The key here will be to get more detailed messages. Try this logging configuration, found in the second KB above, that forces more logging to be generated. Ideally, you want the remote side to initiate the tunnel as well. Frequently with timeouts, the side requesting is just not getting the message from the remote side as to why they are unhappy.
# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit
View the generated logs with
show log kmd-logs
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
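The kmd-logs file configured above is the right place to look, but an SRX carrying several tunnels produces many such lines. As an added example, not from this thread or from Juniper, the following Python script parses the "IKE negotiation failed with error" message in the field order quoted later in this thread, counts failures per gateway, role and error, and attaches a first-pass triage hint. The sample log lines, the RFC 5737 addresses in them and the triage rules are all constructed for this example; the hint for a timeout where both IKE-IDs are Not-Available follows the reachability advice given in the replies and is a heuristic, not a Junos diagnosis.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional

# Field order follows the kmd message format shown in this thread; re.search is used
# so a leading syslog timestamp/hostname prefix does not matter.
_FAIL_RE = re.compile(
    r"kmd\[(?P<pid>\d+)\]: IKE negotiation failed with error: (?P<error>[^.]+)\. "
    r"IKE Version: (?P<ike_version>\d), "
    r"VPN: (?P<vpn>\S+) Gateway: (?P<gateway>\S+), "
    r"Local: (?P<local>\S+?)/(?P<local_port>\d+), "
    r"Remote: (?P<remote>\S+?)/(?P<remote_port>\d+), "
    r"Local IKE-ID: (?P<local_id>.+?), "
    r"Remote IKE-ID: (?P<remote_id>.+?), "
    r"VR-ID: (?P<vr_id>\d+): Role: (?P<role>\w+)"
)

# Constructed sample input: the first two lines mirror the message quoted in the thread with
# documentation addresses (203.0.113.0/24, 198.51.100.0/24) substituted; the third shows a
# different kmd error and the last is an unrelated syslog line that must be ignored.
SAMPLE_LINES = [
    "Jan 21 14:20:01 srx-fw kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: 203.0.113.10/500, Remote: 198.51.100.25/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder",
    "Jan 21 14:22:31 srx-fw kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: 203.0.113.10/500, Remote: 198.51.100.25/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder",
    "Jan 21 14:25:02 srx-fw kmd[2064]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: site-b Gateway: site-b, Local: 203.0.113.10/500, Remote: 198.51.100.40/500, Local IKE-ID: 203.0.113.10, Remote IKE-ID: 198.51.100.40, VR-ID: 0: Role: Initiator",
    "Jan 21 14:26:00 srx-fw sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 51512",
]


def parse_failure(line: str) -> Optional[dict]:
    """Return the fields of one 'IKE negotiation failed' line, or None if the line is not one."""
    m = _FAIL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "ike_version", "local_port", "remote_port", "vr_id"):
        rec[key] = int(rec[key])
    return rec


def triage(rec: dict) -> str:
    """Heuristic first-pass hint for a parsed failure (constructed rules, not Junos output)."""
    if rec["error"] == "Timed out":
        if rec["local_id"] == "Not-Available" and rec["remote_id"] == "Not-Available":
            # No identity was ever exchanged: the peer's packets (or ours) most likely never
            # arrived, so check reachability and filtering of UDP/500 (UDP/4500 with NAT-T) first.
            return ("no peer identity seen before timeout: verify reachability and that UDP/500 "
                    "(and UDP/4500 if NAT-T) is not filtered on either side, then enable kmd logging")
        return ("identity exchanged before timeout: enable kmd logging on both peers to see which "
                "message went unanswered")
    if rec["error"] == "No proposal chosen":
        return ("proposal mismatch: compare IKE/IPsec proposals (DH group, authentication, "
                "encryption, lifetimes) on both peers")
    return "unclassified: review kmd-logs for the full exchange"


def summarize(lines: Iterable[str]) -> Counter:
    """Count failures keyed by (gateway, role, error) so a noisy tunnel stands out."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            counts[(rec["gateway"], rec["role"], rec["error"])] += 1
    return counts


def report(lines: Iterable[str]) -> List[str]:
    """One human-readable line per (gateway, role, error) with a triage hint."""
    lines = list(lines)
    hints = {}
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            hints.setdefault((rec["gateway"], rec["role"], rec["error"]), triage(rec))
    out = []
    for (gateway, role, error), n in summarize(lines).most_common():
        out.append(f"{gateway} ({role}) {error}: {n} failure(s) -> {hints[(gateway, role, error)]}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

On a live box the input would be the output of `show log kmd-logs`; the parser deliberately ignores any line that is not a negotiation-failure message, so the whole file can be fed in unfiltered.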
Original Message:
Sent: 01-24-2023 19:09
From: spuluka
Subject: IKE negotiation failed with error: Timed out
The full step-by-step check process is outlined in this KB.
https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels
Yours appears to be a phase 1 issue, so enabling the detailed logging as noted in this KB would likely be the next step to find the reason.
https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-1-VPN-connection-issues
I would first check that the SRX can trace/ping to the Draytek and the reverse. A timeout like this is often from reachability or security blocks on the protocol.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 01-21-2023 14:26
From: Koos147
Subject: IKE negotiation failed with error: Timed out
Good day,
I tried to establish a tunnel with a Draytek.
The Draytek is using 4G with a dynamic IP (no NAT; the Draytek has a publicly reachable IP).
I did this before, with success, and expected an easy job.
However, the tunnel didn't work.
In the logfile I see the below message, but I didn't find a reason, and Google wasn't helpful either.
kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Some printscreens on the Draytek [screenshots not reproduced in the text]
security ike >
    proposal draytek {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha-256;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    policy casa-fw01 {
        mode aggressive;
        proposals draytek;
        pre-shared-key ascii-text "****"; ## SECRET-DATA
    }
    gateway casa-fw01 {
        ike-policy casa-fw01;
        dynamic hostname casa-fw01.fnetonline.local;
        external-interface pp0.0;
    }
security ipsec >
    proposal draytek {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 27000;
    }
    policy casa-fw01 {
        proposals draytek;
    }
    vpn casa-fw01 {
        bind-interface st0.30;
        ike {
            gateway casa-fw01;
            proxy-identity {
                local 172.16.20.0/24;    <---- LAN on the SRX
                remote 172.16.30.0/24;   <---- LAN on the Draytek
                service any;
            }
            ipsec-policy casa-fw01;
        }
    }
st0.30 has its own security zone with security policies.
The external interface pp0.0 is used in 5 other tunnels, so that part should be fine.