SRX Services Gateway
Visitor
clowe1243
Posts: 2
Registered: ‎01-27-2012

Need help With IKE Security Associations


I set up a VPN between two SRX3600s and it looks like I've set something up wrong. I am not able to get any traffic from one subnet over the VPN to another. I think it's because of the IKE SAs, but I'm not sure. Please see the attached configs.


==============================================================

lowe@dc-srx3660-0> show security ike security-associations

lowe@dc-srx3660-0> show security ipsec **bleep**
                                       ^
syntax error, expecting <command>.
lowe@dc-srx3660-0> show security ipsec security-associations
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 XXX.XXX.XXX.XXX 500  ESP:3des/sha1   3b3767bf expir/expir   U   root
  >131073 XXX.XXX.XXX.XXX 500  ESP:3des/sha1   3bc41375 expir/expir   U   root

==============================================================

lowe@la-srx3660-0> show security ike security-associations

lowe@la-srx3660-0> show security ipsec security-associations
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 XXX.XXX.XXX.XXX   500   ESP:3des/sha1   3bc41375 expir/expir   U   root
  >131073 XXX.XXX.XXX.XXX   500   ESP:3des/sha1   3b3767bf expir/expir   U   root


==============================================================


dc-srx3660-0#

    }
    st0 {
        unit 0 {
            family inet {
                address 10.2.2.2/24;




security {
    ike {
        policy ike-policy-cfgr {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address X.X.X.X;
            external-interface xe-1/0/1;
        }
    }
    ipsec {
        policy ipsec-policy-cfgr {
            proposal-set standard;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway ike-gate-cfgr;
                ipsec-policy ipsec-policy-cfgr;

        


        from-zone trust to-zone vpn {
            policy trust-vpn-cfgr {
                match {
                    source-address [ net-cfgr_10-15-0-0--20 net-cfgr_10-15-16-0--20 ];
                    destination-address net-cfgr_10-16-0-0--23;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust-cfgr {
                match {
                    source-address net-cfgr_10-16-0-0--23;
                    destination-address [ net-cfgr_10-15-0-0--20 net-cfgr_10-15-16-0--20 ];
                    application any;
                }
                then {
                    permit;

==============================================================


la-srx3660-0#

    }
    st0 {
        unit 0 {
            family inet {
                address 10.2.2.3/24;



security {
    ike {
        policy ike-policy-cfgr {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address X.X.X.X;
            external-interface ge-0/0/8;
        }
    }
    ipsec {
        policy ipsec-policy-cfgr {
            proposal-set standard;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway ike-gate-cfgr;
                ipsec-policy ipsec-policy-cfgr;

        



    from-zone internal to-zone vpn {
            policy internal-vpn-cfgr {
                match {
                    source-address net-cfgr_10-16-0-0--23;
                    destination-address [ net-cfgr_10-15-0-0--20 net-cfgr_10-15-16-0--20 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone internal {
            policy vpn-internal-cfgr {
                match {
                    source-address [ net-cfgr_10-15-0-0--20 net-cfgr_10-15-16-0--20 ];
                    destination-address net-cfgr_10-16-0-0--23;
                    application any;
                }
                then {
                    permit;

Distinguished Expert
firewall72
Posts: 806
Registered: ‎05-04-2008

Re: Need help With IKE Security Associations

Hi,


Since your P1/P2 are UP and you have a policy, I would check your route at each site.


set routing-options static route 10.15.0.0/24 next-hop st0.0

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, JNSS-Firewall

Recognized Expert
Visitor
Posts: 121
Registered: ‎08-30-2010

Re: Need help With IKE Security Associations

Hi,


For the traffic not passing, I would suggest you check the static routes, as suggested by John, and for phase 1
to show up you need to configure an NTP server on the SRX to synchronize the timestamps
between the multiple SPU boards and the RE.
Refer to KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB17537&pmv=print for more information.


Hope this helps.


Regards,

Visitor


Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: Need help With IKE Security Associations

Your Phase 2 SA's are expired, which means they've timed out and not renewed.  That could be for a couple different reasons.


Do your P1/P2 SA's come up and work at all, and then expire and stop working, or do they just never work?

There is not enough of your configuration posted to try and figure out what's going on. 


As firewall72 suggested, you've got the VPNs set up as route-based, so check your static route at each side and make sure the route is pointing to the correct place, either interface st0.0 or the next-hop IP of the remote st0 interface. Also you'll need to make sure that your st0 interfaces are in the "vpn" zones, and that you have proper connectivity to your external IKE interfaces and that they're in the correct zones / VRs (which is going to depend on what version of Junos you're running). To be sure P1 comes up, you can try configuring your IKE / P1 connections with DPD and then setting your VPNs to "establish-tunnels immediately".


If you don't get it going after checking those things, please post more information.  More complete configurations, logs and/or traceoptions, the output of "show route", etc.


-kr


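The checks John and keithr list above (routes into st0.0, st0.0 in the vpn zone, IKE allowed in on the external interface, DPD plus establish-tunnels immediately, NTP) gathered into one added example in Junos set syntax; this is not configuration from the thread. It assumes dc is the 10.15.0.0/20 and 10.15.16.0/20 side and la the 10.16.0.0/23 side (inferred from the address-book names), that the external interfaces live in a zone called untrust, and it uses 192.0.2.123 as a placeholder NTP server.

```junos
## Added example, not from the thread. Site prefixes inferred from the
## address-book names; zone "untrust" and NTP 192.0.2.123 are assumptions.

## --- dc-srx3660-0 (st0.0 = 10.2.2.2/24) ---
## Route-based VPN: traffic for the remote LAN only enters the tunnel if a
## route points at it. Next-hop can be st0.0 itself or the peer st0 address.
set routing-options static route 10.16.0.0/23 next-hop st0.0
## st0.0 must sit in the zone the trust<->vpn policies refer to.
set security zones security-zone vpn interfaces st0.0
## The external IKE interface must be in a zone that accepts IKE inbound.
set security zones security-zone untrust interfaces xe-1/0/1
set security zones security-zone untrust host-inbound-traffic system-services ike
## DPD detects a dead peer; establish-tunnels immediately brings P1/P2 up
## without waiting for interesting traffic, so SAs do not sit in "expir".
set security ike gateway ike-gate-cfgr dead-peer-detection interval 10
set security ike gateway ike-gate-cfgr dead-peer-detection threshold 3
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
## NTP so the SPUs and the RE share one clock (KB17537).
set system ntp server 192.0.2.123

## --- la-srx3660-0 (st0.0 = 10.2.2.3/24) ---
set routing-options static route 10.15.0.0/20 next-hop st0.0
set routing-options static route 10.15.16.0/20 next-hop st0.0
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/8
set security zones security-zone untrust host-inbound-traffic system-services ike
set security ike gateway ike-gate-cfgr dead-peer-detection interval 10
set security ike gateway ike-gate-cfgr dead-peer-detection threshold 3
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
set system ntp server 192.0.2.123

## Verification after commit, in operational mode on the dc side:
##   show security ike security-associations      -> a P1 entry in state UP
##   show security ipsec security-associations    -> Life:sec/kb counting down, not expir/expir
##   show route 10.16.0.1                         -> next hop via st0.0
##   show security flow session destination-prefix 10.16.0.0/23
```

If P1 never shows up at all, the route and zone settings are not the cause; in that case the IKE traffic to the external interface, the clocks and the pre-shared key are the things to look at first.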
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.