I am attempting to connect an Amazon-hosted vSRX to a VPN gateway that is in a different VPC, but am not having much luck. Specifically, my IKE security associations never come up. I have used the configuration supplied by Amazon, but I think that is created assuming that the Juniper isn't in AWS.
The vSRX is in a VPC. The only interfaces that are up are fxp0 and ge-0/0/0.0. I have an Elastic IP assigned to the private IP that is on ge-0/0/0.0, and I can ssh into that IP without any issues.
Here's what I get when I look at the security sessions:
ec2-user> show security ike security-associations
ec2-user>
I have enabled IKE debugging. I am repeatedly getting this message:
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] iked_sa_config_install msg_len=744
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] Successfully added SA Config
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg vpn-06ab852-1 count is 0
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] kmd_update_tunnel_interface:
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] iked_update_tunnel_interface_by_ifname: update ifl st0.1 status UP
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] iked_stop_vpnm_timer: processing SA vpn-06ab852-1
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] iked_process_iff_add: VR id 0 updated in sa_cfg vpn-06ab852-1
[Nov 19 19:08:43][10.128.2.5 <-> XXX.YYY.ZZZ.PPP] Ignoring the ifa preferred address add/change message as previous local address is the same
[Nov 19 19:08:43]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Nov 19 19:10:23]KMD_INTERNAL_ERROR: iked_ui_event_handler: usp ipc connection to pfe could not be made after repeated attempts. User should retry cli/SNMP command
Here's my (sanitized) IKE config:
proposal ike-prop-vpn-06ab852-1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy ike-pol-vpn-06ab852-1 {
    mode aggressive;
    proposals ike-prop-vpn-06ab852-1;
    pre-shared-key ascii-text "*redacted*"; ## SECRET-DATA
}
gateway gw-vpn-06ab852-1 {
    ike-policy ike-pol-vpn-06ab852-1;
    address XXX.YYY.ZZZ.PPP;
    dead-peer-detection {
        always-send;
        interval 10;
        threshold 3;
    }
    nat-keepalive 60;
    external-interface ge-0/0/0.0;
}
Here's my IPsec:
proposal ipsec-prop-vpn-06ab852-1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy ipsec-pol-vpn-06ab852-1 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-prop-vpn-06ab852-1;
}
vpn vpn-06ab852-1 {
    bind-interface st0.1;
    df-bit clear;
    ike {
        gateway gw-vpn-06ab852-1;
        ipsec-policy ipsec-pol-vpn-06ab852-1;
    }
}
Here's my security zone info:
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        st0.1;
    }
}
And the policy:
from-zone trust to-zone trust {
    policy everything {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
I am able to ping the address specified in the IKE gateway. I have also opened all TCP and UDP ports to the Juniper from the IKE gateway address in AWS.