SRX

Dear team,

I am trying to setup a Dynamic VPN between my laptop and and my SRX100H from the office.

In front of the SRX there is an ADSL modem from my ISP with the appropriate ports forwarded to the SRX (500, 4500, 443, ...).

I am fighting with this for 3 days already and I can not get over Phase 1 – it looks the link is DOWN, as can be seen below at the output from sho sec ike s-a. The Junos Pulse’s window remains with „Connecting ...” pending and nothing more happens ...

Below there are some outputs from cli, the IP/devices schema and I attached also my full config from the SRX.

Please help me to move forward and open the tunnel.

A.H.

OUTPUTS:

hay@srx-hay> show security ike security-associations

Index   State  Initiator cookie  Responder cookie  Mode           Remote Address

77782   DOWN   0dc27ee752099f36  63207a927bb1e727  Aggressive     195.xxx.xxx.xxx

hay@srx-hay> show security ike security-associations detail

IKE peer 195.xxx.xxx.xxx, Index 77784, Gateway Name: N/A

  Role: Responder, State: DOWN

  Initiator cookie: fcf815e0813994d3, Responder cookie: 896caba841bb245b

  Exchange type: Aggressive, Authentication method: Pre-shared-keys

  Local: 172.20.20.2:500, Remote: 195.xxx.xxx.xxx:22566

  Peer ike-id: not available

  Xauth user-name: not available

  Xauth assigned IP: 0.0.0.0

  Algorithms:

   Authentication        : hmac-sha1-96

   Encryption            : aes128-cbc

   Pseudo random function: hmac-sha1

   Diffie-Hellman group  : unknown

  Traffic statistics:

   Input  bytes  :                 1596

   Output bytes  :                 1024

   Input  packets:                    4

   Output packets:                    2

  IPSec security associations: 0 created, 0 deleted

  Phase 2 negotiations in progress: 0

hay@srx-hay> show log kmd

[...]

[Jul 24 08:44:02]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received

[Jul 24 08:44:43]KMD_INTERNAL_ERROR: iked_ui_event_handler: usp ipc connection for iked show CLI was SHUTDOWN due to error in receiving msg or age out of connection or flowd going down etc. Reconnect to pfe..

I found nothing in the System Log Messages Reference from Junos OS Technical Doc related to these errors ...

SCHEMA:

Note: laptop’s IP – from range 10.1.0.0./22

Attachment(s)

conf-ike-3j.txt   6 KB 1 version

Hi ,

Try configurung set security ike gateway dynamic-vpngatewayname general ike-id

see if it works.

if not , i need the following information when you try connecting vpn client.

run monitor traffic interface fe-0/0/0 no-resolve extensive matching udp write-file /var/tmp/vpn.pcap

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Hi ,

Please open following information on the ADSL modem:

1, IP protocol 50

2. Ipsec pass through if any.

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Hi and thanks for your fast answer(s).

I already let IPSEC pass through the modem and now I forwarded also port 50, as per your suggestion.

I changed the ike gateway config part to:

        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            address 195.234.177.218;
            external-interface fe-0/0/0.0;
            xauth access-profile remote_access_profile;
            general-ikeid;
        }

... and it still didn't work (pending with "Connecting" after enetring username and password).

I ran the monitor traffic command and the result is attached.

Thanks a lot for your assistance

Attachment(s)

vpn-capture-1.txt   7 KB 1 version

Hi ,

Monitor interface output was not clear,.

Client is sending same packet again and again and looks like SRX is not responding for its request.

it looks it is failing on the IKE-ID validation but it is not clear.

I need the following information:

1. set security ike traceoptions file ike-test flag all

2. monitor traffic interface ge-0/0/1 extensive no-resolve size 1500 write-file /var/tmp/dynvpn.pcap

Attempt to connect twice and update.

Regards,

Parthi

Hi Parthi,

I attached both log files - ike-test and dynvpn.

However, I noticed that the peers are not trying both to communicate on port 500 - only the SRX, but not the laptop ...

Well, I hope you can figure out many more details.

Thanks,

A.H.

Attachment(s)

dynvpn.txt   112 KB 1 version

ike-test.old.txt   85 KB 1 version

ike-test.txt   13 KB 1 version

Hi ,

May i know the Junos version that you are running on the device.

Because there are ceertain situations are not supported prior to 11.4R7  as per this KB:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17953

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Hi,

Your config seems fine and should work without any problem, might there is something else in your config. For example in trust zone there is vlan.1 & vlan.2 if one of them has same range (10.1.0.0./22). it will not work without proxy-arp. Better to paste the full config once to review all, you can change public IPs and password and attached it

Hi all,

1. SRX running Junos 12.1X44-D10.4

2. I attached full configs here; the only difference between them is the gateway vpn stanza - one is with general-ikeid, the other one is dynamic. I tried with both of them and nothing.

NOW (!), I did a test this morning: I went to the SRX, connected the laptop via cable direct to the fe-0/0/0 interface, with laptop's IP as 172.20.20.1 and the tunnel came UP and it worked like a charm - I could access protected resources without any problem - see the attached "mon.txt" for details.

The only way it does not want to work is over Internet - I tried from different locations, even through my iPhone as hotspot ... nothing.

Hope you can help me (just tell me what other logs or info you need and I will send them to you).

Many thanks,

A.H.

Attachment(s)

mon.txt   3 KB 1 version

conf-full-dyn.txt   10 KB 1 version

conf-full-gen.txt   10 KB 1 version

Hi Abrahamhay,

As i updated earlier , configuration looks good and you confirmed it by connecting a laptop to the wan and it worked fine .

Issue could be with upstream Nating the Packets.

I need following information to proceed further.

1. Capture on the WAN interface.

monitor traffic interface fe-0/0/0 extensive size1500 no-resolve write-file /var/tmp/vpndebug.pcap

2. Capture on the VPN client machine using wireshark.

Enable capturing and then try deleting existing vpn profile in your vpn client and try configuring new profile and connect using vpn client .

Try this for couple of times and upload the SRX capture and Client capture files.

Regards,

rparthi

Hi rparthi,

I did as you suggested and attached the capture files here.

Set 1.x is from a location, set 2.x is from another location.

I had to change the attachments' extensions because i got over and over the same error ("The contents of the attachment doesn't match its file type"). Please change txt to zip, then uncompress the archives and you will find the capture file there; sorry for this inconvenience ...

Thanks,

A.H.

Attachment(s)

srx2x.txt   29 KB 1 version

srx1x.txt   66 KB 1 version

Hi,

I ran also:

> request security ike debug-enable local 172.20.20.2 remote 195.234.177.218 level 7

while tryning to connect and here is attached the output within kmd.log

Maybe this can help also ...

Thanks,

A.H.

Attachment(s)

kmd.txt   21 KB 1 version

Hello everyone,

Any chance to get this VPN issue solved ?

Please be so kind and help me if you have any additional ideas.

Many thanks,

A.H.

Dear team,

I finally figured out what happened: the ADSL modem in front of the SRX was doing something that didn't allow VPN authentication. As I specified before, all ports were properly forwarded, but even so, the ADSL was still blocking Phase I.

In the end, I put the modem in bridge mode and everything start to work correctly, as expected.

So, this is the end, I would like to thank to all that helped me and put this thread the label "SOLVED".

Thanks,

AH