SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Troubleshoot phase II on Policy based VPN

    Posted 07-23-2013 11:46

    Hi,

    I am building a VPN tunnel. I'm on an SRX 240 on my end and there's a Cisco at the other end.

    He says the tunnel is up, so phase I is OK, but I can't see it on my end with show security ike security-associations. Is it because I'm not using the route based VPN and so the tunnel is up only when it is used?

    2) When I try to debug and see why phase II is not working I use the command "show security ipsec security associations detail" and I have nothing there too.

    Please help me, I don't know if those commands are only relevant in a route based VPN context.

    If that is the case, how can I troubleshoot IKE phase I and II on a policy based VPN?

    Thanks for your help. I'm a beginner so please consider that in your answer.

    thanks



  • 2.  RE: Troubleshoot phase II on Policy based VPN

     
    Posted 07-23-2013 19:57

    These commands should work irrespective of the tunnel type that you use.

    Can you paste the output of each of the commands, and the configuration as well?

    Yes, only when you configure the tunnel to be established immediately does it get created.

    Otherwise, the tunnel gets created when traffic flows.

    Regards,

    Raveen



  • 3.  RE: Troubleshoot phase II on Policy based VPN

    Posted 07-24-2013 08:31

    Thanks, you were right, it works now



  • 4.  RE: Troubleshoot phase II on Policy based VPN

    Posted 07-24-2013 00:37

    You may want to attach the configs. Otherwise verify correct IKE/IPsec policies, proposals, encryption algorithm, gateway, and make sure the bind-interface statement is used if route based. In your case verify that the correct policies are configured to allow the traffic, and verify that IKE is allowed on the external interface that the VPN tunnel is using.



  • 5.  RE: Troubleshoot phase II on Policy based VPN
    Best Answer

    Posted 07-24-2013 02:04

    The commands aren't relevant only on route based VPN, but you can't see any security association as it's formed in phase 2, and you said your tunnel is failing on P2...

    Now, as you said, if your phase 1 is OK, that means you have correct peers, DH and PSK. It's setting up a tunnel between your peers, and you have a channel secured for phase 2.

    If your phase 2 is failing, then you either don't have proper auth algorithms, or your private networks aren't set up correctly. Those are usually the reasons why P2 is failing.

    Check auth and encryption algorithms on both sides, make sure they are the same. Check private networks on both sides, be sure you are not source NATing them on both sides...

    Can we see the tunnel configuration on both sides?



  • 6.  RE: Troubleshoot phase II on Policy based VPN

    Posted 07-24-2013 08:30

    Thanks once again, everything is OK now and the tunnel can be seen with the commands. I have put

    set security ipsec vpn VPN_Name establish-tunnels immediately, so I don't know if it is because of that.

    Thanks so much once again for your help and guidance
    "May the Force ...."
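The following is an added example, not configuration posted by anyone in this thread, that puts together the points made in replies 2, 5 and 6: a minimal policy-based IPsec VPN on an SRX in Junos set format, the establish-tunnels setting that decides whether the SA comes up before any traffic flows, and the operational commands used to verify phase 1 and phase 2. All names (IKE-PROP, GW-CISCO, VPN-CISCO, LOCAL-NET, REMOTE-NET, the zone and interface names), the addresses and the pre-shared-key placeholder are assumptions for illustration; the algorithms and DH group are one matching set and must be the same as what the Cisco peer is configured with. Lines starting with # are explanatory comments, not configuration.

```junos
# --- Phase 1 (IKE): peers, DH group, PSK and algorithms must match the peer ---
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group2
set security ike proposal IKE-PROP authentication-algorithm sha1
set security ike proposal IKE-PROP encryption-algorithm aes-128-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-PSK"
# Gateway: the Cisco peer address (192.0.2.1 is a documentation address, assumed here)
set security ike gateway GW-CISCO ike-policy IKE-POL
set security ike gateway GW-CISCO address 192.0.2.1
set security ike gateway GW-CISCO external-interface ge-0/0/0.0

# --- Phase 2 (IPsec): auth/encryption algorithms and PFS group must match the peer ---
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-128-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN-CISCO ike gateway GW-CISCO
set security ipsec vpn VPN-CISCO ike ipsec-policy IPSEC-POL
# Default is "on-traffic": the SA (and so the show output) only appears once
# interesting traffic hits the policy. "immediately" negotiates at commit time,
# which is what made the tunnel visible in reply 6.
set security ipsec vpn VPN-CISCO establish-tunnels immediately

# --- IKE (UDP 500/4500) must be allowed on the external interface (reply 4) ---
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# --- Private networks on both sides; for a policy-based VPN the SRX derives its
#     phase 2 proxy-IDs from these policy addresses, so they must match the Cisco's
#     crypto ACL and must not be source-NATed before entering the tunnel (reply 5) ---
set security zones security-zone trust address-book address LOCAL-NET 10.1.1.0/24
set security zones security-zone untrust address-book address REMOTE-NET 10.2.2.0/24
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address LOCAL-NET
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address REMOTE-NET
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-CISCO
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel pair-policy VPN-IN
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address REMOTE-NET
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address LOCAL-NET
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-CISCO
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel pair-policy VPN-OUT

# --- Verification (operational mode); these work for policy- and route-based VPNs ---
# show security ike security-associations           -> phase 1 SA, state should be UP
# show security ipsec security-associations detail  -> phase 2 SA with proxy-IDs negotiated
# show security ipsec statistics                    -> encrypted/decrypted packet counters
# --- If phase 1 or 2 still fails, capture IKE negotiation to a trace file ---
# set security ike traceoptions file ike-debug
# set security ike traceoptions flag all
```

When reading the trace file, a phase 1 failure typically surfaces as proposal or PSK mismatches, while a phase 2 failure most often shows either no matching IPsec proposal or a proxy-ID (TS) mismatch, which maps directly to the two causes named in reply 5: algorithms and private networks. Remove the traceoptions once the problem is found, since "flag all" is verbose.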