Hello!
I tried to configure a site-to-site VPN (ipsec-vpn-pfsense-oe5) alongside an existing remote-user VPN (vpn-it-management); both gateways terminate on ge-0/0/0. When the pfSense peer tries to connect, the log shows the negotiation being handled by the remote-user gateway (gateway-vpn-it-management) instead of ike-gateway-vpn-pfsense-oe5. What am I missing? Note that the log line reports "IKE Version: 1" and a phase-1 mode mismatch (the remote-user policy is aggressive, so the peer proposed main mode), while the pfSense gateway is configured version v2-only — so the peer at xx.xx.xx.100 appears to be sending an IKEv1 proposal, and the only IKEv1 gateway on that interface is the remote-user one. Error message and configuration are below. Thank you very much!
Error Message:
May 11 13:59:39 srx300 kmd[2048]: IKE negotiation failed with error: Peer proposed phase1 negotiation mode (main/aggressive) does not match with configuration. IKE Version: 1, VPN: vpn-it-management Gateway: gateway-vpn-it-management, Local: xx.xx.xx.19/500, Remote: xx.xx.xx.100/61325, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
srx300# show security ike
/* IKE (phase 1) proposal for the remote-user VPN: pre-shared-key authentication,
   ECDH P-256 (group19), SHA-256, AES-256-CBC. No lifetime-seconds is set, so the
   platform default applies. */
proposal proposal-vpn-it-management {
description RemoteUserVPN;
authentication-method pre-shared-keys;
dh-group group19;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
}
/* IKE proposal for the pfSense site-to-site tunnel, 8-hour SA lifetime.
   NOTE(review): group2 is 1024-bit MODP, well below the group19 used for the
   remote-user tunnel and below current recommendations for a new tunnel;
   prefer group14 or group19 if the pfSense side is set to match. */
proposal ike-proposal-vpn-pfsense {
description PfSense;
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
/* IKEv1 policy for the remote-user gateway. NOTE(review): aggressive mode with a
   pre-shared key transmits the PSK-derived hash before the exchange is
   encrypted, exposing it to offline dictionary attack; it is typically kept only
   because dynamic-address peers must present an IKE ID before the DH exchange.
   Keep this PSK long and random. */
policy policy-vpn-it-management {
mode aggressive;
proposals proposal-vpn-it-management;
pre-shared-key ascii-text ## SECRET-DATA
}
/* Policy bound to the v2-only pfSense gateway below. 'mode aggressive' is an
   IKEv1-only setting and has no effect on an IKEv2 negotiation. */
policy ike-policy-vpn-pfsense-oe5 {
mode aggressive;
proposals ike-proposal-vpn-pfsense;
pre-shared-key ascii-text ## SECRET-DATA
}
/* Remote-user gateway: IKEv1 only, XAuth via access-profile, TCP encapsulation.
   'shared-ike-id' means every client presents the same IKE ID, so this gateway
   is the catch-all for any IKEv1 initiator arriving on ge-0/0/0.
   NOTE(review): the log line above (IKE Version: 1, Gateway:
   gateway-vpn-it-management, mode mismatch) is consistent with the peer at
   xx.xx.xx.100 sending IKEv1 main mode: the pfSense gateway is v2-only, so an
   IKEv1 packet can only be matched here. */
gateway gateway-vpn-it-management {
ike-policy policy-vpn-it-management;
dynamic {
user-at-hostname "user@host.tld";
ike-user-type shared-ike-id;
}
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
external-interface ge-0/0/0;
/* NOTE(review): this public address is left unmasked here while the log
   above masks it as xx.xx.xx.19 — mask consistently before posting. */
local-address 91.102.11.19;
aaa {
access-profile access-vpn-it-management;
}
version v1-only;
tcp-encap-profile ssl-vpn-it-management;
}
/* Site-to-site gateway for pfSense: IKEv2 only, peer identified by the
   user-FQDN "site@host.tld" rather than by address. The pfSense side must be
   set to IKEv2 and send exactly this identifier (user-FQDN / e-mail type); with
   a dynamic peer the SRX can only act as responder. No dead-peer-detection is
   configured here, unlike the remote-user gateway. */
gateway ike-gateway-vpn-pfsense-oe5 {
ike-policy ike-policy-vpn-pfsense-oe5;
dynamic user-at-hostname "site@host.tld";
external-interface ge-0/0/0;
version v2-only;
}
srx300# show security ipsec
/* ESP proposal for the remote-user VPN: AES-256-GCM is an AEAD cipher, so no
   separate authentication-algorithm is needed. No lifetime-seconds is set, so
   the platform default applies. */
proposal proposal-vpn-it-management {
protocol esp;
encryption-algorithm aes-256-gcm;
}
/* ESP proposal for the pfSense tunnel: AES-256-CBC with HMAC-SHA-256-128 and a
   1-hour SA lifetime. These must match the pfSense phase-2 settings exactly. */
proposal ipsec-proposal-vpn-pfsense {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
/* PFS with ECDH P-256 for the remote-user child SAs. */
policy policy-vpn-it-management {
perfect-forward-secrecy {
keys group19;
}
proposals proposal-vpn-it-management;
}
/* PFS with group2 (1024-bit MODP) for the pfSense child SAs. NOTE(review):
   weaker than the group19 used for the remote-user tunnel; prefer group14 or
   group19 if pfSense is configured to match. */
policy ipsec-policy-vpn-pfsense {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-proposal-vpn-pfsense;
}
/* Route-based remote-user VPN on st0.0. The traffic selector offers
   10.2.1.0/24 locally and accepts any remote prefix (0.0.0.0/0) from the
   clients; 'df-bit clear' lets oversized packets be fragmented after
   encapsulation. */
vpn vpn-it-management {
bind-interface st0.0;
df-bit clear;
ike {
gateway gateway-vpn-it-management;
ipsec-policy policy-vpn-it-management;
}
traffic-selector ts-1 {
local-ip 10.2.1.0/24;
remote-ip 0.0.0.0/0;
}
}
/* Route-based site-to-site VPN on st0.1. No traffic-selector is configured, so
   the negotiated selector falls back to the Junos default (typically any/any)
   and reachability depends on routes pointing at st0.1 (not shown).
   NOTE(review): 'establish-tunnels immediately' asks the SRX to initiate, but
   the bound gateway is 'dynamic' with no peer address, so there is nothing to
   initiate to — pfSense must be the initiator; confirm this combination
   commits and behaves as intended. */
vpn ipsec-vpn-pfsense-oe5 {
bind-interface st0.1;
ike {
gateway ike-gateway-vpn-pfsense-oe5;
ipsec-policy ipsec-policy-vpn-pfsense;
}
establish-tunnels immediately;
}
srx300# show interfaces st0
/* Tunnel interface for the remote-user VPN (bound by vpn-it-management). */
unit 0 {
family inet;
}
/* Tunnel interface for the pfSense site-to-site VPN (bound by
   ipsec-vpn-pfsense-oe5). NOTE(review): neither unit carries an address, which
   is valid for an unnumbered point-to-point st0 unit, but any route toward the
   pfSense LAN must then be installed explicitly (not shown here). */
unit 1 {
family inet;
}