Security

View Only

Back to discussions

Expand all | Collapse all

ike security-associations not comming up

1. ike security-associations not comming up

Recommend
Cas
Posted 09-09-2024 06:22

Reply Reply Privately
hello team, I configured simply setup P2P VPN with pre-shared keys beetween two vSRX, however ike security-associations not coming up. could You help? for simplicity of trabelshooting, I allowed all traffic at zone level and interface level:

here is a topology view:

Below is config SRX1:

root# show
## Last changed: 2024-09-09 09:35:23 UTC
version 20190606.224121_builder.r1033375;
system {
root-authentication {
encrypted-password "$6$QXf4AyM8$Ch3CgnBl55qsqPz1TaTCD9T5.pPhZQ6sAtGu63xSZT4RMjxcSOT9g9mX33GHPMLks8PcvvugNEadvdxv7ELsM0"; ## SECRET-DATA
}
services {
ssh;
web-management {
http {
interface fxp0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$6Ka./Ctu01EhyKMoJUDkq0B1"; ## SECRET-DATA
}
gateway gw-chicago {
ike-policy ike-phase1-policy;
address 10.2.2.2;
external-interface ge-0/0/3.0;
version v2-only;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ipsec-vpn-chicago {
bind-interface st0.0;
ike {
gateway gw-chicago;
ipsec-policy ipsec-phase2-policy;
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn-chicago {
policy vpn-tr-chi {
match {
source-address sunnyvale;
destination-address chicago;
application any;
}
then {
permit;
}
}
}
from-zone vpn-chicago to-zone trust {
policy vpn-chi-tr {
match {
source-address chicago;
destination-address sunnyvale;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
address-book {
address sunnyvale 192.168.10.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
ping;
all;
}
protocols {
ospf;
all;
}
}
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone vpn-chicago {
address-book {
address chicago 192.168.168.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.10.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 10.1.1.2/30;
}
}
}
fxp0 {
unit 0;
}
st0 {
unit 0 {
family inet {
address 10.11.11.10/24;
}
}
}
}
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/3.0;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.1.1.1;
route 192.168.168.0/24 next-hop st0.0;
}
}

[edit]

SRX2:

root# show
## Last changed: 2024-09-09 09:51:06 UTC
version 20190606.224121_builder.r1033375;
system {
root-authentication {
encrypted-password "$6$P2puOCsA$DAHMjhrtpdUdolG8GWS3LBgODY7bhXRznvj6LcSOj9YssWpqaOycyzU2etun/Hb7bsIf32Qdfxr9fPWwjNGNV0"; ## SECRET-DATA
}
services {
ssh;
web-management {
http {
interface fxp0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$049TO1RhcrKv87-ikmPQzcyr"; ## SECRET-DATA
}
gateway gw-sunnyvale {
ike-policy ike-phase1-policy;
address 10.1.1.1;
external-interface ge-0/0/3.0;
version v2-only;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ipsec-vpn-chicago {
bind-interface st0.0;
ike {
gateway gw-sunnyvale;
ipsec-policy ipsec-phase2-policy;
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn-chicago {
policy vpn-tr-chi {
match {
source-address chicago;
destination-address sunnyvale;
application any;
}
then {
permit;
}
}
}
from-zone vpn-chicago to-zone trust {
policy vpn-chi-tr {
match {
source-address sunnyvale;
destination-address chicago;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
address-book {
address chicago 192.168.168.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ike;
ping;
all;
}
protocols {
ospf;
all;
}
}
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone vpn-chicago {
address-book {
address sunnyvale 192.168.10.0/24;
}
host-inbound-traffic {
system-services {
ping;
all;
}
protocols {
all;
}
}
interfaces {
st0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.168.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 10.2.2.2/30;
}
}
}
fxp0 {
unit 0;
}
st0 {
unit 0 {
family inet {
address 10.11.11.11/24;
}
}
}
}
protocols {
ospf {
area 0.0.0.0 {
interface ge-0/0/3.0;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.2.2.1;
route 192.168.10.0/24 next-hop st0.0;
}
}

[edit]
root#

show commands SRX1:

root# run show security ike security-associations

[edit]

root# run show security ipsec security-associations
Total active tunnels: 0 Total Ipsec sas: 0

root# run show route

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 02:07:34
> to 10.1.1.1 via ge-0/0/3.0
10.1.1.0/30 *[Direct/0] 02:07:34
> via ge-0/0/3.0
10.1.1.2/32 *[Local/0] 02:07:34
Local via ge-0/0/3.0
10.2.2.0/30 *[OSPF/10] 02:07:33, metric 2
> to 10.1.1.1 via ge-0/0/3.0
10.11.11.0/24 *[Direct/0] 02:13:35
> via st0.0
10.11.11.10/32 *[Local/0] 02:13:35
Local via st0.0
192.168.10.0/24 *[Direct/0] 02:07:33
> via ge-0/0/0.0
192.168.10.1/32 *[Local/0] 02:07:33
Local via ge-0/0/0.0
192.168.168.0/24 *[Static/5] 02:13:35
> via st0.0
224.0.0.5/32 *[OSPF/10] 02:14:00, metric 1
MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128 *[INET6/0] 02:13:59
MultiRecv

root# run show ospf neighbor
Address Interface State ID Pri Dead
10.1.1.1 ge-0/0/3.0 Full 10.2.2.1 1 39

root# run ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=19.332 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=9.565 ms
^C
--- 10.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.565/14.448/19.332/4.884 ms

[edit]
root# run ping 10.2.2.2
PING 10.2.2.2 (10.2.2.2): 56 data bytes
64 bytes from 10.2.2.2: icmp_seq=0 ttl=63 time=35.327 ms
64 bytes from 10.2.2.2: icmp_seq=1 ttl=63 time=16.065 ms
^C
--- 10.2.2.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 16.065/25.696/35.327/9.631 ms

root# run ping 10.11.11.11
PING 10.11.11.11 (10.11.11.11): 56 data bytes
^C
--- 10.11.11.11 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

[edit]

------------------------------
Cas
------------------------------

Security

ike security-associations not comming up

1. ike security-associations not comming up