SRX

  • 1.  IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE

    Posted 06-10-2011 02:42

    Hello all,

    First of all, I am new to Juniper, have only started using an SRX-100 gateway two days ago.

    I have a simple site to site VPN scenario I want to test, the idea is to learn how to get VPN up with one of the gateways being Juniper SRX-100. The other gateway is one that I am used to, I have used it for over two years in countless VPN scenarios (both deployed and testing).

    After some initial problems, I got the SRX100 to reply to IKE Main Mode requests, but these are replied with NO_PROPOSAL_CHOSEN. That's fine, but the proposals match on both gateways. What I have noticed in the kmd log is the following message:

    Jun 10 11:23:55 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=192.168.1.50) p1_remote=ipv4(any:0,[0..3]=192.168.1.60)

    No other messages were shown (according to http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097, if the peer was not matched with the peer ID, the line "Unable to find phase-1 policy as remote peer:192.168.1.60 is not recognized." should be shown, but is not). In order to do this setup, I have used the document titled IMPLEMENTING POLICYBASED IPSEC VPN USING SRX SERIES SERVICES GATEWAYS.

    Now, as for my configuration:

        ike {
            proposal propo {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 5000;
            }
            gateway ike-gate {
                ike-policy ike-policy1;
                address 192.168.1.60;
                local-identity inet 192.168.1.50;
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            policy vpn-policy1 {
                proposal-set standard;
            }
            vpn ike-vpn {
                ike {
                    gateway ike-gate;
                    ipsec-policy vpn-policy1;
                }
            }
        }
    fe-0/0/0.0 is assigned 192.168.1.50. The gateway that initiates the connection is using 192.168.1.60 in the ID payload.

     

    As for policies:

        policies {
            from-zone untrust to-zone trust {
                policy any1 {
                    match {
                        source-address remote-net;
                        destination-address local-net;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn ike-vpn;
                                pair-policy any2;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy any2 {
                    match {
                        source-address local-net;
                        destination-address remote-net;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn ike-vpn;
                                pair-policy any1;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }

    Shouldn't this setup work? Or am I missing something? Is it possible to get more information about the error from logs (I can't get a proper grasp of logging with syslog just yet, haven't played much with it either, so I'm to blame)?
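    The KMD_PM_P1_POLICY_LOOKUP_FAILURE line tells you which local and remote addresses the responder tried to match against its configured IKE gateways, so the first triage step is to cross-check those two addresses against the gateway stanzas and the external interface's address. The script below is an added example for that check, not code from the thread or from Juniper; it parses the log line format quoted in the post, extracts gateway name, peer address and external-interface from a flat security ike gateway stanza (nested sub-stanzas such as dynamic are not handled), and classifies each failure. The second gateway (branch-gate), the 192.168.1.70 peer, the interface-to-address map and the unrelated log line are constructed for the example.

```python
import re

# Constructed sample kmd log: line 1 has the shape of the line quoted in the post,
# line 2 uses a constructed peer that no gateway references, line 3 is noise.
SAMPLE_KMD_LOG = """\
Jun 10 11:23:55 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=192.168.1.50) p1_remote=ipv4(any:0,[0..3]=192.168.1.60)
Jun 10 11:24:10 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=192.168.1.50) p1_remote=ipv4(any:0,[0..3]=192.168.1.70)
Jun 10 11:24:11 KMD_CONSTRUCTED_OTHER_MESSAGE: unrelated line that the parser must ignore
"""

# Gateway stanzas as they appear under "security ike"; ike-gate is from the post,
# branch-gate is a hypothetical second gateway added for the example.
SAMPLE_IKE_CONFIG = """\
gateway ike-gate {
    ike-policy ike-policy1;
    address 192.168.1.60;
    local-identity inet 192.168.1.50;
    external-interface fe-0/0/0.0;
}
gateway branch-gate {
    ike-policy ike-policy1;
    address 10.0.0.9;
    external-interface fe-0/0/0.0;
}
"""

# Interface -> address, as you would read it from "show interfaces terse" (constructed).
LOCAL_ADDRESSES = {"fe-0/0/0.0": "192.168.1.50"}

P1_FAILURE_RE = re.compile(
    r"KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 \[(?P<role>\w+)\]"
    r" failed for p1_local=ipv4\([^)]*=(?P<local>\d+(?:\.\d+){3})\)"
    r" p1_remote=ipv4\([^)]*=(?P<remote>\d+(?:\.\d+){3})\)"
)
# Flat stanza only: body runs to the first closing brace.
GATEWAY_RE = re.compile(r"gateway\s+(?P<name>\S+)\s*\{(?P<body>[^}]*)\}")


def parse_p1_failures(log_text):
    """Return one dict (role, local, remote) per Phase-1 policy lookup failure line."""
    failures = []
    for line in log_text.splitlines():
        m = P1_FAILURE_RE.search(line)
        if m:
            failures.append(m.groupdict())
    return failures


def parse_gateways(config_text):
    """Map gateway name -> {'address': peer, 'external-interface': ifl}."""
    gateways = {}
    for m in GATEWAY_RE.finditer(config_text):
        body = m.group("body")
        addr = re.search(r"^\s*address\s+(\S+);", body, re.M)
        ifl = re.search(r"^\s*external-interface\s+(\S+);", body, re.M)
        gateways[m.group("name")] = {
            "address": addr.group(1) if addr else None,
            "external-interface": ifl.group(1) if ifl else None,
        }
    return gateways


def triage(failure, gateways, local_addresses):
    """Classify one failure by which configured piece does not line up with the log."""
    names = [n for n, g in gateways.items() if g["address"] == failure["remote"]]
    if not names:
        return "no-gateway", (
            f"no ike gateway has address {failure['remote']}; the responder "
            "has no Phase-1 policy to select for this peer")
    name = names[0]
    ifl = gateways[name]["external-interface"]
    if local_addresses.get(ifl) != failure["local"]:
        return "wrong-interface", (
            f"gateway {name} binds to {ifl} ({local_addresses.get(ifl)}) but the "
            f"negotiation arrived on {failure['local']}")
    return "config-matches", (
        f"gateway {name} matches peer {failure['remote']} on {ifl}; addresses are not "
        "the problem, so compare IKE mode, proposals and the peer's ID payload, or "
        "collect traceoptions output")


def triage_log(log_text, config_text, local_addresses):
    """Run the check over a whole log; returns one result dict per failure line."""
    gateways = parse_gateways(config_text)
    results = []
    for f in parse_p1_failures(log_text):
        verdict, detail = triage(f, gateways, local_addresses)
        results.append({"remote": f["remote"], "role": f["role"],
                        "verdict": verdict, "detail": detail})
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_KMD_LOG, SAMPLE_IKE_CONFIG, LOCAL_ADDRESSES):
        print(f"{r['role']:9} {r['remote']:15} {r['verdict']:15} {r['detail']}")
```

    For the poster's own line the verdict is config-matches, which is consistent with what the thread later found: the addresses were right and the fault lay elsewhere (stale peer address in the running software, fixed by a reboot and an upgrade).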



  • 2.  RE: IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE

    Posted 06-10-2011 03:03

    hi,

    is this a main mode vpn (because i don't see the ike policy output to be sure)?

    also i don't see a reason to have the "local-identity inet 192.168.1.50" in your ike gateway settings. (he will use your ip when this is a main mode)

    Grz,

    Frac



  • 3.  RE: IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE

    Posted 06-10-2011 03:12

    I seem to have forgotten the policy. Yes, it is Main Mode:

        policy ike-policy1 {
            mode main;
            proposals propo;
            pre-shared-key ascii-text "$9$GNUi.tpBREytuvL7-2gz36"; ## SECRET-DATA
        }

    I have removed the local-identity but it did not change anything.



  • 4.  RE: IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE

    Posted 06-10-2011 03:23

    There is no NAT on any side and no DPD. The gateway that initiates IKE does add its own, vendor specific VID payload, can that cause problems?

    How can I look at the full debug log? (just KMD or something else?)



  • 5.  RE: IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE

    Posted 06-10-2011 03:43

    You get the full debug log when you enable traceoptions with flag all:

        set security ike traceoptions flag all
        set security ipsec traceoptions flag all

        commit

    Output goes to the kmd file.

    By the way, did you try to initiate the tunnel on the SRX? You can check the log on the other side in this case.

    Also in some cases VPN can go up only when initiated one-way.

    What is your Junos version? Not sure if additional payload can be the problem - IMHO that's possible. In some cases I've seen that upgrade to a later release improved interoperability of SRXs.



  • 6.  RE: IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE

    Posted 06-10-2011 04:07

    Turns out that when initiating, the SRX100 was using a different IP for the peer. Rebooting (without any changes to configuration) allowed the gateway to use the proper peer IP. Have no idea why this occurred, but the IP being used was one from an old configuration.

    Edit:

    JUNOS Software Release [10.0R3.10]



  • 7.  RE: IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE
    Best Answer

    Posted 06-10-2011 04:44

    hi,

    there are some issues with ipsec and 10.0 release. best upgrade to newer version.

    GreetZ,

    Frac



  • 8.  RE: IKE KMD_PM_P1_POLICY_LOOKUP_FAILURE

    Posted 06-10-2011 03:05

    Hi

    Your config looks fine to me. But just to be sure, can you try the same without "local-identity inet 192.168.1.50;" knob? It should be a by default behavior.

    Not sure if this can cause such problem, but do you have NAT-T enabled on the other side? Or DPD? What Junos are you using? Can you post a full debug log here?

    P.S. Frac is right, also check that mode matches on both sides (main/aggressive),