Site to Site VPN between two J4350s. VPN has been working for over a year. I had to change ISPs at one end. Simple enough, I just changed the IP addresses in both J4350s. However, now the VPN will not come up. I see the following in the KMD log:
May 6 20:47:38 Group/Shared IKE ID VPN configured: 0
May 6 23:28:40 Group/Shared IKE ID VPN configured: 0
May 6 23:32:03 Group/Shared IKE ID VPN configured: 0
May 6 23:32:03 Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
May 6 23:32:03 Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
May 6 23:32:03 KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
And on the other unit:
May 6 12:44:51 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=xxx.yyy.236.244) p1_remote=ipv4(any:0,[0..3]=aaa.bbb.11.179)
The new IP and routes are OK, I can ping each router from the other.
I saw a similar issue on the Forums (IPsec tunnel appears up but not passing traffic) that was solved by rebooting the router … tried that with both, no luck.
The show security ike security-associations command shows 4 associations... all down.
Any thoughts?
Site 1:
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text "$xxxxxxxxxP5z"
set security ike gateway ike-gateDNI ike-policy ike-policy1
set security ike gateway ike-gateDNI address aaa.bbb.11.197
set security ike gateway ike-gateDNI dead-peer-detection
set security ike gateway ike-gateDNI external-interface ge-0/0/0.0
set security ipsec vpn-monitor-options interval 1
set security ipsec policy vpn-policy1 proposal-set standard
set security ipsec vpn ike-vpn-DNI bind-interface st0.0
set security ipsec vpn ike-vpn-DNI ike gateway ike-gateDNI
set security ipsec vpn ike-vpn-DNI ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn-DNI establish-tunnels immediately
show security ike security-associations
Index   Remote Address   State   Initiator cookie   Responder cookie   Mode
1723    aaa.bbb.11.179   DOWN    4139aeb5ad417b0b   2f7f1e1b8d4cc3fb   Main
1724    aaa.bbb.11.179   DOWN    afca4315709cc90f   35c83b96fbb498ad   Main
1725    aaa.bbb.11.179   DOWN    33cbd347cdd3cdd3   1ed81be622391b11   Main
1726    aaa.bbb.11.197   DOWN    771ab660f0e66071   0000000000000000   Main
Site 2:
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text "$xxxxxxxxxxP5z"
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address xxx.yyy.236.244
set security ike gateway ike-gate external-interface ge-0/0/0.0
set security ipsec policy vpn-policy1 proposal-set standard
set security ipsec vpn ike-vpn bind-interface st0.0
set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn establish-tunnels immediately
show security ike security-associations
<nothing shows here>
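
The KMD_PM_P1_POLICY_LOOKUP_FAILURE line records the peer address the responder saw, so it can be checked against the configured `ike gateway ... address` values. The Python check below is an added example, not part of the original post; its function names are hypothetical, and it assumes the log line comes from the unit holding the Site 1 gateway lines shown above.

```python
import re

# Sample input copied from the post above (addresses masked as posted).
KMD_LOG = (
    "May 6 12:44:51 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 "
    "[responder] failed for p1_local=ipv4(any:0,[0..3]=xxx.yyy.236.244) "
    "p1_remote=ipv4(any:0,[0..3]=aaa.bbb.11.179)\n"
)
CONFIG = """\
set security ike gateway ike-gateDNI ike-policy ike-policy1
set security ike gateway ike-gateDNI address aaa.bbb.11.197
set security ike gateway ike-gateDNI external-interface ge-0/0/0.0
"""

FAIL_RE = re.compile(
    r"KMD_PM_P1_POLICY_LOOKUP_FAILURE: .*?\[(\w+)\] failed for "
    r"p1_local=ipv4\([^=]*=([^)]+)\) p1_remote=ipv4\([^=]*=([^)]+)\)"
)
GW_RE = re.compile(r"^set security ike gateway (\S+) address (\S+)\s*$", re.M)


def gateway_addresses(config):
    """Map each configured IKE gateway name to its peer address."""
    return dict(GW_RE.findall(config))


def octets_differing(a, b):
    """Count dotted fields that differ; None if the field counts differ."""
    pa, pb = a.split("."), b.split(".")
    return sum(x != y for x, y in zip(pa, pb)) if len(pa) == len(pb) else None


def unmatched_peers(log, config):
    """List Phase-1 lookup failures whose remote address matches no gateway.

    near_miss holds gateways whose address differs from the observed peer in
    exactly one field, as a mistyped address would.
    """
    gateways = gateway_addresses(config)
    findings = []
    for role, local, remote in FAIL_RE.findall(log):
        if remote in gateways.values():
            continue
        near = {n: a for n, a in gateways.items() if octets_differing(a, remote) == 1}
        findings.append({"role": role, "local": local, "remote": remote, "near_miss": near})
    return findings


if __name__ == "__main__":
    for finding in unmatched_peers(KMD_LOG, CONFIG):
        print(finding)
```

A non-empty result means the responder received Phase 1 from an address that no configured gateway names; with main mode and a pre-shared key the gateway is matched on the peer address, so the configured address and the peer's actual source address need to agree.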