SRX

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPSec VPN SRX300 to SSG5

    Posted 11-28-2023 10:01

    Hi All, I know most of this audience is full of very smart people. 

    I am looking for any information on creating an IPSec VPN from a SRX running version 22.2R1.9 with a Juniper SSG5 running version  6.2.0.1. 

    I am not sure if these are incompatible with the phase 1 and 2 settings. 


    Initially I was getting a message in the logs as follows:

    " IKE negotiation failed with error: No proposal chosen. "

    So I tweaked the phase 1 proposal and received the following:

    "IKE negotiation failed with error: Invalid syntax. IKE Version: 2,"

    I am using IKEv2 on both devices. 

    Current State:

    show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    6131020 DOWN   e733cfa0b43ba9e3  4de62aa3e0a2a734  IKEv2 

    I did set the time on both firewalls to sync up,

    I will keep adjusting the proposals but looking for any info that can help me out.

    Thanks as always for input and support. 



    ------------------------------
    Paul Andreozzi
    ------------------------------


  • 2.  RE: IPSec VPN SRX300 to SSG5

    Posted 11-28-2023 11:16

    For troubleshooting vpn issues like this you would need to go through the tests and error messages in order.  You start with confirming phase 1 and moving up to phase 2.  Usually the responding side of the vpn as opposed to the initiating side will have the most useful messages.

    You are on the right track that the parameters and timers all need to match on both sides.

    On the ScreenOS device the list of monitor commands order and confirmation is here.

    https://supportportal.juniper.net/s/article/ScreenOS-How-to-Troubleshoot-a-VPN-Tunnel-that-won-t-come-up?language=en_US

    The SRX side will use these commands.

    https://supportportal.juniper.net/s/article/SRX-Resolution-Guide-How-to-troubleshoot-Problem-Scenarios-in-VPN-tunnels?language=en_US



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: IPSec VPN SRX300 to SSG5

    Posted 11-28-2023 11:20

    Thanks, Steve, for your reply. 

    I did get this to work by playing with the proposals. 

    I appreciate your feedback.

    Paul



    ------------------------------
    Paul Andreozzi
    ------------------------------



  • 4.  RE: IPSec VPN SRX300 to SSG5

    Posted 11-28-2023 11:35

    Sorry to chime in late -- but I have several SRX series firewalls VPN tunneling back to my SSG140 (running 6.3.something)

    It works fine as long as you get all the parameters the same. 

    I'm doing both static IPs at both ends and my SSG set to accept SRX connections from non-static addresses.

    but I can also see you got it working. 

    Them proposals are important. :D 

    Cheers, 

     -Ben



    ------------------------------
    Ben Kamen
    ------------------------------