone doesn't have anything under the host-inbound-traffic.
security {
    ike {
        proposal Test-IkeP1-Proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy Test-P1-Policy {
            proposals Test-IkeP1-Proposal;
            pre-shared-key ascii-text "$9$KeVMxNVwYoZUbw5Q36AtxN-dgok.P"; ## SECRET-DATA
        }
        gateway Test {
            ike-policy Test-P1-Policy;
            address x.x.x.5;
            external-interface ge-0/0/0;
            version v2-only;
        }
    }
    ipsec {
        proposal Test-IPsecP2-Proposal {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy Test-IPsecP2-Policy {
            proposals Test-IPsecP2-Proposal;
        }
        vpn Test {
            bind-interface st0.0;
            ike {
                gateway Test;
                ipsec-policy Test-IPsecP2-Policy;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1320;
            }
        }
    }
    policies {
        from-zone local to-zone VPN-Remote {
            policy VPN {
                match {
                    source-address Local;
                    destination-address Remote;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone VPN-Remote to-zone local {
            policy VPN {
                match {
                    source-address Remote;
                    destination-address Local;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone local {
            address-book {
                address Local 192.168.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone VPN-Remote {
            address-book {
                address Remote 192.168.168.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address x.x.x.x.222/29;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 169.254.27.142/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop x.x.x.x.217;
        route 192.168.168.0/24 next-hop st0.0;
    }
}
Original Message:
Sent: 01-17-2021 18:13
From: STEVE PULUKA
Subject: Can someone post their branch to branch ikev2 routed VPN config?
Naturally, with cross-vendor connections you need to be extra careful in matching all the phase 1 and phase 2 settings. But these are the SRX-side configs for route-based VPN with IKEv2.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-vpns-for-ikev2.html
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 01-16-2021 22:05
From: Unknown User
Subject: Can someone post their branch to branch ikev2 routed VPN config?
I've been working with Junos for about 8 months and we've got to set up an IKEv2 routed VPN to a 3rd-party firewall.
Can someone post their configuration for such a thing and I'll make mine off of that?