SRX




  • 1.  Wrong VPN gateway selected

    Posted 05-12-2022 05:43
    Hello!

    I tried to configure a site-to-site vpn (ipsec-vpn-pfsense-oe5) next to a remote-user-vpn (vpn-it-management). If I try to connect to the site-to-site vpn, the logs show that the remote-user-vpn gateway is used. What am I missing? Error message and configuration below. Thank you very much!

    Error Message:
    May 11 13:59:39 srx300 kmd[2048]: IKE negotiation failed with error: Peer proposed phase1 negotiation mode (main/aggressive) does not match with configuration. IKE Version: 1, VPN: vpn-it-management Gateway: gateway-vpn-it-management, Local: xx.xx.xx.19/500, Remote: xx.xx.xx.100/61325, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    srx300# show security ike
    proposal proposal-vpn-it-management {
        description RemoteUserVPN;
        authentication-method pre-shared-keys;
        dh-group group19;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
    }
    proposal ike-proposal-vpn-pfsense {
        description PfSense;
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha-256;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy policy-vpn-it-management {
        mode aggressive;
        proposals proposal-vpn-it-management;
        pre-shared-key ascii-text ## SECRET-DATA
    }
    policy ike-policy-vpn-pfsense-oe5 {
        mode aggressive;
        proposals ike-proposal-vpn-pfsense;
        pre-shared-key ascii-text ## SECRET-DATA
    }
    gateway gateway-vpn-it-management {
        ike-policy policy-vpn-it-management;
        dynamic {
            user-at-hostname "user@host.tld";
            ike-user-type shared-ike-id;
        }
        dead-peer-detection {
            optimized;
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/0;
        local-address 91.102.11.19;
        aaa {
            access-profile access-vpn-it-management;
        }
        version v1-only;
        tcp-encap-profile ssl-vpn-it-management;
    }
    gateway ike-gateway-vpn-pfsense-oe5 {
        ike-policy ike-policy-vpn-pfsense-oe5;
        dynamic user-at-hostname "site@host.tld";
        external-interface ge-0/0/0;
        version v2-only;
    }
    srx300# show security ipsec
    proposal proposal-vpn-it-management {
        protocol esp;
        encryption-algorithm aes-256-gcm;
    }
    proposal ipsec-proposal-vpn-pfsense {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    policy policy-vpn-it-management {
        perfect-forward-secrecy {
            keys group19;
        }
        proposals proposal-vpn-it-management;
    }
    policy ipsec-policy-vpn-pfsense {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-proposal-vpn-pfsense;
    }
    vpn vpn-it-management {
        bind-interface st0.0;
        df-bit clear;
        ike {
            gateway gateway-vpn-it-management;
            ipsec-policy policy-vpn-it-management;
        }
        traffic-selector ts-1 {
            local-ip 10.2.1.0/24;
            remote-ip 0.0.0.0/0;
        }
    }
    vpn ipsec-vpn-pfsense-oe5 {
        bind-interface st0.1;
        ike {
            gateway ike-gateway-vpn-pfsense-oe5;
            ipsec-policy ipsec-policy-vpn-pfsense;
        }
        establish-tunnels immediately;
    }
    srx300# show interfaces st0
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
    }

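The following is an added example, not code from the original post or from Juniper. It parses the kmd line quoted in the first post and models, under a deliberately simplified assumption about responder-side gateway selection (only the receiving interface, the IKE version on the gateway, and a fixed versus dynamic peer address are considered; this is not the Junos algorithm), which of the two gateways from the posted configuration could have been matched for an incoming IKEv1 packet from an unknown address. The gateway list and the log line are taken from the post; the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the kmd line quoted in the first post, with the
# addresses masked exactly as the poster masked them.
KMD_LOG = (
    "May 11 13:59:39 srx300 kmd[2048]: IKE negotiation failed with error: "
    "Peer proposed phase1 negotiation mode (main/aggressive) does not match with "
    "configuration. IKE Version: 1, VPN: vpn-it-management "
    "Gateway: gateway-vpn-it-management, Local: xx.xx.xx.19/500, "
    "Remote: xx.xx.xx.100/61325, Local IKE-ID: Not-Available, "
    "Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder"
)

# Field layout as it appears in the quoted line; other kmd messages may differ.
KMD_FAILURE_RE = re.compile(
    r"kmd\[\d+\]: IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<version>\d), VPN: (?P<vpn>[^,\s]+) Gateway: (?P<gateway>[^,\s]+), "
    r"Local: (?P<local_ip>[^/]+)/(?P<local_port>\d+), "
    r"Remote: (?P<remote_ip>[^/]+)/(?P<remote_port>\d+), "
    r"Local IKE-ID: (?P<local_id>.+?), Remote IKE-ID: (?P<remote_id>.+?), "
    r"VR-ID: (?P<vr>\d+): Role: (?P<role>\w+)"
)


def parse_kmd_failure(line: str) -> Optional[dict]:
    """Return the named fields of a kmd 'IKE negotiation failed' line, or None."""
    m = KMD_FAILURE_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["version"] = int(event["version"])
    return event


@dataclass
class IkeGateway:
    name: str
    external_interface: str
    version: str                   # 'v1-only' or 'v2-only', as in the post's config
    phase1_mode: str               # mode on the referenced ike policy
    dynamic: bool                  # peer address not fixed in the gateway
    address: Optional[str] = None  # fixed peer address when not dynamic


# The two gateways from the post's 'show security ike' output.
GATEWAYS: List[IkeGateway] = [
    IkeGateway("gateway-vpn-it-management", "ge-0/0/0", "v1-only", "aggressive", True),
    IkeGateway("ike-gateway-vpn-pfsense-oe5", "ge-0/0/0", "v2-only", "aggressive", True),
]


def candidate_gateways(gateways: List[IkeGateway], interface: str,
                       ike_version: int, peer_ip: str) -> List[IkeGateway]:
    """Simplified responder-side selection (an assumption of this example, not
    the Junos algorithm): keep gateways on the receiving interface that speak
    the peer's IKE version; a fixed-address gateway must also match the peer
    IP, while a dynamic gateway accepts any peer address."""
    wanted = f"v{ike_version}-only"
    out = []
    for g in gateways:
        if g.external_interface != interface or g.version != wanted:
            continue
        if not g.dynamic and g.address != peer_ip:
            continue
        out.append(g)
    return out


def infer_peer_phase1_mode(event: dict, gateways: List[IkeGateway]) -> Optional[str]:
    """The log says the peer's phase-1 mode differs from the selected gateway's
    configured mode, so the peer must have proposed the other one."""
    if "phase1 negotiation mode" not in event["error"]:
        return None
    selected = next(g for g in gateways if g.name == event["gateway"])
    return "main" if selected.phase1_mode == "aggressive" else "aggressive"


if __name__ == "__main__":
    ev = parse_kmd_failure(KMD_LOG)
    names = [g.name for g in candidate_gateways(GATEWAYS, "ge-0/0/0",
                                                ev["version"], ev["remote_ip"])]
    print(f"IKEv{ev['version']} from {ev['remote_ip']}: candidate gateways {names}")
    print(f"peer proposed phase-1 mode: {infer_peer_phase1_mode(ev, GATEWAYS)}")
```

Run stand-alone, the script reports that an IKEv1 packet from an unknown address can only be matched against gateway-vpn-it-management under this model, because the pfSense gateway in the posted configuration is v2-only, and that the peer proposed main mode while that gateway's policy is aggressive. The same parser can be pointed at a file of kmd lines to count failures per gateway, which is a cheap way to spot a remote site repeatedly landing on the wrong gateway.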

  • 2.  RE: Wrong VPN gateway selected

    Posted 05-12-2022 09:42
    Hi,

    You can check the URL below

    https://www.setroute0.com/2018/07/22/ipsec-tunnel-between-juniper-srx-and-pfsense-firewall/


    Thanks


  • 3.  RE: Wrong VPN gateway selected

    Posted 05-13-2022 10:33
    Thank you for your reply. The situation in the linked post is different: on the one hand they have only one VPN gateway, on the other hand both sides use static IP addresses. I'm pretty sure that I can solve my issue if I spend an additional IP address on the SRX gateway or I use a static IP address on the remote site. But I'd like to solve this with one static IP on the SRX device for all VPN gateways and a dynamic IP on the pfSense. Any ideas?

    ------------------------------
    MATTHIAS LAUTH
    ------------------------------



  • 4.  RE: Wrong VPN gateway selected

    Posted 05-16-2022 14:12
    Go here and run your it-management config through here. You'll see the differences.
    https://support.juniper.net/support/tools/vpnconfig/#advancedSettings