lab setup:
j2320->srx210 (mock isp router) -> srx210
scenario
site to site ipsec vpn carrying ospf. note that srx gets dynamic ip from mock isp router
what works:
sa is established and seems to be solid...check
ospf is full on st0.0...partial check 😞
problem:
ospf is full on st0.0 but dead timer expires repeatedly
jtac is involved. tried multiple things but none made a difference. jtac asked for configs and they are trying to replicate at this time.
Parsed Configs:
J2320
set interfaces st0 unit 0 family inet mtu 1432
set interfaces st0 unit 0 family inet address 10.10.10.5/30
set security ike respond-bad-spi 20
set security ike proposal P1 authentication-method pre-shared-keys
set security ike proposal P1 dh-group group2
set security ike proposal P1 authentication-algorithm sha1
set security ike proposal P1 encryption-algorithm aes-256-cbc
set security ike policy TB_policy mode aggressive
set security ike policy TB_policy description "VPN to TB"
set security ike policy TB_policy proposals P1
set security ike policy TB_policy pre-shared-key ascii-text "$9$1nqESl8X-24ZX7i.PfQz"
set security ike gateway TB_rule-ike ike-policy TB_policy
set security ike gateway TB_rule-ike dynamic user-at-hostname "remote@siatss.com"
set security ike gateway TB_rule-ike external-interface ge-0/0/3.0
set security ipsec proposal P2 protocol esp
set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
set security ipsec proposal P2 encryption-algorithm aes-256-cbc
set security ipsec proposal P2 lifetime-seconds 3600
set security ipsec policy TB_POLICY description TB_IPSEC
set security ipsec policy TB_POLICY perfect-forward-secrecy keys group2
set security ipsec policy TB_POLICY proposals P2
set security ipsec vpn TB-rule-ike bind-interface st0.0
set security ipsec vpn TB-rule-ike df-bit clear
set security ipsec vpn TB-rule-ike ike gateway TB_rule-ike
set security ipsec vpn TB-rule-ike ike idle-time 3600
set security ipsec vpn TB-rule-ike ike ipsec-policy TB_POLICY
set protocols ospf traceoptions file DebugOSPF
set protocols ospf traceoptions file size 5m
set protocols ospf traceoptions flag hello
set protocols ospf export advertise_static
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 20
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 80
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0 passive
SRX210:
set interfaces st0 unit 0 family inet mtu 1432
set interfaces st0 unit 0 family inet address 10.10.10.6/30
set security ike proposal P1-1 authentication-method pre-shared-keys
set security ike proposal P1-1 dh-group group2
set security ike proposal P1-1 authentication-algorithm sha1
set security ike proposal P1-1 encryption-algorithm aes-256-cbc
set security ike proposal P1-1 lifetime-seconds 28800
set security ike policy STJ-POLICY mode aggressive
set security ike policy STJ-POLICY description "VPN to STJ"
set security ike policy STJ-POLICY proposals P1-1
set security ike policy STJ-POLICY pre-shared-key ascii-text "$9$uKVOBRcKMXbs4M8GikqPf"
set security ike gateway STJ-GW ike-policy STJ-POLICY
set security ike gateway STJ-GW address 10.10.10.2
set security ike gateway STJ-GW local-identity user-at-hostname "remote@siatss.com"
set security ike gateway STJ-GW external-interface ge-0/0/0.0
set security ipsec vpn-monitor-options interval 3
set security ipsec vpn-monitor-options threshold 10
set security ipsec proposal P2-1 description group2
set security ipsec proposal P2-1 protocol esp
set security ipsec proposal P2-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-1 encryption-algorithm aes-256-cbc
set security ipsec proposal P2-1 lifetime-seconds 3600
set security ipsec policy STJ-POLICY description STJ-IPSEC
set security ipsec policy STJ-POLICY perfect-forward-secrecy keys group2
set security ipsec policy STJ-POLICY proposals P2-1
set security ipsec vpn STJ-VPN bind-interface st0.0
set security ipsec vpn STJ-VPN df-bit clear
set security ipsec vpn STJ-VPN ike gateway STJ-GW
set security ipsec vpn STJ-VPN ike idle-time 3600
set security ipsec vpn STJ-VPN ike ipsec-policy STJ-POLICY
set security ipsec vpn STJ-VPN establish-tunnels immediately
set protocols ospf traceoptions file DebugOSPF
set protocols ospf traceoptions file size 5m
set protocols ospf traceoptions flag hello
set protocols ospf export ospf-export
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 20
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 80
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface vlan.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive
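
A quick way to rule out a parameter mismatch between the two peers (an added example, not part of the original post): the script parses Junos set lines, drops the locally chosen proposal names, and reports tunnel, proposal and OSPF st0.0 parameters that differ. The helper names are hypothetical and the embedded lines are excerpted from the two configs above.

```python
import re

# Lines excerpted from the post's two configs (keys and descriptions omitted).
J2320 = """
set interfaces st0 unit 0 family inet mtu 1432
set security ike proposal P1 dh-group group2
set security ike proposal P1 encryption-algorithm aes-256-cbc
set security ipsec proposal P2 encryption-algorithm aes-256-cbc
set security ipsec proposal P2 lifetime-seconds 3600
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 20
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 80
"""
SRX210 = """
set interfaces st0 unit 0 family inet mtu 1432
set security ike proposal P1-1 dh-group group2
set security ike proposal P1-1 encryption-algorithm aes-256-cbc
set security ike proposal P1-1 lifetime-seconds 28800
set security ipsec proposal P2-1 encryption-algorithm aes-256-cbc
set security ipsec proposal P2-1 lifetime-seconds 3600
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 20
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 80
"""

# Patterns skip the per-device object name (P1 vs P1-1) so only values compare.
PATTERNS = [
    (r"set interfaces (st0) unit 0 family inet (mtu) (\S+)", "{} {}"),
    (r"set security (ike|ipsec) proposal \S+ (\S+) (\S+)", "{} {}"),
    (r"set protocols (ospf) area \S+ interface st0\.0 (\S+) (\S+)", "{} st0.0 {}"),
]

def tunnel_params(config):
    """Map normalized parameter name -> value for one peer's set commands."""
    params = {}
    for line in config.splitlines():
        for pattern, label in PATTERNS:
            m = re.fullmatch(pattern, line.strip())
            if m:
                params[label.format(m.group(1), m.group(2))] = m.group(3)
    return params

def mismatches(a, b):
    """Parameters whose values differ, or that only one peer sets (None)."""
    pa, pb = tunnel_params(a), tunnel_params(b)
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)}

if __name__ == "__main__":
    for name, (left, right) in mismatches(J2320, SRX210).items():
        print(f"{name}: J2320={left} SRX210={right}")
```

On these excerpts the only difference reported is ike lifetime-seconds, which is set on the SRX210 only; the st0 MTU and the OSPF hello and dead intervals match on both sides.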