SRX

Hello Everyone!!

I am having trouble and not sure where to look.

We have a hub & spoke VPN, this is first remote location to configure. The remote location uses PPPoE, SRX config displays "negotiate" but the ISP provides the SAME IP always (bottom line it is a static IP)

The hub is plugged to a T1 that gives us pure static IP.

The VPN is site-to-site. The local networks are not the same, the ST0 tunnels ARE on the same net... IKE is allowed, routes are in place, policies are properly created ... as far as I can see it is all good (consider that I am new to JUNIPER OS)

I cannot ping the remote ST0 IP (the local one responds fine, obviously), when I try a trace route to either remote ST0 or remote IP goes nowhere....

I am failing to see what I did wrong.

I am NOT on site, and have no access to CLI TERMINAL NOR CAN TELNET ... so all I have is the web interface and the CLI tools (CLI Viewer, CLI Editor, Point and click CLI)

Any help or slap in the right direction is much appreciated!

Attachment(s)

HubConfig-SRX210.txt   6 KB 1 version

SpokeConfig.txt   8 KB 1 version

Have you verified that the tunnel is building correctly?

Check the output of "show security ike security-associations" and "show security ipsec security-associataions".  You can also check the kmd log file.

---

@Manzano wrote:

 

I am NOT on site, and have no access to CLI TERMINAL NOR CAN TELNET ... so all I have is the web interface and the CLI tools (CLI Viewer, CLI Editor, Point and click CLI)

---

If you can get into the WebUI, you can enable SSH access over the untrust interface so that you can access the CLI directly.  Just add "ssh" to the host-inbound-traffic for your untrust interface.

Thank you for your help!!

I am working on the CLI thing... However, the kmd log shows this over and over and over..

18 09:24:34 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=72.156.75.193) p1_remote=ipv4(udp:500,[0..3]=208.71.48.198)
May 18 09:24:34 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=72.156.75.193) p1_remote=ipv4(udp:500,[0..3]=208.71.48.198)

... I remain puzzled... policy is there... or is it refering to something else? is it the REMOTE policy? do policies have to have the same names on both ends? .... kind of shooting ideas to the air...

... again MANY THANKS!!

The policy names don't have to match.

I'm not really sure here, just guessing, but since it's failing in phase 1 I would say the place to look is your ike config -- you have it set for aggressive mode but you're configuring both ends with static peer addresses.  I've never tried to do it like that, so I can't say if that would work or not.

You might want to set your hub side to not have a peer address under the gateway config, and instead set the gateway as "dynamic" and give a hostname or distinguished name (which must match on both sides, since that's how the peers will identify themselves).

Well... first of all I'd like to thank you for your help! At least I stopped looking/blaming the PPPoE and other things and focused on the real problem...

However, even though I changed options (like you said), then I switched to main vs. agressive... then I re-did the whole VPN config using standard options... still nothing... the tunnel remains playing with my feelings and just not being established...

the hub displays the item on it's list and the state being DOWN... after a while just goes away like it gets tired of trying...

the spoke (initiator) remains displaying the same error on the kmd log...

... peers are just not "accepting" eachother...

THANKS FOR YOUR HELP AND TIME!!

You may have gotten a little too eager with making the changes...  

I mentioned that you had kind of a hybrid aggressive/main setup (in my opinion...) but the suggestions I gave for setting some options were applicable to keeping it as an aggressive mode setup.

Try this...  set some traceoptions for IKE debugging...

security {
  ike {
    traceoptions {
      file ike-debug size 5m files 5;
      flag all;
    }
  }
}

You can watch the ike-debug log file on both sides to see exactly what iKE Is doing and where it's failing.

Try making small changes and testing, rather than making multiple changes at once.

You can post the ike-debug logs here as attachments.

... I was indeed eager!! ... I get kind of impatient with new toys!!

Your sugestion on the ike-debug was really cool!! I realized that I got ahead of myself and needed to step it back... so, I went back to square one (original agressive config with static GW) ... named the files ike-debugy3 and I am posting them here... seems like definetly there is an issue with the proposals... now going back to your original suggestion I will make my hub dynamic and double check both proposals before that and just make sure I missed nothing...

What can you see in the logs? besides the obvious...

Again, MANY THANKS!!

Attachment(s)

VPN-Spoke1.doc   41 KB 1 version

VPN-Hub.doc   322 KB 1 version

Hello Again!

... I just wanted to say THANKS for your help!

Fearing that I might look like an idiot I will say that the only problem I had was the external interface on the side of the SPOKE ... it will not work using the FE interface... the PP0.0 has to be selected...

... the answer was simple... I hope this helps someone save some time and sweat!