I have been having a ton of issues with a VPN connection between an SRX-240H and a Check Point device.
I have managed to lower the number of IKE sessions I'm seeing by asking the remote side to disable the persistent connection establishment option on the Check Point (we were seeing ~20-30 IKE SAs!). But even now I am getting very odd results. Today I am seeing duplicate IPsec SAs (which I had not seen prior to today). Occasionally we are seeing drops on the VPN tunnel for brief moments, and during those times another IKE SA tends to show up with the old ones remaining.
This is running very stably compared to when I was seeing 20+ IKE SAs, but it is still an issue and I can't figure out for the life of me why this is happening.
There is 1 tunnel with 1 subnet (policy):
root@obi-fw-01> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6979863 UP a97609f5a9a38078 e4afc2b0c537fd5c Main xxx.xxx.xx.236
6979862 UP 6e06f3992aef2102 afec5dd17921d28a Main xxx.xxx.xx.236
root@obi-fw-01> show security ike security-associations detail
IKE peer xxx.xxx.xx.236, Index 6979863,
Role: Responder, State: UP
Initiator cookie: a97609f5a9a38078, Responder cookie: e4afc2b0c537fd5c
Exchange type: Main, Authentication method: Pre-shared-keys
Local: xx.xxx.xx.xxx:500, Remote: xxx.xxx.xx.236:500
Lifetime: Expires in 6466 seconds
Peer ike-id: xxx.xxx.xx.236
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Traffic statistics:
Input bytes : 888
Output bytes : 756
Input packets: 8
Output packets: 4
Flags: IKE SA is created
IPSec security associations: 1 created, 1 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: xx.xxx.xx.202:500, Remote: xxx.xxx.xx.236:500
Local identity: xx.xxx.xx.202
Remote identity: xxx.xxx.xx.236
Flags: IKE SA is created
IKE peer xxx.xxx.xx.236, Index 6979862,
Role: Responder, State: UP
Initiator cookie: 6e06f3992aef2102, Responder cookie: afec5dd17921d28a
Exchange type: Main, Authentication method: Pre-shared-keys
Local: xx.xxx.xx.202:500, Remote: xxx.xxx.xx.236:500
Lifetime: Expires in 6412 seconds
Peer ike-id: xxx.xxx.xx.236
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Traffic statistics:
Input bytes : 812
Output bytes : 832
Input packets: 7
Output packets: 5
Flags: IKE SA is created
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: xx.xxx.xx.202:500, Remote: xxx.xxx.xx.236:500
Local identity: xx.xxx.xx.202
Remote identity: xxx.xxx.xx.236
Flags: IKE SA is created
root@obi-fw-01> show security ip security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<2 ESP:aes-256/sha1 3a879d2f 6686/ unlim - root 500 xxx.xxx.xxx.236
>2 ESP:aes-256/sha1 59c5e156 6686/ unlim - root 500 xxx.xxx.xxx.236
<2 ESP:aes-256/sha1 567d9685 7305/ unlim - root 500 xxx.xxx.xxx.236
>2 ESP:aes-256/sha1 59c5e158 7305/ unlim - root 500 xxx.xxx.xxx.236
root@obi-fw-01> show security ipsec security-associations detail
Virtual-system: root
Local Gateway: xx.xxx.xx.202, Remote Gateway: xxx.xxx.xx.236
Local Identity: ipv4_subnet(any:0,[0..7]=10.129.146.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=10.1.0.0/16)
Version: IKEv1
DF-bit: clear
Policy-name: vpnpolicy-1-suitej-to-midco300j
Direction: inbound, SPI: 3a879d2f, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 5725 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 5161 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 59c5e156, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 5725 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 5161 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: inbound, SPI: 567d9685, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 6344 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 5749 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 59c5e158, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 6344 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 5749 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
-------------
Config:
[edit security ike]
proposal ike-proposal-1 {
    authentication-method pre-shared-keys;
    inactive: dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy ike-policy-1 {
    mode main;
    proposals ike-proposal-1;
    pre-shared-key ascii-text xxx; ## SECRET-DATA
}
gateway ike-gate-1 {
    ike-policy ike-policy-1;
    address xxx.xxx.xx.236;
    inactive: dead-peer-detection {
        interval 20;
        threshold 2;
    }
    nat-keepalive 60;
    local-identity inet xx.xxx.xx.202;
    remote-identity inet xxx.xxx.xx.236;
    external-interface ge-0/0/14;
    local-address xx.xxx.xx.202;
}
[edit security ipsec]
proposal ipsec-proposal-1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}
policy ipsec-policy-1 {
    proposals ipsec-proposal-1;
}
vpn ipsec-vpn-1 {
    ike {
        gateway ike-gate-1;
        ipsec-policy ipsec-policy-1;
    }
    establish-tunnels immediately;
}
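An added example, not from the post above: a small parser for the two Junos outputs shown (the IKE SA summary and the IPsec SA table) that counts SAs per peer and applies a heuristic for whether a duplicate SA pair is a normal rekey overlap (the newer SA is fresh) or a stale duplicate left behind by a re-established tunnel. The sample output is constructed from the post with the redacted peer replaced by the documentation address 203.0.113.236; the 600-second "fresh" window is an assumption, and the 28800-second lifetime comes from ipsec-proposal-1 in the config.

```python
import re

# Constructed sample in the format of "show security ike security-associations" and
# "show security ipsec security-associations" from the post (peer address replaced).
IKE_OUTPUT = """\
Index State Initiator cookie Responder cookie Mode Remote Address
6979863 UP a97609f5a9a38078 e4afc2b0c537fd5c Main 203.0.113.236
6979862 UP 6e06f3992aef2102 afec5dd17921d28a Main 203.0.113.236
"""
IPSEC_OUTPUT = """\
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<2 ESP:aes-256/sha1 3a879d2f 6686/ unlim - root 500 203.0.113.236
>2 ESP:aes-256/sha1 59c5e156 6686/ unlim - root 500 203.0.113.236
<2 ESP:aes-256/sha1 567d9685 7305/ unlim - root 500 203.0.113.236
>2 ESP:aes-256/sha1 59c5e158 7305/ unlim - root 500 203.0.113.236
"""
IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+[0-9a-f]{16}\s+[0-9a-f]{16}\s+\S+\s+(\S+)$")
IPSEC_ROW = re.compile(r"^([<>])(\d+)\s+\S+\s+([0-9a-f]+)\s+(\d+)/\s*\S+\s+\S+\s+\S+\s+\d+\s+(\S+)$")
LIFETIME_SECONDS = 28800   # lifetime-seconds of ipsec-proposal-1 in the post's config
FRESH_WINDOW = 600         # assumption: a replacement SA negotiated within the last 10 min

def ike_sas_per_peer(text):
    """Map remote address -> list of IKE SA indexes in state UP."""
    peers = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m and m.group(2) == "UP":
            peers.setdefault(m.group(3), []).append(int(m.group(1)))
    return peers

def ipsec_inbound_sas(text):
    """Map gateway -> [(SPI, seconds left)] for inbound ('<') SAs, one per SA pair."""
    gws = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line.strip())
        if m and m.group(1) == "<":
            gws.setdefault(m.group(5), []).append((m.group(3), int(m.group(4))))
    return gws

def classify(remaining, lifetime=LIFETIME_SECONDS, window=FRESH_WINDOW):
    """Two SAs per tunnel are expected only mid-rekey, i.e. when the newer one is fresh."""
    if len(remaining) < 2:
        return "single"
    return "rekey-overlap" if max(remaining) >= lifetime - window else "stale-duplicate"

def report(ike_text=IKE_OUTPUT, ipsec_text=IPSEC_OUTPUT):
    """Per gateway: (number of IKE SAs, number of IPsec SA pairs, verdict)."""
    ike = ike_sas_per_peer(ike_text)
    return {gw: (len(ike.get(gw, [])), len(sas), classify([r for _, r in sas]))
            for gw, sas in ipsec_inbound_sas(ipsec_text).items()}
```

On the post's numbers both SA pairs have well under the full 28800 seconds left, so neither is a freshly negotiated replacement and the verdict is "stale-duplicate".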