SRX

Trouble with IPSEC 1 phase. SRX-220

  • 1.  Trouble with IPSEC 1 phase. SRX-220

    Posted 03-14-2017 02:30

    Good day.

    I have an issue with phase 1 of IPsec.

    I have a test stand of 2 Junipers on my table. I use public IPs so that it all looks like reality.

    So I have log messages like this:

    Mar 14 07:57:26  Node_0_Bottom kmd[1342]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN_J-2-J Gateway: IKE_Gate, Local: 212.48.226.94/500, Remote: 212.48.226.93/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

    Config I've attached.

    I've tried:

    changing all parameters of the IKE proposal
    changing the password
    changing the zone (now all interfaces are in the trust zone and everything is permitted for tests)
    and so on.

    Attachment(s): srx_node0.txt (7 KB), srx_node1.txt (5 KB)


  • 2.  RE: Trouble with IPSEC 1 phase. SRX-220

    Posted 03-14-2017 02:39

    Node 1

    show security ike security-associations

    root@Node_1_Upper> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    6196021 DOWN   aaa4e14a9e4b98e9  5c6a40e50eb584e2  Any            212.48.226.94

    root@Node_1_Upper> show security ike security-associations detail
    IKE peer 212.48.226.94, Index 6196021, Gateway Name: N/A
      Role: Responder, State: DOWN
      Initiator cookie: aaa4e14a9e4b98e9, Responder cookie: 5c6a40e50eb584e2
      Exchange type: Any, Authentication method: Unknown
              :500, Remote: 212.48.226.94:500
      Peer ike-id: not available
      Xauth user-name: not available
      Xauth assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : (null)
       Encryption            : (null)
       Pseudo random function: (null)
       Diffie-Hellman group  : unknown
      Traffic statistics:
       Input  bytes  :                  452
       Output bytes  :                  102
       Input  packets:                    1
       Output packets:                    1
      Flags: IKE SA is created
      IPSec security associations: 0 created, 0 deleted
      Phase 2 negotiations in progress: 0

    The IKE SA on Node 0 is always empty:

    root@Node_0_Bottom# run show security ike security-associations detail

    root@Node_0_Bottom#


  • 3.  RE: Trouble with IPSEC 1 phase. SRX-220
    Best Answer

     
    Posted 03-14-2017 02:55
    Below given are the most probable reason for this error.

    1. The Phase 1 proposals do not match.
    2. The IP address specified for the (remote) gateway is in correct.
    3.The external-interface is in correct.
    4 .The dynamic entry specified for the (remote) gateway is incorrect.

    From your config I can eliminate the first 3 possibilities . To make sure 4th is not an issue can you add below config and check.

    Node0
    set security ike gateway IKE_Gate remote-identity inet 212.48.226.93

    Node1
    set security ike gateway IKE_Gate remote-identity inet 212.48.226.94

    commit the changes and then check the tunnel status.


    If this don’t fix, please share the complete kmd logs and "show security ipsec inactive-sa" output


    Ref:

    https://kb.juniper.net/KB10101
    https://kb.juniper.net/KB30548


  • 4.  RE: Trouble with IPSEC 1 phase. SRX-220

    Posted 03-14-2017 03:13

    Suraj, thanks for the help.

    I've tried setting the remote identity before. It doesn't change anything. I set it again.

    root@Node_1_Upper# run show security ipsec inactive-tunnels
      Total inactive tunnels: 1
      Total inactive tunnels with establish immediately: 1
      ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
      131073 500   0      0      600228    212.48.226.94    Bind interface's zone information not available

    root@Node_0_Bottom# run show security ipsec inactive-tunnels
      Total inactive tunnels: 1
      Total inactive tunnels with establish immediately: 1
      ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
      131073 500   0      0      600a29    212.48.226.93    SA not initiated

    st0.0 at node 1 was not bound to the trust zone. I fixed it. But nothing happened.



  • 5.  RE: Trouble with IPSEC 1 phase. SRX-220

     
    Posted 03-14-2017 06:07
    "restart ipsec-key-management" if this dont help "commit full" on both nodes . if not fix try reboot of both nodes it might be the process is stuck


  • 6.  RE: Trouble with IPSEC 1 phase. SRX-220

     
    Posted 03-14-2017 06:08
    try adding a static route with st0 as next hop before trying commit full
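    The items the replies above check (remote-identity on the IKE gateway, st0.0 bound to a security zone, a static route with st0.0 as next hop), written out as an added Junos set-command example for Node_0_Bottom; this is not the poster's attached config. Only IKE_Gate, VPN_J-2-J, st0.0, the trust zone and the two public addresses come from the thread; the proposal and policy names, the external interface ge-0/0/0.0, the st0.0 address, the remote subnet and the pre-shared key are assumed placeholders, and lines starting with ## are explanatory comments.

```junos
## Phase 1: proposal and policy (names and algorithms are assumptions, not from the thread)
set security ike proposal IKE_Prop authentication-method pre-shared-keys
set security ike proposal IKE_Prop dh-group group2
set security ike proposal IKE_Prop authentication-algorithm sha1
set security ike proposal IKE_Prop encryption-algorithm aes-128-cbc
set security ike policy IKE_Pol mode main
set security ike policy IKE_Pol proposals IKE_Prop
set security ike policy IKE_Pol pre-shared-key ascii-text "PLACEHOLDER_PSK"

## Gateway: peer address, the remote-identity suggested in reply 3, and the
## external interface (ge-0/0/0.0 is an assumed placeholder)
set security ike gateway IKE_Gate ike-policy IKE_Pol
set security ike gateway IKE_Gate address 212.48.226.93
set security ike gateway IKE_Gate remote-identity inet 212.48.226.93
set security ike gateway IKE_Gate external-interface ge-0/0/0.0

## Phase 2: route-based VPN bound to st0.0 (proposal/policy names assumed)
set security ipsec proposal IPSEC_Prop protocol esp
set security ipsec proposal IPSEC_Prop authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_Prop encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC_Pol perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_Pol proposals IPSEC_Prop
set security ipsec vpn VPN_J-2-J bind-interface st0.0
set security ipsec vpn VPN_J-2-J ike gateway IKE_Gate
set security ipsec vpn VPN_J-2-J ike ipsec-policy IPSEC_Pol
set security ipsec vpn VPN_J-2-J establish-tunnels immediately

## st0.0 needs an address and a zone: a tunnel whose bind interface is in no
## zone shows "Bind interface's zone information not available" (reply 4)
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set security zones security-zone trust interfaces st0.0

## Static route via st0.0 (reply 6); 192.168.2.0/24 is an assumed remote subnet
set routing-options static route 192.168.2.0/24 next-hop st0.0

## After commit, the checks used in this thread:
##   run show security ike security-associations
##   run show security ipsec inactive-tunnels
##   restart ipsec-key-management   (if kmd appears stuck, per reply 5)
```

    The Node_1_Upper side mirrors this with the two public addresses swapped (address and remote-identity 212.48.226.94) and the other end of the st0.0 /30.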


  • 7.  RE: Trouble with IPSEC 1 phase. SRX-220

    Posted 03-14-2017 06:41

    There was a useful command:

    run show security ipsec inactive-tunnels

    So after I fixed the trouble with the zone and interface, nothing happened until I rebooted the router.

    So now it's OK. I'll go on configuring IPsec.

    Thanks for the help