I have a problem with one branch site with an SRX100 and cable broadband with a public static DHCP IP (assigned based on MAC address). I am trying to establish a VPN to the datacenter, where there is an SRX240 cluster with a static IP and multiple VPN tunnels already working.
Here are my current settings:
proposal AES128_MD5_DH1_LT28800 {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm md5;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy [VPN-DATACENTER] {
    mode main;
    proposals AES128_MD5_DH1_LT28800;
    pre-shared-key ascii-text ""; ## SECRET-DATA
}
gateway [DATACENTER] {
    ike-policy VPN-DATACENTER;
    address [DATACENTER-IP];
    external-interface fe-0/0/0.0;
}
proposal AES128_SHA1_LT3600 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy [VPN-DATACENTER] {
    perfect-forward-secrecy {
        keys group1;
    }
    proposals AES128_SHA1_LT3600;
}
vpn [DATACENTER] {
    ike {
        gateway [DATACENTER];
        ipsec-policy [VPN-DATACENTER];
    }
    establish-tunnels immediately;
}
I tried several different configurations, but based on the debug output, IKE traffic cannot get through:
Jul 17 13:28:18 clear-log[2827]: logfile cleared
Jul 17 13:28:38 iked_pm_ike_spd_notify_request: Sending Initial contact
Jul 17 13:28:38 ssh_ike_connect: Start, remote_name = [DATACENTER-IP]:500, xchg = 2, flags = 00090000
Jul 17 13:28:38 ike_sa_allocate: Start, SA = { 899c0760 37185816 - 00000000 00000000 }
Jul 17 13:28:38 ike_init_isakmp_sa: Start, remote = [DATACENTER-IP]:500, initiator = 1
Jul 17 13:28:38 ssh_ike_connect: SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:28:38 ike_st_o_sa_proposal: Start
Jul 17 13:28:38 ike_policy_reply_isakmp_vendor_ids: Start
Jul 17 13:28:38 ike_st_o_private: Start
Jul 17 13:28:38 ike_policy_reply_private_payload_out: Start
Jul 17 13:28:38 ike_encode_packet: Start, SA = { 0x899c0760 37185816 - 00000000 00000000 } / 00000000, nego = -1
Jul 17 13:28:38 ike_send_packet: Start, send SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500, routing table id = 0
Jul 17 13:28:48 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:28:48 ike_send_packet: Start, retransmit previous packet SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500 routing table id = 0
Jul 17 13:28:58 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:28:58 ike_send_packet: Start, retransmit previous packet SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500 routing table id = 0
Jul 17 13:29:08 P1 SA 6848010 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
Jul 17 13:29:08 iked_pm_ike_sa_delete_done_cb: For p1 sa index 6848010, ref cnt 2, status: Error ok
Jul 17 13:29:08 ike_remove_callback: Start, delete SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:29:08 [REMOTESITE-IP]:500 (Initiator) <-> [DATACENTER-IP]:500 { 899c0760 37185816 - 00000000 00000000 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
Jul 17 13:29:08 ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
Jul 17 13:29:08 ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
Jul 17 13:29:08 ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
Jul 17 13:29:08 iked_pm_ike_sa_done: UNUSABLE p1_sa 6848010
Jul 17 13:29:08 IKEv1 Error : Timeout
Jul 17 13:29:08 IPSec Rekey for SPI 0x0 failed
Jul 17 13:29:08 IPSec SA done callback called for sa-cfg INSTANCE-[DATACENTER]_0002_0004_0000 local:[REMOTESITE-IP], remote:[DATACENTER-IP] IKEv1 with status Timed out
Jul 17 13:29:08 ike_delete_negotiation: Start, SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:29:08 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
Jul 17 13:29:08 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
Jul 17 13:29:08 ike_sa_delete: Start, SA = { 899c0760 37185816 - 00000000 00000000 }
Jul 17 13:29:08 ike_free_negotiation_isakmp: Start, nego = -1
Jul 17 13:29:08 ike_free_negotiation: Start, nego = -1
Jul 17 13:29:08 IKE SA delete called for p1 sa 6848010 (ref cnt 1) local:[REMOTESITE-IP], remote:[DATACENTER-IP], IKEv1
Jul 17 13:29:08 iked_pm_p1_sa_destroy: p1 sa 6848010 (ref cnt 0), waiting_for_del 0x0
Jul 17 13:29:08 ike_free_id_payload: Start, id type = 1
Jul 17 13:29:08 ike_free_sa: Start
Jul 17 13:29:08 iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
Internet traffic otherwise flows normally. I also tried tcpdump, but I cannot see anything but outgoing packets:
root@% tcpdump -i fe-0/0/0.0 udp port 500
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on fe-0/0/0.0, capture size 96 bytes
Reverse lookup for [DATACENTER-IP] failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
13:39:38.433695 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
13:39:48.445182 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
13:39:58.456384 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
13:40:38.436741 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
13:40:48.440717 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
I'm out of ideas; what could block IKE packets? On the remote site, tcpdump does not show any packets coming from the remote site.
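An added triage helper (example code, not from the original post or from Juniper) that reads the kind of iked trace and tcpdump output shown above and separates "the SRX never sent", "sent but nothing came back" and "peer answered but the negotiation stalled". The sample lines are constructed to mirror the post's output with its placeholders kept; the function names and verdict labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample of the iked trace from the post (placeholders kept).
IKE_TRACE = """\
Jul 17 13:28:38 ike_send_packet: Start, send SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1, dst = [DATACENTER-IP]:500, routing table id = 0
Jul 17 13:28:48 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:28:58 ike_retransmit_callback: Start, retransmit SA = { 899c0760 37185816 - 00000000 00000000}, nego = -1
Jul 17 13:29:08 IKEv1 Error : Timeout
"""

# Constructed sample of the tcpdump lines from the post (Junos prints In/Out direction).
CAPTURE = """\
13:39:38.433695 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
13:39:48.445182 Out IP truncated-ip - 256 bytes missing! [REMOTESITE-IP].isakmp > [DATACENTER-IP]isakmp: isakmp: phase 1 I ident: [|sa]
"""

PKT_RE = re.compile(r"^\S+ (In|Out) IP .*isakmp: phase (\d) ([IR]) ")

def summarize_ike_trace(text):
    """Count the phase-1 events in the iked trace that decide the triage."""
    c = Counter()
    for line in text.splitlines():
        if "ike_send_packet: Start, send" in line:
            c["sent"] += 1
        elif "ike_retransmit_callback" in line:
            c["retransmit"] += 1
        elif "IKEv1 Error : Timeout" in line:
            c["timeout"] += 1
    return dict(c)

def summarize_capture(text):
    """Count ISAKMP packets per direction, phase and role (I/R) in tcpdump output."""
    c = Counter()
    for m in filter(None, map(PKT_RE.match, text.splitlines())):
        direction, phase, role = m.groups()
        c[f"{direction}/phase{phase}/{role}"] += 1
    return dict(c)

def classify(trace, capture):
    """Return a verdict label; the labels are this example's own, not Junos terms."""
    t, p = summarize_ike_trace(trace), summarize_capture(capture)
    inbound = sum(v for k, v in p.items() if k.startswith("In/"))
    if t.get("sent", 0) == 0:
        return "not-sent"   # nothing left the box: check external-interface and routing
    if inbound == 0 and t.get("timeout", 0):
        return "no-reply"   # packets leave, none return: path, upstream udp/500 filtering, peer gateway config
    if inbound and t.get("timeout", 0):
        return "stalled"    # peer answers but never completes: proposal/PSK mismatch, compare peer trace
    return "ok"

if __name__ == "__main__":
    print(summarize_ike_trace(IKE_TRACE), summarize_capture(CAPTURE), classify(IKE_TRACE, CAPTURE))
```

For the post's output the verdict is "no-reply", which points at the path between the sites or at the datacenter gateway definition rather than at the proposals.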