SRX


Ask questions and share experiences about the SRX Series.
  • 1.  Wrong VPN gateway selected

    Posted 05-12-2022 05:43
    Edited by Michael Pappas 05-13-2022 10:32
    Hello!

    I tried to configure a site-to-site VPN (ipsec-vpn-pfsense-oe5) next to a remote-user VPN (vpn-it-management). If I try to connect to the site-to-site VPN, the logs show that the remote-user VPN gateway is used. What am I missing? Error message and configuration below. Thank you very much!

    Error Message:
    May 11 13:59:39 srx300 kmd[2048]: IKE negotiation failed with error: Peer proposed phase1 negotiation mode (main/aggressive) does not match with configuration. IKE Version: 1, VPN: vpn-it-management Gateway: gateway-vpn-it-management, Local: xx.xx.xx.19/500, Remote: xx.xx.xx.100/61325, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    srx300# show security ike
    proposal proposal-vpn-it-management {
        description RemoteUserVPN;
        authentication-method pre-shared-keys;
        dh-group group19;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
    }
    proposal ike-proposal-vpn-pfsense {
        description PfSense;
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha-256;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy policy-vpn-it-management {
        mode aggressive;
        proposals proposal-vpn-it-management;
        pre-shared-key ascii-text ## SECRET-DATA
    }
    policy ike-policy-vpn-pfsense-oe5 {
        mode aggressive;
        proposals ike-proposal-vpn-pfsense;
        pre-shared-key ascii-text ## SECRET-DATA
    }
    gateway gateway-vpn-it-management {
        ike-policy policy-vpn-it-management;
        dynamic {
            user-at-hostname "user@host.tld";
            ike-user-type shared-ike-id;
        }
        dead-peer-detection {
            optimized;
            interval 10;
            threshold 5;
        }
        external-interface ge-0/0/0;
        local-address 91.102.11.19;
        aaa {
            access-profile access-vpn-it-management;
        }
        version v1-only;
        tcp-encap-profile ssl-vpn-it-management;
    }
    gateway ike-gateway-vpn-pfsense-oe5 {
        ike-policy ike-policy-vpn-pfsense-oe5;
        dynamic user-at-hostname "site@host.tld";
        external-interface ge-0/0/0;
        version v2-only;
    }
    srx300# show security ipsec
    proposal proposal-vpn-it-management {
        protocol esp;
        encryption-algorithm aes-256-gcm;
    }
    proposal ipsec-proposal-vpn-pfsense {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    policy policy-vpn-it-management {
        perfect-forward-secrecy {
            keys group19;
        }
        proposals proposal-vpn-it-management;
    }
    policy ipsec-policy-vpn-pfsense {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-proposal-vpn-pfsense;
    }
    vpn vpn-it-management {
        bind-interface st0.0;
        df-bit clear;
        ike {
            gateway gateway-vpn-it-management;
            ipsec-policy policy-vpn-it-management;
        }
        traffic-selector ts-1 {
            local-ip 10.2.1.0/24;
            remote-ip 0.0.0.0/0;
        }
    }
    vpn ipsec-vpn-pfsense-oe5 {
        bind-interface st0.1;
        ike {
            gateway ike-gateway-vpn-pfsense-oe5;
            ipsec-policy ipsec-policy-vpn-pfsense;
        }
        establish-tunnels immediately;
    }
    srx300# show interfaces st0
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
    }
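    As an added example, not from the thread or from Juniper: a small Python triage helper that parses the posted `show security ike` stanzas (trimmed to the fields it reads) and the kmd log line, then reports which gateway answered the peer, the IKE version and mode that gateway is configured for, and which other gateways share its external interface. `parse_junos` and `triage` are names chosen here; the sample values are copied from the post above.

```python
import re

# Constructed sample: the IKE policy and gateways posted in the thread, trimmed to the fields
# this check reads, and the kmd line as posted (placeholder addresses kept).
IKE_CONFIG = """\
policy policy-vpn-it-management {
    mode aggressive;
}
gateway gateway-vpn-it-management {
    ike-policy policy-vpn-it-management;
    dynamic user-at-hostname "user@host.tld";
    external-interface ge-0/0/0;
    version v1-only;
}
gateway ike-gateway-vpn-pfsense-oe5 {
    ike-policy ike-policy-vpn-pfsense-oe5;
    dynamic user-at-hostname "site@host.tld";
    external-interface ge-0/0/0;
    version v2-only;
}
"""
KMD_LINE = ("May 11 13:59:39 srx300 kmd[2048]: IKE negotiation failed with error: Peer proposed phase1 negotiation "
            "mode (main/aggressive) does not match with configuration. IKE Version: 1, VPN: vpn-it-management "
            "Gateway: gateway-vpn-it-management, Local: xx.xx.xx.19/500, Remote: xx.xx.xx.100/61325, "
            "Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder")
KMD_RE = re.compile(r"IKE Version: (?P<ver>\d+), VPN: (?P<vpn>\S+) Gateway: (?P<gw>\S+), "
                    r"Local: (?P<local>\S+), Remote: (?P<remote>\S+),")

def parse_junos(text):
    stack, cur = [], {}  # Junos brace syntax -> nested dicts; leaf "key value;" -> {"key": "value"}
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, val = line.rstrip(";").partition(" ")
            cur[key] = val
    return cur  # braces are balanced, so we are back at the root

def triage(config_text, kmd_line):
    # Which gateway answered the peer, what it is configured for, and which other gateways share its interface.
    cfg, m = parse_junos(config_text), KMD_RE.search(kmd_line)
    gws = {k.split(" ", 1)[1]: v for k, v in cfg.items() if k.startswith("gateway ")}
    pols = {k.split(" ", 1)[1]: v for k, v in cfg.items() if k.startswith("policy ")}
    hit = gws[m["gw"]]
    return {"peer": m["remote"], "peer_ike_version": int(m["ver"]), "gateway": m["gw"],
            "gateway_version": hit.get("version", "any"),
            "policy_mode": pols.get(hit["ike-policy"], {}).get("mode", "main"),  # main is the Junos default
            "same_interface": sorted(n for n, g in gws.items()
                                     if n != m["gw"] and g["external-interface"] == hit["external-interface"])}
```

    Running `triage(IKE_CONFIG, KMD_LINE)` shows the IKEv1 peer landing on the v1-only aggressive-mode gateway while the v2-only pfSense gateway sits on the same ge-0/0/0 interface.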


  • 2.  RE: Wrong VPN gateway selected

    Posted 05-12-2022 09:42
    Hi,

    You can check the URL below

    https://www.setroute0.com/2018/07/22/ipsec-tunnel-between-juniper-srx-and-pfsense-firewall/


    Thanks


  • 3.  RE: Wrong VPN gateway selected

    Posted 05-13-2022 10:33
    Thank you for your reply. The situation in the linked post is different: on the one hand they have only one VPN gateway, on the other hand both sides use static IP addresses. I'm pretty sure that I can solve my issue if I spend an additional IP address on the SRX gateway or I use a static IP address on the remote site. But I'd like to solve this with one static IP on the SRX device for all VPN gateways and a dynamic IP on the PfSense. Any ideas?

    ------------------------------
    MATTHIAS LAUTH
    ------------------------------



  • 4.  RE: Wrong VPN gateway selected

    Posted 05-16-2022 14:12
    Go here and run your it-management config through here. You'll see the differences.
    https://support.juniper.net/support/tools/vpnconfig/#advancedSettings