SRX Services Gateway
Contributor
badar28
Posts: 76
Registered: ‎06-12-2008

unable to establish VPN between 2xSRX-210

Dear All,

I have 2 SRX210s,

10.1.1.1/24---(srx210-Lahore)----20.1.1.1/30 ------router--------30.1.1.1/30-----(srx210-karachi)-----172.16.1.1/24

version---10.0R1.8

The configuration is attached, and the traceoptions output from the Karachi device is also attached. Everything is the same, even then it's saying "no proposal chosen". Please advise, as I am unable to understand this problem. Thanks

Regards

badar

Trusted Contributor
BenR
Posts: 89
Registered: ‎03-18-2010

Re: unable to establish VPN between 2xSRX-210

I think your first step might be to update to 10.2R3 (juniper recommended, me as well) or 10.0R4, 10.0R1 isn't stable on these devices.

Distinguished Expert
keithr
Posts: 979
Registered: ‎09-10-2009

Re: unable to establish VPN between 2xSRX-210

As BenR suggested, you should start by getting off of 10.0R1. 10.2R3.10 is recommended, as he said, and many folks around here have had success with 10.4R1.9, and now 10.4R2.7 is available.

A couple of suggestions also, and these probably won't fix your problems immediately, but they're a place to start...

1. Your IKE and IPsec lifetimes are quite short. Did you have a reason for setting them so short? Junos default IKE lifetime is 28800 seconds and IPsec is 3600 seconds. For SRX-SRX tunnels, I think the defaults are good values.

2. You should specify the unit number in your IKE gateway external interface.

Instead of:

set security ike gateway ike-gw-1 external-interface ge-0/0/1

Try:

set security ike gateway ike-gw-1 external-interface ge-0/0/1.0

Also, and this is a silly one but it's bitten me before... are you sure your pre-shared keys match? I fat-fingered once configuring my PSKs on both ends and beat my head against a wall for half a day before I just went and re-typed them, and then it started working.

If you still have problems after upgrading and tidying up the settings above, post your full configs for both ends, and try setting your IKE traceoptions something like this:

traceoptions {
    file ike-trace size 25m files 2;
    flag all;
    level 15;
}

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
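An added example, not code from this thread or from Juniper: a small Python checker for the two things keithr asks about, a unit-less external-interface and lifetimes shorter than the Junos defaults he quotes, plus a side-by-side diff of the IKE and IPsec proposal parameters on both ends (IKE reports "no proposal chosen" when the responder finds no proposal matching the initiator's). The two set-style configs below are constructed samples, not badar28's attachments.

```python
import re

# Constructed set-style configs for both ends (assumed; not the poster's attachments).
LAHORE_CFG = """
set security ike proposal ike-prop-1 lifetime-seconds 300
set security ike gateway ike-gw-1 external-interface ge-0/0/1
set security ipsec proposal ipsec-prop-1 encryption-algorithm 3des-cbc
"""
KARACHI_CFG = """
set security ike proposal ike-prop-1 lifetime-seconds 300
set security ike gateway ike-gw-1 external-interface ge-0/0/1.0
set security ipsec proposal ipsec-prop-1 encryption-algorithm aes-128-cbc
"""
DEFAULT_LIFETIME = {"ike": 28800, "ipsec": 3600}  # Junos defaults as quoted in the thread
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")
GATEWAY_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")

def parse_proposals(cfg):
    """Return {(phase, name): {parameter: value}} parsed from set-style lines."""
    props = {}
    for line in cfg.strip().splitlines():
        if m := PROPOSAL_RE.match(line.strip()):
            phase, name, param, value = m.groups()
            props.setdefault((phase, name), {})[param] = value
    return props

def proposal_mismatches(cfg_a, cfg_b):
    """List parameters that differ between same-named proposals on the two ends."""
    a, b = parse_proposals(cfg_a), parse_proposals(cfg_b)
    issues = []
    for phase, name in sorted(set(a) | set(b)):
        pa, pb = a.get((phase, name), {}), b.get((phase, name), {})
        for param in sorted(set(pa) | set(pb)):
            if pa.get(param) != pb.get(param):
                issues.append(f"{phase} proposal {name}: {param} {pa.get(param)} vs {pb.get(param)}")
    return issues

def config_warnings(cfg):
    """Flag an external-interface without a unit number and lifetimes below the default."""
    warnings = []
    for line in cfg.strip().splitlines():
        if (m := GATEWAY_RE.match(line.strip())) and "." not in m.group(2):
            warnings.append(f"gateway {m.group(1)}: external-interface {m.group(2)} has no unit, try {m.group(2)}.0")
    for (phase, name), params in parse_proposals(cfg).items():
        life = int(params.get("lifetime-seconds", DEFAULT_LIFETIME[phase]))
        if life < DEFAULT_LIFETIME[phase]:
            warnings.append(f"{phase} proposal {name}: lifetime {life}s is below the default {DEFAULT_LIFETIME[phase]}s")
    return warnings
```

Run it over `show configuration | display set` output from both boxes; a non-empty mismatch list is the first thing to fix before reading the IKE trace.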
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.