SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 03:24

    I am having trouble configuring a pair of SRX220s to create a VPN tunnel via the internet. One has a static public IP and one has a DHCP-assigned address. I keep receiving a "Hash Payload does not Match" error during Phase 1. The pre-shared keys ARE typed in correctly and are the same, as can be seen below. Can anyone spot anything? Thanks in advance.


    Here are the configs and error message:


    Error from Log:


    [Jan 13 10:30:52]ike_decode_packet: Start
    [Jan 13 10:30:52]ike_decode_packet: Start, SA = { 21eec7cf 1aa70c89 - 73ae4cab 4778429c} / f2fbb75e, nego = 0
    [Jan 13 10:30:52]ike_st_i_n: Start, doi = 1, protocol = 1, code = Authentication failed (24), spi[0..16] = 21eec7cf 1aa70c89 ..., data[0..72] = 800c0001 80030008 ...
    [Jan 13 10:30:52]<none>:500 (Responder) <-> 81.130.61.5:500 { 21eec7cf 1aa70c89 - 73ae4cab 4778429c [0] / 0xf2fbb75e } Info; Notification data has attribute list
    [Jan 13 10:30:52]<none>:500 (Responder) <-> 81.130.61.5:500 { 21eec7cf 1aa70c89 - 73ae4cab 4778429c [0] / 0xf2fbb75e } Info; Notify message version = 1
    [Jan 13 10:30:52]<none>:500 (Responder) <-> 81.130.61.5:500 { 21eec7cf 1aa70c89 - 73ae4cab 4778429c [0] / 0xf2fbb75e } Info; Offending payload type = 8
    [Jan 13 10:30:52]<none>:500 (Responder) <-> 81.130.61.5:500 { 21eec7cf 1aa70c89 - 73ae4cab 4778429c [0] / 0xf2fbb75e } Info; Error text = Hash payload data does not match
    [Jan 13 10:30:52]<none>:500 (Responder) <-> 81.130.61.5:500 { 21eec7cf 1aa70c89 - 73ae4cab 4778429c [0] / 0xf2fbb75e } Info; Offending message id = 0x00000000
    [Jan 13 10:30:52]<none>:500 (Responder) <-> 81.130.61.5:500 { 21eec7cf 1aa70c89 - 73ae4cab 4778429c [0] / 0xf2fbb75e } Info; Received notify err = Authentication failed (24) to isakmp sa, delete it
    [Jan 13 10:30:52]ike_st_i_private: Start
    [Jan 13 10:30:52]ike_send_notify: Connected, SA = { 21eec7cf 1aa70c89 - 73ae4cab 4778429c}, nego = 0
    [Jan 13 10:30:52]ike_delete_negotiation: Start, SA = { 21eec7cf 1aa70c89 - 73ae4cab 4778429c}, nego = 0
    [Jan 13 10:30:52]ike_free_negotiation_info: Start, nego = 0
    [Jan 13 10:30:52]ike_free_negotiation: Start, nego = 0
    [Jan 13 10:30:52]ike_remove_callback: Start, delete SA = { 21eec7cf 1aa70c89 - 73ae4cab 4778429c}, nego = -1
    [Jan 13 10:30:52]213.121.241.91:500 (Responder) <-> 81.130.61.5:500 { 21eec7cf 1aa70c89 - 73ae4cab 4778429c [-1] / 0x00000000 } Aggr; Connection got error = 24, calling callback
    [Jan 13 10:30:52]ike_delete_negotiation: Start, SA = { 21eec7cf 1aa70c89 - 73ae4cab 4778429c}, nego = -1
    [Jan 13 10:30:52]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Jan 13 10:30:52]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [Jan 13 10:30:52]ike_sa_delete: Start, SA = { 21eec7cf 1aa70c89 - 73ae4cab 4778429c }
    [Jan 13 10:30:52]ike_free_negotiation_isakmp: Start, nego = -1
    [Jan 13 10:30:52]ike_free_negotiation: Start, nego = -1
    [Jan 13 10:30:52]IKE SA delete called for p1 sa 5503032 (ref cnt 2) local:214.122.242.91, remote:81.130.61.5, IKEv1
    [Jan 13 10:30:52]P1 SA 5503032 reference count is not zero (1). Delaying deletion of SA
    [Jan 13 10:30:52]ike_free_id_payload: Start, id type = 1
    [Jan 13 10:30:52]ike_free_id_payload: Start, id type = 2
    [Jan 13 10:30:52]ike_free_sa: Start
    [Jan 13 10:30:52]iked_pm_ike_sa_done: UNUSABLE p1_sa 5503032
    [Jan 13 10:30:52]  IKEv1 Error : Authentication failed
    [Jan 13 10:30:52]iked_pm_p1_sa_destroy:  p1 sa 5503032 (ref cnt 0), waiting_for_del 0x9e9320


    Dynamic side:


    ## Last changed: 2014-01-13 10:37:52 GMT
    version 12.1X45.5;
    system {
        host-name juniper.myLink.com;
        time-zone GMT;
        root-authentication {
            encrypted-password "$1$wJ7xtyOn$cXKkbTQzg26l3DS3o9WmT0";
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user admin {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$YBNh01DC$QUVpZIwfYzdhYCLL2Tkav0";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface ge-0/0/1.0;
                }
                https {
                    system-generated-certificate;
                    interface ge-0/0/1.0;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                propagate-settings ge-0/0/0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.60.7.254/24;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 10.60.6.1/24;
                }
                family inet6;
            }
        }
    }
    routing-options {
        static {
            route 10.60.3.0/24 next-hop st0.0;
        }
    }
    protocols {
        stp;
    }
    security {
        key-protection;
        ike {
            proposal myLink {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy ike_pol_myLink {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$zTT-39t0OISyevWL7Vbg4F36/uB";
            }
            gateway gw_myLink {
                ike-policy ike_pol_myLink;
                address 214.122.242.91;
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                nat-keepalive 10;
                local-identity hostname juniper.myLink.com;
                external-interface ge-0/0/0;
            }
        }
        ipsec {
            proposal myLink {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 20000;
                lifetime-kilobytes 86400;
            }
            policy ipsec_pol_myLink {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals myLink;
            }
            vpn myVPNLink {
                bind-interface st0.0;
                ike {
                    gateway gw_myLink;
                    proxy-identity {
                        local 10.60.7.0/24;
                        remote 10.60.3.0/24;
                        service any;
                    }
                    ipsec-policy ipsec_pol_myLink;
                }
                establish-tunnels immediately;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy InternetToInternal {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-dhcp-client junos-gre junos-icmp-all junos-ike junos-ike-nat junos-udp-any ];
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internal {
                policy policy_out_myLink {
                    match {
                        source-address addr_10_60_7_0_24;
                        destination-address addr_10_60_3_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy policy_in_myLink {
                    match {
                        source-address addr_10_60_3_0_24;
                        destination-address addr_10_60_7_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                address-book {
                    address addr_10_60_7_0_24 10.60.7.0/24;
                    address addr_10_60_3_0_24 10.60.3.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                    st0.0;
                }
            }
            security-zone Internet {
                address-book {
                    address addr_10_60_6_254 10.60.6.254/32;
                    address addr_10_60_3_0_24 10.60.3.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile juniperUsers {
            authentication-order password;
            client juniper {
                firewall-user {
                    password "$9$EVSclv8L7bw24aZDkq5ThcyrWX";
                }
            }
        }
    }

    Static Side


    ## Last commit: 2014-01-13 10:27:42 GMT by root
    version 12.1X45.5;
    groups {
        jweb-security-logging {
            system {
                syslog {
                    file datalog {
                        any any;
                        archive files 1;
                        structured-data;
                    }
                }
            }
        }
    }
    system {
        host-name juniper.myLink.com;
        time-zone GMT;
        root-authentication {
            encrypted-password "$1$RkijoUQ5$z.z5zZmjJUdv2QxNhHqMl0"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        login {
            user admin {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "$1$TIt1I0L9$XNGeONLSQtlyQ.uKym4x60"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface ge-0/0/1.0;
                }
                https {
                    system-generated-certificate;
                    interface ge-0/0/1.0;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file datalog {
                any any;
                archive files 1;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 214.122.242.91/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.60.3.1/24;
                }
            }
        }
        st0 {
            unit 1 {
                family inet {
                    address 10.60.6.254/24;
                }
                family inet6;
            }
        }
    }
    routing-options {
        static {
            route 10.60.7.0/24 next-hop st0.1;
            route 0.0.0.0/0 next-hop 214.122.242.89;
        }
    }
    protocols {
        stp;
    }
    security {
        log {
            mode event;
        }
        ike {
            traceoptions {
                flag all;
            }
            proposal myLink {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy ike_pol_myLink {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$zTT-39t0OISyevWL7Vbg4F36/uB"; ## SECRET-DATA
            }
            gateway gw_myLink {
                ike-policy ike_pol_myLink;
                dynamic {
                    hostname juniper.myLink.com;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                dead-peer-detection {
                    interval 10;
                    threshold 3;
                }
                nat-keepalive 10;
                external-interface ge-0/0/0;
            }
        }
        ipsec {
            proposal myLink {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 20000;
                lifetime-kilobytes 86400;
            }
            policy ipsec_pol_myLink {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals myLink;
            }
            vpn myVPNLink {
                bind-interface st0.1;
                ike {
                    gateway gw_myLink;
                    proxy-identity {
                        local 10.60.3.0/24;
                        remote 10.60.7.0/24;
                        service any;
                    }
                    ipsec-policy ipsec_pol_myLink;
                }
                establish-tunnels immediately;
            }
        }
        application-tracking {
            first-update;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy InternetToInternal {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-ftp junos-http junos-https junos-icmp-all junos-ike junos-ike-nat junos-tcp-any junos-udp-any ];
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internal {
                policy policy_out_myLink {
                    match {
                        source-address addr_10_60_3_0_24;
                        destination-address addr_10_60_7_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy policy_in_myLink {
                    match {
                        source-address addr_10_60_7_0_24;
                        destination-address addr_10_60_3_0_24;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                address-book {
                    address addr_10_60_3_0_24 10.60.3.0/24;
                    address addr_10_60_7_0_24 10.60.7.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                                telnet;
                            }
                        }
                    }
                    st0.1;
                }
                application-tracking;
            }
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ike;
                            }
                        }
                    }
                }
                application-tracking;
            }
        }
    }
    access {
        profile juniperUsers {
            authentication-order password;
            client juniper {
                firewall-user {
                    password "$9$EVSclv8L7bw24aZDkq5ThcyrWX"; ## SECRET-DATA
                }
            }
        }
    }


  • 2.  RE: SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 05:07

    connections-limit 50;
    ike-user-type group-ike-id;


    The parameters being used at the static site are not required when configuring a LAN-to-LAN VPN (when one side has a dynamic IP and the other has a static IP). These parameters are only required when configuring a Client-to-LAN VPN. Another issue, not really creating any problem but just to highlight: the proposal you configured for IKE Phase 1 is not being referred to in your IKE policy.


    http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-reference/jd0e67385.html

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB20784

    http://www.fir3net.com/Juniper-SRX-Series-Gateway/srx-dyn.html


    Please mark this as accepted solution if it works for you

    A kudos is a good way of appreciation


    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos
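    To make the reply's two points concrete, here is what the static side's `security ike` hierarchy could look like after applying them. This is an added illustration written for this thread, not configuration from the original poster, from the reply's author or from Juniper: the `dynamic` block keeps only the `hostname` (it must equal the `local-identity hostname` the dynamic peer sends), `connections-limit` and `ike-user-type group-ike-id` are gone, and the policy references `proposal myLink` with `proposals` instead of `proposal-set compatible`. The pre-shared key is a placeholder, not the value from the thread, and everything else is taken from the configs posted above.

```junos
/* Static side, security ike hierarchy after the change.
   Added illustration for this thread, not the poster's or Juniper's config. */
security {
    ike {
        proposal myLink {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike_pol_myLink {
            mode aggressive;
            /* Reference the proposal defined above. "proposals" and
               "proposal-set" are mutually exclusive in an IKE policy, so
               proposal-set compatible is removed here. */
            proposals myLink;
            /* Placeholder: use the same key on both peers, not this string. */
            pre-shared-key ascii-text "PRE-SHARED-KEY-PLACEHOLDER";
        }
        gateway gw_myLink {
            ike-policy ike_pol_myLink;
            dynamic {
                /* Must match "local-identity hostname" on the dynamic peer. */
                hostname juniper.myLink.com;
                /* connections-limit and ike-user-type group-ike-id removed:
                   they belong to client-to-LAN (remote access) gateways. */
            }
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            nat-keepalive 10;
            external-interface ge-0/0/0;
        }
    }
}
```

    The dynamic side's policy needs the same `proposals myLink;` change so both peers offer the proposal that was actually written down; its `gateway` stanza (static `address`, `local-identity hostname juniper.myLink.com`) is already correct for this topology. That the posted policy was not using `proposal myLink` is visible in the Phase 1 summary of the later log, which negotiated `hash = sha1` rather than the proposal's `md5`, because `proposal-set compatible` supplied its own list. Separately from the thread's problem, `md5` and `3des-cbc` are legacy choices; once the tunnel is up, `sha-256` and `aes-256-cbc` (with a matching change on both sides) are the usual replacements.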

  • 3.  RE: SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 05:48

    Thanks very much. I am now seeing a Phase 1 connection as UP in the web monitor. Not getting a Phase 2 though. In the log it looks like Phase 1 was successfully negotiated, but there seems to be some kind of retransmit loop occurring, before the maximum retry count is reached and the whole connection is lost and an IPSEC failed message saying Timeout appears, before Phase 1 starts again. I wasn't 100% sure when configuring the proxy IDs; after some online troubleshooting it seemed I needed to configure it like that, but that could very well be wrong. Thanks so much for your help.


    Here is the log:

    [Jan 13 13:26:42]ikev2_packet_allocate: Allocated packet debc00 from freelist
    [Jan 13 13:26:42]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:26:42]ike_get_sa: Start, SA = { e691d302 bc688e6c - 00000000 00000000 } / 00000000, remote = 81.130.60.5:500
    [Jan 13 13:26:42]ike_sa_allocate: Start, SA = { e691d302 bc688e6c - 56486a18 a223c735 }
    [Jan 13 13:26:42]ike_init_isakmp_sa: Start, remote = 81.130.60.5:500, initiator = 0
    [Jan 13 13:26:42]ike_decode_packet: Start
    [Jan 13 13:26:42]ike_decode_packet: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086} / 00000000, nego = -1
    [Jan 13 13:26:42]ike_decode_payload_sa: Start
    [Jan 13 13:26:42]ike_decode_payload_t: Start, # trans = 1
    [Jan 13 13:26:42]ike_decode_payload_t: Start, # trans = 1
    [Jan 13 13:26:42]ike_decode_payload_t: Start, # trans = 1
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    [Jan 13 13:26:42]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
    [Jan 13 13:26:42]ike_st_i_id: Start
    [Jan 13 13:26:42]ike_st_i_sa_proposal: Start
    [Jan 13 13:26:42]ike_free_id_payload: Start, id type = 2
    [Jan 13 13:26:42]ike_isakmp_sa_reply: Start
    [Jan 13 13:26:42]ike_state_restart_packet: Start, restart packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = -1
    [Jan 13 13:26:42]ike_st_i_sa_proposal: Start
    [Jan 13 13:26:42]ike_st_i_nonce: Start, nonce[0..16] = 89ecec13 eda49beb ...
    [Jan 13 13:26:42]ike_st_i_cert: Start
    [Jan 13 13:26:42]ike_st_i_hash_key: Start, no key_hash
    [Jan 13 13:26:42]ike_st_i_ke: Ke[0..128] = 396ab954 d8f18b64 ...
    [Jan 13 13:26:42]ike_st_i_cr: Start
    [Jan 13 13:26:42]ike_st_i_private: Start
    [Jan 13 13:26:42]ike_st_o_sa_values: Start
    [Jan 13 13:26:42]ike_st_o_ke: Start
    [Jan 13 13:26:42]ike_st_o_nonce: Start
    [Jan 13 13:26:42]ike_policy_reply_isakmp_nonce_data_len: Start
    [Jan 13 13:26:42]ike_st_o_id: Start
    [Jan 13 13:26:42]ike_policy_reply_isakmp_id: Start
    [Jan 13 13:26:42]ike_state_restart_packet: Start, restart packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = -1
    [Jan 13 13:26:42]ike_st_o_id: Start
    [Jan 13 13:26:42]ike_st_o_certs_base: Start
    [Jan 13 13:26:42]ike_st_o_sig_or_hash: Start, auth_method = 4
    [Jan 13 13:26:42]ike_st_o_hash: Start
    [Jan 13 13:26:42]ike_find_pre_shared_key: Find pre shared key key for 213.121.241.91:500, id = ipv4(any:0,[0..3]=213.121.241.91) -> 81.130.60.5:500, id = fqdn(any:0,[0..15]=juniper.myLink.com)
    [Jan 13 13:26:42]ike_policy_reply_find_pre_shared_key: Start
    [Jan 13 13:26:42]ike_state_restart_packet: Start, restart packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = -1
    [Jan 13 13:26:42]ike_st_o_sig_or_hash: Start, auth_method = 4
    [Jan 13 13:26:42]ike_st_o_hash: Start
    [Jan 13 13:26:42]ike_find_pre_shared_key: Find pre shared key key for 213.121.241.91:500, id = ipv4(any:0,[0..3]=213.121.241.91) -> 81.130.60.5:500, id = fqdn(any:0,[0..15]=juniper.myLink.com)
    [Jan 13 13:26:42]ike_calc_mac: Start, initiator = false, local = true
    [Jan 13 13:26:42]ike_policy_reply_isakmp_vendor_ids: Start
    [Jan 13 13:26:42]ike_st_o_status_n: Start
    [Jan 13 13:26:42]ike_st_o_private: Start
    [Jan 13 13:26:42]ike_policy_reply_private_payload_out: Start
    [Jan 13 13:26:42]ike_policy_reply_private_payload_out: Start
    [Jan 13 13:26:42]ike_policy_reply_private_payload_out: Start
    [Jan 13 13:26:42]ike_st_o_calc_skeyid: Calculating skeyid
    [Jan 13 13:26:42]ike_encode_packet: Start, SA = { 0xe691d302 bc688e6c - 09812c8b 26208086 } / 00000000, nego = -1
    [Jan 13 13:26:42]ike_send_packet: Start, send SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = -1, dst = 81.130.60.5:500,  routing table id = 0
    [Jan 13 13:26:42]ikev2_packet_allocate: Allocated packet dec000 from freelist
    [Jan 13 13:26:42]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:26:42]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:26:42]ike_get_sa: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086 } / 00000000, remote = 81.130.60.5:4500
    [Jan 13 13:26:42]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:26:42]ike_decode_packet: Start
    [Jan 13 13:26:42]ike_decode_packet: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086} / 00000000, nego = -1
    [Jan 13 13:26:42]ike_st_i_hash: Start, hash[0..20] = c46568b1 71e3a9f4 ...
    [Jan 13 13:26:42]ike_calc_mac: Start, initiator = false, local = false
    [Jan 13 13:26:42]ike_st_i_cert: Start
    [Jan 13 13:26:42]ike_st_i_private: Start
    [Jan 13 13:26:42]ike_st_o_wait_done: Marking for waiting for done
    [Jan 13 13:26:42]ike_st_o_all_done: MESSAGE: Phase 1 { 0xe691d302 bc688e6c - 0x09812c8b 26208086 } / 00000000, version = 1.0, xchg = Aggressive, auth_method = Pre shared keys, Responder, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life
    [Jan 13 13:26:42]213.121.241.91:500 (Responder) <-> 81.130.60.5:500 { e691d302 bc688e6c - 09812c8b 26208086 [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-
    [Jan 13 13:26:42]ike_send_notify: Connected, SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = -1
    [Jan 13 13:26:42]iked_pm_ike_sa_done: local:213.121.241.91, remote:81.130.60.5 IKEv1
    [Jan 13 13:26:42]IKE negotiation done for local:213.121.241.91, remote:81.130.60.5 IKEv1 with status: Error ok
    [Jan 13 13:26:42]ikev2_packet_allocate: Allocated packet dec400 from freelist
    [Jan 13 13:26:42]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:26:42]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:26:42]ike_get_sa: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086 } / b5dc0cef, remote = 81.130.60.5:4500
    [Jan 13 13:26:42]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:26:42]ike_st_o_done: ISAKMP SA negotiation done
    [Jan 13 13:26:42]ike_send_notify: Connected, SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = -1
    [Jan 13 13:26:42]ike_free_negotiation_isakmp: Start, nego = -1
    [Jan 13 13:26:42]ike_free_negotiation: Start, nego = -1
    [Jan 13 13:26:42]ike_alloc_negotiation: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086}
    [Jan 13 13:26:42]ike_init_qm_negotiation: Start, initiator = 0, message_id = b5dc0cef
    [Jan 13 13:26:42]ike_decode_packet: Start
    [Jan 13 13:26:42]ike_decode_packet: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086} / b5dc0cef, nego = 0
    [Jan 13 13:26:42]ike_decode_payload_sa: Start
    [Jan 13 13:26:42]ike_decode_payload_t: Start, # trans = 1
    [Jan 13 13:26:42]ike_st_i_encrypt: Check that packet was encrypted succeeded
    [Jan 13 13:26:42]ike_st_i_qm_hash_1: Start, hash[0..20] = c396a5cb 7522c0f4 ...
    [Jan 13 13:26:42]ike_st_i_qm_nonce: Nonce[0..16] = 869a1bfc ac99e7b5 ...
    [Jan 13 13:26:42]ike_st_i_qm_ke: Ke[0..128] = 3844a811 ab28cd72 ...
    [Jan 13 13:26:42]ike_st_i_qm_sa_proposals: Start
    [Jan 13 13:26:42]Added (spi=0x52fb5d98, protocol=0) entry to the spi table
    [Jan 13 13:26:42]Added (spi=0x5124e7e0, protocol=0) entry to the spi table
    [Jan 13 13:26:42]ike_qm_sa_reply: Start
    [Jan 13 13:26:42]ike_qm_sa_reply: Selected proposal 0, and transform 0 for protocol 0
    [Jan 13 13:26:42]ike_state_restart_packet: Start, restart packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:26:42]ike_st_i_qm_sa_proposals: Start
    [Jan 13 13:26:42]ike_st_i_status_n: Start, doi = 1, protocol = 0, code = unknown (40001), spi[0..4] = 075e81fb 00000000 ..., data[0..8] = 00010004 0a3c0601 ...
    [Jan 13 13:26:42]<none>:4500 (Responder) <-> 81.130.60.5:4500 { e691d302 bc688e6c - 09812c8b 26208086 [0] / 0xb5dc0cef } QM; Invalid protocol_id = 0
    [Jan 13 13:26:42]iked_pm_ike_spd_notify_received: Received authenticated notification payload unknown from local:213.121.241.91 remote:81.130.60.5 IKEv1 for P1 SA 5503205
    [Jan 13 13:26:42]Received NHTB payload from  local:213.121.241.91, remote:81.130.60.5 IKEv1 P1 SA index 5503205
    [Jan 13 13:26:42]Received NHTB private IP address 10.60.6.1
    [Jan 13 13:26:42]QM notification `(null)' (40001) (size 8 bytes) from 81.130.60.5:4500 for protocol Reserved spi[0...3]=07 5e 81 fb
    [Jan 13 13:26:42]ike_st_i_private: Start
    [Jan 13 13:26:42]ike_st_o_qm_hash_2: Start
    [Jan 13 13:26:42]ike_st_o_qm_sa_values: Start
    [Jan 13 13:26:42]ike_st_o_qm_nonce: Start
    [Jan 13 13:26:42]ike_policy_reply_qm_nonce_data_len: Start
    [Jan 13 13:26:42]ike_st_o_qm_optional_ke: Start
    [Jan 13 13:26:42]ike_st_o_qm_optional_ids: Start
    [Jan 13 13:26:42]ikev2_fb_qm_local_id: Using ipv4_subnet(any:0,[0..7]=10.60.3.0/24) as local QM identity
    [Jan 13 13:26:42]ike_policy_reply_qm_local_id: Start
    [Jan 13 13:26:42]ikev2_fb_qm_remote_id: Using ipv4_subnet(any:0,[0..7]=10.60.7.0/24) as remote QM identity
    [Jan 13 13:26:42]ike_policy_reply_qm_remote_id: Start
    [Jan 13 13:26:42]ike_st_qm_optional_id: Start
    [Jan 13 13:26:42]ike_st_qm_optional_id: Start
    [Jan 13 13:26:42]ike_st_o_qm_optional_responder_lifetime_n: Start
    [Jan 13 13:26:42]ike_st_o_private: Start
    [Jan 13 13:26:42]Construction NHTB payload for  local:213.121.241.91, remote:81.130.60.5 IKEv1 P1 SA index 5503205 sa-cfg myLink
    [Jan 13 13:26:42]iked_nhtb_get_tunnel_ifam: got ifa  error  0

    [Jan 13 13:26:42]ike_policy_reply_private_payload_out: Start
    [Jan 13 13:26:42]ike_policy_reply_private_payload_out: Start
    [Jan 13 13:26:42]ike_st_o_encrypt: Marking encryption for packet
    [Jan 13 13:26:42]ike_encode_packet: Start, SA = { 0xe691d302 bc688e6c - 09812c8b 26208086 } / b5dc0cef, nego = 0
    [Jan 13 13:26:42]ike_send_packet: Start, send SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0, dst = 81.130.60.5:4500,  routing table id = 0
    [Jan 13 13:26:52]ikev2_packet_allocate: Allocated packet dec800 from freelist
    [Jan 13 13:26:52]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:26:52]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:26:52]ike_get_sa: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086 } / b5dc0cef, remote = 81.130.60.5:4500
    [Jan 13 13:26:52]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:26:52]ike_retransmit_callback: Start, retransmit SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:26:52]ike_send_packet: Start, retransmit previous packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0, dst = 81.130.60.5:4500 routing table id = 0
    [Jan 13 13:27:02]ikev2_packet_allocate: Allocated packet decc00 from freelist
    [Jan 13 13:27:02]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:02]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:27:02]ike_get_sa: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086 } / b5dc0cef, remote = 81.130.60.5:4500
    [Jan 13 13:27:02]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:02]ike_retransmit_callback: Start, retransmit SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:27:02]ike_send_packet: Start, retransmit previous packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0, dst = 81.130.60.5:4500 routing table id = 0
    [Jan 13 13:27:12]ikev2_packet_allocate: Allocated packet ded000 from freelist
    [Jan 13 13:27:12]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:12]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:27:12]ike_get_sa: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086 } / b5dc0cef, remote = 81.130.60.5:4500
    [Jan 13 13:27:12]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:12]ike_retransmit_callback: Start, retransmit SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:27:12]ike_send_packet: Start, retransmit previous packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0, dst = 81.130.60.5:4500 routing table id = 0
    [Jan 13 13:27:22]ikev2_packet_allocate: Allocated packet ded400 from freelist
    [Jan 13 13:27:22]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:22]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:27:22]ike_get_sa: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086 } / b5dc0cef, remote = 81.130.60.5:4500
    [Jan 13 13:27:22]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:22]ike_retransmit_callback: Start, retransmit SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:27:22]ike_send_packet: Start, retransmit previous packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0, dst = 81.130.60.5:4500 routing table id = 0
    [Jan 13 13:27:32]ikev2_packet_allocate: Allocated packet ded800 from freelist
    [Jan 13 13:27:32]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:32]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Jan 13 13:27:32]ike_get_sa: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086 } / b5dc0cef, remote = 81.130.60.5:4500
    [Jan 13 13:27:32]ike_sa_find: Found SA = { e691d302 bc688e6c - 09812c8b 26208086 }
    [Jan 13 13:27:32]ike_retransmit_callback: Start, retransmit SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:27:32]ike_send_packet: Start, retransmit previous packet SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0, dst = 81.130.60.5:4500 routing table id = 0
    [Jan 13 13:27:42]ike_retransmit_callback: Start, retransmit SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:27:42]ike_retransmit_callback: Isakmp query retry limit reached, deleting
    [Jan 13 13:27:42]<none>:4500 (Responder) <-> 81.130.60.5:4500 { e691d302 bc688e6c - 09812c8b 26208086 [0] / 0xb5dc0cef } QM; Error = Timeout (8197)
    [Jan 13 13:27:42]ike_send_notify: Private notification, do not send notification
    [Jan 13 13:27:42]ike_delete_negotiation: Start, SA = { e691d302 bc688e6c - 09812c8b 26208086}, nego = 0
    [Jan 13 13:27:42]ike_free_negotiation_qm: Start, nego = 0
    [Jan 13 13:27:42]ike_free_negotiation: Start, nego = 0
    [Jan 13 13:27:42]ike_free_id_payload: Start, id type = 4
    [Jan 13 13:27:42]ike_free_id_payload: Start, id type = 4
    [Jan 13 13:27:42]ike_free_id_payload: Start, id type = 4
    [Jan 13 13:27:42]ike_free_id_payload: Start, id type = 4
    [Jan 13 13:27:42]IPSec negotiation failed for SA-CFG myLink for local:213.121.241.91, remote:81.130.60.5 IKEv1. status: Timed out
    [Jan 13 13:27:42]   P2 ed info: flags 0x80, P2 error: Error ok
    [Jan 13 13:27:42]iked_pm_check_p2_failure_num: Phase2 failed 1/3 times for P1 SA 5503205
    [Jan 13 13:27:42]  IKEv1 Error : Timeout
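The trace above ends in a Quick Mode timeout: the SRX, acting as responder, sends its QM reply, retransmits it five times, and never hears back. The other failure mode in this thread is a Phase 1 authentication failure (the "Hash payload data does not match" notify). As an added example, not code from the thread or from Juniper, here is a small Python triage script that reads Junos IKEv1 trace lines of this shape and reports, per negotiation, the peer, whether NAT-T is in use, the retransmit count, the NHTB address the peer advertised, and a verdict separating the two failure types. The sample lines are constructed to mirror the log format; the cookie values, the 198.51.100.0/24 and 203.0.113.0/24 addresses and the verdict wording are assumptions of the example.

```python
"""Triage Junos IKEv1 trace output (security ike traceoptions) by negotiation.

Added example for this thread, not Juniper code and not code from the posts.
Lines are grouped by IKE initiator cookie; per negotiation we report the peer,
whether NAT-T (UDP 4500) is in use, the retransmit count, the NHTB address the
peer advertised, and a verdict that separates a Phase 1 authentication failure
from a Phase 2 (Quick Mode) timeout.
"""
import re
from dataclasses import dataclass, field

# Patterns modelled on the trace lines quoted in the thread.
_COOKIES = re.compile(r"\{ (?:0x)?(?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - [0-9a-f]{8} [0-9a-f]{8}")
_PEER = re.compile(r"\((?:Responder|Initiator)\) <-> (?P<ip>[\d.]+):(?P<port>\d+)")
_RETX = re.compile(r"retransmit previous packet")
_NHTB = re.compile(r"Received NHTB private IP address (?P<ip>[\d.]+)")
_FAILED = re.compile(r"negotiation failed for SA-CFG (?P<vpn>\S+) ")
_ERRORS = (
    re.compile(r"Error text = (?P<text>.+?)\s*$"),  # Phase 1 notify detail
    re.compile(r"QM; Error = (?P<text>.+?)\s*$"),   # Quick Mode terminal error
    re.compile(r"code = (?P<text>Authentication failed \(\d+\))"),
)


@dataclass
class Negotiation:
    icookie: str
    peer: str = ""
    nat_t: bool = False
    retransmits: int = 0
    nhtb_peer_ip: str = ""
    vpn: str = ""
    errors: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        joined = " | ".join(self.errors)
        if "Hash payload data does not match" in joined or "Authentication failed" in joined:
            # HASH_I/HASH_R are keyed from SKEYID (derived from the PSK) and cover the ID
            # payload, so a mismatch means the pre-shared key or the IKE identity differs.
            return "phase1-auth-failed: pre-shared key or IKE identity mismatch"
        if "Timeout" in joined:
            return (f"phase2-timeout: our Quick Mode reply was retransmitted "
                    f"{self.retransmits} times and {self.peer} never answered")
        return "failed: " + joined if self.errors else "no terminal event seen"


def triage(lines):
    """Return {initiator_cookie: Negotiation} for the given trace lines."""
    negs, current = {}, None
    for line in lines:
        m = _COOKIES.search(line)
        if m:
            current = negs.setdefault(m.group("icookie"), Negotiation(m.group("icookie")))
        if current is None:
            continue  # nothing to attribute this line to yet
        m = _PEER.search(line)
        if m:
            current.peer = f"{m.group('ip')}:{m.group('port')}"
            current.nat_t = m.group("port") == "4500"  # NAT-T floats IKE to UDP 4500
        if _RETX.search(line):
            current.retransmits += 1
        m = _NHTB.search(line)
        if m:
            current.nhtb_peer_ip = m.group("ip")
        m = _FAILED.search(line)
        if m:
            current.vpn = m.group("vpn")
        for pat in _ERRORS:
            m = pat.search(line)
            if m:
                current.errors.append(m.group("text"))
    return negs


# Constructed sample traces in the same format (cookies and addresses are made
# up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_P1_FAIL = [
    "[Jan 13 10:30:52]ike_decode_packet: Start, SA = { 0a1b2c3d 4e5f6071 - 8293a4b5 c6d7e8f9} / 11223344, nego = 0",
    "[Jan 13 10:30:52]ike_st_i_n: Start, doi = 1, protocol = 1, code = Authentication failed (24), spi[0..16] = 0a1b2c3d 4e5f6071 ...",
    "[Jan 13 10:30:52]<none>:500 (Responder) <-> 198.51.100.7:500 { 0a1b2c3d 4e5f6071 - 8293a4b5 c6d7e8f9 [0] / 0x11223344 } Info; Error text = Hash payload data does not match",
]
SAMPLE_P2_TIMEOUT = [
    "[Jan 13 13:26:42]ike_decode_packet: Start, SA = { deadbeef 01234567 - 89abcdef 76543210} / 55667788, nego = 0",
    "[Jan 13 13:26:42]<none>:4500 (Responder) <-> 198.51.100.7:4500 { deadbeef 01234567 - 89abcdef 76543210 [0] / 0x55667788 } QM; Invalid protocol_id = 0",
    "[Jan 13 13:26:42]Received NHTB private IP address 10.60.6.1",
] + 5 * [
    "[Jan 13 13:26:52]ike_send_packet: Start, retransmit previous packet SA = { deadbeef 01234567 - 89abcdef 76543210}, nego = 0, dst = 198.51.100.7:4500 routing table id = 0",
] + [
    "[Jan 13 13:27:42]<none>:4500 (Responder) <-> 198.51.100.7:4500 { deadbeef 01234567 - 89abcdef 76543210 [0] / 0x55667788 } QM; Error = Timeout (8197)",
    "[Jan 13 13:27:42]IPSec negotiation failed for SA-CFG myLink for local:203.0.113.5, remote:198.51.100.7 IKEv1. status: Timed out",
]

if __name__ == "__main__":
    for sample in (SAMPLE_P1_FAIL, SAMPLE_P2_TIMEOUT):
        for n in triage(sample).values():
            print(f"{n.icookie} peer={n.peer} nat_t={n.nat_t} retx={n.retransmits} "
                  f"nhtb={n.nhtb_peer_ip or '-'} vpn={n.vpn or '-'} -> {n.verdict}")
```

Run it against a real trace with `triage(open("kmd-trace.log").read().splitlines())`; grouping by initiator cookie keeps overlapping negotiations from the same peer apart, and the NAT-T flag tells you at a glance whether the peer is behind a NAT device and therefore needs UDP 4500 permitted end to end.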



  • 4.  RE: SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 06:40

    Problem is with placement of external interface for gateway and tunnel in different zones at both sites. When VPN monitoring is enabled and the gateway and tunnel interfaces are in different zones, then VPN monitor will drop the tunnel.

    Reference link:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24133&smlogin=true

    Please mark this as accepted solution if it works for you

    A kudos is a good way of appreciation

    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos



  • 5.  RE: SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 07:10

    Thanks for the reply. I don't actually have VPN monitor enabled at each end (I don't think). Do you mean that ge-0/0/0.0 and st0.0, for example, are in different zones? Surely ge needs to be in the Internet zone as it is connected to the internet, but the st interface is a virtual one bound to the tunnel and therefore needs to be internal?



  • 6.  RE: SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 08:10

    Sorry for the oversight; actually, at the dynamic IP site the IKE service is not enabled on the external interface. Please enable it.


    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos



  • 7.  RE: SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 08:28

    Sorry, I misunderstood. Will I still need to make the st0 interface untrusted (and therefore swap all my policies round to Internet to Internal)?

    Or do I just need to enable VPN monitor at the dynamic end and point it at the static end?

    Or both?



  • 8.  RE: SRX220 VPN Tunnel Static to Dynamic
    Best Answer

    Posted 01-13-2014 08:43

    No need to place st0 in untrust; just enable IKE on ge-0/0/0 at the dynamic IP site. Dead peer detection is enabled and that is enough, because either DPD or VPN monitor can be enabled.


    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos



  • 9.  RE: SRX220 VPN Tunnel Static to Dynamic

    Posted 01-13-2014 08:59

    Otherwise, if the problem still persists, place st0 in untrust and make it an unnumbered interface; it will use the IP address of the external interface. Make a policy (if not there) from zone internet to zone internet. Also enable the IKE service on the external interface.


    Kashif Nawaz

    JNCIP-Sec ,JNCIP-Ent

    JNCIS-Ent, JNCIS-Sec

    JNCIA-Junos
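The advice in replies #6 and #8 (enable the IKE host-inbound service on the dynamic site's external interface, keep st0 in the internal zone, rely on DPD rather than VPN monitor) and the caveat in reply #4 (VPN monitor with st0 and the external interface in different zones) can all be checked mechanically against a `set`-format configuration. The Python below is an added example, not Juniper tooling and not anything posted in the thread. The configuration it lints is constructed for a hypothetical dynamic-IP site: the peer address 203.0.113.5, the IKE identity branch.example.net, the object names gw-hq and ike-pol, and the placeholder pre-shared key are all assumptions, and the IKE service is deliberately left off the internet zone so the linter has the thread's mistake to find.

```python
"""Lint a Junos SRX route-based VPN configuration (set format) for the problems
raised in this thread. Added example: not Juniper tooling and not code from the
posts; the configuration below is constructed for illustration.

Checks: (1) the IKE gateway's external-interface sits in a zone that allows the
ike host-inbound service at zone or interface level (replies #6 and #8);
(2) a VPN does not combine vpn-monitor with dead-peer-detection (reply #8);
(3) with vpn-monitor, st0 and the external interface share a zone (reply #4).
"""


def parse_set(config_text):
    """Turn 'set a b c' lines into token lists; other lines are ignored."""
    return [line.strip()[4:].split() for line in config_text.splitlines()
            if line.strip().startswith("set ")]


def zone_of(stmts, ifl):
    """Security zone that lists logical interface ifl, or None."""
    for t in stmts:
        if t[:3] == ["security", "zones", "security-zone"] and t[4:6] == ["interfaces", ifl]:
            return t[3]
    return None


def ike_allowed(stmts, zone, ifl):
    """True if host-inbound-traffic system-services ike (or all) covers ifl in zone."""
    zone_level = ["security", "zones", "security-zone", zone, "host-inbound-traffic", "system-services"]
    ifl_level = zone_level[:4] + ["interfaces", ifl, "host-inbound-traffic", "system-services"]
    for t in stmts:
        for prefix in (zone_level, ifl_level):
            if t[:len(prefix)] == prefix and t[len(prefix):len(prefix) + 1] in (["ike"], ["all"]):
                return True
    return False


def lint(config_text):
    """Return a list of findings; an empty list means all three checks pass."""
    stmts = parse_set(config_text)
    gateways, vpns, findings = {}, {}, []
    for t in stmts:
        if t[:3] == ["security", "ike", "gateway"] and len(t) > 4:
            gw = gateways.setdefault(t[3], {"external": None, "dpd": False})
            if t[4] == "external-interface" and len(t) > 5:
                gw["external"] = t[5]
            elif t[4] == "dead-peer-detection":
                gw["dpd"] = True
        elif t[:3] == ["security", "ipsec", "vpn"] and len(t) > 4:
            v = vpns.setdefault(t[3], {"gateway": None, "bind": None, "monitor": False})
            if t[4] == "bind-interface" and len(t) > 5:
                v["bind"] = t[5]
            elif t[4:6] == ["ike", "gateway"] and len(t) > 6:
                v["gateway"] = t[6]
            elif t[4] == "vpn-monitor":
                v["monitor"] = True
    for name, gw in gateways.items():
        ifl = gw["external"]
        zone = zone_of(stmts, ifl) if ifl else None
        if zone is None:
            findings.append(f"gateway {name}: external-interface {ifl} is not in any security zone")
        elif not ike_allowed(stmts, zone, ifl):
            findings.append(f"gateway {name}: zone {zone} does not allow host-inbound ike on {ifl}, "
                            "so IKE packets arriving there are dropped")
    for name, v in vpns.items():
        gw = gateways.get(v["gateway"], {})
        if v["monitor"] and gw.get("dpd"):
            findings.append(f"vpn {name}: vpn-monitor and dead-peer-detection both configured; use one")
        if (v["monitor"] and v["bind"] and gw.get("external")
                and zone_of(stmts, v["bind"]) != zone_of(stmts, gw["external"])):
            findings.append(f"vpn {name}: vpn-monitor with {v['bind']} and {gw['external']} in different zones")
    return findings


# Constructed dynamic-IP site, not the poster's config: peer address, hostname,
# object names and the PSK are placeholders. As in the thread, the internet zone
# admits DHCP on ge-0/0/0.0 but not IKE, and st0.0 stays in the internal zone.
DYNAMIC_SITE = """
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces st0 unit 0 family inet
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text CHANGE-ME
set security ike gateway gw-hq ike-policy ike-pol
set security ike gateway gw-hq address 203.0.113.5
set security ike gateway gw-hq local-identity hostname branch.example.net
set security ike gateway gw-hq external-interface ge-0/0/0.0
set security ike gateway gw-hq dead-peer-detection interval 10
set security ipsec vpn myLink bind-interface st0.0
set security ipsec vpn myLink ike gateway gw-hq
set security ipsec vpn myLink ike proposal-set standard
set security ipsec vpn myLink establish-tunnels immediately
set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone internal interfaces st0.0
"""
IKE_FIX = "set security zones security-zone internet interfaces ge-0/0/0.0 host-inbound-traffic system-services ike\n"
VPN_MONITOR = "set security ipsec vpn myLink vpn-monitor optimized\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", DYNAMIC_SITE), ("with ike fix", DYNAMIC_SITE + IKE_FIX),
                       ("fix plus vpn-monitor", DYNAMIC_SITE + IKE_FIX + VPN_MONITOR)):
        print(f"{label}: {lint(cfg) or 'ok'}")
```

Feed it `show configuration | display set` output from both peers; the first finding is the one reply #8 fixed with a single line, and the two findings that appear once vpn-monitor is added are exactly the combinations replies #4 and #8 warn against. The interface-level form of the IKE service (`interfaces ge-0/0/0.0 host-inbound-traffic system-services ike`) is preferable to the zone-level form because it exposes IKE only on the interface the gateway actually uses.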