Hi all, I need your knowledge to help me, please. I configured a policy-based VPN from an SRX210 to a PIX535, but the VPN is DOWN. I searched for information on the web (google, juniper.net, etc.) but have not found a solution. I configured trace-option on the SRX and see the following:
show log kmd
Oct 4 08:52:03 ike_st_o_private: Start
Oct 4 08:52:03 ike_policy_reply_private_payload_out: Start
Oct 4 08:52:03 ike_encode_packet: Start, SA = { 0x4e80e37d 85197171 - 00000000
00000000 } / 00000000, nego = -1
Oct 4 08:52:03 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 00000000
00000000}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routi
ng table id = 0
Oct 4 08:52:03 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f
} / 00000000, remote = 206.49.166.253:500
Oct 4 08:52:03 ike_sa_find: Not found SA = { 4e80e37d 85197171 - 0974013e dcca7
79f }
Oct 4 08:52:03 ike_sa_find_half: Found half SA = { 4e80e37d 85197171 - 00000000
00000000 }
Oct 4 08:52:03 ike_sa_upgrade: Start, SA = { 4e80e37d 85197171 - 00000000 00000
000 } -> { ... - 0974013e dcca779f }
Oct 4 08:52:03 ike_decode_packet: Start
Oct 4 08:52:03 ike_decode_packet: Start, SA = { 4e80e37d 85197171 - 0974013e dc
ca779f} / 00000000, nego = -1
Oct 4 08:52:03 ike_decode_payload_sa: Start
Oct 4 08:52:03 ike_decode_payload_t: Start, # trans = 1
Oct 4 08:52:03 ike_st_i_sa_value: Start
Oct 4 08:52:03 ike_st_i_cr: Start
Oct 4 08:52:03 ike_st_i_cert: Start
Oct 4 08:52:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Oct 4 08:52:03 Setting natt remote version to 3
Oct 4 08:52:03 The remote server at 206.49.166.253:500 is 'draft-ietf-ipsec-nat
-t-ike-02'
Oct 4 08:52:03 ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
Oct 4 08:52:03 The remote server at 206.49.166.253:500 is '40 48 b7 d5 6e bc e8
85 25 e7 de 7f 00 d6 c2 d3 c0 00 00 00'
Oct 4 08:52:03 ike_st_i_private: Start
Oct 4 08:52:03 ike_st_o_ke: Start
Oct 4 08:52:03 ike_st_o_nonce: Start
Oct 4 08:52:03 ike_policy_reply_isakmp_nonce_data_len: Start
Oct 4 08:52:03 ike_st_o_private: Start
Oct 4 08:52:03 ike_policy_reply_private_payload_out: Start
Oct 4 08:52:03 my_ipaddr_as_ike_id: add <192.168.41.222>
Oct 4 08:52:03 ike_policy_reply_private_payload_out: Start
Oct 4 08:52:03 ike_policy_reply_private_payload_out: Start
Oct 4 08:52:03 ike_encode_packet: Start, SA = { 0x4e80e37d 85197171 - 0974013e
dcca779f } / 00000000, nego = -1
Oct 4 08:52:03 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 0974013e
dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routi
ng table id = 0
Oct 4 08:52:03 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f
} / 00000000, remote = 206.49.166.253:500
Oct 4 08:52:03 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f
}
Oct 4 08:52:03 ike_decode_packet: Start
Oct 4 08:52:03 ike_decode_packet: Start, SA = { 4e80e37d 85197171 - 0974013e dc
ca779f} / 00000000, nego = -1
Oct 4 08:52:03 ike_st_i_nonce: Start, nonce[0..20] = 77bac5ad d72c3016 ...
Oct 4 08:52:03 ike_st_i_ke: Ke[0..128] = 84f8c988 9d24ee97 ...
Oct 4 08:52:03 ike_st_i_cr: Start
Oct 4 08:52:03 ike_st_i_cert: Start
Oct 4 08:52:03 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
Oct 4 08:52:03 The remote server at 206.49.166.253:500 is 'CISCO-UNITY'
Oct 4 08:52:03 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
Oct 4 08:52:03 The remote server at 206.49.166.253:500 is 'draft-beaulieu-ike-x
auth-02.txt'
Oct 4 08:52:03 ike_st_i_vid: VID[0..16] = fcb3a623 dccb779f ...
Oct 4 08:52:03 The remote server at 206.49.166.253:500 is 'fc b3 a6 23 dc cb 77
9f c1 f4 32 fd 89 a8 97 4c'
Oct 4 08:52:03 ike_st_i_vid: VID[0..16] = 1f07f70e aa6514d3 ...
Oct 4 08:52:03 The remote server at 206.49.166.253:500 is '1f 07 f7 0e aa 65 14
d3 b0 fa 96 54 2a 50 01 00'
Oct 4 08:52:03 ike_st_i_private: Start
Oct 4 08:52:03 my_ipaddr_as_ike_id: add <192.168.41.222>
Oct 4 08:52:03 NATT: Match found, local end is NOT behind NAT
Oct 4 08:52:03 perceived == real remote.
Oct 4 08:52:03 ike_st_o_id: Start
Oct 4 08:52:03 ike_st_o_hash: Start
Oct 4 08:52:04 ike_find_pre_shared_key: Find pre shared key key for 192.168.41.
222:500, id = ipv4(udp:500,[0..3]=192.168.41.222) -> 206.49.166.253:500, id = No
Id
Oct 4 08:52:04 ike_policy_reply_find_pre_shared_key: Start
Oct 4 08:52:04 ike_calc_mac: Start, initiator = true, local = true
Oct 4 08:52:04 ike_st_o_status_n: Start
Oct 4 08:52:04 ike_st_o_private: Start
Oct 4 08:52:04 ike_policy_reply_private_payload_out: Start
Oct 4 08:52:04 ike_st_o_encrypt: Marking encryption for packet
Oct 4 08:52:04 ike_encode_packet: Start, SA = { 0x4e80e37d 85197171 - 0974013e
dcca779f } / 00000000, nego = -1
Oct 4 08:52:04 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 0974013e
dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routi
ng table id = 0
Oct 4 08:52:09 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197
171 - 0974013e dcca779f}, nego = -1
Oct 4 08:52:09 ike_send_packet: Start, retransmit previous packet SA = { 4e80e3
7d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206
.49.166.253:500, routing table id = 0
Oct 4 08:52:09 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f
} / 00000000, remote = 206.49.166.253:500
Oct 4 08:52:09 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f
}
Oct 4 08:52:17 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f
} / 00000000, remote = 206.49.166.253:500
Oct 4 08:52:17 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f
}
Oct 4 08:52:17 ike_send_packet: Start, retransmit previous packet SA = { 4e80e3
7d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206
.49.166.253:500, routing table id = 0
Oct 4 08:52:17 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f
} / 00000000, remote = 206.49.166.253:500
Oct 4 08:52:17 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f
}
Oct 4 08:52:19 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197
171 - 0974013e dcca779f}, nego = -1
Oct 4 08:52:19 ike_send_packet: Start, retransmit previous packet SA = { 4e80e3
7d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206
.49.166.253:500, routing table id = 0
Oct 4 08:52:19 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f
} / 3ea7eb41, remote = 206.49.166.253:500
Oct 4 08:52:19 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f
}
Oct 4 08:52:19 ike_alloc_negotiation: Start, SA = { 4e80e37d 85197171 - 0974013
e dcca779f}
Oct 4 08:52:19 ike_decode_packet: Start
Oct 4 08:52:19 ike_decode_packet: Start, SA = { 4e80e37d 85197171 - 0974013e dc
ca779f} / 3ea7eb41, nego = 0
Oct 4 08:52:19 192.168.41.222:500 (Responder) <-> 206.49.166.253:500 { 4e80e37d
85197171 - 0974013e dcca779f [0] / 0x3ea7eb41 } Info; Trying to decrypt, but no
decryption context initialized
Oct 4 08:52:19 192.168.41.222:500 (Responder) <-> 206.49.166.253:500 { 4e80e37d
85197171 - 0974013e dcca779f [0] / 0x3ea7eb41 } Info; Error = No SA established
(8194)
Oct 4 08:52:19 ike_send_notify: Notification to informational exchange ignored
Oct 4 08:52:19 ike_delete_negotiation: Start, SA = { 4e80e37d 85197171 - 097401
3e dcca779f}, nego = 0
Oct 4 08:52:19 ike_free_negotiation_info: Start, nego = 0
Oct 4 08:52:19 ike_free_negotiation: Start, nego = 0
Oct 4 08:52:39 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197
171 - 0974013e dcca779f}, nego = -1
Oct 4 08:52:39 ike_send_packet: Start, retransmit previous packet SA = { 4e80e3
7d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206
.49.166.253:500, routing table id = 0
I don't know about VPN and Juniper... and my English is not good...
If you can help me, I will be grateful.
Thanks