SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-24-2017 19:51

    Hi All,

     

    I am trying to set up a route-based IPsec VPN between an SRX345 and a Cisco RVI 130, but it does not work, with the following error: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.

     

    Can anyone advise on this?

     

    Enclosed screenshots from RVI130 and below is SRX345 config:

     

    security {
        ike {
            proposal ikephase1proposal_VPN1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 28800;
            }
            policy ikephase1policy_VPN1 {
                mode aggressive;
                proposals ikephase1proposal_VPN1;
                pre-shared-key ascii-text "Password"; ## SECRET-DATA
            }
            gateway gw-VPN1 {
                ike-policy ikephase1policy_VPN1;
                address 10.10.10.10;
                external-interface reth1.0;
            }
        }
        ipsec {
            proposal ipsecphase2proposal_VPN1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy ipsecphase2policy_VPN1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsecphase2proposal_VPN1;
            }
            vpn ike-vpn-VPN1 {
                bind-interface st8.0;
                ike {
                    gateway gw-VPN1;
                    ipsec-policy ipsecphase2policy_VPN1;
                }
            }
        }
        flow {
            tcp-mss {
                ipsec-vpn {
                    mss 1350;
                }
            }
        }
    }




  • 2.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation
    Best Answer

    Posted 05-24-2017 20:09

    Hi,

     

    From the screen shots and the configuration, I could find 2 issues.

    1. You are using aggressive mode on both sides; please change it to main mode for the phase 1 IKE negotiation.

    policy ikephase1policy_VPN1 {
        mode aggressive;  <<<<<<<<<<<<<< this should be main mode on both sides
        proposals ikephase1proposal_VPN1;
        pre-shared-key ascii-text "Password"; ## SECRET-DATA
    }

     

    2. The tunnel interface defined in the IPSEC VPN section is also not correct.

    vpn ike-vpn-VPN1 {
        bind-interface st8.0;  <<<<<<<<<<<<<<< not a correct tunnel interface; it should be st0.* and not st8.0.
        ike {
            gateway gw-VPN1;
            ipsec-policy ipsecphase2policy_VPN1;
        }
    }

     

     

    Please configure the above things and also let us know whether the st0 interface is assigned to a security zone or not.

     

     

    Regards,

    Guru Prasad



  • 3.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-24-2017 20:28

    Hi Guru,

     

    Thanks for your advice! The st8.0 is assigned to the corresponding security zone, as in the config below. Actually, there are several VPN tunnels from various sites to the SRX345, and this is the no. 8 site, so I use st8.0. Is there any misconfiguration?

     

    security-zone vpn-VPN1 {
        address-book {
            address VPN1_remote_1 1.1.1.0/24;
            address VPN1_remote_2 1.1.2.0/24;
        }
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            st8.0;
        }
    }

     

     



  • 4.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-24-2017 20:33

    Hi,

     

    Yes, there is an issue with the configuration.

    Because the SRX does not support st8.0: if it is the 8th tunnel, then it should be st0.8 instead of st8.0.

     

    regards,

    Guru Prasad

     



  • 5.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-26-2017 03:05

    Hi Guru,

     

    Thanks for your clarification. But for the traffic selector, is it necessary to configure it? I've checked a related document that indicates the system will use a default proxy-id of 0.0.0.0/0 for local and remote and 'any' for service when a traffic selector is not configured. I am so curious about this. Kindly please advise.

     

    Best Regards,

    Dylen



  • 6.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-28-2017 05:59

    You are reading that correctly.  If no traffic selectors are configured the proxy-id sent by the SRX is 0.0.0.0/0 local and 0.0.0.0/0 remote.  

     

    This will need to be the same as the Cisco "interesting traffic" ACL configured for the VPN on that side.



  • 7.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-31-2017 17:59

    Hi spuluka,

     

    Thanks for your reply. So what if I leave the proxy-id as default on SRX? Will it be unable to communicate between these 2 sites?

     

    Best Regards,

    Dylen



  • 8.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 06-01-2017 02:51

    I am not sure if the Cisco ASA can have an interesting traffic acl with 0.0.0.0/0 for both local and remote traffic.  I have set them up with 0.0.0.0/0 for remote traffic with local traffic specific.

     

    But the basic premise here is that the proxy id must match between the Juniper and the Cisco.  If you don't configure a proxy id via traffic selectors on the Juniper then it will send the open 0.0.0.0/0 for both local and remote.

     

    What is the interesting traffic ACL on the Cisco ASA right now?

     

    The command lyndidon is suggesting is a debug command to generate more detailed logs in a file, not security.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB19943



  • 9.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-30-2017 11:36

    You also need to add

    host-inbound-traffic system-services ike



  • 10.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-31-2017 17:47

    Hi lyndidon,

     

    You mean to add this command to secure tunnel as well?

     

    Best Regards,

    Dylen



  • 11.  RE: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

    Posted 05-24-2017 20:16

    Hi,

     

    Also, the 3rd issue which I found is that on the Cisco side you have definitely specified the local and the remote subnets; however, on the SRX there is nothing of that sort configured.

     

    Please configure the same under the ipsec VPN hierarchy.

    set security ipsec vpn test traffic-selector test1 local-ip a.b.c.d/x
    set security ipsec vpn test traffic-selector test1 remote-ip e.f.g.h/x

     

    In the above commands, a.b.c.d/x represents your local subnet behind the SRX and e.f.g.h/x represents the local subnet behind the Cisco RVI router.

     

     

    Regards,

    Guru Prasad
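The four fixes raised across this thread (main mode, an st0.N bind interface, the ike host-inbound service on the zone holding the external interface, and proxy-IDs that match the peer's interesting-traffic ACL) can be checked mechanically before committing. The following is an added example, not code from the thread or from Juniper: a small linter over a set-format rendering of the original poster's config; the zone name "untrust" for reth1.0 and the sample ACL prefixes are assumptions.

```python
import re
# Constructed sample in Junos "set" form reproducing the thread's mistakes; the
# zone name "untrust" holding the external interface is an assumption.
SAMPLE = """\
set security ike policy ikephase1policy_VPN1 mode aggressive
set security ike gateway gw-VPN1 external-interface reth1.0
set security ipsec vpn ike-vpn-VPN1 ike gateway gw-VPN1
set security ipsec vpn ike-vpn-VPN1 bind-interface st8.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone vpn-VPN1 interfaces st8.0
"""
def parse(text):
    # Tokens of every "set ..." line, with the leading "set" dropped.
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]

def find(stmts, *prefix):
    # Remainder of each statement whose path begins with prefix.
    return [s[len(prefix):] for s in stmts if tuple(s[:len(prefix)]) == prefix]

def proxy_ids(stmts, vpn):
    # Proxy-ID pair the SRX offers: the traffic-selector if set, else 0.0.0.0/0 both.
    ts = {s[1]: s[2] for s in find(stmts, "security", "ipsec", "vpn", vpn,
                                    "traffic-selector") if len(s) >= 3}
    return ts.get("local-ip", "0.0.0.0/0"), ts.get("remote-ip", "0.0.0.0/0")

def lint(text, cisco_acl=("0.0.0.0/0", "0.0.0.0/0")):
    # cisco_acl is the peer's interesting-traffic pair expressed from the SRX
    # side (SRX local, SRX remote); the proxy-IDs must match it exactly.
    stmts, out = parse(text), []
    zones = find(stmts, "security", "zones", "security-zone")
    for pol in find(stmts, "security", "ike", "policy"):
        if pol[1:3] == ["mode", "aggressive"]:
            out.append(f"ike policy {pol[0]}: aggressive mode, use main on both sides")
    vpns = find(stmts, "security", "ipsec", "vpn")
    for name in sorted({v[0] for v in vpns}):
        for st in (v for v in vpns if v[0] == name):
            if st[1] == "bind-interface" and not re.fullmatch(r"st0\.\d+", st[2]):
                out.append(f"vpn {name}: bind-interface {st[2]} is not an st0.N unit")
            if st[1:3] == ["ike", "gateway"]:  # external interface's zone needs "ike"
                ext = find(stmts, "security", "ike", "gateway", st[3],
                           "external-interface")[0][0]
                zone = next(z[0] for z in zones if z[1:3] == ["interfaces", ext])
                if not any(z[0] == zone and z[1:] == ["host-inbound-traffic",
                           "system-services", "ike"] for z in zones):
                    out.append(f"zone {zone}: host-inbound-traffic system-services ike missing")
        if proxy_ids(stmts, name) != tuple(cisco_acl):
            out.append(f"vpn {name}: proxy-ID {proxy_ids(stmts, name)} != peer ACL {cisco_acl}")
    return out
```

Running `lint(SAMPLE)` reports the three configuration findings from the thread; passing the peer's ACL pair as `cisco_acl` adds the proxy-ID mismatch when no traffic-selector is configured.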