SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  [S2S VPN] SRX DynamicIP <-> Cisco IOS DynamicIP

    Posted 01-23-2017 03:29

    Hi,

     

    I'm trying to set up an S2S IPsec VPN between two hosts with dynamic IP addresses, based on FQDN.

    One node (HUB) is an SRX220 with 12.1X46-D60; the second node (SPOKE) is a Cisco router with 12.4T IOS.

    Both nodes have a public Internet IP address obtained from DHCP on the following interfaces:

    ge-0/0/0 on SRX (added to the Internet zone)

    Fa4 on Cisco IOS Router

     

    I have attached the relevant configuration.

     

    The problem is that it looks like no one is initiating phase 1. KMD logs show nothing on the SRX, and debug crypto isakmp & ipsec show nothing on the Cisco.

    This is why I'm assuming that no one is starting phase 1.

    And of course there are no IKE SAs.

     

    Any ideas on that setup?

    Attachment(s): s2s_vpn_dyn.txt (5 KB)


  • 2.  RE: [S2S VPN] SRX DynamicIP <-> Cisco IOS DynamicIP

     
    Posted 01-24-2017 23:03


  • 3.  RE: [S2S VPN] SRX DynamicIP <-> Cisco IOS DynamicIP

    Posted 01-25-2017 04:50

    Hey rsuraj,

    Thanks for the reply.

    DDNS is enabled on both sides and both sides can resolve FQDNs properly.

     

    But still, no luck.

    It would be easier if there were any log messages for IKE, but there are none (I tried traceoptions for IKE and KMD logging; nothing appears in the log files).

    Also, debug crypto isakmp and debug crypto ipsec show nothing on the Cisco side.



  • 4.  RE: [S2S VPN] SRX DynamicIP <-> Cisco IOS DynamicIP

    Posted 01-27-2017 09:23

    Hello again,

    I have gone through some troubleshooting and fine-tuning of the configuration, and now it's somewhat better.

    The Cisco side seems to work as expected. It is creating IKE aggressive mode requests and sending them to the SRX.

    But there are no logs on the SRX.

    What is interesting is that when I change:

     

    gateway ike_gw-SPOKE {
        ike-policy ike-ext_sites_SPOKE;
        dynamic hostname SPOKE.domain.com;
        local-identity hostname HUB.domain.com;
        external-interface ge-0/0/0;
    }

    to this:

    gateway ike_gw-SPOKE {
        ike-policy ike-ext_sites_SPOKE;
        address x.x.x.x; ## real IP address resolved from FQDN
        local-identity hostname HUB.domain.com;
        remote-identity hostname SPOKE.domain.com;
        external-interface ge-0/0/0;
    }

    the tunnel goes up and everything works fine.

     

    Any ideas what could be the root cause?

     

    ----EDIT #1-----

    And there is one more thing. I was previously not aware that an FQDN in aggressive mode cannot be longer than 20 characters (https://kb.juniper.net/InfoCenter/index?page=content&id=KB21716&actp=search).

    Well, in my scenario the tunnel goes up even though the FQDN is 22 characters long 🙂

    But I have tried with a shorter FQDN. At first the packet was processed with a "No proposal chosen" error, but after an ipsec-key-management restart and a crypto engine restart on the Cisco side, packets are no longer seen on the SRX.

    Same with a short U-FQDN.

     

    ---EDIT #2----

    I have captured the error messages for the above scenario, as it appeared to be easily reproducible (attached).

    The interesting fact is that on the Cisco side phase 1 seems to complete successfully.

     

    IPv4 Crypto ISAKMP SA
    dst         src         state          conn-id  status
    1.1.1.1     2.2.2.2    QM_IDLE         2031     ACTIVE

    Attachment(s): debug_dyn-dyn.txt (21 KB)


  • 5.  RE: [S2S VPN] SRX DynamicIP <-> Cisco IOS DynamicIP
    Best Answer

    Posted 02-05-2017 09:50

     

    Just for the record, I finally got this setup working.

     

    The issue with no IKE packets seen on the SRX was trivial...

    user@SRX# show | compare 
    [edit security zones security-zone Internet]
    -     host-inbound-traffic {
    -         system-services {
    -             ike;
    -         }
    -     }
    [edit security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services]
            dhcp { ... }
    +       ike;
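    Review bot: dropping ike from the zone-level host-inbound-traffic while adding it only under ge-0/0/0.0 works because an interface-level host-inbound-traffic list replaces the zone-level list for that interface rather than adding to it, so with dhcp configured there the zone-level ike never applied to ge-0/0/0.0. The same rule means any other interface in the Internet zone now loses inbound IKE; if the zone has more members than ge-0/0/0.0, keep the zone-level ike line (or add ike per interface) instead of removing it.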
    

     

    And for information:

    1. FQDNs used for identity are longer than 20 characters.

    2. Cisco IOS initiates the tunnel by resolving the peer IP from FQDN.

    3. The SRX matches the IKE gateway by FQDN ID, but you can use a UFQDN (email address) if you want. There is no need to use a real FQDN as an IKE identity.

    4. I run multiple tunnels terminated on the SRX in this setup and all of them work fine.
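As an added example (not code from this thread or from Juniper), here is a small Python lint that reads Junos set-style configuration and checks, for each IKE gateway, whether IKE is permitted as host-inbound traffic on the gateway's external interface. It encodes the rule the accepted fix depends on: when an interface has its own host-inbound-traffic list, Junos applies that list instead of the zone-level one, so a zone-level ike entry does nothing for an interface whose own list only names dhcp. The two sample configurations are constructed to mirror the gateway and zone from this thread (the gateway name, zone name and hostnames are taken from the posts); the checker, its regexes and the logical_unit helper are my own assumptions about how to model the config, not a Juniper tool.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" syntax, modelled on the diff in the thread:
# ike is allowed at zone level, but ge-0/0/0.0 carries its own interface-level
# host-inbound-traffic list that only permits dhcp.
BROKEN_CONFIG = """
set security zones security-zone Internet host-inbound-traffic system-services ike
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0
set security ike gateway ike_gw-SPOKE ike-policy ike-ext_sites_SPOKE
set security ike gateway ike_gw-SPOKE dynamic hostname SPOKE.domain.com
set security ike gateway ike_gw-SPOKE local-identity hostname HUB.domain.com
set security ike gateway ike_gw-SPOKE external-interface ge-0/0/0
"""

# The same configuration after the fix from the thread: ike added at the
# interface level, where the dhcp entry already lives.
FIXED_CONFIG = BROKEN_CONFIG + (
    "set security zones security-zone Internet interfaces ge-0/0/0.0 "
    "host-inbound-traffic system-services ike\n"
)

ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
IFACE_SVC = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) host-inbound-traffic system-services (\S+)$")
IFACE_ZONE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
GW_EXT = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")


def parse_config(config):
    """Collect zone memberships, host-inbound-traffic lists and IKE gateways."""
    zone_services = defaultdict(set)   # zone -> services allowed at zone level
    iface_services = {}                # logical interface -> its own service list
    iface_zone = {}                    # logical interface -> zone it belongs to
    gateways = {}                      # gateway name -> external interface
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ZONE_SVC.match(line)
        if m:
            zone_services[m.group(1)].add(m.group(2))
            continue
        m = IFACE_SVC.match(line)
        if m:
            iface_services.setdefault(m.group(2), set()).add(m.group(3))
        m = IFACE_ZONE.match(line)   # also matches the line above; records membership
        if m:
            iface_zone[m.group(2)] = m.group(1)
            continue
        m = GW_EXT.match(line)
        if m:
            gateways[m.group(1)] = m.group(2)
    return zone_services, iface_services, iface_zone, gateways


def logical_unit(ifname):
    """external-interface may name the physical port; zones list the logical unit (assumed unit 0)."""
    return ifname if "." in ifname else ifname + ".0"


def check_ike_inbound(config):
    """Return {gateway: (ok, reason)} for every IKE gateway found in the config."""
    zone_services, iface_services, iface_zone, gateways = parse_config(config)
    results = {}
    for gw, ext in gateways.items():
        ifl = logical_unit(ext)
        zone = iface_zone.get(ifl)
        if zone is None:
            results[gw] = (False, f"{ifl} is not a member of any security zone")
            continue
        # Junos applies the interface-level host-inbound-traffic list instead of
        # (not in addition to) the zone-level list whenever one is configured.
        if ifl in iface_services:
            allowed, scope = iface_services[ifl], f"interface {ifl}"
        else:
            allowed, scope = zone_services.get(zone, set()), f"zone {zone}"
        if "ike" in allowed or "all" in allowed:
            results[gw] = (True, f"ike permitted at {scope}")
        else:
            results[gw] = (False, f"ike missing at {scope}; allowed: {sorted(allowed) or 'nothing'}")
    return results


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        for gw, (ok, reason) in check_ike_inbound(cfg).items():
            print(f"{name}: {gw}: {'OK' if ok else 'FAIL'} - {reason}")
```

Run against the broken sample the checker reports that ike is missing at interface ge-0/0/0.0 even though the zone permits it; against the fixed sample it passes. The same idea generalises to any host-inbound service the peer must reach (a "none of the expected packets show up in the logs" symptom, as in this thread, is exactly what a silently dropped host-inbound service looks like).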