This is indicating that the Draytek is in responder mode and not giving a reply. So the detailed log we need as to why the tunnel is being rejected is on the Draytek. Can you get logs from that side?
Or get the Draytek to be the initiator so the full responder logs will be on the SRX side?
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
Original Message:
Sent: 02-19-2023 15:23
From: Koos147
Subject: IKE negotiation failed with error: Timed out
Got a different (way older) model of Draytek.
Built the config from scratch, and again the same error.
The KMD logs didn't show anything more than the KMD log, only the title of this thread.
The only thing I noticed is the "Diffie-Hellman group : unknown" in the output below.
Changed the group to 1 to see if it made any difference.
Also changed the P2 lifetime to the default.
As you already guessed at this point, it didn't make any difference.
Also, there is no "limit" reached, since a long-offline tunnel came back online without trouble (and also... 5 tunnels is not a valid limit ;) ).
I have multiple device types connected, but this is the first Draytek to this specific system.

IKE peer REMOTEIP, Index 1457844,
  Role: Responder, State: DOWN
  Initiator cookie: 417793a129ed5002, Responder cookie: a8bd71a16608a9ab
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: LOCALIP:500, Remote: REMOTEIP:500
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : unknown
  Traffic statistics:
   Input  bytes  :                  904
   Output bytes  :                  392
   Input  packets:                    2
   Output packets:                    1
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0
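Added example (not from the thread or from Juniper): a small Python script that parses the kmd "IKE negotiation failed" syslog line and the "show security ike security-associations detail" output quoted above, and turns the fields a practitioner looks at first (role, exchange type, DH group, packet counters, matched IKE-IDs) into a list of findings. The sample input is constructed from the text in this thread; the IP addresses are RFC 5737 documentation addresses, not the poster's, and the finding texts are this example's own interpretation of those fields (the responder-side reading is the same conclusion spuluka draws above).

```python
"""Parse SRX IKEv1 failure output into structured diagnostic findings.

Added example; the sample text below is constructed from the output quoted
in this thread, with placeholder addresses (RFC 5737 ranges).
"""
import re

# Constructed sample: the kmd syslog line, addresses replaced by placeholders.
KMD_LOG_LINE = (
    "kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, "
    "VPN: casa-fw01 Gateway: casa-fw01, Local: 192.0.2.1/500, "
    "Remote: 198.51.100.7/500, Local IKE-ID: Not-Available, "
    "Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder"
)

# Constructed sample: 'show security ike security-associations detail' output.
IKE_SA_DETAIL = """\
IKE peer 198.51.100.7, Index 1457844,
  Role: Responder, State: DOWN
  Initiator cookie: 417793a129ed5002, Responder cookie: a8bd71a16608a9ab
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 192.0.2.1:500, Remote: 198.51.100.7:500
  IKE Fragmentation: Disabled, Size: 0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : unknown
  Traffic statistics:
   Input  bytes  :                  904
   Output bytes  :                  392
   Input  packets:                    2
   Output packets:                    1
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0
"""

_KMD_RE = re.compile(
    r"IKE negotiation failed with error: (?P<error>[^.]+)\. "
    r"IKE Version: (?P<version>\d+), VPN: (?P<vpn>\S+) Gateway: (?P<gateway>[^,]+), "
    r"Local: (?P<local>[^,]+), Remote: (?P<remote>[^,]+), "
    r"Local IKE-ID: (?P<local_id>[^,]+), Remote IKE-ID: (?P<remote_id>[^,]+), "
    r"VR-ID: (?P<vr_id>\d+): Role: (?P<role>\w+)"
)


def parse_kmd_log(line):
    """Return the named fields of a kmd 'IKE negotiation failed' line as a dict."""
    m = _KMD_RE.search(line)
    if not m:
        raise ValueError("not a kmd IKE failure line")
    return m.groupdict()


def _norm(key):
    # "Diffie-Hellman group  " -> "diffie_hellman_group", "Input  packets" -> "input_packets"
    return re.sub(r"[\s-]+", "_", key.strip().lower())


def parse_ike_sa_detail(text):
    """Flatten the indented 'Key: value' output into a dict; counters become ints."""
    sa = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line:
            continue
        peer = re.match(r"IKE peer (\S+), Index (\d+)", line)
        if peer:
            sa["peer"], sa["index"] = peer.group(1), int(peer.group(2))
            continue
        parts = line.split(", ")
        if not all(":" in p for p in parts):  # "0 created, 0 deleted" is one value
            parts = [line]
        for part in parts:
            key, _, value = part.partition(":")  # first colon only: "Local: 1.2.3.4:500"
            value = value.strip()
            if value:
                sa[_norm(key)] = int(value) if value.isdigit() else value
    return sa


def diagnose(log, sa):
    """Return (code, explanation) pairs; the explanations are this example's reading."""
    findings = []
    if log["role"] == "Responder" and log["error"].strip() == "Timed out":
        findings.append(("RESPONDER_TIMEOUT", "SRX was the responder: the peer initiated, "
                         "so why the exchange stalled is in the initiator's (Draytek) log"))
    if sa.get("output_packets") == 1 and str(sa.get("ipsec_security_associations", "")).startswith("0 created"):
        findings.append(("NO_THIRD_MESSAGE", "SRX sent exactly one reply and no IPsec SA was "
                         "built: the initiator never finished Phase 1 after the SRX answered"))
    if sa.get("diffie_hellman_group") == "unknown":
        findings.append(("DH_UNKNOWN", "no DH group was agreed: compare the Phase 1 "
                         "dh-group on both ends"))
    if log["remote_id"] == "Not-Available":
        findings.append(("NO_REMOTE_ID", "no remote IKE-ID matched: for a dynamic peer the "
                         "SRX must be told the ID the peer sends (remote-identity / dynamic hostname)"))
    if sa.get("exchange_type") == "Aggressive" and sa.get("authentication_method") == "Pre-shared-keys":
        findings.append(("AGGRESSIVE_PSK", "aggressive mode with PSK sends the identity in the "
                         "clear and exposes a PSK-derived hash to offline guessing; use a long "
                         "random PSK, or IKEv2 main-mode-style exchange where both ends support it"))
    if sa.get("encryption") == "3des-cbc":
        findings.append(("LEGACY_3DES", "3des-cbc is a legacy cipher; move to AES once the tunnel is up"))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(parse_kmd_log(KMD_LOG_LINE), parse_ike_sa_detail(IKE_SA_DETAIL)):
        print(f"{code:18} {why}")
```

Run it as-is to see the findings for the quoted output; to use it on a live box, paste your own log line and SA detail into the two constants (or feed them from `show log kmd` and `show security ike security-associations detail | no-more`).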
Original Message:
Sent: 01-28-2023 13:00
From: Koos147
Subject: IKE negotiation failed with error: Timed out
Good evening,
Did some more tests.
To rule out the dynamic hostname etc., I set the public address (the IP is valid for 24 hours or until a reboot, so for a test it is fine).
I also added general-ikeid, but still the same timeout.
I can ping the Juniper (and also... there is "some" response at the Juniper, so the network should be a problem).
Original Message:
Sent: 01-25-2023 21:26
From: Brijil
Subject: IKE negotiation failed with error: Timed out
Hello,
The timeout could be occurring because the SRX is failing to identify the peer.
So we can try two things here, configure the dynamic hostname, remote-identity and local identity together.
set security ike gateway casa-fw01 dynamic hostname casa-fw01.fnetonline.local
set security ike gateway casa-fw01 remote-identity hostname casa-fw01.fnetonline.local
set security ike gateway casa-fw01 local-identity inet 1.1.1.1
Else configure general-ike-id and see if that helps.
set security ike gateway casa-fw01 general-ikeid
If none helps, we probably would have to debug the issue and see what's going on.
Regards
------------------------------
Brijil R
Original Message:
Sent: 01-25-2023 10:13
From: Koos147
Subject: IKE negotiation failed with error: Timed out
Thanks for your answers.
@spuluka
I have seen the sites, but there is no mention of a timeout.
@Brijil
Since the Draytek has a dynamic IP, the "dynamic" part is needed (otherwise I need a fixed IP in the config).
I tried it with remote-identity instead of dynamic hostname and setting the current public IP as the address, but that wasn't working either.
Original Message:
Sent: 01-24-2023 22:14
From: Brijil
Subject: IKE negotiation failed with error: Timed out
Hello,
Instead of configuring "hostname casa-fw01.fnetonline.local" on SRX device configure below:
set security ike gateway casa-fw01 remote-identity casa-fw01.fnetonline.local
set security ike gateway casa-fw01 local-identity <SRX public IP >
As draytek is the one with dynamic IP, we should configure its local identity as remote-identity so that we would identify and accept the IKE proposal.
Let me know if it works.
------------------------------
Brijil R
Original Message:
Sent: 01-21-2023 14:26
From: Koos147
Subject: IKE negotiation failed with error: Timed out
Good day,
I tried to establish a tunnel with a Draytek.
The Draytek is using 4G with a dynamic IP (no NAT; the Draytek has a publicly reachable IP).
I did this before, with success, and expected an easy job.
However, the tunnel didn't work.
In the logfile I see the message below, but I didn't find a reason, and Google wasn't helpful either.
kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Some printscreens on the draytek



security ike >
proposal draytek {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha-256;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 28800;
}
policy casa-fw01 {
    mode aggressive;
    proposals draytek;
    pre-shared-key ascii-text "****"; ## SECRET-DATA
}
gateway casa-fw01 {
    ike-policy casa-fw01;
    dynamic hostname casa-fw01.fnetonline.local;
    external-interface pp0.0;
}
security ipsec >
proposal draytek {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 27000;
}
policy casa-fw01 {
    proposals draytek;
}
vpn casa-fw01 {
    bind-interface st0.30;
    ike {
        gateway casa-fw01;
        proxy-identity {
            local 172.16.20.0/24;    <---- LAN on the SRX
            remote 172.16.30.0/24;   <---- LAN on the Draytek
            service any;
        }
        ipsec-policy casa-fw01;
    }
}
st0.30 has its own security zone with security policies.
The external interface pp0.0 is used in 5 other tunnels, so that part should be fine.