SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Phase 1 packet arrived from an unrecognized peer gateway

    Posted 01-25-2016 08:12

    Trying to get a point-to-point VPN setup between a SSG and an SRX and can't get past the phase 1 error.  Any help would be appreciated.

     

    Here are the configs:

    SSG: Untrust Addr: x.x.x.138, Trust Addr: 172.16.0.0/20

    SRX: Untrust Addr: x.x.x.177, Trust Addr: 10.1.10.0/24

     

    Error from SSG - Rejected an IKE packet on ethernet0/0 from x.x.x.177:500 to x.x.x.138:500 with cookies xxx and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

    SSG - router
    set interface "ethernet0/0" zone "Untrust"
    set interface "tunnel.1" zone "Trust"
    set interface ethernet0/0 ip x.x.x.138/29
    set interface ethernet0/0 route
    set interface bgroup0 ip 172.16.0.1/20
    set interface bgroup0 nat
    set interface tunnel.1 ip unnumbered interface ethernet0/0
    set address "Untrust" "10.1.10.0/24" 10.1.10.0 255.255.255.0
    set ike gateway "TO_HQ" address x.x.x.117 Main outgoing-interface "ethernet0/0" preshare "xxxx"
    set vpn "HQ_VPN" gateway "TO_HQ" no-replay tunnel idletime 0 sec-level standard
    set vpn "HQ_VPN" id 0x3 bind interface tunnel.1
    unset interface tunnel.1 acvpn-dynamic-routing
    set policy id 11 from "Untrust" to "Trust" "10.1.10.0/24" "Any" "ANY" permit
    set policy id 11
    set route 10.1.10.0/24 interface tunnel.1 gateway 10.1.10.1 permanent

    SRX - router
    set interfaces st0.0 family inet
    set routing-options static route 172.16.0.0/20 next-hop st0.0
    set security zones security-zone vpn interfaces st0.0
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone trust address-book address net-cfgr_10-1-10-0--24 10.1.10.0/24
    set security zones security-zone vpn address-book address net-cfgr_172-16-0-0--20 172.16.0.0/20
    set security ike policy ike-policy-cfgr mode main
    set security ike policy ike-policy-cfgr proposal-set standard
    set security ike policy ike-policy-cfgr pre-shared-key ascii-text "xxxx"
    set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
    set security ike gateway ike-gate-cfgr address x.x.x.138
    set security ike gateway ike-gate-cfgr external-interface fe-0/0/0
    set security ike gateway ike-gate-cfgr version v1-only
    set security ipsec policy ipsec-policy-cfgr proposal-set standard
    set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
    set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
    set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
    set security ipsec vpn ipsec-vpn-cfgr establish-tunnels on-traffic
    set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_10-1-10-0--24
    set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_172-16-0-0--20
    set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
    set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
    set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_172-16-0-0--20
    set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_10-1-10-0--24
    set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
    set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit



  • 2.  RE: Phase 1 packet arrived from an unrecognized peer gateway

    Posted 01-25-2016 09:00

    Hello,

    Most likely, You have a typo in the config:

     

    set ike gateway "TO_HQ" address x.x.x.117 

     

    vs

     

    Error from SSG - Rejected an IKE packet on ethernet0/0 from x.x.x.177:500

    HTH

    Thx

    Alex
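The mismatch Alex spotted (the SSG gateway address x.x.x.117 versus the SRX actually sending from x.x.x.177) is the kind of thing a quick cross-check of both peers' configs against the rejecting side's IKE log catches mechanically. The script below is an added example, not from the thread or from Juniper; it parses the `set ike gateway ... address` and `set security ike gateway ... address` lines quoted above, takes each side's untrust address as given in the first post (the SRX config on the page has no interface address line, so it is passed in), and reports any peer address that does not line up.

```python
import re

# Excerpts taken from the thread's SSG (ScreenOS) and SRX (Junos) configs.
SSG_CONFIG = """
set interface ethernet0/0 ip x.x.x.138/29
set ike gateway "TO_HQ" address x.x.x.117 Main outgoing-interface "ethernet0/0" preshare "xxxx"
"""
SRX_CONFIG = """
set security ike gateway ike-gate-cfgr address x.x.x.138
set security ike gateway ike-gate-cfgr external-interface fe-0/0/0
"""
# The rejection line the SSG logged, shortened (cookies omitted).
SSG_LOG = ("Rejected an IKE packet on ethernet0/0 from x.x.x.177:500 to x.x.x.138:500 "
           "because an initial Phase 1 packet arrived from an unrecognized peer gateway.")


def ssg_peers(cfg):
    """Map ScreenOS IKE gateway name -> configured peer address."""
    return dict(re.findall(r'^set ike gateway "([^"]+)" address (\S+)', cfg, re.M))


def srx_peers(cfg):
    """Map Junos IKE gateway name -> configured peer address."""
    return dict(re.findall(r'^set security ike gateway (\S+) address (\S+)', cfg, re.M))


def rejected_initiator(log_line):
    """Source address of the IKE packet the SSG rejected, or None if not a rejection line."""
    m = re.search(r'from ([^\s:]+):\d+ to ([^\s:]+):\d+', log_line)
    return m.group(1) if m else None


def check_peers(ssg_cfg, srx_cfg, ssg_untrust, srx_untrust, log_line=None):
    """Return a list of findings; an empty list means both sides point at each other."""
    findings = []
    ssg = ssg_peers(ssg_cfg)
    for name, addr in ssg.items():
        if addr != srx_untrust:
            findings.append(f"SSG gateway {name!r} expects peer {addr}, "
                            f"but the SRX untrust address is {srx_untrust}")
    for name, addr in srx_peers(srx_cfg).items():
        if addr != ssg_untrust:
            findings.append(f"SRX gateway {name!r} expects peer {addr}, "
                            f"but the SSG untrust address is {ssg_untrust}")
    if log_line:
        src = rejected_initiator(log_line)
        if src and src not in ssg.values():
            findings.append(f"SSG rejected IKE from {src}, which matches no configured gateway")
    return findings


if __name__ == "__main__":
    for f in check_peers(SSG_CONFIG, SRX_CONFIG, "x.x.x.138", "x.x.x.177", SSG_LOG):
        print(f)
```

Correcting the SSG line to x.x.x.177 and re-running yields no findings, which matches the outcome reported in the next post.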



  • 3.  RE: Phase 1 packet arrived from an unrecognized peer gateway

    Posted 01-25-2016 11:47

    Thanks, that was a great catch.

     

    My tunnel is up now but I can only ping in one direction, from the SRX to the SSG.  I can't ping from the SSG to the SRX.  I am guessing that it must be a policy issue.

     

    I have added this policy on the SSG side and it didn't help.

    set policy id 12 from "Trust" to "Untrust"  "Any" "10.1.10.0/24" "ANY" permit



  • 4.  RE: Phase 1 packet arrived from an unrecognized peer gateway

    Posted 01-25-2016 12:17

    Hello,

    When pinging from SSG to SRX across the tunnel, the src.IP is taken from Your eth0/0 because You unnumbered tun.1 to eth0/0.

    Unnumber tun.1 to bgroup0 and add this line:

    set interface bgroup0 route

    Also, make sure there is at least 1 ETH up/up in bgroup0.

     

    This should get Your ping going.

     

    HTH

    Thx

    Alex



  • 5.  RE: Phase 1 packet arrived from an unrecognized peer gateway

    Posted 01-25-2016 12:50

    When I ping from the SSG I specify bgroup0 as the source interface. I also am able to ping from the SRX side to a server on the SSG side but cannot ping from the SSG network server to the SRX side.

     

    Also, I think I need bgroup0 to NAT, not Route. I've set up other SSG to SSG VPNs and they all have NAT enabled. Maybe I'm confused?