SRX

Hi,

I have one question here. Is there is anyway to get the proposal info on the SRX. Suppose I am establish IPSEC VPN between another organization and they set the proposal to (proposal-set compatible instead of standard). Is there any traceoption or log will indicate where exactly the mismatch or what is the parameter is missing/ wrong instead of finger point each other

Regards,

Mohamed Elhariry

You can look at "show log kmd" and also configure traceoptions under security->ike.

There's a hidden command to set a more detailed debug level as well, "set security ike traceoptions level 15" (or other levels, I just use 15 usually).

This is a place to start:

# set security ike traceoptions file ike-debug size 10m files 2
# set security ike traceoptions flag all
# set security ike traceoptions level 15

This will put the IKE debugs into a separate file called "ike-debug" so you can do a "show log ike-debug" to see the relevant information.

Hi kr,

Thanks for your replay. I saw same advise in previous post from you 🙂 and tried already before asking. The problem is like I have VPN is working fine but tried to change the proposal from standard to compatible. How can I receive in the logs mis match in proposal and the received one is standard not compatible. I am simulating troubleshooting problem

I attached the log from the traceoptions file created replaced my IP address with 92.X.X.X and remote IP with 94.Y.Y.Y

for the kmd file it showing no logs

Regards,

Mohamed Elhariry

Attachment(s)

vpn logs.txt   124 KB 1 version

Hi,

It is phase one problem not phase 2 I changed the proposal under ike policy.

So we can confirm from the traceoptions, I couldn't figure-out the proposal is standard not compatible from the other end.

I am facing problems when I establish VPN with any other vendor sometimes the parameter is not clear or the IT admin is not qualified there to give me the correct parameters. So I want to detect it on my FW and adjust it without refer to him.

Regards,

Mohamed Elhariry

TCPDUMP can provide you complet einformation of exchange.

Regards,

Raveen

Yes you are correct. So far I have not seen any longs that would indicate what proposal is being used at the other end. So are you saying you cannot ask for and get this information?

The you could not have see any ike sa? In fact I should have paid more attention. That means you run the command: >show security ike sa, this should not show anything. But as I said, I should have been more careful. If phase one was successful it would have said Responder done.
Oct 8 10:41:40 Phase-1 [responder] done for local=ipv4(udp:500,[0..3]=1.1.1.2)
remote=ipv4(udp:500,[0..3]=2.2.2.2)
This has more information on troubleshooting. http://www.juniper.net/techpubs/en_US/junos13.1/information-products/topic-collections/nce/vpn-hub-spoke-nhtb/configuring-hub-and-spoke-vpns-using-nhtb.pdf#search=%22phase%201%20error%22
Clear the log, clear the sessions
clear security ike security-associations

add the following to your traceoptions(if they are not present)

I think
The post the new log and we should get more details.

[edit security ike traceoptions]
lab@srxA-2# show | display set
set security ike traceoptions file iktrace
set security ike traceoptions flag policy-manager
set security ike traceoptions flag routing-socket
set security ike traceoptions flag parse
set security ike traceoptions flag config
set security ike traceoptions flag ike

tell the admin to log in and tell him exactly where to to look for the information you need.

This gave me another idea. So I changed the proposal in phase 1 and save the log file. Then changed it back to the correct one and compared them. And it made a world of difference. So we know that the connection error 14 means mismatched proposal. I have not done same for phase 2 IPSEC, but may try it later. You can actually see it telling you the hash, encry algorythm etc. Very nice. My suggestion is do same and you will get better information for yourself.

Thx every one

It start working I got in the traceoptions

Aug 11 23:44:51 ike_find_group_from_sa: No isakmp group defined yet
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 1 (0x0001), value = 5 (0x00000005), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Encryption alg = 5 (3des-cbc)
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 2 (0x0002), value = 2 (0x00000002), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Hash alg = 2 (sha1)
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 3 (0x0003), value = 1 (0x00000001), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Auth method = 1
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 4 (0x0004), value = 2 (0x00000002), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Group = 2, a8f180
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 11 (0x000b), value = 1 (0x00000001), len = 2 (0x0002)
Aug 11 23:44:51 jnp_ike_get_data_attribute_int: get_int: type = 12 (0x000c), value = 28800 (0x00007080), len = 2 (0x0002)
Aug 11 23:44:51 176.Y.Y.Y:500 (Initiator) <-> 94.X.X.X:500 { d1eac08a c9b81708 - 00000000 00000000 [-1] / 0x00000000 } Aggr; Life duration 28800 secs

although the kmd file still empty but I think it is another problem may be related to the junos version. I will check later.

# run show log kmd    
Aug 11 22:19:55 SRX-FW1 clear-log[4640]: logfile cleared
Aug 11 23:53:26 Group/Shared IKE ID VPN configured: 0

Thanks again for all members