SRX


Ask questions and share experiences about the SRX Series.
  • 1.  IKE negotiation failed with error: Timed out

    Posted 8 days ago


    Good day,

    I tried to establish a tunnel with a Draytek.
    The Draytek is using 4G with a dynamic IP (no NAT; the Draytek has a publicly reachable IP).

    I did this before, with success, and expected an easy job.

    However, the tunnel didn't work.
    In the logfile I see the message below, but I didn't find a reason, and Google wasn't helpful either.

    kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    Some screenshots of the Draytek:

    security ike >
    proposal draytek {
       authentication-method pre-shared-keys;
       dh-group group2;
       authentication-algorithm sha-256;
       encryption-algorithm 3des-cbc;
       lifetime-seconds 28800;
    }
    policy casa-fw01 {
       mode aggressive;
       proposals draytek;
       pre-shared-key ascii-text "****"; ## SECRET-DATA
    }
    gateway casa-fw01 {
       ike-policy casa-fw01;
       dynamic hostname casa-fw01.fnetonline.local;
       external-interface pp0.0;
    }
    security ipsec >
    proposal draytek {
       protocol esp;
       authentication-algorithm hmac-sha1-96;
       encryption-algorithm aes-256-cbc;
       lifetime-seconds 27000;
    }
    policy casa-fw01 {
       proposals draytek;
    }
    vpn casa-fw01 {
       bind-interface st0.30;
       ike {
          gateway casa-fw01;
          proxy-identity {
             local 172.16.20.0/24;  <---- lan on the srx
             remote 172.16.30.0/24; <---- lan on draytek
             service any;
          }
          ipsec-policy casa-fw01;
       }
    }

    st0.30 has its own security zone with security policies.
    The external interface pp0.0 is used in 5 other tunnels, so that part should be fine.



  • 2.  RE: IKE negotiation failed with error: Timed out

    Posted 4 days ago
    The full step-by-step check process is outlined in this KB:

    https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels

    Yours appears to be a phase 1 issue, so enabling the detailed logging as noted in this KB would likely be the next step to find the reason:
    https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-IKE-Phase-1-VPN-connection-issues

    I would first check that the SRX can trace/ping to the Draytek and the reverse. A timeout like this is often from reachability or security blocks on the protocol.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
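    To make the kmd line in the original post easier to triage, here is an added example (my own code, not Juniper's or anyone's in this thread) that parses the fields of an "IKE negotiation failed" message and applies a simple classification. The line format follows the message quoted above; the sample log is constructed, with RFC 5737 addresses standing in for the redacted public IPs, and the second sample line's error text ("No proposal chosen") and IKE-ID shapes are assumed for illustration, not taken from the page. The classification itself is a heuristic of mine, not a Juniper diagnostic.

```python
"""Parse SRX kmd 'IKE negotiation failed' lines and flag the phase 1 failure mode.

Added example for this thread, not Juniper code. The regex follows the kmd
message quoted in the original post. SAMPLE_LOG is constructed: the addresses
are RFC 5737 documentation IPs, and the second line's error string and IKE-ID
shapes are assumed examples that do not come from the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (not from the page). Line 1 mirrors the OP's message.
SAMPLE_LOG = """\
Jan 10 09:12:01 srx kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: 203.0.113.10/500, Remote: 198.51.100.7/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Jan 10 09:15:44 srx kmd[2064]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: 203.0.113.10/500, Remote: 198.51.100.7/500, Local IKE-ID: ipv4(203.0.113.10), Remote IKE-ID: fqdn(casa-fw01.fnetonline.local), VR-ID: 0: Role: Responder
Jan 10 09:16:02 srx kmd[2064]: something unrelated
"""

# Field layout taken from the message quoted in the original post.
KMD_RE = re.compile(
    r"kmd\[(?P<pid>\d+)\]: IKE negotiation failed with error: (?P<error>.+?)\. "
    r"IKE Version: (?P<version>\d), "
    r"VPN: (?P<vpn>\S+) Gateway: (?P<gateway>\S+), "
    r"Local: (?P<local_ip>[^/]+)/(?P<local_port>\d+), "
    r"Remote: (?P<remote_ip>[^/]+)/(?P<remote_port>\d+), "
    r"Local IKE-ID: (?P<local_id>.+?), Remote IKE-ID: (?P<remote_id>.+?), "
    r"VR-ID: (?P<vr_id>\d+): Role: (?P<role>\w+)"
)


@dataclass
class IkeFailure:
    error: str
    version: int
    vpn: str
    gateway: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    local_id: str
    remote_id: str
    vr_id: int
    role: str

    @property
    def peer_identified(self) -> bool:
        # "Not-Available" is the literal the SRX logs when no IKE ID was recorded.
        return self.remote_id != "Not-Available"

    @property
    def nat_traversal(self) -> bool:
        # UDP/4500 on either side means the peers switched to NAT-T; the OP
        # expects /500 on both sides since the Draytek is not behind NAT.
        return 4500 in (self.local_port, self.remote_port)


def parse_kmd_line(line: str) -> Optional[IkeFailure]:
    """Return an IkeFailure for a matching kmd line, else None."""
    m = KMD_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return IkeFailure(
        error=g["error"], version=int(g["version"]), vpn=g["vpn"],
        gateway=g["gateway"], local_ip=g["local_ip"],
        local_port=int(g["local_port"]), remote_ip=g["remote_ip"],
        remote_port=int(g["remote_port"]), local_id=g["local_id"],
        remote_id=g["remote_id"], vr_id=int(g["vr_id"]), role=g["role"],
    )


def scan_log(text: str) -> List[IkeFailure]:
    """Parse every matching line in a block of syslog text."""
    return [f for f in (parse_kmd_line(l) for l in text.splitlines()) if f]


def diagnose(f: IkeFailure) -> Tuple[str, str]:
    """Heuristic classification (mine, not Juniper's): returns (tag, advice)."""
    if f.error == "Timed out":
        if not f.peer_identified:
            return ("phase1-timeout-no-peer-id",
                    "No IKE identity was recorded for either side before the "
                    "exchange timed out. Confirm UDP/500 reachability in both "
                    "directions and enable IKE traceoptions.")
        return ("phase1-timeout-after-id",
                "Peer identity was received but the negotiation still timed "
                "out; check that the SRX's replies reach the peer.")
    if f.error == "No proposal chosen":  # assumed error string, not from the page
        return ("phase1-proposal-mismatch",
                "Compare the IKE proposal (DH group, authentication and "
                "encryption algorithms) on both peers.")
    return ("unclassified", "Look up '%s' in the IKE phase 1 KB." % f.error)


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        tag, advice = diagnose(rec)
        print(f"{rec.gateway} role={rec.role} ids={rec.local_id}/{rec.remote_id} "
              f"ports={rec.local_port}/{rec.remote_port} -> {tag}: {advice}")
```

    Feed it `show log kmd` output; each matching line yields the gateway, role, ports and IKE IDs, and the tag says whether the failure happened before or after identities were exchanged, which is the question post 2 raises.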



  • 3.  RE: IKE negotiation failed with error: Timed out

    Posted 4 days ago
    Hello,

    Instead of configuring "hostname casa-fw01.fnetonline.local" on the SRX device, configure the below:

    set security ike gateway casa-fw01 remote-identity casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 local-identity <SRX public IP >

    As the Draytek is the one with the dynamic IP, we should configure its local identity as the remote-identity so that we identify and accept the IKE proposal.

    Let me know if it works.

    ------------------------------
    Brijil R
    ------------------------------



  • 4.  RE: IKE negotiation failed with error: Timed out

    Posted 4 days ago
    Thanks for your answers.

    @spuluka 
    I have seen the sites, but there is no mention of a timeout.

    @Brijil
    Since the Draytek has a dynamic IP, the "dynamic" part is needed (otherwise I need a fixed IP in the config).
    I tried it with remote-identity instead of dynamic hostname and setting the current public IP as the address, but that wasn't working either.



  • 5.  RE: IKE negotiation failed with error: Timed out

    Posted 3 days ago
    Hello,

    The timeout could be occurring because the SRX is failing to identify the peer.
    So we can try two things here: configure the dynamic hostname, remote-identity and local-identity together.

    set security ike gateway casa-fw01 dynamic hostname casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 remote-identity hostname casa-fw01.fnetonline.local
    set security ike gateway casa-fw01 local-identity inet 1.1.1.1

    Else, configure general-ikeid and see if that helps.

    set security ike gateway casa-fw01 general-ikeid

    If none of this helps, we would probably have to debug the issue and see what's going on.

    Regards

    ------------------------------
    Brijil R
    ------------------------------



  • 6.  RE: IKE negotiation failed with error: Timed out

    Posted yesterday
    Good evening,

    I did some more tests.
    To rule out the dynamic hostname etc., I set the public address (the IP is valid for 24 hours or until a reboot, so for a test it is fine).

    I also added general-ikeid, but still the same timeout.

    I can ping the Juniper (and also... there is "some" response at the Juniper, so the network should be a problem).