SRX

  • 1.  Site-to-Site IPSec VPN, IKE time outs

    Posted 07-17-2013 03:49

    I have a problem with one branch site with an SRX100 and cable broadband with a public static DHCP IP (based on MAC address). I am trying to establish a VPN to the datacenter, where there is an SRX240 cluster with a static IP and multiple VPN tunnels already working.

     

    Here are my current settings:

     

    proposal AES128_MD5_DH1_LT28800 {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy [VPN-DATACENTER] {
        mode main;
        proposals AES128_MD5_DH1_LT28800;
        pre-shared-key ascii-text ""; ## SECRET-DATA
    }
    gateway [DATACENTER] {
        ike-policy VPN-DATACENTER;
        address [DATACENTER-IP];
        external-interface fe-0/0/0.0;
    }
    
    proposal AES128_SHA1_LT3600 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy [VPN-DATACENTER] {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals AES128_SHA1_LT3600;
    }
    vpn [DATACENTER] {
        ike {
            gateway [DATACENTER];
            ipsec-policy [VPN-DATACENTER];
        }
        establish-tunnels immediately;
    }

     

    I tried several different configurations, but based on the debug, IKE traffic cannot get through:

    Jul 17 13:28:18  clear-log[2827]: logfile cleared
    Jul 17 13:28:38 iked_pm_ike_spd_notify_request: Sending Initial contact
    Jul 17 13:28:38 ssh_ike_connect: Start, remote_name = [DATACENTER-IP]:500, xchg = 2, flags = 00090000
    Jul 17 13:28:38 ike_sa_allocate: Start, SA = { 899c0760 37185816 - 00000000 00000000 }
    Jul 17 13:28:38 ike_init_isakmp_sa: Start, remote = [DATACENTER-IP]:500, initiator = 1
    Jul 17 13:28:38 ssh_ike_connect: SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
    Jul 17 13:28:38 ike_st_o_sa_proposal: Start
    Jul 17 13:28:38 ike_policy_reply_isakmp_vendor_ids: Start
    Jul 17 13:28:38 ike_st_o_private: Start
    Jul 17 13:28:38 ike_policy_reply_private_payload_out: Start
    Jul 17 13:28:38 ike_encode_packet: Start, SA = { 0x899c0760 37185816 - 00000000 00000000 } / 00000000, nego = -1
    Jul 17 13:28:38 ike_send_packet: Start, send SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500,  routing table id = 0
    Jul 17 13:28:48 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
    Jul 17 13:28:48 ike_send_packet: Start, retransmit previous packet SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500 routing table id = 0
    Jul 17 13:28:58 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
    Jul 17 13:28:58 ike_send_packet: Start, retransmit previous packet SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500 routing table id = 0
    Jul 17 13:29:08 P1 SA 6848010 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
    Jul 17 13:29:08 iked_pm_ike_sa_delete_done_cb: For p1 sa index 6848010, ref cnt 2, status: Error ok
    Jul 17 13:29:08 ike_remove_callback: Start, delete SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
    Jul 17 13:29:08 [REMOTESITE-IP]:500 (Initiator) <-> [DATACENTER-IP]:500 { 899c0760 37185816 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    Jul 17 13:29:08 ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
    Jul 17 13:29:08 ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
    Jul 17 13:29:08 ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
    Jul 17 13:29:08 iked_pm_ike_sa_done: UNUSABLE p1_sa 6848010
    Jul 17 13:29:08   IKEv1 Error : Timeout
    Jul 17 13:29:08 IPSec Rekey for SPI 0x0 failed
    Jul 17 13:29:08 IPSec SA done callback called for sa-cfg INSTANCE-[DATACENTER]_0002_0004_0000 local:[REMOTESITE-IP], remote:[DATACENTER-IP] IKEv1 with status Timed out
    Jul 17 13:29:08 ike_delete_negotiation: Start, SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
    Jul 17 13:29:08 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    Jul 17 13:29:08 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    Jul 17 13:29:08 ike_sa_delete: Start, SA = { 899c0760 37185816 - 00000000 00000000 }
    Jul 17 13:29:08 ike_free_negotiation_isakmp: Start, nego = -1
    Jul 17 13:29:08 ike_free_negotiation: Start, nego = -1
    Jul 17 13:29:08 IKE SA delete called for p1 sa 6848010 (ref cnt 1) local:[REMOTESITE-IP], remote:[DATACENTER-IP], IKEv1
    Jul 17 13:29:08 iked_pm_p1_sa_destroy:  p1 sa 6848010 (ref cnt 0), waiting_for_del 0x0
    Jul 17 13:29:08 ike_free_id_payload: Start, id type = 1
    Jul 17 13:29:08 ike_free_sa: Start
    Jul 17 13:29:08 iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)

     

    Internet traffic otherwise flows normally. I also tried tcpdump, but I cannot see anything but outgoing packets:

    root@% tcpdump -i fe-0/0/0.0 udp port 500
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
    Address resolution timeout is 4s.
    Listening on fe-0/0/0.0, capture size 96 bytes
    
    Reverse lookup for [DATACENTER-IP] failed (check DNS reachability).
    Other reverse lookup failures will not be reported.
    Use <no-resolve> to avoid reverse lookups on IP addresses.
    
    13:39:38.433695 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
    13:39:48.445182 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
    13:39:58.456384 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
    13:40:38.436741 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
    13:40:48.440717 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]

     

    I'm out of ideas; what could block IKE packets? On the remote site, tcpdump does not show any packets coming from the remote site.
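    A small triage script for the kind of IKE trace shown above, added here as an example and not part of the original post or of Junos. It groups the trace by IKE SA cookie and separates "no packet ever came back from the peer" (retransmits followed by a timeout) from "the peer answered but negotiation failed" (proposal, mode or PSK mismatch). It assumes the line layout shown in the thread, and it assumes that `ike_st_i_*` state lines mean a packet from the peer was processed; the sample log is constructed from the thread's lines with the placeholders kept.

```python
import re
from collections import defaultdict

# Constructed sample: the first-send / retransmit / timeout lines from the thread's trace.
SAMPLE_LOG = """\
Jul 17 13:28:38 ike_send_packet: Start, send SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500,  routing table id = 0
Jul 17 13:28:48 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:28:48 ike_send_packet: Start, retransmit previous packet SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500 routing table id = 0
Jul 17 13:28:58 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:29:08 [REMOTESITE-IP]:500 (Initiator) <-> [DATACENTER-IP]:500 { 899c0760 37185816 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
Jul 17 13:29:08   IKEv1 Error : Timeout
"""

TS = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (.*)$")
# Initiator cookie; the trace writes it both as "{ 899c0760 ..." and "{ 0x899c0760 ...".
SA = re.compile(r"\{ (?:0x)?([0-9a-f]{8}) ([0-9a-f]{8})")

def _secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def _new():
    return {"sent": 0, "retransmits": 0, "replied": False, "timed_out": False,
            "first": None, "last": None}

def analyze(log):
    """Return {cookie: summary} for every IKE SA that appears in the trace."""
    sas = defaultdict(_new)
    for line in log.splitlines():
        m = TS.match(line)
        if not m:
            continue
        t, msg = _secs(*m.group(3, 4, 5)), m.group(6)
        c = SA.search(msg)
        if not c:                      # e.g. "IKEv1 Error : Timeout" carries no cookie
            continue
        st = sas[c.group(1) + c.group(2)]
        st["first"] = t if st["first"] is None else st["first"]
        st["last"] = t
        if msg.startswith("ike_send_packet") and "retransmit" not in msg:
            st["sent"] += 1            # a fresh packet, not a retransmit of the last one
        elif msg.startswith("ike_retransmit_callback"):
            st["retransmits"] += 1
        elif "ike_st_i_" in msg:       # assumption: input-state lines = peer packet processed
            st["replied"] = True
        elif "Connection timed out" in msg:
            st["timed_out"] = True
    for st in sas.values():
        if st["timed_out"] and not st["replied"]:
            st["verdict"] = "no response from peer: check path, host-inbound-traffic, filters"
        elif st["timed_out"]:
            st["verdict"] = "peer replied but negotiation failed: compare proposals, mode, PSK"
        else:
            st["verdict"] = "no timeout seen"
    return dict(sas)

if __name__ == "__main__":
    for cookie, st in analyze(SAMPLE_LOG).items():
        print(cookie, st["sent"], "sent,", st["retransmits"], "retransmits,",
              st["last"] - st["first"], "s ->", st["verdict"])
```

    Run against the full trace in the thread it reports the silent-peer verdict, which is the case to take to the ISP or to the far-side interface configuration rather than to the proposal settings.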



  • 2.  RE: Site-to-Site IPSec VPN, IKE time outs

    Posted 07-17-2013 18:46

    Can you post the other side of the config, the DATACENTER VPN IKE phase 1 and 2?



  • 3.  RE: Site-to-Site IPSec VPN, IKE time outs

    Posted 07-17-2013 23:27

    Yes:

    proposal AES128_MD5_DH1_LT28800 {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm md5;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 28800;
    }
    policy [VPN-REMOTESITE] {
        mode main;
        proposals AES128_MD5_DH1_LT28800;
        pre-shared-key ascii-text ""; ## SECRET-DATA
    }
    gateway [REMOTESITE] {
        ike-policy [VPN-REMOTESITE];
        address [REMOTESITE-IP];
        external-interface reth0.0;
    }
    
    proposal AES128_SHA1_LT3600 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy [VPN-REMOTESITE] {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals AES128_SHA1_LT3600;
    }
    vpn [REMOTESITE] {
        ike {
            gateway [REMOTESITE];
            ipsec-policy [VPN-REMOTESITE];
        }
        establish-tunnels immediately;
    }

     

    DataCenter side has ~20 other VPN tunnels running.




  • 4.  RE: Site-to-Site IPSec VPN, IKE time outs

    Posted 07-20-2013 05:19

    The first thing that jumps to mind is that you don't have "host-inbound-traffic ike" configured under the interface that this tunnel terminates on on the Data Centre firewall.

     

    Though if there are 20 other tunnels configured (assuming the same interface address) then it probably is.

     

    Can you ping the Data Centre IP address from the remote site?

     

    Are there any firewall filters (not security policies) applied to that interface on the DC firewall?

     

    The fact that you have establish-tunnels immediately on both ends and you're still not seeing anything from the far side makes me think there is a routing issue somewhere.



  • 5.  RE: Site-to-Site IPSec VPN, IKE time outs

    Posted 07-22-2013 13:55

    Both firewalls have host-inbound-traffic ike allowed. DC side has firewall rules to restrict ssh access. Normal internet traffic works fine from client side.

     

    I think there is something really fishy with the client side WAN connection; it's not something I normally would use. The customer wanted to use it. Ping goes through, and an nmap port scan shows UDP 500 is open. These nmap port scans actually show up in tcpdump where the IKE packets do not.

     

    I think I'll build a VPN to another site, with a different ISP from the client site and the DC site, to see if there's any difference.



  • 6.  RE: Site-to-Site IPSec VPN, IKE time outs

    Posted 07-26-2013 05:52

    Same thing for another site and another FW. IKE retransmit times out on both ends. I suppose I'll start pointing at the ISP.



  • 7.  RE: Site-to-Site IPSec VPN, IKE time outs

    Posted 11-12-2013 07:03

    Hello,

     

    Could you check if the host-inbound-traffic system-services ike is configured on the untrust zone or on the interface in that zone. If it is configured on the zone, please change it to the interface.

     

    As far as I have noticed on previous configurations: host-inbound-traffic system-services ike and dhcp only work when you have configured them on the interface in the specific zone, and not on the zone itself.

     

    Also take notice that when you have some system services configured on the interface, the zone-configured system services won't work anymore. You also have to place them (for example ping, or ssh, or https, or whatever you have enabled on that zone) on the interface.

     

    Sincerely, and good luck



  • 8.  RE: Site-to-Site IPSec VPN, IKE time outs

    Posted 11-12-2013 12:50

    When one side is static and the other is DHCP, you must use aggressive mode instead of main mode.

    Modify to use aggressive.

    Also verify that both sides have the same encryption and hash algorithm.

     
    Unknown IKE encryption identifier -1
    Jul 17 13:29:08 ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
    Jul 17 13:29:08 ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1

    policy [VPN-DATACENTER] {
        mode main;
        proposals AES128_MD5_DH1_LT28800;
        pre-shared-key ascii-text ""; ## SECRET-DATA
    }