Hi everyone,
I am having a site-to-site VPN issue. I have a similar VPN working with a Cisco ASA just fine.
The remote end is some DC supporting IPsec VPN. With an ASA we have at the office it works just fine.
(The ASA has the 3rd ISP line.) All of the remote VPNs have different IPs (as I'm not connecting to the same device).
We have an HA SRX 220 config with dual ISPs and some source-based routing.
We want to implement this VPN onto one of these lines as well so we have redundancy.
All this traffic is segregated by a routing engine on the switch. We can flip this over when a line is down.
I have tried these things:
1) manually creating the auto VPN phase 1 and 2
2) using the web tool to create the config https://www.juniper.net/customers/support/configtools/vpnconfig.html then copy-pasting the CLI
3) used the J-Web tasks VPN wizard also
All 3 have failed with similar results. I have ended up trying all different kinds of proposals but they all end up not working.
I have changed keys and proposals many times to different ones and still had the same result.
Right now I'm just working with (the remote VPN is an unknown device by the DC provider, but has the same IPsec settings):
Phase 1:
  peer IP
  PSK - somevalue
  encryption 3DES
  auth SHA1
  DH group 2
  lifetime 3600
Phase 2:
  3DES
  SHA1
  PFS yes
  DH group 2
  lifetime 3600
Version:
kpanchal@srx-1> show version
node0:
--------------------------------------------------------------------------
Hostname: srx-1
Model: srx220h
JUNOS Software Release [11.4R1.6]
node1:
--------------------------------------------------------------------------
Hostname: srx-1
Model: srx220h
JUNOS Software Release [11.4R1.6]
This is what my config looks like:
security {
    ike {
        traceoptions {
            file ike-debug files 2;
            flag all;
        }
        proposal phase1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ike_pol_softvpn {
            mode main;
            proposals phase1;
            pre-shared-key ascii-text "somekey";
        }
        gateway gw_softvpn {
            ike-policy ike_pol_softvpn;
            address 173.192.253.13;
            no-nat-traversal;
            external-interface reth2.0;
            version v1-only;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal phase2 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
            lifetime-kilobytes 5500000;
        }
        policy ipsec_pol_softvpn {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals phase2;
        }
        vpn softvpn {
            ike {
                gateway gw_softvpn;
                proxy-identity {
                    local 192.168.0.0/16;
                    remote 10.21.243.64/26;
                    service any;
                }
                ipsec-policy ipsec_pol_softvpn;
            }
            establish-tunnels on-traffic;
        }
    }
}
Here are the SA error messages from the ike-debug file:
kpanchal@srx-1> show security ike security-associations detail
node0:
--------------------------------------------------------------------------
IKE peer 173.192.253.13, Index 5942927,
Role: Responder, State: DOWN
Initiator cookie: 5f7523787e777f1d, Responder cookie: a1d83982874a0f22
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 173.164.228.209:500, Remote: 173.192.253.13:500
Peer ike-id: not available
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Traffic statistics:
Input bytes : 480
Output bytes : 264
Input packets: 2
Output packets: 2
Flags: Waiting for doneWaiting for remove
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
Flags: Waiting for doneWaiting for remove
% tail -f ike-debug
Apr 27 04:33:38 ike_retransmit_callback: Start, retransmit SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
Apr 27 04:33:38 ike_send_packet: Start, retransmit previous packet SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
Apr 27 04:33:39 ikev2_packet_allocate: Allocated packet be7800 from freelist
Apr 27 04:33:39 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
Apr 27 04:33:39 ike_get_sa: Start, SA = { f406f3e3 6a2f82b9 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:33:49 ike_retransmit_callback: Start, retransmit SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
Apr 27 04:33:49 ike_send_packet: Start, retransmit previous packet SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
Apr 27 04:33:51 ikev2_packet_allocate: Allocated packet be7c00 from freelist
Apr 27 04:33:51 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
Apr 27 04:33:51 ike_get_sa: Start, SA = { f406f3e3 6a2f82b9 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:03 ikev2_packet_allocate: Allocated packet be8000 from freelist
Apr 27 04:34:03 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
Apr 27 04:34:03 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:03 ike_sa_allocate: Start, SA = { 5f752378 7e777f1d - bcf2e98c 3b85089f }
Apr 27 04:34:03 ike_init_isakmp_sa: Start, remote = 173.192.253.13:500, initiator = 0
Apr 27 04:34:03 ike_decode_packet: Start
Apr 27 04:34:03 ike_decode_packet: Start, SA = { 5f752378 7e777f1d - a1d83982 874a0f22} / 00000000, nego = -1
Apr 27 04:34:03 ike_decode_payload_sa: Start
Apr 27 04:34:03 ike_decode_payload_t: Start, # trans = 1
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
Apr 27 04:34:03 ike_st_i_sa_proposal: Start
Apr 27 04:34:03 P1 SA 5942926 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x310.
Apr 27 04:34:03 iked_pm_ike_sa_delete_done_cb: For p1 sa index 5942926, ref cnt 2, status: Error ok
Apr 27 04:34:03 ike_isakmp_sa_reply: Start
Apr 27 04:34:03 ike_remove_callback: Start, delete SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
Apr 27 04:34:03 <none>:500 (Responder) <-> 173.192.253.13:500 { f406f3e3 6a2f82b9 - 47bc9259 4afef68e [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
Apr 27 04:34:03 ike_delete_negotiation: Start, SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
Apr 27 04:34:03 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
Apr 27 04:34:03 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
Apr 27 04:34:03 ike_sa_delete: Start, SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e }
Apr 27 04:34:03 ike_free_negotiation_isakmp: Start, nego = -1
Apr 27 04:34:03 ike_free_negotiation: Start, nego = -1
Apr 27 04:34:03 IKE SA delete called for p1 sa 5942926 (ref cnt 2) local:173.164.228.209, remote:173.192.253.13, IKEv1
Apr 27 04:34:03 iked_del_ha_blob: Error deleting blob with type = phase1 mod, tunnel id 0. Error: No such file or directory
Apr 27 04:34:03 iked_del_ha_blob: Error deleting blob with type = phase1, tunnel id 0. Error: No such file or directory
Apr 27 04:34:03 P1 SA 5942926 reference count is not zero (1). Delaying deletion of SA
Apr 27 04:34:03 ike_free_sa: Start
Apr 27 04:34:03 ike_state_restart_packet: Start, restart packet SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:03 ike_st_i_sa_proposal: Start
Apr 27 04:34:03 ike_st_i_cr: Start
Apr 27 04:34:03 ike_st_i_cert: Start
Apr 27 04:34:03 ike_st_i_private: Start
Apr 27 04:34:03 ike_st_o_sa_values: Start
Apr 27 04:34:03 ike_policy_reply_isakmp_vendor_ids: Start
Apr 27 04:34:03 ike_st_o_private: Start
Apr 27 04:34:03 ike_policy_reply_private_payload_out: Start
Apr 27 04:34:03 ike_encode_packet: Start, SA = { 0x5f752378 7e777f1d - a1d83982 874a0f22 } / 00000000, nego = -1
Apr 27 04:34:03 ike_send_packet: Start, send SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1, dst = 173.192.253.13:500, routing table id = 0
Apr 27 04:34:03 iked_pm_ike_sa_done: UNUSABLE p1_sa 5942926
Apr 27 04:34:03 IKEv1 Error : Timeout
Apr 27 04:34:03 iked_pm_p1_sa_destroy: p1 sa 5942926 (ref cnt 0), waiting_for_del 0xb431c0
Apr 27 04:34:08 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:08 ike_send_packet: Start, retransmit previous packet SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
Apr 27 04:34:09 ikev2_packet_allocate: Allocated packet be8400 from freelist
Apr 27 04:34:09 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
Apr 27 04:34:09 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:18 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:18 ike_send_packet: Start, retransmit previous packet SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
Apr 27 04:34:21 ikev2_packet_allocate: Allocated packet be8800 from freelist
Apr 27 04:34:21 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
Apr 27 04:34:21 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:33 ikev2_packet_allocate: Allocated packet be8c00 from freelist
Apr 27 04:34:33 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
Apr 27 04:34:33 ike_get_sa: Start, SA = { d13b9807 e85f9ee0 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:33 ike_sa_allocate: Start, SA = { d13b9807 e85f9ee0 - 9166f66a a39895dd }
Apr 27 04:34:33 ike_init_isakmp_sa: Start, remote = 173.192.253.13:500, initiator = 0
Apr 27 04:34:33 P1 SA 5942927 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x310.
Apr 27 04:34:33 iked_pm_ike_sa_delete_done_cb: For p1 sa index 5942927, ref cnt 2, status: Error ok
Apr 27 04:34:33 ike_remove_callback: Start, delete SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:33 <none>:500 (Responder) <-> 173.192.253.13:500 { 5f752378 7e777f1d - a1d83982 874a0f22 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
Apr 27 04:34:33 ike_delete_negotiation: Start, SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:33 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
Apr 27 04:34:33 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
Apr 27 04:34:33 ike_sa_delete: Start, SA = { 5f752378 7e777f1d - a1d83982 874a0f22 }
Apr 27 04:34:33 ike_free_negotiation_isakmp: Start, nego = -1
Apr 27 04:34:33 ike_free_negotiation: Start, nego = -1
Apr 27 04:34:33 IKE SA delete called for p1 sa 5942927 (ref cnt 2) local:173.164.228.209, remote:173.192.253.13, IKEv1
Apr 27 04:34:33 iked_del_ha_blob: Error deleting blob with type = phase1 mod, tunnel id 0. Error: No such file or directory
Apr 27 04:34:33 iked_del_ha_blob: Error deleting blob with type = phase1, tunnel id 0. Error: No such file or directory
Apr 27 04:34:33 P1 SA 5942927 reference count is not zero (1). Delaying deletion of SA
Apr 27 04:34:33 ike_free_sa: Start
Apr 27 04:34:33 ike_decode_packet: Start
Apr 27 04:34:33 ike_decode_packet: Start, SA = { d13b9807 e85f9ee0 - 88eb569f b3d450e4} / 00000000, nego = -1
Apr 27 04:34:33 ike_decode_payload_sa: Start
Apr 27 04:34:33 ike_decode_payload_t: Start, # trans = 1
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
Apr 27 04:34:33 ike_st_i_sa_proposal: Start
Apr 27 04:34:33 iked_pm_ike_sa_done: UNUSABLE p1_sa 5942927
Apr 27 04:34:33 IKEv1 Error : Timeout
Apr 27 04:34:33 iked_pm_p1_sa_destroy: p1 sa 5942927 (ref cnt 0), waiting_for_del 0xbab3c0
Apr 27 04:34:33 ike_isakmp_sa_reply: Start
Apr 27 04:34:33 ike_state_restart_packet: Start, restart packet SA = { d13b9807 e85f9ee0 - 88eb569f b3d450e4}, nego = -1
Apr 27 04:34:33 ike_st_i_sa_proposal: Start
Apr 27 04:34:33 ike_st_i_cr: Start
Apr 27 04:34:33 ike_st_i_cert: Start
Apr 27 04:34:33 ike_st_i_private: Start
Apr 27 04:34:33 ike_st_o_sa_values: Start
Apr 27 04:34:33 ike_policy_reply_isakmp_vendor_ids: Start
Apr 27 04:34:33 ike_st_o_private: Start
Apr 27 04:34:33 ike_policy_reply_private_payload_out: Start
Apr 27 04:34:33 ike_encode_packet: Start, SA = { 0xd13b9807 e85f9ee0 - 88eb569f b3d450e4 } / 00000000, nego = -1
Apr 27 04:34:33 ike_send_packet: Start, send SA = { d13b9807 e85f9ee0 - 88eb569f b3d450e4}, nego = -1, dst = 173.192.253.13:500, routing table id = 0
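As an added example (not part of the original post), a small Python parser for the iked traceoptions format shown above: it groups lines by initiator cookie and flags the pattern visible in this trace, where the SRX as responder sends its main-mode reply, retransmits it, and keeps receiving the peer's first message with a zero responder cookie until the negotiation times out. The sample log lines are constructed, with a documentation-range peer address.

```python
import re
from collections import defaultdict

# Constructed sample in the iked traceoptions format (documentation-range peer address).
SAMPLE_LOG = """\
Apr 27 04:34:03 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 198.51.100.13:500
Apr 27 04:34:03 ike_send_packet: Start, send SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1, dst = 198.51.100.13:500, routing table id = 0
Apr 27 04:34:08 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:09 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 198.51.100.13:500
Apr 27 04:34:18 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:33 <none>:500 (Responder) <-> 198.51.100.13:500 { 5f752378 7e777f1d - a1d83982 874a0f22 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
"""

# Cookie pair as iked prints it: "{ iiiiiiii iiiiiiii - rrrrrrrr rrrrrrrr" (sometimes 0x-prefixed)
COOKIES = re.compile(r"\{\s*(?:0x)?([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})")

def new_trace():
    return {"responder": False, "reply_sent": False, "retransmits": 0,
            "peer_restarts": 0, "timed_out": False}

def parse_ike_trace(text):
    """Group trace lines by initiator cookie and count what each phase 1 negotiation did."""
    traces = defaultdict(new_trace)
    for line in text.splitlines():
        m = COOKIES.search(line)
        if not m:
            continue
        t = traces[m[1] + m[2]]
        if "ike_get_sa:" in line and m[3] + m[4] == "0" * 16:
            # The peer's main-mode message 1 carries no responder cookie yet. Seeing it
            # again after we answered means the peer never received (or ignored) our reply.
            if t["reply_sent"]:
                t["peer_restarts"] += 1
            else:
                t["responder"] = True
        elif "ike_send_packet: Start, send SA" in line:
            t["reply_sent"] = True          # our main-mode message 2 went out
        elif "ike_retransmit_callback:" in line:
            t["retransmits"] += 1           # we re-sent that reply
        elif "Connection timed out" in line:
            t["timed_out"] = True
    return dict(traces)

def diagnose(trace):
    """One-line verdict for a single negotiation record from parse_ike_trace()."""
    if trace["responder"] and trace["reply_sent"] and trace["timed_out"] and trace["peer_restarts"]:
        return "stuck at main-mode message 2: reply sent but peer kept re-sending message 1"
    if trace["timed_out"]:
        return "timed out"
    return "no timeout recorded"
```

When a trace reads this way the peer is behaving as if it never saw message 2, so the next check is the return path for the gateway's external address (which ISP line and interface the reply actually leaves on) rather than the proposals.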