  • 1.  Site-to-Site VPN problems (dynamic to static address)

    Posted 10-14-2014 05:24

    Hi,

     

    We have been using a Site-to-Site VPN configuration for quite some time now. But since this Monday it won't come up anymore.

     

    We've got an SRX220 with a static WAN-IP and an SRX110 with a dynamic WAN-IP. VPN is created using "local-identity user-at-hostname", and we've never experienced any problems with this.

     

    Below is the config.

     

    SRX110 (dynamic WAN-IP):

    [edit security ike]
    admin@SRX110# show
    policy ike_pol_CLIENT {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text ""; ## SECRET-DATA
    }
    gateway gw_CLIENT {
        ike-policy ike_pol_CLIENT;
        address <<SRX220-ADDRESS>>;
        dead-peer-detection;
        local-identity user-at-hostname "vpn@client.nl";
        external-interface fe-0/0/2.0;
    }
    
    
    [edit security ipsec]
    admin@SRX110# show
    policy ipsec_pol_CLIENT {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    
    vpn CLIENT {
        bind-interface st0.3;
        ike {
            gateway gw_CLIENT;
            ipsec-policy ipsec_pol_CLIENT;
        }
        establish-tunnels immediately;
    }
    

     

    SRX220 (static WAN-IP):

    [edit security ike]
    admin@SRX220# show
    policy ike_pol_CLIENT {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text ""; ## SECRET-DATA
    }
    gateway gw_CLIENT {
        ike-policy ike_pol_CLIENT;
        dynamic user-at-hostname "vpn@client.nl";
        local-identity inet <<SRX220-ADDRESS>>;
        external-interface ge-0/0/0.0;
    }
    
    
    
    [edit security ipsec]
    admin@SRX220# show
    policy ipsec_pol_CLIENT {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    vpn CLIENT {
        bind-interface st0.14;
        ike {
            gateway gw_CLIENT;
            ipsec-policy ipsec_pol_CLIENT;
        }
        establish-tunnels immediately;
    }

     

     

    Below are the traceoptions (flag all).

     

    SRX110 (dynamic WAN-IP):

    Oct 14 09:29:08 iked_pm_ike_spd_notify_request: Sending Initial contact
    Oct 14 09:29:08 ssh_ike_connect: Start, remote_name = <<SRX220-ADDRESS>>:500, xchg = 4, flags = 00040000
    Oct 14 09:29:08 ike_sa_allocate: Start, SA = { 50676703 2418a55a - 00000000 00000000 }
    Oct 14 09:29:08 ike_init_isakmp_sa: Start, remote = <<SRX220-ADDRESS>>:500, initiator = 1
    Oct 14 09:29:08 <<SRX110-ADDRESS>>:500 (Initiator) <-> <<SRX220-ADDRESS>>:500 { 50676703 2418a55a - 00000000 00000000 [-1] / 0x00000000 } Aggr; Warning: Number of proposals != 1 in ISAKMP SA, this is against draft!
    Oct 14 09:29:08 ssh_ike_connect: SA = { 50676703 2418a55a - 00000000 00000000}, nego = -1
    Oct 14 09:29:08 ike_st_o_sa_proposal: Start
    Oct 14 09:29:08 ike_st_o_ke: Start
    Oct 14 09:29:08 ike_st_o_nonce: Start
    Oct 14 09:29:08 ike_policy_reply_isakmp_nonce_data_len: Start
    Oct 14 09:29:08 ike_st_o_id: Start
    Oct 14 09:29:08 ike_policy_reply_isakmp_vendor_ids: Start
    Oct 14 09:29:08 ike_st_o_private: Start
    Oct 14 09:29:08 ike_policy_reply_private_payload_out: Start
    Oct 14 09:29:08 ike_encode_packet: Start, SA = { 0x50676703 2418a55a - 00000000 00000000 } / 00000000, nego = -1
    Oct 14 09:29:08 ike_send_packet: Start, send SA = { 50676703 2418a55a - 00000000 00000000}, nego = -1, dst = <<SRX220-ADDRESS>>:500,  routing table id = 0
    Oct 14 09:29:08 ikev2_packet_allocate: Allocated packet a38000 from freelist
    Oct 14 09:29:08 ike_sa_find: Not found SA = { 50676703 2418a55a - bd7521d8 50cb6096 }
    Oct 14 09:29:08 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:29:08 ike_get_sa: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096 } / 00000000, remote = <<SRX220-ADDRESS>>:500
    Oct 14 09:29:08 ike_sa_find: Not found SA = { 50676703 2418a55a - bd7521d8 50cb6096 }
    Oct 14 09:29:08 ike_sa_find_half: Found half SA = { 50676703 2418a55a - 00000000 00000000 }
    Oct 14 09:29:08 ike_sa_upgrade: Start, SA = { 50676703 2418a55a - 00000000 00000000 } -> { ... - bd7521d8 50cb6096 }
    Oct 14 09:29:08 ike_decode_packet: Start
    Oct 14 09:29:08 ike_decode_packet: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096} / 00000000, nego = -1
    Oct 14 09:29:08 ike_decode_payload_sa: Start
    Oct 14 09:29:08 ike_decode_payload_t: Start, # trans = 1
    Oct 14 09:29:08 ike_st_i_sa_value: Start
    Oct 14 09:29:08 ike_st_i_nonce: Start, nonce[0..16] = c80e50f7 9761e13f ...
    Oct 14 09:29:08 ike_st_i_id: Start
    Oct 14 09:29:08 ike_st_i_ke: Ke[0..128] = 4313e71e 1fc6e7b7 ...
    Oct 14 09:29:08 ike_st_i_hash: Start, hash[0..20] = cf7f5a21 e59a31a5 ...
    Oct 14 09:29:08 ike_calc_mac: Start, initiator = true, local = false
    Oct 14 09:29:08 ike_find_pre_shared_key: Find pre shared key key for <<SRX110-ADDRESS>>:500, id = usr@fqdn(any:0,[0..14]=vpn@grift-it.nl) -> <<SRX220-ADDRESS>>:500, id = ipv4(any:0,[0..3]=<<SRX220-ADDRESS>>)
    Oct 14 09:29:08 ike_policy_reply_find_pre_shared_key: Start
    Oct 14 09:29:08 ike_st_i_cert: Start
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    Oct 14 09:29:08 ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
    Oct 14 09:29:08 ike_st_i_private: Start
    Oct 14 09:29:08 ike_st_o_hash: Start
    Oct 14 09:29:08 ike_calc_mac: Start, initiator = true, local = true
    Oct 14 09:29:08 ike_st_o_status_n: Start
    Oct 14 09:29:08 ike_st_o_private: Start
    Oct 14 09:29:08 ike_policy_reply_private_payload_out: Start
    Oct 14 09:29:08 ike_policy_reply_private_payload_out: Start
    Oct 14 09:29:08 ike_policy_reply_private_payload_out: Start
    Oct 14 09:29:08 ike_st_o_optional_encrypt: Marking encryption for packet
    Oct 14 09:29:08 ike_st_o_wait_done: Marking for waiting for done
    Oct 14 09:29:08 ike_st_o_all_done: MESSAGE: Phase 1 { 0x50676703 2418a55a - 0xbd7521d8 50cb6096 } / 00000000, version = 1.0, xchg = Aggressive, auth_method = Pre shared keys, Initiator, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key len = 0
    Oct 14 09:29:08 <<SRX110-ADDRESS>>:500 (Initiator) <-> <<SRX220-ADDRESS>>:500 { 50676703 2418a55a - bd7521d8 50cb6096 [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec,
    Oct 14 09:29:08 ike_encode_packet: Start, SA = { 0x50676703 2418a55a - bd7521d8 50cb6096 } / 00000000, nego = -1
    Oct 14 09:29:08 ike_send_packet: Start, send SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = -1, dst = <<SRX220-ADDRESS>>:500,  routing table id = 0
    Oct 14 09:29:08 ike_send_notify: Connected, SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = -1
    Oct 14 09:29:08 iked_pm_ike_sa_done: local:<<SRX110-ADDRESS>>, remote:<<SRX220-ADDRESS>> IKEv1
    Oct 14 09:29:08 IKE negotiation done for local:<<SRX110-ADDRESS>>, remote:<<SRX220-ADDRESS>> IKEv1 with status: Error ok
    Oct 14 09:29:08 Added (spi=0x390ed5a3, protocol=0) entry to the spi table
    Oct 14 09:29:08 Added (spi=0x9e7e8f5d, protocol=0) entry to the spi table
    Oct 14 09:29:08 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00010000
    Oct 14 09:29:08 ike_sa_find_ip_port: Remote = all:500, Found SA = { 50676703 2418a55a - bd7521d8 50cb6096}
    Oct 14 09:29:08 ike_alloc_negotiation: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096}
    Oct 14 09:29:08 ssh_ike_connect_ipsec: SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = 0
    Oct 14 09:29:08 ike_init_qm_negotiation: Start, initiator = 1, message_id = 52a938bd
    Oct 14 09:29:08 ike_st_o_qm_hash_1: Start
    Oct 14 09:29:08 ike_st_o_qm_sa_proposals: Start
    Oct 14 09:29:08 ike_st_o_qm_nonce: Start
    Oct 14 09:29:08 ike_policy_reply_qm_nonce_data_len: Start
    Oct 14 09:29:08 ike_st_o_qm_optional_ke: Start
    Oct 14 09:29:08 ike_st_o_qm_optional_ids: Start
    Oct 14 09:29:08 ike_st_qm_optional_id: Start
    Oct 14 09:29:08 ike_st_qm_optional_id: Start
    Oct 14 09:29:08 ike_st_o_private: Start
    Oct 14 09:29:08 Construction NHTB payload for  local:<<SRX110-ADDRESS>>, remote:<<SRX220-ADDRESS>> IKEv1 P1 SA index 4570866 sa-cfg CLIENT
    Oct 14 09:29:08 ike_policy_reply_private_payload_out: Start
    Oct 14 09:29:08 ike_policy_reply_private_payload_out: Start
    Oct 14 09:29:08 ike_st_o_encrypt: Marking encryption for packet
    Oct 14 09:29:08 ike_encode_packet: Start, SA = { 0x50676703 2418a55a - bd7521d8 50cb6096 } / 52a938bd, nego = 0
    Oct 14 09:29:08 ike_finalize_qm_hash_1: Hash[0..20] = d81b2b32 97d45670 ...
    Oct 14 09:29:08 ike_send_packet: Start, send SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = 0, dst = <<SRX220-ADDRESS>>:500,  routing table id = 0
    Oct 14 09:29:08 ikev2_packet_allocate: Allocated packet a38400 from freelist
    Oct 14 09:29:08 ike_sa_find: Found SA = { 50676703 2418a55a - bd7521d8 50cb6096 }
    Oct 14 09:29:08 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:29:08 ike_get_sa: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096 } / 499eb11f, remote = <<SRX220-ADDRESS>>:500
    Oct 14 09:29:08 ike_sa_find: Found SA = { 50676703 2418a55a - bd7521d8 50cb6096 }
    Oct 14 09:29:08 ike_st_o_done: ISAKMP SA negotiation done
    Oct 14 09:29:08 ike_send_notify: Connected, SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = -1
    Oct 14 09:29:08 ike_free_negotiation_isakmp: Start, nego = -1
    Oct 14 09:29:08 ike_free_negotiation: Start, nego = -1
    Oct 14 09:29:08 ike_alloc_negotiation: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096}
    Oct 14 09:29:08 ike_decode_packet: Start
    Oct 14 09:29:08 ike_decode_packet: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096} / 499eb11f, nego = 1
    Oct 14 09:29:08 ike_st_i_encrypt: Check that packet was encrypted succeeded
    Oct 14 09:29:08 ike_st_i_gen_hash: Start, hash[0..20] = 983f6c86 079464c1 ...
    Oct 14 09:29:08 ike_st_i_d: Start, doi = 1, protocol = 1, spis[0..1][0..16] = [50676703 2418a55a ...]
    Oct 14 09:29:08 ike_sa_find: Found SA = { 50676703 2418a55a - bd7521d8 50cb6096 }
    Oct 14 09:29:08 <none>:500 (Responder) <-> <<SRX220-ADDRESS>>:500 { 50676703 2418a55a - bd7521d8 50cb6096 [1] / 0x499eb11f } Info; delete spi[16] = 0x50676703 2418a55a bd7521d8 50cb6096
    Oct 14 09:29:08 ike_st_i_private: Start
    Oct 14 09:29:08 ike_send_notify: Connected, SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = 1
    Oct 14 09:29:08 ike_delete_negotiation: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = 1
    Oct 14 09:29:08 ike_free_negotiation_info: Start, nego = 1
    Oct 14 09:29:08 ike_free_negotiation: Start, nego = 1
    Oct 14 09:29:08 ike_remove_callback: Start, delete SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = -1
    Oct 14 09:29:08 ike_delete_negotiation: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096}, nego = -1
    Oct 14 09:29:08 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    Oct 14 09:29:08 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    Oct 14 09:29:08 ike_sa_delete: Start, SA = { 50676703 2418a55a - bd7521d8 50cb6096 }
    Oct 14 09:29:08 ike_free_negotiation_qm: Start, nego = 0
    Oct 14 09:29:08 ike_free_negotiation: Start, nego = 0
    Oct 14 09:29:08 ike_free_id_payload: Start, id type = 4
    Oct 14 09:29:08 ike_free_id_payload: Start, id type = 4
    Oct 14 09:29:08 ike_free_negotiation_isakmp: Start, nego = -1
    Oct 14 09:29:08 ike_free_negotiation: Start, nego = -1
    Oct 14 09:29:08 IKE SA delete called for p1 sa 4570866 (ref cnt 2) local:<<SRX110-ADDRESS>>, remote:<<SRX220-ADDRESS>>, IKEv1
    Oct 14 09:29:08 P1 SA 4570866 reference count is not zero (1). Delaying deletion of SA
    Oct 14 09:29:08 ike_free_id_payload: Start, id type = 3
    Oct 14 09:29:08 ike_free_id_payload: Start, id type = 1
    Oct 14 09:29:08 ike_free_sa: Start
    Oct 14 09:29:08 iked_pm_p1_sa_destroy:  p1 sa 4570866 (ref cnt 0), waiting_for_del 0xa822c0
    Oct 14 09:29:08 iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)

     

    SRX220 (static WAN-IP - used for multiple VPN connections):

    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0x9e6800)
    Oct 14 09:39:02 iked_pm_dpd_timer_callback: No dpd for gateway(0xa0d400)
    Oct 14 09:39:03 DPD -> TTL decrement 2 (no-response) for remote peer <<UNIMPORTANT-ADDRESS-1>>
    Oct 14 09:39:03 ssh_ike_connect_notify: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:03 ike_sa_find_ip_port: Remote = all:500, Found SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:03 ike_alloc_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:03 ssh_ike_connect_notify: SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:03 ike_encode_packet: Start, SA = { 0x34344b02 c8b86d37 - 959df49d 4ae49a3b } / 24e2c3dc, nego = 0
    Oct 14 09:39:03 ike_send_packet: Start, send SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500,  routing table id = 0
    Oct 14 09:39:03 ike_delete_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:03 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:03 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:04 ikev2_packet_allocate: Allocated packet a3a000 from freelist
    Oct 14 09:39:04 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:39:04 ike_get_sa: Start, SA = { d4014a00 57304730 - 00000000 00000000 } / 00000000, remote = <<SRX110-ADDRESS>>:500
    Oct 14 09:39:04 ike_sa_allocate: Start, SA = { d4014a00 57304730 - 510e6cba f07390c6 }
    Oct 14 09:39:04 ike_init_isakmp_sa: Start, remote = <<SRX110-ADDRESS>>:500, initiator = 0
    Oct 14 09:39:04 ike_decode_packet: Start
    Oct 14 09:39:05 ike_decode_packet: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f} / 00000000, nego = -1
    Oct 14 09:39:05 ike_decode_payload_sa: Start
    Oct 14 09:39:05 ike_decode_payload_t: Start, # trans = 1
    Oct 14 09:39:05 ike_decode_payload_t: Start, # trans = 1
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    Oct 14 09:39:05 ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
    Oct 14 09:39:05 ike_st_i_id: Start
    Oct 14 09:39:05 ike_st_i_sa_proposal: Start
    Oct 14 09:39:05 ike_free_id_payload: Start, id type = 3
    Oct 14 09:39:05 ike_isakmp_sa_reply: Start
    Oct 14 09:39:05 ike_state_restart_packet: Start, restart packet SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1
    Oct 14 09:39:05 ike_st_i_sa_proposal: Start
    Oct 14 09:39:05 ike_st_i_nonce: Start, nonce[0..16] = 1b1dcc27 0190c802 ...
    Oct 14 09:39:05 ike_st_i_cert: Start
    Oct 14 09:39:05 ike_st_i_hash_key: Start, no key_hash
    Oct 14 09:39:05 ike_st_i_ke: Ke[0..128] = 84d54559 0cfbd22b ...
    Oct 14 09:39:05 ike_st_i_cr: Start
    Oct 14 09:39:05 ike_st_i_private: Start
    Oct 14 09:39:05 ike_st_o_sa_values: Start
    Oct 14 09:39:05 ike_st_o_ke: Start
    Oct 14 09:39:05 ike_st_o_nonce: Start
    Oct 14 09:39:05 ike_policy_reply_isakmp_nonce_data_len: Start
    Oct 14 09:39:05 ike_st_o_id: Start
    Oct 14 09:39:05 ike_policy_reply_isakmp_id: Start
    Oct 14 09:39:05 ike_state_restart_packet: Start, restart packet SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1
    Oct 14 09:39:05 ike_st_o_id: Start
    Oct 14 09:39:05 ike_st_o_certs_base: Start
    Oct 14 09:39:05 ike_st_o_sig_or_hash: Start, auth_method = 4
    Oct 14 09:39:05 ike_st_o_hash: Start
    Oct 14 09:39:05 ike_find_pre_shared_key: Find pre shared key key for <<SRX220-ADDRESS>>:500, id = ipv4(any:0,[0..3]=<<SRX220-ADDRESS>>) -> <<SRX110-ADDRESS>>:500, id = usr@fqdn(any:0,[0..14]=vpn@client.nl)
    Oct 14 09:39:05 ike_policy_reply_find_pre_shared_key: Start
    Oct 14 09:39:05 ike_state_restart_packet: Start, restart packet SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1
    Oct 14 09:39:05 ike_st_o_sig_or_hash: Start, auth_method = 4
    Oct 14 09:39:05 ike_st_o_hash: Start
    Oct 14 09:39:05 ike_find_pre_shared_key: Find pre shared key key for <<SRX220-ADDRESS>>:500, id = ipv4(any:0,[0..3]=<<SRX220-ADDRESS>>) -> <<SRX110-ADDRESS>>:500, id = usr@fqdn(any:0,[0..14]=vpn@client.nl)
    Oct 14 09:39:05 ike_calc_mac: Start, initiator = false, local = true
    Oct 14 09:39:05 ike_policy_reply_isakmp_vendor_ids: Start
    Oct 14 09:39:05 ike_st_o_status_n: Start
    Oct 14 09:39:05 ike_st_o_private: Start
    Oct 14 09:39:05 ike_policy_reply_private_payload_out: Start
    Oct 14 09:39:05 ike_policy_reply_private_payload_out: Start
    Oct 14 09:39:05 ike_policy_reply_private_payload_out: Start
    Oct 14 09:39:05 ike_st_o_calc_skeyid: Calculating skeyid
    Oct 14 09:39:05 ike_encode_packet: Start, SA = { 0xd4014a00 57304730 - 7dd0f8dd 1d98ad6f } / 00000000, nego = -1
    Oct 14 09:39:05 ike_send_packet: Start, send SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1, dst = <<SRX110-ADDRESS>>:500,  routing table id = 0
    Oct 14 09:39:05 ikev2_packet_allocate: Allocated packet a52000 from freelist
    Oct 14 09:39:05 ikev2_packet_allocate: Allocated packet a3f000 from freelist
    Oct 14 09:39:05 ike_sa_find: Found SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f }
    Oct 14 09:39:05 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:39:05 ike_get_sa: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f } / f90e8bd9, remote = <<SRX110-ADDRESS>>:500
    Oct 14 09:39:05 ike_sa_find: Found SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f }
    Oct 14 09:39:05 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Cannot start new phase 2 negotiation, because phase 1 still in progress
    Oct 14 09:39:05 ike_sa_find: Found SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f }
    Oct 14 09:39:05 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:39:05 ike_get_sa: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f } / 00000000, remote = <<SRX110-ADDRESS>>:500
    Oct 14 09:39:05 ike_sa_find: Found SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f }
    Oct 14 09:39:05 ike_decode_packet: Start
    Oct 14 09:39:05 ike_decode_packet: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f} / 00000000, nego = -1
    Oct 14 09:39:05 ike_st_i_hash: Start, hash[0..20] = 8f12be4f 080d0ba0 ...
    Oct 14 09:39:05 ike_calc_mac: Start, initiator = false, local = false
    Oct 14 09:39:05 ike_st_i_cert: Start
    Oct 14 09:39:05 ike_st_i_private: Start
    Oct 14 09:39:05 ike_st_o_wait_done: Marking for waiting for done
    Oct 14 09:39:05 ike_st_o_all_done: MESSAGE: Phase 1 { 0xd4014a00 57304730 - 0x7dd0f8dd 1d98ad6f } / 00000000, version = 1.0, xchg = Aggressive, auth_method = Pre shared keys, Responder, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key len = 0
    Oct 14 09:39:05 <<SRX220-ADDRESS>>:500 (Responder) <-> <<SRX110-ADDRESS>>:500 { d4014a00 57304730 - 7dd0f8dd 1d98ad6f [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec,
    Oct 14 09:39:05 ike_send_notify: Connected, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1
    Oct 14 09:39:05 iked_pm_ike_sa_done: local:<<SRX220-ADDRESS>>, remote:<<SRX110-ADDRESS>> IKEv1
    Oct 14 09:39:05 IKE negotiation done for local:<<SRX220-ADDRESS>>, remote:<<SRX110-ADDRESS>> IKEv1 with status: Error ok
    Oct 14 09:39:05 iked_fetch_or_create_peer_entry: Gateways gw_CLIENT2 and gw_CLIENT for local <<SRX220-ADDRESS>>:1f4 and remote <<SRX110-ADDRESS>>:1f4. peer_entry creation failed
    Oct 14 09:39:05 Failed to create peer_entry for local:<<SRX220-ADDRESS>>:500, remote:<<SRX110-ADDRESS>>:500 in ike sa done
    Oct 14 09:39:05 P1 SA 7916729 timer expiry. ref cnt 1, timer reason Defer delete timer expired (3), flags 0x330.
    Oct 14 09:39:05 iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 7916729, ref cnt 1, status: Error ok
    Oct 14 09:39:05 ike_expire_callback: Start, expire SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1
    Oct 14 09:39:05 ike_alloc_negotiation: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}
    Oct 14 09:39:05 ike_encode_packet: Start, SA = { 0xd4014a00 57304730 - 7dd0f8dd 1d98ad6f } / ae5e6e58, nego = 0
    Oct 14 09:39:05 ike_send_packet: Start, send SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = 0, dst = <<SRX110-ADDRESS>>:500,  routing table id = 0
    Oct 14 09:39:05 ike_delete_negotiation: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = 0
    Oct 14 09:39:05 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:05 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:05 ike_remove_callback: Start, delete SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1
    Oct 14 09:39:05 ike_delete_negotiation: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f}, nego = -1
    Oct 14 09:39:05 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    Oct 14 09:39:05 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    Oct 14 09:39:05 ike_sa_delete: Start, SA = { d4014a00 57304730 - 7dd0f8dd 1d98ad6f }
    Oct 14 09:39:05 ike_free_negotiation_isakmp: Start, nego = -1
    Oct 14 09:39:05 ike_free_negotiation: Start, nego = -1
    Oct 14 09:39:05 IKE SA delete called for p1 sa 7916729 (ref cnt 1) local:<<SRX220-ADDRESS>>, remote:<<SRX110-ADDRESS>>, IKEv1
    Oct 14 09:39:05 iked_pm_p1_sa_destroy:  p1 sa 7916729 (ref cnt 0), waiting_for_del 0x0
    Oct 14 09:39:05 ike_free_id_payload: Start, id type = 1
    Oct 14 09:39:05 ike_free_id_payload: Start, id type = 3
    Oct 14 09:39:05 ike_free_sa: Start
    Oct 14 09:39:13 DPD -> TTL decrement 1 (no-response) for remote peer <<UNIMPORTANT-ADDRESS-1>>
    Oct 14 09:39:13 ssh_ike_connect_notify: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:13 ike_sa_find_ip_port: Remote = all:500, Found SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:13 ike_alloc_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:13 ssh_ike_connect_notify: SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:13 ike_encode_packet: Start, SA = { 0x34344b02 c8b86d37 - 959df49d 4ae49a3b } / 1a6fd09e, nego = 0
    Oct 14 09:39:13 ike_send_packet: Start, send SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500,  routing table id = 0
    Oct 14 09:39:13 ike_delete_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:13 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:13 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:20 Deleted (spi=0xbde070a2, protocol=ESP dst=<<SRX220-ADDRESS>>) entry from the peer hash table. Reason: vpn monitoring
    Oct 14 09:39:20 ssh_ike_connect_delete: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:20 ssh_ike_create_delete_internal: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:20 ike_sa_find_ip_port: Remote = all:500, Found SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:20 ike_alloc_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:20 ssh_ike_create_delete_internal: SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:20 ike_encode_packet: Start, SA = { 0x34344b02 c8b86d37 - 959df49d 4ae49a3b } / 98d215f3, nego = 0
    Oct 14 09:39:20 ike_send_packet: Start, send SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500,  routing table id = 0
    Oct 14 09:39:20 ike_delete_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:20 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:20 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:20 NHTB entry not found. Not deleting NHTB entry
    Oct 14 09:39:20 In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 131074;SPI-In = 0xbde070a2
    Oct 14 09:39:20 Deleted SA pair for tunnel = 131074 with SPI-In = 0xbde070a2 to kernel
    Oct 14 09:39:20 Deleted (spi=0xbde070a2, protocol=ESP) entry from the inbound sa spi hash table
    Oct 14 09:39:20 Deleted (spi=0x7c8e344e, protocol=ESP dst=<<UNIMPORTANT-ADDRESS-1>>) entry from the peer hash table. Reason: vpn monitoring
    Oct 14 09:39:20 Deleted (spi=0xea0cbc1e, protocol=ESP dst=<<SRX220-ADDRESS>>) entry from the peer hash table. Reason: vpn monitoring
    Oct 14 09:39:20 ssh_ike_connect_delete: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:20 ssh_ike_create_delete_internal: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:20 ike_sa_find_ip_port: Remote = all:500, Found SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:20 ike_alloc_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:20 ssh_ike_create_delete_internal: SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:20 ike_encode_packet: Start, SA = { 0x34344b02 c8b86d37 - 959df49d 4ae49a3b } / fa2d52fb, nego = 0
    Oct 14 09:39:20 ike_send_packet: Start, send SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500,  routing table id = 0
    Oct 14 09:39:20 ike_delete_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:20 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:20 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:20 NHTB entry not found. Not deleting NHTB entry
    Oct 14 09:39:20 In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 131074;SPI-In = 0xea0cbc1e
    Oct 14 09:39:20 Deleted SA pair for tunnel = 131074 with SPI-In = 0xea0cbc1e to kernel
    Oct 14 09:39:20 Deleted (spi=0xea0cbc1e, protocol=ESP) entry from the inbound sa spi hash table
    Oct 14 09:39:20 Deleted (spi=0x5071791, protocol=ESP dst=<<UNIMPORTANT-ADDRESS-1>>) entry from the peer hash table. Reason: vpn monitoring
    Oct 14 09:39:28 ssh_ike_connect_notify: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:28 ike_sa_find_ip_port: Remote = all:500, Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:28 ike_alloc_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:28 ssh_ike_connect_notify: SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:28 ike_encode_packet: Start, SA = { 0xcefce836 dcac4187 - 2dcdb441 0754f0fa } / 1936bc5a, nego = 0
    Oct 14 09:39:28 ike_send_packet: Start, send SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-2>>:500,  routing table id = 0
    Oct 14 09:39:28 ike_delete_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:28 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:28 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:28 ikev2_packet_allocate: Allocated packet a3b000 from freelist
    Oct 14 09:39:28 ike_sa_find: Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa }
    Oct 14 09:39:28 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:39:28 ike_get_sa: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa } / 293a999c, remote = <<UNIMPORTANT-ADDRESS-2>>:500
    Oct 14 09:39:28 ike_sa_find: Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa }
    Oct 14 09:39:28 ike_alloc_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:28 ike_decode_packet: Start
    Oct 14 09:39:28 ike_decode_packet: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa} / 293a999c, nego = 0
    Oct 14 09:39:28 ike_st_i_encrypt: Check that packet was encrypted succeeded
    Oct 14 09:39:28 ike_st_i_gen_hash: Start, hash[0..20] = 6a0ee59c 6dae8dc0 ...
    Oct 14 09:39:28 ike_st_i_n: Start, doi = 1, protocol = 1, code = DPD I Am Here (36137), spi[0..16] = cefce836 dcac4187 ..., data[0..4] = df63cfc8 00000000 ...
    Oct 14 09:39:28 Received authenticated notification payload unknown from local:<<SRX220-ADDRESS>> remote:<<UNIMPORTANT-ADDRESS-2>> IKEv1 for P1 SA 7916722
    Oct 14 09:39:28 iked_pm_process_dpd_ack: Received IKE DPD R_U_THERE_ACK from IKE local:<<SRX220-ADDRESS>> peer:<<UNIMPORTANT-ADDRESS-2>> index 7916722 sequence number 3747860424
    Oct 14 09:39:28 ike_st_i_private: Start
    Oct 14 09:39:28 ike_send_notify: Connected, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:28 ike_delete_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:28 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:28 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:30 Added (spi=0xf7791105, protocol=0) entry to the spi table
    Oct 14 09:39:30 Added (spi=0x8c1f46f6, protocol=0) entry to the spi table
    Oct 14 09:39:30 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:30 ike_sa_find_ip_port: Remote = all:500, Found SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:30 ike_alloc_negotiation: Start, SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}
    Oct 14 09:39:30 ssh_ike_connect_ipsec: SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:30 ike_init_qm_negotiation: Start, initiator = 1, message_id = 2b9a99b2
    Oct 14 09:39:30 ike_st_o_qm_hash_1: Start
    Oct 14 09:39:30 ike_st_o_qm_sa_proposals: Start
    Oct 14 09:39:30 ike_st_o_qm_nonce: Start
    Oct 14 09:39:30 ike_policy_reply_qm_nonce_data_len: Start
    Oct 14 09:39:30 ike_st_o_qm_optional_ke: Start
    Oct 14 09:39:30 ike_st_o_qm_optional_ids: Start
    Oct 14 09:39:30 ike_st_qm_optional_id: Start
    Oct 14 09:39:30 ike_st_qm_optional_id: Start
    Oct 14 09:39:30 ike_st_o_private: Start
    Oct 14 09:39:30 Construction NHTB payload for  local:<<SRX220-ADDRESS>>, remote:<<UNIMPORTANT-ADDRESS-1>> IKEv1 P1 SA index 7916648 sa-cfg <<CLIENT-2>>
    Oct 14 09:39:30 ike_policy_reply_private_payload_out: Start
    Oct 14 09:39:30 ike_policy_reply_private_payload_out: Start
    Oct 14 09:39:30 ike_st_o_encrypt: Marking encryption for packet
    Oct 14 09:39:30 ike_encode_packet: Start, SA = { 0x34344b02 c8b86d37 - 959df49d 4ae49a3b } / 2b9a99b2, nego = 0
    Oct 14 09:39:30 ike_finalize_qm_hash_1: Hash[0..20] = 9fcde136 2c4f67b9 ...
    Oct 14 09:39:30 ike_send_packet: Start, send SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500,  routing table id = 0
    Oct 14 09:39:35 ike_retransmit_callback: Start, retransmit SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:35 ike_send_packet: Start, retransmit previous packet SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500 routing table id = 0
    Oct 14 09:39:38 ssh_ike_connect_notify: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:38 ike_sa_find_ip_port: Remote = all:500, Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:38 ike_alloc_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:38 ssh_ike_connect_notify: SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:38 ike_encode_packet: Start, SA = { 0xcefce836 dcac4187 - 2dcdb441 0754f0fa } / 78ea93bf, nego = 0
    Oct 14 09:39:38 ike_send_packet: Start, send SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-2>>:500,  routing table id = 0
    Oct 14 09:39:38 ike_delete_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:38 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:38 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:38 ikev2_packet_allocate: Allocated packet a3cc00 from freelist
    Oct 14 09:39:38 ike_sa_find: Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa }
    Oct 14 09:39:38 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:39:38 ike_get_sa: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa } / 4d193055, remote = <<UNIMPORTANT-ADDRESS-2>>:500
    Oct 14 09:39:38 ike_sa_find: Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa }
    Oct 14 09:39:38 ike_alloc_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:38 ike_decode_packet: Start
    Oct 14 09:39:38 ike_decode_packet: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa} / 4d193055, nego = 0
    Oct 14 09:39:38 ike_st_i_encrypt: Check that packet was encrypted succeeded
    Oct 14 09:39:38 ike_st_i_gen_hash: Start, hash[0..20] = eaeef317 8eccf742 ...
    Oct 14 09:39:38 ike_st_i_n: Start, doi = 1, protocol = 1, code = DPD I Am Here (36137), spi[0..16] = cefce836 dcac4187 ..., data[0..4] = df63cfc9 00000000 ...
    Oct 14 09:39:38 Received authenticated notification payload unknown from local:<<SRX220-ADDRESS>> remote:<<UNIMPORTANT-ADDRESS-2>> IKEv1 for P1 SA 7916722
    Oct 14 09:39:38 iked_pm_process_dpd_ack: Received IKE DPD R_U_THERE_ACK from IKE local:<<SRX220-ADDRESS>> peer:<<UNIMPORTANT-ADDRESS-2>> index 7916722 sequence number 3747860425
    Oct 14 09:39:38 ike_st_i_private: Start
    Oct 14 09:39:38 ike_send_notify: Connected, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:38 ike_delete_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:38 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:38 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:45 ike_retransmit_callback: Start, retransmit SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0
    Oct 14 09:39:45 ike_send_packet: Start, retransmit previous packet SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500 routing table id = 0
    Oct 14 09:39:48 ssh_ike_connect_notify: Start, remote_name = :500, flags = 00010000
    Oct 14 09:39:48 ike_sa_find_ip_port: Remote = all:500, Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:48 ike_alloc_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:48 ssh_ike_connect_notify: SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:48 ike_encode_packet: Start, SA = { 0xcefce836 dcac4187 - 2dcdb441 0754f0fa } / c5f2c21b, nego = 0
    Oct 14 09:39:48 ike_send_packet: Start, send SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-2>>:500,  routing table id = 0
    Oct 14 09:39:48 ike_delete_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:48 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:48 ike_free_negotiation: Start, nego = 0
    Oct 14 09:39:48 ikev2_packet_allocate: Allocated packet a3b800 from freelist
    Oct 14 09:39:48 ike_sa_find: Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa }
    Oct 14 09:39:48 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Oct 14 09:39:48 ike_get_sa: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa } / 8f27051a, remote = <<UNIMPORTANT-ADDRESS-2>>:500
    Oct 14 09:39:48 ike_sa_find: Found SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa }
    Oct 14 09:39:48 ike_alloc_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}
    Oct 14 09:39:48 ike_decode_packet: Start
    Oct 14 09:39:48 ike_decode_packet: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa} / 8f27051a, nego = 0
    Oct 14 09:39:48 ike_st_i_encrypt: Check that packet was encrypted succeeded
    Oct 14 09:39:48 ike_st_i_gen_hash: Start, hash[0..20] = fd0ba4d5 f1374c9d ...
    Oct 14 09:39:48 ike_st_i_n: Start, doi = 1, protocol = 1, code = DPD I Am Here (36137), spi[0..16] = cefce836 dcac4187 ..., data[0..4] = df63cfca 00000000 ...
    Oct 14 09:39:48 Received authenticated notification payload unknown from local:<<SRX220-ADDRESS>> remote:<<UNIMPORTANT-ADDRESS-2>> IKEv1 for P1 SA 7916722
    Oct 14 09:39:48 iked_pm_process_dpd_ack: Received IKE DPD R_U_THERE_ACK from IKE local:<<SRX220-ADDRESS>> peer:<<UNIMPORTANT-ADDRESS-2>> index 7916722 sequence number 3747860426
    Oct 14 09:39:48 ike_st_i_private: Start
    Oct 14 09:39:48 ike_send_notify: Connected, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:48 ike_delete_negotiation: Start, SA = { cefce836 dcac4187 - 2dcdb441 0754f0fa}, nego = 0
    Oct 14 09:39:48 ike_free_negotiation_info: Start, nego = 0
    Oct 14 09:39:48 ike_free_negotiation: Start, nego = 0

     

    On the SRX110, I noticed: 

    Oct 14 09:29:08 <<SRX110-ADDRESS>>:500 (Initiator) <-> <<SRX220-ADDRESS>>:500 { 50676703 2418a55a - 00000000 00000000 [-1] / 0x00000000 } Aggr; Warning: Number of proposals != 1 in ISAKMP SA, this is against draft!

     

    On the SRX220, I noticed: 

    Oct 14 09:39:05 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Cannot start new phase 2 negotiation, because phase 1 still in progress

    Oct 14 09:39:05 iked_fetch_or_create_peer_entry: Gateways gw_CLIENT2 and gw_CLIENT for local <<SRX220-ADDRESS>>:1f4 and remote <<SRX110-ADDRESS>>:1f4. peer_entry creation failed

     

     

    However, I don't know where to look or what to test anymore. Also, checking with "show security ike security-associations" returns nothing.

     

     

    Can someone please help me 🙂

     

    With kind regards


    #user-at-hostname
    #ike
    #dynamicwan-ip
    #site-to-site
    #SRX110
    #SRX220
    #vpn
    #IPSec
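
A small triage script for iked traces like the one posted above, as an added example that is not part of the original post: it flags the "peer_entry creation failed" gateway clash and the blocked phase 2 message, and counts retransmits per IKE SA cookie pair and DPD acknowledgements per P1 SA index. The `triage` function and the sample lines (abridged from the trace above) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the trace in the post above.
SAMPLE = """\
Oct 14 09:39:05 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Cannot start new phase 2 negotiation, because phase 1 still in progress
Oct 14 09:39:05 iked_fetch_or_create_peer_entry: Gateways gw_CLIENT2 and gw_CLIENT for local <<SRX220-ADDRESS>>:1f4 and remote <<SRX110-ADDRESS>>:1f4. peer_entry creation failed
Oct 14 09:39:30 ike_send_packet: Start, send SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500,  routing table id = 0
Oct 14 09:39:35 ike_send_packet: Start, retransmit previous packet SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500 routing table id = 0
Oct 14 09:39:38 iked_pm_process_dpd_ack: Received IKE DPD R_U_THERE_ACK from IKE local:<<SRX220-ADDRESS>> peer:<<UNIMPORTANT-ADDRESS-2>> index 7916722 sequence number 3747860425
Oct 14 09:39:45 ike_send_packet: Start, retransmit previous packet SA = { 34344b02 c8b86d37 - 959df49d 4ae49a3b}, nego = 0, dst = <<UNIMPORTANT-ADDRESS-1>>:500 routing table id = 0
"""

# Initiator/responder cookie pair as printed in the trace, with or without a 0x prefix.
SA_RE = re.compile(r"SA = \{ ?(?:0x)?([0-9a-f]{8} [0-9a-f]{8}) - ([0-9a-f]{8} [0-9a-f]{8}) ?\}")
# Two gateway definitions resolving to the same local/remote pair.
CLASH_RE = re.compile(r"Gateways (\S+) and (\S+) for local .*peer_entry creation failed")
# A DPD acknowledgement means the phase 1 SA with that index is alive.
DPD_RE = re.compile(r"DPD R_U_THERE_ACK .* index (\d+)")


def triage(text):
    """Summarise an iked trace: gateway clashes, blocked P2, retransmits, DPD acks."""
    clashes, p2_blocked = [], 0
    retransmits, dpd_acks = defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        if m := CLASH_RE.search(line):
            clashes.append((m.group(1), m.group(2)))
        elif "phase 1 still in progress" in line:
            p2_blocked += 1
        elif "retransmit previous packet" in line and (m := SA_RE.search(line)):
            # Key by cookie pair; repeated retransmits mean the peer is not answering.
            retransmits["-".join(m.groups()).replace(" ", "")] += 1
        elif m := DPD_RE.search(line):
            dpd_acks[m.group(1)] += 1
    return {"gateway_clashes": clashes, "p2_blocked": p2_blocked,
            "retransmits": dict(retransmits), "dpd_acks": dict(dpd_acks)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

An SA that shows retransmits but no DPD acknowledgements is the one to look at first; SAs that only show DPD acknowledgements belong to tunnels that are up.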


  • 2.  RE: Site-to-Site VPN problems (dynamic to static address)

    Posted 10-16-2014 06:01

    Hi support@grift-it.nl ,

     

     

    Need the following outputs as the current messages are not helpful.

     

    Capture the packets using the monitor command on both ends, capture a couple of VPN negotiations, and upload them.

     

     

     monitor traffic interface fe-0/0/2.0 extensive no-resolve size 1500 matching udp write-file /var/tmp/vpn-dyn-end.pcap
     monitor traffic interface ge-0/0/0 extensive no-resolve size 1500 matching udp write-file /var/tmp/vpn-static-end.pcap

     

    Note: write-file is a hidden command.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     

     



  • 3.  RE: Site-to-Site VPN problems (dynamic to static address)

    Posted 10-16-2014 06:41

    On the static-IP SRX220 side, which is the recipient, you have given local-identity as inet. When the VPN tries to make a connection with a user@hostname IKE ID, the recipient says that its local-identity is an IP address, which creates confusion. I guess this is the issue.

     

    Can you try removing local-identity from SRX220?



  • 4.  RE: Site-to-Site VPN problems (dynamic to static address)
    Best Answer

    Posted 10-17-2014 03:00

    Hi,

     

    Thank you for the replies.

     

    We've managed to fix this issue by rebooting the SRX220 device (static IP).

    After we did this, the VPN came up without any issues. We had to plan the reboot of the device at 2:00 am last Wednesday, and the VPN has been running since; no config changes were needed.

     

    Sorry for not updating sooner.