SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

IKE negotiation failed with error: Timed out

  • 1.  IKE negotiation failed with error: Timed out

    Posted 01-21-2023 14:26


    Good day,

    I tried to establish a tunnel with a Draytek.
    The Draytek is using 4G with a dynamic IP (no NAT; the Draytek has a publicly reachable IP).

    I did this before, with success, and expected an easy job.

    However, the tunnel didn't work.
    In the logfile I see the message below, but I didn't find a reason, and Google wasn't helpful either.

    kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    Some printscreens on the draytek





    security ike >
    proposal draytek {
       authentication-method pre-shared-keys;
       dh-group group2;
       authentication-algorithm sha-256;
       encryption-algorithm 3des-cbc;
       lifetime-seconds 28800;
    }
    policy casa-fw01 {
       mode aggressive;
       proposals draytek;
       pre-shared-key ascii-text "****"; ## SECRET-DATA
    }
    gateway casa-fw01 {
       ike-policy casa-fw01;
       dynamic hostname casa-fw01.fnetonline.local;
       external-interface pp0.0;
    }
    security ipsec >
    proposal draytek {
       protocol esp;
       authentication-algorithm hmac-sha1-96;
       encryption-algorithm aes-256-cbc;
       lifetime-seconds 27000;
    }
    policy casa-fw01 {
       proposals draytek;
    }
    vpn casa-fw01 {
       bind-interface st0.30;
       ike {
          gateway casa-fw01;
          proxy-identity {
             local 172.16.20.0/24;  <---- lan on the srx
             remote 172.16.30.0/24; <---- lan on draytek
             service any;
          }
          ipsec-policy casa-fw01;
       }
    }

    st0.30 has its own security zone with security policies.
    The external interface pp0.0 is used in 5 other tunnels, so that part should be fine.



  • 2.  RE: IKE negotiation failed with error: Timed out

    Posted 01-24-2023 19:09
    The full step-by-step check process is outlined in this kb.

    https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels

    Yours appears to be a phase 1 issue so enabling the detailed logging as noted in this kb would likely be the next step to find the reason.
    https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-1-VPN-connection-issues

    I would first check that both the SRX can trace/ping to the Draytek and the reverse.  A timeout like this is often from reachability of security blocks on the protocol.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: IKE negotiation failed with error: Timed out

    Posted 01-30-2023 12:18
    The key here will be to get more detailed messages.  Try this logging configuration found in the second kb above that forces more logging to be generated.  Ideally, you want the remote side to initiate the tunnel as well.  Frequently with timeouts the side requesting is just not getting the message from the remote side as to why they are unhappy.

    # set system syslog file kmd-logs daemon info
    # set system syslog file kmd-logs match KMD
    # commit


    View the generated logs with

    show log kmd-logs



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: IKE negotiation failed with error: Timed out

     
    Posted 01-24-2023 22:15
    Hello,

    Instead of configuring "hostname casa-fw01.fnetonline.local" on SRX device configure below:

    set security ike gateway casa-fw01 remote-identity casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 local-identity <SRX public IP >

    As draytek is the one with dynamic IP, we should configure its local identity as remote-identity so that we would identify and accept the IKE proposal.

    Let me know if it works.

    ------------------------------
    Brijil R
    ------------------------------



  • 5.  RE: IKE negotiation failed with error: Timed out

    Posted 01-25-2023 10:14
    Thanks for your answers.

    @spuluka 
    I have seen the sites, but there is no mention of a timeout.

    @Brijil
    Since the Draytek has a dynamic IP, the "dynamic" part is needed (otherwise I need a fixed IP in the config).
    I tried it with remote-identity instead of dynamic hostname and setting the current public IP as the address, but that wasn't working either.



  • 6.  RE: IKE negotiation failed with error: Timed out

     
    Posted 01-25-2023 21:27
    Hello,

    The timeout could be occurring because the SRX is failing to identify the peer.
    So we can try two things here: configure the dynamic hostname, remote-identity and local-identity together.

    set security ike gateway casa-fw01 dynamic hostname casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 remote-identity hostname casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 local-identity inet 1.1.1.1

    Else configure general-ike-id and see if that helps.
     
    set security ike gateway casa-fw01 general-ikeid

    If none helps, we probably would have to debug the issue and see what's going on. 

    Regards

    ------------------------------
    Brijil R
    ------------------------------



  • 7.  RE: IKE negotiation failed with error: Timed out

    Posted 01-28-2023 13:01
    Good evening,

    Did some more tests.
    To rule out the dynamic hostname etc. I set the public address (the IP is valid for 24 hours or a reboot, so for a test it is fine).

    I also added general-ikeid, but still the same timeout.

    I can ping the Juniper (and also... there is "some" response at the Juniper, so network should be a problem).


  • 8.  RE: IKE negotiation failed with error: Timed out

    Posted 02-19-2023 15:23

    Got a different (way older) model of Draytek.

    Built the config from scratch, and again the same error.

    The kmd-logs didn't show anything more than the KMD log, only the title of this thread.

    The only thing I noticed is the "Diffie-Hellman group  : unknown" in the output below.

    Changed the group to 1 to see if it made some difference.

    Also changed the P2 lifetime to the default.

    As you already guessed at this point, it didn't make any difference.

    Also there is no "limit" reached, since a long-offline tunnel came back online without troubles (and also... 5 tunnels is not a valid limit ;) ).

    I have multiple device types connected, but this is the first Draytek to this specific system.

    IKE peer REMOTEIP, Index 1457844
      Role: Responder, State: DOWN
      Initiator cookie: 417793a129ed5002, Responder cookie: a8bd71a16608a9ab
      Exchange type: Aggressive, Authentication method: Pre-shared-keys
      Local: LOCALIP:500, Remote: REMOTEIP:500
      Reauth Lifetime: Disabled
      IKE Fragmentation: Disabled, Size: 0
      Remote Access Client Info: Unknown Client
      AAA assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha1-96
       Encryption            : 3des-cbc
       Pseudo random function: hmac-sha1
       Diffie-Hellman group  : unknown
      Traffic statistics:
       Input  bytes  :                  904
       Output bytes  :                  392
       Input  packets:                    2
       Output packets:                    1
       Input  fragmentated packets:       0
       Output fragmentated packets:       0
      IPSec security associations: 0 created, 0 deleted
      Phase 2 negotiations in progress: 0
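    As an added illustration (not code from the thread or from Juniper), the following parses a detail output shaped like the one above and applies the reasoning the replies use: a Responder that has already sent its reply but is still DOWN, a DH group shown as unknown, and aggressive mode with a PSK. The sample is constructed with documentation IP addresses.

```python
import re

# Constructed sample modelled on the "show security ike security-associations
# detail" output posted above; addresses replaced with documentation IPs.
SA_DETAIL = """\
IKE peer 203.0.113.10, Index 1457844
  Role: Responder, State: DOWN
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 198.51.100.1:500, Remote: 203.0.113.10:500
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Diffie-Hellman group  : unknown
  Traffic statistics:
   Input  packets:                    2
   Output packets:                    1
"""

def parse_sa_detail(text):
    """Extract the fields that matter for a phase-1 'Timed out' diagnosis."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "role": grab(r"Role:\s*(\w+)"),
        "state": grab(r"State:\s*(\w+)"),
        "exchange": grab(r"Exchange type:\s*(\w+)"),
        "auth": grab(r"Authentication method:\s*([\w-]+)"),
        "dh_group": grab(r"Diffie-Hellman group\s*:\s*(\S+)"),
        "in_pkts": grab(r"Input\s+packets:\s*(\d+)", int),
        "out_pkts": grab(r"Output\s+packets:\s*(\d+)", int),
    }

def triage(sa):
    """Return (code, advice) pairs encoding the reasoning used in this thread."""
    findings = []
    if sa["state"] != "UP" and sa["role"] == "Responder" and sa["out_pkts"]:
        # The SRX answered the initiator's first message but the exchange never
        # completed; why the initiator stopped is only visible in its own log.
        findings.append(("peer-stalled-after-reply",
                         "SRX replied but the exchange stalled; collect the initiator's IKE log"))
    if sa["dh_group"] == "unknown":
        findings.append(("dh-group-not-agreed",
                         "no DH group agreed; compare the phase-1 DH group on both ends"))
    if sa["exchange"] == "Aggressive" and sa["auth"] == "Pre-shared-keys":
        findings.append(("aggressive-psk",
                         "aggressive mode with PSK: IKE IDs and the PSK must match exactly"))
    return findings
```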
    



  • 9.  RE: IKE negotiation failed with error: Timed out

    Posted 02-19-2023 20:22

    This is indicating that the Draytek is in responder mode and not giving a reply.  So the detail log we need as to why the tunnel is being rejected is on the Draytek.  Can you get logs from that side?

    Or get the Draytek to be the initiator so the full responder logs will be on the SRX files?



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 10.  RE: IKE negotiation failed with error: Timed out

    Posted 06-19-2023 09:57

    Hi all.
    I am experiencing a similar issue but with a different vendor. On the other side, I have a console router, the Opengear OM1200.
    On the firewall, I can see "IKE exchange is in progress currently (1 times)".
    After a few seconds, I receive the following log entry: "IKE negotiation failed with error: Timed out. IKE Version: 1"
    Meanwhile, on my Opengear console router, I am observing the following two log entries:
    "calculated HASH does not match HASH payload"

    "generating INFORMATIONAL_V1 request 150430101 [ HASH N(AUTH_FAILED) 

    Thanks for your response.



    ------------------------------
    TOMAS
    ------------------------------



  • 11.  RE: IKE negotiation failed with error: Timed out

    Posted 06-19-2023 10:35

    The Opengear message seems to indicate that either the preshared key does not match or the two sides do not have the same encryption suites selected.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 12.  RE: IKE negotiation failed with error: Timed out

    Posted 06-20-2023 02:22

    Hi,

    I tried retyping my PSK several times, but the result was the same. Then I decided to change my key to include only letters, and it started working. My old PSK was 5i8N\tm0i-bsQ3t.

    Thank you for your advice.



    ------------------------------
    TOMAS
    ------------------------------



  • 13.  RE: IKE negotiation failed with error: Timed out

    Posted 06-20-2023 04:32

    Hey TJ.

    Ok - so you're sure about the PSK (even if it's simple for now) -- but what about the rest of the settings? (i.e. the proposals and such)

    Are both ends using static IPs or is one end dynamic?

    etc...etc...

    Let us know,

     -Ben



    ------------------------------
    Ben Kamen
    ------------------------------



  • 14.  RE: IKE negotiation failed with error: Timed out

    Posted 06-21-2023 10:25

    Hi,

    On my juniper srx I have static IP but on Opengear I have dynamic. 

    Here is my configuration:

    SRX 

    set interfaces st0 unit 99 description JUNG-CONSOLE
    set interfaces st0 unit 99 family inet

    set security ike gateway ike-JUNG-CONSOLE-gate ike-policy ike-CONSOLE
    set security ike gateway ike-JUNG-CONSOLE-gate dynamic hostname conjung.xxx.com
    set security ike gateway ike-JUNG-CONSOLE-gate local-identity hostname cho.xxx.com
    set security ike gateway ike-JUNG-CONSOLE-gate external-interface lo0.0

    set security ike policy ike-CONSOLE mode aggressive
    set security ike policy ike-CONSOLE proposal-set compatible
    set security ike policy ike-CONSOLE pre-shared-key ascii-text mypassword

    set security ipsec policy vpn-CONSOLE proposal-set standard


    set security ipsec vpn ipsec-JUNG-CONSOLE bind-interface st0.99
    set security ipsec vpn ipsec-JUNG-CONSOLE ike gateway ike-JUNG-CONSOLE-gate
    set security ipsec vpn ipsec-JUNG-CONSOLE ike ipsec-policy vpn-CONSOLE
    set security ipsec vpn ipsec-JUNG-CONSOLE establish-tunnels immediately

    set security zones security-zone MGMT interfaces st0.99

    Opengear configuration:

    role - initiator

    IKE - IKEv1 aggressive mode

    phase 1 - IKE

    cipher - 3des

    hash - sha1

    DH - modp1024 (Group2)

    phase2 IPSEC

    proposal type ESP

    cipher 3des

    hash sha1

    DH modp1024 (group 2)

    Authentication PSK

    PSK - only text password

    local ID conjung.xxx.com

    remote ID cho.xxx.com

    addressing

    local subnet 192.168.8.0/24

    remote address (public address of my Lo0 on my srx)

    that is all...



    ------------------------------
    TOMAS
    ------------------------------



  • 15.  RE: IKE negotiation failed with error: Timed out

    Posted 06-20-2023 07:03

    I would avoid the slashes and use other special characters instead.  These can be misinterpreted as end codes depending on the OS and parsing done by the boxes involved.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
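    As an added example (not from the thread or any vendor) illustrating posts 12 and 15: the old key contains "\t", and if one endpoint's parser applies C-style backslash escaping while the other takes the characters literally, the two sides derive different key bytes, which shows up exactly as a HASH mismatch / AUTH_FAILED. The assumption that one side performed that escape processing is the page's explanation, not a documented behaviour of either device.

```python
import codecs

def interpretations(psk):
    """Return the byte strings two peers could end up using for the same typed PSK.

    'literal'   : every character taken as typed.
    'c_escaped' : backslash sequences decoded as a C-style or shell-like parser
                  would ("\\t" becomes a tab). Assumption: one endpoint applied
                  this kind of processing; the thread does not say which one.
    """
    literal = psk.encode("utf-8")
    try:
        c_escaped = psk.encode("latin-1").decode("unicode_escape").encode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        c_escaped = None  # non-Latin-1 text or a dangling backslash at the end
    return {"literal": literal, "c_escaped": c_escaped}

def first_divergence(a, b):
    """Index of the first byte where the two readings differ, or None if equal."""
    if a is None or b is None:
        return 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def psk_is_escape_safe(psk):
    """True when no escape processing on either side can change the key bytes."""
    r = interpretations(psk)
    return r["c_escaped"] is not None and first_divergence(r["literal"], r["c_escaped"]) is None

def risky_characters(psk):
    """Characters CLI and config parsers commonly treat specially (assumed list)."""
    special = set('\\"\'$`#;')
    return sorted(c for c in set(psk) if c in special)
```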