SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IP Sec VPN With GlobeSurfer III

    Posted 12-07-2011 01:41

    Hi,


    I need help with an IPsec VPN between an SRX240 and a GlobeSurfer III 3G router.


    My configuration is:


    set interfaces st0 unit 1 family inet
    set routing-options static route 10.0.100.0/24 next-hop st0.1
    set security ike proposal to-3g-p1 authentication-method pre-shared-keys
    set security ike proposal to-3g-p1 dh-group group2
    set security ike proposal to-3g-p1 authentication-algorithm sha1
    set security ike proposal to-3g-p1 encryption-algorithm 3des-cbc
    set security ike proposal to-3g-p1 lifetime-seconds 28800
    set security ike policy to-3g-p1-policy mode main
    set security ike policy to-3g-p1-policy proposals to-3g-p1
    set security ike policy to-3g-p1-policy pre-shared-key ascii-text test

    set security ike gateway to-3g-gw ike-policy to-3g-p1-policy
    set security ike gateway to-3g-gw address 1.1.1.1
    set security ike gateway to-3g-gw external-interface ge-1/0/0.0

    set security ipsec proposal to-3g-p2 protocol esp
    set security ipsec proposal to-3g-p2 authentication-algorithm hmac-md5-96
    set security ipsec proposal to-3g-p2 encryption-algorithm 3des-cbc
    set security ipsec proposal to-3g-p2 lifetime-seconds 3600
    set security ipsec policy 3g-vpn-p2-policy proposals to-3g-p2

    set security ipsec vpn 3g-vpn bind-interface st0.1
    set security ipsec vpn 3g-vpn ike gateway to-3g-gw
    set security ipsec vpn 3g-vpn ike proxy-identity local 192.168.1.0/24
    set security ipsec vpn 3g-vpn ike proxy-identity remote 10.0.100.0/24
    set security ipsec vpn 3g-vpn ike proxy-identity service any
    set security ipsec vpn 3g-vpn ike ipsec-policy 3g-vpn-p2-policy
    set security ipsec vpn 3g-vpn establish-tunnels immediately


    jun@jun> show security ipsec security-associations    
      Total active tunnels: 1
      ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys

    jun@jun> show security ike security-associations      
    Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
    449     1.1.1.1   UP     3286b8179c2c9d85  a149b27377def3ff  Main         



    Log for GlobeSurfer III:


    pluto[52]: "ips0" #29: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbdb55916 (perhaps this is a duplicated packet)


    I am also attaching the configuration pictures of the GlobeSurfer. I think this is not a proposal issue; I changed the proposals and see the same associations.




  • 2.  RE: IP Sec VPN With GlobeSurfer III
    Best Answer

    Posted 12-07-2011 01:50

    A lot of things are wrong here. For example, you enabled Perfect Forward Secrecy on your firewall but not on your SRX, the lifetime in phase one is not matched, and some other stuff. I recommend you use the Site-to-Site VPN tool here, and use AES instead of 3DES; sometimes it doesn't work on some devices:

    https://www.juniper.net/customers/support/configtools/vpnconfig.html




  • 3.  RE: IP Sec VPN With GlobeSurfer III

    Posted 12-07-2011 02:06

    Hi,

    Thanks for your answer. Can you tell me what is wrong? I have corrected the lifetime seconds; I forgot to paste it here.

    Here is my debug output:


    Dec  7 11:47:38 ike_free_negotiation: Start, nego = 1
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
    Dec  7 11:47:38 ike_free_negotiation_qm: Start, nego = 2
    Dec  7 11:47:38 ike_free_negotiation: Start, nego = 2
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
    Dec  7 11:47:38 ike_free_negotiation_qm: Start, nego = 3
    Dec  7 11:47:38 ike_free_negotiation: Start, nego = 3
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
    Dec  7 11:47:38 ike_free_negotiation_isakmp: Start, nego = -1
    Dec  7 11:47:38 ike_free_negotiation: Start, nego = -1
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 1
    Dec  7 11:47:38 ike_free_id_payload: Start, id type = 1
    Dec  7 11:47:38 ike_free_sa: Start
    Dec  7 11:47:39 ike_get_sa: Start, SA = { e75c4884 d53826b6 - 00000000 00000000 } / 00000000, remote = 1.1.1.1:500
    Dec  7 11:47:39 ike_sa_allocate: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff }
    Dec  7 11:47:39 ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 0
    Dec  7 11:47:39 ike_decode_packet: Start
    Dec  7 11:47:39 ike_decode_packet: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff} / 00000000, nego = -1
    Dec  7 11:47:39 ike_decode_payload_sa: Start
    Dec  7 11:47:39 ike_decode_payload_t: Start, # trans = 4
    Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-03'
    Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-02'
    Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-02'
    Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-00'
    Dec  7 11:47:39 ike_st_i_sa_proposal: Start
    Dec  7 11:47:39 ike_isakmp_sa_reply: Start
    Dec  7 11:47:39 ike_st_i_cr: Start
    Dec  7 11:47:39 ike_st_i_cert: Start
    Dec  7 11:47:39 ike_st_i_private: Start
    Dec  7 11:47:39 ike_st_o_sa_values: Start
    Dec  7 11:47:39 ike_policy_reply_isakmp_vendor_ids: Start
    Dec  7 11:47:39 ike_st_o_private: Start
    Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
    Dec  7 11:47:39 ike_encode_packet: Start, SA = { 0xe75c4884 d53826b6 - d61035f1 8048caff } / 00000000, nego = -1
    Dec  7 11:47:39 ike_send_packet: Start, send SA = { e75c4884 d53826b6 - d61035f1 8048caff}, nego = -1, src=2.2.2.2:500, dst = 1.1.1.1:500, routing table id = 0
    Dec  7 11:47:39 ike_get_sa: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff } / 00000000, remote = 1.1.1.1:500
    Dec  7 11:47:39 ike_sa_find: Found SA = { e75c4884 d53826b6 - d61035f1 8048caff }
    Dec  7 11:47:39 ike_decode_packet: Start
    Dec  7 11:47:39 ike_decode_packet: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff} / 00000000, nego = -1
    Dec  7 11:47:39 ike_st_i_nonce: Start, nonce[0..16] = 963b2537 efffb858 ...
    Dec  7 11:47:39 ike_st_i_ke: Ke[0..128] = 4d67ee00 71ce0738 ...
    Dec  7 11:47:39 ike_st_i_cr: Start
    Dec  7 11:47:39 ike_st_i_cert: Start
    Dec  7 11:47:39 ike_st_i_private: Start
    Dec  7 11:47:39 my_ipaddr_as_ike_id: add <2.2.2.2>
    Dec  7 11:47:39 ike_st_o_ke: Start
    Dec  7 11:47:39 ike_st_o_nonce: Start
    Dec  7 11:47:39 ike_policy_reply_isakmp_nonce_data_len: Start
    Dec  7 11:47:39 ike_find_pre_shared_key: Find pre shared key key for 2.2.2.2:500, id = No Id -> 1.1.1.1:500, id = No Id
    Dec  7 11:47:39 ike_policy_reply_find_pre_shared_key: Start
    Dec  7 11:47:39 ike_st_o_private: Start
    Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
    Dec  7 11:47:39 my_ipaddr_as_ike_id: add <2.2.2.2>
    Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
    Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
    Dec  7 11:47:39 ike_st_o_calc_skeyid: Calculating skeyid
    Dec  7 11:47:39 ike_find_pre_shared_key: Find pre shared key key for 2.2.2.2:500, id = No Id -> 1.1.1.1:500, id = No Id
    Dec  7 11:47:39 ike_encode_packet: Start, SA = { 0xe75c4884 d53826b6 - d61035f1 8048caff } / 00000000, nego = -1
    Dec  7 11:47:39 ike_send_packet: Start, send SA = { e75c4884 d53826b6 - d61035f1 8048caff}, nego = -1, src=2.2.2.2:500, dst = 1.1.1.1:500, routing table id = 0
    Dec  7 11:47:39 ike_get_sa: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff } / 00000000, remote = 1.1.1.1:500
    Dec  7 11:47:39 ike_sa_find: Found SA = { e75c4884 d53826b6 - d61035f1 8048caff }
    Dec  7 11:47:39 ike_decode_packet: Start
    Dec  7 11:47:39 ike_decode_packet: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff} / 00000000, nego = -1
    Dec  7 11:47:39 ike_st_i_encrypt: Check that packet was encrypted succeeded
    Dec  7 11:47:39 ike_st_i_id: Start
    Dec  7 11:47:39 ike_st_i_hash: Start, hash[0..20] = 15f77f59 be331ec0 ...
    Dec  7 11:47:39 ike_calc_mac: Start, initiator = false, local = false
    Dec  7 11:47:39 ike_st_i_cert: Start
    Dec  7 11:47:39 ike_st_i_private: Start
    Dec  7 11:47:39 ike_st_o_id: Start
    Dec  7 11:47:39 ike_policy_reply_isakmp_id: Start
    Dec  7 11:47:39 ike_st_o_hash: Start
    Dec  7 11:47:39 ike_calc_mac: Start, initiator = false, local = true
    Dec  7 11:47:39 ike_st_o_status_n: Start
    Dec  7 11:47:39 ike_st_o_private: Start
    Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
    Dec  7 11:47:39 ike_st_o_encrypt: Marking encryption for packet
    Dec  7 11:47:39 ike_st_o_wait_done: Marking for waiting for done



  • 4.  RE: IP Sec VPN With GlobeSurfer III

    Posted 12-07-2011 02:22

    Solved it


    set security ipsec policy 3g-vpn-p2-policy perfect-forward-secrecy keys group2


    Thanks mate.


    I also have configuration for:


    binding the interface to zone vpn, and I wrote policies for the connection.
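The mismatches named in the best answer (PFS enabled on the peer but not on the SRX, phase-1 lifetimes not matching) and the one-line fix above are the kind of thing that is easier to catch by diffing both sides' parameters than by reading Quick Mode debug output. The following script is an added example, not code from the original thread or from Juniper: it parses the `set security ike ...` / `set security ipsec ...` lines from the first post into the effective phase-1 and phase-2 parameters of the `3g-vpn` tunnel and compares them with the peer's settings. The peer values in `PEER_PARAMS` are an assumption modelled on what the thread says (everything matches except that the GlobeSurfer has PFS with DH group 2 enabled); they are not taken from the device's screenshots, so substitute what the peer's UI actually shows. The parser assumes one proposal per policy, as in the posted configuration, and treats Junos' documented defaults (IKE lifetime 28800 s, IPsec lifetime 3600 s, main mode) as the effective value when a knob is not set.

```python
"""Added example: derive the effective IKE phase-1 / IPsec phase-2 parameters
of one Junos VPN from 'set security ...' lines and diff them against the peer,
so a missing PFS group or a lifetime mismatch shows up before debugging."""

# Constructed sample input: the SRX240 configuration from the first post.
SRX_CONFIG = """
set security ike proposal to-3g-p1 authentication-method pre-shared-keys
set security ike proposal to-3g-p1 dh-group group2
set security ike proposal to-3g-p1 authentication-algorithm sha1
set security ike proposal to-3g-p1 encryption-algorithm 3des-cbc
set security ike proposal to-3g-p1 lifetime-seconds 28800
set security ike policy to-3g-p1-policy mode main
set security ike policy to-3g-p1-policy proposals to-3g-p1
set security ike policy to-3g-p1-policy pre-shared-key ascii-text test
set security ike gateway to-3g-gw ike-policy to-3g-p1-policy
set security ike gateway to-3g-gw address 1.1.1.1
set security ike gateway to-3g-gw external-interface ge-1/0/0.0
set security ipsec proposal to-3g-p2 protocol esp
set security ipsec proposal to-3g-p2 authentication-algorithm hmac-md5-96
set security ipsec proposal to-3g-p2 encryption-algorithm 3des-cbc
set security ipsec proposal to-3g-p2 lifetime-seconds 3600
set security ipsec policy 3g-vpn-p2-policy proposals to-3g-p2
set security ipsec vpn 3g-vpn bind-interface st0.1
set security ipsec vpn 3g-vpn ike gateway to-3g-gw
set security ipsec vpn 3g-vpn ike ipsec-policy 3g-vpn-p2-policy
"""

# ASSUMED peer (GlobeSurfer III) settings, modelled on the thread: all values
# match the SRX except that PFS with DH group 2 is enabled on the peer.
PEER_PARAMS = {
    "p1_mode": "main", "p1_dh": "group2", "p1_auth": "sha1",
    "p1_enc": "3des-cbc", "p1_lifetime": 28800,
    "p2_pfs": "group2", "p2_proto": "esp", "p2_auth": "hmac-md5-96",
    "p2_enc": "3des-cbc", "p2_lifetime": 3600,
}

# The one-line fix posted as the solution.
FIX_LINE = "set security ipsec policy 3g-vpn-p2-policy perfect-forward-secrecy keys group2"


def parse_junos_set(config_text):
    """Build {section: {kind: {name: {attr: value}}}} from 'set security' lines."""
    tree = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["set", "security"] or len(tokens) < 6:
            continue
        section, kind, name, rest = tokens[2], tokens[3], tokens[4], tokens[5:]
        node = tree.setdefault(section, {}).setdefault(kind, {}).setdefault(name, {})
        if rest[:2] == ["perfect-forward-secrecy", "keys"]:
            node["pfs"] = rest[2]                  # e.g. "group2"
        elif len(rest) == 1:
            node[rest[0]] = True                   # bare flag
        else:
            node[" ".join(rest[:-1])] = rest[-1]   # "ike gateway" -> "to-3g-gw"
    return tree


def effective_params(tree, vpn_name):
    """Follow vpn -> gateway -> ike policy -> ike proposal and
    vpn -> ipsec policy -> ipsec proposal. Assumes one proposal per policy."""
    vpn = tree["ipsec"]["vpn"][vpn_name]
    gateway = tree["ike"]["gateway"][vpn["ike gateway"]]
    ike_policy = tree["ike"]["policy"][gateway["ike-policy"]]
    ike_prop = tree["ike"]["proposal"][ike_policy["proposals"]]
    ipsec_policy = tree["ipsec"]["policy"][vpn["ike ipsec-policy"]]
    ipsec_prop = tree["ipsec"]["proposal"][ipsec_policy["proposals"]]
    return {
        "p1_mode": ike_policy.get("mode", "main"),                     # Junos default
        "p1_dh": ike_prop.get("dh-group"),
        "p1_auth": ike_prop.get("authentication-algorithm"),
        "p1_enc": ike_prop.get("encryption-algorithm"),
        "p1_lifetime": int(ike_prop.get("lifetime-seconds", 28800)),   # Junos default
        "p2_pfs": ipsec_policy.get("pfs"),                             # None = PFS off
        "p2_proto": ipsec_prop.get("protocol"),
        "p2_auth": ipsec_prop.get("authentication-algorithm"),
        "p2_enc": ipsec_prop.get("encryption-algorithm"),
        "p2_lifetime": int(ipsec_prop.get("lifetime-seconds", 3600)),  # Junos default
    }


def compare(local, peer):
    """Return [(parameter, local_value, peer_value)] for every differing knob."""
    return [(k, local.get(k), peer.get(k)) for k in sorted(peer) if local.get(k) != peer.get(k)]


def diagnose(config_text, peer, vpn_name="3g-vpn"):
    """Parse the SRX side and diff it against the peer's parameters."""
    return compare(effective_params(parse_junos_set(config_text), vpn_name), peer)


if __name__ == "__main__":
    for label, cfg in (("as posted", SRX_CONFIG), ("with PFS fix", SRX_CONFIG + "\n" + FIX_LINE)):
        mismatches = diagnose(cfg, PEER_PARAMS)
        print(f"{label}: {mismatches or 'phase-1/phase-2 parameters match'}")
```

Run as posted, the only mismatch reported is `p2_pfs` (None on the SRX, `group2` on the peer); appending the fix line clears it. A phase-1 mismatch such as a different `lifetime-seconds` would show up the same way, which is a quicker check than waiting for the peer's `pluto` log to complain about Quick Mode.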



  • 5.  RE: IP Sec VPN With GlobeSurfer III

    Posted 12-07-2011 02:37

    Glad to hear that 🙂

    Good luck