SRX


Ask questions and share experiences about the SRX Series.
  • 1.  IKE negotiation failed with error: Timed out

    Posted 17 days ago


    Good day,

    I tried to establish a tunnel with a Draytek.
    The Draytek is using 4G with a dynamic IP (no NAT; the Draytek has a publicly reachable IP).

    I did this before with success and expected an easy job.

    However, the tunnel didn't work.
    In the logfile I see the message below, but I didn't find a reason, and Google wasn't helpful either.

    kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    Some screenshots from the Draytek





    security ike >
    proposal draytek {
       authentication-method pre-shared-keys;
       dh-group group2;
       authentication-algorithm sha-256;
       encryption-algorithm 3des-cbc;
       lifetime-seconds 28800;
    }
    policy casa-fw01 {
       mode aggressive;
       proposals draytek;
       pre-shared-key ascii-text "****"; ## SECRET-DATA
    }
    gateway casa-fw01 {
       ike-policy casa-fw01;
       dynamic hostname casa-fw01.fnetonline.local;
       external-interface pp0.0;
    }
    security ipsec >
    proposal draytek {
       protocol esp;
       authentication-algorithm hmac-sha1-96;
       encryption-algorithm aes-256-cbc;
       lifetime-seconds 27000;
    }
    policy casa-fw01 {
       proposals draytek;
    }
    vpn casa-fw01 {
       bind-interface st0.30;
       ike {
          gateway casa-fw01;
          proxy-identity {
             local 172.16.20.0/24;  <---- lan on the srx
             remote 172.16.30.0/24; <---- lan on draytek
             service any;
          }
          ipsec-policy casa-fw01;
       }
    }

    st0.30 has its own security zone with security policies.
    The external interface pp0.0 is used in 5 other tunnels, so that part should be fine.



  • 2.  RE: IKE negotiation failed with error: Timed out

    Posted 14 days ago
    The full step-by-step check process is outlined in this KB.

    https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels

    Yours appears to be a phase 1 issue, so enabling the detailed logging as noted in this KB would likely be the next step to find the reason.
    https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-1-VPN-connection-issues

    I would first check that the SRX can trace/ping to the Draytek and the reverse.  A timeout like this is often from reachability or security blocks on the protocol.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: IKE negotiation failed with error: Timed out

    Posted 8 days ago
    The key here will be to get more detailed messages.  Try this logging configuration found in the second KB above that forces more logging to be generated.  Ideally, you want the remote side to initiate the tunnel as well.  Frequently with timeouts the side requesting is just not getting the message from the remote side as to why they are unhappy.

    # set system syslog file kmd-logs daemon info
    # set system syslog file kmd-logs match KMD
    # commit


    View the generated logs with

    show log kmd-logs



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
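    Once kmd-logs is collecting, the failure lines all share the fixed field layout quoted in the first post (error, IKE version, VPN, gateway, local/remote endpoints, local/remote IKE-ID, VR-ID, role). The parser below, added here as an illustration and not part of any post or of Junos, pulls those fields out of a `show log kmd-logs` dump and counts failures per gateway, so that a responder-side timeout with no peer IKE-ID recorded (the case in the first post) is easy to separate from proposal mismatches or initiator-side stalls. The log lines are constructed for the example, using RFC 5737 documentation addresses in place of real public IPs; the triage hints restate the checks suggested in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output of "show log kmd-logs" (not captured from the
# poster's device).  The first line mirrors the format quoted in post 1 with
# documentation addresses; the last line is unrelated noise the parser must skip.
SAMPLE_KMD_LOG = """\
Jun 10 08:12:01 srx kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: 192.0.2.10/500, Remote: 198.51.100.7/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Jun 10 08:12:40 srx kmd[2064]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: site-b Gateway: site-b, Local: 192.0.2.10/500, Remote: 203.0.113.5/500, Local IKE-ID: 192.0.2.10, Remote IKE-ID: 203.0.113.5, VR-ID: 0: Role: Responder
Jun 10 08:13:02 srx kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: site-c Gateway: site-c, Local: 192.0.2.10/500, Remote: 203.0.113.9/500, Local IKE-ID: 192.0.2.10, Remote IKE-ID: site-c.example.net, VR-ID: 0: Role: Initiator
Jun 10 08:13:05 srx mgd[1200]: UI_COMMIT: User 'admin' requested 'commit' operation
"""

# Field layout of the "IKE negotiation failed" message as quoted in the thread.
FAILURE_RE = re.compile(
    r"IKE negotiation failed with error: (?P<error>[^.]+)\. "
    r"IKE Version: (?P<version>\d+), "
    r"VPN: (?P<vpn>\S+) Gateway: (?P<gateway>[^,]+), "
    r"Local: (?P<local>[^,]+), Remote: (?P<remote>[^,]+), "
    r"Local IKE-ID: (?P<local_id>[^,]+), Remote IKE-ID: (?P<remote_id>[^,]+), "
    r"VR-ID: (?P<vr_id>\d+): Role: (?P<role>\w+)"
)


@dataclass
class IkeFailure:
    error: str
    version: int
    vpn: str
    gateway: str
    local: str
    remote: str
    local_id: str
    remote_id: str
    vr_id: int
    role: str


def parse_kmd_log(text: str) -> List[IkeFailure]:
    """Return one IkeFailure per line that carries the failure message; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(IkeFailure(
            error=d["error"], version=int(d["version"]), vpn=d["vpn"],
            gateway=d["gateway"], local=d["local"], remote=d["remote"],
            local_id=d["local_id"], remote_id=d["remote_id"],
            vr_id=int(d["vr_id"]), role=d["role"],
        ))
    return events


def summarize(events: List[IkeFailure]) -> Dict[str, Dict[str, int]]:
    """Count failures per gateway and error string, e.g. {'casa-fw01': {'Timed out': 1}}."""
    counts: Dict[str, Dict[str, int]] = {}
    for ev in events:
        counts.setdefault(ev.gateway, {}).setdefault(ev.error, 0)
        counts[ev.gateway][ev.error] += 1
    return counts


def triage(ev: IkeFailure) -> str:
    """Map a failure to the next check suggested in the thread (a heuristic, not SRX logic)."""
    if ev.error == "Timed out" and ev.role == "Responder" and ev.remote_id == "Not-Available":
        return "responder timed out with no peer IKE-ID recorded: verify UDP/500 reachability both ways, then identity config"
    if ev.error == "Timed out":
        return "exchange stalled: collect kmd-logs on both peers and have the remote side initiate"
    if ev.error == "No proposal chosen":
        return "phase 1 proposal mismatch: compare DH group, auth and encryption algorithms"
    return "unclassified: inspect detailed kmd-logs"


if __name__ == "__main__":
    parsed = parse_kmd_log(SAMPLE_KMD_LOG)
    for ev in parsed:
        print(f"{ev.gateway:10} {ev.role:9} {ev.error:20} -> {triage(ev)}")
    print(summarize(parsed))
```

    Run it against a saved copy of `show log kmd-logs` by reading the file into `parse_kmd_log`; the regex anchors on the message body, so the syslog timestamp and process prefix can vary without breaking the match.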



  • 4.  RE: IKE negotiation failed with error: Timed out

     
    Posted 14 days ago
    Hello,

    Instead of configuring "hostname casa-fw01.fnetonline.local" on SRX device configure below:

    set security ike gateway casa-fw01 remote-identity casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 local-identity <SRX public IP>

    As the Draytek is the one with the dynamic IP, we should configure its local identity as the remote-identity so that we would identify and accept the IKE proposal.

    Let me know if it works.

    ------------------------------
    Brijil R
    ------------------------------



  • 5.  RE: IKE negotiation failed with error: Timed out

    Posted 13 days ago
    Thanks for your answers.

    @spuluka 
    I have seen the sites, but there is no mention of a timeout.

    @Brijil
    Since the Draytek has a dynamic IP, the "dynamic" part is needed (otherwise I need a fixed IP in the config).
    I tried it with remote-identity instead of dynamic hostname and set the current public IP as the address, but that wasn't working either.



  • 6.  RE: IKE negotiation failed with error: Timed out

     
    Posted 13 days ago
    Hello,

    The timeout could be occurring because the SRX is failing to identify the peer.
    So we can try two things here. First, configure the dynamic hostname, remote-identity and local-identity together:

    set security ike gateway casa-fw01 dynamic hostname casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 remote-identity hostname casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 local-identity inet 1.1.1.1

    Otherwise, configure general-ikeid and see if that helps:
     
    set security ike gateway casa-fw01 general-ikeid

    If neither helps, we would probably have to debug the issue and see what's going on.

    Regards

    ------------------------------
    Brijil R
    ------------------------------



  • 7.  RE: IKE negotiation failed with error: Timed out

    Posted 10 days ago
    Good evening,

    I did some more tests.
    To rule out the dynamic hostname etc., I set the public address. (The IP is valid for 24 hours or until a reboot, so for a test it is fine.)

    I also added general-ikeid, but still the same timeout.

    I can ping the Juniper (and also... there is "some" response at the Juniper, so network should be a problem)