Hello all,
First of all, I am new to Juniper, have only started using an SRX-100 gateway two days ago.
I have a simple site-to-site VPN scenario I want to test; the idea is to learn how to get a VPN up with one of the gateways being a Juniper SRX-100. The other gateway is one that I am used to, I have used it for over two years in countless VPN scenarios (both deployed and testing).
After some initial problems, I got the SRX100 to reply to IKE Main Mode requests, but these are answered with NO_PROPOSAL_CHOSEN. That's fine, but the proposals match on both gateways. What I have noticed in the kmd log is the following message:
Jun 10 11:23:55 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=192.168.1.50) p1_remote=ipv4(any:0,[0..3]=192.168.1.60)
No other messages were shown (according to http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097, if the peer was not matched with the peer ID, the line "Unable to find phase-1 policy as remote peer:192.168.1.60 is not recognized." should be shown, but is not). In order to do this setup, I have used the document titled IMPLEMENTING POLICYBASED IPSEC VPN USING SRX SERIES SERVICES GATEWAYS.
Now, as for my configuration:
ike {
    proposal propo {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 5000;
    }
    gateway ike-gate {
        ike-policy ike-policy1;
        address 192.168.1.60;
        local-identity inet 192.168.1.50;
        external-interface fe-0/0/0.0;
    }
}
ipsec {
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn ike-vpn {
        ike {
            gateway ike-gate;
            ipsec-policy vpn-policy1;
        }
    }
}
fe-0/0/0.0 is assigned 192.168.1.50. The gateway that initiates the connection is using 192.168.1.60 in the ID payload.
As for policies:
policies {
    from-zone untrust to-zone trust {
        policy any1 {
            match {
                source-address remote-net;
                destination-address local-net;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn ike-vpn;
                        pair-policy any2;
                    }
                }
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
    from-zone trust to-zone untrust {
        policy any2 {
            match {
                source-address local-net;
                destination-address remote-net;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn ike-vpn;
                        pair-policy any1;
                    }
                }
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
Shouldn't this setup work? Or am I missing something? Is it possible to get more information about the error from logs (I can't get a proper grasp of logging with syslog just yet, haven't played much with it either, so I'm to blame)?
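Editor's note, added here and not part of the original post: the posted fragment has the gateway point at ike-policy1, but the policy itself (mode, proposals, pre-shared key) is not shown, and that policy is what the SRX resolves during the Phase-1 lookup the kmd line reports as failing. The block below is an added example in Junos set-command form, not the poster's configuration and not text from the Juniper document cited above: it restates the posted Phase-1 and Phase-2 stanzas, fills in the policy block that the gateway references (the policy contents are an assumption about what a complete policy-based configuration needs, not a claim about what is missing on the poster's box), and then shows the IKE traceoptions and operational commands that give far more detail than the one-line kmd message. The pre-shared key value and the trace file name are placeholders. Lines beginning with ## are commentary, not commands.

```text
## Phase 1: proposal, the policy the gateway references, and the gateway itself.
set security ike proposal propo authentication-method pre-shared-keys
set security ike proposal propo dh-group group2
set security ike proposal propo authentication-algorithm sha1
set security ike proposal propo encryption-algorithm aes-128-cbc
set security ike proposal propo lifetime-seconds 5000
## The policy block: mode must match the initiator (Main Mode here), proposals
## must name the proposal above, and the pre-shared key must be identical on
## both gateways. Assumed content; replace the key with a long random secret.
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposals propo
set security ike policy ike-policy1 pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET"
## Gateway as posted. With pre-shared keys in Main Mode the peer is matched by
## the address below, so it must equal the IP the initiator sends in its ID payload.
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 192.168.1.60
set security ike gateway ike-gate local-identity inet 192.168.1.50
set security ike gateway ike-gate external-interface fe-0/0/0.0
## Phase 2 as posted.
set security ipsec policy vpn-policy1 proposal-set standard
set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
## IKE trace: writes the full negotiation to /var/log/<file>. File name is a placeholder.
set security ike traceoptions file ike-trace.log
set security ike traceoptions file size 1m
set security ike traceoptions flag all
commit
## Retry the tunnel from the initiating gateway, then inspect state and the trace.
show configuration security ike
show security ike security-associations detail
show security ipsec security-associations
show log kmd
show log ike-trace.log
## "flag all" is verbose and records negotiation detail; switch it off when done.
deactivate security ike traceoptions
commit
```

The trace file is the place to look for the reason behind NO_PROPOSAL_CHOSEN: it records which policy and proposal the responder tried to match against the initiator's offer, whereas the kmd summary only reports that the lookup failed for the local/remote address pair. Compare the Phase-2 side too, since `proposal-set standard` fixes the ESP transforms the SRX will accept and the other gateway must offer one of them.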