SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  [solved] IPsec Phase-2 is always subnet 0.0.0.0/0

    Posted 08-25-2011 04:15

    Hi,

     

    I am trying to bring up a site-to-site tunnel. Phase 1 is working, but Phase 2 won't come up, because the SRX always tries to connect with local and remote subnet 0.0.0.0/0.

     

    I'm working with the "_zf" Tunnel.

     

    I don't know why the SRX doesn't use the networks that I have given in the security policy. Have I done anything wrong, or is it a reth0 cluster interface problem?

     

    Aug 25 12:45:53 ike_st_o_id: Start
    Aug 25 12:45:53 ike_st_o_hash: Start
    Aug 25 12:45:53 ike_find_pre_shared_key: Find pre shared key key for 62.96.131.138:500, id = ipv4(udp:500,[0..3]=62.96.131.138) -> 217.24.192.212:500, id = No Id
    Aug 25 12:45:53 ike_policy_reply_find_pre_shared_key: Start
    Aug 25 12:45:53 ike_calc_mac: Start, initiator = true, local = true
    Aug 25 12:45:53 ike_st_o_status_n: Start
    Aug 25 12:45:53 ike_st_o_private: Start
    Aug 25 12:45:53 ike_policy_reply_private_payload_out: Start
    Aug 25 12:45:53 ike_st_o_encrypt: Marking encryption for packet
    Aug 25 12:45:53 ike_encode_packet: Start, SA = { 0x2f33c27c 62a784ac - 494e7d15 4b8ba0f6 } / 00000000, nego = -1
    Aug 25 12:45:53 ike_send_packet: Start, send SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = -1, src=62.96.131.138:500, dst = 217.24.192.212:500, routing table id = 0
    Aug 25 12:45:53 ike_get_sa: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 } / 00000000, remote = 217.24.192.212:500
    Aug 25 12:45:53 ike_sa_find: Found SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 }
    Aug 25 12:45:53 ike_decode_packet: Start
    Aug 25 12:45:53 ike_decode_packet: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6} / 00000000, nego = -1
    Aug 25 12:45:53 ike_st_i_encrypt: Check that packet was encrypted succeeded
    Aug 25 12:45:53 ike_st_i_id: Start
    Aug 25 12:45:53 ike_st_i_hash: Start, hash[0..20] = ba74bdc1 ff4359dc ...
    Aug 25 12:45:53 ike_calc_mac: Start, initiator = true, local = false
    Aug 25 12:45:53 ike_st_i_cert: Start
    Aug 25 12:45:53 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Aug 25 12:45:53 The remote server at 217.24.192.212:500 is 'draft-ietf-ipsec-dpd-00.txt'
    Aug 25 12:45:53 Not setting PMDATA_PEER_IS_OURS for 217.24.192.212
    Aug 25 12:45:53 ike_st_i_private: Start
    Aug 25 12:45:53 ike_st_o_wait_done: Marking for waiting for done
    Aug 25 12:45:53 ike_st_o_all_done: MESSAGE: Phase 1 { 0x2f33c27c 62a784ac - 0x494e7d15 4b8ba0f6 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 86400 sec, key l
    Aug 25 12:45:53 62.96.131.138:500 (Initiator) <-> 217.24.192.212:500 { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 86400 sec, k
    Aug 25 12:45:53 Inserting DPD server entry for remote: 217.24.192.212:500. SA_CFG=INSTANCE-vpn_zf_0006_0008_0000
    Aug 25 12:45:53 DPD server entry for remote: 217.24.192.212:500 has sa_cfg associated with it
    Aug 25 12:45:53 jnp_ike_sa_export: Start
    Aug 25 12:45:53 jnp_ike_sa_export_id: Start
    Aug 25 12:45:53 jnp_ike_sa_export_id: Start
    Aug 25 12:45:53 Phase-1 [initiator] done for local=ipv4(udp:500,[0..3]=62.96.131.138) remote=ipv4(udp:0,[0..3]=217.24.192.212)
    Aug 25 12:45:53 Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=62.96.131.138) p1_remote=ipv4(udp:500,[0..3]=217.24.192.212)
    Aug 25 12:45:53 Phase-2 sa_cfg lookup with local_id=ipv4_subnet(any:0,[0..7]=0.0.0.0/0), remote_id=ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Aug 25 12:45:53 Updating DPD server entry for remote: 217.24.192.212:500
    Aug 25 12:45:53 Successfully updated DPD server entry for remote: 217.24.192.212:500 [dpd SA_CFG=INSTANCE-vpn_zf_0006_0008_0000]
    Aug 25 12:45:53 Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=0.0.0.0/0) remote_id=ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Aug 25 12:45:53 jnp_ike_connect_ipsec: Start, remote_name = 217.24.192.212:500, flags = 00000000
    Aug 25 12:45:53 ike_sa_find_ip_port: Remote = 217.24.192.212:500, Found SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}
    Aug 25 12:45:53 ike_alloc_negotiation: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}
    Aug 25 12:45:53 jnp_ike_connect_ipsec: SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = 0
    Aug 25 12:45:53 ike_init_qm_negotiation: Start, initiator = 1, message_id = f55cdaa1
    Aug 25 12:45:53 ike_st_o_qm_hash_1: Start
    Aug 25 12:45:53 ike_st_o_qm_sa_proposals: Start
    Aug 25 12:45:53 ike_st_o_qm_nonce: Start
    Aug 25 12:45:53 ike_policy_reply_qm_nonce_data_len: Start
    Aug 25 12:45:53 ike_st_o_qm_optional_ke: Start
    Aug 25 12:45:53 ike_st_o_qm_optional_ids: Start
    Aug 25 12:45:53 ike_st_qm_optional_id: Start
    Aug 25 12:45:53 ike_st_qm_optional_id: Start
    Aug 25 12:45:53 ike_st_o_private: Start
    Aug 25 12:45:53 ike_policy_reply_private_payload_out: Start
    Aug 25 12:45:53 ike_st_o_encrypt: Marking encryption for packet
    Aug 25 12:45:53 ike_encode_packet: Start, SA = { 0x2f33c27c 62a784ac - 494e7d15 4b8ba0f6 } / f55cdaa1, nego = 0
    Aug 25 12:45:53 ike_finalize_qm_hash_1: Hash[0..20] = 96a693cc c920f294 ...
    Aug 25 12:45:53 ike_send_packet: Start, send SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = 0, src=62.96.131.138:500, dst = 217.24.192.212:500, routing table id = 0
    Aug 25 12:45:53 ike_send_notify: Connected, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = -1
    Aug 25 12:45:53 ike_get_sa: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 } / 99aaf294, remote = 217.24.192.212:500
    Aug 25 12:45:53 ike_sa_find: Found SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 }
    Aug 25 12:45:53 ike_st_o_done: ISAKMP SA negotiation done
    Aug 25 12:45:53 ike_send_notify: Connected, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = -1
    Aug 25 12:45:53 ike_free_negotiation_isakmp: Start, nego = -1
    Aug 25 12:45:53 ike_free_negotiation: Start, nego = -1
    Aug 25 12:45:53 ike_alloc_negotiation: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}
    Aug 25 12:45:53 ike_decode_packet: Start
    Aug 25 12:45:53 ike_decode_packet: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6} / 99aaf294, nego = 1
    Aug 25 12:45:53 ike_st_i_encrypt: Check that packet was encrypted succeeded
    Aug 25 12:45:53 ike_st_i_gen_hash: Start, hash[0..20] = af1edf92 e7fd9bc7 ...
    Aug 25 12:45:53 ike_st_i_n: Start, doi = 1, protocol = 1, code = Invalid ID information (18), spi[0..16] = 2f33c27c 62a784ac ..., data[0..176] = 01000018 96a693cc ...
    Aug 25 12:45:53 62.96.131.138:500 (Responder) <-> 217.24.192.212:500 { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 [1] / 0x99aaf294 } Info; Received notify err = Invalid ID information (18) to isakmp sa, delete it
    Aug 25 12:45:53 ike_st_i_private: Start
    Aug 25 12:45:53 ike_send_notify: Connected, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = 1
    Aug 25 12:45:53 ike_delete_negotiation: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = 1
    Aug 25 12:45:53 ike_free_negotiation_info: Start, nego = 1
    Aug 25 12:45:53 ike_free_negotiation: Start, nego = 1
    Aug 25 12:45:53 ike_remove_callback: Start, delete SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = -1
    Aug 25 12:45:53 ike_delete_negotiation: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6}, nego = -1
    Aug 25 12:45:53 jnp_ike_tunnel_table_entry_delete: Deleting tunnel_id: 1753097 from IKE tunnel table
    Aug 25 12:45:53 ike_sa_delete: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 }
    Aug 25 12:45:53 kmd_pm_ike_p2qm_notify_callback
    Aug 25 12:45:53 Quick mode negotiation failed for p1_local=ipv4(udp:500,[0..3]=62.96.131.138) p1_remote=ipv4(udp:500,[0..3]=217.24.192.212) p2_local=ipv4_subnet(any:0,[0..7]=0.0.0.0/0) p2_remote=ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Aug 25 12:45:53 Phase-2 [initiator] failed with error(Aborted notification) for p1_local=ipv4(udp:500,[0..3]=62.96.131.138) p1_remote=ipv4(udp:0,[0..3]=217.24.192.212) p2_local=ipv4_subnet(any:0,[0..7]=0.0.0.0/0) p2_remote=ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Aug 25 12:45:53 ike_free_negotiation_qm: Start, nego = 0
    Aug 25 12:45:53 ike_free_negotiation: Start, nego = 0
    Aug 25 12:45:53 ike_free_id_payload: Start, id type = 4
    Aug 25 12:45:53 ike_free_id_payload: Start, id type = 4
    Aug 25 12:45:53 ike_free_negotiation_isakmp: Start, nego = -1
    Aug 25 12:45:53 ike_free_negotiation: Start, nego = -1
    Aug 25 12:45:53 Deleting DPD server entry for remote: 217.24.192.212:500
    Aug 25 12:45:53 Deleting DPD CTXT server entry for c7ee00:c84190
    Aug 25 12:45:53 P1 freeing PMdata c6ac00
    Aug 25 12:45:53 ike_free_id_payload: Start, id type = 1
    Aug 25 12:45:53 ike_free_id_payload: Start, id type = 1
    Aug 25 12:45:53 ike_free_sa: Start
    Aug 25 12:45:53 ike_get_sa: Start, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 } / 033b401d, remote = 217.24.192.212:500
    Aug 25 12:45:53 ike_sa_find: Not found SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 }
    Aug 25 12:45:53 ike_sa_find_half: Not found half SA = { 2f33c27c 62a784ac - 00000000 00000000 }
    Aug 25 12:45:53 ike_get_sa: Invalid cookie, no sa found, SA = { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 } / 033b401d, remote = 217.24.192.212:500
    Aug 25 12:45:53 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 217.24.192.212:500
    Aug 25 12:45:58 ike_get_sa: Start, SA = { 6c18acf3 04061a56 - 00000000 00000000 } / 00000000, remote = 62.206.115.141:500
    Aug 25 12:46:08 kmd_pm_ike_start_p1
    Aug 25 12:46:08 jnp_ike_connect: Start, remote_name = 217.24.192.212:500, local = 62.96.131.138:500 xchg = 2, flags = 00000000
    Aug 25 12:46:08 ike_sa_allocate: Start, SA = { c226d1c0 6deea6cf - 00000000 00000000 }
    Aug 25 12:46:08 ike_init_isakmp_sa: Start, remote = 217.24.192.212:500, initiator = 1
    Aug 25 12:46:08 jnp_ike_connect: SA = { c226d1c0 6deea6cf - 00000000 00000000}, nego = -1
    Aug 25 12:46:08 ike_st_o_sa_proposal: Start
    Aug 25 12:46:08 NAT is enabled

     

    Attachment: config.txt (65 KB)


  • 2.  RE: [solved] IPsec Phase-2 is always subnet 0.0.0.0/0

    Posted 08-25-2011 07:49

    It's a policy-based VPN; the proxy ID should be determined by the policy. Good question as to why it doesn't work.

     

    The quick fix is to convert this into a route-based VPN. Since you only have one subnet each side, that'll be easy. That way, the proxy ID you are setting manually will be used.

     



  • 3.  RE: [solved] IPsec Phase-2 is always subnet 0.0.0.0/0
    Best Answer

    Posted 08-26-2011 15:10

    Hi,

     

    I have solved my problem.

     

    I had used "any" in the VPN security policy. I must define exactly which networks will connect to each other. Then it works. Otherwise, when I use "any", it is 0.0.0.0/0 for the IPsec stack when the SRX tries to negotiate the security association.
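    An added helper, not code from the thread or from Juniper, that reads the two trace lines from the question which carry the diagnosis (the "Phase-2 IDS" line and the "Invalid ID information" notify) and flags the 0.0.0.0/0 proxy ID that the accepted answer traces back to "any" in the policy. The sample log is constructed from the shape of the trace in the question, and the function name `diagnose` is an assumption.

```python
import ipaddress
import re

# Constructed sample, copied in shape from the IKE trace in the question:
# the Phase-2 proxy IDs the SRX offered and the peer's rejection notify.
SAMPLE_LOG = """\
Aug 25 12:45:53 Phase-1 negotiation succeeded for p1_local=ipv4(udp:500,[0..3]=62.96.131.138) p1_remote=ipv4(udp:500,[0..3]=217.24.192.212)
Aug 25 12:45:53 Negotiating IPsec SA with Phase-2 IDS: local_id=ipv4_subnet(any:0,[0..7]=0.0.0.0/0) remote_id=ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Aug 25 12:45:53 62.96.131.138:500 (Responder) <-> 217.24.192.212:500 { 2f33c27c 62a784ac - 494e7d15 4b8ba0f6 [1] / 0x99aaf294 } Info; Received notify err = Invalid ID information (18) to isakmp sa, delete it
"""

# Proxy IDs as printed by the SRX kmd trace: ipv4_subnet(any:0,[0..7]=A.B.C.D/N)
P2_IDS = re.compile(
    r"Phase-2 IDS: local_id=ipv4_subnet\(any:0,\[0\.\.7\]=(?P<local>[\d./]+)\)"
    r" remote_id=ipv4_subnet\(any:0,\[0\.\.7\]=(?P<remote>[\d./]+)\)"
)
# ISAKMP notify type 18 (INVALID-ID-INFORMATION) from the peer.
INVALID_ID = re.compile(r"Received notify err = Invalid ID information \(18\)")


def diagnose(log_text):
    """Extract the Phase-2 proxy IDs and explain a wildcard / rejected negotiation."""
    local = remote = None
    invalid_id = False
    for line in log_text.splitlines():
        m = P2_IDS.search(line)
        if m:
            local = ipaddress.ip_network(m["local"])
            remote = ipaddress.ip_network(m["remote"])
        if INVALID_ID.search(line):
            invalid_id = True

    # A /0 proxy ID means the policy matched "any" rather than a concrete subnet.
    wildcard = any(n is not None and n.prefixlen == 0 for n in (local, remote))
    findings = []
    if wildcard:
        findings.append("proxy ID is 0.0.0.0/0: the policy-based VPN uses 'any' as "
                        "source/destination; define the exact subnets in the policy "
                        "(or use a route-based VPN with an explicit proxy identity)")
    if invalid_id:
        findings.append("peer rejected the Phase-2 IDs (INVALID-ID-INFORMATION 18): "
                        "the subnets offered must match what the peer expects")
    return {
        "local": str(local) if local else None,
        "remote": str(remote) if remote else None,
        "wildcard": wildcard,
        "invalid_id": invalid_id,
        "findings": findings,
    }


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG)["findings"]:
        print("-", f)
```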



  • 4.  RE: [solved] IPsec Phase-2 is always subnet 0.0.0.0/0

    Posted 08-27-2011 05:12

    @coolblue wrote:

    Hi,

     

    I have solved my problem.

     

    I had used "any" in the VPN security policy. I must define exactly which networks will connect to each other. Then it works. Otherwise, when I use "any", it is 0.0.0.0/0 for the IPsec stack when the SRX tries to negotiate the security association.


    Makes sense, doesn't it? Thanks for the update, good to know!