Hello,
The timeout could be occurring because the SRX is failing to identify the peer.
So we can try two things here. First, configure the dynamic hostname, remote-identity and local-identity together:
set security ike gateway casa-fw01 dynamic hostname casa-fw01.fnetonline.local
set security ike gateway casa-fw01 remote-identity hostname casa-fw01.fnetonline.local
set security ike gateway casa-fw01 local-identity inet 1.1.1.1
Otherwise, configure general-ikeid and see if that helps:
set security ike gateway casa-fw01 general-ikeid
If neither helps, we would probably have to debug the issue and see what's going on.
Regards
------------------------------
Brijil R
------------------------------
Original Message:
Sent: 01-25-2023 10:13
From: Koos147
Subject: IKE negotiation failed with error: Timed out
Thanks for your answers.
@spuluka
I have seen the sites, but there is no mention of a timeout.
@Brijil
Since the DrayTek has a dynamic IP, the "dynamic" part is needed (otherwise I need a fixed IP in the config).
I tried it with remote-identity instead of dynamic hostname, setting the current public IP as the address, but that wasn't working either.
Original Message:
Sent: 01-24-2023 22:14
From: Brijil
Subject: IKE negotiation failed with error: Timed out
Hello,
Instead of configuring "hostname casa-fw01.fnetonline.local" on the SRX device, configure the below:
set security ike gateway casa-fw01 remote-identity hostname casa-fw01.fnetonline.local
set security ike gateway casa-fw01 local-identity inet <SRX public IP>
As the DrayTek is the one with the dynamic IP, we should configure its local identity as the remote-identity so that we identify and accept the IKE proposal.
Let me know if it works.
------------------------------
Brijil R
Original Message:
Sent: 01-21-2023 14:26
From: Koos147
Subject: IKE negotiation failed with error: Timed out
Good day,
I tried to establish a tunnel with a DrayTek.
The DrayTek is using 4G with a dynamic IP (no NAT; the DrayTek has a publicly reachable IP).
I did this before, with success, and expected an easy job.
However, the tunnel didn't work.
In the log file I see the message below, but I didn't find a reason, and Google wasn't helpful either.
kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Some screenshots of the DrayTek configuration (images not included here):
security ike >
    proposal draytek {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha-256;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 28800;
    }
    policy casa-fw01 {
        mode aggressive;
        proposals draytek;
        pre-shared-key ascii-text "****"; ## SECRET-DATA
    }
    gateway casa-fw01 {
        ike-policy casa-fw01;
        dynamic hostname casa-fw01.fnetonline.local;
        external-interface pp0.0;
    }
security ipsec >
    proposal draytek {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 27000;
    }
    policy casa-fw01 {
        proposals draytek;
    }
    vpn casa-fw01 {
        bind-interface st0.30;
        ike {
            gateway casa-fw01;
            proxy-identity {
                local 172.16.20.0/24;    <---- LAN on the SRX
                remote 172.16.30.0/24;   <---- LAN on the DrayTek
                service any;
            }
            ipsec-policy casa-fw01;
        }
    }
st0.30 has its own security zone with security policies.
The external interface pp0.0 is used in 5 other tunnels, so that part should be fine.
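As an added example, not part of the thread or of anything Juniper ships, here is a small Python parser for the kmd "IKE negotiation failed" line format quoted in the post above. It pulls the fields out of each line and flags the case seen here: responder role with both IKE-IDs reported as Not-Available, i.e. the SRX never matched the peer to a gateway identity. The first sample line is the post's own log line (with its bracketed IP placeholders kept); the second sample line, the category names and the hint strings are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field layout of the kmd message as it appears in the post:
#   "... failed with error: <err>. IKE Version: <v>, VPN: <vpn> Gateway: <gw>,
#    Local: <ip>/<port>, Remote: <ip>/<port>, Local IKE-ID: <id>,
#    Remote IKE-ID: <id>, VR-ID: <n>: Role: <role>"
IKE_FAIL_RE = re.compile(
    r"IKE negotiation failed with error: (?P<error>[^.]+)\. "
    r"IKE Version: (?P<version>\d+), VPN: (?P<vpn>\S+) Gateway: (?P<gateway>\S+), "
    r"Local: (?P<local>[^/]+)/(?P<local_port>\d+), "
    r"Remote: (?P<remote>[^/]+)/(?P<remote_port>\d+), "
    r"Local IKE-ID: (?P<local_id>[^,]+), Remote IKE-ID: (?P<remote_id>[^,]+), "
    r"VR-ID: (?P<vr_id>\d+): Role: (?P<role>\w+)"
)

# Constructed sample input. SAMPLE_LOGS[0] is the line from the post;
# SAMPLE_LOGS[1] is an invented initiator-side timeout for contrast.
SAMPLE_LOGS: List[str] = [
    "kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, "
    "VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, "
    "Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, "
    "Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder",
    "kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, "
    "VPN: site-b Gateway: site-b, Local: 198.51.100.10/500, "
    "Remote: 203.0.113.40/500, Local IKE-ID: 198.51.100.10, "
    "Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator",
]


@dataclass
class IkeFailure:
    error: str
    version: int
    vpn: str
    gateway: str
    local: str
    local_port: int
    remote: str
    remote_port: int
    local_id: str
    remote_id: str
    role: str


def parse_ike_failure(line: str) -> Optional[IkeFailure]:
    """Parse one kmd failure line; return None for lines in any other format."""
    m = IKE_FAIL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return IkeFailure(
        error=d["error"], version=int(d["version"]), vpn=d["vpn"],
        gateway=d["gateway"], local=d["local"], local_port=int(d["local_port"]),
        remote=d["remote"], remote_port=int(d["remote_port"]),
        local_id=d["local_id"], remote_id=d["remote_id"], role=d["role"],
    )


def classify(f: IkeFailure) -> str:
    """Bucket a timeout by who was waiting and whether a peer ID was ever seen.

    Category names are this example's own (assumption), not Junos terms.
    """
    if f.error == "Timed out" and f.role == "Responder" and f.remote_id == "Not-Available":
        # We answered an inbound request but never tied the peer to a gateway.
        return "peer-identity-unknown"
    if f.error == "Timed out" and f.role == "Initiator":
        # We sent the first message and heard nothing back.
        return "no-response-from-peer"
    if f.error == "Timed out":
        return "timed-out-other"
    return "other:" + f.error


# Constructed hints, one per category; these are the checks, not a diagnosis.
HINTS: Dict[str, str] = {
    "peer-identity-unknown": (
        "Responder never matched the peer: confirm the ID the peer sends in "
        "aggressive mode equals the SRX 'dynamic hostname' / remote-identity, "
        "and that the peer's first packet actually reaches the external interface."
    ),
    "no-response-from-peer": (
        "Initiator got no reply: check reachability and that UDP/500 "
        "(and UDP/4500 when NAT-T is in play) is allowed toward the peer."
    ),
    "timed-out-other": "Timed out with a known remote ID: look at later phase messages.",
}


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count parsed failures per category; unparseable lines are skipped."""
    counts: Dict[str, int] = {}
    for line in lines:
        f = parse_ike_failure(line)
        if f is None:
            continue
        cat = classify(f)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_ike_failure(line)
        if f:
            cat = classify(f)
            print(f"{f.gateway} {f.role} remote-id={f.remote_id}: {cat}")
            print("  " + HINTS.get(cat, "no hint"))
    print(summarize(SAMPLE_LOGS))
```

Run it as a script to see both sample lines classified, or feed `summarize()` the output of `show log kmd | match "negotiation failed"` to get a per-category count before turning on IKE traceoptions.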