Hi
I'm having problems getting Phase 1 up between two SRX devices. It's a route based VPN with the simplest possible setup where I have copied the settings between the devices for ensuring that there should be no typos. Well, did of course not copy the gateway addresses...
It's one SRX240 running 11.1R3.5 and one SRX100B running 11.4R6.6.
The SRX100B is almost clean in the configuration as it's newly installed for being located at our new branch office - i.e. it has yet merely no policies, no advanced features, and this VPN is the only one configured in it. The SRX240 has several VPN's to various gateways (ScreenOS 5.6, Cisco's etc), all working without problems.
I am configuring the SRX100B in a temporary location. On the IP address next to this I am running a ScreenOS NS5GT that has an unproblematic VPN established with the SRX240 since almost two years. So, there should be no network related problems. See ike config in SRX100 below.
Problem is that I cannot even get through Phase 1! In the monitor I get "DOWN" in the IKE SA view. Under "Responder Cookie" it says "0000000000000" while the "Initiatior Cookie" has an actual value... I have traced with level 15 but cannot find anything revealing about what's actually causing the VPN to fail. Instead, I see confirmations that the p1 negotiation works, e.g. the lifetime, encryption and authentication parameters are explicitly stated as negotiated.
When trying to intentionally use a bad PSK I get other errors in the logs so it is presumable that the PSK is also working fine.
I would very much appreciate some tips on how to identify the underlying cause of this failure. I found some guides on Juniper support pages but the refer to old junos versions so the log messages are not the of any help...
I'd rather not upgrade the SRX240 at this moment. Should I downgrade the SRX100B to 11.1R3.5 and see if this would lead to any changes?
Thanks a lot for any tips around this...
/mk
----
proposal p1-xxx {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
policy ike-xxx {
mode main;
proposals p1-xxx;
pre-shared-key ascii-text "$9$ZSGk39pOR/CKM"; ## SECRET-DATA
}
gateway gw-xxx-tg4 {
ike-policy ike-xxx;
address 212.214.4.178;
external-interface fe-0/0/0.0;
}