    Posted 11-19-2018 15:05

    I am attempting to connect an Amazon-hosted vSRX to a VPN gateway that is in a different VPC, but I am not having much luck. Specifically, my IKE security associations never come up. I have used the configuration supplied by Amazon, but I think that is created assuming that the Juniper isn't in AWS.


    The vSRX is in a VPC. The only interfaces that are up are fxp0 and ge-0/0/0.0. I have an Elastic IP assigned to the private IP that is on ge-0/0/0.0, and I can ssh into that IP without any issues.


    Here's what I get when I look at the security sessions:

    ec2-user> show security ike security-associations



    I have enabled IKE debugging.  I am repeatedly getting this message:


    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 131073, SPI-In = 0x0
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  iked_sa_config_install msg_len=744
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  Successfully added SA Config
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  iked_sa_cfg_get_parent_sa_cfg_child_sas_count No parent for sa_cfg vpn-06ab852-1 count is 0
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  kmd_update_tunnel_interface:
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  iked_update_tunnel_interface_by_ifname: update ifl st0.1 status UP
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  iked_stop_vpnm_timer: processing SA vpn-06ab852-1
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  iked_process_iff_add: VR id 0 updated in sa_cfg vpn-06ab852-1
    [Nov 19 19:08:43][ <-> XXX.YYY.ZZZ.PPP]  Ignoring the ifa preferred address add/change message as previous local address is the same

    [Nov 19 19:08:43]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
    [Nov 19 19:10:23]KMD_INTERNAL_ERROR: iked_ui_event_handler: usp ipc connection to pfe could not be made after repeated attempts. User should retry cli/SNMP command


    Here's my (sanitized) IKE config:

    proposal ike-prop-vpn-06ab852-1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy ike-pol-vpn-06ab852-1 {
        mode aggressive;
        proposals ike-prop-vpn-06ab852-1;
        pre-shared-key ascii-text "*redacted*"; ## SECRET-DATA
    }
    gateway gw-vpn-06ab852-1 {
        ike-policy ike-pol-vpn-06ab852-1;
        address XXX.YYY.ZZZ.PPP;
        dead-peer-detection {
            interval 10;
            threshold 3;
        }
        nat-keepalive 60;
        external-interface ge-0/0/0.0;
    }


    Here's my IPSEC:

    proposal ipsec-prop-vpn-06ab852-1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-vpn-06ab852-1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-prop-vpn-06ab852-1;
    }
    vpn vpn-06ab852-1 {
        bind-interface st0.1;
        df-bit clear;
        ike {
            gateway gw-vpn-06ab852-1;
            ipsec-policy ipsec-pol-vpn-06ab852-1;
        }
    }

    Here's my security zone info:

    security-zone trust {
        host-inbound-traffic {
            system-services {
            protocols {
        interfaces {

    And the policy:

    from-zone trust to-zone trust {
        policy everything {
            match {
                source-address any;
                destination-address any;
                application any;
            then {


    I am able to ping the address specified in the IKE gateway. I have also opened all TCP and UDP ports to the Juniper from the IKE gateway address in AWS.

    Posted 11-19-2018 23:22



    In 'security ike gateway <name>', include local-identity as the Elastic IP of self and remote-identity as the Elastic IP of the peer on each vSRX.

    This should bring the VPN up.





    Why are you using "mode aggressive"? This should be used only if one peer has a dynamic public IP address; also, with aggressive mode you should use a host identifier. Why do you have no IP address on the tunnel? If you want to use the tunnel IP-unnumbered, you have to use a traffic-selector for the local and remote networks, and this does not work with aggressive mode. Also, you have to take care not to use DPD and vpn-monitor at the same time.


    Here is a config template that may work; you have to adapt it and fill in your local information. This config template also has a bandwidth limiter on the tunnel interface to protect the Internet interface.


    set security ike proposal IKE-PROP-VPN-06ab852-1 authentication-method pre-shared-keys
    set security ike proposal IKE-PROP-VPN-06ab852-1 dh-group group2
    set security ike proposal IKE-PROP-VPN-06ab852-1 authentication-algorithm sha1
    set security ike proposal IKE-PROP-VPN-06ab852-1 encryption-algorithm aes-128-cbc
    set security ike proposal IKE-PROP-VPN-06ab852-1 lifetime-seconds 28800
    set security ike policy VPN-06ab852-1-POLICY mode main
    set security ike policy VPN-06ab852-1-POLICY proposals IKE-PROP-VPN-06ab852-1
    set security ike policy VPN-06ab852-1-POLICY pre-shared-key ascii-text "*redacted*"
    set security ike gateway VPN-06ab852-1 ike-policy VPN-06ab852-1-POLICY
    set security ike gateway VPN-06ab852-1 address XXX.YYY.ZZZ.PPP
    set security ike gateway VPN-06ab852-1 dead-peer-detection interval 10
    set security ike gateway VPN-06ab852-1 dead-peer-detection threshold 3
    set security ike gateway VPN-06ab852-1 nat-keepalive 5
    set security ike gateway VPN-06ab852-1 local-identity inet
    set security ike gateway VPN-06ab852-1 remote-identity inet XXX.YYY.ZZZ.PPP
    set security ike gateway VPN-06ab852-1 external-interface ge-0/0/0.0
    set security ipsec policy VPN-06ab852-1-IPSEC-POLICY perfect-forward-secrecy keys group14
    set security ipsec policy VPN-06ab852-1-IPSEC-POLICY proposals VPN-06ab852-1-IPSEC-PROPOSAL
    set security ipsec vpn VPN-06ab852-1 bind-interface st0.1
    set security ipsec vpn VPN-06ab852-1 df-bit copy
    set security ipsec vpn VPN-06ab852-1 ike gateway VPN-06ab852-1
    set security ipsec vpn VPN-06ab852-1 ike no-anti-replay
    set security ipsec vpn VPN-06ab852-1 ike ipsec-policy VPN-06ab852-1-IPSEC-POLICY
    set security ipsec vpn VPN-06ab852-1 traffic-selector VPN-06ab852-1_TS01 local-ip CCC.CCC.CCC.CCC/XX
    set security ipsec vpn VPN-06ab852-1 traffic-selector VPN-06ab852-1_TS01 remote-ip DDD.DDD.DDD.DDD/YY
    set security ipsec vpn VPN-06ab852-1 establish-tunnels immediately
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL match source-address any
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL match destination-address any
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL match application any
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL then permit
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL then log session-init
    set security policies from-zone TRUST to-zone VPN-06ab852-1-VPN policy PERMIT-ALL then log session-close
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL match source-address any
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL match destination-address any
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL match application any
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL then permit
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL then log session-init
    set security policies from-zone VPN-06ab852-1-VPN to-zone TRUST policy PERMIT-ALL then log session-close
    set security zones security-zone VPN-06ab852-1-VPN interfaces st0.1 host-inbound-traffic system-services all
    set security zones security-zone VPN-06ab852-1-VPN interfaces st0.1 host-inbound-traffic protocols all
    set interfaces st0 unit 1 description VPN-06ab852-1
    set interfaces st0 unit 1 family inet filter input VPN-06ab852-1-SHAPER
    set interfaces st0 unit 1 family inet filter output VPN-06ab852-1-SHAPER
    set firewall family inet filter VPN-06ab852-1-SHAPER term 1 then policer VPN-06ab852-1-SHAPER
    set firewall policer VPN-06ab852-1-SHAPER if-exceeding bandwidth-limit 50m
    set firewall policer VPN-06ab852-1-SHAPER if-exceeding burst-size-limit 1m
    set firewall policer VPN-06ab852-1-SHAPER then discard


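The two replies above amount to a checklist for a vSRX-to-vSRX tunnel: main mode unless a peer is dynamic, explicit local-identity/remote-identity when both ends sit behind NAT (Elastic IPs), no traffic-selector with aggressive mode, DPD or vpn-monitor but not both, and every referenced proposal, policy and gateway actually defined. The script below is an added example, not code from the thread or from Juniper: it parses set-format Junos configuration into a nested dict and applies that checklist. Both sample configs are constructed (RFC 5737 documentation addresses, made-up object names); the messages encode the replies' advice and the checks are my own, not a Junos commit check.

```python
import shlex

# Constructed sample, not the thread's config: the shape of the original poster's setup,
# carrying the points the replies raise. Addresses are RFC 5737 documentation ranges.
BROKEN_CONFIG = """
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike policy IKE-POL mode aggressive
set security ike policy IKE-POL proposals IKE-PROP
set security ike gateway GW ike-policy IKE-POL
set security ike gateway GW address 203.0.113.10
set security ike gateway GW dead-peer-detection interval 10
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN1 ike gateway GW
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POL-TYPO
set security ipsec vpn VPN1 vpn-monitor
set security ipsec vpn VPN1 traffic-selector TS01 local-ip 10.0.0.0/16
set security ipsec vpn VPN1 traffic-selector TS01 remote-ip 10.1.0.0/16
"""

# Constructed sample applying the replies' advice: main mode, explicit identities,
# DPD without vpn-monitor, and every referenced object actually defined.
FIXED_CONFIG = """
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike gateway GW ike-policy IKE-POL
set security ike gateway GW address 203.0.113.10
set security ike gateway GW dead-peer-detection interval 10
set security ike gateway GW local-identity inet 198.51.100.20
set security ike gateway GW remote-identity inet 203.0.113.10
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN1 ike gateway GW
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN1 traffic-selector TS01 local-ip 10.0.0.0/16
set security ipsec vpn VPN1 traffic-selector TS01 remote-ip 10.1.0.0/16
"""

def parse_set_config(text):
    """Nest 'set a b c' lines into {'a': {'b': {'c': {}}}}; leaves are empty dicts."""
    root = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        node = root
        for tok in shlex.split(line)[1:]:  # shlex keeps quoted values like ascii-text "..." whole
            node = node.setdefault(tok, {})
    return root

def lint_ike_config(text):
    """Return (severity, message) findings for the problems the thread's replies point out."""
    cfg = parse_set_config(text)
    ike = cfg.get("security", {}).get("ike", {})
    ipsec = cfg.get("security", {}).get("ipsec", {})
    ike_policies, gateways = ike.get("policy", {}), ike.get("gateway", {})
    findings, aggressive_gws = [], set()

    for name, pol in ike_policies.items():
        for prop in pol.get("proposals", {}):
            if prop not in ike.get("proposal", {}):
                findings.append(("error", f"ike policy {name}: undefined proposal {prop}"))
        if "aggressive" in pol.get("mode", {}):
            findings.append(("warn", f"ike policy {name}: aggressive mode is only for a peer "
                                     "with a dynamic address, and then needs a host identifier"))

    for name, gw in gateways.items():
        for pol in gw.get("ike-policy", {}):
            if pol not in ike_policies:
                findings.append(("error", f"ike gateway {name}: undefined ike-policy {pol}"))
            elif "aggressive" in ike_policies[pol].get("mode", {}):
                aggressive_gws.add(name)
        if "local-identity" not in gw or "remote-identity" not in gw:
            findings.append(("warn", f"ike gateway {name}: set local-identity and remote-identity "
                                     "(needed when both peers sit behind NAT, e.g. AWS Elastic IPs)"))

    for name, vpn in ipsec.get("vpn", {}).items():
        for gw in vpn.get("ike", {}).get("gateway", {}):
            if gw not in gateways:
                findings.append(("error", f"ipsec vpn {name}: undefined ike gateway {gw}"))
                continue
            if gw in aggressive_gws and "traffic-selector" in vpn:
                findings.append(("warn", f"ipsec vpn {name}: traffic-selector does not work with aggressive mode"))
            if "dead-peer-detection" in gateways[gw] and "vpn-monitor" in vpn:
                findings.append(("warn", f"ipsec vpn {name}: DPD and vpn-monitor are both enabled; use one"))
        for pol in vpn.get("ike", {}).get("ipsec-policy", {}):
            ipol = ipsec.get("policy", {}).get(pol)
            if ipol is None:
                findings.append(("error", f"ipsec vpn {name}: undefined ipsec-policy {pol}"))
                continue
            for prop in ipol.get("proposals", {}):
                if prop not in ipsec.get("proposal", {}):
                    findings.append(("error", f"ipsec policy {pol}: undefined proposal {prop}"))
    return findings
```

Calling `lint_ike_config(BROKEN_CONFIG)` returns five findings: one error for the misspelled ipsec-policy reference and four warnings (aggressive mode, missing identities, traffic-selector with aggressive mode, DPD plus vpn-monitor); `lint_ike_config(FIXED_CONFIG)` returns an empty list. The undefined-reference checks are worth running against any pasted template before commit, since a `set` line that names a proposal nobody defined is exactly the kind of gap a sanitized forum template tends to carry.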

    The tunnel is now up.  Thank you both!