SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  srx 220 another site to site vpn not working question

    Posted 04-26-2012 13:50

    Hi everyone,

     

    I am having a site to site vpn issue.  I have a similar vpn working with a CISCO ASA just fine.

    The remote end is some DC supporting IPsec VPN.  With an ASA we have at the office it works just fine.

    (ASA has the 3rd ISP line).  All of the remote VPNs have different IPs (as I'm not connecting to the same device)

     

    We have HA srx 220 config with dual ISPs and some source based routing.

    We want to implement this VPN onto one of these lines as well so we have redundancy.

     

    All this traffic is segregated by a routing engine on the switch.  We can flip this over when a line is down.

     

    I have tried these things

    1) manually creating the auto vpn phase 1 and 2 

    2) using the webtool to create the config   https://www.juniper.net/customers/support/configtools/vpnconfig.html then copy pasting the cli

    3) used the jweb tasks vpn vpn wizard also

     

    All 3 have failed with similar results.  I have ended up trying all different kinds of proposals but they all end up not working.

     

    I have changed keys and proposals many times to different ones and still had the same result.

     

     

    Right now I'm just working with (remote VPN is an unknown device by the DC provider, but has the same IPsec settings)

    phase 1

    peer ip

    psk - somevalue

    encryption 3des

    auth sha1

    dh group 2

     lifetime 3600

     

    phase 2

    3des

    sha1

    pfs yes

    dh group 2

    lifetime 3600

     

     

    Version

    kpanchal@srx-1> show version
    node0:
    --------------------------------------------------------------------------
    Hostname: srx-1
    Model: srx220h
    JUNOS Software Release [11.4R1.6]

    node1:
    --------------------------------------------------------------------------
    Hostname: srx-1
    Model: srx220h
    JUNOS Software Release [11.4R1.6]

     

     

     

    This is what my config looks like

     

    security {
        ike {
            traceoptions {
                file ike-debug files 2;
                flag all;
            }
            proposal phase1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy ike_pol_softvpn {
                mode main;
                proposals phase1;
                pre-shared-key ascii-text "somekey";
            }
            gateway gw_softvpn {
                ike-policy ike_pol_softvpn;
                address 173.192.253.13;
                no-nat-traversal;
                external-interface reth2.0;
                version v1-only;
            }
        }
        ipsec {
            traceoptions {
                flag all;
            }
            proposal phase2 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
                lifetime-kilobytes 5500000;
            }
            policy ipsec_pol_softvpn {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals phase2;
            }
            vpn softvpn {
                ike {
                    gateway gw_softvpn;
                    proxy-identity {
                        local 192.168.0.0/16;
                        remote 10.21.243.64/26;
                        service any;
                    }
                    ipsec-policy ipsec_pol_softvpn;
                }
                establish-tunnels on-traffic;
            }
        }
    }

     

     

     

     

    Here are the SA error messages from ike-debug file

     

    kpanchal@srx-1> show security ike security-associations detail    
    node0:
    --------------------------------------------------------------------------
    IKE peer 173.192.253.13, Index 5942927,
      Role: Responder, State: DOWN
      Initiator cookie: 5f7523787e777f1d, Responder cookie: a1d83982874a0f22
      Exchange type: Main, Authentication method: Pre-shared-keys
      Local: 173.164.228.209:500, Remote: 173.192.253.13:500
      Peer ike-id: not available
      Xauth user-name: not available
      Xauth assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha1-96
       Encryption            : 3des-cbc
       Pseudo random function: hmac-sha1
      Traffic statistics:
       Input  bytes  :                  480
       Output bytes  :                  264
       Input  packets:                    2
       Output packets:                    2
      Flags: Waiting for doneWaiting for remove
      IPSec security associations: 0 created, 0 deleted
      Phase 2 negotiations in progress: 0

        Flags: Waiting for doneWaiting for remove

     

     

    % tail -f ike-debug
    Apr 27 04:33:38 ike_retransmit_callback: Start, retransmit SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
    Apr 27 04:33:38 ike_send_packet: Start, retransmit previous packet SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
    Apr 27 04:33:39 ikev2_packet_allocate: Allocated packet be7800 from freelist
    Apr 27 04:33:39 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Apr 27 04:33:39 ike_get_sa: Start, SA = { f406f3e3 6a2f82b9 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
    Apr 27 04:33:49 ike_retransmit_callback: Start, retransmit SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
    Apr 27 04:33:49 ike_send_packet: Start, retransmit previous packet SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
    Apr 27 04:33:51 ikev2_packet_allocate: Allocated packet be7c00 from freelist
    Apr 27 04:33:51 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Apr 27 04:33:51 ike_get_sa: Start, SA = { f406f3e3 6a2f82b9 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
    Apr 27 04:34:03 ikev2_packet_allocate: Allocated packet be8000 from freelist
    Apr 27 04:34:03 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Apr 27 04:34:03 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
    Apr 27 04:34:03 ike_sa_allocate: Start, SA = { 5f752378 7e777f1d - bcf2e98c 3b85089f }
    Apr 27 04:34:03 ike_init_isakmp_sa: Start, remote = 173.192.253.13:500, initiator = 0
    Apr 27 04:34:03 ike_decode_packet: Start
    Apr 27 04:34:03 ike_decode_packet: Start, SA = { 5f752378 7e777f1d - a1d83982 874a0f22} / 00000000, nego = -1
    Apr 27 04:34:03 ike_decode_payload_sa: Start
    Apr 27 04:34:03 ike_decode_payload_t: Start, # trans = 1
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Apr 27 04:34:03 ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
    Apr 27 04:34:03 ike_st_i_sa_proposal: Start
    Apr 27 04:34:03 P1 SA 5942926 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x310.
    Apr 27 04:34:03 iked_pm_ike_sa_delete_done_cb: For p1 sa index 5942926, ref cnt 2, status: Error ok
    Apr 27 04:34:03 ike_isakmp_sa_reply: Start
    Apr 27 04:34:03 ike_remove_callback: Start, delete SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
    Apr 27 04:34:03 <none>:500 (Responder) <-> 173.192.253.13:500 { f406f3e3 6a2f82b9 - 47bc9259 4afef68e [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    Apr 27 04:34:03 ike_delete_negotiation: Start, SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e}, nego = -1
    Apr 27 04:34:03 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    Apr 27 04:34:03 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    Apr 27 04:34:03 ike_sa_delete: Start, SA = { f406f3e3 6a2f82b9 - 47bc9259 4afef68e }
    Apr 27 04:34:03 ike_free_negotiation_isakmp: Start, nego = -1
    Apr 27 04:34:03 ike_free_negotiation: Start, nego = -1
    Apr 27 04:34:03 IKE SA delete called for p1 sa 5942926 (ref cnt 2) local:173.164.228.209, remote:173.192.253.13, IKEv1
    Apr 27 04:34:03 iked_del_ha_blob: Error deleting blob with type = phase1 mod, tunnel id 0.  Error: No such file or directory
    Apr 27 04:34:03 iked_del_ha_blob: Error deleting blob with type = phase1, tunnel id 0.  Error: No such file or directory
    Apr 27 04:34:03 P1 SA 5942926 reference count is not zero (1). Delaying deletion of SA
    Apr 27 04:34:03 ike_free_sa: Start
    Apr 27 04:34:03 ike_state_restart_packet: Start, restart packet SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
    Apr 27 04:34:03 ike_st_i_sa_proposal: Start
    Apr 27 04:34:03 ike_st_i_cr: Start
    Apr 27 04:34:03 ike_st_i_cert: Start
    Apr 27 04:34:03 ike_st_i_private: Start
    Apr 27 04:34:03 ike_st_o_sa_values: Start
    Apr 27 04:34:03 ike_policy_reply_isakmp_vendor_ids: Start
    Apr 27 04:34:03 ike_st_o_private: Start
    Apr 27 04:34:03 ike_policy_reply_private_payload_out: Start
    Apr 27 04:34:03 ike_encode_packet: Start, SA = { 0x5f752378 7e777f1d - a1d83982 874a0f22 } / 00000000, nego = -1
    Apr 27 04:34:03 ike_send_packet: Start, send SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1, dst = 173.192.253.13:500,  routing table id = 0
    Apr 27 04:34:03 iked_pm_ike_sa_done: UNUSABLE p1_sa 5942926
    Apr 27 04:34:03   IKEv1 Error : Timeout
    Apr 27 04:34:03 iked_pm_p1_sa_destroy:  p1 sa 5942926 (ref cnt 0), waiting_for_del 0xb431c0
    Apr 27 04:34:08 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
    Apr 27 04:34:08 ike_send_packet: Start, retransmit previous packet SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
    Apr 27 04:34:09 ikev2_packet_allocate: Allocated packet be8400 from freelist
    Apr 27 04:34:09 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Apr 27 04:34:09 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
    Apr 27 04:34:18 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
    Apr 27 04:34:18 ike_send_packet: Start, retransmit previous packet SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1, dst = 173.192.253.13:500 routing table id = 0
    Apr 27 04:34:21 ikev2_packet_allocate: Allocated packet be8800 from freelist
    Apr 27 04:34:21 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Apr 27 04:34:21 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
    Apr 27 04:34:33 ikev2_packet_allocate: Allocated packet be8c00 from freelist
    Apr 27 04:34:33 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Apr 27 04:34:33 ike_get_sa: Start, SA = { d13b9807 e85f9ee0 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
    Apr 27 04:34:33 ike_sa_allocate: Start, SA = { d13b9807 e85f9ee0 - 9166f66a a39895dd }
    Apr 27 04:34:33 ike_init_isakmp_sa: Start, remote = 173.192.253.13:500, initiator = 0
    Apr 27 04:34:33 P1 SA 5942927 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x310.
    Apr 27 04:34:33 iked_pm_ike_sa_delete_done_cb: For p1 sa index 5942927, ref cnt 2, status: Error ok
    Apr 27 04:34:33 ike_remove_callback: Start, delete SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
    Apr 27 04:34:33 <none>:500 (Responder) <-> 173.192.253.13:500 { 5f752378 7e777f1d - a1d83982 874a0f22 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
    Apr 27 04:34:33 ike_delete_negotiation: Start, SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
    Apr 27 04:34:33 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    Apr 27 04:34:33 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    Apr 27 04:34:33 ike_sa_delete: Start, SA = { 5f752378 7e777f1d - a1d83982 874a0f22 }
    Apr 27 04:34:33 ike_free_negotiation_isakmp: Start, nego = -1
    Apr 27 04:34:33 ike_free_negotiation: Start, nego = -1
    Apr 27 04:34:33 IKE SA delete called for p1 sa 5942927 (ref cnt 2) local:173.164.228.209, remote:173.192.253.13, IKEv1
    Apr 27 04:34:33 iked_del_ha_blob: Error deleting blob with type = phase1 mod, tunnel id 0.  Error: No such file or directory
    Apr 27 04:34:33 iked_del_ha_blob: Error deleting blob with type = phase1, tunnel id 0.  Error: No such file or directory
    Apr 27 04:34:33 P1 SA 5942927 reference count is not zero (1). Delaying deletion of SA
    Apr 27 04:34:33 ike_free_sa: Start
    Apr 27 04:34:33 ike_decode_packet: Start
    Apr 27 04:34:33 ike_decode_packet: Start, SA = { d13b9807 e85f9ee0 - 88eb569f b3d450e4} / 00000000, nego = -1
    Apr 27 04:34:33 ike_decode_payload_sa: Start
    Apr 27 04:34:33 ike_decode_payload_t: Start, # trans = 1
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    Apr 27 04:34:33 ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
    Apr 27 04:34:33 ike_st_i_sa_proposal: Start
    Apr 27 04:34:33 iked_pm_ike_sa_done: UNUSABLE p1_sa 5942927
    Apr 27 04:34:33   IKEv1 Error : Timeout
    Apr 27 04:34:33 iked_pm_p1_sa_destroy:  p1 sa 5942927 (ref cnt 0), waiting_for_del 0xbab3c0
    Apr 27 04:34:33 ike_isakmp_sa_reply: Start
    Apr 27 04:34:33 ike_state_restart_packet: Start, restart packet SA = { d13b9807 e85f9ee0 - 88eb569f b3d450e4}, nego = -1
    Apr 27 04:34:33 ike_st_i_sa_proposal: Start
    Apr 27 04:34:33 ike_st_i_cr: Start
    Apr 27 04:34:33 ike_st_i_cert: Start
    Apr 27 04:34:33 ike_st_i_private: Start
    Apr 27 04:34:33 ike_st_o_sa_values: Start
    Apr 27 04:34:33 ike_policy_reply_isakmp_vendor_ids: Start
    Apr 27 04:34:33 ike_st_o_private: Start
    Apr 27 04:34:33 ike_policy_reply_private_payload_out: Start
    Apr 27 04:34:33 ike_encode_packet: Start, SA = { 0xd13b9807 e85f9ee0 - 88eb569f b3d450e4 } / 00000000, nego = -1
    Apr 27 04:34:33 ike_send_packet: Start, send SA = { d13b9807 e85f9ee0 - 88eb569f b3d450e4}, nego = -1, dst = 173.192.253.13:500,  routing table id = 0

     

     



  • 2.  RE: srx 220 another site to site vpn not working question

    Posted 04-29-2012 11:23

    Hi,

     

    From the traceoptions we can see many retransmissions, which indicates a reachability issue. You have mentioned that you are using source-based routing with dual ISPs, so from inet.0 is the other end gateway reachable?



  • 3.  RE: srx 220 another site to site vpn not working question

    Posted 04-30-2012 13:50

    Thanks for the reply. 

     

    I did add a static route to my SRX which solved that problem.  I didn't have one originally, as the source-based routing took care of the traffic from the LANs.  I can ping the remote gateway fine from the SRX.

     

    The debugging on this is very poor.  I am now seeing

    May  1 04:38:08   IKEv1 Error : No proposal chosen

     

    Again I have tried different kinds of proposals.  Based on the tools I am using the same exact proposals with still the same problem.  I wish the debugging would tell me which proposals remote is giving me. (even though they are set the same on both ends)

     

     

    Here is some more logging

     

    May  1 04:42:08 ikev2_packet_allocate: Allocated packet be9c00 from freelist
    May  1 04:42:08 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    May  1 04:42:08 ike_get_sa: Start, SA = { 945978ca ea3e6960 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
    May  1 04:42:08 ike_sa_allocate: Start, SA = { 945978ca ea3e6960 - 12544b58 0f55e508 }
    May  1 04:42:08 ike_init_isakmp_sa: Start, remote = 173.192.253.13:500, initiator = 0
    May  1 04:42:08 ike_decode_packet: Start
    May  1 04:42:08 ike_decode_packet: Start, SA = { 945978ca ea3e6960 - 6c75efbf 7c0cfa45} / 00000000, nego = -1
    May  1 04:42:08 ike_decode_payload_sa: Start
    May  1 04:42:08 ike_decode_payload_t: Start, # trans = 1
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = 16f6ca16 e4a4066d ...
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    May  1 04:42:08 ike_st_i_vid: VID[0..16] = 82990317 57a36082 ...
    May  1 04:42:08 ike_st_i_sa_proposal: Start
    May  1 04:42:08 P1 SA 3779137 timer expiry. ref cnt 1, timer reason Force delete timer expired (1), flags 0x310.
    May  1 04:42:08 iked_pm_ike_sa_delete_done_cb: For p1 sa index 3779137, ref cnt 1, status: Error ok
    May  1 04:42:08 iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
    May  1 04:42:08 ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg c35800)
    May  1 04:42:08 ike_isakmp_sa_reply: Start
    May  1 04:42:08 ike_remove_callback: Start, delete SA = { 6c2d15f3 1373c770 - cdd9c301 69e2b6bb}, nego = -1
    May  1 04:42:08 ike_delete_negotiation: Start, SA = { 6c2d15f3 1373c770 - cdd9c301 69e2b6bb}, nego = -1
    May  1 04:42:08 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    May  1 04:42:08 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    May  1 04:42:08 ike_sa_delete: Start, SA = { 6c2d15f3 1373c770 - cdd9c301 69e2b6bb }
    May  1 04:42:08 ike_free_negotiation_isakmp: Start, nego = -1
    May  1 04:42:08 ike_free_negotiation: Start, nego = -1
    May  1 04:42:08 IKE SA delete called for p1 sa 3779137 (ref cnt 1) local:<none>, remote:173.192.253.13, IKEv1
    May  1 04:42:08 iked_del_ha_blob: Error deleting blob with type = phase1 mod, tunnel id 0.  Error: No such file or directory
    May  1 04:42:08 iked_del_ha_blob: Error deleting blob with type = phase1, tunnel id 0.  Error: No such file or directory
    May  1 04:42:08 iked_pm_p1_sa_destroy:  p1 sa 3779137 (ref cnt 0), waiting_for_del 0x0
    May  1 04:42:08 ike_free_sa: Start

    May  1 04:42:08 ike_state_restart_packet: Start, restart packet SA = { 945978ca ea3e6960 - 6c75efbf 7c0cfa45}, nego = -1
    May  1 04:42:08 ike_st_i_sa_proposal: Start
    May  1 04:42:08 ike_st_i_cr: Start
    May  1 04:42:08 ike_st_i_cert: Start
    May  1 04:42:08 ike_st_i_private: Start
    May  1 04:42:08 ike_st_o_sa_values: Start
    May  1 04:42:08 <none>:500 (Responder) <-> 173.192.253.13:500 { 945978ca ea3e6960 - 6c75efbf 7c0cfa45 [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    May  1 04:42:08 ike_alloc_negotiation: Start, SA = { 945978ca ea3e6960 - 6c75efbf 7c0cfa45}
    May  1 04:42:08 ike_encode_packet: Start, SA = { 0x945978ca ea3e6960 - 6c75efbf 7c0cfa45 } / 4976b6b2, nego = 0
    May  1 04:42:08 ike_send_packet: Start, send SA = { 945978ca ea3e6960 - 6c75efbf 7c0cfa45}, nego = 0, dst = 173.192.253.13:500,  routing table id = 0
    May  1 04:42:08 ike_delete_negotiation: Start, SA = { 945978ca ea3e6960 - 6c75efbf 7c0cfa45}, nego = 0
    May  1 04:42:08 ike_free_negotiation_info: Start, nego = 0
    May  1 04:42:08 ike_free_negotiation: Start, nego = 0
    May  1 04:42:08 IKE negotiation fail for local:173.164.228.209, remote:173.192.253.13 IKEv1 with status: No proposal chosen
    May  1 04:42:08   IKEv1 Error : No proposal chosen
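
Added example (not part of the original thread): a small Python triage of ike-debug lines like those posted above, grouping events by initiator cookie to tell the retransmit/timeout pattern discussed in reply 2 apart from the "No proposal chosen" pattern in reply 3. The sample lines are constructed from the thread's excerpts, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ike-debug lines posted in this thread.
SAMPLE_LOG = """\
Apr 27 04:34:03 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:08 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:09 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:18 ike_retransmit_callback: Start, retransmit SA = { 5f752378 7e777f1d - a1d83982 874a0f22}, nego = -1
Apr 27 04:34:21 ike_get_sa: Start, SA = { 5f752378 7e777f1d - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
Apr 27 04:34:33 <none>:500 (Responder) <-> 173.192.253.13:500 { 5f752378 7e777f1d - a1d83982 874a0f22 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
May  1 04:42:08 ike_get_sa: Start, SA = { 945978ca ea3e6960 - 00000000 00000000 } / 00000000, remote = 173.192.253.13:500
May  1 04:42:08 <none>:500 (Responder) <-> 173.192.253.13:500 { 945978ca ea3e6960 - 6c75efbf 7c0cfa45 [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
"""

# Initiator and responder cookies as printed inside "{ ... }" (optional 0x prefix).
SA_RE = re.compile(
    r"\{\s*(?:0x)?([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})"
)
ZERO_COOKIE = "0" * 16


def triage(log_text):
    """Summarise each IKE negotiation in the trace, keyed by initiator cookie."""
    sas = defaultdict(lambda: {"retransmits": 0, "first_msgs": 0, "verdict": "unknown"})
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        icookie, rcookie = m.group(1) + m.group(2), m.group(3) + m.group(4)
        sa = sas[icookie]
        if "ike_retransmit_callback" in line:
            sa["retransmits"] += 1          # we resent our last packet
        elif "ike_get_sa" in line and rcookie == ZERO_COOKIE:
            sa["first_msgs"] += 1           # peer sent (or resent) its first message
        if "No proposal chosen" in line:
            sa["verdict"] = "no-proposal-chosen"
        elif "Connection timed out" in line and sa["verdict"] == "unknown":
            sa["verdict"] = "timeout"
    return dict(sas)


def hint(sa):
    """Next check for one summary; the hints restate advice given in the thread."""
    if sa["verdict"] == "timeout" and sa["first_msgs"] > 1:
        # Peer keeps repeating message 1, so our replies are not reaching it.
        return "replies not reaching peer: check the route to the peer from inet.0"
    if sa["verdict"] == "no-proposal-chosen":
        return "peer's proposal arrived but was rejected locally: compare phase 1 proposals on both ends"
    return "inconclusive: collect more of the trace"


if __name__ == "__main__":
    for cookie, sa in triage(SAMPLE_LOG).items():
        print(cookie, sa, "->", hint(sa))
```

A responder cookie of all zeros on an inbound packet marks the peer's first Main Mode message, so seeing it repeatedly for the same initiator cookie means the peer never received the reply.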

     

     

     

     

     

     

     



  • 4.  RE: srx 220 another site to site vpn not working question

    Posted 04-30-2012 15:12

    I had to restart the ipsec-management daemon for this to work at least on phase1 (or a reboot would have worked)

     

    It seems to have gotten stuck on something.  Really odd, cost me almost a week of on/off troubleshooting.

     

     



  • 5.  RE: srx 220 another site to site vpn not working question

    Posted 07-30-2012 04:22

    Hello everybody,

    Same here with SRX240 (in cluster and non-cluster setup).

    Are there any suggestions?

    Thanks

    P.S.: Until now, I think that my ISP or the ISP of my ISP is filtering traffic ... or forgot to turn off old filters, don't know ...