SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

VTI tunnel between SRX210 and Cisco Router

  • 1.  VTI tunnel between SRX210 and Cisco Router

    Posted 11-13-2013 22:46

    Hello

    I am trying to set up a VTI tunnel between an SRX210 and a Cisco router, but it doesn't work.

    Here is the config of the SRX side:


    ## Last changed: 
    version 10.0R3.10;
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 1.1.1.1/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                description Outside;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet {
                    address 172.19.11.14/30;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.18.20.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.2;
        }
    }
    security {
        ike {
            proposal IKE_PSK {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy IKE_POLICY {
                mode main;
                proposals IKE_PSK;
                pre-shared-key ascii-text "$9$tzDhuIESreWX7";
            }
            gateway UCC1 {
                ike-policy IKE_POLICY;
                address 2.2.2.2;
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            proposal ESP_SHA_3DES {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy ESP_SHA_3DES_PFS2 {
                proposals ESP_SHA_3DES;
            }
            vpn UCC1 {
                bind-interface st0.0;
                ike {
                    gateway UCC1;
                    ipsec-policy ESP_SHA_3DES_PFS2;
                }
                establish-tunnels immediately;
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }


    And here is the config of the Cisco side:

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2

    crypto isakmp key 123 address 1.1.1.1

    crypto ipsec transform-set TS esp-3des esp-sha-hmac

    crypto ipsec profile test
     set transform-set TS

    interface TunnelXX
     description test
     ip address 172.19.11.13 255.255.255.252
     tunnel source 2.2.2.2
     tunnel destination 1.1.1.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile test
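An added check, not posted by anyone in this thread: this Python script maps the SRX IKE proposal and the IOS isakmp policy quoted above onto one vocabulary and lists every Phase-1 parameter that differs, filling in the defaults IOS applies to lines a policy omits (encr des, hash sha, group 1, rsa-sig, lifetime 86400). The keyword tables are an assumption that covers only the algorithms appearing in this thread.

```python
import re

# Constructed excerpts of the two Phase-1 blocks quoted in this thread (SRX proposal IKE_PSK, IOS policy 10).
SRX_IKE_PROPOSAL = """
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
"""
CISCO_ISAKMP_POLICY = """
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
"""
# Vendor keyword -> (shared attribute, vendor value -> shared value). Assumed tables limited to
# the algorithms seen here; extend them for AES, SHA-2 or further DH groups.
SRX_KEYS = {
    "encryption-algorithm": ("enc", {"3des-cbc": "3des", "des-cbc": "des", "aes-128-cbc": "aes-128"}),
    "authentication-algorithm": ("hash", {"sha1": "sha1", "md5": "md5"}),
    "dh-group": ("group", {"group1": "1", "group2": "2", "group5": "5"}),
    "authentication-method": ("auth", {"pre-shared-keys": "psk", "rsa-signatures": "rsa"}),
    "lifetime-seconds": ("lifetime", {}),
}
CISCO_KEYS = {
    "encr": ("enc", {"3des": "3des", "des": "des", "aes": "aes-128"}),
    "hash": ("hash", {"sha": "sha1", "md5": "md5"}),
    "group": ("group", {}),
    "authentication": ("auth", {"pre-share": "psk", "rsa-sig": "rsa"}),
    "lifetime": ("lifetime", {}),
}
# IOS applies these silently when the policy omits the line, so they must take part in the comparison.
CISCO_DEFAULTS = {"enc": "des", "hash": "sha1", "group": "1", "auth": "rsa", "lifetime": "86400"}

def parse_phase1(text, keymap, defaults=None):
    """Return {shared attribute: shared value} for one vendor's Phase-1 block."""
    attrs = dict(defaults or {})
    for key, value in re.findall(r"^\s*([a-z-]+)\s+([^;\n]+?);?\s*$", text, re.M):
        if key in keymap:
            attr, table = keymap[key]
            attrs[attr] = table.get(value, value)
    return attrs

def phase1_mismatches(srx_text, cisco_text):
    """List (attribute, srx_value, cisco_value) for every Phase-1 attribute that differs."""
    srx = parse_phase1(srx_text, SRX_KEYS)
    ios = parse_phase1(cisco_text, CISCO_KEYS, CISCO_DEFAULTS)
    return [(a, srx.get(a), ios.get(a)) for a in sorted(set(srx) | set(ios)) if srx.get(a) != ios.get(a)]

if __name__ == "__main__":
    print(phase1_mismatches(SRX_IKE_PROPOSAL, CISCO_ISAKMP_POLICY))  # [] for the quoted configs
```

For the two configs quoted above the result is an empty list; removing the IOS `group 2` line makes IOS fall back to group 1 and the script reports `('group', '2', '1')`.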


  • 2.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 00:52

    create another static route to 172.19.11.13 with next-hop st0.0



  • 3.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 06:35

    Added the route but it doesn't help. The tunnel doesn't come up 😞



  • 4.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 08:03

    If the tunnel does not come up, then your ike phase 1 options are incomplete/incorrectly matched. I do not know about CISCO, but you must verify that both sides are correctly configured. What does the following command show:

    >show security flow ike sa

    >show security flow ipsec sa

    Verify that the MTU on both ends accommodates the overhead added to the packet and that the MSS does not exceed the interface MTU. I am going to look at your config in more detail later.

    Also enable ike traceoptions and view the logs, and examine the kmd logs.



  • 5.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 21:50


    There are no such commands:

    >show security flow ike sa

    >show security flow ipsec sa


    This is the output of what I see:

    > show security flow ?
    Possible completions:
    gate            Show gate information
    ip-action    Show ip-action table
    session     Show session table


    Maybe I have to update Junos?



  • 6.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 22:00

    Sorry my mistake:

    show security ike security-associations   (show security ike sa)

    show security ipsec security-associations (show security ipsec sa)


    I do not expect to see anything from these outputs, but just to verify that the tunnels do not establish. There are cases when they establish and the traffic does not enter the tunnel.

    Well, did you enable ike traceoptions?

    Did you review the kmd log?

    How can you tell that the tunnel is not up on the SRX?



  • 7.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 22:24

    >show security ike security-associations
    Index Remote Address State Initiator cookie Responder cookie Mode
    4729 2.2.2.2 DOWN f82d4fb8dff1e04c 528a5389065ad734 Main

    !

    !

    > show security ipsec security-associations 
    Total active tunnels: 0

    !
    !

    In the kmd log I see the following messages:

    Nov 15 14:12:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)



  • 8.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 22:36

    show more of the kmd logs, say 15 lines above and 15 lines below the one you posted here. The immediate line above should indicate why the policy lookup failed!

    You still have not shown the results of the ike traceoptions log, which will give more details.



  • 9.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-14-2013 23:02

    I see only this log in KMD, multiple times.

    Nov 15 13:52:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
    Nov 15 13:54:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
    Nov 15 13:54:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
    Nov 15 13:56:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
    Nov 15 13:56:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)

    Can you tell me how to enable traceoptions?

    I did this to enable it: set security ike traceoptions file IKE.txt size 1M files 5

    and then tried to view the log file:

    show log IKE.txt
    Nov 15 14:15:57 kmd_diff_config_now, configuration diff complete
    Nov 15 14:59:13 kmd_diff_config_now, configuration diff complete
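Added here as a triage aid, not by any poster in this thread: this Python script parses kmd lines of the KMD_PM_P1_POLICY_LOOKUP_FAILURE form quoted above, counts them per local/remote pair and role, and checks each remote against the IKE gateways in the SRX config (UCC1: external address 1.1.1.1, peer 2.2.2.2). The gateway table layout and the extra 203.0.113.9 peer are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed kmd excerpt modelled on the lines quoted in this thread, plus one unconfigured peer.
KMD_LOG = """\
Nov 15 13:52:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
Nov 15 13:54:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
Nov 15 13:55:10 kmd_diff_config_now, configuration diff complete
Nov 15 13:56:08 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.1) p1_remote=ipv4(any:0,[0..3]=203.0.113.9)
"""
# Gateways from the SRX config in this thread: name -> (local external address, remote peer). Assumed layout.
CONFIGURED_GATEWAYS = {"UCC1": ("1.1.1.1", "2.2.2.2")}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) KMD_PM_P1_POLICY_LOOKUP_FAILURE: .*?\[(?P<role>\w+)\].*?"
    r"p1_local=ipv4\([^=]*=(?P<local>[\d.]+)\) p1_remote=ipv4\([^=]*=(?P<remote>[\d.]+)\)"
)

def parse_failures(log_text):
    """Yield one dict (ts, role, local, remote) per Phase-1 policy lookup failure; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(log_text, gateways):
    """Count failures per (local, remote, role) and say whether the peer matches a configured gateway."""
    counts = Counter((f["local"], f["remote"], f["role"]) for f in parse_failures(log_text))
    known = {(local, remote): name for name, (local, remote) in gateways.items()}
    report = []
    for (local, remote, role), n in sorted(counts.items()):
        name = known.get((local, remote))
        if name is None:
            verdict = "no ike gateway configured for this local/remote pair"
        else:
            verdict = f"peer matches gateway {name}; compare Phase-1 proposals and policy mode on both ends"
        report.append({"local": local, "remote": remote, "role": role, "count": n, "verdict": verdict})
    return report

if __name__ == "__main__":
    for entry in summarize(KMD_LOG, CONFIGURED_GATEWAYS):
        print(entry)
```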



  • 10.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-15-2013 00:35

    You had a start but did not flag anything. Use this and then show the output.

    I think the CISCO side may need more config but i am not able to say so definitely.

    you can use this command if you do not want to type each line:

    user@SRX#load set terminal


    Then copy and paste all of these set statements. Once finished, press CTRL+SHIFT+D, then commit the configuration.

    set security ike traceoptions file iketrace
    set security ike traceoptions flag policy-manager
    set security ike traceoptions flag routing-socket
    set security ike traceoptions flag parse
    set security ike traceoptions flag config
    set security ike traceoptions flag ike
    set security ike traceoptions file iketrace size 2m files 2
    set security ike traceoptions level 15

    If not enough data is generated, then use this:
    set security ike traceoptions flag all


    You also want to run the command
    >show route <remote_network> to verify that the traffic is using the st0 interface.


    Then save the log into a text file and attach the whole output to this thread after a minute.

    The initial problem is with the IKE configuration and I am not sure why the kmd log only shows that one line.

    Here is an example of the route-based VPN:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB20543

    If this fails then try policy-based:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28106&smlogin=true



  • 11.  RE: VTI tunnel between SRX210 and Cisco Router
    Best Answer

    Posted 11-15-2013 00:51

    I noticed another policy is missing. Add the following policy:

    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }



  • 12.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-15-2013 02:26

    I added that security policy but it doesn't help 😞

    Does the SRX need any license for VPN?

    I will provide logs later.



  • 13.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-17-2013 22:59

    I have uploaded the logs.

    Can there be a problem with the software version?

    Now the version of Junos is: JUNOS Software Release [10.0R3.10]

    Does it make sense to upgrade the software to a newer version?

    Attachment(s): IKE.txt (txt, 6 KB, 1 version)


  • 14.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-18-2013 01:33

    Definitely upgrade. Look at the links I gave you to make sure CISCO is properly configured. By the look of it, it seems like CISCO is not properly configured. Are you using an access profile for the connection?



  • 15.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-18-2013 13:11

    Can you go ahead and upload the whole SRX config as an attachment?

    Did you verify that the CISCO side is correctly configured? Phase 1 is the first stage, which we already know is failing. The Juniper side looks correct, CISCO looks questionable to me. If you can get the equivalent output from Cisco that will help the others who know CISCO here.

    Also run the following command and post the complete output:

    show security ike security-associations

    This will produce an index number for the ike sa, and the details will give more information.

    show security ike security-associations index <index_number> detail



  • 16.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-18-2013 22:33


    I found the problem. I think there is a bug with my current version of JUNOS (JUNOS Software Release [10.0R3.10]). I didn't change anything in the config, I just restarted the device and the tunnel works now 🙂

    I tried to change the JUNOS to the newest version but some error occurred.

    Which Junos image do you recommend? What is the difference between SRX Install Package and Install Package?



  • 17.  RE: VTI tunnel between SRX210 and Cisco Router

    Posted 11-19-2013 00:48

    Awesome. All that work :) Glad you got it resolved. I keep forgetting to check if the device needs rebooting first. After this I will always remember. Mark your solution as resolved.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476&smlogin=true


    I use a different version from the Juniper recommended version because it fills lots of needs and resolves some issues. My SRX environment machine requires a specific version. If you decide to go with the 12.1X44-D20.3 you have to consider the new address book support (global address).

    http://www.juniper.net/support/downloads/?p=srx220#sw


    The Junos install package I believe is for the J-Series and the SRX one is for the SRX, but it will tell you when you go to the download.