SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site to site VPN through NAT with ISG1000 (central site) and SRX100 (remote site)

    Posted 08-30-2012 11:01

    Hi everyone,

    According to this KB article http://kb.juniper.net/InfoCenter/index?page=content&id=KB17953&actp=search&viewlocale=en_US&searchid=1346248880681# I upgraded the SRX100 to 11.4R4 in order to have a chance of making it work.

     

    Here is the scenario:

    ISG1000 (public ip) --------------------(public ip) Internet Box (private ip)-------------------------------(private-ip)srx-100

     

    Phase 1 is established, but phase 2 is not.

     

    I did a basic VPN configuration in order to initiate the VPN from the SRX100.

     

    Here is the SRX100 configuration (st0.0 belongs to the vpn security zone):

    set interfaces st0 unit 0 family inet
    
    set routing-options static route 0.0.0.0/0 next-hop 10.113.248.242
    set routing-options static route 192.168.80.0/23 next-hop st0.0
    
    set security ike proposal ike-proposal-isgbill authentication-method pre-shared-keys
    set security ike proposal ike-proposal-isgbill dh-group group2
    set security ike proposal ike-proposal-isgbill authentication-algorithm sha1
    set security ike proposal ike-proposal-isgbill encryption-algorithm aes-128-cbc
    set security ike proposal ike-proposal-isgbill lifetime-seconds 14400
    set security ike policy ike-policy-isgbill mode aggressive
    set security ike policy ike-policy-isgbill proposals ike-proposal-isgbill
    set security ike policy ike-policy-isgbill pre-shared-key ascii-text "**********************"
    set security ike gateway ike-gate-isg ike-policy ike-policy-isgbill
    set security ike gateway ike-gate-isg address 83.97.61.xxx
    set security ike gateway ike-gate-isg nat-keepalive 5
    set security ike gateway ike-gate-isg local-identity hostname BillSRX
    set security ike gateway ike-gate-isg external-interface fe-0/0/0.0
    set security ike gateway ike-gate-isg version v1-only
    
    set security ipsec proposal ipsec-proposal-isgbill protocol esp
    set security ipsec proposal ipsec-proposal-isgbill authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-proposal-isgbill encryption-algorithm aes-128-cbc
    set security ipsec proposal ipsec-proposal-isgbill lifetime-seconds 14400
    set security ipsec policy vpn-policy-isgbill proposals ipsec-proposal-isgbill
    set security ipsec vpn ike-vpn-isgbill bind-interface st0.0
    set security ipsec vpn ike-vpn-isgbill ike gateway ike-gate-isg
    set security ipsec vpn ike-vpn-isgbill ike proxy-identity local 10.224.131.32/28
    set security ipsec vpn ike-vpn-isgbill ike proxy-identity remote 0.0.0.0/0
    set security ipsec vpn ike-vpn-isgbill ike proxy-identity service any
    set security ipsec vpn ike-vpn-isgbill ike ipsec-policy vpn-policy-isgbill
    set security ipsec vpn ike-vpn-isgbill establish-tunnels on-traffic
    set security flow tcp-mss ipsec-vpn mss 1350
    

    Here is the ISG1000 VPN configuration:

    set ike gateway "GW_Bill_SRX" address 0.0.0.0 id "BillSRX" Aggr outgoing-interface "ethernet2/5" preshare "********" sec-level custom_phase_matchsrx
    set ike gateway "GW_Bill_SRX" nat-traversal udp-checksum
    set ike gateway "GW_Bill_SRX" nat-traversal keepalive-frequency 5
    
    set vpn "SRX-VPN" gateway "GW_Bill_SRX" replay tunnel idletime 0 sec-level custom_phase_matchsrx
    set vpn "SRX-VPN" monitor optimized rekey
    set vpn "SRX-VPN" bind interface tunnel.8
    
    set route 10.224.131.32/28 interface tunnel.8

    Here is part of the IKE log on the ISG:

    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> ID, len=11, type=2, pro=0, port=0,
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> 
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> completing Phase 1
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> sa_pidt = 22cce638
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> found existing peer identity 23a82634
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> peer_identity_unregister_p1_sa.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> peer_idt.c peer_identity_unregister_p1_sa 682: pidt deleted.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Phase 1: Completed Aggressive mode negotiation with a <14400>-second lifetime.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> IKE msg done: PKI state<0> IKE state<6/1097122f>
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  >   hdr
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> ike packet, len 204, action 0
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Catcher: received 176 bytes from socket.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> ****** Recv packet if <ethernet2/5> of vsys <fw-in-cg13> ******
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Catcher: get 176 bytes. src port 4500
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Create conn entry...
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70>   ...done(new 1d65ba54)
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Phase 2 msg-id <1d65ba54>: Responded to the first peer message.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Decrypting payload (length 144)
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  > iv:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  > new iv:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  > Recv*: [HASH] [SA] [NONCE] [ID] [ID] 
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> QM in state OAK_QM_SA_ACCEPT.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Start by finding matching member SA (verify -1/-1)
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> IKE: Matching policy: gw ip <92.150.172.70> peer entry id<22>
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Proxy ID match: Located matching Phase 2 SA <65612>.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Process [SA]:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> key length = 128
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> SA life type = seconds
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Phase 2 received:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> atts<00000003 00000000 0000000c 00000002 00000003 00000000>
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> proto(3)<ESP>, esp(12)<ESP_AES>, auth(2)<SHA>, encap(3)<UDP-TUNNEL>, group(0), keylen(128)
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> P2 proposal [0] selected.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Process [NONCE]:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> processing NONCE in phase 2.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Process [ID]:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Process [ID]:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Phase 2 Responder constructing 2nd message.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct ISAKMP header.
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Msg header built (next payload #8)
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct [HASH]
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct [SA] for IPSEC
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Initiator P2 ID built: .13.r.zPr.y`../ 
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Responder P2 ID built: .13.r.zPr.y`../ 
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct [NONCE] for IPSec
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct [ID] for Phase 2
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct [ID] for Phase 2
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct custom [NAT-OA]
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> construct NOTIFY_NS_NHTB_INFORM: attr INTERNAL_IPx_ADDRESS, value 83.97.61.253, datalen 12
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Construct [NOTIF] (NOTIFY_NS_NHTB_INFORM) for IPSEC
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> construct QM HASH
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> P2 message header:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  > Xmit*: [HASH] [SA] [NONCE] [ID] [ID] [NAT_OA] [NOTIF] 
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Encrypt P2 payload (len 212)
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  > clear p2 pkt dump:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  > iv:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70  > new iv:
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> oakley_process_quick_mode():exit
    ## 2012-08-30 11:07:07 : IKE<92.150.172.70> IKE msg done: PKI state<0> IKE state<6/1097122f>
    ## 2012-08-30 11:07:08 : IKE<92.150.172.70> Sent natt 0 bytes natt keepalive from 83.97.61.253/4500 to 92.150.172.70/4500.
    ## 2012-08-30 11:07:11 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
    ## 2012-08-30 11:07:11 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:11 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:13 : IKE<92.150.172.70> Sent natt 0 bytes natt keepalive from 83.97.61.253/4500 to 92.150.172.70/4500.
    ## 2012-08-30 11:07:15 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
    ## 2012-08-30 11:07:15 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:15 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:17 : IKE<92.150.172.70  >   hdr
    ## 2012-08-30 11:07:17 : IKE<92.150.172.70> ike packet, len 204, action 0
    ## 2012-08-30 11:07:17 : IKE<92.150.172.70> Catcher: received 176 bytes from socket.
    ## 2012-08-30 11:07:17 : IKE<92.150.172.70> ****** Recv packet if <ethernet2/5> of vsys <fw-in-cg13> ******
    ## 2012-08-30 11:07:17 : IKE<92.150.172.70> Catcher: get 176 bytes. src port 4500
    ## 2012-08-30 11:07:17 : IKE<92.150.172.70> Receive re-transmit IKE phase 2 packet, SA(92.150.172.70) exchg(32) len(172)
    ## 2012-08-30 11:07:18 : IKE<92.150.172.70> Sent natt 0 bytes natt keepalive from 83.97.61.253/4500 to 92.150.172.70/4500.
    ## 2012-08-30 11:07:19 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
    ## 2012-08-30 11:07:19 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:19 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:23 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
    ## 2012-08-30 11:07:23 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:23 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:23 : IKE<92.150.172.70> Sent natt 0 bytes natt keepalive from 83.97.61.253/4500 to 92.150.172.70/4500.
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70  >   hdr
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> ike packet, len 204, action 0
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> Catcher: received 176 bytes from socket.
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> ****** Recv packet if <ethernet2/5> of vsys <fw-in-cg13> ******
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> Catcher: get 176 bytes. src port 4500
    ## 2012-08-30 11:07:27 : IKE<92.150.172.70> Receive re-transmit IKE phase 2 packet, SA(92.150.172.70) exchg(32) len(172)
    ## 2012-08-30 11:07:28 : IKE<92.150.172.70> Sent natt 0 bytes natt keepalive from 83.97.61.253/4500 to 92.150.172.70/4500.
    ## 2012-08-30 11:07:31 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
    ## 2012-08-30 11:07:31 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:31 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:33 : IKE<92.150.172.70> Sent natt 0 bytes natt keepalive from 83.97.61.253/4500 to 92.150.172.70/4500.
    ## 2012-08-30 11:07:35 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
    ## 2012-08-30 11:07:35 : IKE<92.150.172.70> Responder sending IPv4 IP 92.150.172.70/port 4500
    ## 2012-08-30 11:07:35 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
    ## 2012-08-30 11:07:37 : IKE<92.150.172.70  >   hdr

    As you can see, phase 1 is OK, but phase 2 is not.

    It seems that the third part of the phase 2 message is not received by the SRX.

    We tried with two different internet provider boxes and got the same result, so it's not about a "VPN passthrough" feature on the box...

    I tried to add NAT rules on the internet box to forward UDP 500 and UDP 4500, but nothing changed.

    It seems that these boxes (from the Orange and Free internet providers) are not "VPN Passthrough" compliant.

     

     

    BUT, the same scenario between the ISG1000 and an SSG5 works well with NAT-T, so it means that the boxes are not the only issue (if they are one at all).

     

    Here is part of the IKE log on the SRX:

    Aug 30 19:07:48 ike_find_pre_shared_key: Find pre shared key key for 192.168.1.16:500, id = fqdn(any:0,[0..6]=BillSRX) -> 83.97.61.253:500, id = ipv4(udp:500,[0..3]=83.97.61.253)
    Aug 30 19:07:48 ike_policy_reply_find_pre_shared_key: Start
    Aug 30 19:07:48 ike_st_i_cert: Start
    Aug 30 19:07:48 ike_st_i_vid: VID[0..28] = cefb1acd f3776a87 ...
    Aug 30 19:07:48 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Aug 30 19:07:48 ike_st_i_vid: VID[0..20] = 48656172 74426561 ...
    Aug 30 19:07:48 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Aug 30 19:07:48 ike_st_i_private: Start
    Aug 30 19:07:48 ike_st_o_hash: Start
    Aug 30 19:07:48 ike_calc_mac: Start, initiator = true, local = true
    Aug 30 19:07:48 ike_st_o_status_n: Start
    Aug 30 19:07:48 ike_st_o_private: Start
    Aug 30 19:07:48 ike_policy_reply_private_payload_out: Start
    Aug 30 19:07:48 ike_policy_reply_private_payload_out: Start
    Aug 30 19:07:48 ike_policy_reply_private_payload_out: Start
    Aug 30 19:07:48 ike_st_o_optional_encrypt: Marking encryption for packet
    Aug 30 19:07:48 ike_st_o_wait_done: Marking for waiting for done
    Aug 30 19:07:48 ike_st_o_all_done: MESSAGE: Phase 1 { 0xfe2249ab e9527e75 - 0x0be4f9cd 46394bb3 } / 00000000, version = 1.0, xchg = Aggressive, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 14400 sec, key len = 12
    Aug 30 19:07:48 192.168.1.16:4500 (Initiator) <-> 83.97.61.253:4500 { fe2249ab e9527e75 - 0be4f9cd 46394bb3 [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 14400 sec, k
    Aug 30 19:07:48 ike_encode_packet: Start, SA = { 0xfe2249ab e9527e75 - 0be4f9cd 46394bb3 } / 00000000, nego = -1
    Aug 30 19:07:48 ike_send_packet: Start, send SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = -1, dst = 83.97.61.253:4500,  routing table id = 0
    Aug 30 19:07:48 ike_send_notify: Connected, SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = -1
    Aug 30 19:07:48 iked_pm_ike_sa_done: local:192.168.1.16, remote:83.97.61.253 IKEv1
    Aug 30 19:07:48 IKE negotiation done for local:192.168.1.16, remote:83.97.61.253 IKEv1 with status: Error ok
    Aug 30 19:07:48 Added (spi=0x8efb5f0d, protocol=0) entry to the spi table
    Aug 30 19:07:48 Added (spi=0xf9afbee5, protocol=0) entry to the spi table
    Aug 30 19:07:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
    Aug 30 19:07:48 ike_sa_find_ip_port: Remote = all:500, Found SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}
    Aug 30 19:07:48 ike_alloc_negotiation: Start, SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}
    Aug 30 19:07:48 ssh_ike_connect_ipsec: SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0
    Aug 30 19:07:48 ike_init_qm_negotiation: Start, initiator = 1, message_id = 2221081d
    Aug 30 19:07:48 ike_st_o_qm_hash_1: Start
    Aug 30 19:07:48 ike_st_o_qm_sa_proposals: Start
    Aug 30 19:07:48 ike_st_o_qm_nonce: Start
    Aug 30 19:07:48 ike_policy_reply_qm_nonce_data_len: Start
    Aug 30 19:07:48 ike_st_o_qm_optional_ke: Start
    Aug 30 19:07:48 ike_st_o_qm_optional_ids: Start
    Aug 30 19:07:48 ike_st_qm_optional_id: Start
    Aug 30 19:07:48 ike_st_qm_optional_id: Start
    Aug 30 19:07:48 ike_st_o_private: Start
    Aug 30 19:07:48 Construction NHTB payload for  local:192.168.1.16, remote:83.97.61.253 IKEv1 P1 SA index 4643482 sa-cfg ike-vpn-isgbill
    Aug 30 19:07:48 Could not get local tunnel ip address. Not sending NHTB notify payload for sa-cfg ike-vpn-isgbill
    Aug 30 19:07:48 ike_policy_reply_private_payload_out: Start
    Aug 30 19:07:48 ike_st_o_encrypt: Marking encryption for packet
    Aug 30 19:07:48 ike_encode_packet: Start, SA = { 0xfe2249ab e9527e75 - 0be4f9cd 46394bb3 } / 2221081d, nego = 0
    Aug 30 19:07:48 ike_finalize_qm_hash_1: Hash[0..20] = 0c609166 6e0e8230 ...
    Aug 30 19:07:48 ike_send_packet: Start, send SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0, dst = 83.97.61.253:4500,  routing table id = 0
    Aug 30 19:07:48 iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    Aug 30 19:07:58 ike_retransmit_callback: Start, retransmit SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0
    Aug 30 19:07:58 ike_send_packet: Start, retransmit previous packet SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0, dst = 83.97.61.253:4500 routing table id = 0
    Aug 30 19:08:08 ike_retransmit_callback: Start, retransmit SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0
    Aug 30 19:08:08 ike_send_packet: Start, retransmit previous packet SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0, dst = 83.97.61.253:4500 routing table id = 0

    What is interesting is the last few lines, from the "ike_send_packet: Start" line on.

     

    According to this post http://jnet.lithium.com/t5/SRX-Services-Gateway/Site-2-Site-VPN-through-NAT/td-p/128879, we should see this after the "ike_send_packet: Start" line:

    Jul  2 12:15:24 [IKED 2] ike_send_packet: Start, send SA = { 911e9c10 7dbb95ff - 65d8dad0 0b1cf75e}, nego = 0, dst = 6.6.6.1:2703,  routing table id = 0
    Jul  2 12:15:24 [IKED 2] ikev2_packet_allocate: Allocated packet f5e400 from freelist
    Jul  2 12:15:24 [IKED 2] ike_sa_find: Found SA = { 911e9c10 7dbb95ff - 65d8dad0 0b1cf75e }
    Jul  2 12:15:24 [IKED 2] ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Jul  2 12:15:24 [IKED 2] ike_get_sa: Start, SA = { 911e9c10 7dbb95ff - 65d8dad0 0b1cf75e } / 8b48aee7, remote = 6.6.6.1:2703
    Jul  2 12:15:24 [IKED 2] ike_sa_find: Found SA = { 911e9c10 7dbb95ff - 65d8dad0 0b1cf75e }
    Jul  2 12:15:24 [IKED 2] ike_decode_packet: Start
    Jul  2 12:15:24 [IKED 2] ike_decode_packet: Start, SA = { 911e9c10 7dbb95ff - 65d8dad0 0b1cf75e} / 8b48aee7, nego = 0
    Jul  2 12:15:24 [IKED 2] ike_st_i_encrypt: Check that packet was encrypted succeeded
    Jul  2 12:15:24 [IKED 2] ike_st_i_qm_hash_3: Start, hash[0..20] = 38c57449 a879e713 ...
    Jul  2 12:15:24 [IKED 2] ike_st_i_private: Start
    Jul  2 12:15:24 [IKED 2] <none>:4500 (Responder) <-> 6.6.6.1:2703 { 911e9c10 7dbb95ff - 65d8dad0 0b1cf75e [0] / 0x8b48aee7 } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
    

    In this case, it seems that IKEv2 is used.

    I will try to enable IKEv2 on the ISG1000 tomorrow and uncheck "IKEv1 only" on the SRX100 to see if it works.

     

    Maybe the NAT-T implementation in 12.4R4 is not yet finished, as I heard that the future 12.4R5 will be the recommended version for VPN purposes...

     

    Any other ideas are welcome.

     

    Regards,

    Ludovic


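The two debug excerpts above show the same failure from opposite ends: the ISG completes Phase 1, answers Quick Mode message 1 and then retransmits its message 2 every four seconds, while the SRX only ever logs `ike_send_packet` followed by `ike_retransmit_callback`. The following Python script is an added example (not code from the original post or from Juniper) that triages both logs for exactly this pattern. The sample lines are abridged copies of the ones posted above; the marker strings it matches are taken from those lines.

```python
"""Triage IKEv1 debug output from both ends of a NAT-T tunnel.

Added example; it is not code from the original post or from Juniper. It
classifies the failure pattern in the thread: Phase 1 completes, the
responder (ISG) keeps retransmitting Quick Mode message 2, and the
initiator (SRX) never logs receipt of it. The sample logs below are
abridged copies of the lines posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

ISG_LOG = """\
## 2012-08-30 11:07:07 : IKE<92.150.172.70> Phase 1: Completed Aggressive mode negotiation with a <14400>-second lifetime.
## 2012-08-30 11:07:07 : IKE<92.150.172.70> Catcher: get 176 bytes. src port 4500
## 2012-08-30 11:07:07 : IKE<92.150.172.70> Phase 2 msg-id <1d65ba54>: Responded to the first peer message.
## 2012-08-30 11:07:07 : IKE<92.150.172.70> Phase 2 Responder constructing 2nd message.
## 2012-08-30 11:07:07 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
## 2012-08-30 11:07:11 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
## 2012-08-30 11:07:11 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
## 2012-08-30 11:07:15 : IKE<92.150.172.70> phase-2 packet re-trans timer expired.
## 2012-08-30 11:07:15 : IKE<92.150.172.70> Send Phase 2 packet (len=220)
## 2012-08-30 11:07:17 : IKE<92.150.172.70> Receive re-transmit IKE phase 2 packet, SA(92.150.172.70) exchg(32) len(172)
"""

SRX_LOG = """\
Aug 30 19:07:48 IKE negotiation done for local:192.168.1.16, remote:83.97.61.253 IKEv1 with status: Error ok
Aug 30 19:07:48 ike_init_qm_negotiation: Start, initiator = 1, message_id = 2221081d
Aug 30 19:07:48 ike_send_packet: Start, send SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0, dst = 83.97.61.253:4500,  routing table id = 0
Aug 30 19:07:58 ike_retransmit_callback: Start, retransmit SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0
Aug 30 19:08:08 ike_retransmit_callback: Start, retransmit SA = { fe2249ab e9527e75 - 0be4f9cd 46394bb3}, nego = 0
"""

# Responder-side (ScreenOS) markers, taken from the ISG log in the thread
RSP_P1_DONE = re.compile(r"Phase 1: Completed")
RSP_QM2_SEND = re.compile(r"Send Phase 2 packet")
RSP_QM1_REPEAT = re.compile(r"Receive re-transmit IKE phase 2 packet")
RSP_SRC_PORT = re.compile(r"src port (\d+)")
# Initiator-side (Junos iked) markers, taken from the SRX log in the thread
INI_P1_DONE = re.compile(r"IKE negotiation done .* status: Error ok")
INI_RETRANS = re.compile(r"ike_retransmit_callback")
INI_QM2_RECV = re.compile(r"ike_st_i_qm_hash_3|Phase 2 connection succeeded")


@dataclass
class QmTriage:
    phase1_done: bool
    responder_qm2_sends: int       # first send plus every retransmit of QM message 2
    responder_saw_qm1_repeat: int  # peer re-sent QM message 1: it never got our reply
    initiator_retransmits: int
    initiator_got_qm2: bool
    nat_t_port: Optional[int]      # UDP source port seen by the responder (4500 = NAT-T)

    def verdict(self) -> str:
        if not self.phase1_done:
            return "Phase 1 did not complete: check proposals, pre-shared key and IKE identities"
        if self.initiator_got_qm2:
            return "Quick Mode completed"
        if self.responder_qm2_sends > 1 and self.initiator_retransmits > 0:
            where = "UDP/%d" % self.nat_t_port if self.nat_t_port else "the IKE port"
            return ("Phase 1 up, but Quick Mode message 2 never reached the initiator: "
                    "the responder sent it %d times on %s while the initiator kept re-sending "
                    "message 1. Check the return path to the initiator (the NAT device, and the "
                    "initiator's own host-inbound-traffic on its external interface)."
                    % (self.responder_qm2_sends, where))
        return "Inconclusive: collect more of both logs"


def _count(pattern: "re.Pattern", lines) -> int:
    return sum(1 for ln in lines if pattern.search(ln))


def triage_quick_mode(isg_log: str, srx_log: str) -> QmTriage:
    """Correlate responder (ISG) and initiator (SRX) debug output into one verdict."""
    isg, srx = isg_log.splitlines(), srx_log.splitlines()
    port = None
    for ln in isg:
        m = RSP_SRC_PORT.search(ln)
        if m:
            port = int(m.group(1))
            break
    return QmTriage(
        phase1_done=_count(RSP_P1_DONE, isg) > 0 and _count(INI_P1_DONE, srx) > 0,
        responder_qm2_sends=_count(RSP_QM2_SEND, isg),
        responder_saw_qm1_repeat=_count(RSP_QM1_REPEAT, isg),
        initiator_retransmits=_count(INI_RETRANS, srx),
        initiator_got_qm2=_count(INI_QM2_RECV, srx) > 0,
        nat_t_port=port,
    )


if __name__ == "__main__":
    result = triage_quick_mode(ISG_LOG, SRX_LOG)
    print(result)
    print(result.verdict())
```

The verdict deliberately points at the path back to the initiator rather than at proposal mismatches: a proposal problem would surface on the responder as a rejected [SA] payload, whereas here the ISG selects "P2 proposal [0]" and then never receives message 3, which only happens when its message 2 is dropped before the SRX's IKE daemon sees it.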

  • 2.  RE: Site to site VPN through NAT with ISG1000 (central site) and SRX100 (remote site)

    Posted 08-30-2012 20:02

    Just for grins, try dropping the proxy-IDs you have set. Between Juniper devices you shouldn't need to have that enabled, especially when the ISG does not appear to have one set.



  • 3.  RE: Site to site VPN through NAT with ISG1000 (central site) and SRX100 (remote site)

    Posted 08-30-2012 23:54

    Actually, I already tried with and without proxy ID and it changed nothing. I copy/pasted the wrong version of the ISG configuration when I wrote the message.

     

    Of course, when I tried, the proxy ID was set on both sides. Then I tried with the proxy ID disabled on both sides.

     



  • 4.  RE: Site to site VPN through NAT with ISG1000 (central site) and SRX100 (remote site)

    Posted 08-31-2012 01:03

    I tried to enable IKEv2, but on the ISG1000 side, when I choose "IKEv2 only", I can't choose "dynamic IP address" for the remote site. So I can't test it 😞



  • 5.  RE: Site to site VPN through NAT with ISG1000 (central site) and SRX100 (remote site)
    Best Answer

    Posted 09-03-2012 06:52

    The main issue was this:

     

    This command

    set security zones security-zone untrust host-inbound-traffic system-services ike

     can't be replaced by 

    set security zones security-zone untrust host-inbound-traffic system-services all

     So you have to specify "system-services ike" in order to make it work...
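The root cause reported above is a zone-level host-inbound-traffic gap on the SRX's external interface, which is easy to miss when the IKE and IPsec stanzas themselves look correct. The Python script below is an added example (not code from the original post or from Juniper) that lints a Junos set-format configuration for it: it finds each IKE gateway's `external-interface`, locates the zone that interface belongs to, and reports any gateway whose zone does not list `ike` under `host-inbound-traffic system-services`. The config strings are constructed: the poster's gateway line plus hypothetical zone stanzas; the zone name "untrust" and the interface-to-zone binding are assumptions, as are the "before" and "after" variants. Following the best answer, only the explicit `ike` keyword satisfies the check by default; whether `all` implies `ike` on a given release is something to confirm against that release's documentation, so requiring the explicit keyword is the safe lint.

```python
"""Lint a Junos set-format configuration for the gap that ended this thread:
an IKE gateway whose external interface sits in a zone that does not
explicitly allow the `ike` host-inbound system service.

Added example; it is not code from the original post or from Juniper. The
config strings are constructed: the poster's gateway line plus hypothetical
zone stanzas (the zone name "untrust" and the interface-to-zone binding are
assumptions, not taken from the thread).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

CONFIG_BEFORE = """\
set security ike gateway ike-gate-isg external-interface fe-0/0/0.0
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
"""

# The fix the best answer reports: add the explicit ike keyword.
CONFIG_AFTER = CONFIG_BEFORE + """\
set security zones security-zone untrust host-inbound-traffic system-services ike
"""


def parse_set_config(text: str) -> List[List[str]]:
    """Return the tokens after `set` for each statement; other lines are skipped."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            stmts.append(line.split()[1:])
    return stmts


def ike_external_interfaces(stmts: List[List[str]]) -> Dict[str, str]:
    """gateway name -> logical interface named in `external-interface`."""
    gws = {}
    for t in stmts:
        if t[:3] == ["security", "ike", "gateway"] and len(t) >= 6 and t[4] == "external-interface":
            gws[t[3]] = t[5]
    return gws


def zone_bindings(stmts: List[List[str]]):
    """Return (ifl -> zone, zone -> zone-level services, (zone, ifl) -> interface-level services)."""
    ifl_zone: Dict[str, str] = {}
    zone_svc: Dict[str, Set[str]] = defaultdict(set)
    ifl_svc: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for t in stmts:
        if t[:3] != ["security", "zones", "security-zone"] or len(t) < 5:
            continue
        zone, rest = t[3], t[4:]
        if rest[0] == "interfaces" and len(rest) >= 2:
            ifl_zone[rest[1]] = zone
            # interface-level: interfaces <ifl> host-inbound-traffic system-services <svc>
            if len(rest) >= 5 and rest[2:4] == ["host-inbound-traffic", "system-services"]:
                ifl_svc[(zone, rest[1])].add(rest[4])
        elif rest[:2] == ["host-inbound-traffic", "system-services"] and len(rest) >= 3:
            zone_svc[zone].add(rest[2])
    return ifl_zone, zone_svc, ifl_svc


def check_ike_inbound(config_text: str, accept_all: bool = False) -> List[dict]:
    """One finding per IKE gateway whose external interface does not permit IKE inbound.

    Following the thread's finding, only an explicit `ike` keyword satisfies the check
    unless accept_all=True. A service listed at either the zone or the interface level
    counts; the precedence rule between the two levels is not modelled (assumption).
    """
    stmts = parse_set_config(config_text)
    ifl_zone, zone_svc, ifl_svc = zone_bindings(stmts)
    findings = []
    for gw, ifl in ike_external_interfaces(stmts).items():
        zone = ifl_zone.get(ifl)
        allowed = set(zone_svc.get(zone, set())) | set(ifl_svc.get((zone, ifl), set()))
        ok = "ike" in allowed or (accept_all and "all" in allowed)
        if zone is None or not ok:
            findings.append({
                "gateway": gw, "interface": ifl, "zone": zone, "allowed": sorted(allowed),
                "fix": "set security zones security-zone %s host-inbound-traffic system-services ike"
                       % (zone or "<zone>"),
            })
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_ike_inbound(cfg) or "no findings")
```

Run against `show configuration | display set` output, the "before" variant produces one finding with the exact `set` line to add, and the "after" variant is clean; an external interface that is not bound to any zone is reported as well, since IKE cannot be accepted on it at all.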