SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

IKE negotiation failed with error: Timed out

  • 1.  IKE negotiation failed with error: Timed out

    Posted 01-21-2023 14:26


    Good day,

    I tried to establish a tunnel with a Draytek.
    The Draytek is using 4G with a dynamic IP (no NAT; the Draytek has a publicly reachable IP).

    I did this before, with success, and expected an easy job.

    However, the tunnel didn't work.
    In the log file I see the message below, but I didn't find a reason, and Google wasn't helpful either.

    kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    Some printscreens on the draytek





    security ike >
    proposal draytek {
       authentication-method pre-shared-keys;
       dh-group group2;
       authentication-algorithm sha-256;
       encryption-algorithm 3des-cbc;
       lifetime-seconds 28800;
    }
    policy casa-fw01 {
       mode aggressive;
       proposals draytek;
       pre-shared-key ascii-text "****"; ## SECRET-DATA
    }
    gateway casa-fw01 {
       ike-policy casa-fw01;
       dynamic hostname casa-fw01.fnetonline.local;
       external-interface pp0.0;
    }
    security ipsec >
    proposal draytek {
       protocol esp;
       authentication-algorithm hmac-sha1-96;
       encryption-algorithm aes-256-cbc;
       lifetime-seconds 27000;
    }
    policy casa-fw01 {
       proposals draytek;
    }
    vpn casa-fw01 {
       bind-interface st0.30;
       ike {
          gateway casa-fw01;
          proxy-identity {
             local 172.16.20.0/24;  <---- lan on the srx
             remote 172.16.30.0/24; <---- lan on draytek
             service any;
          }
          ipsec-policy casa-fw01;
       }
    }

    st0.30 has its own security zone with security policies.
    The external interface pp0.0 is used in 5 other tunnels, so that part should be fine.



  • 2.  RE: IKE negotiation failed with error: Timed out

    Posted 01-24-2023 19:09
    The full step-by-step check process is outlined in this KB.

    https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels

    Yours appears to be a phase 1 issue, so enabling the detailed logging as noted in this KB would likely be the next step to find the reason.
    https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-1-VPN-connection-issues

    I would first check that the SRX can trace/ping to the Draytek and the reverse.  A timeout like this is often from reachability or security blocks on the protocol.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: IKE negotiation failed with error: Timed out

    Posted 01-30-2023 12:18
    The key here will be to get more detailed messages.  Try this logging configuration found in the second KB above that forces more logging to be generated.  Ideally, you want the remote side to initiate the tunnel as well.  Frequently with timeouts the side requesting is just not getting the message from the remote side as to why they are unhappy.

    # set system syslog file kmd-logs daemon info
    # set system syslog file kmd-logs match KMD
    # commit


    View the generated logs with

    show log kmd-logs



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
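    Once the kmd-logs file above starts filling up, the failures tend to repeat the same structured line over and over, and the useful signal is which peer, which error string, which role, and whether any IKE-ID was ever exchanged. The following script is an added example, not part of this thread and not a Juniper tool: it parses lines of the form shown in post 1 and groups them into a triage bucket per VPN and peer. The sample log lines are constructed (documentation addresses from RFC 5737; the "No proposal chosen" line is included only for contrast), and the bucket names are this example's own labels.

```python
import re
from collections import Counter

# Constructed sample kmd-logs content. The first two lines follow the structure
# of the "Timed out" line quoted in post 1, with placeholder IPs replaced by
# RFC 5737 documentation addresses; the third line is constructed for contrast.
SAMPLE_LOG = """\
Jan 21 14:20:01 srx kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: 198.51.100.10/500, Remote: 203.0.113.25/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Jan 21 14:21:05 srx kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: 198.51.100.10/500, Remote: 203.0.113.25/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
Jan 21 14:22:10 srx kmd[2064]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: other-vpn Gateway: other-gw, Local: 198.51.100.10/500, Remote: 192.0.2.77/500, Local IKE-ID: 198.51.100.10, Remote IKE-ID: other-gw.example.net, VR-ID: 0: Role: Responder
"""

# Field layout taken from the kmd line in post 1. re.search is used because the
# syslog timestamp/host prefix in front of "kmd[" varies between log sources.
LINE_RE = re.compile(
    r"kmd\[(?P<pid>\d+)\]: IKE negotiation failed with error: (?P<error>[^.]+)\. "
    r"IKE Version: (?P<version>\d), VPN: (?P<vpn>\S+) Gateway: (?P<gateway>[^,]+), "
    r"Local: (?P<local>[^/]+)/(?P<local_port>\d+), "
    r"Remote: (?P<remote>[^/]+)/(?P<remote_port>\d+), "
    r"Local IKE-ID: (?P<local_id>.+?), Remote IKE-ID: (?P<remote_id>.+?), "
    r"VR-ID: (?P<vr>\d+): Role: (?P<role>\w+)"
)


def parse_kmd_line(line):
    """Return a dict of the IKE failure fields, or None for unrelated lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def parse_kmd_log(text):
    """Parse every matching line of a kmd-logs dump, skipping everything else."""
    events = []
    for line in text.splitlines():
        ev = parse_kmd_line(line)
        if ev:
            events.append(ev)
    return events


def triage(event):
    """Map one failure event to a coarse bucket (labels are this example's own).

    "no-phase1-reply": timed out and no IKE-ID was ever learned, i.e. the
    first messages never completed a round trip. That is the situation in
    post 1, and it points at reachability or filtering of UDP 500 (post 2),
    or at only one side ever initiating (post 3).
    "phase1-stalled": timed out after identities were exchanged, so packets
    do flow and the problem lies later in the exchange.
    "proposal-mismatch": the peer rejected every offered proposal.
    """
    err = event["error"]
    if err == "Timed out":
        if event["remote_id"] == "Not-Available":
            return "no-phase1-reply"
        return "phase1-stalled"
    if err == "No proposal chosen":
        return "proposal-mismatch"
    return "other"


def summarize(text):
    """Count failures per (vpn, remote peer, bucket) to see what repeats."""
    counts = Counter()
    for ev in parse_kmd_log(text):
        counts[(ev["vpn"], ev["remote"], triage(ev))] += 1
    return counts


if __name__ == "__main__":
    # Feed it a file captured with "show log kmd-logs", or the sample above.
    for (vpn, peer, bucket), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  vpn={vpn:<12} peer={peer:<16} {bucket}")
```

    Run against the real file, the interesting case is a peer whose only bucket is "no-phase1-reply" in both roles: that says the SRX never sees a complete first exchange in either direction, which is a reachability or filtering question before it is a configuration one.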



  • 4.  RE: IKE negotiation failed with error: Timed out

    Posted 01-24-2023 22:15
    Hello,

    Instead of configuring "hostname casa-fw01.fnetonline.local" on SRX device configure below:

    set security ike gateway casa-fw01 remote-identity hostname casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 local-identity inet <SRX public IP>

    As draytek is the one with dynamic IP, we should configure its local identity as remote-identity so that we would identify and accept the IKE proposal.

    Let me know if it works.

    ------------------------------
    Brijil R
    ------------------------------



  • 5.  RE: IKE negotiation failed with error: Timed out

    Posted 01-25-2023 10:14