Hi,everyone.
I have an SRX220 and we're trying to set up an IPsec VPN with SRX650.
On SRX220 IPsec phase 1 failed: on "show security ike sa" - blank.
All VPN related configuration such as encryption algorithm, hash alrorithm, policy are configured correctly.
Certificate are loaded successfully and the certificate are not expired.
In pcap file from WAN interface there is no ipsec traffic between peers.
What could be the problem?
Model: RE-SRX220H2
SW ver: 12.1X46-D50.4
ike\ipsec log:
SpoilerApr 22 08:59:38 SRX clear-log[8071]: logfile cleared
[Apr 22 09:05:11]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 161159148 **
[Apr 22 09:05:11]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is c, reclen = 161159148 **
[Apr 22 09:05:11]KMD_INTERNAL_ERROR: kmd_read_securitycfg: dax_get_object_by_path() returned FALSE, secop: 0x38210560.
[Apr 22 09:05:11]kmd_iked_cfgbuf_addrec: 535: ** Allocated recptr is 0, reclen = 0 **
[Apr 22 09:05:11]No SPUs are operational, returning.
[Apr 22 09:05:11]Config download: Processed 1 - 2 messages
[Apr 22 09:05:11]Config download time: 0 secs
[Apr 22 09:05:11]iked_config_process_config_list, configuration diff complete
[Apr 22 09:05:55]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[Apr 22 09:05:55]Config download: Processed 1 - 1 messages
[Apr 22 09:05:55]Config download time: 0 secs
[Apr 22 09:05:55]Creating PM instance for service_set: root
[Apr 22 09:05:55]ssh_ike_init: Start
[Apr 22 09:05:55]ssh_ike_init: params->ignore_cr_payloads = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->no_key_hash_payload = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->no_cr_payloads = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->do_not_send_crls = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->send_full_chains = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->trust_icmp_messages = FALSE
[Apr 22 09:05:55]ssh_ike_init: params->spi_size = 0
[Apr 22 09:05:55]ssh_ike_init: params->zero_spi = TRUE
[Apr 22 09:05:55]ssh_ike_init: params->max_key_length = 512
[Apr 22 09:05:55]ssh_ike_init: params->max_isakmp_sa_count = 8192
[Apr 22 09:05:55]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[Apr 22 09:05:55]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_default_cnt = 1
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_default_retry = 2
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_private_cnt = 1
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[Apr 22 09:05:55]ssh_ike_create_system: params->randomizers_private_retry = 2
[Apr 22 09:05:55]ssh_ike_attach_audit_context: Attaching a new audit context
[Apr 22 09:05:55]ssh_ike_init: params->base_retry_limit = 5
[Apr 22 09:05:55]ssh_ike_init: params->base_retry_timer = 10.000000
[Apr 22 09:05:55]ssh_ike_init: params->base_retry_timer_max = 150.000000
[Apr 22 09:05:55]ssh_ike_init: params->base_expire_timer = 180.000000
[Apr 22 09:05:55]ssh_ike_init: params->extended_retry_limit = 5
[Apr 22 09:05:55]ssh_ike_init: params->extended_retry_timer = 5.000000
[Apr 22 09:05:55]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[Apr 22 09:05:55]ssh_ike_init: params->extended_expire_timer = 240.000000
[Apr 22 09:05:55]ssh_ikev2_fallback_create: FB; v1 policy manager e30a00 started
[Apr 22 09:05:55]ssh_ikev2_fallback_attach: FB; v1 policy manager e30a00 attached to server eea600
[Apr 22 09:05:55]iked_config_process_config_list, configuration diff complete
[Apr 22 09:05:55]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[Apr 22 09:05:55]kmd_rpd_cb_session_connect
[Apr 22 09:05:55]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:05:55]kmd_rpd_db_read
[Apr 22 09:05:55]kmd_rpd_db_read: gw handle 20825600
[Apr 22 09:05:55]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl st0.0
[Apr 22 09:05:55]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:05:55]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl vlan.0
[Apr 22 09:05:55]kmd_rpd_cb_protocol_unregister
[Apr 22 09:05:55]kmd_rpd_db_write
[Apr 22 09:05:55]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:05:55]kmd_rpd_db_write
[Apr 22 09:05:55]kmd_rpd_refresh_routes
[Apr 22 09:05:55]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr 22 09:05:59]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:10:12]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[Apr 22 09:10:12]Config download: Processed 1 - 1 messages
[Apr 22 09:10:12]Config download time: 0 secs
[Apr 22 09:10:12]Creating PM instance for service_set: root
[Apr 22 09:10:12]ssh_ike_init: Start
[Apr 22 09:10:12]ssh_ike_init: params->ignore_cr_payloads = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->no_key_hash_payload = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->no_cr_payloads = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->do_not_send_crls = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->send_full_chains = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->trust_icmp_messages = FALSE
[Apr 22 09:10:12]ssh_ike_init: params->spi_size = 0
[Apr 22 09:10:12]ssh_ike_init: params->zero_spi = TRUE
[Apr 22 09:10:12]ssh_ike_init: params->max_key_length = 512
[Apr 22 09:10:12]ssh_ike_init: params->max_isakmp_sa_count = 8192
[Apr 22 09:10:12]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[Apr 22 09:10:12]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_default_cnt = 1
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_default_retry = 2
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_private_cnt = 1
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[Apr 22 09:10:12]ssh_ike_create_system: params->randomizers_private_retry = 2
[Apr 22 09:10:13]ssh_ike_attach_audit_context: Attaching a new audit context
[Apr 22 09:10:13]ssh_ike_init: params->base_retry_limit = 5
[Apr 22 09:10:13]ssh_ike_init: params->base_retry_timer = 10.000000
[Apr 22 09:10:13]ssh_ike_init: params->base_retry_timer_max = 150.000000
[Apr 22 09:10:13]ssh_ike_init: params->base_expire_timer = 180.000000
[Apr 22 09:10:13]ssh_ike_init: params->extended_retry_limit = 5
[Apr 22 09:10:13]ssh_ike_init: params->extended_retry_timer = 5.000000
[Apr 22 09:10:13]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[Apr 22 09:10:13]ssh_ike_init: params->extended_expire_timer = 240.000000
[Apr 22 09:10:13]ssh_ikev2_fallback_create: FB; v1 policy manager e30a00 started
[Apr 22 09:10:13]ssh_ikev2_fallback_attach: FB; v1 policy manager e30a00 attached to server eea600
[Apr 22 09:10:13]iked_config_process_config_list, configuration diff complete
[Apr 22 09:10:13]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
[Apr 22 09:10:13]kmd_rpd_cb_session_connect
[Apr 22 09:10:13]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:10:13]kmd_rpd_db_read
[Apr 22 09:10:13]kmd_rpd_db_read: gw handle 20825600
[Apr 22 09:10:13]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl st0.0
[Apr 22 09:10:13]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:10:13]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl vlan.0
[Apr 22 09:10:13]kmd_rpd_cb_protocol_unregister
[Apr 22 09:10:13]kmd_rpd_db_write
[Apr 22 09:10:13]kmd_rpd_cb_protocol_register gw handle 20825600 return code 0
[Apr 22 09:10:13]kmd_rpd_db_write
[Apr 22 09:10:13]kmd_rpd_refresh_routes
[Apr 22 09:10:13]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr 22 09:10:17]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:14:38]iked_spu_sync_config_add this is SEC ASSOC on RE/complete, add it to the list
[Apr 22 09:14:38]Config download: Processed 1 - 1 messages
[Apr 22 09:14:38]Config download time: 0 secs
[Apr 22 09:14:38]Creating PM instance for service_set: root
[Apr 22 09:14:38]ssh_ike_init: Start
[Apr 22 09:14:38]ssh_ike_init: params->ignore_cr_payloads = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->no_key_hash_payload = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->no_cr_payloads = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->do_not_send_crls = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->send_full_chains = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->trust_icmp_messages = FALSE
[Apr 22 09:14:38]ssh_ike_init: params->spi_size = 0
[Apr 22 09:14:38]ssh_ike_init: params->zero_spi = TRUE
[Apr 22 09:14:38]ssh_ike_init: params->max_key_length = 512
[Apr 22 09:14:38]ssh_ike_init: params->max_isakmp_sa_count = 8192
[Apr 22 09:14:38]Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
[Apr 22 09:14:38]Obsolete parameter token_hash_type is not set to zero in ssh_ike_init
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_default_cnt = 1
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_default_max_cnt = 64
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_default_retry = 2
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_private_cnt = 1
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_private_max_cnt = 16
[Apr 22 09:14:38]ssh_ike_create_system: params->randomizers_private_retry = 2
[Apr 22 09:14:38]ssh_ike_attach_audit_context: Attaching a new audit context
[Apr 22 09:14:38]ssh_ike_init: params->base_retry_limit = 5
[Apr 22 09:14:38]ssh_ike_init: params->base_retry_timer = 10.000000
[Apr 22 09:14:38]ssh_ike_init: params->base_retry_timer_max = 150.000000
[Apr 22 09:14:38]ssh_ike_init: params->base_expire_timer = 180.000000
[Apr 22 09:14:38]ssh_ike_init: params->extended_retry_limit = 5
[Apr 22 09:14:38]ssh_ike_init: params->extended_retry_timer = 5.000000
[Apr 22 09:14:38]ssh_ike_init: params->extended_retry_timer_max = 300.000000
[Apr 22 09:14:38]ssh_ike_init: params->extended_expire_timer = 240.000000
[Apr 22 09:14:38]ssh_ikev2_fallback_create: FB; v1 policy manager e25900 started
[Apr 22 09:14:38]ssh_ikev2_fallback_attach: FB; v1 policy manager e25900 attached to server edf500
[Apr 22 09:14:38]iked_config_process_config_list, configuration diff complete
[Apr 22 09:14:38]KMD_INTERNAL_ERROR: iked_ifstate_eoc_handler: EOC msg received
[Apr 22 09:14:40]IKED-PKID-IPC
[Apr 22 09:14:40]kmd_rpd_init
[Apr 22 09:14:40]kmd_rpd_shutdown_session
[Apr 22 09:14:40]Failed to connect with rpd: Unknown error: 0 (22), will retry
[Apr 22 09:14:40]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:14:40]KMD_INTERNAL_ERROR: iked_trace_ipc_connect: usp_ipc_client_open fail
[Apr 22 09:14:45]IKED-PKID-IPC
[Apr 22 09:14:45]kmd_rpd_init
[Apr 22 09:14:45]kmd_rpd_shutdown_session
[Apr 22 09:14:45]Failed to connect with rpd: Unknown error: 0 (22), will retry
[Apr 22 09:14:45]iked_spu_ha_ipc_get_server_addr, server tnp addr (standalone): 0x1, ISSU pending=no
[Apr 22 09:14:50]IKED-PKID-IPC
[Apr 22 09:14:50]kmd_rpd_init
[Apr 22 09:14:50]kmd_rpd_shutdown_session
[Apr 22 09:14:50]Failed to connect with rpd: Unknown error: 0 (22), will retry
[Apr 22 09:14:55]kmd_rpd_init
[Apr 22 09:14:55]rpd session connected
[Apr 22 09:14:55]kmd_rpd_cb_session_connect
[Apr 22 09:14:55]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:14:55]kmd_rpd_db_read
[Apr 22 09:14:55]kmd_rpd_db_read: gw handle 20825600
[Apr 22 09:14:55]kmd_rpd_cb_protocol_register gw handle 128 return code 1
[Apr 22 09:14:55]kmd_rpd_cb_protocol_register:Failed to register with rpd rc 1
[Apr 22 09:14:55]kmd_rpd_db_write
[Apr 22 09:14:55]kmd_rpd_shutdown_session
[Apr 22 09:15:00]kmd_rpd_init
[Apr 22 09:15:00]rpd session connected
[Apr 22 09:15:01]kmd_rpd_cb_session_connect
[Apr 22 09:15:01]kmd_rpd_cb_session_connect: rpd session established
[Apr 22 09:15:01]kmd_rpd_db_write
[Apr 22 09:15:01]kmd_rpd_cb_protocol_register gw handle 20825792 return code 0
[Apr 22 09:15:01]kmd_rpd_db_write
[Apr 22 09:15:01]kmd_rpd_refresh_routes
[Apr 22 09:15:21]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl st0.0
[Apr 22 09:15:21]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl vlan.0
[Apr 22 09:15:31]iked_process_ifl_ext_add: ifl tunnel-id lookup failed for ifl ge-0/0/0.0
SRX220 config:
Spoiler
## Last commit: 2016-04-22 11:05:21 UTC by user_adm
version 12.1X46-D50.4;
system {
host-name SRX;
root-authentication {
encrypted-password "$1$4CX7J5Yo$fFqfWvaSKQoKuCb6pBkUS0"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user user_adm {
full-name userEN;
uid 2000;
class super-user;
authentication {
encrypted-password "$1$6A7.mgsd$gVPIxqG1ATK5eqWDBPDKl1"; ## SECRET-DATA
}
}
}
services {
ssh {
root-login deny;
}
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
sampling {
input;
output;
}
address 82.xxx.xxx.154/30;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
st0 {
unit 0 {
family inet {
address 10.0.0.83/20;
}
}
}
vlan {
unit 0 {
family inet {
address 10.99.95.8/24;
}
}
}
}
forwarding-options {
packet-capture {
file filename pcap files 2 size 10m world-readable;
maximum-capture-size 1500;
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 82.xxx.xxx.153;
route 192.168.0.0/16 next-hop 10.99.95.1;
route 172.16.0.0/12 next-hop 10.99.95.1;
route 10.0.0.0/8 next-hop 10.99.95.1;
}
}
protocols {
stp;
}
security {
pki {
ca-profile ca-profile1 {
ca-identity DOMAIN.ru;
enrollment {
url http://scep.DOMAIN.ru/certsrv/mscep/mscep.dll;
}
revocation-check {
disable;
}
}
}
ike {
traceoptions {
file ipsec size 2m files 2;
flag all;
}
proposal AES-MD5 {
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm aes-256-cbc;
}
policy DOMAIN {
mode main;
proposals AES-MD5;
certificate {
local-certificate vpn;
}
}
gateway pri-hq-pri {
ike-policy DOMAIN;
address 212.SRX.650.2;
local-identity distinguished-name;
remote-identity distinguished-name container DC=headqr.gate.DOMAIN.ru;
external-interface ge-0/0/0.0;
}
}
ipsec {
traceoptions {
flag all;
}
proposal AES-MD5 {
authentication-algorithm hmac-md5-96;
encryption-algorithm aes-256-cbc;
}
policy DOMAIN {
perfect-forward-secrecy {
keys group2;
}
proposals AES-MD5;
}
vpn pri-hq-pri {
vpn-monitor;
ike {
gateway pri-hq-pri;
proxy-identity {
local 10.0.0.83/32;
}
ipsec-policy DOMAIN;
}
establish-tunnels immediately;
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1300;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn {
policy permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ssh;
ping;
traceroute;
ike;
}
}
}
}
}
security-zone vpn {
host-inbound-traffic {
system-services {
any-service;
}
protocols {
ospf;
}
}
interfaces {
st0.0;
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}