Hi Tim,
I added the NAT configurations as specified.
Now I do see the ISAKMP request packet with source NAT IP.
We are using strongswan on the other end.
I'm seeing the error message "iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed" on the Juniper SRX after the other end sends the IKE response.
Logs on SRX:
[Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection source IP from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
[Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload NAT detection destination IP from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
[Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Multiple auth supported from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
[Nov 9 05:32:33]ikev2_decode_packet: [e44800/1c39400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, N(MULTIPLE_AUTH_SUPPORTED)
[Nov 9 05:32:33]ikev2_packet_allocate: Allocated packet e35000 from freelist
[Nov 9 05:32:33]Added (spi=0x2ceb7f9a, protocol=0) entry to the spi table
[Nov 9 05:32:33]iked_pm_ike_conf_request: SA-CFG BT-ike-vpn-srx2 not configured for config payload. Skipping...
[Nov 9 05:32:33]iked_pm_ike_spd_notify_request: Sending Initial contact
[Nov 9 05:32:33]Construction NHTB payload for local:10.9.91.125, remote:10.79.105.221 IKEv2 P1 SA index 637539 sa-cfg BT-ike-vpn-srx2
[Nov 9 05:32:33]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg BT-ike-vpn-srx2, p1_sa=637539
[Nov 9 05:32:33]ikev2_packet_allocate: Allocated packet e45000 from freelist
[Nov 9 05:32:33]iked_pm_ike_spd_notify_received: Received Unauthenticated notification payload Authentication failed from local:10.9.91.125 remote:10.79.105.221 IKEv2 for P1 SA 637539
[Nov 9 05:32:33]ikev2_decode_packet: [e45000/1c39400] Received packet: HDR, N(AUTHENTICATION_FAILED)
[Nov 9 05:32:33]ikev2_state_auth_initiator_in: [e45000/1c39400] Error: IKE_AUTH packet is missing IDr or AUTH payload
[Nov 9 05:32:33]ikev2_process_notify: [e45000/1c39400] Received error notify Authentication failed (24)
[Nov 9 05:32:33]ikev2_state_error: [e45000/1c39400] Negotiation failed because of error Authentication failed (24)
[Nov 9 05:32:33]IKE negotiation fail for local:10.9.91.125, remote:10.79.105.221 IKEv2 with status: Authentication failed
[Nov 9 05:32:33]IPSec negotiation failed for SA-CFG BT-ike-vpn-srx2 for local:10.9.91.125, remote:10.79.105.221 IKEv2. status: Authentication failed
[Nov 9 05:32:33] P2 ed info: flags 0xc2, P2 error: Error ok
Summary of my configs:
I'm using lo0.100 as the external interface in the IKE gateway config.
lo0.100 & the WAN interface are in the same zone.
NAT is configured from the junos-host zone to the untrust1 zone.
lo0.100 : 192.168.100.1
ge-0/0/3.0(wan): 10.9.91.125
Other end IP (strongSwan): 10.79.105.191
NAT flow output:
root@site-1> show security flow session nat
Session ID: 267471, Policy name: self-traffic-policy/1, Timeout: 56, Valid
In: 192.168.100.1/500 --> 10.79.105.191/500;udp, If: .local..0, Pkts: 40, Bytes: 14560
Out: 10.79.105.191/500 --> 10.9.91.125/14405;udp, If: ge-0/0/3.0, Pkts: 40, Bytes: 13600
Total sessions: 1
Tunnel flow session:
root@site-1> show security flow session tunnel
Session ID: 267460, Policy name: N/A, Timeout: N/A, Valid
In: 10.79.105.191/0 --> 192.168.100.1/0;esp, If: lo0.100, Pkts: 0, Bytes: 0
Session ID: 267461, Policy name: N/A, Timeout: N/A, Valid
In: 10.79.105.191/0 --> 192.168.100.1/0;ah, If: lo0.100, Pkts: 0, Bytes: 0
Total sessions: 2
root@site-1> show security ike sa detail
IKE peer 10.79.105.191, Index 709122, Gateway Name: BT-gw-srx1-bkp
Role: Initiator, State: DOWN
Initiator cookie: 5edba4212ce78692, Responder cookie: fb147f7992d599dc
Exchange type: IKEv2, Authentication method: Pre-shared-keys
Local: 192.168.100.1:500, Remote: 10.79.105.191:4500
Peer ike-id: not available
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes128-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : unknown
Traffic statistics:
Input bytes : 312
Output bytes : 592
Input packets: 1
Output packets: 2 <<--- I do not see the second packet leaving the WAN interface
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
Please let me know how to proceed.
Thanks
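Added worked example (not part of the original post, and not Juniper or strongSwan code): the IKE_SA_INIT response above carries N(NAT_DETECTION_SOURCE_IP) and N(NAT_DETECTION_DESTINATION_IP), and the flow session shows the SRX's 192.168.100.1/500 being source-NATed to 10.9.91.125/14405 on the way out. The script below computes those notifies the way RFC 7296 section 2.23 defines them (SHA-1 over SPIi | SPIr | address | port) and plays both halves of the exchange, so you can see why the strongSwan side concludes the initiator is behind NAT and floats to UDP 4500, which matches "Remote: 10.79.105.191:4500" in the SA detail. It also includes a small triage helper that pulls the received payload lists and the error notify out of the quoted iked log lines. Assumptions: the initiator SPI is the initiator cookie from the `show security ike sa detail` output, the responder SPI is all zeros in the first message (as the RFC requires), the peer address is 10.79.105.191 from the flow session, and the regexes are written against the log format exactly as quoted in the post.

```python
"""IKEv2 NAT detection (RFC 7296 s2.23) and SRX iked log triage.
Added example; values below are taken from or constructed to match the post."""
import hashlib
import ipaddress
import re
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """N(NAT_DETECTION_*) data: SHA-1(SPIi | SPIr | IP address | port), all in
    network byte order. In the IKE_SA_INIT request SPIr is still eight zero bytes."""
    assert len(spi_i) == 8 and len(spi_r) == 8, "IKEv2 SPIs are 8 octets"
    packed_ip = ipaddress.ip_address(ip).packed  # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def peer_behind_nat(received: bytes, spi_i: bytes, spi_r: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """Receiver-side check: recompute the hash over the address/port actually seen
    on the wire. A mismatch means a NAT rewrote the header in between."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != received


def analyse_nat_detection(spi_i: bytes, local_ip: str, local_port: int,
                          remote_ip: str, remote_port: int,
                          observed_src_ip: str, observed_src_port: int) -> dict:
    """Initiator builds the notifies from its own view of the addresses; the
    responder compares them against the packet it received. Assumes the responder
    is reachable directly on remote_ip:remote_port (no NAT on its side)."""
    spi_r = bytes(8)  # responder SPI not yet known in the IKE_SA_INIT request
    n_source = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
    n_destination = nat_detection_hash(spi_i, spi_r, remote_ip, remote_port)
    initiator_natted = peer_behind_nat(n_source, spi_i, spi_r,
                                       observed_src_ip, observed_src_port)
    responder_natted = peer_behind_nat(n_destination, spi_i, spi_r,
                                       remote_ip, remote_port)
    return {
        "initiator_behind_nat": initiator_natted,
        "responder_behind_nat": responder_natted,
        # Either side behind NAT means both must switch to UDP 4500 / UDP-encap ESP
        "expect_udp_4500": initiator_natted or responder_natted,
    }


# Log lines copied from the post (the three that decide the outcome).
SAMPLE_IKED_LOG = [
    "[Nov 9 05:32:33]ikev2_decode_packet: [e44800/1c39400] Received packet: HDR, SA, KE, "
    "Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ, "
    "N(MULTIPLE_AUTH_SUPPORTED)",
    "[Nov 9 05:32:33]ikev2_decode_packet: [e45000/1c39400] Received packet: HDR, "
    "N(AUTHENTICATION_FAILED)",
    "[Nov 9 05:32:33]ikev2_process_notify: [e45000/1c39400] Received error notify "
    "Authentication failed (24)",
]

# Hypothetical triage patterns, written against the quoted format only.
PAYLOADS_RE = re.compile(r"Received packet: (.+)$")
ERROR_NOTIFY_RE = re.compile(r"Received error notify (.+?) \((\d+)\)")


def triage_iked_log(lines) -> dict:
    """Return the payload list of every received IKE message and the error notify
    (name, number) that ended the negotiation, if any."""
    exchanges, error = [], None
    for line in lines:
        m = PAYLOADS_RE.search(line)
        if m:
            exchanges.append([p.strip() for p in m.group(1).split(",")])
        m = ERROR_NOTIFY_RE.search(line)
        if m:
            error = (m.group(1), int(m.group(2)))
    return {"exchanges": exchanges, "error_notify": error}


if __name__ == "__main__":
    spi_i = bytes.fromhex("5edba4212ce78692")  # initiator cookie from the post
    # Initiator view: lo0.100 192.168.100.1:500 -> peer 10.79.105.191:500.
    # Wire view after source NAT (flow session): 10.9.91.125:14405.
    print(analyse_nat_detection(spi_i, "192.168.100.1", 500,
                                "10.79.105.191", 500, "10.9.91.125", 14405))
    print(triage_iked_log(SAMPLE_IKED_LOG))
```

Two things the output makes visible: the NAT detection notifies in IKE_SA_INIT are inherently unauthenticated (no AUTH payload exists yet), which is all the "Received Unauthenticated notification payload" prefix in the SRX log means; and the second received message contains only N(AUTHENTICATION_FAILED) with no IDr or AUTH, i.e. the responder rejected the IKE_AUTH request rather than the NAT traversal itself, so the responder's own log is where the reason for the rejection will be recorded.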