Hi everyone, I am new to SRX. I got a VPN profile from an SSG and configured the VPN on my SRX. My SRX is behind a NAT device that has a dynamic IP address. I searched a lot but could not solve my problem, which shows “negotiation failed with error: SA unusable”. I hope you can give me some instructions for this issue. Thanks in advance.
Local-ID=test-bk0 33.12.22.1 10.0.0.0/8
(PC-A) -----[SRX]--------[NAT]-----------ISP-------[FIREWALL]-----(PC-B)
10.32.197.64 /28 192.168.1.0/24 DYNAMIC IP STATIC IP
Here is my full configuration on the SRX:
root@SRX220> show configuration
/* Management services enabled on the box. telnet and xnm-clear-text carry */
/* credentials and configuration in cleartext; because the untrust zone and */
/* ge-0/0/0.0 in this config allow host-inbound system-services all, both are */
/* reachable from the ge-0/0/0.0 side. Prefer ssh/xnm-ssl and limit untrust */
/* host-inbound-traffic to ike (the only service the VPN itself needs). */
services {
ssh;
telnet;
xnm-clear-text;
/* DHCP server for the LAN behind vlan.0 (gateway 10.32.197.65/28). */
/* NOTE(review): the pool is 10.32.197.64/28 but the address-range below is */
/* 10.33.197.66-.70, outside that subnet -- likely a typo in the post; */
/* confirm the committed value. */
dhcp {
pool 10.32.197.64/28 {
address-range low 10.33.197.66 high 10.33.197.70;
name-server {
8.8.8.8;
}
router {
10.32.197.65;
}
}
/* NOTE(review): ge-0/0/0.0 is statically addressed (192.168.1.5/24) in this */
/* config, so there are presumably no DHCP-learned settings to propagate; */
/* confirm this line is intended. */
propagate-settings ge-0/0/0.0;
}
}
/* Local syslog. 'messages' keeps critical events plus login/authorization */
/* info; 'kmd-logs' captures the IKE/IPsec daemon (KMD) at 'daemon info', */
/* which is the file that holds the "SA unusable" line shown under */
/* 'show log kmd-logs' at the end of the post. */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
/* Only KMD messages land here; raise to 'daemon debug' temporarily if more */
/* phase-2 detail is needed while troubleshooting. */
file kmd-logs {
daemon info;
match KMD;
}
}
/* Only five stored configurations and five rollbacks are retained on flash; */
/* keep an off-box copy if a longer change history is needed for audit. */
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
/* Automatic license retrieval from Juniper over HTTPS. */
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
/* Uplink towards the NAT device. The address is private (192.168.1.0/24), */
/* so IKE from here is NAT-traversed; the IKE SA output in the post shows */
/* the session on UDP 4500, confirming NAT-T is in use. */
ge-0/0/0 {
unit 0 {
description "Connect to Internet behind NAT 192.168.1.0/24";
family inet {
address 192.168.1.5/24;
}
}
}
/* Switched LAN ports, all members of vlan-trust. */
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* ge-0/0/3 .. ge-0/0/6 were elided in the post. */
:
:
:
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* Route-based VPN tunnel interface bound by vpn IPSEC-VPN. It carries no */
/* address; the static route 10.0.0.0/8 -> st0.0 steers traffic into it. */
/* NOTE(review): vpn-monitor is enabled on IPSEC-VPN -- confirm the probe */
/* has a usable source/destination with an unnumbered st0.0. */
st0 {
description "Tunnel 1 - VPN";
unit 0 {
family inet;
}
}
/* LAN gateway; matches the DHCP 'router' address. */
vlan {
unit 0 {
description "LAN Noi Bo";
family inet {
address 10.32.197.65/28;
}
}
}
}
/* Default route via the NAT device; the remote network 10.0.0.0/8 is sent */
/* into the tunnel. This prefix must agree with the proxy-identity remote */
/* (10.0.0.0/8) and the NO_NAT destination, which it does here. */
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1;
route 10.0.0.0/8 next-hop st0.0;
}
}
/* Spanning tree on the switched LAN ports. */
protocols {
stp;
}
security {
/* Phase 1 (IKEv1). The IKE SA output in the post shows this phase UP */
/* (3des-cbc / hmac-sha1 / DH group 2 from proposal-set standard), so the */
/* phase-1 settings already agree with the SSG. */
ike {
/* Aggressive mode with a pre-shared key: the hostname identity is sent */
/* unencrypted and the PSK-based authentication is exposed to offline */
/* guessing by a passive observer, so use a long random key. Main mode is */
/* preferable if the SSG can accept this dynamic-IP peer that way. */
policy IKE-POLICY {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "$9$ssYgJf5FCtuQFCu1IleoJGDk.f5F/CuPfp0B1hcbsYoUj3n/Cp0TQhSylMWUjiqTz"; ## SECRET-DATA
}
/* Static peer 33.12.22.1; this SRX has no fixed public address, so it */
/* identifies itself by hostname (test-bk0, the Local-ID from the SSG */
/* profile) rather than by IP. DPD and nat-keepalive keep the upstream */
/* NAT binding alive. */
gateway IKE-GATEWAY{
ike-policy IKE-POLICY ;
address 33.12.22.1;
dead-peer-detection {
interval 10;
threshold 5;
}
nat-keepalive 10;
local-identity hostname test-bk0;
external-interface ge-0/0/0.0;
version v1-only;
}
}
/* Phase 2. The IKE SA output reports "IPSec security associations: 0 */
/* created" and KMD logs "SA unusable", i.e. phase 1 succeeds and phase 2 */
/* fails. Everything negotiated in phase 2 is in this stanza: the proposal */
/* (esp, hmac-md5-96, des-cbc, lifetimes), PFS group2 and the proxy-identity. */
/* Each must match the SSG's phase-2 (AutoKey) settings and its proxy-ID; */
/* which one differs cannot be told from the SRX side alone -- compare */
/* against the SSG configuration. */
ipsec {
/* Tunnel probes: one every 10 s, ten misses marks the tunnel down. */
vpn-monitor-options {
interval 10;
threshold 10;
}
/* des-cbc and hmac-md5 are weak by today's standards; move to */
/* aes-256-cbc with hmac-sha-256-128 once both ends support it. */
/* NOTE(review): lifetime-kilobytes 86400 (~84 MB) forces frequent rekeys */
/* -- confirm this is intended and mirrored on the SSG. */
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm des-cbc;
lifetime-seconds 28800;
lifetime-kilobytes 86400;
}
/* PFS group 2 must be enabled with the same group on the SSG. */
policy IPSEC-POLICY {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn IPSEC-VPN {
bind-interface st0.0;
vpn-monitor {
optimized;
}
ike {
gateway IKE-GATEWAY;
/* Must mirror the SSG's proxy-ID exactly (local<->remote swapped on */
/* the SSG side); a proxy-ID mismatch is a common phase-2 failure. */
proxy-identity {
local 10.32.197.64/28;
remote 10.0.0.0/8;
service any;
}
ipsec-policy IPSEC-POLICY;
}
establish-tunnels immediately;
}
}
/* Screen applied to the untrust zone. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Source NAT, first match wins: NO_NAT exempts LAN -> 10.0.0.0/8 (the VPN */
/* traffic) so the SSG sees real 10.32.197.x addresses matching the */
/* proxy-identity; INTERFACE-NAT hides everything else behind 192.168.1.5 */
/* before the upstream NAT device translates again. */
nat {
source {
rule-set TRUST-TO-UNTRUST {
from zone trust;
to zone untrust;
rule NO_NAT {
match {
destination-address 10.0.0.0/8;
}
then {
source-nat {
off;
}
}
}
rule INTERFACE-NAT {
match {
source-address 10.32.197.64/28;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
/* Usual outbound rule. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* NOTE(review): local-net is 10.33.197.64/28 in the trust address-book, */
/* while the LAN is 10.32.197.64/28 (vlan.0 and proxy-identity). Unless */
/* the 10.33 is a typo in the post, TRUST-TO-VPN and VPN-TO-TRUST never */
/* match and tunnel traffic is dropped even after phase 2 comes up. */
from-zone trust to-zone VPN {
policy TRUST-TO-VPN {
match {
source-address local-net;
destination-address remote-net;
application any;
}
then {
permit;
}
}
}
from-zone VPN to-zone trust {
policy VPN-TO-TRUST {
match {
source-address remote-net;
destination-address local-net;
application any;
}
then {
permit;
}
}
}
/* Permits everything that reaches ge-0/0/0.0 into the LAN. It is not */
/* needed for the VPN (that traffic arrives via zone VPN); remove it or */
/* narrow it to the specific inbound services actually required. */
from-zone untrust to-zone trust {
policy UNTRUST-TO-TRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
address local-net 10.33.197.64/28;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
/* host-inbound-traffic all/all on untrust and again on ge-0/0/0.0 exposes */
/* every configured system service (ssh, telnet, xnm-clear-text) and every */
/* routing protocol to the outside. The VPN only needs system-services ike */
/* (plus ping for troubleshooting); restrict to those. */
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* Zone for tunnel traffic; ping is sufficient here for vpn-monitor and tests. */
security-zone VPN {
address-book {
address remote-net 10.0.0.0/8;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
}
/* LAN VLAN (tag 3), routed by vlan.0 at 10.32.197.65/28. */
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
--------
root@SRX220> show security ike security-association detail
IKE peer 33.12.22.1, Index 5393328, Gateway Name: IKE-GATEWAY
Role: Initiator, State: UP
Initiator cookie: bf3766e935a76519, Responder cookie: 166b0c89c2c05ff9
Exchange type: Aggressive, Authentication method: Pre-shared-keys
Local: 192.168.1.5:4500, Remote: 33.12.22.1:4500
Lifetime: Expires in 5111 seconds
Peer ike-id: 33.12.22.1
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 516
Output bytes : 887
Input packets: 2
Output packets: 3
Flags: IKE SA is created
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
Flags: IKE SA is created
root@SRX220> show log kmd-logs
Apr 25 08:21:05 SRX220 kmd[1283]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GATEWAY, Local: 192.168.1.5/500, Remote: 33.12.22.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0