Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  Phase 2 message under tunnel events that I'm curious about.

    Posted 07-29-2021 14:12
    I configured a VPN and Phase 1 is up and Phase 2 appears to be up.
    It's a route-based VPN with traffic selectors.

    In the tunnel events I get this message:
    "Negotiation failed with INVALID_SYNTAX error (104 times)" for each of the traffic selectors. The prior messages are:


    IPSec SA negotiation successfully completed (1 times)
    Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    IKE SA negotiation successfully completed (4 times)
    IPSec SA negotiation successfully completed (1 times)
    Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)

    What does the invalid syntax mean? I compared configs and they match. The full message, with the line in question bolded in red, is below.

    Tunnel events:
    IPSec SA negotiation successfully completed (1 times)
    Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    IKE SA negotiation successfully completed (4 times)
    IPSec SA negotiation successfully completed (1 times)
    Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Negotiation failed with INVALID_SYNTAX error(104 times)
    Direction: inbound, SPI: efa10870, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3394 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2796 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: c46c784f, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3394 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2796 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Thank you all for sharing to this thread!

    ------------------------------
    Juan
    ------------------------------


  • 2.  RE: Phase 2 message under tunnel events that I'm curious about.
    Best Answer

    Posted 07-30-2021 05:30
    Hi Juan,

    "Negotiation failed with INVALID_SYNTAX error" indicates a mismatch in the pre-shared key. As per the given output, it is corrected now and the VPN is UP. The latest tunnel events are shown at the top and old events are at the bottom.

    Tunnel events:
    IPSec SA negotiation successfully completed (1 times)
    Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    IKE SA negotiation successfully completed (4 times)
    IPSec SA negotiation successfully completed (1 times)
    Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Negotiation failed with INVALID_SYNTAX error(104 times)
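A small checker that applies the ordering rule from the answer above (newest tunnel event first, so a failure at the bottom of the list is stale) and confirms that both SA directions are installed. This is an added example, not code from the thread or from Juniper; the sample blocks are constructed from the output quoted in the question, and the regular expressions assume the plain-text event and SA line formats shown there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample modelled on the tunnel-events list quoted in the thread.
# Junos lists the newest event first, so the INVALID_SYNTAX line is the oldest.
SAMPLE_EVENTS = """\
IPSec SA negotiation successfully completed (1 times)
Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
IKE SA negotiation successfully completed (4 times)
IPSec SA negotiation successfully completed (1 times)
Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
Negotiation failed with INVALID_SYNTAX error(104 times)
"""

# Constructed sample of the per-direction SA lines quoted in the thread.
SAMPLE_SAS = """\
Direction: inbound, SPI: efa10870, AUX-SPI: 0, VPN Monitoring: -
Mode: Tunnel(0 0), Type: dynamic, State: installed
Direction: outbound, SPI: c46c784f, AUX-SPI: 0, VPN Monitoring: -
Mode: Tunnel(0 0), Type: dynamic, State: installed
"""

# "<event text> (N times)" and the failure code inside a failed-negotiation event.
EVENT_RE = re.compile(r"^(?P<text>.*?)\s*\((?P<count>\d+) times\)\s*$")
FAILURE_RE = re.compile(r"Negotiation failed with (?P<code>[A-Z_]+) error")


@dataclass
class Event:
    text: str
    count: int
    failure_code: Optional[str]  # e.g. "INVALID_SYNTAX"; None for non-failure events


def parse_events(block: str) -> List[Event]:
    """Parse the '(N times)' event lines, preserving order (newest first)."""
    events: List[Event] = []
    for line in block.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        text = m.group("text")
        f = FAILURE_RE.search(text)
        events.append(Event(text, int(m.group("count")), f.group("code") if f else None))
    return events


def parse_installed_directions(block: str) -> Set[str]:
    """Return the SA directions ('inbound'/'outbound') whose state is 'installed'."""
    installed: Set[str] = set()
    direction: Optional[str] = None
    for line in block.splitlines():
        d = re.match(r"Direction:\s*(\w+)", line.strip())
        if d:
            direction = d.group(1)
        elif "State: installed" in line and direction:
            installed.add(direction)
    return installed


def classify(events: List[Event], installed: Set[str]) -> dict:
    """Separate a current failure (newest event) from stale ones, then judge tunnel state."""
    current_failure = events[0].failure_code if events else None
    # Any failure that is not the newest event has a later success or ready event above it.
    stale = [(e.failure_code, e.count) for e in events[1:] if e.failure_code]
    return {
        "up": current_failure is None and installed == {"inbound", "outbound"},
        "current_failure": current_failure,
        "stale_failures": stale,
        "installed_directions": sorted(installed),
    }


if __name__ == "__main__":
    result = classify(parse_events(SAMPLE_EVENTS), parse_installed_directions(SAMPLE_SAS))
    print(result)
```

For the thread's output this reports the tunnel as up with the INVALID_SYNTAX failure listed under stale_failures; only a failure that appears as the newest event, or a missing inbound or outbound installed SA, turns the verdict to down.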