SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

IKE negotiation failed with error: Timed out

  • 1.  IKE negotiation failed with error: Timed out

    Posted 01-21-2023 14:26


    Good day,

    i tried to establish a tunnel with a draytek,
    the draytek is using 4G with a dynamic ip (no nat. draytek has a public reachable ip)

    i did this before. with succses. and expected an easy job.

    however the tunnel didn't work.
    in the logfile i see the bellow message. but i didn't find a reason. and google wasn't helpfull either.

    kmd[2064]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: casa-fw01 Gateway: casa-fw01, Local: [srx-public-ip]/500, Remote: [draytek-public-ip]/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

    Some printscreens on the draytek





    security ike >
    proposal draytek {
       authentication-method pre-shared-keys;
       dh-group group2;
       authentication-algorithm sha-256;
       encryption-algorithm 3des-cbc;
       lifetime-seconds 28800;
    }
    policy casa-fw01 {
       mode aggressive;
       proposals draytek;
       pre-shared-key ascii-text "****"; ## SECRET-DATA
    }
    gateway casa-fw01 {
       ike-policy casa-fw01;
       dynamic hostname casa-fw01.fnetonline.local;
       external-interface pp0.0;
    }
    security ipsec >
    proposal draytek {
       protocol esp;
       authentication-algorithm hmac-sha1-96;
       encryption-algorithm aes-256-cbc;
       lifetime-seconds 27000;
    }
    policy casa-fw01 {
       proposals draytek;
    }
    vpn casa-fw01 {
       bind-interface st0.30;
       ike {
          gateway casa-fw01;
          proxy-identity {
             local 172.16.20.0/24;  <---- lan on the srx
             remote 172.16.30.0/24; <---- lan on draytek
             service any;
          }
          ipsec-policy casa-fw01;
       }
    }

    st0.30  has its own security zone with security policies 
    the external interface pp0.0 is used in 5 other tunnels. so that part should be fine.



  • 2.  RE: IKE negotiation failed with error: Timed out