Hi all,
We need to set up an IPsec VPN between a Juniper SRX1500 (hub) and a Cisco device (spoke) using aggressive mode; the Cisco is behind a modem router as shown in the attached image (the result below is a test with a vSRX and a Cisco C2600). But Phase 1 can't come up; troubleshooting with show logs on the two devices I see:
SRX1500:
root@SRX.JUNIPER.NET# run show log kmd-logs | last
Nov 18 16:03:40 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
Nov 18 16:04:10 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
Nov 18 16:05:41 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=200.200.12.1 remote_ip=200.200.12.2]
Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=200.200.12.1, dst_ip=200.200.12.2]
Nov 18 16:06:11 SRX.JUNIPER.NET kmd[1196]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 200.200.12.1/500, Remote: 200.200.12.2/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Cisco:
IOS.CISCO.COM#debug crypto isakmp
*Mar 1 04:06:00.849: ISAKMP: received ke message (1/1)
*Mar 1 04:06:00.849: ISAKMP:(0:0:N/A:0): SA request profile is JUNIPER_IKE_PROF
*Mar 1 04:06:00.849: ISAKMP: Created a peer struct for 200.200.12.1, peer port 500
*Mar 1 04:06:00.849: ISAKMP: New peer created peer = 0x82E211FC peer_handle = 0x80000081
*Mar 1 04:06:00.853: ISAKMP: Locking peer struct 0x82E211FC, IKE refcount 1 for isakmp_initiator
*Mar 1 04:06:00.853: ISAKMP: local port 500, remote port 500
*Mar 1 04:06:00.853: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 04:06:00.853: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88417D18
*Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0):Found HOST key in keyring default
*Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 04:06:00.857: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 04:06:00.861: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 04:06:00.885: ISAKMP:(0:118:SW:1):SA is doing pre-shared key authentication using id type ID_FQDN
*Mar 1 04:06:00.885: ISAKMP (0:134217846): ID payload
next-payload : 13
type : 2
FQDN name : IOS.CISCO.COM
protocol : 17
port : 0
length : 21
*Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Total payload length: 21
*Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar 1 04:06:00.889: ISAKMP:(0:118:SW:1):Old State = IKE_READY New State = IKE_I_AM1
*Mar 1 04:06:00.893: ISAKMP:(0:118:SW:1): beginning Aggressive Mode exchange
*Mar 1 04:06:00.893: ISAKMP:(0:118:SW:1): sending packet to 200.200.12.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 04:06:00.893: ISAKMP:(0:117:SW:1):purging SA., sa=88417604, delme=88417604
*Mar 1 04:06:01.037: ISAKMP (0:134217846): received packet from 200.200.12.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 04:06:01.037: ISAKMP:(0:118:SW:1):Couldn't find node: message_id -1546417211
*Mar 1 04:06:01.037: ISAKMP (0:134217846): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_AM1
*Mar 1 04:06:01.041: ISAKMP:(0:118:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 04:06:01.041: ISAKMP:(0:118:SW:1):Old State = IKE_I_AM1 New State = IKE_I_AM1
*Mar 1 04:06:01.041: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.200.12.1
IOS.CISCO.COM#debug crypto isakmp
IOS.CISCO.COM#debug crypto isakmp
*Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar 1 04:06:10.893: ISAKMP (0:134217846): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar 1 04:06:10.893: ISAKMP:(0:118:SW:1): sending packet to 200.200.12.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 04:06:11.142: ISAKMP (0:134217846): received packet from 200.200.12.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 04:06:11.146: ISAKMP:(0:118:SW:1): phase 1 packet is a duplicte of a previous packet.
In Wireshark, the Cisco device sends message 1 to initiate the session and the SRX sends message 2 back, but the Cisco doesn't send message 3 to complete Phase 1. Attached are the configs of the two sites, the Wireshark image and the topology image. Please help me troubleshoot this case. I have tried and will try more times.
Thanks Kudo team,
#IPSec#NAT#cisco#SRX#Aggressivemode
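Added example, not taken from the original post or its attachments (the attached configs are not visible here): a hub-side Junos IKE configuration for an IKEv1 aggressive-mode, pre-shared-key spoke that identifies itself with ID_FQDN. On the SRX, `IKE Phase-1: (Responder) Policy lookup failed` means kmd received the peer's AG_INIT_EXCH but found no IKE gateway/policy matching that peer, and `No proposal chosen` is the notify it sends back in reply; the Cisco debug shows exactly that notify arriving (`IKE_INFO_NOTIFY` while in `IKE_I_AM1`) and the initiator then never sending message 3. Because the spoke sits behind a NAT router and sends `ID_FQDN IOS.CISCO.COM`, the gateway has to be matched on that hostname rather than on a peer address. The object names (PROP-AGG, POL-AGG, GW-CISCO), the external interface ge-0/0/0.0, the algorithm set and the PSK placeholder are assumptions; the algorithms must equal the `crypto isakmp policy` the Cisco actually uses.

```junos
# Added example (assumptions: object names, ge-0/0/0.0, algorithm choices, PSK).
# Phase 1 proposal: encryption, hash, DH group and lifetime must match the
# Cisco "crypto isakmp policy"; a mismatch here also yields "No proposal chosen".
set security ike proposal PROP-AGG authentication-method pre-shared-keys
set security ike proposal PROP-AGG dh-group group2
set security ike proposal PROP-AGG authentication-algorithm sha1
set security ike proposal PROP-AGG encryption-algorithm aes-128-cbc
set security ike proposal PROP-AGG lifetime-seconds 86400

# Aggressive mode must be explicit; a main-mode policy will not accept the
# peer's AG_INIT_EXCH.
set security ike policy POL-AGG mode aggressive
set security ike policy POL-AGG proposals PROP-AGG
set security ike policy POL-AGG pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-PSK"

# Gateway: the spoke is NATed and identifies itself as ID_FQDN IOS.CISCO.COM,
# so it is a dynamic gateway matched on that hostname, not an address gateway.
# local-identity is what the Cisco sees in message 2; it must match the
# identity the Cisco profile expects from the hub.
set security ike gateway GW-CISCO ike-policy POL-AGG
set security ike gateway GW-CISCO dynamic hostname IOS.CISCO.COM
set security ike gateway GW-CISCO local-identity hostname SRX.JUNIPER.NET
set security ike gateway GW-CISCO external-interface ge-0/0/0.0
```

Checks after commit: `show security ike security-associations` should show the peer in state UP once message 3 is accepted, and `show security ike active-peer` lists the negotiated IKE IDs; if the policy lookup still fails, `set security ike traceoptions flag all` with a trace file shows which gateway kmd tried to match against the received ID payload. Two caveats a practitioner should weigh: the Cisco debug shows it offering NAT-T vendor IDs, so UDP/4500 must be allowed through the modem router as well as UDP/500; and aggressive mode with a PSK sends HASH_R in message 2 computed from values that are all in the clear except the key, so anyone capturing the exchange can brute-force the PSK offline. Use a long random key, and prefer main mode or IKEv2 (which the SRX supports) wherever the spoke's address or Cisco image permits it.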