Junos OS

  • 1.  Site to Site VPN will not come up after IP address change.

    Posted 05-07-2014 10:00

    Site to Site VPN between two J4350s. VPN has been working for over a year. I had to change ISPs at one end. Simple enough, I just changed the IP addresses in both J4350s. However, now the VPN will not come up. I see the following in the KMD log:
    May 6 20:47:38 Group/Shared IKE ID VPN configured: 0
    May 6 23:28:40 Group/Shared IKE ID VPN configured: 0
    May 6 23:32:03 Group/Shared IKE ID VPN configured: 0
    May 6 23:32:03 Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
    May 6 23:32:03 Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
    May 6 23:32:03 KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received

    And on the other unit:
    May 6 12:44:51 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=xxx.yyy.236.244) p1_remote=ipv4(any:0,[0..3]=aaa.bbb.11.179)

    The new IP and routes are OK, I can ping each router from the other.

    I saw a similar issue on the Forums (IPsec tunnel appears up but not passing traffic) that was solved by rebooting the router … tried that with both, no luck.

    show security ike security-associations shows 4 associations... all down.

    Any thoughts?

    Site 1:
    set security ike policy ike-policy1 mode main
    set security ike policy ike-policy1 proposal-set standard
    set security ike policy ike-policy1 pre-shared-key ascii-text "$xxxxxxxxxP5z"
    set security ike gateway ike-gateDNI ike-policy ike-policy1
    set security ike gateway ike-gateDNI address aaa.bbb.11.197
    set security ike gateway ike-gateDNI dead-peer-detection
    set security ike gateway ike-gateDNI external-interface ge-0/0/0.0
    set security ipsec vpn-monitor-options interval 1
    set security ipsec policy vpn-policy1 proposal-set standard
    set security ipsec vpn ike-vpn-DNI bind-interface st0.0
    set security ipsec vpn ike-vpn-DNI ike gateway ike-gateDNI
    set security ipsec vpn ike-vpn-DNI ike ipsec-policy vpn-policy1
    set security ipsec vpn ike-vpn-DNI establish-tunnels immediately

    show security ike security-associations
    Index Remote Address State Initiator cookie Responder cookie Mode

    1723 aaa.bbb.11.179 DOWN 4139aeb5ad417b0b 2f7f1e1b8d4cc3fb Main
    1724 aaa.bbb.11.179 DOWN afca4315709cc90f 35c83b96fbb498ad Main
    1725 aaa.bbb.11.179 DOWN 33cbd347cdd3cdd3 1ed81be622391b11 Main
    1726 aaa.bbb.11.197 DOWN 771ab660f0e66071 0000000000000000 Main

    Site 2:
    set security ike policy ike-policy1 mode main
    set security ike policy ike-policy1 proposal-set standard
    set security ike policy ike-policy1 pre-shared-key ascii-text "$xxxxxxxxxxP5z"
    set security ike gateway ike-gate ike-policy ike-policy1
    set security ike gateway ike-gate address xxx.yyy.236.244
    set security ike gateway ike-gate external-interface ge-0/0/0.0
    set security ipsec policy vpn-policy1 proposal-set standard
    set security ipsec vpn ike-vpn bind-interface st0.0
    set security ipsec vpn ike-vpn ike gateway ike-gate
    set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
    set security ipsec vpn ike-vpn establish-tunnels immediately

    show security ike security-associations
    <nothing shows here>



  • 2.  RE: Site to Site VPN will not come up after IP address change.

    Posted 05-07-2014 21:30

    Hello

    Would it be possible to delete the VPN configuration specific to this tunnel and re-add it?

    1. Delete/deactivate the ipsec vpn configuration specific to this tunnel.

    2. Commit (commit full) the configuration.

    3. Re-add the configuration.

    4. Commit full of the configuration.

    Regards,

    Raveen



  • 3.  RE: Site to Site VPN will not come up after IP address change.

    Posted 05-07-2014 22:10

    Hello

    You could also try restarting the IPsec daemon to check if the issue gets resolved.

    CLI:

    root> restart ipsec-key-management

    Regards,

    Raveen



  • 4.  RE: Site to Site VPN will not come up after IP address change.

    Posted 05-08-2014 00:52

    Make sure you do not have the old ISP IP address in any policies, address book entries or static routes. To make sure, you could use the replace pattern command at the top of the hierarchy.

    #replace pattern <old_ISP_IP_Address> with <new_ISP_IP_Address>

    Commit and see what else is happening.



  • 5.  RE: Site to Site VPN will not come up after IP address change.
    Best Answer

    Posted 05-08-2014 00:55

    And on the other unit:
    May 6 12:44:51 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=xxx.yyy.236.244) p1_remote=ipv4(any:0,[0..3]=aaa.bbb.11.179)

    The new IP and routes are OK, I can ping each router from the other.

    I saw a similar issue on the Forums (IPsec tunnel appears up but not passing traffic) that was solved by rebooting the router … tried that with both, no luck.

    show security ike security-associations shows 4 associations... all down.

    Any thoughts?

    Site 1:
    set security ike policy ike-policy1 mode main
    set security ike policy ike-policy1 proposal-set standard
    set security ike policy ike-policy1 pre-shared-key ascii-text "$xxxxxxxxxP5z"
    set security ike gateway ike-gateDNI ike-policy ike-policy1
    set security ike gateway ike-gateDNI address aaa.bbb.11.197
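    The quoted log line and gateway line put the mismatch side by side: the responder at xxx.yyy.236.244 rejects a Phase-1 from aaa.bbb.11.179, while the only gateway Site 1 configures points at aaa.bbb.11.197. The Python below is an added example, not part of this thread or of Junos, that parses the three artifacts posted here (gateway config, KMD log, SA table) and flags a p1_remote that matches no configured gateway, naming a gateway whose address differs only by reordered digits as a likely transposition; the addresses are constructed RFC 5737 stand-ins for the masked ones.

```python
import re

# Constructed sample input modelled on the thread; RFC 5737 addresses stand in for
# the masked ones (.244 = Site 1, .197 = where Site 1 expects its peer, .179 = where it is).
SITE1_CONFIG = """\
set security ike gateway ike-gateDNI address 198.51.100.197
set security ike gateway ike-gateDNI external-interface ge-0/0/0.0
"""
SITE1_KMD_LOG = (
    "May 6 12:44:51 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] "
    "failed for p1_local=ipv4(any:0,[0..3]=203.0.113.244) p1_remote=ipv4(any:0,[0..3]=198.51.100.179)\n"
)
SITE1_SA_TABLE = """\
1723 198.51.100.179 DOWN 4139aeb5ad417b0b 2f7f1e1b8d4cc3fb Main
1726 198.51.100.197 DOWN 771ab660f0e66071 0000000000000000 Main
"""

GATEWAY_RE = re.compile(r"^set security ike gateway (\S+) address (\S+)", re.M)
P1_FAIL_RE = re.compile(
    r"KMD_PM_P1_POLICY_LOOKUP_FAILURE:.*?\[responder\].*?"
    r"p1_local=ipv4\(any:0,\[0\.\.3\]=([^)]+)\) p1_remote=ipv4\(any:0,\[0\.\.3\]=([^)]+)\)")
SA_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(UP|DOWN)\s+([0-9a-f]{16})\s+([0-9a-f]{16})", re.M)

def gateways(config):
    """Map each configured IKE gateway name to its peer address."""
    return dict(GATEWAY_RE.findall(config))

def same_digits(a, b):
    """True when two dotted-quad addresses differ only by reordered digits in one octet."""
    pa, pb = a.split("."), b.split(".")
    diff = [i for i in range(min(len(pa), len(pb))) if pa[i] != pb[i]]
    return len(pa) == len(pb) and len(diff) == 1 and sorted(pa[diff[0]]) == sorted(pb[diff[0]])

def diagnose(config, kmd_log, sa_table):
    """Correlate Phase-1 responder lookup failures and unanswered initiations
    with the configured gateway addresses; return human-readable findings."""
    gws = gateways(config)
    findings = []
    for local, remote in P1_FAIL_RE.findall(kmd_log):
        if remote in gws.values():
            continue  # peer address is known; look at mode/proposal/policy instead
        msg = f"peer {remote} initiated to {local} but no ike gateway has that address"
        for name, addr in gws.items():
            if same_digits(addr, remote):
                msg += f"; gateway {name} has {addr}, a likely digit transposition"
        findings.append(msg)
    for remote, state, _init, resp in SA_RE.findall(sa_table):
        if state == "DOWN" and resp == "0" * 16:
            findings.append(f"initiation to {remote} was never answered (responder cookie all zeros)")
    return findings
```

    Run against the sample input it reports both symptoms seen in the thread: an unknown initiator that is one digit swap away from the configured gateway, and an outbound initiation whose responder cookie stayed all zeros because nothing answers at that address.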



  • 6.  RE: Site to Site VPN will not come up after IP address change.

    Posted 05-08-2014 04:16

    Well, that was embarrassing! Thanks



  • 7.  RE: Site to Site VPN will not come up after IP address change.

    Posted 05-08-2014 11:31

    Not a problem. Happy to help out when we can. Some problems can be solved quickly, others take longer. You told us everything we needed to know and provided the information to help. Sometimes we miss it, sometimes we catch it :) Take care.