SRX Services Gateway
Contributor
Nevermore
Posts: 68
Registered: 03-24-2008

IP Sec VPN With GlobeSurfer III

Hi,

I need help with an IPsec VPN between an SRX240 and a GlobeSurfer III 3G router.

My configuration is:

set interfaces st0 unit 1 family inet
set routing-options static route 10.0.100.0/24 next-hop st0.1
set security ike proposal to-3g-p1 authentication-method pre-shared-keys
set security ike proposal to-3g-p1 dh-group group2
set security ike proposal to-3g-p1 authentication-algorithm sha1
set security ike proposal to-3g-p1 encryption-algorithm 3des-cbc
set security ike proposal to-3g-p1 lifetime-seconds 28800
set security ike policy to-3g-p1-policy mode main
set security ike policy to-3g-p1-policy proposals to-3g-p1
set security ike policy to-3g-p1-policy pre-shared-key ascii-text test

set security ike gateway to-3g-gw ike-policy to-3g-p1-policy
set security ike gateway to-3g-gw address 1.1.1.1
set security ike gateway to-3g-gw external-interface ge-1/0/0.0

set security ipsec proposal to-3g-p2 protocol esp
set security ipsec proposal to-3g-p2 authentication-algorithm hmac-md5-96
set security ipsec proposal to-3g-p2 encryption-algorithm 3des-cbc
set security ipsec proposal to-3g-p2 lifetime-seconds 3600
set security ipsec policy 3g-vpn-p2-policy proposals to-3g-p2

set security ipsec vpn 3g-vpn bind-interface st0.1
set security ipsec vpn 3g-vpn ike gateway to-3g-gw
set security ipsec vpn 3g-vpn ike proxy-identity local 192.168.1.0/24
set security ipsec vpn 3g-vpn ike proxy-identity remote 10.0.100.0/24
set security ipsec vpn 3g-vpn ike proxy-identity service any
set security ipsec vpn 3g-vpn ike ipsec-policy 3g-vpn-p2-policy
set security ipsec vpn 3g-vpn establish-tunnels immediately

 

jun@jun> show security ipsec security-associations    
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys

jun@jun> show security ike security-associations      
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
449     1.1.1.1   UP     3286b8179c2c9d85  a149b27377def3ff  Main         


 

Log for GlobeSurfer III:

pluto[52]: "ips0" #29: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbdb55916 (perhaps this is a duplicated packet)

I am also attaching the configuration pictures of the GlobeSurfer. I think this is not a proposal issue; I changed the proposals and see the same associations.

 


MCP - MCSA+S - MCSE+S
MCTS: Vista
Contributor
Youness
Posts: 40
Registered: 12-06-2011

Re: IP Sec VPN With GlobeSurfer III

A lot of things are wrong here. For example, you enabled Perfect Forward Secrecy on your firewall but not on your SRX, the lifetime in phase one is not matched, and some other stuff. I recommend you use the Site-to-Site VPN tool here, and use AES instead of 3DES, which sometimes doesn't work on some devices:

https://www.juniper.net/customers/support/configtools/vpnconfig.html

 

 

Contributor
Nevermore
Posts: 68
Registered: 03-24-2008

Re: IP Sec VPN With GlobeSurfer III

Hi,

Thanks for your answer. Can you tell me what is wrong? I have corrected the lifetime seconds; I forgot to paste it here.

Here is my debug output:

 

Dec  7 11:47:38 ike_free_negotiation: Start, nego = 1
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
Dec  7 11:47:38 ike_free_negotiation_qm: Start, nego = 2
Dec  7 11:47:38 ike_free_negotiation: Start, nego = 2
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
Dec  7 11:47:38 ike_free_negotiation_qm: Start, nego = 3
Dec  7 11:47:38 ike_free_negotiation: Start, nego = 3
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 4
Dec  7 11:47:38 ike_free_negotiation_isakmp: Start, nego = -1
Dec  7 11:47:38 ike_free_negotiation: Start, nego = -1
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 1
Dec  7 11:47:38 ike_free_id_payload: Start, id type = 1
Dec  7 11:47:38 ike_free_sa: Start
Dec  7 11:47:39 ike_get_sa: Start, SA = { e75c4884 d53826b6 - 00000000 00000000 } / 00000000, remote = 1.1.1.1:500
Dec  7 11:47:39 ike_sa_allocate: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff }
Dec  7 11:47:39 ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 0
Dec  7 11:47:39 ike_decode_packet: Start
Dec  7 11:47:39 ike_decode_packet: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff} / 00000000, nego = -1
Dec  7 11:47:39 ike_decode_payload_sa: Start
Dec  7 11:47:39 ike_decode_payload_t: Start, # trans = 4
Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-03'
Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-02'
Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-02'
Dec  7 11:47:39 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
Dec  7 11:47:39 The remote server at 1.1.1.1:500 is 'draft-ietf-ipsec-nat-t-ike-00'
Dec  7 11:47:39 ike_st_i_sa_proposal: Start
Dec  7 11:47:39 ike_isakmp_sa_reply: Start
Dec  7 11:47:39 ike_st_i_cr: Start
Dec  7 11:47:39 ike_st_i_cert: Start
Dec  7 11:47:39 ike_st_i_private: Start
Dec  7 11:47:39 ike_st_o_sa_values: Start
Dec  7 11:47:39 ike_policy_reply_isakmp_vendor_ids: Start
Dec  7 11:47:39 ike_st_o_private: Start
Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
Dec  7 11:47:39 ike_encode_packet: Start, SA = { 0xe75c4884 d53826b6 - d61035f1 8048caff } / 00000000, nego = -1
Dec  7 11:47:39 ike_send_packet: Start, send SA = { e75c4884 d53826b6 - d61035f1 8048caff}, nego = -1, src=2.2.2.2:500, dst = 1.1.1.1:500, routing table id = 0
Dec  7 11:47:39 ike_get_sa: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff } / 00000000, remote = 1.1.1.1:500
Dec  7 11:47:39 ike_sa_find: Found SA = { e75c4884 d53826b6 - d61035f1 8048caff }
Dec  7 11:47:39 ike_decode_packet: Start
Dec  7 11:47:39 ike_decode_packet: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff} / 00000000, nego = -1
Dec  7 11:47:39 ike_st_i_nonce: Start, nonce[0..16] = 963b2537 efffb858 ...
Dec  7 11:47:39 ike_st_i_ke: Ke[0..128] = 4d67ee00 71ce0738 ...
Dec  7 11:47:39 ike_st_i_cr: Start
Dec  7 11:47:39 ike_st_i_cert: Start
Dec  7 11:47:39 ike_st_i_private: Start
Dec  7 11:47:39 my_ipaddr_as_ike_id: add <2.2.2.2>
Dec  7 11:47:39 ike_st_o_ke: Start
Dec  7 11:47:39 ike_st_o_nonce: Start
Dec  7 11:47:39 ike_policy_reply_isakmp_nonce_data_len: Start
Dec  7 11:47:39 ike_find_pre_shared_key: Find pre shared key key for 2.2.2.2:500, id = No Id -> 1.1.1.1:500, id = No Id
Dec  7 11:47:39 ike_policy_reply_find_pre_shared_key: Start
Dec  7 11:47:39 ike_st_o_private: Start
Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
Dec  7 11:47:39 my_ipaddr_as_ike_id: add <2.2.2.2>
Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
Dec  7 11:47:39 ike_st_o_calc_skeyid: Calculating skeyid
Dec  7 11:47:39 ike_find_pre_shared_key: Find pre shared key key for 2.2.2.2:500, id = No Id -> 1.1.1.1:500, id = No Id
Dec  7 11:47:39 ike_encode_packet: Start, SA = { 0xe75c4884 d53826b6 - d61035f1 8048caff } / 00000000, nego = -1
Dec  7 11:47:39 ike_send_packet: Start, send SA = { e75c4884 d53826b6 - d61035f1 8048caff}, nego = -1, src=2.2.2.2:500, dst = .1.1.1.1:500, routing table id = 0
Dec  7 11:47:39 ike_get_sa: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff } / 00000000, remote = 1.1.1.1:500
Dec  7 11:47:39 ike_sa_find: Found SA = { e75c4884 d53826b6 - d61035f1 8048caff }
Dec  7 11:47:39 ike_decode_packet: Start
Dec  7 11:47:39 ike_decode_packet: Start, SA = { e75c4884 d53826b6 - d61035f1 8048caff} / 00000000, nego = -1
Dec  7 11:47:39 ike_st_i_encrypt: Check that packet was encrypted succeeded
Dec  7 11:47:39 ike_st_i_id: Start
Dec  7 11:47:39 ike_st_i_hash: Start, hash[0..20] = 15f77f59 be331ec0 ...
Dec  7 11:47:39 ike_calc_mac: Start, initiator = false, local = false
Dec  7 11:47:39 ike_st_i_cert: Start
Dec  7 11:47:39 ike_st_i_private: Start
Dec  7 11:47:39 ike_st_o_id: Start
Dec  7 11:47:39 ike_policy_reply_isakmp_id: Start
Dec  7 11:47:39 ike_st_o_hash: Start
Dec  7 11:47:39 ike_calc_mac: Start, initiator = false, local = true
Dec  7 11:47:39 ike_st_o_status_n: Start
Dec  7 11:47:39 ike_st_o_private: Start
Dec  7 11:47:39 ike_policy_reply_private_payload_out: Start
Dec  7 11:47:39 ike_st_o_encrypt: Marking encryption for packet
Dec  7 11:47:39 ike_st_o_wait_done: Marking for waiting for done

MCP - MCSA+S - MCSE+S
MCTS: Vista
Contributor
Nevermore
Posts: 68
Registered: 03-24-2008

Re: IP Sec VPN With GlobeSurfer III

Solved it:

set security ipsec policy 3g-vpn-p2-policy perfect-forward-secrecy keys group2

Thanks mate.

I also have configuration for:

binding the interface to zone vpn, and I wrote policies for the connection.

MCP - MCSA+S - MCSE+S
MCTS: Vista
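The fix above came down to a phase 2 mismatch: the GlobeSurfer negotiated PFS and the SRX policy did not. As an added example (not from this thread or from Juniper), here is a small Python checker that parses the SRX `set` lines posted above and compares them, attribute by attribute, against a constructed table of the peer's assumed settings, so a mismatch like the missing PFS group shows up before the tunnel is debugged by hand. The peer values are assumptions built to mirror the thread's outcome.

```python
import re

# Constructed subset of the SRX "set" lines posted in this thread (before the fix).
SRX_CONFIG = """
set security ike proposal to-3g-p1 dh-group group2
set security ike proposal to-3g-p1 authentication-algorithm sha1
set security ike proposal to-3g-p1 encryption-algorithm 3des-cbc
set security ike proposal to-3g-p1 lifetime-seconds 28800
set security ipsec proposal to-3g-p2 protocol esp
set security ipsec proposal to-3g-p2 authentication-algorithm hmac-md5-96
set security ipsec proposal to-3g-p2 encryption-algorithm 3des-cbc
set security ipsec proposal to-3g-p2 lifetime-seconds 3600
set security ipsec policy 3g-vpn-p2-policy proposals to-3g-p2
"""
# The line the thread's author added to solve the problem.
FIX_LINE = "set security ipsec policy 3g-vpn-p2-policy perfect-forward-secrecy keys group2\n"

# Assumed peer (GlobeSurfer) settings, constructed for this example; PFS is on.
PEER = {
    "ike": {"dh-group": "group2", "authentication-algorithm": "sha1",
            "encryption-algorithm": "3des-cbc", "lifetime-seconds": "28800"},
    "ipsec": {"protocol": "esp", "authentication-algorithm": "hmac-md5-96",
              "encryption-algorithm": "3des-cbc", "lifetime-seconds": "3600",
              "perfect-forward-secrecy": "group2"},
}
SET_RE = re.compile(r"^set security (ike|ipsec) (proposal|policy) (\S+) (\S+)(?: keys)? (\S+)$")


def parse_srx(config):
    """Collect proposal attributes per phase, plus PFS from the ipsec policy."""
    phases = {"ike": {}, "ipsec": {}}
    for line in config.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # interfaces, gateways, routes: not negotiated parameters
        phase, kind, _name, key, value = m.groups()
        if kind == "proposal" or key == "perfect-forward-secrecy":
            phases[phase][key] = value
    return phases


def compare(local, peer):
    """Return (phase, attribute, local, peer) tuples that differ; absent reads as 'none'."""
    mismatches = []
    for phase in ("ike", "ipsec"):
        for key in sorted(set(local[phase]) | set(peer[phase])):
            lv, pv = local[phase].get(key, "none"), peer[phase].get(key, "none")
            if lv != pv:
                mismatches.append((phase, key, lv, pv))
    return mismatches
```

Running `compare(parse_srx(SRX_CONFIG), PEER)` reports only the missing PFS group on the ipsec side; appending `FIX_LINE` to the config makes the comparison come back empty.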
Contributor
Youness
Posts: 40
Registered: 12-06-2011

Re: IP Sec VPN With GlobeSurfer III

Glad to hear that :smileyhappy:

Good luck
